CANNOT access updates



AKILLSUX
2008-08-02, 04:22
Hi, first noticed problems when the MS update/clash with ZoneAlarm firewall issues arose. I disabled the firewall and MS updates so I could go online. The firewall could not be re-enabled although the zlclient.exe was still running in the task manager. And I could not access the Windows updates manually. Then my bookmarks disappeared and my homepage was changed. I uninstalled the firewall and the bookmark/homepage problem went away in Firefox, but is still happening in IE.
Next my antivirus was disabled; it has since been restored.
I have 2 different Windows security popups showing when I first connect; one tells me the Windows firewall is off.
I can't get any online scanners to work, but S and D in safe mode shows no threats, and a rootkit scan shows 3 unidentified services.
When I try to access the Windows updates it gets to a page, and just hangs.
I can't access the Sun Java updates either.
I don't use PtoP, visit porn sites, or go gambling online. I run XP pro, SP2, last updated 21 Jun.
Also have multiple temp/tmp/temp internet files, some of which cannot be deleted.
Here is my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:48:09 p.m., on 2/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\HP_Administrator\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] "c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FD76BEB-89CC-4CEB-965D-24200785D4CF}: NameServer = 202.49.233.1 202.49.233.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{1FD76BEB-89CC-4CEB-965D-24200785D4CF}: NameServer = 202.49.233.1 202.49.233.2
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 8483 bytes
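The HijackThis log above is the format a helper reads line by line. As an added example (not part of this thread, and not HijackThis's own code), the following Python parses the `Rx`/`Oxx` lines of an HJT v2 log and flags the entry types a helper usually verifies first: O4 Run entries that reference a bare file name instead of a full path, startup shortcuts HJT could not resolve, O17 DNS server settings, and O23 services with an unknown owner or a missing binary. The sample log is constructed from lines in the post; the flags are "check this by hand" items, not malware verdicts.

```python
"""Triage helper for HijackThis v2 log lines (added example, not HJT's own code)."""
import re

# One record per "O4 - ...", "R1 - ...", "O23 - ..." line; other lines are ignored.
LINE_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
# O4 body: [name] "quoted path" args   or   [name] path args
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?:\"(?P<qpath>[^\"]+)\"|(?P<path>\S+))")
# O23 body: Service: <display name> - <owner> - <path> [(file missing)]
O23_RE = re.compile(r"Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# O17 body: ...: NameServer = <ip> [<ip> ...]
O17_RE = re.compile(r"NameServer = (?P<servers>[\d. ]+)$")

# Constructed sample: a handful of lines copied from the log in the post above.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FD76BEB-89CC-4CEB-965D-24200785D4CF}: NameServer = 202.49.233.1 202.49.233.2
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
"""


def parse_hjt(text):
    """Return a list of {'code', 'body'} records, one per Rx/Oxx line in the log."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append({"code": m.group("code"), "body": m.group("body")})
    return entries


def triage(entries):
    """Return (reason, body) tuples for entries a helper should verify by hand."""
    findings = []
    for e in entries:
        code, body = e["code"], e["body"]
        if code == "O4":
            if body.endswith("= ?"):
                # HJT could not resolve the shortcut target, so the real launch path is unknown.
                findings.append(("startup shortcut target unresolved", body))
                continue
            m = O4_RE.search(body)
            if m:
                target = m.group("qpath") or m.group("path")
                # A bare file name (no drive letter, no %var%) is located by PATH search at
                # logon, so the log cannot show which copy runs; confirm where it lives.
                if not re.match(r"^[A-Za-z]:\\|^%", target):
                    findings.append(("Run entry with bare file name (no full path)", body))
        elif code == "O17":
            m = O17_RE.search(body)
            if m:
                # Per-adapter DNS servers; confirm they belong to the ISP before trusting them.
                findings.append(("DNS servers set for adapter, confirm they are the ISP's", body))
        elif code == "O23":
            m = O23_RE.search(body)
            if m:
                if m.group("owner") == "Unknown owner":
                    findings.append(("service with unknown owner", body))
                if "(file missing)" in m.group("path"):
                    findings.append(("service whose binary is missing", body))
    return findings


if __name__ == "__main__":
    for reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{reason}] {body}")
```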

katana
2008-08-07, 18:22
Please note that all instructions given are customised for this computer only; the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear".
(Just because you can't see a problem doesn't mean it isn't there.)

If you can do those three things, everything should go smoothly :D

I apologize for the delay in responding, but as you can probably see the forums are quite busy.
Unfortunately there are far more people needing help than there are helpers.

Please note: your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe.

----------------------------------------------------------------------------------------

Installed Programs

Please could you give me a list of the programs that are installed.
Start HijackThis
Click on the Misc Tools button
Click on the Open Uninstall Manager button.

You will see a list of the programs installed on your computer.
Click on the Save list button and specify where you would like to save this file.
When you press the Save button, a Notepad window will open with the contents of that file.
Simply copy and paste the contents of that Notepad window into your next post.
Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

AKILLSUX
2008-08-08, 05:39
Hi, thanks for replying... that link didn't take me anywhere so I downloaded direct from Bleeping Computer. Although I followed the instructions, at the end, while the log was being created, my firewall reactivated itself, and I had no idea whether to allow the actions it mentioned.
Also a couple of things have changed: I disabled all the supposedly safe BHOs/ActiveX in IE7, which I only use for Windows updates, and finally got through to the update page. As all that was offered was SP3, I decided to try and install that from my MS CD, but after going through the install process, it told me it had failed, and "Access was denied", and then it uninstalled.
Here are the logs:
ComboFix 08-08-07.05 - HP_Administrator 2008-08-08 15:05:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.170 [GMT 12:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\_004902_.tmp.dll
C:\WINDOWS\system32\_004903_.tmp.dll
C:\WINDOWS\system32\_004904_.tmp.dll
C:\WINDOWS\system32\_004905_.tmp.dll
C:\WINDOWS\system32\_004912_.tmp.dll
C:\WINDOWS\system32\_004913_.tmp.dll
C:\WINDOWS\system32\_004914_.tmp.dll
C:\WINDOWS\system32\_004915_.tmp.dll
C:\WINDOWS\system32\_004917_.tmp.dll
C:\WINDOWS\system32\_004918_.tmp.dll
C:\WINDOWS\system32\_004921_.tmp.dll
C:\WINDOWS\system32\_004922_.tmp.dll
C:\WINDOWS\system32\_004924_.tmp.dll
C:\WINDOWS\system32\_004925_.tmp.dll
C:\WINDOWS\system32\_004926_.tmp.dll
C:\WINDOWS\system32\_004928_.tmp.dll
C:\WINDOWS\system32\_004931_.tmp.dll
C:\WINDOWS\system32\_004932_.tmp.dll
C:\WINDOWS\system32\_004936_.tmp.dll
C:\WINDOWS\system32\_004937_.tmp.dll
C:\WINDOWS\system32\_004939_.tmp.dll
C:\WINDOWS\system32\_004942_.tmp.dll
C:\WINDOWS\system32\_004944_.tmp.dll
C:\WINDOWS\system32\_004945_.tmp.dll
C:\WINDOWS\system32\_004946_.tmp.dll
C:\WINDOWS\system32\_004947_.tmp.dll
C:\WINDOWS\system32\_004948_.tmp.dll
C:\WINDOWS\system32\_004951_.tmp.dll
C:\WINDOWS\system32\_004952_.tmp.dll
C:\WINDOWS\system32\_004953_.tmp.dll
C:\WINDOWS\system32\_004954_.tmp.dll
C:\WINDOWS\system32\_004955_.tmp.dll
C:\WINDOWS\system32\_004960_.tmp.dll
C:\WINDOWS\system32\_004962_.tmp.dll
C:\WINDOWS\system32\_004963_.tmp.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-07-08 to 2008-08-08 )))))))))))))))))))))))))))))))
.

2008-08-07 20:20 . 2008-04-14 05:42 354,304 --a------ C:\WINDOWS\system32\SET11F4.tmp
2008-08-07 20:20 . 2008-04-14 05:40 177,152 --a------ C:\WINDOWS\system32\SET1226.tmp
2008-08-07 20:20 . 2008-04-14 05:42 159,232 --a------ C:\WINDOWS\system32\SET120A.tmp
2008-08-07 20:20 . 2008-04-14 05:42 28,672 --a------ C:\WINDOWS\system32\SET11F9.tmp
2008-08-07 20:20 . 2008-04-14 05:41 20,480 --a------ C:\WINDOWS\system32\SET1253.tmp
2008-08-07 20:20 . 2008-04-14 05:41 16,896 --a------ C:\WINDOWS\system32\SET1250.tmp
2008-08-07 20:20 . 2008-04-14 05:42 13,824 --a------ C:\WINDOWS\system32\SET11F0.tmp
2008-08-07 20:19 . 2008-08-07 20:32 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-07 20:19 . 2008-08-07 20:32 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-07 20:19 . 2008-08-07 20:31 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-07 20:19 . 2008-04-14 05:42 80,896 --a------ C:\WINDOWS\system32\SET11EF.tmp
2008-08-07 20:19 . 2008-04-14 05:42 6,656 --a------ C:\WINDOWS\system32\SET11EC.tmp
2008-08-07 20:14 . 2008-04-14 05:42 471,552 --a------ C:\WINDOWS\system32\SET5EE.tmp
2008-08-07 20:14 . 2008-04-14 05:41 95,744 --a------ C:\WINDOWS\system32\SET5F4.tmp
2008-08-07 20:12 . 2008-04-14 05:42 2,843,136 --a------ C:\WINDOWS\system32\SET2C9.tmp
2008-08-07 20:11 . 2008-04-14 05:42 8,461,312 --a------ C:\WINDOWS\system32\SET1EE.tmp
2008-08-07 20:07 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\003237_.tmp
2008-08-07 20:04 . 2007-10-26 15:34 8,460,288 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-08-07 20:03 . 2007-02-28 21:10 2,180,352 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-08-07 20:00 . 2008-08-07 20:00 <DIR> d-------- C:\WINDOWS\New Folder
2008-08-07 19:54 . 2008-08-07 20:21 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-06 22:49 . 2008-08-06 22:49 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-06 22:49 . 2008-08-06 22:49 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2008-08-06 22:49 . 2008-08-06 22:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-06 22:48 . 2008-08-06 22:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-06 20:48 . 2008-08-06 20:48 <DIR> d-------- C:\Program Files\COMODO
2008-08-06 20:48 . 2008-08-06 20:48 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Comodo
2008-08-06 20:48 . 2008-08-06 21:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-08-06 20:48 . 2008-08-06 20:48 143,104 --a------ C:\WINDOWS\system32\guard32.dll
2008-08-06 20:48 . 2008-08-06 20:48 87,056 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-08-06 20:48 . 2008-08-06 20:48 24,208 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-08-02 22:21 . 2008-08-02 22:21 <DIR> d-------- C:\Autoruns
2008-07-25 16:45 . 2008-07-25 16:45 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-25 16:45 . 2008-07-25 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-24 23:15 . 2008-07-24 23:15 <DIR> d-------- C:\Program Files\Safer Networking
2008-07-24 22:43 . 2008-07-24 22:43 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-07-19 19:41 . 2008-08-03 19:01 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-19 19:41 . 2008-07-19 19:41 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Malwarebytes
2008-07-19 19:41 . 2008-07-19 19:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-19 19:41 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-19 19:41 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-18 18:12 . 2008-07-18 18:12 <DIR> d-------- C:\Program Files\Sophos
2008-07-17 16:36 . 2008-07-17 16:36 <DIR> d-------- C:\VundoFix Backups
2008-07-15 15:45 . 2008-07-15 15:45 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-07-13 18:48 . 2008-07-29 18:03 <DIR> d-------- C:\1954455e9283aee02610

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-08 03:13 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\WTablet
2008-08-01 07:07 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Canon
2008-07-19 02:29 --------- d-----w C:\Program Files\Common Files\Real
2008-07-14 23:32 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-07-11 04:10 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-23 09:23 --------- d-----w C:\Documents and Settings\LocalService\Application Data\WTablet
2008-06-23 09:17 --------- d-----w C:\Program Files\Common Files\TiVo Shared
2008-06-23 09:15 --------- d-----w C:\Program Files\Sonic
2008-06-23 09:14 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-06-23 07:34 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-06-23 02:55 --------- d---a-w C:\Program Files\Common Files\LightScribe
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2005-11-02 09:27 0 ----a-w C:\Program Files\pspbrwse.jbf
.

StartupList report, 6/08/2008, 9:50:17 p.m.
StartupList version: 1.52.2
Started from : C:\Documents and Settings\HP_Administrator\Desktop\HiJackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16674)
* Using default options
* Including empty and uninteresting sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Administrator\Desktop\HiJackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup]
Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
LUMIX Simple Viewer.lnk = ?
Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
Ulead AutoDetector v2 = C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
PS2 = C:\WINDOWS\system32\ps2.exe
OpwareSE2 = "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
LSBWatcher = c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
KBD = C:\HP\KBD\KBD.EXE
hpsysdrv = c:\windows\system\hpsysdrv.exe
High Definition Audio Property Page Shortcut = HDAudPropShortcut.exe
ATIPTA = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
AGRSMMSG = AGRSMMSG.exe
IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
ehTray = C:\WINDOWS\ehome\ehtray.exe
HPHmon06 = C:\WINDOWS\system32\hphmon06.exe
HPHUPD06 = "c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe"
MSPY2002 = "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
SunJavaUpdateSched = "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
PHIME2002ASync = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
PHIME2002A = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
ISUSScheduler = "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
ISUSPM Startup = "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
COMODO Firewall Pro = "C:\Program Files\COMODO\Firewall\cfp.exe" -h

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=wbsys.dll C:\WINDOWS\system32\guard32.dll

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[Housecall ActiveX 6.5]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
CODEBASE = http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

[Java Plug-in 1.5.0_10]
InProcServer32 = C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

[Java Plug-in 1.5.0]
InProcServer32 = C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab

[Java Plug-in 1.5.0_06]
InProcServer32 = C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

[Java Plug-in 1.5.0_10]
InProcServer32 = C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

[Java Plug-in 1.5.0_10]
InProcServer32 = C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 17,051 bytes
Report generated in 0.141 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Hope this is OK

katana
2008-08-08, 13:14
It looks like the ComboFix log got cut off. Please can you post it again:
C:\Combofix.txt

Can you post the Uninstall list I asked for please.

AKILLSUX
2008-08-09, 05:13
Hi, sorry I posted the wrong HJT. Correct one here:
Adobe Help Center 2.0
Adobe Photoshop Elements 4.0
Adobe Shockwave Player 11
Agere Systems PCI Soft Modem
Alien Skin Eye Candy 4000 Demo
Apophysis 2.0
ArcSoft PhotoStudio 5.5
ArtRage 2
ATI Control Panel
ATI Display Driver
avast! Antivirus
Blackhawk Striker 2 from HP Media Center (remove only)
Blasterball 2 from HP Media Center (remove only)
Blasterball 2 Holidays from HP Media Center (remove only)
Blasterball 2 Remix from HP Media Center (remove only)
Bounce Symphony from HP Media Center (remove only)
Browser Hijack Recover(BHR) 2.3
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window DSLR 5 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon MP Drivers 6.0
Canon MP Navigator 1.1
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon ScanGear Starter
Canon Utilities Easy-PhotoPrint
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX (E)
CD-LabelPrint
COMODO Firewall Pro
Corel Paint Shop Pro X
Corel Painter Essentials 3
Corel Painter X
Corel Painter X
Corel Photo Album 6
Crystal Maze from HP Media Center (remove only)
Deep Paint
EasyCleaner
Easy-WebPrint
EzyPaint
Filter Forge 1.008
Final Drive Nitro from HP Media Center (remove only)
GemMaster Mystic
Harry's Filters 3
Help and Support Additions
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB935448)
HP Deskjet Printer Preload
HP Image Zone 4.8.6
HP Image Zone for Media Center PC
HP Image Zone Plus 4.8.6
HP Photosmart Cameras 4.5
HP PSC & OfficeJet 4.7
HP Software Update
HP Tunes
HPIZplus450
InterVideo WinDVD Player
iTunes
J2SE Runtime Environment 5.0
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
KBD
Lexibox Deluxe from HP Media Center (remove only)
LUMIX Simple Viewer
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Digital Image Suite 2006
Microsoft Encarta Encyclopedia Standard 2005
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money
Microsoft National Language Support Downlevel APIs
Microsoft Works
Mozilla Firefox (2.0.0.16)
Mozilla Thunderbird (1.0.6)
MS Access 97 SP2
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
muvee autoProducer 4.0
muvee autoProducer unPlugged - HPD
OmniPage SE 2.0
Otto
Overball from HP Media Center (remove only)
PC-Doctor for Windows
PenPlus Personal
Phoenix Assault from HP Media Center (remove only)
Photo Story 3 for Windows
PhotoFiltre
Photosmart 320,370,7400,8100,8400 Series
Polar Bowler from HP Media Center (remove only)
Polar Golfer from HP Media Center (remove only)
project dogwaffle
PS2
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
QuickTime
RegAlyzer
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Shinycore Path Styler Pro 1.11 Tryout for Photoshop
Shockwave
Shooting Stars Pool from HP Media Center (remove only)
Slyder from HP Media Center (remove only)
Sonic Activation Module
Sonic DVD for Photo Story 3 for Windows
Sonic Encoders
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sophos Anti-Rootkit 1.3.1
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
Super Granny from HP Media Center (remove only)
SUPERAntiSpyware Free Edition
Tablet
The GIMP 2.2.9
Tradewinds from HP Media Center (remove only)
Ulead ArtTexture.Plugin 1.0
Ulead PhotoImpact 10 SE
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update Rollup 1 for Windows XP Media Center Edition 2005 with HDTV Support (KB873369)
Updates from HP
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Player 10 Hotfix [See KB889858 for more information]
Windows Media Player Firefox Plugin
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885354
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891220
Windows XP Hotfix - KB891781
Windows XP Media Center Edition 2005 KB888316
Windows XP Media Center Edition 2005 KB895678

The ComboFix log is incomplete, I think, because the Firewall reactivated, its icon was not in the tray, and I could see no option to terminate it, so pressed cancel. Do I need to go through the process again? Should I have disabled the firewall in the services? Also my avast antivirus icons have gone from the tray since that reboot, any ideas on how I can get them back? Thanks for your help, all the best

katana
2008-08-09, 10:59
Let's see if you can get Java sorted now.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6u7
http://java.sun.com/javase/downloads/index.jsp
Scroll down to where it says "The Java Runtime Environment (JRE) 6 update 7 allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check for any item with Java Runtime Environment (JRE or J2SE) in the name.
J2SE Runtime Environment 5.0
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.

Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.



Run ComboFix using these instructions:

Click the Windows 'Start' button > Select 'Run' - then copy/paste the following bolded text into the run box & click OK.

"%userprofile%\desktop\combofix.exe" /SkipFix

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Active Scan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Please go to this site: ActiveScan (http://www.pandasecurity.com/activescan/index/)

Click the Scan Now button
Follow the prompts to install the Active X if necessary
Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
When the scan is finished, a report will be generated
Next to Scan Details click the small Save button and save the report to your desktop.
Please post the report in your reply.

AKILLSUX
2008-08-10, 07:03
Struck a few difficulties with the Java update. That link would not go thru, just hung. Tried typing http://java.sun.com in the address bar, took me to a site called http://w3.org. That was in Firefox. So tried address in IE7, got to download part which took me to https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_Developer-Site/en_US/-/USD/ViewFilteredProducts-SingleVariationTypeFilter
Does this look right? This message appeared (in addition to popups about moving from secure to insecure pages):
The website wants to run Java Web Start ActiveX control.
Also popup appeared headed "Did you notice Information bar?" etc etc
Have seen the latter before during one of my failed attempts at installation.
I do not normally use IE so just wanted to check this out with you.
Also when you say to close running programs, do you mean to exit the firewall? Not sure if Avast is running, icons still have not come back.

katana
2008-08-10, 14:34
Please just run ComboFix using the instructions I gave for the moment

AKILLSUX
2008-08-11, 06:24
Hi again, log as requested:
ComboFix 08-08-07.05 - HP_Administrator 2008-08-11 16:11:17.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.223 [GMT 12:00]
Running from: C:\Documents and Settings\HP_Administrator\desktop\combofix.exe
Command switches used :: /SkipFix
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\system32\_004902_.tmp.dll
C:\WINDOWS\system32\_004903_.tmp.dll
C:\WINDOWS\system32\_004904_.tmp.dll
C:\WINDOWS\system32\_004905_.tmp.dll
C:\WINDOWS\system32\_004912_.tmp.dll
C:\WINDOWS\system32\_004913_.tmp.dll
C:\WINDOWS\system32\_004914_.tmp.dll
C:\WINDOWS\system32\_004915_.tmp.dll
C:\WINDOWS\system32\_004917_.tmp.dll
C:\WINDOWS\system32\_004918_.tmp.dll
C:\WINDOWS\system32\_004921_.tmp.dll
C:\WINDOWS\system32\_004922_.tmp.dll
C:\WINDOWS\system32\_004924_.tmp.dll
C:\WINDOWS\system32\_004925_.tmp.dll
C:\WINDOWS\system32\_004926_.tmp.dll
C:\WINDOWS\system32\_004928_.tmp.dll
C:\WINDOWS\system32\_004931_.tmp.dll
C:\WINDOWS\system32\_004932_.tmp.dll
C:\WINDOWS\system32\_004936_.tmp.dll
C:\WINDOWS\system32\_004937_.tmp.dll
C:\WINDOWS\system32\_004939_.tmp.dll
C:\WINDOWS\system32\_004942_.tmp.dll
C:\WINDOWS\system32\_004944_.tmp.dll
C:\WINDOWS\system32\_004945_.tmp.dll
C:\WINDOWS\system32\_004946_.tmp.dll
C:\WINDOWS\system32\_004947_.tmp.dll
C:\WINDOWS\system32\_004948_.tmp.dll
C:\WINDOWS\system32\_004951_.tmp.dll
C:\WINDOWS\system32\_004952_.tmp.dll
C:\WINDOWS\system32\_004953_.tmp.dll
C:\WINDOWS\system32\_004954_.tmp.dll
C:\WINDOWS\system32\_004955_.tmp.dll
C:\WINDOWS\system32\_004960_.tmp.dll
C:\WINDOWS\system32\_004962_.tmp.dll
C:\WINDOWS\system32\_004963_.tmp.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-07-11 to 2008-08-11 )))))))))))))))))))))))))))))))
.

2008-08-07 20:20 . 2008-04-14 05:42 354,304 --a------ C:\WINDOWS\system32\SET11F4.tmp
2008-08-07 20:20 . 2008-04-14 05:40 177,152 --a------ C:\WINDOWS\system32\SET1226.tmp
2008-08-07 20:20 . 2008-04-14 05:42 159,232 --a------ C:\WINDOWS\system32\SET120A.tmp
2008-08-07 20:20 . 2008-04-14 05:42 28,672 --a------ C:\WINDOWS\system32\SET11F9.tmp
2008-08-07 20:20 . 2008-04-14 05:41 20,480 --a------ C:\WINDOWS\system32\SET1253.tmp
2008-08-07 20:20 . 2008-04-14 05:41 16,896 --a------ C:\WINDOWS\system32\SET1250.tmp
2008-08-07 20:20 . 2008-04-14 05:42 13,824 --a------ C:\WINDOWS\system32\SET11F0.tmp
2008-08-07 20:19 . 2008-08-07 20:32 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-07 20:19 . 2008-08-07 20:32 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-07 20:19 . 2008-08-07 20:31 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-07 20:19 . 2008-04-14 05:42 80,896 --a------ C:\WINDOWS\system32\SET11EF.tmp
2008-08-07 20:19 . 2008-04-14 05:42 6,656 --a------ C:\WINDOWS\system32\SET11EC.tmp
2008-08-07 20:14 . 2008-04-14 05:42 471,552 --a------ C:\WINDOWS\system32\SET5EE.tmp
2008-08-07 20:14 . 2008-04-14 05:41 95,744 --a------ C:\WINDOWS\system32\SET5F4.tmp
2008-08-07 20:12 . 2008-04-14 05:42 2,843,136 --a------ C:\WINDOWS\system32\SET2C9.tmp
2008-08-07 20:11 . 2008-04-14 05:42 8,461,312 --a------ C:\WINDOWS\system32\SET1EE.tmp
2008-08-07 20:07 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\003237_.tmp
2008-08-07 20:04 . 2007-10-26 15:34 8,460,288 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-08-07 20:03 . 2007-02-28 21:10 2,180,352 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-08-07 20:00 . 2008-08-07 20:00 <DIR> d-------- C:\WINDOWS\New Folder
2008-08-07 19:54 . 2008-08-07 20:21 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-06 22:49 . 2008-08-06 22:49 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-06 22:49 . 2008-08-06 22:49 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2008-08-06 22:49 . 2008-08-06 22:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-06 22:48 . 2008-08-06 22:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-06 20:48 . 2008-08-06 20:48 <DIR> d-------- C:\Program Files\COMODO
2008-08-06 20:48 . 2008-08-06 20:48 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Comodo
2008-08-06 20:48 . 2008-08-06 21:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-08-06 20:48 . 2008-08-06 20:48 143,104 --a------ C:\WINDOWS\system32\guard32.dll
2008-08-06 20:48 . 2008-08-06 20:48 87,056 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-08-06 20:48 . 2008-08-06 20:48 24,208 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-08-02 22:21 . 2008-08-02 22:21 <DIR> d-------- C:\Autoruns
2008-07-25 16:45 . 2008-07-25 16:45 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-25 16:45 . 2008-07-25 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-24 23:15 . 2008-07-24 23:15 <DIR> d-------- C:\Program Files\Safer Networking
2008-07-24 22:43 . 2008-07-24 22:43 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-07-19 19:41 . 2008-08-03 19:01 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-19 19:41 . 2008-07-19 19:41 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Malwarebytes
2008-07-19 19:41 . 2008-07-19 19:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-19 19:41 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-19 19:41 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-18 18:12 . 2008-07-18 18:12 <DIR> d-------- C:\Program Files\Sophos
2008-07-17 16:36 . 2008-07-17 16:36 <DIR> d-------- C:\VundoFix Backups
2008-07-15 15:45 . 2008-07-15 15:45 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-07-13 18:48 . 2008-07-29 18:03 <DIR> d-------- C:\1954455e9283aee02610

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-11 03:42 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\WTablet
2008-08-08 05:46 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Canon
2008-08-08 05:38 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-19 02:29 --------- d-----w C:\Program Files\Common Files\Real
2008-07-14 23:32 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-23 09:23 --------- d-----w C:\Documents and Settings\LocalService\Application Data\WTablet
2008-06-23 09:17 --------- d-----w C:\Program Files\Common Files\TiVo Shared
2008-06-23 09:15 --------- d-----w C:\Program Files\Sonic
2008-06-23 09:14 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-06-23 07:34 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-06-23 02:55 --------- d---a-w C:\Program Files\Common Files\LightScribe
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2005-11-02 09:27 0 ----a-w C:\Program Files\pspbrwse.jbf
2005-11-16 07:20 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2006-06-10 01:54 104 --sha-r C:\WINDOWS\system32\11060A099A.sys
2008-03-24 05:22 88 --sha-r C:\WINDOWS\system32\9A090A0611.sys
2008-03-24 05:22 5,018 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 16:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ulead AutoDetector v2"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-08-27 19:22 90112]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-15 01:43 233472]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2004-10-26 02:17 90112]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 11:00 49152]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 01:54 253952]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-03 03:44 61440]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 21:04 52736]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-01 23:05 339968]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 16:00 208952]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 04:04 59392]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-08 01:38 659456]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-08 01:44 49152]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 16:00 59392]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-02-14 13:49 278528]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 14:07 49263]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 16:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 16:00 455168]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 09:44 81920]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 09:44 249856]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-08-06 20:48 1655552]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 18:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 22:06 88363 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 12:45 36040]

C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 18:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 21:28:24 258048]
LUMIX Simple Viewer.lnk - C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2006-10-26 22:16:25 57344]
Updates from HP.lnk - C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe [2005-06-29 15:08:27 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2008-07-20 02:38 78008 C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-20 02:35]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-08-06 20:48]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-08-06 20:48]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-20 02:37]
R3 CXFALCON;Conexant Falcon II NTSC Video Capture;C:\WINDOWS\system32\drivers\cxfalcon.sys [2005-04-20 22:57]
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2006-02-15 09:18]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2006-11-16 07:55]
S3 aswArKrn;aswArKrn;C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\aswArKrn.sys []
S3 GNKPK;GNKPK;C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\GNKPK.exe []
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\2.tmp []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
.
- - - - ORPHANS REMOVED - - - -

Notify-WB - C:\Program Files\AlienGUIse\fastload.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\ny26a2ie.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.com


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-11 16:12:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\C:\WINDOWS\system32\2.tmp"
.
Completion time: 2008-08-11 16:15:49
ComboFix-quarantined-files.txt 2008-08-11 04:15:41

Pre-Run: 112,033,419,264 bytes free
Post-Run: 112,023,371,776 bytes free

213
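A helper reads a report like the one above by hand; as an added example that is not part of this thread and not ComboFix's own code, the Python script below triages lines in that report format and flags the things a helper looks for first: an msconfig\startupreg entry (a startup item disabled with MSConfig), services whose image sits in a Temp folder or is a .tmp file, and a mountpoints2 AutoRun command. The sample lines are constructed from the report above; the rule names are my own.

```python
"""Triage helper for ComboFix-style report lines (added example, not ComboFix code)."""
import re
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the ComboFix report posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2008-07-20 02:38 78008 C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-20 02:35]
S3 aswArKrn;aswArKrn;C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\aswArKrn.sys []
S3 GNKPK;GNKPK;C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\GNKPK.exe []
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\2.tmp []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
"""

# MSConfig stores startup items it has disabled under ...\msconfig\startupreg\<name>.
MSCONFIG_KEY = re.compile(r"\\msconfig\\startupreg\\(.+)\]$", re.IGNORECASE)
# ComboFix service lines: "<R|S><start> <name>;<display name>;<image path> [<timestamp>]".
SERVICE_LINE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]$")
# Per-drive AutoRun handlers recorded under explorer\mountpoints2\<drive letter>.
MOUNTPOINT_KEY = re.compile(r"\\mountpoints2\\([A-Z])\]$", re.IGNORECASE)
AUTORUN_CMD = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(.+)$", re.IGNORECASE)

# (rule name, subject, detail). Rule names are this example's own labels.
Finding = Tuple[str, str, str]


def triage(log_text: str) -> List[Finding]:
    """Walk the report line by line and collect items worth a second look.

    A hit means "review this", not "this is malware": anti-rootkit scanners
    such as the avast and Sophos tools installed on this machine load their
    drivers from Temp or from a .tmp file in exactly this way.
    """
    findings: List[Finding] = []
    current_drive: Optional[str] = None  # drive letter of the last mountpoints2 key seen

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = MSCONFIG_KEY.search(line)
        if m:
            findings.append(("msconfig-disabled", m.group(1),
                             "startup item disabled via MSConfig"))
            continue

        m = SERVICE_LINE.match(line)
        if m:
            _start, name, _display, path, _stamp = m.groups()
            lowered = path.lower()
            if "\\temp\\" in lowered:
                findings.append(("service-in-temp", name, path))
            elif lowered.endswith(".tmp"):
                findings.append(("service-tmp-image", name, path))
            continue

        m = MOUNTPOINT_KEY.search(line)
        if m:
            current_drive = m.group(1).upper()
            continue

        m = AUTORUN_CMD.match(line)
        if m and current_drive:
            # The command runs when the drive is opened; worth checking what Info.exe is.
            findings.append(("autorun-mountpoint", current_drive + ":", m.group(1)))

    return findings


if __name__ == "__main__":
    for rule, subject, detail in triage(SAMPLE_LOG):
        print(f"{rule:20} {subject:12} {detail}")
```

The running avast driver (aswSP, a normal system32\drivers path) is deliberately not flagged, so the output is the short list a helper would actually want to discuss.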

katana
2008-08-11, 11:23
You have disabled Avast from running at startup with MSConfig

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2008-07-20 02:38 78008 C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

I recommend that you re-enable it.



Download and Run SD Fix

Please download SDFix (by andymanchesta) (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F5 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally, paste the contents of the Report.txt back on the forum with a new HijackThis log.



Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:



KillAll::
DirLook::
C:\WINDOWS\New Folder

Comment - Existing Categories

File::
C:\WINDOWS\system32\SET11F4.tmp
C:\WINDOWS\system32\SET1226.tmp
C:\WINDOWS\system32\SET120A.tmp
C:\WINDOWS\system32\SET11F9.tmp
C:\WINDOWS\system32\SET1253.tmp
C:\WINDOWS\system32\SET1250.tmp
C:\WINDOWS\system32\SET11F0.tmp
C:\WINDOWS\system32\SET11EF.tmp
C:\WINDOWS\system32\SET11EC.tmp
C:\WINDOWS\system32\SET5EE.tmp
C:\WINDOWS\system32\SET5F4.tmp
C:\WINDOWS\system32\SET2C9.tmp
C:\WINDOWS\system32\SET1EE.tmp
C:\WINDOWS\003237_.tmp
C:\WINDOWS\system32\11060A099A.sys
C:\WINDOWS\system32\9A090A0611.sys
Folder::
Driver::
aswArKrn
GNKPK
MEMSWEEP2

Save this as CFScript.txt and place it on your desktop.


http://i51.photobucket.com/albums/f387/Katana_1970/CFScriptb.gif


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.


Please try Active Scan now
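The checks katana is making on the log above (the MSConfig startupreg key for avast!, the Windows Firewall EnableFirewall value, and the three S3 drivers loading from Temp that the CFScript's Driver:: section removes) can be scripted. This is an added example, not code from the thread, ComboFix or SDFix; the sample log is constructed from lines quoted in the thread, and SECURITY_WATCHLIST is an assumed list of component names.

```python
"""Triage helper for the ComboFix sections a forum helper reads first.
Added example for this thread, not part of ComboFix, SDFix or the posts. It
flags MSConfig-disabled items (security components among them), firewall
profiles with EnableFirewall = 0, and drivers loaded from Temp or a .tmp file.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample, assembled from lines quoted earlier in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2008-07-20 02:38 78008 C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"avast! Antivirus"=2 (0x2)
"GNKPK"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-20 02:35]
S3 aswArKrn;aswArKrn;C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\aswArKrn.sys []
S3 GNKPK;GNKPK;C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\GNKPK.exe []
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\2.tmp []
"""
SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# ComboFix driver line: "<start type> <name>;<display name>;<image path> [<date>]"
DRIVER_RE = re.compile(r"^([RS]\d)\s+([^;]+);[^;]*;(.+?)\s+\[[^\]]*\]$")
# Security components worth a look if MSConfig disabled them: an assumption, not
# a ComboFix list (avast! entries, Security Center, Automatic Updates, Firewall).
SECURITY_WATCHLIST = {"avast!", "avast! antivirus", "aswupdsv",
                      "wscsvc", "wuauserv", "sharedaccess"}

def parse_reg_sections(text: str) -> Dict[str, List[str]]:
    """Map each [key] (lower-cased) to the non-empty lines beneath it."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or DRIVER_RE.match(line):  # driver lines: see temp_drivers()
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def msconfig_disabled(sections: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """(kind, name) for every item MSConfig has unchecked: a startupreg\\<name> key
    exists only while <name> is unchecked on the Startup tab, and msconfig\\services
    records the original start type of each service unchecked on the Services tab."""
    found: List[Tuple[str, str]] = []
    for key, lines in sections.items():
        if "\\msconfig\\startupreg\\" in key:
            found.append(("startup", key.rsplit("\\", 1)[1]))
        elif key.endswith("\\msconfig\\services"):
            found += [("service", m.group(1).lower())
                      for m in map(VALUE_RE.match, lines) if m]
    return found

def firewall_off_profiles(sections: Dict[str, List[str]]) -> List[str]:
    """Firewall policy profiles whose EnableFirewall value is 0."""
    off: List[str] = []
    for key, lines in sections.items():
        if "\\firewallpolicy\\" not in key:
            continue
        for m in filter(None, map(VALUE_RE.match, lines)):
            if m.group(1).lower() == "enablefirewall" and m.group(2).split()[:1] == ["0"]:
                off.append(key.rsplit("\\", 1)[1])
    return off

def temp_drivers(text: str) -> List[str]:
    """Drivers whose image path is under a Temp folder or ends in .tmp."""
    names: List[str] = []
    for m in filter(None, map(DRIVER_RE.match, map(str.strip, text.splitlines()))):
        path = m.group(3).lower()
        if "\\temp\\" in path or path.endswith(".tmp"):
            names.append(m.group(2))
    return names

def triage(text: str) -> Dict[str, list]:
    """Run every check on one log and return the findings by name."""
    sections = parse_reg_sections(text)
    disabled = msconfig_disabled(sections)
    return {
        "msconfig_disabled": disabled,
        "security_software_disabled": sorted(
            {name for _, name in disabled if name in SECURITY_WATCHLIST}),
        "firewall_off_profiles": firewall_off_profiles(sections),
        "temp_drivers": temp_drivers(text),
    }

if __name__ == "__main__":
    for finding, items in triage(SAMPLE_LOG).items():
        print(f"{finding}: {items}")
```

Run against a full ComboFix log the same functions work unchanged, since they only look at the bracketed registry sections and the R/S driver lines.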

AKILLSUX
2008-08-12, 09:24
Hi, cannot see how to re-enable antivirus... I only exited it before running ComboFix the first time, that's when the icons went... I can't access the system selective startup, "access was denied". I am the administrator of a standalone computer on dialup and used by no one else, how can I get my access and antivirus back?
Will do the next stage, bye for now.

AKILLSUX
2008-08-12, 11:07
Back again, really appreciate all your effort, this is so complex to me!
3 logs follow:

SDFix: Version 1.215
Run by HP_Administrator on Tue 12/08/2008 at 07:46 p.m.

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-12 19:58:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4F8561EA-489E-25F2-CD1C-9A6D2753D252}]
"iaepjlkaomgpjjlibk"=hex:6a,61,6c,69,6a,70,67,66,6a,66,69,6c,61,68,6c,67,65,6c,66,6a,00,..
"haoopkjkaelfamgg"=hex:6a,61,6a,69,62,61,6f,63,6c,6b,67,6e,62,66,64,6d,69,66,62,66,00,..

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"="C:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe:*:Disabled:Adobe Photoshop Elements Media Server"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"="C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe:*:Enabled:BackWeb for Pavilion"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%ProgramFiles%\\iTunes\\iTunes.exe"="%ProgramFiles%\\iTunes\\iTunes.exe:*:enabled:iTunes"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Fri 21 Oct 2005 211 A.SHR --- "C:\BOOT.BAK"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 7 Jul 2008 2,156,368 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 16 Nov 2005 22 A.SH. --- "C:\WINDOWS\SMINST\HPCD.sys"
Sat 10 Jun 2006 104 A.SHR --- "C:\WINDOWS\system32\11060A099A.sys"
Mon 24 Mar 2008 88 A.SHR --- "C:\WINDOWS\system32\9A090A0611.sys"
Mon 24 Mar 2008 5,018 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Fri 22 Jul 2005 2,045 A..H. --- "C:\WINDOWS\system32\whlb32g.dll"
Mon 31 Oct 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 20 Nov 2005 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv10.bak"
Tue 29 Nov 2005 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv11.bak"
Sat 21 Jan 2006 782 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv12.bak"
Sun 23 Apr 2006 1,163 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv13.bak"
Sat 11 Mar 2006 1,163 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv14.bak"
Sat 11 Mar 2006 1,163 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv15.bak"
Sat 21 Jan 2006 782 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv16.bak"
Sun 23 Apr 2006 782 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv17.bak"
Mon 31 Oct 2005 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv19.bak"
Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\sdold\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT2.tmp"
Thu 6 Dec 2007 1,123,880 A..H. --- "C:\WINDOWS\sdold\Download\44e979936d19a4e833746e7d6f8e194d\BIT2.tmp"
Sat 5 Jul 2008 0 A..H. --- "C:\WINDOWS\sdold\Download\5daa4302a571c70622f2d915134243e4\BIT2.tmp"
Fri 16 May 2008 9,534,016 A..H. --- "C:\WINDOWS\sdold\Download\7c13b8e6c7c42a03e147155b9886753a\BIT8.tmp"
Mon 7 Apr 2008 9,245,760 A..H. --- "C:\WINDOWS\sdold\Download\90852e52670a109154a93ef73f224b9a\BIT7.tmp"
Fri 11 Jul 2008 601,152 A..H. --- "C:\WINDOWS\sdold\Download\cad1b3db84542881b7f0e03133a51894\BIT100.tmp"
Sun 22 Jun 2008 0 A..H. --- "C:\WINDOWS\sdold\Download\f57152a5a22ab72198f43b935bbd91fa\BIT2.tmp"
Thu 24 Jan 2008 0 A..H. --- "C:\WINDOWS\sdold\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT2.tmp"
Fri 6 Jun 2008 0 A..H. --- "C:\WINDOWS\sdold\Download\fe04f301a806183016ad136a2f18fddc\BIT2.tmp"
Thu 7 Aug 2008 6,004 A.SH. --- "C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE1.tmp"

Finished!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:56:16 p.m., on 12/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\spoolsv.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [HPHUPD06] "c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe"
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FD76BEB-89CC-4CEB-965D-24200785D4CF}: NameServer = 202.49.233.1 202.49.233.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{1FD76BEB-89CC-4CEB-965D-24200785D4CF}: NameServer = 202.49.233.1 202.49.233.2
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 8613 bytes

ComboFix 08-08-07.05 - HP_Administrator 2008-08-12 20:17:00.3 - NTFSx86

Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript.txt

FILE ::
C:\WINDOWS\003237_.tmp
C:\WINDOWS\system32\11060A099A.sys
C:\WINDOWS\system32\9A090A0611.sys
C:\WINDOWS\system32\SET11EC.tmp
C:\WINDOWS\system32\SET11EF.tmp
C:\WINDOWS\system32\SET11F0.tmp
C:\WINDOWS\system32\SET11F4.tmp
C:\WINDOWS\system32\SET11F9.tmp
C:\WINDOWS\system32\SET120A.tmp
C:\WINDOWS\system32\SET1226.tmp
C:\WINDOWS\system32\SET1250.tmp
C:\WINDOWS\system32\SET1253.tmp
C:\WINDOWS\system32\SET1EE.tmp
C:\WINDOWS\system32\SET2C9.tmp
C:\WINDOWS\system32\SET5EE.tmp
C:\WINDOWS\system32\SET5F4.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\003237_.tmp
C:\WINDOWS\system32\11060A099A.sys
C:\WINDOWS\system32\9A090A0611.sys
C:\WINDOWS\system32\SET11EC.tmp
C:\WINDOWS\system32\SET11EF.tmp
C:\WINDOWS\system32\SET11F0.tmp
C:\WINDOWS\system32\SET11F4.tmp
C:\WINDOWS\system32\SET11F9.tmp
C:\WINDOWS\system32\SET120A.tmp
C:\WINDOWS\system32\SET1226.tmp
C:\WINDOWS\system32\SET1250.tmp
C:\WINDOWS\system32\SET1253.tmp
C:\WINDOWS\system32\SET1EE.tmp
C:\WINDOWS\system32\SET2C9.tmp
C:\WINDOWS\system32\SET5EE.tmp
C:\WINDOWS\system32\SET5F4.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASWARKRN
-------\Legacy_GNKPK
-------\Legacy_MEMSWEEP2
-------\Service_aswArKrn
-------\Service_GNKPK
-------\Service_MEMSWEEP2


((((((((((((((((((((((((( Files Created from 2008-07-12 to 2008-08-12 )))))))))))))))))))))))))))))))
.

2008-08-12 19:42 . 2008-08-12 19:43 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-12 19:36 . 2008-08-12 20:01 <DIR> d-------- C:\SDFix
2008-08-07 20:19 . 2008-08-07 20:32 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-07 20:19 . 2008-08-07 20:32 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-07 20:19 . 2008-08-07 20:31 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-07 20:12 . 2008-04-14 05:42 1,703,936 --a------ C:\WINDOWS\system32\SET289.tmp
2008-08-07 20:11 . 2008-04-14 05:42 1,499,136 --a------ C:\WINDOWS\system32\SET1EF.tmp
2008-08-07 20:05 . 2004-08-10 16:00 4,256,768 --a------ C:\WINDOWS\system32\dllcache\wmm2res.dll
2008-08-07 20:04 . 2007-10-26 15:34 8,460,288 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-08-07 20:03 . 2007-02-28 21:10 2,180,352 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-08-07 20:00 . 2008-08-07 20:00 <DIR> d-------- C:\WINDOWS\New Folder
2008-08-07 19:54 . 2008-08-07 20:21 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-06 22:49 . 2008-08-06 22:49 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-06 22:49 . 2008-08-06 22:49 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2008-08-06 22:49 . 2008-08-06 22:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-06 22:48 . 2008-08-06 22:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-06 20:48 . 2008-08-06 20:48 <DIR> d-------- C:\Program Files\COMODO
2008-08-06 20:48 . 2008-08-06 20:48 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Comodo
2008-08-06 20:48 . 2008-08-06 21:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-08-06 20:48 . 2008-08-06 20:48 143,104 --a------ C:\WINDOWS\system32\guard32.dll
2008-08-06 20:48 . 2008-08-06 20:48 87,056 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-08-06 20:48 . 2008-08-06 20:48 24,208 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-08-02 22:21 . 2008-08-02 22:21 <DIR> d-------- C:\Autoruns
2008-07-25 16:45 . 2008-07-25 16:45 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-25 16:45 . 2008-07-25 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-24 23:15 . 2008-07-24 23:15 <DIR> d-------- C:\Program Files\Safer Networking
2008-07-24 22:43 . 2008-07-24 22:43 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-07-19 19:41 . 2008-08-03 19:01 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-19 19:41 . 2008-07-19 19:41 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Malwarebytes
2008-07-19 19:41 . 2008-07-19 19:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-19 19:41 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-19 19:41 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-18 18:12 . 2008-07-18 18:12 <DIR> d-------- C:\Program Files\Sophos
2008-07-17 16:36 . 2008-07-17 16:36 <DIR> d-------- C:\VundoFix Backups
2008-07-15 15:45 . 2008-07-15 15:45 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-07-13 18:48 . 2008-07-29 18:03 <DIR> d-------- C:\1954455e9283aee02610

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-12 07:37 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\WTablet
2008-08-12 06:01 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Canon
2008-08-08 05:38 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-19 02:29 --------- d-----w C:\Program Files\Common Files\Real
2008-07-14 23:32 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-23 09:23 --------- d-----w C:\Documents and Settings\LocalService\Application Data\WTablet
2008-06-23 09:17 --------- d-----w C:\Program Files\Common Files\TiVo Shared
2008-06-23 09:15 --------- d-----w C:\Program Files\Sonic
2008-06-23 09:14 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-06-23 07:34 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-06-23 02:55 --------- d---a-w C:\Program Files\Common Files\LightScribe
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2005-11-02 09:27 0 ----a-w C:\Program Files\pspbrwse.jbf
2005-11-16 07:20 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2008-03-24 05:22 5,018 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\New Folder ----



((((((((((((((((((((((((((((( snapshot@2008-08-11_16.15.18.66 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 04:27:04 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-08-12 07:43:15 6,299,648 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-08-12 07:43:15 114,688 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 04:27:04 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-08-12 07:42:59 6,299,648 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-08-12 07:42:59 114,688 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2008-08-12 08:21:01 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_434.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 16:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ulead AutoDetector v2"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-08-27 19:22 90112]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-15 01:43 233472]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2004-10-26 02:17 90112]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 11:00 49152]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 01:54 253952]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-03 03:44 61440]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 21:04 52736]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-01 23:05 339968]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 16:00 208952]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 04:04 59392]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-08 01:38 659456]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-08 01:44 49152]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 16:00 59392]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-02-14 13:49 278528]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 14:07 49263]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 16:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 16:00 455168]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 09:44 81920]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 09:44 249856]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-08-06 20:48 1655552]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 18:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 22:06 88363 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 12:45 36040]

C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 18:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 21:28:24 258048]
LUMIX Simple Viewer.lnk - C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2006-10-26 22:16:25 57344]
Updates from HP.lnk - C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe [2005-06-29 15:08:27 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2008-07-20 02:38 78008 C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WmiApSrv"=3 (0x3)
"Wmi"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"winmgmt"=2 (0x2)
"WebClient"=2 (0x2)
"W32Time"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"uploadmgr"=2 (0x2)
"UMWdf"=3 (0x3)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"TabletService"=2 (0x2)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stllssvr"=3 (0x3)
"stisvc"=2 (0x2)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"Spooler"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"ProtexisLicensing"=2 (0x2)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"PlugPlay"=2 (0x2)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Nla"=3 (0x3)
"Netman"=3 (0x3)
"Netlogon"=3 (0x3)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"MHN"=3 (0x3)
"LmHosts"=2 (0x2)
"LightScribeService"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"iPodService"=3 (0x3)
"ImapiService"=3 (0x3)
"IDriverT"=3 (0x3)
"HTTPFilter"=3 (0x3)
"HidServ"=2 (0x2)
"helpsvc"=2 (0x2)
"GNKPK"=3 (0x3)
"Fax"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"Dnscache"=2 (0x2)
"dmserver"=2 (0x2)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"CryptSvc"=2 (0x2)
"COMSysApp"=3 (0x3)
"cmdAgent"=2 (0x2)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"CiSvc"=3 (0x3)
"CCALib8"=2 (0x2)
"Browser"=2 (0x2)
"BITS"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"AudioSrv"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"aswUpdSv"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"ALG"=3 (0x3)
"Alerter"=2 (0x2)
"AdobeActiveFileMonitor4.0"=2 (0x2)
"Adobe LM Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-20 02:35]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-08-06 20:48]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-08-06 20:48]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-20 02:37]
R3 CXFALCON;Conexant Falcon II NTSC Video Capture;C:\WINDOWS\system32\drivers\cxfalcon.sys [2005-04-20 22:57]
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2006-02-15 09:18]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2006-11-16 07:55]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-12 20:21:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-08-12 20:26:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-12 08:26:38
ComboFix2.txt 2008-08-11 04:15:50

Pre-Run: 113,141,280,768 bytes free
Post-Run: 113,128,169,472 bytes free

302
Hope this is ok, thanks again
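
An added example, not from the thread or from ComboFix, that reads two sections of a dump like the one above the way a helper would: the service list under the MSCONFIG key (the block ending in "Adobe LM Service"; every entry there is a service that Selective startup has switched off, the number being its original start type) and the firewall policy block. The watch-list of critical services and the sample lines are my own assumptions/constructions, modelled on the log.

```python
"""Triage two sections of a ComboFix registry dump for update-blocking settings.

Added example, not part of the original thread or of ComboFix itself.  It reads
the REGEDIT4-style lines of the log and reports:
  * services held disabled by MSCONFIG "Selective startup": every entry under
    [HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\services]
    is such a service, the number being its original start type
  * the Windows Firewall standard profile ("EnableFirewall"= 0 means off)
"""
import re

# Services Windows Update and recovery on XP depend on (assumed watch-list).
CRITICAL_SERVICES = {
    "wuauserv": "Automatic Updates",
    "BITS": "Background Intelligent Transfer Service, downloads updates",
    "CryptSvc": "Cryptographic Services, verifies update signatures",
    "SharedAccess": "Windows Firewall / Internet Connection Sharing",
    "srservice": "System Restore",
}
START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}
MSCONFIG_KEY = "hkey_local_machine\\software\\microsoft\\shared tools\\msconfig\\services"

SECTION_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=\s*(\d+)\s*\(0x[0-9a-fA-F]+\)$')


def parse_dump(text):
    """Map each [section] (lower-cased) to its {name: int} DWORD values."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = int(m.group(2))
    return sections


def msconfig_disabled_critical(sections):
    """Critical services found under the MSCONFIG key -> (original start type, why)."""
    held = sections.get(MSCONFIG_KEY, {})
    lookup = {k.lower(): k for k in CRITICAL_SERVICES}
    found = {}
    for name, start in held.items():
        crit = lookup.get(name.lower())
        if crit:
            found[crit] = (START_TYPES.get(start, str(start)), CRITICAL_SERVICES[crit])
    return found


def firewall_enabled(sections):
    """True/False from the standard-profile policy, None if it is not in the dump."""
    for name, values in sections.items():
        if name.endswith("firewallpolicy\\standardprofile") and "EnableFirewall" in values:
            return values["EnableFirewall"] != 0
    return None


def triage(text):
    """Human-readable findings, in a stable order, for one dump."""
    sections = parse_dump(text)
    findings = []
    for svc, (start, why) in sorted(msconfig_disabled_critical(sections).items()):
        findings.append(f"{svc} ({why}) is switched off by MSCONFIG; "
                        f"its start type was {start} before")
    if firewall_enabled(sections) is False:
        findings.append("Windows Firewall standard profile is OFF (EnableFirewall=0)")
    return findings


# Constructed sample, copied in shape from the entries in the log above.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"CryptSvc"=2 (0x2)
"Browser"=2 (0x2)
"BITS"=2 (0x2)
"ALG"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("-", finding)
```

Selecting Normal Startup in MSCONFIG, as advised further down, empties that key and restores the listed services to their stored start types.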

katana
2008-08-12, 11:36
Click Start >> Run

In the Run box, Copy/Paste the following

MSCONFIG

Now click <Enter>

On the General Tab, select Normal Startup

Click OK and reboot

Please rerun ComboFix and post the fresh log

AKILLSUX
2008-08-12, 12:04
Went into MSCONFIG, did the above and rebooted, went back in and the selective startup items are all checked now, is this right? The icons are not back but the firewall shows ashWebSv.exe as being 99.1% of the traffic.
Do you mean run ComboFix just by clicking on the .exe on the desktop?

katana
2008-08-12, 13:13
Went into MSCONFIG, did the above and rebooted, went back in and the selective startup items are all checked now, is this right? The icons are not back but the firewall shows ashWebSv.exe as being 99.1% of the traffic.
Do you mean run ComboFix just by clicking on the .exe on the desktop?

That's correct.
AshWebSv.exe is part of Avast.

Just double click ComboFix.exe

AKILLSUX
2008-08-12, 23:23
ComboFix new log
ComboFix 08-08-07.05 - HP_Administrator 2008-08-13 9:10:34.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.215 [GMT 12:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-07-12 to 2008-08-12 )))))))))))))))))))))))))))))))
.

2008-08-12 19:42 . 2008-08-12 19:43 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-12 19:36 . 2008-08-12 20:01 <DIR> d-------- C:\SDFix
2008-08-07 20:19 . 2008-08-07 20:32 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-07 20:19 . 2008-08-07 20:32 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-07 20:19 . 2008-08-07 20:31 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-07 20:12 . 2008-04-14 05:42 1,703,936 --a------ C:\WINDOWS\system32\SET289.tmp
2008-08-07 20:11 . 2008-04-14 05:42 1,499,136 --a------ C:\WINDOWS\system32\SET1EF.tmp
2008-08-07 20:05 . 2004-08-10 16:00 4,256,768 --a------ C:\WINDOWS\system32\dllcache\wmm2res.dll
2008-08-07 20:04 . 2007-10-26 15:34 8,460,288 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-08-07 20:03 . 2007-02-28 21:10 2,180,352 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-08-07 20:00 . 2008-08-07 20:00 <DIR> d-------- C:\WINDOWS\New Folder
2008-08-07 19:54 . 2008-08-07 20:21 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-06 22:49 . 2008-08-06 22:49 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-06 22:49 . 2008-08-06 22:49 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2008-08-06 22:49 . 2008-08-06 22:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-06 22:48 . 2008-08-06 22:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-06 20:48 . 2008-08-06 20:48 <DIR> d-------- C:\Program Files\COMODO
2008-08-06 20:48 . 2008-08-06 20:48 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Comodo
2008-08-06 20:48 . 2008-08-06 21:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-08-06 20:48 . 2008-08-06 20:48 143,104 --a------ C:\WINDOWS\system32\guard32.dll
2008-08-06 20:48 . 2008-08-06 20:48 87,056 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-08-06 20:48 . 2008-08-06 20:48 24,208 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-08-02 22:21 . 2008-08-02 22:21 <DIR> d-------- C:\Autoruns
2008-07-25 16:45 . 2008-07-25 16:45 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-25 16:45 . 2008-07-25 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-24 23:15 . 2008-07-24 23:15 <DIR> d-------- C:\Program Files\Safer Networking
2008-07-24 22:43 . 2008-07-24 22:43 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-07-19 19:41 . 2008-08-03 19:01 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-19 19:41 . 2008-07-19 19:41 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Malwarebytes
2008-07-19 19:41 . 2008-07-19 19:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-19 19:41 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-19 19:41 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-18 18:12 . 2008-07-18 18:12 <DIR> d-------- C:\Program Files\Sophos
2008-07-17 16:36 . 2008-07-17 16:36 <DIR> d-------- C:\VundoFix Backups
2008-07-15 15:45 . 2008-07-15 15:45 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-07-13 18:48 . 2008-07-29 18:03 <DIR> d-------- C:\1954455e9283aee02610

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-12 20:52 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\WTablet
2008-08-12 08:51 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Canon
2008-08-08 05:38 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-19 02:29 --------- d-----w C:\Program Files\Common Files\Real
2008-07-14 23:32 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-23 09:23 --------- d-----w C:\Documents and Settings\LocalService\Application Data\WTablet
2008-06-23 09:17 --------- d-----w C:\Program Files\Common Files\TiVo Shared
2008-06-23 09:15 --------- d-----w C:\Program Files\Sonic
2008-06-23 09:14 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-06-23 07:34 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-06-23 02:55 --------- d---a-w C:\Program Files\Common Files\LightScribe
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock(2)(3).dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dnsapi(2)(3).dll
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
2005-11-02 09:27 0 ----a-w C:\Program Files\pspbrwse.jbf
2005-11-16 07:20 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2008-03-24 05:22 5,018 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-08-11_16.15.18.66 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 04:27:04 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-08-12 07:43:15 6,299,648 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-08-12 07:43:15 114,688 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 04:27:04 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-08-12 07:42:59 6,299,648 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-08-12 07:42:59 114,688 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2008-08-12 20:50:34 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_568.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 16:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ulead AutoDetector v2"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-08-27 19:22 90112]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-15 01:43 233472]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2004-10-26 02:17 90112]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 11:00 49152]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 01:54 253952]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-03 03:44 61440]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 21:04 52736]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-01 23:05 339968]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 16:00 208952]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 04:04 59392]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-08 01:38 659456]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-08 01:44 49152]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 16:00 59392]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-02-14 13:49 278528]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 14:07 49263]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 16:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 16:00 455168]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 09:44 81920]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 09:44 249856]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-08-06 20:48 1655552]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 18:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 22:06 88363 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 12:45 36040]

C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 18:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 21:28:24 258048]
LUMIX Simple Viewer.lnk - C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2006-10-26 22:16:25 57344]
Updates from HP.lnk - C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe [2005-06-29 15:08:27 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2008-07-20 02:38 78008 C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"GNKPK"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-20 02:35]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-08-06 20:48]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-08-06 20:48]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-20 02:37]
R3 CXFALCON;Conexant Falcon II NTSC Video Capture;C:\WINDOWS\system32\drivers\cxfalcon.sys [2005-04-20 22:57]
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2006-02-15 09:18]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2006-11-16 07:55]

*Newly Created Service* - CATCHME
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\ny26a2ie.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.com


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-13 09:15:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-13 9:17:16
ComboFix-quarantined-files.txt 2008-08-12 21:16:58
ComboFix2.txt 2008-08-12 08:26:49
ComboFix3.txt 2008-08-11 04:15:50

Pre-Run: 113,151,967,232 bytes free
Post-Run: 113,138,364,416 bytes free

166
Bye for now, all the best

katana
2008-08-13, 00:55
That looks fine now, do you have any problems still ?

AKILLSUX
2008-08-13, 03:16
The Avast icons are still not in the tray. Should I try the Java updates again? I notice that when I ping any of the sun.java or java sites, the requests time out and the packets are lost.
Same when I ping www.microsoft.com, I get the result "pinging 1b1 www.ms.akadns.net etc", and the packets are lost

katana
2008-08-13, 06:49
For Avast please try the following

Click Start >> All Programs >> Avast Antivirus >> Avast Antivirus

When it has opened

Click Menu >> Settings >> Appearance
make sure Show Avast Tray Icon is ticked


Please do a Tracert command for Java and Microsoft


Create A Tracert Batch File
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it as "All Files" and name it look.bat. Please save it on your desktop.



@echo off
if exist C:\kresults.txt del /q C:\kresults.txt
Echo Tracing Route ..... Please Wait
FOR %%G IN (
java.sun.com
microsoft.com
) DO (
Echo %%G
echo %%G >> C:\kresults.txt
tracert %%G >> C:\kresults.txt
echo. >> C:\kresults.txt
echo. >> C:\kresults.txt
)
Echo Finished
start notepad C:\kresults.txt
del /q %0
exit

Double click on look.bat
Please be patient, as this may take a while

Notepad will open, please copy/paste the results here.

AKILLSUX
2008-08-13, 07:31
java.sun.com

Tracing route to java.sun.com [72.5.124.55]
over a maximum of 30 hops:

1 145 ms 143 ms 143 ms max3.ps.gen.nz [XXX.XX.XXX.XXX]
2 154 ms 149 ms 143 ms gw.ps.gen.nz [XXX.XX.XXX.XXX]
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.

Trace complete.

microsoft.com

Tracing route to microsoft.com [207.46.197.32]
over a maximum of 30 hops:

1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.

Trace complete.
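
An added example (mine, not the thread's) that reads look.bat output in the format posted above and summarises, per target, where the path stops answering; it also goes one step beyond the thread by flagging a name that resolves to a loopback or private address, the signature of a hosts-file or DNS redirect, which nothing in this thread reports. The sample traces are constructed in that format; the third, update.example.invalid, is invented purely to exercise that check.

```python
"""Summarise Windows tracert output of the kind look.bat writes.

Added example, not part of the original thread.  For each "Tracing route to"
block it reports whether the target was reached, how many leading hops answered
before the first timeout, and whether the name resolved to a loopback or
private address (a hosts-file or DNS redirect; the thread reports no such case).
"""
import ipaddress
import re

HEADER_RE = re.compile(r"^Tracing route to (\S+) \[([^\]]+)\]")
HOP_RE = re.compile(r"^(\d+)\s+(.*)$")
# three RTT columns, each "<n> ms" or "*", then the host or "Request timed out."
RTT_RE = re.compile(r"^(?:(?:<?\d+\s*ms|\*)\s+){3}(.*)$")


def parse_tracert(text):
    """Return [{"target", "address", "hops": [(n, answered, host_or_None)]}]."""
    traces, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            cur = {"target": m.group(1), "address": m.group(2), "hops": []}
            traces.append(cur)
            continue
        m = HOP_RE.match(line) if cur else None
        if not m:
            continue  # echoed target name, "over a maximum", "Trace complete."
        rtt = RTT_RE.match(m.group(2))
        if not rtt:
            continue
        tail = rtt.group(1).strip()
        if tail.startswith("Request timed out"):
            cur["hops"].append((int(m.group(1)), False, None))
        else:
            cur["hops"].append((int(m.group(1)), True, tail))
    return traces


def diagnose(trace):
    """(verdict, notes): where the path fails, plus name-resolution warnings."""
    addr = trace["address"]
    answered = [n for n, ok, _ in trace["hops"] if ok]
    reached = any(ok and addr in host for _, ok, host in trace["hops"])
    notes = []
    try:
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback or ip.is_private or ip.is_unspecified:
            notes.append(f"{trace['target']} resolved to {ip}: check the hosts file and DNS")
    except ValueError:
        pass  # masked ("XXX.XX...") or otherwise unparsable address
    if reached:
        verdict = "reached"
    elif not answered:
        verdict = ("no hop answered, not even the first: compare with a trace that "
                   "does reach the gateway; if that works, these probes are being "
                   "dropped or misrouted on the host itself")
    else:
        verdict = (f"hops 1-{max(answered)} answered, everything beyond timed out: "
                   "the path is blocked upstream of the local gateway")
    return verdict, notes


# Constructed sample in the look.bat format above; the third trace is invented
# to show the redirect check.
SAMPLE = """\
java.sun.com

Tracing route to java.sun.com [72.5.124.55]
over a maximum of 30 hops:

  1   145 ms   143 ms   143 ms  max3.ps.gen.nz [XXX.XX.XXX.XXX]
  2   154 ms   149 ms   143 ms  gw.ps.gen.nz [XXX.XX.XXX.XXX]
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.

Trace complete.

microsoft.com

Tracing route to microsoft.com [207.46.197.32]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.

Trace complete.

Tracing route to update.example.invalid [127.0.0.1]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  localhost [127.0.0.1]

Trace complete.
"""

if __name__ == "__main__":
    for t in parse_tracert(SAMPLE):
        verdict, notes = diagnose(t)
        print(f"{t['target']}: {verdict}")
        for n in notes:
            print("  !", n)
```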

katana
2008-08-13, 07:42
Click Start >> Run type cmd and hit OK
In the CMD window type

ipconfig /flushdns

then hit enter, type exit hit enter
(that space between g and / is needed)

Reboot and see if that helped.

Have you got a router ?

AKILLSUX
2008-08-13, 08:17
Sorry, I do have a few additional worries. Still unexplained temp files perflib perfdata, and some with names like ~DF6ADF, anything to worry about?
Avast icons option is ticked
In the received files where I keep my logs, a couple of .js files I definitely did not save there.
A new file on the C drive called QooBox (27mb), no idea about that
Heaps of Temp Internet files in my Local Settings?

katana
2008-08-13, 11:15
perflib perfdata and ~DF6ADF are perfectly normal and every computer has them

The .js files are likely to be Java Script files for sites that you visit

QooBox is part of ComboFix, and we will remove that shortly

Heaps of Temp Internet files. Every time you connect to the web you will get those type of files. I will give you links to a couple of programs shortly that can help you remove unwanted junk.

Any other problems ?

AKILLSUX
2008-08-13, 11:36
I am on slow dial up, no router, I am sole user and administrator of a standalone computer. System Restore appears to be broken, I get a message saying "system restore can no longer protect your computer, please restart etc". Avast did delete a trojan from there a while back
Flushed DNS cache, got to the Java page, downloaded and have the file ready to install... but the old Java files do NOT want to uninstall... in Add/Remove Programs I get a variety of popup messages, the jusched.exe which I was suspicious about can't be removed
Also can't remove an Adobe Reader update, the remove option is missing

katana
2008-08-13, 13:04
Re. "system restore can no longer protect your computer, please restart",

Have you tried restarting ?
Have you tried turning system restore off then back on ?

Please do the following

Please download FixPolicies.exe (http://downloads.malwareremoval.com/BillCastner/FixPolicies.exe) by Bill Castner and save it to your desktop.
Double click on FixPolicies.exe to run it.
Click on Install. It will create a folder named FixPolicies on your desktop.
Open the FixPolicies folder.
Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly; this is normal.



Reset System Restore.
Now you should disable System restore to purge any infected files and then re-enable it,

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer

Turn ON System Restore

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Un-Check Turn off System Restore.
Click Apply, and then click OK.

AKILLSUX
2008-08-13, 13:27
An "access is denied" message flashed when the fix policies ran.
I can't find the System Restore tab, is there another way to access it?

katana
2008-08-13, 14:11
Deckard's System Scanner (DSS)

Please download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) to your Desktop.
Note: You must be logged onto an account with administrator privileges.

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply.

AKILLSUX
2008-08-14, 03:42
Hi again, that link is dead too, but I do have a log of the strings appearing when rstrui.exe (System Restore) was trying to run, it is very long, let me know if it is any use

AKILLSUX
2008-08-14, 04:53
Got System Restore back, it had been disabled in the services (not by me!). Just need to get rid of the old Java, can show a log of the rundll.exe strings running when I get the error messages in the Control Panel, if that is of any use
Also I note that the Java Runtimes I have installed are 3 huge files, yet the update I downloaded is only 15mb approx, is that normal?

katana
2008-08-14, 11:52
Please download JavaRa (http://sourceforge.net/project/downloading.php?groupname=javara&filename=JavaRa.zip&use_mirror=osdn) and unzip it to your desktop.

***Please close any instances of Internet Explorer before continuing!***

Double-click on JavaRa.exe to start the program.
From the drop-down menu, choose English and click on Select.
JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
A logfile will pop up. Please save it to a convenient location.

You will now need to reinstall Java. If you deleted the installer please do the following.
Download and install Java Runtime Environment (JRE) 6 Update 7 (http://java.sun.com/javase/downloads/index.jsp).

AKILLSUX
2008-08-15, 00:52
Hi again, the tool cleaned up some of the older versions, but when I go to Program Files, there is a 67mb file jre1.5.0_10. Should I try manually deleting? I was able to remove 2 instances of jusched.exe from there manually. Also as I mentioned before, the earlier Java folders were huge, the update is only about 16mb, is there a reason for that? And how do I find the Java control panel easily? One of the reasons I got so out of date is that I never saw anything to update! Same applies to all my other out of date programs... everyone should go to Secunia to check this out
On the same subject, my iTunes is out of date, I don't use it, is there any way of uninstalling it? Also an Adobe Reader update, which is in Add/Remove Programs with no option to remove, I can't find the file anywhere, and Adobe Reader did have a trojan quarantined by one of my security programs a while back
I know you have spent so much time on my problems, it is so good of you. Also what do you think caused them, given I am so cautious when on the web, and always run up to date security?
And sorry, one more thing, should the MS update CD for XP SP3 work now?

katana
2008-08-15, 12:04
Hi again, the tool cleaned up some of the older versions, but when I go to Program Files, there is a 67mb file jre1.5.0_10. Should I try manually deleting?
We can get to that in a moment.


Also as I mentioned before, the earlier Java folders were huge, the update is only about 16mb, is there a reason for that?
It depends which package you downloaded, the full install or just the runtime environment


And how do I find the Java control panel easily?
Start >> Control Panel >> Java


my iTunes is out of date, I don't use it, is there any way of uninstalling it?
Have you tried Add/Remove Programs ?


also an Adobe Reader update, which is in Add/Remove Programs with no option to remove,
Which Adobe is it ? There is no Adobe Reader in your original uninstall list.


also what do you think caused them?
It could have been almost anything.


should the MS update CD for XP SP3 work now?
Let's leave that for the moment, until we have sorted the other problems.

Create A Batch File
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it as "All Files" and name it look.bat. Please save it on your desktop.



@echo off
if exist C:\kresults.txt del /q C:\kresults.txt
Echo Searching ..... Please Wait
FOR %%G IN (
Adobe
Java
) DO (
echo %%G >> C:\kresults.txt
dir C:\*.* /L /A /B /S|Find "%%G" >> C:\kresults.txt
echo. >> C:\kresults.txt
echo. >> C:\kresults.txt
)
Echo Finished
start notepad C:\kresults.txt
del /q %0
exit

Double click on look.bat
Please be patient, as this will search the entire disc

Notepad will open, please copy/paste the results here.

AKILLSUX
2008-08-17, 00:20
Hello, to clarify the above
I downloaded the Java installation as you directed, the file is jre6u7windows i586.p.exe
The Adobe Reader update might not have appeared on the uninstall program list, but is at the top of the Add/Remove list... Adobe Reader 6.0.2 update, a 5.64mb file with no option to remove. I removed the rest of Adobe Reader when I had the trojan.
iTunes looks like it is being removed when I use that option, but it always comes back
Look.bat only ran for a minute or two, and the log is
Adobe


Java

katana
2008-08-17, 12:29
Do you get any error message when you try to uninstall Itunes ?


Create A Batch File
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it as "All Files" and name it look.bat. Please save it on your desktop.

@echo off
if exist C:\kresults.txt del /q C:\kresults.txt
Echo Searching ..... Please Wait
FOR %%G IN (
Adobe
Java
) DO (
echo %%G >> C:\kresults.txt
dir /L /A /B /S "C:\%%G.*" >> C:\kresults.txt
echo. >> C:\kresults.txt
echo. >> C:\kresults.txt
)
Echo Finished
start notepad C:\kresults.txt
del /q %0
exit

Double click on look.bat
Please be patient, as this will search the entire disc

Notepad will open, please copy/paste the results here.

AKILLSUX
2008-08-18, 07:28
Hi again, result this time
Adobe
c:\documents and settings\all users\application data\adobe
c:\documents and settings\all users\application data\adobe\photoshop elements\how-tos\4.0\en_us\recipes\adobe
c:\documents and settings\hp_administrator\application data\adobe
c:\documents and settings\hp_administrator\application data\macromedia\flash player\#sharedobjects\ghg4hql3\adobe.com
c:\documents and settings\hp_administrator\local settings\application data\adobe
c:\documents and settings\hp_administrator\my documents\my pictures\adobe
c:\program files\adobe
c:\program files\common files\adobe
c:\program files\common files\adobe\typespt\unicode\mappings\adobe
c:\windows\system32\adobe


Java
c:\documents and settings\hp_administrator\application data\sun\java
c:\program files\java
c:\program files\common files\java
c:\program files\gimp-2.0\share\gimp\2.0\patterns\java.pat
c:\program files\java\jre1.5.0_10\bin\java.dll
c:\program files\java\jre1.5.0_10\bin\java.exe
c:\program files\java\jre1.5.0_10\lib\security\java.policy
c:\program files\java\jre1.5.0_10\lib\security\java.security
c:\program files\pc-doctor for windows\java
c:\program files\pc-doctor for windows\java\jre\bin\java.dll
c:\program files\pc-doctor for windows\java\jre\bin\java.exe
c:\program files\pc-doctor for windows\java\jre\lib\security\java.policy
c:\program files\pc-doctor for windows\java\jre\lib\security\java.security
c:\program files\ulead systems\ulead photoimpact 10 se\wcsdata\java
c:\windows\java
c:\windows\sun\java
c:\windows\system32\java.exe


Not sure if this is relevant, but I took the browser security test mentioned on this site, and found that although my Firefox is up to date (v2.0.0.16) I did not pass the Apple QuickTime scripting vulnerability. My QuickTime is v6.5.2 (I think) and will not run or update.
Also had a result on the HJT ADSSpy scan

AKILLSUX
2008-08-18, 09:46
Another wave of infection I think... just when I thought we were getting somewhere! SUPERAntiSpyware was interrupted when updating, it started to search for updates again, but when I tried to terminate, an error message appeared: "Program could not be terminated as it is locked by the system". Had to turn off the computer to get out of that lot
Spybot showed no threats in safe mode
Tried running the Comodo scan in safe mode, but a warning message re the Defense+ system shows, which does not appear in normal mode
Avast is still a concern, no icons, and no auto update... iTunes, I click remove and nothing happens

katana
2008-08-18, 13:29
To be honest, I suspect system instability at this point rather than malware.
There is no evidence of current infection, yet your problems appear to be increasing.

OTMoveIt
Please download OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) and save it to your desktop

Double-click OTMoveIt2.exe to run it.
Copy the lines in the codebox below.



c:\documents and settings\all users\application data\adobe
c:\documents and settings\hp_administrator\application data\adobe
c:\documents and settings\hp_administrator\application data\macromedia\flash player\#sharedobjects\ghg4hql3\adobe.com
c:\documents and settings\hp_administrator\local settings\application data\adobe
c:\documents and settings\hp_administrator\my documents\my pictures\adobe
c:\program files\adobe
c:\program files\common files\adobe
c:\windows\system32\adobe
c:\documents and settings\hp_administrator\application data\sun\java
c:\program files\java
c:\program files\common files\java
c:\program files\java\jre1.5.0_10
c:\windows\java
c:\windows\sun
c:\windows\system32\java.exe


Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.


Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt2


If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Now reinstall Adobe and Java.

Please re-run ComboFix, and then do the following


Eset NOD32 Online AntiVirus

Run Eset NOD32 Online AntiVirus
http://www.eset.eu/online-scanner
Note: You will need to use Internet Explorer for this scan.

Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
Click Start
Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checked
Click Scan
Wait for the scan to finish
Re-enable your Antivirus software.
A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

AKILLSUX
2008-08-19, 04:33
This morning I could not open this reply page at all, and all other pages were really slow.
Re reinstalling Adobe, I am unsure what you mean, I am on slow dialup and could not download the gigantic Reader file from the net. Also I have Adobe Photoshop Elements, which has no problems, does this tool uninstall it and its components?

AKILLSUX
2008-08-19, 09:45
Also still unable to identify those services in services.msc that are just numbers
Service {89FE77F6-92FC-40F7-856C-AAFD60911E3D} [???]
Service {C08DF078-4392-4359-8229-20FA527CBBDD} [???]
Service {EA22DB8F-2CF2-4EA0-91A1-ED32A79D99ED} [???]

katana
2008-08-19, 13:37
Don't use OTMoveIt yet, please do the following.

Please Download GMER to your desktop

Please create a folder in the Program Files folder called GMER.

Download GMER (http://www.majorgeeks.com/GMER_d5198.html) and extract it to the C:\program files\GMER folder you have just made.


Run the Gmer.exe program by double-clicking the executable file gmer.exe.
You may be prompted to scan immediately if GMER detects rootkit activity.

If you are prompted to scan your system click "yes" to begin the scan.
If you are not prompted, Click the "Rootkit" tab, then click "Scan".


DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !

At the end of the scan, click "Copy" to copy the scan results to the clipboard. Then paste the results in a notepad file and also paste them back in your next reply.

Please post the results from the GMER scan in your reply.


Also please re-run ComboFix

AKILLSUX
2008-08-20, 06:36
Gmer Result
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-08-20 16:32:31
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB6D78618]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB6D784D4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB6D789B2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB6D780AC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB6D785AE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB6D77FEC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB6D78050]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB6D786CE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB6D7868E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB6D7880E]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB6E72F20]

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINDOWS\system32\services.exe[672] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 005B0002
IAT C:\WINDOWS\system32\services.exe[672] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 005B0000

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SSFS0509.SYS (Spy Sweeper FileSystem Filter Driver/Webroot Software Inc (www.webroot.com))
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat SSFS0509.SYS (Spy Sweeper FileSystem Filter Driver/Webroot Software Inc (www.webroot.com))
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{4F8561EA-489E-25F2-CD1C-9A6D2753D252}\InProcServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{4F8561EA-489E-25F2-CD1C-9A6D2753D252}\InProcServer32@jakpjekoohglpkcgfdka 0x6A 0x61 0x6C 0x69 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{4F8561EA-489E-25F2-CD1C-9A6D2753D252}\InProcServer32@iakppdekjijiffjkig 0x6A 0x61 0x6A 0x69 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{6D76D6D7-A7CC-131F-797F424BC93C15B8}\{47289824-B993-06F3-156E190938736781}\{502C4C98-88D9-9643-C836CEAED1829527}
Reg HKLM\SOFTWARE\Classes\CLSID\{6D76D6D7-A7CC-131F-797F424BC93C15B8}\{47289824-B993-06F3-156E190938736781}\{502C4C98-88D9-9643-C836CEAED1829527}@TKXOCIF12AS45MG3KJPY6BAVAE1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{757F58AC-056D-78F5-1369DDDE8D3DA057}\{8E7CB394-6DC8-952F-BBD65168C0AE0804}\{90FEEFF2-F058-330D-A5C639EBEDCEE7EE}
Reg HKLM\SOFTWARE\Classes\CLSID\{757F58AC-056D-78F5-1369DDDE8D3DA057}\{8E7CB394-6DC8-952F-BBD65168C0AE0804}\{90FEEFF2-F058-330D-A5C639EBEDCEE7EE}@TKXOCIF12AS45MG3KJPY6BAVAE1 0x01 0x00 0x01 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4F8561EA-489E-25F2-CD1C-9A6D2753D252}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4F8561EA-489E-25F2-CD1C-9A6D2753D252}@iaepjlkaomgpjjlibk 0x6A 0x61 0x6C 0x69 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4F8561EA-489E-25F2-CD1C-9A6D2753D252}@haoopkjkaelfamgg 0x6A 0x61 0x6A 0x69 ...

---- EOF - GMER 1.0.14 ----
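
Reading the GMER sections above takes some practice; as an added example (not code from the thread or from GMER), this Python script parses the SSDT, IAT and Registry entries, groups kernel hooks by the driver that placed them, notes that GMER names no owning module for the user-mode IAT hook, and flags registry values whose names look machine-generated while decoding the byte preview. The sample input is copied from the log above; the generated-name rule is my own heuristic.

```python
"""Triage helper for GMER rootkit-scan logs (added example, not from the
thread or from GMER): parses each section's entry type, groups SSDT hooks by
driver, and flags registry values with generated-looking names."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the GMER log posted above.
SAMPLE_LOG = r"""---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB6D78618]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB6D77FEC]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB6E72F20]

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINDOWS\system32\services.exe[672] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 005B0000

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{4F8561EA-489E-25F2-CD1C-9A6D2753D252}\InProcServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{4F8561EA-489E-25F2-CD1C-9A6D2753D252}\InProcServer32@jakpjekoohglpkcgfdka 0x6A 0x61 0x6C 0x69 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4F8561EA-489E-25F2-CD1C-9A6D2753D252}@iaepjlkaomgpjjlibk 0x6A 0x61 0x6C 0x69 ...

---- EOF - GMER 1.0.14 ----
"""

# One pattern per GMER entry type, written against the lines in the log above.
SSDT_RE = re.compile(r'^SSDT (?P<module>.+?) \((?P<desc>.*)\) (?P<func>\w+) \[(?P<addr>0x[0-9A-Fa-f]+)\]$')
IAT_RE = re.compile(r'^IAT (?P<proc>.+?)\[(?P<pid>\d+)\] @ (?P<image>.+?) \[(?P<imp>[^\]]+)\] (?P<addr>[0-9A-Fa-f]+)$')
REG_RE = re.compile(r'^Reg (?P<key>[^@]+?)(?:@(?P<value>\S+)(?: (?P<data>.*))?)?$')
# Heuristic (mine): a long run of lowercase letters with no word structure.
GENERATED_NAME_RE = re.compile(r'^[a-z]{12,}$')


def decode_preview(data):
    """Turn GMER's '0x6A 0x61 ...' byte preview into printable ASCII."""
    out = []
    for tok in data.split():
        if tok == '...':
            out.append('...')
        elif tok.startswith('0x'):
            b = int(tok, 16)
            out.append(chr(b) if 32 <= b < 127 else '.')
    return ''.join(out)


def triage(log_text):
    """Group a GMER log's entries: 'ssdt' -> {driver: [Zw funcs]},
    'iat' -> [(process, import, addr)],
    'registry' -> [{'key', 'value', 'preview', 'generated_name'}]."""
    found = {'ssdt': defaultdict(list), 'iat': [], 'registry': []}
    for line in log_text.splitlines():
        line = line.strip()
        m = SSDT_RE.match(line)
        if m:
            driver = m.group('module').rsplit('\\', 1)[-1]
            found['ssdt'][driver].append(m.group('func'))
            continue
        m = IAT_RE.match(line)
        if m:
            proc = m.group('proc').rsplit('\\', 1)[-1]
            found['iat'].append((proc, m.group('imp'), m.group('addr')))
            continue
        m = REG_RE.match(line)
        if m:
            value = m.group('value')
            found['registry'].append({
                'key': m.group('key'),
                'value': value,
                'preview': decode_preview(m.group('data') or ''),
                'generated_name': bool(value and GENERATED_NAME_RE.match(value)),
            })
    found['ssdt'] = {k: sorted(v) for k, v in found['ssdt'].items()}
    return found


def report(found):
    """One line per finding, in reading order."""
    lines = ['SSDT hooks by %s: %s' % (d, ', '.join(f)) for d, f in sorted(found['ssdt'].items())]
    for proc, imp, addr in found['iat']:
        # GMER names no owning module for these user-mode hooks, so the log
        # alone cannot say which product (if any) placed them.
        lines.append('IAT hook in %s: %s -> %s (owner not reported)' % (proc, imp, addr))
    for e in found['registry']:
        if e['generated_name']:
            lines.append("Registry value '%s' has a generated-looking name; data begins '%s'"
                         % (e['value'], e['preview']))
    return lines


if __name__ == '__main__':
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```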

AKILLSUX
2008-08-20, 06:42
When I went to run ComboFix a little message came up telling me "there is a newer version of ComboFix. Would you like to update?" I could not escape from it, terminated nircmd.exe, and it went.

katana
2008-08-20, 09:36
When I went to run ComboFix a little message came up telling me "there is a newer version of ComboFix. Would you like to update?" I could not escape from it, terminated nircmd.exe, and it went.

Download the latest version.

ComboFix.exe 1 (http://subs.geekstogo.com/ComboFix.exe)
ComboFix.exe 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
ComboFix.exe 3 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

AKILLSUX
2008-08-20, 12:00
Hi, pages still loading very slowly, and the reply page would not appear; I killed oleaut32.dll in Firefox, and it suddenly came right. Anyway, here is the Combo log:
ComboFix 08-08-18.05 - HP_Administrator 2008-08-20 21:25:11.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.220 [GMT 12:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\CFIX.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\HP_Administrator\UserData
C:\Documents and Settings\HP_Administrator\UserData\index.dat

.
((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))
.

2008-08-20 16:38 . 2008-08-20 16:38 <DIR> d-------- C:\ComboFix
2008-08-20 16:17 . 2008-08-20 16:17 250 --a------ C:\WINDOWS\gmer.ini
2008-08-20 16:06 . 2008-08-20 16:16 <DIR> d-------- C:\Program Files\GMER
2008-08-17 12:20 . 2008-08-17 12:20 0 --a------ C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2008-08-13 20:47 . 2008-08-14 19:30 <DIR> d--hs---- C:\WINDOWS\Installer
2008-08-12 19:42 . 2008-08-12 19:43 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-12 19:36 . 2008-08-12 20:01 <DIR> d-------- C:\SDFix
2008-08-07 20:19 . 2008-08-07 20:32 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-07 20:19 . 2008-08-07 20:32 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-07 20:19 . 2008-08-07 20:31 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-07 20:12 . 2008-04-14 05:42 1,703,936 --a------ C:\WINDOWS\system32\SET289.tmp
2008-08-07 20:11 . 2008-04-14 05:42 1,499,136 --a------ C:\WINDOWS\system32\SET1EF.tmp
2008-08-07 20:05 . 2004-08-10 16:00 4,256,768 --a------ C:\WINDOWS\system32\dllcache\wmm2res.dll
2008-08-07 20:04 . 2007-10-26 15:34 8,460,288 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-08-07 20:03 . 2007-02-28 21:10 2,180,352 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-08-07 20:00 . 2008-08-07 20:00 <DIR> d-------- C:\WINDOWS\New Folder
2008-08-07 19:54 . 2008-08-07 20:21 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-06 22:49 . 2008-08-06 22:49 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-06 22:49 . 2008-08-06 22:49 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2008-08-06 22:49 . 2008-08-06 22:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-06 22:48 . 2008-08-06 22:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-06 20:48 . 2008-08-19 19:27 <DIR> d-------- C:\Program Files\COMODO
2008-08-06 20:48 . 2008-08-19 19:27 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Comodo
2008-08-06 20:48 . 2008-08-19 19:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-08-02 22:21 . 2008-08-02 22:21 <DIR> d-------- C:\Autoruns
2008-07-25 16:45 . 2008-07-25 16:45 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-25 16:45 . 2008-07-25 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-24 23:15 . 2008-07-24 23:15 <DIR> d-------- C:\Program Files\Safer Networking
2008-07-24 22:43 . 2008-07-24 22:43 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-20 07:37 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-20 03:56 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\WTablet
2008-08-18 22:44 --------- d-----w C:\Program Files\Trend Micro
2008-08-14 22:16 --------- d-----w C:\Program Files\Java
2008-08-12 08:51 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Canon
2008-08-03 07:01 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-07-30 08:07 38,472 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-30 08:07 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-07-19 07:41 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Malwarebytes
2008-07-19 07:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-19 02:29 --------- d-----w C:\Program Files\Common Files\Real
2008-07-18 06:12 --------- d-----w C:\Program Files\Sophos
2008-07-14 23:32 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-23 09:23 --------- d-----w C:\Documents and Settings\LocalService\Application Data\WTablet
2008-06-23 09:17 --------- d-----w C:\Program Files\Common Files\TiVo Shared
2008-06-23 09:15 --------- d-----w C:\Program Files\Sonic
2008-06-23 09:14 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-06-23 07:34 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-06-23 02:55 --------- d---a-w C:\Program Files\Common Files\LightScribe
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock(2)(3).dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dnsapi(2)(3).dll
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
2005-11-02 09:27 0 ----a-w C:\Program Files\pspbrwse.jbf
2005-11-16 07:20 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2008-03-24 05:22 5,018 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-08-11_16.15.18.66 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 04:27:04 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-08-12 07:43:15 6,299,648 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-08-12 07:43:15 114,688 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 04:27:04 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-08-12 07:42:59 6,299,648 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-08-12 07:42:59 114,688 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2008-08-20 04:17:34 884,736 ----a-w C:\WINDOWS\gmer.dll
+ 2008-04-17 09:13:02 811,008 ----a-w C:\WINDOWS\gmer.exe
+ 2008-08-20 04:17:34 85,969 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
- 2008-07-23 06:27:31 179,668 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2008-08-18 22:46:10 1,175,528 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2008-08-20 03:54:40 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_528.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 16:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ulead AutoDetector v2"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-08-27 19:22 90112]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-15 01:43 233472]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2004-10-26 02:17 90112]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 11:00 49152]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 01:54 253952]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-03 03:44 61440]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 21:04 52736]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-01 23:05 339968]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 16:00 208952]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 04:04 59392]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-08 01:38 659456]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-08 01:44 49152]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 16:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 16:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 16:00 455168]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 09:44 81920]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 09:44 249856]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 18:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 22:06 88363 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 12:45 36040]

C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk.disabled [2005-12-21 20:58:15 999]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 21:28:24 258048]
LUMIX Simple Viewer.lnk - C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2006-10-26 22:16:25 57344]
Updates from HP.lnk - C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe [2005-06-29 15:08:27 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2008-07-20 02:38 78008 C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"GNKPK"=3 (0x3)
"cmdAgent"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-20 02:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-20 02:37]
R3 CXFALCON;Conexant Falcon II NTSC Video Capture;C:\WINDOWS\system32\drivers\cxfalcon.sys [2005-04-20 22:57]
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2006-02-15 09:18]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2006-11-16 07:55]
S3 aswArKrn;aswArKrn;C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\aswArKrn.sys []

*Newly Created Service* - GMER
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-iTunesHelper - C:\Program Files\iTunes\iTunesHelper.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\ny26a2ie.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.com
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-20 21:28:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-20 21:29:22
ComboFix-quarantined-files.txt 2008-08-20 09:29:12
ComboFix2.txt 2008-08-12 21:17:17
ComboFix3.txt 2008-08-12 08:26:49
ComboFix4.txt 2008-08-11 04:15:50

Pre-Run: 113,244,934,144 bytes free
Post-Run: 113,232,240,640 bytes free

177

katana
2008-08-21, 23:42
There is no malware that would be causing your problems now, the only thing I can suggest is that your system has become unstable for some reason.

How old is the machine, have you ever reformatted or reinstalled the OS ?

AKILLSUX
2008-08-22, 03:38
So all the GMER entries mean nothing? The machine is only 3 years old, and has not had any reinstallation or reformatting. All the troubles started when that MS update in July clashed with ZoneAlarm, and I turned both off. Previously everything was fine.

katana
2008-08-24, 12:10
There is no malware that would be causing your problem.
The failed MS update has obviously changed some files and not others.

Unfortunately you are now outside my area of knowledge, so I'm going to have to recommend that you visit one of the tech forums for assistance.

http://www.techsupportforum.com/
http://www.bleepingcomputer.com/forums/
http://forums.whatthetech.com/forums.html

All the forums above have good support for software/OS problems, and I'm sure they will be able to help.

When you start your thread, explain what the problem is and let them know that you have been checked for malware.
Give them the following link, so they can see the logs if needed

http://forums.spybot.info/showthread.php?t=31919





This will clear your System Volume Information restore points and remove all the infected files that were quarantined
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

You can also delete any logs we have produced, and empty your Recycle bin.


Open OTMoveIt Click Cleanup,
it will now connect to the internet and get a list of files to delete.
When a box pops up click YES.

AKILLSUX
2008-08-25, 02:05
Just to check, I haven't downloaded OTMoveIt yet; do I need to copy that code you wrote earlier? Also, can you give any advice on getting msconfig back to normal startup? It is stuck in selective and when I try and change it, I get a restart message, and when I restart I get those popups saying the firewall is turned off (which it isn't), and then the other matching one saying auto updates is off (which it is).
Thanks so much for trying to help.

katana
2008-08-25, 14:15
Don't bother with the OTMoveIt instructions; you should be able to uninstall Adobe and Java when the OS is running properly.

RE. MSConfig,
If you followed my previous instructions, MSConfig should already be in normal startup.
The Firewall and autoupdate notifications come from Security Centre, not MSConfig.

AKILLSUX
2008-08-25, 23:39
Sorry, I meant that those double popups only appear after I try and change msconfig back to normal startup. I also get the message saying that I must restart to make any changes take place, but whether I restart or not, it is still stuck in selective. Also, the last couple of times I've started up there is a panel saying I've made changes to System Configuration etc., when I haven't.
Also have lost System Restore again.
Just for reference, what kind of service and registry entries have all those numbers and are hidden, just so I know (roughly) what to ignore in future?
Many thanks again, last questions I promise!

AKILLSUX
2008-08-27, 09:11
Just posting a final HJT log; can't restart System Restore in Services, and there is no tab to click on My Computer/Properties etc.
Msconfig still stuck in selective startup, as advised a few pages back.
A few things seem to have changed in the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:46:50 p.m., on 26/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\system32\dllhost.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\Documents and Settings\HP_Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://security.kolla.de/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] "c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: AutorunsDisabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FD76BEB-89CC-4CEB-965D-24200785D4CF}: NameServer = 60.234.1.1 60.234.2.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{1FD76BEB-89CC-4CEB-965D-24200785D4CF}: NameServer = 60.234.1.1 60.234.2.2
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Filter: AutorunsDisabled - (no CLSID) - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 8221 bytes

katana
2008-08-29, 02:43
There is no evidence of any active malware, you need to start a thread at one of the tech forums I suggested and get your OS sorted.
If you are still having problems after that, then you can come back and have another check.