PDA

View Full Version : AV Care, something preventing protections from running


JustSomeGuy
2009-08-13, 07:50
I was browsing the other day and AV Care installed itself on my computer...nasty pop-ups, fake scans, you know the drill. It didn't show up in my add/remove program list, but I ran a search and was able to delete it...I think. I haven't had any pop-ups since then, but on my next boot, all my safeguards appeared to be uninstalled. My antivirus/antispyware wouldn't reinstall from the CD, and it only partially downloaded from the website. (A Webroot window still comes up when I boot, and it shows in my system tray [as "loading...", but nothing more], but I can't open the program, and it invariably says that the installation failed and I should re-install). I can't run SpyBot at all (not from the .src file, not by renaming it, and not in safe mode)...same for Malwarebytes.

I've done all in my extremely limited power I can to fix it, but I think I need some real help here. You're my only hope. I've been unable to run any fixes, but here's the Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:06 PM, on 8/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\DOCUME~1\Rudy\LOCALS~1\Temp\b.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\msa.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\America Online 9.0\waol.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [DetectorApp] C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Monopod] C:\DOCUME~1\Rudy\LOCALS~1\Temp\b.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe

--
End of file - 9279 bytes
Shaba
2009-08-16, 07:48
Hi JustSomeGuy

Download gmer.zip (http://gmer.net/gmer.zip) and save to your desktop.
alternate download site (http://hype.free.googlepages.com/gmer.zip)

Unzip/extract the file to its own folder. (Click here (http://www.bleepingcomputer.com/tutorials/tutorial105.html) for information on how to do this if not sure. Win 2000 users click here (http://www.bleepingcomputer.com/tutorials/tutorial106.html).
When you have done this, disconnect from the Internet and close all running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double-click on Gmer.exe to start the program.
Allow the gmer.sys driver to load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
Click on the Rootkit tab.
Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
Click on the "Scan" and wait for the scan to finish.
Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
Note: If you have any problems, try running GMER in SAFE MODE (http://www.bleepingcomputer.com/forums/tutorial61.html)"
Important! Please do not select the "Show all" checkbox during the scan..
JustSomeGuy
2009-08-16, 10:32
First of all, thanks for taking the time to help my case.

But...It didn't work. I could download gmer, I can extract it, but I can't run it. When I double-click it, I get the little hourglass for a moment, and then it disappears and nothing happens. (That's the same thing that happens when I try to run any of my other protections.) I tried to run it manually, but Windows Explorer said it could not find gmer.exe (even in Safe Mode). I did a search, and it shows up two places (the zip and the unzipped folders), but it just won't run.

I forgot to mention in my original post that as soon as I got the AVCare pop-up, I ran a Webroot scan. Halfway through, I got bluescreened and automatically restarted...sort of. It got as far as the welcome screen immediately before the desktop, but no further. I tried again, and when I got in, that's when I noticed that my protections had been removed or unresponsive. I'm not using my computer much lately, but the welcome freeze happens about half the time I boot up.

Back on topic, I tried to unzip gmer again, just to be safe. It worked, but when I opened the folder, I got a notification that "Windows Explorer encountered a problem and needs to close. Please tell Microsoft about this problem," immediately followed by the same thing for "DrWatsons Post Mortem Debugger." I tried to send an error report, got frozen, restarted, and came back here.

What should I do now?
Shaba
2009-08-16, 11:34
Please rename gmer.exe and try again.
JustSomeGuy
2009-08-17, 02:39
Renaming didn't do it for mbam or spybot, but it did the trick for gmer. After the scan, it said that it detected rootkit activity had made changes to the registry (I think), or something to that effect. Here's the log:

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2009-08-16 17:29:27
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

Code 8595FC26 ZwEnumerateKey
Code 8595F9E6 ZwFlushInstructionCache
Code 00000000 pIofCallDriver
Code 8595FD9D IofCallDriver
Code 8596259D IofCompleteRequest
Code 8595EC5D ZwSaveKey
Code 8595B53D ZwSaveKeyEx

---- Kernel code sections - GMER 1.0.12 ----

.text ntkrnlpa.exe!IofCallDriver 804EF1A0 3 Bytes JMP 8595FDA2
.text ntkrnlpa.exe!IofCallDriver + 4 804EF1A4 1 Byte [ 05 ]
.text ntkrnlpa.exe!IofCompleteRequest 804EF230 3 Bytes JMP 859625A2
.text ntkrnlpa.exe!IofCompleteRequest + 4 804EF234 1 Byte [ 05 ]
.text ntkrnlpa.exe!ZwSaveKey 80500D38 5 Bytes JMP 8595EC62
.text ntkrnlpa.exe!ZwSaveKeyEx 80500D4C 5 Bytes JMP 8595B542
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B5642 5 Bytes JMP 8595F9EA
PAGE ntkrnlpa.exe!ZwEnumerateKey 80622DE0 5 Bytes JMP 8595FC2A

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\system32\brsvc01a.exe[204] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 003D000A
.text C:\WINDOWS\system32\brss01a.exe[252] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 003E000A
.text C:\WINDOWS\system32\Brmfrmps.exe[540] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 003D000A
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[600] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 0080000A
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[664] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 0086000A
.text ...
---- Processes - GMER 1.0.12 ----

Library \\?\globalroot\systemroot\system32\UACjkrwxvnmfb.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [756] 0x00B70000
Library \\?\globalroot\systemroot\system32\UACmaprhesiyc.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [756] 0x00C20000
Library \\?\globalroot\systemroot\system32\UACnbevpawsww.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1140] 0x02BD0000
Library \\?\globalroot\systemroot\system32\UACjkrwxvnmfb.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1320] 0x00B60000
Library \\?\globalroot\systemroot\system32\UACmaprhesiyc.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1320] 0x00C10000
Library \\?\globalroot\systemroot\system32\UACjkrwxvnmfb.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1384] 0x00B60000
Library \\?\globalroot\systemroot\system32\UACmaprhesiyc.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1384] 0x00C10000
Library \\?\globalroot\systemroot\system32\UACmaprhesiyc.dll (*** hidden *** ) @ C:\WINDOWS\explorer.exe [1712] 0x00D80000

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
ADS C:\Documents and Settings\Rudy\Desktop\gmer\geeemeeareqwerty.exe:SummaryInformation
ADS C:\Documents and Settings\Rudy\Desktop\gmer\geeemeeareqwerty.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\WINDOWS\gmer.exe:SummaryInformation
ADS C:\WINDOWS\gmer.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
File C:\WINDOWS\system32\drivers\SKYNETtnbgrqth.sys
File C:\WINDOWS\system32\SKYNETkomqpaps.dll
File C:\WINDOWS\system32\SKYNETmpyqbppw.dat
File C:\WINDOWS\system32\SKYNETublklvrq.dat
File C:\WINDOWS\system32\SKYNETwidoexru.dll

---- EOF - GMER 1.0.12 ----
Shaba
2009-08-17, 06:00
We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here. (http://www.bleepingcomputer.com/forums/topic114351.html)

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
JustSomeGuy
2009-08-17, 08:29
I'm starting to sound like a broken record here, but ComboFix won't run either. If I double-click, the hourgalss appears for a moment and then disappears, and nothing else happens. I don't see it in my program files, so I can't rename it either. I tried to run it manually, and again, "Windows Explorer cannot find combofix.exe." I downloaded it to my desktop as instructed, and then again to a different folder, but neither works.

Interesting development: I opened up my task manager and tried to run ComboFix via the New Task button. That opens a new box that lets me type in whatever I want to search for: programs, folders, documents, or internet resources...I'm sure you techies know what I'm talking about. I found that by entering only one letter, I am able to see a rather lengthy list of webpages that I know I have never visited or searched for. I'm more than a little concerned about this, so now I'm even more motivated to get this problem solved as quickly as possible.
JustSomeGuy
2009-08-17, 08:34
Oh, and there may be a problem with disabling my protections while ComboFix is running. As I've said, I can't even open them, so I can't get in to turn them off. I'm pretty sure that the installation is damaged to some extent, so they might not even be active or running.

Should I just delete/uninstall MalwareBytes, Spybot, Webroot, and Spyware Blaster completely? And if I do, do you need a new HJT or gmer log before I go on with ComboFix?
Shaba
2009-08-17, 10:44
Please save combofix.exe to desktop, rename it (right-click - rename) and let me know if it runs now.
JustSomeGuy
2009-08-17, 22:22
My bad...I thought renaming the icon on my desktop only renamed the shortcut, not the application. Renaming it worked, so here's the ComboFix log:

ComboFix 09-08-10.06 - Rudy 08/17/2009 13:05.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.738 [GMT -7:00]
Running from: c:\documents and settings\Rudy\Desktop\CeeOhEmBeeOhasdfg.exe
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: Webroot AntiVirus with AntiSpyware *disabled* {63671000-11A2-46DD-BADD-A084CABCDEAE}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common
c:\recycler\S-1-5-21-3817807122-3879334724-2376479202-1003
c:\windows\123messenger.per
c:\windows\2020search.dll
c:\windows\apphelp32.dll
c:\windows\asferror32.dll
c:\windows\asycfilt32.dll
c:\windows\athprxy32.dll
c:\windows\ati2dvaa32.dll
c:\windows\ati2dvag32.dll
c:\windows\audiosrv32.dll
c:\windows\autodisc32.dll
c:\windows\avifile32.dll
c:\windows\avisynthex32.dll
c:\windows\aviwrap32.dll
c:\windows\browserad.dll
c:\windows\changeurl_30.dll
c:\windows\Installer\10bfb8c4.msi
c:\windows\Installer\14c40fe.msi
c:\windows\Installer\16cdb5.msi
c:\windows\Installer\19a8f90.msi
c:\windows\Installer\19a8f96.msi
c:\windows\Installer\1ec34c9.msi
c:\windows\Installer\21170a.msi
c:\windows\Installer\211710.msi
c:\windows\Installer\21774f7.msi
c:\windows\Installer\21774fd.msi
c:\windows\Installer\2177503.msi
c:\windows\Installer\2177509.msi
c:\windows\Installer\28158.msi
c:\windows\Installer\28161.msi
c:\windows\Installer\2816a.msi
c:\windows\Installer\2aa3415.msi
c:\windows\Installer\2aa3416.msp
c:\windows\Installer\2aa3417.msp
c:\windows\Installer\2aa3418.msp
c:\windows\Installer\2aa3419.msp
c:\windows\Installer\2aa341a.msp
c:\windows\Installer\2aa341b.msp
c:\windows\Installer\2aa341c.msp
c:\windows\Installer\2aa341d.msp
c:\windows\Installer\2aa341e.msp
c:\windows\Installer\388bf.msi
c:\windows\Installer\3eb7d.msi
c:\windows\Installer\51d1a01.msp
c:\windows\Installer\524165.msi
c:\windows\Installer\89fd5.msi
c:\windows\Installer\89fdb.msi
c:\windows\Installer\89fec.msi
c:\windows\Installer\89ff8.msi
c:\windows\Installer\d1310.msi
c:\windows\Installer\f44b1.msi
c:\windows\licencia.txt
c:\windows\mainms.vpi
c:\windows\megavid.cdt
c:\windows\msa.exe
c:\windows\msa64chk.dll
c:\windows\msapasrc.dll
c:\windows\muotr.so
c:\windows\ntnut.exe
c:\windows\run.log
c:\windows\saiemod.dll
c:\windows\shdocpe.dll
c:\windows\shdocpl.dll
c:\windows\system32\_000110_.tmp.dll
c:\windows\system32\drivers\SKYNETtnbgrqth.sys
c:\windows\system32\drivers\UACkyaukanmyn.sys
c:\windows\system32\msxml71.dll
c:\windows\system32\net.net
c:\windows\system32\SKYNETkomqpaps.dll
c:\windows\system32\SKYNETmpyqbppw.dat
c:\windows\system32\SKYNETublklvrq.dat
c:\windows\system32\SKYNETwidoexru.dll
c:\windows\system32\UACepxvqypexm.dat
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjkrwxvnmfb.dll
c:\windows\system32\UACkpppdcynij.db
c:\windows\system32\UACmaprhesiyc.dll
c:\windows\system32\UACnbevpawsww.dll
c:\windows\system32\UACtmvosqbuwo.dll
c:\windows\telefonos.txt
c:\windows\textos.txt
c:\windows\winsb.dll
D:\Autorun.inf


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETxjkcpdyo
-------\Legacy_SKYNETxjkcpdyo
-------\Service_UACd.sys
-------\Legacy_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-07-17 to 2009-08-17 )))))))))))))))))))))))))))))))
.

2009-08-17 00:40 . 2009-08-17 00:40 585736 ----a-w- c:\windows\system32\minix32.exe
2009-08-17 00:40 . 2009-08-17 00:40 -------- d-----w- c:\program files\Windows Antivirus Pro
2009-08-13 04:54 . 2009-08-13 04:57 -------- d-----w- c:\program files\ERUNT
2009-08-12 03:28 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-12 03:28 . 2009-08-12 03:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-12 03:28 . 2009-08-12 03:28 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-08-12 03:28 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-11 22:06 . 2009-07-10 13:42 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-11 22:05 . 2009-06-05 07:42 655872 ------w- c:\windows\system32\dllcache\mstscax.dll
2009-08-11 09:05 . 2009-08-11 09:05 -------- d-----w- c:\documents and settings\Rudy\Application Data\Logs
2009-08-08 22:58 . 2009-08-08 22:58 -------- d-----w- c:\documents and settings\Rudy\Application Data\Sonic
2009-08-08 22:58 . 2009-08-08 22:58 -------- d-----w- c:\documents and settings\Rudy\Application Data\Leadertech
2009-08-08 20:13 . 2009-08-08 20:13 -------- d-----w- c:\documents and settings\Rudy\Application Data\Nikon
2009-08-08 20:05 . 2009-08-08 20:05 49152 ----a-r- c:\documents and settings\Rudy\Application Data\Microsoft\Installer\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\ARPPRODUCTICON.exe
2009-08-08 20:00 . 2009-08-08 20:00 -------- d-----w- c:\documents and settings\Rudy\Local Settings\Application Data\Apple Computer
2009-08-08 19:54 . 2004-08-04 07:56 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-08-08 19:54 . 2001-08-18 05:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-08-08 19:54 . 2004-08-04 05:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-08-08 19:54 . 2004-08-04 05:58 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2009-08-05 09:11 . 2009-08-05 09:11 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-17 05:49 . 2009-07-09 18:29 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-08-12 22:10 . 2009-07-04 19:22 1510 ----a-w- c:\documents and settings\Rudy\Application Data\wklnhst.dat
2009-08-12 05:29 . 2006-06-22 16:35 -------- d-----w- c:\program files\Trend Micro
2009-08-12 04:47 . 2009-07-10 15:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-11 23:29 . 2009-07-09 18:29 -------- d-----w- c:\program files\SpywareBlaster
2009-08-11 22:18 . 2009-03-31 03:20 164 ----a-w- c:\windows\install.dat
2009-08-08 23:14 . 2009-01-05 20:41 20 ---h--w- c:\docume~1\ALLUSE~1\APPLIC~1\PKP_DLdu.DAT
2009-08-08 20:01 . 2009-01-05 20:37 -------- d-----w- c:\program files\QuickTime
2009-08-08 19:09 . 2006-04-10 16:11 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-08 19:09 . 2006-04-10 16:11 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Symantec
2009-08-08 19:07 . 2006-04-10 16:11 -------- d-----w- c:\program files\Symantec
2009-08-05 09:11 . 2004-08-04 08:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 18:55 . 2004-08-04 08:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2004-08-04 08:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-10 18:33 . 2009-07-10 15:47 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-07-08 05:14 . 2009-07-08 05:14 -------- d-----w- c:\documents and settings\Rudy\Application Data\Netscape
2009-07-06 23:15 . 2009-07-06 23:15 -------- d-----w- c:\documents and settings\Rudy\Application Data\MSNInstaller
2009-07-05 22:25 . 2009-07-05 22:25 -------- d-----r- c:\documents and settings\Rudy\Application Data\Brother
2009-07-05 22:11 . 2009-07-05 22:11 50 ----a-w- c:\windows\system32\BRIDF04A.dat
2009-07-05 22:10 . 2009-07-05 22:09 -------- d-----w- c:\program files\Brother
2009-07-05 22:09 . 2006-04-10 15:39 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-05 22:09 . 2006-04-10 15:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-05 22:03 . 2009-07-05 22:03 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2009-07-05 22:03 . 2009-07-05 22:02 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\ScanSoft
2009-07-05 22:02 . 2009-07-05 22:02 -------- d-----w- c:\program files\ScanSoft
2009-07-05 22:00 . 2009-07-05 22:00 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Brother
2009-07-05 20:16 . 2009-07-05 20:16 -------- d-----w- c:\documents and settings\Rudy\Application Data\HP
2009-07-04 21:04 . 2009-07-04 21:04 -------- d-----w- c:\documents and settings\Rudy\Application Data\Viewpoint
2009-07-04 19:55 . 2009-07-04 19:55 -------- d-----w- c:\documents and settings\Rudy\Application Data\AOL
2009-07-04 19:22 . 2009-07-04 19:22 -------- d-----w- c:\documents and settings\Rudy\Application Data\Template
2009-07-04 18:15 . 2009-07-04 18:15 -------- d-----w- c:\documents and settings\Rudy\Application Data\Webroot
2009-07-04 18:02 . 2009-07-04 18:00 61752 ----a-w- c:\documents and settings\Rudy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-04 18:02 . 2009-07-04 18:00 127 ----a-w- c:\documents and settings\Rudy\Local Settings\Application Data\fusioncache.dat
2009-07-04 18:00 . 2009-07-04 18:00 1779 --sha-r- c:\windows\system32\drivers\103C_HP_NTBK_HP Pavilion dv1000 (ET732UA#ABA)_YN_0Pavi_QCNF62300ZQ_E396559002_46_I30A0_SQuanta_V55.10_BF.11_T060410_WXH2_L409_M1015_J80_7Intel_8T2300_91.66_#060410_N80861092_(ET732UA#ABA)_XMOBILE_CN10_Z_2Rev 1.MRK
2009-07-04 17:52 . 2006-04-10 15:39 -------- d-----w- c:\program files\HPQ
2009-07-04 17:21 . 2006-04-10 16:00 -------- d-----w- c:\program files\Quickensetup
2009-07-04 17:21 . 2006-04-10 16:00 -------- d-----w- c:\program files\Quicken
2009-07-04 17:19 . 2006-04-10 16:20 -------- d-----w- c:\program files\music_now
2009-07-04 17:19 . 2006-04-10 15:58 -------- d-----w- c:\program files\MSN Encarta Plus
2009-07-04 17:19 . 2006-04-10 15:58 -------- d-----w- c:\program files\Microsoft Works
2009-07-04 17:18 . 2006-04-10 16:20 -------- d-----w- c:\program files\Microsoft Office Trial Wizard
2009-07-04 17:18 . 2006-04-10 15:57 -------- d-----w- c:\program files\Microsoft Money 2006
2009-07-04 17:17 . 2006-04-10 16:21 -------- d-----w- c:\program files\HP Rhapsody
2009-07-04 17:16 . 2006-04-10 16:16 -------- d-----w- c:\program files\Google
2009-07-04 17:16 . 2006-04-10 15:48 -------- d-----w- c:\program files\CONEXANT
2009-07-04 17:15 . 2006-04-10 16:01 -------- d-----w- c:\program files\Common Files\SureThing Shared
2009-07-04 17:15 . 2006-04-10 16:00 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-07-04 17:15 . 2006-04-10 16:00 -------- d-----w- c:\program files\Common Files\Palo Alto Software
2009-07-04 17:15 . 2006-04-10 16:23 -------- d-----w- c:\program files\Common Files\LightScribe
2009-07-04 17:11 . 2006-04-10 16:09 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Sonic
2009-07-04 17:11 . 2006-04-10 16:03 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\hpqwmi
2009-06-29 16:12 . 2004-08-04 08:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2009-07-11 05:35 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-04 08:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-16 14:55 . 2004-08-04 08:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-04 08:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 11:50 . 2004-08-04 08:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2004-08-04 08:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2004-08-04 08:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 07:42 . 2004-08-04 08:00 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2004-08-04 08:00 1290752 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-03-06 00:02 238968 ----a-w- c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"AOL Fast Start"="c:\program files\America Online 9.0\AOL.EXE" [2005-07-26 50776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-02 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-02 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-02 118784]
"DetectorApp"="c:\program files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe" [2005-10-20 102400]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-11 761945]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-11-16 503808]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-22 405504]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-05-18 233534]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-05-13 6345840]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"SetDefPrt"="c:\program files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-10-20 286720]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2005-12-28 61952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"minix32"="c:\windows\system32\minix32.exe" [2009-08-17 585736]

c:\documents and settings\Rudy\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2009-7-5 819200]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [3/30/2009 8:23 PM 1205760]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-svcWRSSSDK
SafeBoot-WebrootSpySweeperService


.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
FF - ProfilePath - c:\docume~1\Rudy\APPLIC~1\Mozilla\Firefox\Profiles\nr1oi989.default\
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-17 13:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????n??|?????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-08-17 13:15
ComboFix-quarantined-files.txt 2009-08-17 20:15

Pre-Run: 41,889,992,704 bytes free
Post-Run: 41,956,655,104 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

334 --- E O F --- 2009-08-17 19:44
JustSomeGuy
2009-08-17, 22:24
And here's the fresh HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:23:10 PM, on 8/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [DetectorApp] C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [minix32] C:\WINDOWS\system32\minix32.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [minix32] C:\WINDOWS\system32\minix32.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe

--
End of file - 8100 bytes
Shaba
2009-08-18, 06:01
We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.


Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


File::
c:\windows\system32\minix32.exe

Folder::
c:\program files\Windows Antivirus Pro

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"minix32"=-

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"minix32"=-


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
JustSomeGuy
2009-08-18, 07:29
Here's the latest ComboFix log, post-CFScript:

ComboFix 09-08-10.06 - Rudy 08/17/2009 22:17.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.700 [GMT -7:00]
Running from: c:\documents and settings\Rudy\Desktop\CeeOhEmBeeOhasdfg.exe
Command switches used :: c:\documents and settings\Rudy\Desktop\CFScript.txt
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: Webroot AntiVirus with AntiSpyware *disabled* {63671000-11A2-46DD-BADD-A084CABCDEAE}

FILE ::
"c:\windows\system32\minix32.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Windows Antivirus Pro
c:\program files\Windows Antivirus Pro\ANTI_files.exe
c:\windows\system32\minix32.exe


.
((((((((((((((((((((((((( Files Created from 2009-07-18 to 2009-08-18 )))))))))))))))))))))))))))))))
.

2009-08-13 04:54 . 2009-08-13 04:57 -------- d-----w- c:\program files\ERUNT
2009-08-12 03:28 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-12 03:28 . 2009-08-12 03:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-12 03:28 . 2009-08-12 03:28 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-08-12 03:28 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-11 22:06 . 2009-07-10 13:42 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-11 22:05 . 2009-06-05 07:42 655872 ------w- c:\windows\system32\dllcache\mstscax.dll
2009-08-11 09:05 . 2009-08-11 09:05 -------- d-----w- c:\documents and settings\Rudy\Application Data\Logs
2009-08-08 22:58 . 2009-08-08 22:58 -------- d-----w- c:\documents and settings\Rudy\Application Data\Sonic
2009-08-08 22:58 . 2009-08-08 22:58 -------- d-----w- c:\documents and settings\Rudy\Application Data\Leadertech
2009-08-08 20:13 . 2009-08-08 20:13 -------- d-----w- c:\documents and settings\Rudy\Application Data\Nikon
2009-08-08 20:05 . 2009-08-08 20:05 49152 ----a-r- c:\documents and settings\Rudy\Application Data\Microsoft\Installer\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\ARPPRODUCTICON.exe
2009-08-08 20:00 . 2009-08-08 20:00 -------- d-----w- c:\documents and settings\Rudy\Local Settings\Application Data\Apple Computer
2009-08-08 19:54 . 2004-08-04 07:56 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-08-08 19:54 . 2001-08-18 05:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-08-08 19:54 . 2004-08-04 05:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-08-08 19:54 . 2004-08-04 05:58 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2009-08-05 09:11 . 2009-08-05 09:11 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-17 05:49 . 2009-07-09 18:29 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-08-12 22:10 . 2009-07-04 19:22 1510 ----a-w- c:\documents and settings\Rudy\Application Data\wklnhst.dat
2009-08-12 05:29 . 2006-06-22 16:35 -------- d-----w- c:\program files\Trend Micro
2009-08-12 04:47 . 2009-07-10 15:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-11 23:29 . 2009-07-09 18:29 -------- d-----w- c:\program files\SpywareBlaster
2009-08-11 22:18 . 2009-03-31 03:20 164 ----a-w- c:\windows\install.dat
2009-08-08 23:14 . 2009-01-05 20:41 20 ---h--w- c:\docume~1\ALLUSE~1\APPLIC~1\PKP_DLdu.DAT
2009-08-08 20:01 . 2009-01-05 20:37 -------- d-----w- c:\program files\QuickTime
2009-08-08 19:09 . 2006-04-10 16:11 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-08 19:09 . 2006-04-10 16:11 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Symantec
2009-08-08 19:07 . 2006-04-10 16:11 -------- d-----w- c:\program files\Symantec
2009-08-05 09:11 . 2004-08-04 08:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 18:55 . 2004-08-04 08:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2004-08-04 08:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-10 18:33 . 2009-07-10 15:47 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-07-08 05:14 . 2009-07-08 05:14 -------- d-----w- c:\documents and settings\Rudy\Application Data\Netscape
2009-07-06 23:15 . 2009-07-06 23:15 -------- d-----w- c:\documents and settings\Rudy\Application Data\MSNInstaller
2009-07-05 22:25 . 2009-07-05 22:25 -------- d-----r- c:\documents and settings\Rudy\Application Data\Brother
2009-07-05 22:11 . 2009-07-05 22:11 50 ----a-w- c:\windows\system32\BRIDF04A.dat
2009-07-05 22:10 . 2009-07-05 22:09 -------- d-----w- c:\program files\Brother
2009-07-05 22:09 . 2006-04-10 15:39 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-05 22:09 . 2006-04-10 15:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-05 22:03 . 2009-07-05 22:03 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2009-07-05 22:03 . 2009-07-05 22:02 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\ScanSoft
2009-07-05 22:02 . 2009-07-05 22:02 -------- d-----w- c:\program files\ScanSoft
2009-07-05 22:00 . 2009-07-05 22:00 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Brother
2009-07-05 20:16 . 2009-07-05 20:16 -------- d-----w- c:\documents and settings\Rudy\Application Data\HP
2009-07-04 21:04 . 2009-07-04 21:04 -------- d-----w- c:\documents and settings\Rudy\Application Data\Viewpoint
2009-07-04 19:55 . 2009-07-04 19:55 -------- d-----w- c:\documents and settings\Rudy\Application Data\AOL
2009-07-04 19:22 . 2009-07-04 19:22 -------- d-----w- c:\documents and settings\Rudy\Application Data\Template
2009-07-04 18:15 . 2009-07-04 18:15 -------- d-----w- c:\documents and settings\Rudy\Application Data\Webroot
2009-07-04 18:02 . 2009-07-04 18:00 61752 ----a-w- c:\documents and settings\Rudy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-04 18:02 . 2009-07-04 18:00 127 ----a-w- c:\documents and settings\Rudy\Local Settings\Application Data\fusioncache.dat
2009-07-04 18:00 . 2009-07-04 18:00 1779 --sha-r- c:\windows\system32\drivers\103C_HP_NTBK_HP Pavilion dv1000 (ET732UA#ABA)_YN_0Pavi_QCNF62300ZQ_E396559002_46_I30A0_SQuanta_V55.10_BF.11_T060410_WXH2_L409_M1015_J80_7Intel_8T2300_91.66_#060410_N80861092_(ET732UA#ABA)_XMOBILE_CN10_Z_2Rev 1.MRK
2009-07-04 17:52 . 2006-04-10 15:39 -------- d-----w- c:\program files\HPQ
2009-07-04 17:21 . 2006-04-10 16:00 -------- d-----w- c:\program files\Quickensetup
2009-07-04 17:21 . 2006-04-10 16:00 -------- d-----w- c:\program files\Quicken
2009-07-04 17:19 . 2006-04-10 16:20 -------- d-----w- c:\program files\music_now
2009-07-04 17:19 . 2006-04-10 15:58 -------- d-----w- c:\program files\MSN Encarta Plus
2009-07-04 17:19 . 2006-04-10 15:58 -------- d-----w- c:\program files\Microsoft Works
2009-07-04 17:18 . 2006-04-10 16:20 -------- d-----w- c:\program files\Microsoft Office Trial Wizard
2009-07-04 17:18 . 2006-04-10 15:57 -------- d-----w- c:\program files\Microsoft Money 2006
2009-07-04 17:17 . 2006-04-10 16:21 -------- d-----w- c:\program files\HP Rhapsody
2009-07-04 17:16 . 2006-04-10 16:16 -------- d-----w- c:\program files\Google
2009-07-04 17:16 . 2006-04-10 15:48 -------- d-----w- c:\program files\CONEXANT
2009-07-04 17:15 . 2006-04-10 16:01 -------- d-----w- c:\program files\Common Files\SureThing Shared
2009-07-04 17:15 . 2006-04-10 16:00 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-07-04 17:15 . 2006-04-10 16:00 -------- d-----w- c:\program files\Common Files\Palo Alto Software
2009-07-04 17:15 . 2006-04-10 16:23 -------- d-----w- c:\program files\Common Files\LightScribe
2009-07-04 17:11 . 2006-04-10 16:09 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Sonic
2009-07-04 17:11 . 2006-04-10 16:03 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\hpqwmi
2009-06-29 16:12 . 2004-08-04 08:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2009-07-11 05:35 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-04 08:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-16 14:55 . 2004-08-04 08:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-04 08:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 11:50 . 2004-08-04 08:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2004-08-04 08:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2004-08-04 08:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 07:42 . 2004-08-04 08:00 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2004-08-04 08:00 1290752 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-17_20.13.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-18 05:13 . 2009-08-18 05:11 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-04 17:52 . 2009-08-18 05:11 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-07-04 17:52 . 2009-08-17 19:41 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-07-04 17:52 . 2009-08-18 05:11 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-07-04 17:52 . 2009-08-17 19:41 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-03-06 00:02 238968 ----a-w- c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"AOL Fast Start"="c:\program files\America Online 9.0\AOL.EXE" [2005-07-26 50776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-02 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-02 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-02 118784]
"DetectorApp"="c:\program files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe" [2005-10-20 102400]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-11 761945]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-11-16 503808]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-22 405504]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-05-18 233534]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-05-13 6345840]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"SetDefPrt"="c:\program files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-10-20 286720]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2005-12-28 61952]

c:\documents and settings\Rudy\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2009-7-5 819200]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [3/30/2009 8:23 PM 1205760]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
FF - ProfilePath - c:\docume~1\Rudy\APPLIC~1\Mozilla\Firefox\Profiles\nr1oi989.default\
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-17 22:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????n??|?????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-08-18 22:25
ComboFix-quarantined-files.txt 2009-08-18 05:25
ComboFix2.txt 2009-08-17 20:15

Pre-Run: 41,955,000,320 bytes free
Post-Run: 41,936,498,688 bytes free

241 --- E O F --- 2009-08-17 19:44
Shaba
2009-08-18, 07:33
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.
JustSomeGuy
2009-08-18, 11:10
Here's the log from the Kaspersky scan:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, August 18, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, August 18, 2009 08:43:17
Records in database: 2652889
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
G:\

Scan statistics:
Objects scanned: 100686
Threats found: 13
Infected objects found: 15
Suspicious objects found: 0
Scan duration: 02:10:18


File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1BDC52E7.g04 Infected: Trojan-Downloader.Win32.Agent.kwg 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\287905F5.00j Infected: Trojan-Downloader.Win32.Injecter.gx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\44330724.gv6 Infected: Trojan-Downloader.Win32.Agent.kwg 1
C:\Program Files\AOL Toolbar\toolbar.dll Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
C:\Program Files\Common Files\aolback\Comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\BA3.tmp Infected: not-a-virus:FraudTool.Win32.WinSpywareProtect.wi 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\SKYNETtnbgrqth.sys.vir Infected: Trojan.Win32.TDSS.amve 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACkyaukanmyn.sys.vir Infected: Rootkit.Win32.Agent.oxr 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\net.net.vir Infected: Trojan-Clicker.Win32.VBiframe.zu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETkomqpaps.dll.vir Infected: Trojan.Win32.Tdss.anuv 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETwidoexru.dll.vir Infected: Trojan.Win32.Tdss.anus 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACjkrwxvnmfb.dll.vir Infected: Trojan.Win32.Tdss.anrd 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmaprhesiyc.dll.vir Infected: Trojan.Win32.Tdss.anre 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACnbevpawsww.dll.vir Infected: Trojan.Win32.Tdss.anrc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACtmvosqbuwo.dll.vir Infected: Trojan.Win32.TDSS.amwo 1

Selected area has been scanned.


And here's the latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:06:58 AM, on 8/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [DetectorApp] C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe

--
End of file - 8700 bytes
Shaba
2009-08-18, 13:34
Empty these folders:

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine
C:\Qoobox\Quarantine\

Empty Recycle Bin.

Still problems?
JustSomeGuy
2009-08-18, 21:34
Slight problem...I can't seem to find the Symantec/Norton quarantine using the path you specified, nor does it show up when I search for it.

I did empty the other two quarantine folders, and I can open and run my various protections. Everything seems to be in order now. Should I uninstall ComboFix, gmer, or anything else?
Shaba
2009-08-18, 21:39
It is likely hidden.

See here (http://www.bleepingcomputer.com/tutorials/tutorial62.html) how to unhide them.
JustSomeGuy
2009-08-18, 23:07
Alright, I found the hidden Symantec folders and emptied the quarantine.

However, there's still something wrong with my Webroot Antivirus/Antispyware. It still tells me that "the installation has been damaged" and that I should "reinstall the product" at every boot. I have re-downloaded and installed it, and it seems to go ok, but after I restart at the end of the process, I get the same error message.
Shaba
2009-08-19, 05:57
Then I think that it is best to contact Webroot support.

If you like, you can of course try before that if you can install some free antivirus below (that we can see if it is webroot related issue or related to antivirus programs in general). If you choose to do it, please uninstall Webroot first:

1) Antivir PersonalEdition Classic (http://www.free-av.com/)- Free anti-virus software for Windows. Free support.
2) avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html) - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition (http://free.grisoft.com/ww.homepage) - Free edition of the AVG anti-virus program for Windows.

You should run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and results in program conflicts and false virus alerts.
JustSomeGuy
2009-08-19, 07:02
I've downloaded AVG and it works just fine. I'll see how I like it, maybe try one of the others you recommended, until I can get the Webroot situation resolved.

I think I'm in shape now. Do you need anything else from me?

Thanks for the help.
Shaba
2009-08-19, 07:05
Glad to hear :)

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Now lets uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK

Next we remove all used tools.

Please download OTCleanIt (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software and keep your other programs up-to-date
Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:

Malwarebytes' Anti-Malware Setup Guide (http://www.lognrock.com/forum/index.php?showtopic=6926)

Malwarebytes' Anti-Malware Scanning Guide (http://www.lognrock.com/forum/index.php?showtopic=6913)


Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://forums.spybot.info/showthread.php?t=279)

Happy surfing and stay clean! :bigthumb:
Shaba
2009-08-22, 11:13
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.