Unable to Remove Spyguard 2009



Doff_V
2009-08-24, 00:12
I need help removing Spyguard 2009 on a machine. Neither HijackThis nor Malwarebytes will load on the machine; it seems as if something is stopping both from running.

Please Let me know what steps I need to take.

Thank you

Doff

Shaba
2009-08-25, 12:29
Hi Doff_V

Please rename hijackthis.exe and let me know if it runs now :)

Doff_V
2009-08-25, 22:27
I renamed the hijackthis.exe; I assume I can name it anything other than HijackThis? Came up with the same result, kinda blinks then does nothing.

Let me know what to try Next.

Thank you

Doff

Shaba
2009-08-26, 06:01
Let me know if this runs:

Download at your desktop DDS from one of the links below:

Link 1 (http://download.bleepingcomputer.com/sUBs/dds.scr)
Link 2 (http://www.forospyware.com/sUBs/dds)

Double click the tool to run it.
A black screen will open; just read the contents and do nothing.
When the tool finishes, it will open 2 reports.
Copy/paste both reports back here and remove DDS from your desktop.

Doff_V
2009-08-26, 06:57
Ok, here you are. First log, DDS.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Administrator at 21:46:53.50 on Tue 08/25/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.108 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Vongo\VongoService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
uInternet Connection Wizard,ShellNext = hxxp://wl.gelohen.com/v3063/repins.jpg?msg=lieMq7BAv8czQ%2BKukUxIWz1OexH%2BsZFAnJArSXi7AG61sBSU%2Bpx7IvwfsC9mty4MvZItBe1kDoeoN4zo4scMhlk9tiifCLIy9mgfgNxK8PtCrYYptRQLThw8Lzd%2BHooexhA5D0GUInxVru%2F78Bc0vs6Io4LbyfL4mAnP6DpxwSzj62ZFgLVrcqWpdSvDorv%2BpvdyYzAX0H2dPlQFX2zeYB%3D%3D
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [A00F5BFBD.exe] c:\docume~1\admini~1\locals~1\temp\_A00F5BFBD.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [hpWirelessAssistant] "c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QlbCtrl] "c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe" /Start
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpzsetup.lnk - c:\program files\hp\temp\{4604f1bd-2b72-4194-9387-ad83312326ed}\hpzstub.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_10\bin\npjpi150_10.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1251085278625
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: 6e45f3b530 - c:\windows\system32\divx_xx0732.dll
Notify: cfddecaeacedb - c:\windows\system32\cfddecaeacedb.dll
Notify: igfxcui - igfxdev.dll
Notify: __c00C2400 - c:\windows\system32\__c00C2400.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2005-9-17 191848]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2005-9-17 169320]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-9-11 1251720]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2007-5-19 20160]

=============== Created Last 30 ================

2009-08-25 15:24 17,692 a------- c:\windows\GnuHashes.ini
2009-08-25 15:01 <DIR> --d----- c:\windows\system32\scripting
2009-08-25 15:01 <DIR> --d----- c:\windows\l2schemas
2009-08-25 15:01 <DIR> --d----- c:\windows\system32\en
2009-08-25 15:01 <DIR> --d----- c:\windows\system32\bits
2009-08-25 13:29 29,184 a------- c:\windows\system32\__c0010C22.dat
2009-08-25 13:16 124 a------- C:\xcrashdump.dat
2009-08-25 13:15 29,184 a------- c:\windows\system32\__c00C2400.dat
2009-08-25 13:13 530 a--sh--- c:\windows\system32\GroupPolicy000.dat
2009-08-25 13:13 518,144 a--sh--- c:\windows\system32\14.tmp
2009-08-25 13:12 <DIR> --dsh--- c:\documents and settings\administrator\IECompatCache
2009-08-25 13:12 268,648 a------- c:\windows\system32\mucltui.dll
2009-08-25 13:12 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-08-25 13:12 <DIR> --dsh--- c:\documents and settings\administrator\PrivacIE
2009-08-25 13:09 <DIR> --dsh--- c:\documents and settings\administrator\IETldCache
2009-08-23 21:32 <DIR> --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-08-23 20:25 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-08-23 20:25 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-08-23 20:25 <DIR> --d----- c:\windows\ie8updates
2009-08-23 20:25 101,376 -------- c:\windows\system32\dllcache\iecompat.dll
2009-08-23 20:23 <DIR> -cd-h--- c:\windows\ie8
2009-08-23 16:53 <DIR> --dsh--- C:\found.000
2009-08-23 15:34 281,105 -------- c:\windows\system32\4dc4303c151fbb82f432e7440f3f1d28.TMP
2009-08-23 15:18 <DIR> --d----- c:\windows\ServicePackFiles
2009-08-23 14:16 <DIR> --d----- c:\windows\ERUNT
2009-08-23 14:15 <DIR> --d----- C:\SDFix
2009-08-23 14:06 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-08-23 13:41 <DIR> a-dshr-- C:\cmdcons
2009-08-23 13:37 229,376 a------- c:\windows\PEV.exe
2009-08-23 13:37 161,792 a------- c:\windows\SWREG.exe
2009-08-23 13:37 98,816 a------- c:\windows\sed.exe
2009-08-23 11:09 0 a------- C:\.autoreg
2009-08-23 11:06 <DIR> --d----- c:\windows\pss
2009-08-23 11:05 <DIR> --d----- c:\program files\CCleaner
2009-08-23 10:44 <DIR> --dsh--- c:\windows\system32\LocalService
2009-08-23 10:44 518,144 a--sh--- c:\windows\system32\6B4.tmp
2009-08-23 10:10 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-08-23 10:07 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-08-23 10:04 655,872 -------- c:\windows\system32\dllcache\mstscax.dll
2009-08-23 10:01 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-08-23 10:01 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-08-23 09:55 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-23 09:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-08-05 02:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-28 21:37 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-07-28 21:37 81,920 -------- c:\windows\system32\dllcache\fontsub.dll

==================== Find3M ====================

2009-08-25 15:27 281,105 a------- c:\windows\system32\cfddecaeacedb.dll
2009-08-25 15:05 92,599 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-08-23 10:50 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-23 10:50 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2009-08-23 10:50 10,671 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-08-23 10:50 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-28 21:37 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-28 21:37 81,920 a------- c:\windows\system32\fontsub.dll
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 06:18 5,937,152 a------- c:\windows\system32\dllcache\cache\mshtml.dll
2009-07-19 06:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 12:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 10,841,088 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-03 10:09 915,456 a------- c:\windows\system32\dllcache\cache\wininet.dll
2009-07-03 10:09 915,456 -------- c:\windows\system32\wininet.dll
2009-07-03 10:09 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 10:09 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 10:09 206,848 -------- c:\windows\system32\dllcache\occache.dll
2009-07-03 10:09 594,432 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 10:09 55,296 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 10:09 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 10:09 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 10:09 184,320 -------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 10:09 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 04:01 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-29 09:12 133,120 a------- c:\windows\system32\dllcache\extmgr.dll
2009-06-29 04:07 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-06-22 04:49 117,248 a------- c:\windows\system32\mqtgsvc.exe
2009-06-22 04:49 19,968 a------- c:\windows\system32\mqbkup.exe
2009-06-22 04:49 117,248 -------- c:\windows\system32\dllcache\mqtgsvc.exe
2009-06-22 04:49 19,968 -------- c:\windows\system32\dllcache\mqbkup.exe
2009-06-22 04:49 4,608 a------- c:\windows\system32\mqsvc.exe
2009-06-22 04:49 4,608 -------- c:\windows\system32\dllcache\mqsvc.exe
2009-06-22 04:48 91,776 -------- c:\windows\system32\dllcache\mqac.sys
2009-06-12 05:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 05:31 80,896 -------- c:\windows\system32\dllcache\tlntsess.exe
2009-06-12 05:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-12 05:31 76,288 -------- c:\windows\system32\dllcache\telnet.exe
2009-06-10 07:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 07:13 84,992 -------- c:\windows\system32\dllcache\avifil32.dll
2009-06-09 23:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-09 23:14 132,096 -------- c:\windows\system32\dllcache\wkssvc.dll
2009-06-03 12:09 1,291,264 -------- c:\windows\system32\quartz.dll
2009-06-03 12:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2007-10-24 23:08 774,144 a------- c:\program files\RngInterstitial.dll

============= FINISH: 21:49:15.10 ===============

Here is the second log file, Attach. Now the instructions said to attack, but yours said copy/paste. If I did it wrong I apologize.


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/13/2006 1:28:44 AM
System Uptime: 8/25/2009 9:44:01 PM (0 hours ago)

Motherboard: Hewlett-Packard | | 30C6
Processor: Genuine Intel(R) CPU T1350 @ 1.86GHz | U1 | 782/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 64 GiB total, 43.955 GiB free.
D: is FIXED (FAT32) - 10 GiB total, 1.087 GiB free.
E: is CDROM ()
F: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP190: 11/25/2008 11:49:16 PM - System Checkpoint
RP191: 11/27/2008 1:44:08 PM - System Checkpoint
RP192: 11/28/2008 10:30:58 PM - System Checkpoint
RP193: 11/30/2008 8:35:24 PM - System Checkpoint
RP194: 12/1/2008 9:37:51 PM - System Checkpoint
RP195: 12/4/2008 9:58:29 PM - System Checkpoint
RP196: 12/8/2008 12:10:05 AM - System Checkpoint
RP197: 12/9/2008 12:47:24 AM - System Checkpoint
RP198: 12/12/2008 2:34:12 PM - System Checkpoint
RP199: 12/13/2008 11:36:58 PM - Software Distribution Service 3.0
RP200: 12/17/2008 11:47:02 AM - System Checkpoint
RP201: 12/18/2008 7:03:17 PM - Software Distribution Service 3.0
RP202: 12/20/2008 7:24:50 PM - System Checkpoint
RP203: 12/21/2008 10:31:52 PM - System Checkpoint
RP204: 12/23/2008 11:25:03 PM - System Checkpoint
RP205: 12/25/2008 12:15:55 AM - System Checkpoint
RP206: 12/26/2008 12:31:46 PM - System Checkpoint
RP207: 12/27/2008 10:54:14 PM - System Checkpoint
RP208: 12/29/2008 10:46:18 PM - System Checkpoint
RP209: 12/31/2008 4:39:34 PM - System Checkpoint
RP210: 1/2/2009 6:54:32 PM - System Checkpoint
RP211: 1/3/2009 7:26:33 PM - System Checkpoint
RP212: 1/8/2009 8:50:32 PM - System Checkpoint
RP213: 1/9/2009 10:13:38 PM - System Checkpoint
RP214: 1/11/2009 12:14:45 AM - System Checkpoint
RP215: 1/14/2009 9:42:20 AM - System Checkpoint
RP216: 1/15/2009 12:12:21 PM - Software Distribution Service 3.0
RP217: 1/16/2009 10:48:43 PM - System Checkpoint
RP218: 1/18/2009 1:34:29 AM - System Checkpoint
RP219: 1/18/2009 10:52:35 PM - Installed muvee Plugin 1.0
RP220: 1/19/2009 11:29:15 PM - System Checkpoint
RP221: 1/21/2009 10:02:34 PM - System Checkpoint
RP222: 1/24/2009 8:06:44 AM - System Checkpoint
RP223: 1/25/2009 9:50:48 AM - System Checkpoint
RP224: 1/26/2009 11:34:31 AM - System Checkpoint
RP225: 1/27/2009 11:03:38 PM - System Checkpoint
RP226: 1/29/2009 11:30:22 AM - System Checkpoint
RP227: 2/1/2009 10:06:16 PM - System Checkpoint
RP228: 2/3/2009 12:51:17 AM - System Checkpoint
RP229: 2/4/2009 8:25:04 PM - System Checkpoint
RP230: 2/5/2009 11:34:21 PM - System Checkpoint
RP231: 2/7/2009 10:59:45 PM - System Checkpoint
RP232: 2/19/2009 11:20:06 PM - Software Distribution Service 3.0
RP233: 2/20/2009 11:36:08 AM - Software Distribution Service 3.0
RP234: 2/21/2009 6:45:19 PM - System Checkpoint
RP235: 8/23/2009 1:37:59 PM - ComboFix created restore point
RP236: 8/23/2009 3:16:52 PM - Software Distribution Service 3.0
RP237: 8/23/2009 8:19:40 PM - Software Distribution Service 3.0
RP238: 8/23/2009 9:29:30 PM - Software Distribution Service 3.0
RP239: 8/25/2009 2:26:40 PM - System Checkpoint
RP240: 8/25/2009 2:50:00 PM - Software Distribution Service 3.0

==== Installed Programs ======================


32 Bit HP CIO Components Installer
3ivx MPEG-4 5.0.3 (remove only)
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.5
AIO_Scan
AutoUpdate
BufferChm
ccCommon
CCleaner (remove only)
Conexant HD Audio
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
cp_PosterPrintConfig
cp_UpdateProjectsConfig
CueTour
Customer Experience Enhancement
Destinations
DeviceManagementQFolder
DivX
Easy Internet Sign-up
ebgcInfra
ebgcRes
ebgcSDK
ESPNMotion
FullDPAppQFolder
GemMaster Mystic
HDAUDIO Soft Data Fax Modem with SmartCP
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP DVD Play 2.3
HP Help and Support
HP Imaging Device Functions 6.0
HP Photosmart All-In-One Driver Software 9.0.A Corporate Edition
HP Photosmart Premier Software 6.0
HP Quick Launch Buttons 6.10 A1
HP Rhapsody
HP Software Update
HP User Guides--System Recovery
HP User Guides 0037
HP Wireless Assistant 2.00 G2
HpSdpAppCoreApp
InstantShareDevices
Intel(R) Graphics Media Accelerator Driver
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
LimeWire 4.12.11
LiveUpdate 3.0 (Symantec Corporation)
Macromedia Flash Player 8
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2006
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 5.0
muvee Plugin 1.0
My HP Games
Netscape Browser (remove only)
NetWaiting
Office 2003 Trial Assistant
OptionalContentQFolder
Otto
PhotoGallery
ps_aio_02_corporate
PS_AIO_02_Software_min
Quicken 2006
RandMap
RealPlayer
Rhapsody Player Engine
Scan
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
SkinsHP1
SmartAudio
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
Sonic_PrimoSDK
SonicAC3Encoder
SonicMPEGEncoder
Spybot - Search & Destroy
Symantec KB-DocID:2003093015493306
Synaptics Pointing Device Driver
Toolbox
TourSetup
Unload
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
URGE
Vongo
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
Wireless Home Network Setup

==== Event Viewer Messages From Past Week ========

8/25/2009 1:32:57 PM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\system32\wzcdlg.dll. Reference error message: Error Message is unavailable .
8/23/2009 9:48:54 AM, error: Service Control Manager [7000] - The LiveUpdate service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/23/2009 9:48:53 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the LiveUpdate service to connect.
8/23/2009 9:48:53 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service LiveUpdate with arguments "" in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}
8/23/2009 9:48:29 AM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
8/23/2009 7:53:24 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
8/23/2009 7:04:51 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl Fips intelppm
8/23/2009 4:57:33 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
8/23/2009 3:01:36 PM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
8/23/2009 2:12:35 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
8/23/2009 2:12:35 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
8/23/2009 2:12:35 PM, error: Service Control Manager [7001] - The Message Queuing Triggers service depends on the Message Queuing service which failed to start because of the following error: The dependency service or group failed to start.
8/23/2009 2:12:35 PM, error: Service Control Manager [7001] - The Message Queuing service depends on the Distributed Transaction Coordinator service which failed to start because of the following error: The dependency service or group failed to start.
8/23/2009 2:12:35 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/23/2009 2:12:35 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/23/2009 2:11:24 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/23/2009 2:11:20 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
8/23/2009 2:08:57 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
8/23/2009 10:59:02 AM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 001302C053DD. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
8/23/2009 10:57:00 AM, error: Service Control Manager [7034] - The Webroot Spy Sweeper Engine service terminated unexpectedly. It has done this 1 time(s).
8/23/2009 10:57:00 AM, error: PlugPlayManager [11] - The device Root\LEGACY_SSHRMD\0000 disappeared from the system without first being prepared for removal.
8/23/2009 10:57:00 AM, error: PlugPlayManager [11] - The device Root\LEGACY_SSFS0BB9\0000 disappeared from the system without first being prepared for removal.
8/23/2009 10:13:24 AM, error: Service Control Manager [7034] - The hpqwmiex service terminated unexpectedly. It has done this 1 time(s).
8/23/2009 10:12:35 AM, error: PlugPlayManager [11] - The device Root\LEGACY_762623FF152F55A22FD53B48BC3FF861\0000 disappeared from the system without first being prepared for removal.
8/23/2009 1:45:22 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.

==== End Of File ===========================

Thanks again, I look forward to your reply.

Doff
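The "Pseudo HJT Report" section of a DDS log lists autostart entries (the uRun/mRun values under the Run keys and the Winlogon Notify packages) in a fixed one-line-per-entry format, and a helper reading such a log triages it by looking for entries launched from temp folders, Notify packages that are not DLLs, and names that look machine-generated. The script below is an added example, not part of this thread and not code from DDS or its author: it parses those two line types and flags entries for review using a few illustrative heuristics (temp-directory launch path, non-.dll Notify target, names made only of hex characters). The sample input is constructed from lines in the log posted above plus benign entries for contrast; the function and regex names are the example's own, and a flag means "look at this first", not a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample input: lines in the DDS "Pseudo HJT Report" format, taken
# from the logs posted in this thread plus benign entries for contrast.
SAMPLE_REPORT = r"""
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [A00F5BFBD.exe] c:\docume~1\admini~1\locals~1\temp\_A00F5BFBD.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
Notify: 6e45f3b530 - c:\windows\system32\divx_xx0732.dll
Notify: cfddecaeacedb - c:\windows\system32\cfddecaeacedb.dll
Notify: igfxcui - igfxdev.dll
Notify: __c00C2400 - c:\windows\system32\__c00C2400.dat
"""

# Line shapes as DDS prints them: "uRun: [value] command" and "Notify: key - dll"
RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^Notify: (?P<name>\S+) - (?P<target>.*)$")
QUOTED_RE = re.compile(r'^"([^"]+)"')
EXT_RE = re.compile(r"^(.+?\.(?:exe|com|scr|bat|cmd|dll|dat))(?:\s|$)", re.I)
TEMP_DIRS = ("\\temp\\", "\\locals~1\\temp", "\\local settings\\temp")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8,}$", re.I)


@dataclass
class Finding:
    kind: str          # "Run" or "Notify"
    name: str          # registry value / key name as DDS prints it
    target: str        # the executable or DLL the entry loads
    reasons: List[str] = field(default_factory=list)


def image_path(cmd: str) -> str:
    """Pull the program path out of a Run command line (quoted or not)."""
    m = QUOTED_RE.match(cmd) or EXT_RE.match(cmd)
    return m.group(1) if m else cmd.strip()


def looks_random(name: str) -> bool:
    """Illustrative heuristic (an assumption of this example, not a rule):
    a name made only of hex characters and at least 8 long is unusual
    for a legitimately named component."""
    return bool(HEX_NAME_RE.match(name.lstrip("_")))


def check_run(name: str, cmd: str) -> Finding:
    path = image_path(cmd)
    f = Finding("Run", name, path)
    if any(t in path.lower() for t in TEMP_DIRS):
        f.reasons.append("autorun launched from a temp directory")
    stem = name.rsplit(".", 1)[0]          # "A00F5BFBD.exe" -> "A00F5BFBD"
    if looks_random(stem):
        f.reasons.append("random-looking (hex) value name")
    return f


def check_notify(name: str, target: str) -> Finding:
    f = Finding("Notify", name, target)
    if not target.lower().endswith(".dll"):   # Winlogon notification packages are DLLs
        f.reasons.append("Winlogon notification package is not a .dll")
    if looks_random(name):
        f.reasons.append("random-looking (hex) key name")
    return f


def scan_report(text: str) -> List[Finding]:
    """Parse every Run/Notify line; return only entries with at least one reason."""
    findings = []
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if m:
            f = check_run(m["name"], m["cmd"])
        else:
            m = NOTIFY_RE.match(line)
            if not m:
                continue                      # other DDS line types are ignored here
            f = check_notify(m["name"], m["target"])
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan_report(SAMPLE_REPORT):
        print(f"{f.kind:6} {f.name:<16} {f.target}")
        for r in f.reasons:
            print(f"       - {r}")
```

Run against the sample, it returns four of the nine entries (the temp-folder uRun value and three of the four Notify packages) and leaves the vendor-named entries alone; the whole-log view a helper also uses (file creation dates, matching sizes between a .TMP in system32 and a later .dll) is outside what these two line types carry.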

Doff_V
2009-08-26, 07:01
Meant Attach* up there, sorry about the typos.

Doff

Shaba
2009-08-26, 13:20
That is fine :)

According to forum rules (http://forums.spybot.info/showthread.php?t=282), all p2p programs need to be removed.

So please uninstall LimeWire 4.12.11, re-run DDS and post back fresh DDS logs.

Doff_V
2009-08-27, 01:54
No Problem.

Ok, here are the new logs without LimeWire on the PC.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Administrator at 16:45:46.21 on Wed 08/26/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.193 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Vongo\VongoService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
uInternet Connection Wizard,ShellNext = hxxp://wl.gelohen.com/v3063/repins.jpg?msg=lieMq7BAv8czQ%2BKukUxIWz1OexH%2BsZFAnJArSXi7AG61sBSU%2Bpx7IvwfsC9mty4MvZItBe1kDoeoN4zo4scMhlk9tiifCLIy9mgfgNxK8PtCrYYptRQLThw8Lzd%2BHooexhA5D0GUInxVru%2F78Bc0vs6Io4LbyfL4mAnP6DpxwSzj62ZFgLVrcqWpdSvDorv%2BpvdyYzAX0H2dPlQFX2zeYB%3D%3D
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [A00F5BFBD.exe] c:\docume~1\admini~1\locals~1\temp\_A00F5BFBD.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [hpWirelessAssistant] "c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QlbCtrl] "c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe" /Start
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpzsetup.lnk - c:\program files\hp\temp\{4604f1bd-2b72-4194-9387-ad83312326ed}\hpzstub.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_10\bin\npjpi150_10.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1251085278625
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: 6e45f3b530 - c:\windows\system32\divx_xx0732.dll
Notify: cfddecaeacedb - c:\windows\system32\cfddecaeacedb.dll
Notify: igfxcui - igfxdev.dll
Notify: __c00C2400 - c:\windows\system32\__c00C2400.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2005-9-17 191848]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2005-9-17 169320]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-9-11 1251720]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2007-5-19 20160]

=============== Created Last 30 ================

2009-08-25 15:24 17,692 a------- c:\windows\GnuHashes.ini
2009-08-25 15:01 <DIR> --d----- c:\windows\system32\scripting
2009-08-25 15:01 <DIR> --d----- c:\windows\l2schemas
2009-08-25 15:01 <DIR> --d----- c:\windows\system32\en
2009-08-25 15:01 <DIR> --d----- c:\windows\system32\bits
2009-08-25 13:29 29,184 a------- c:\windows\system32\__c0010C22.dat
2009-08-25 13:16 124 a------- C:\xcrashdump.dat
2009-08-25 13:15 29,184 a------- c:\windows\system32\__c00C2400.dat
2009-08-25 13:13 530 a--sh--- c:\windows\system32\GroupPolicy000.dat
2009-08-25 13:13 518,144 a--sh--- c:\windows\system32\14.tmp
2009-08-25 13:12 <DIR> --dsh--- c:\documents and settings\administrator\IECompatCache
2009-08-25 13:12 268,648 a------- c:\windows\system32\mucltui.dll
2009-08-25 13:12 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-08-25 13:12 <DIR> --dsh--- c:\documents and settings\administrator\PrivacIE
2009-08-25 13:09 <DIR> --dsh--- c:\documents and settings\administrator\IETldCache
2009-08-23 21:32 <DIR> --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-08-23 20:25 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-08-23 20:25 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-08-23 20:25 <DIR> --d----- c:\windows\ie8updates
2009-08-23 20:25 101,376 -------- c:\windows\system32\dllcache\iecompat.dll
2009-08-23 20:23 <DIR> -cd-h--- c:\windows\ie8
2009-08-23 16:53 <DIR> --dsh--- C:\found.000
2009-08-23 15:34 281,105 -------- c:\windows\system32\4dc4303c151fbb82f432e7440f3f1d28.TMP
2009-08-23 15:18 <DIR> --d----- c:\windows\ServicePackFiles
2009-08-23 14:16 <DIR> --d----- c:\windows\ERUNT
2009-08-23 14:15 <DIR> --d----- C:\SDFix
2009-08-23 14:06 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-08-23 13:41 <DIR> a-dshr-- C:\cmdcons
2009-08-23 13:37 229,376 a------- c:\windows\PEV.exe
2009-08-23 13:37 161,792 a------- c:\windows\SWREG.exe
2009-08-23 13:37 98,816 a------- c:\windows\sed.exe
2009-08-23 11:09 0 a------- C:\.autoreg
2009-08-23 11:06 <DIR> --d----- c:\windows\pss
2009-08-23 11:05 <DIR> --d----- c:\program files\CCleaner
2009-08-23 10:44 <DIR> --dsh--- c:\windows\system32\LocalService
2009-08-23 10:44 518,144 a--sh--- c:\windows\system32\6B4.tmp
2009-08-23 10:10 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-08-23 10:07 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-08-23 10:04 655,872 -------- c:\windows\system32\dllcache\mstscax.dll
2009-08-23 10:01 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-08-23 10:01 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-08-23 09:55 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-23 09:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-08-05 02:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-28 21:37 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-07-28 21:37 81,920 -------- c:\windows\system32\dllcache\fontsub.dll

==================== Find3M ====================

2009-08-25 15:27 281,105 a------- c:\windows\system32\cfddecaeacedb.dll
2009-08-25 15:05 92,599 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-08-23 10:50 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-23 10:50 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2009-08-23 10:50 10,671 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-08-23 10:50 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-28 21:37 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-28 21:37 81,920 a------- c:\windows\system32\fontsub.dll
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 06:18 5,937,152 a------- c:\windows\system32\dllcache\cache\mshtml.dll
2009-07-19 06:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 12:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 10,841,088 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-03 10:09 915,456 a------- c:\windows\system32\dllcache\cache\wininet.dll
2009-07-03 10:09 915,456 -------- c:\windows\system32\wininet.dll
2009-07-03 10:09 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 10:09 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 10:09 206,848 -------- c:\windows\system32\dllcache\occache.dll
2009-07-03 10:09 594,432 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 10:09 55,296 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 10:09 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 10:09 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 10:09 184,320 -------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 10:09 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 04:01 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-29 09:12 133,120 a------- c:\windows\system32\dllcache\extmgr.dll
2009-06-29 04:07 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-06-22 04:49 117,248 a------- c:\windows\system32\mqtgsvc.exe
2009-06-22 04:49 19,968 a------- c:\windows\system32\mqbkup.exe
2009-06-22 04:49 117,248 -------- c:\windows\system32\dllcache\mqtgsvc.exe
2009-06-22 04:49 19,968 -------- c:\windows\system32\dllcache\mqbkup.exe
2009-06-22 04:49 4,608 a------- c:\windows\system32\mqsvc.exe
2009-06-22 04:49 4,608 -------- c:\windows\system32\dllcache\mqsvc.exe
2009-06-22 04:48 91,776 -------- c:\windows\system32\dllcache\mqac.sys
2009-06-12 05:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 05:31 80,896 -------- c:\windows\system32\dllcache\tlntsess.exe
2009-06-12 05:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-12 05:31 76,288 -------- c:\windows\system32\dllcache\telnet.exe
2009-06-10 07:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 07:13 84,992 -------- c:\windows\system32\dllcache\avifil32.dll
2009-06-09 23:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-09 23:14 132,096 -------- c:\windows\system32\dllcache\wkssvc.dll
2009-06-03 12:09 1,291,264 -------- c:\windows\system32\quartz.dll
2009-06-03 12:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2007-10-24 23:08 774,144 a------- c:\program files\RngInterstitial.dll

============= FINISH: 16:46:39.68 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/13/2006 1:28:44 AM
System Uptime: 8/26/2009 4:41:34 PM (0 hours ago)

Motherboard: Hewlett-Packard | | 30C6
Processor: Genuine Intel(R) CPU T1350 @ 1.86GHz | U1 | 1862/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 64 GiB total, 43.972 GiB free.
D: is FIXED (FAT32) - 10 GiB total, 1.087 GiB free.
E: is CDROM ()
F: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP190: 11/25/2008 11:49:16 PM - System Checkpoint
RP191: 11/27/2008 1:44:08 PM - System Checkpoint
RP192: 11/28/2008 10:30:58 PM - System Checkpoint
RP193: 11/30/2008 8:35:24 PM - System Checkpoint
RP194: 12/1/2008 9:37:51 PM - System Checkpoint
RP195: 12/4/2008 9:58:29 PM - System Checkpoint
RP196: 12/8/2008 12:10:05 AM - System Checkpoint
RP197: 12/9/2008 12:47:24 AM - System Checkpoint
RP198: 12/12/2008 2:34:12 PM - System Checkpoint
RP199: 12/13/2008 11:36:58 PM - Software Distribution Service 3.0
RP200: 12/17/2008 11:47:02 AM - System Checkpoint
RP201: 12/18/2008 7:03:17 PM - Software Distribution Service 3.0
RP202: 12/20/2008 7:24:50 PM - System Checkpoint
RP203: 12/21/2008 10:31:52 PM - System Checkpoint
RP204: 12/23/2008 11:25:03 PM - System Checkpoint
RP205: 12/25/2008 12:15:55 AM - System Checkpoint
RP206: 12/26/2008 12:31:46 PM - System Checkpoint
RP207: 12/27/2008 10:54:14 PM - System Checkpoint
RP208: 12/29/2008 10:46:18 PM - System Checkpoint
RP209: 12/31/2008 4:39:34 PM - System Checkpoint
RP210: 1/2/2009 6:54:32 PM - System Checkpoint
RP211: 1/3/2009 7:26:33 PM - System Checkpoint
RP212: 1/8/2009 8:50:32 PM - System Checkpoint
RP213: 1/9/2009 10:13:38 PM - System Checkpoint
RP214: 1/11/2009 12:14:45 AM - System Checkpoint
RP215: 1/14/2009 9:42:20 AM - System Checkpoint
RP216: 1/15/2009 12:12:21 PM - Software Distribution Service 3.0
RP217: 1/16/2009 10:48:43 PM - System Checkpoint
RP218: 1/18/2009 1:34:29 AM - System Checkpoint
RP219: 1/18/2009 10:52:35 PM - Installed muvee Plugin 1.0
RP220: 1/19/2009 11:29:15 PM - System Checkpoint
RP221: 1/21/2009 10:02:34 PM - System Checkpoint
RP222: 1/24/2009 8:06:44 AM - System Checkpoint
RP223: 1/25/2009 9:50:48 AM - System Checkpoint
RP224: 1/26/2009 11:34:31 AM - System Checkpoint
RP225: 1/27/2009 11:03:38 PM - System Checkpoint
RP226: 1/29/2009 11:30:22 AM - System Checkpoint
RP227: 2/1/2009 10:06:16 PM - System Checkpoint
RP228: 2/3/2009 12:51:17 AM - System Checkpoint
RP229: 2/4/2009 8:25:04 PM - System Checkpoint
RP230: 2/5/2009 11:34:21 PM - System Checkpoint
RP231: 2/7/2009 10:59:45 PM - System Checkpoint
RP232: 2/19/2009 11:20:06 PM - Software Distribution Service 3.0
RP233: 2/20/2009 11:36:08 AM - Software Distribution Service 3.0
RP234: 2/21/2009 6:45:19 PM - System Checkpoint
RP235: 8/23/2009 1:37:59 PM - ComboFix created restore point
RP236: 8/23/2009 3:16:52 PM - Software Distribution Service 3.0
RP237: 8/23/2009 8:19:40 PM - Software Distribution Service 3.0
RP238: 8/23/2009 9:29:30 PM - Software Distribution Service 3.0
RP239: 8/25/2009 2:26:40 PM - System Checkpoint
RP240: 8/25/2009 2:50:00 PM - Software Distribution Service 3.0

==== Installed Programs ======================


32 Bit HP CIO Components Installer
3ivx MPEG-4 5.0.3 (remove only)
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.5
AIO_Scan
AutoUpdate
BufferChm
ccCommon
CCleaner (remove only)
Conexant HD Audio
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
cp_PosterPrintConfig
cp_UpdateProjectsConfig
CueTour
Customer Experience Enhancement
Destinations
DeviceManagementQFolder
DivX
Easy Internet Sign-up
ebgcInfra
ebgcRes
ebgcSDK
ESPNMotion
FullDPAppQFolder
GemMaster Mystic
HDAUDIO Soft Data Fax Modem with SmartCP
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP DVD Play 2.3
HP Help and Support
HP Imaging Device Functions 6.0
HP Photosmart All-In-One Driver Software 9.0.A Corporate Edition
HP Photosmart Premier Software 6.0
HP Quick Launch Buttons 6.10 A1
HP Rhapsody
HP Software Update
HP User Guides--System Recovery
HP User Guides 0037
HP Wireless Assistant 2.00 G2
HpSdpAppCoreApp
InstantShareDevices
Intel(R) Graphics Media Accelerator Driver
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
LiveUpdate 3.0 (Symantec Corporation)
Macromedia Flash Player 8
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2006
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 5.0
muvee Plugin 1.0
My HP Games
Netscape Browser (remove only)
NetWaiting
Office 2003 Trial Assistant
OptionalContentQFolder
Otto
PhotoGallery
ps_aio_02_corporate
PS_AIO_02_Software_min
Quicken 2006
RandMap
RealPlayer
Rhapsody Player Engine
Scan
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
SkinsHP1
SmartAudio
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
Sonic_PrimoSDK
SonicAC3Encoder
SonicMPEGEncoder
Spybot - Search & Destroy
Symantec KB-DocID:2003093015493306
Synaptics Pointing Device Driver
Toolbox
TourSetup
Unload
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
URGE
Vongo
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
Wireless Home Network Setup

==== Event Viewer Messages From Past Week ========

8/25/2009 1:32:57 PM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\system32\wzcdlg.dll. Reference error message: Error Message is unavailable .
8/23/2009 9:48:54 AM, error: Service Control Manager [7000] - The LiveUpdate service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/23/2009 9:48:53 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the LiveUpdate service to connect.
8/23/2009 9:48:53 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service LiveUpdate with arguments "" in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}
8/23/2009 9:48:29 AM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
8/23/2009 7:53:24 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
8/23/2009 7:04:51 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl Fips intelppm
8/23/2009 4:57:33 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
8/23/2009 3:01:36 PM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
8/23/2009 2:12:35 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
8/23/2009 2:12:35 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
8/23/2009 2:12:35 PM, error: Service Control Manager [7001] - The Message Queuing Triggers service depends on the Message Queuing service which failed to start because of the following error: The dependency service or group failed to start.
8/23/2009 2:12:35 PM, error: Service Control Manager [7001] - The Message Queuing service depends on the Distributed Transaction Coordinator service which failed to start because of the following error: The dependency service or group failed to start.
8/23/2009 2:12:35 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/23/2009 2:12:35 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/23/2009 2:11:24 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/23/2009 2:11:20 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
8/23/2009 2:08:57 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
8/23/2009 10:59:02 AM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 001302C053DD. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
8/23/2009 10:57:00 AM, error: Service Control Manager [7034] - The Webroot Spy Sweeper Engine service terminated unexpectedly. It has done this 1 time(s).
8/23/2009 10:57:00 AM, error: PlugPlayManager [11] - The device Root\LEGACY_SSHRMD\0000 disappeared from the system without first being prepared for removal.
8/23/2009 10:57:00 AM, error: PlugPlayManager [11] - The device Root\LEGACY_SSFS0BB9\0000 disappeared from the system without first being prepared for removal.
8/23/2009 10:13:24 AM, error: Service Control Manager [7034] - The hpqwmiex service terminated unexpectedly. It has done this 1 time(s).
8/23/2009 10:12:35 AM, error: PlugPlayManager [11] - The device Root\LEGACY_762623FF152F55A22FD53B48BC3FF861\0000 disappeared from the system without first being prepared for removal.
8/23/2009 1:45:22 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.

==== End Of File ===========================

Thank you.

Doff
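A small triage script, added here as an example and not part of the original thread or of the DDS tool itself, that runs two simple heuristics over "Pseudo HJT Report" lines of the kind posted above: an autorun (uRun/mRun) launched from a temp directory or named with a bare hex string, and a Winlogon Notify package whose name is a bare hex string or whose target is not a .dll. The sample lines are copied from the log above; the heuristics, thresholds and function names are assumptions.

```python
"""Triage heuristics for DDS 'Pseudo HJT Report' autorun lines (added example)."""
import ntpath
import re

# Constructed sample: lines copied from the DDS log posted above.
SAMPLE_LINES = r"""
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [A00F5BFBD.exe] c:\docume~1\admini~1\locals~1\temp\_A00F5BFBD.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
Notify: 6e45f3b530 - c:\windows\system32\divx_xx0732.dll
Notify: cfddecaeacedb - c:\windows\system32\cfddecaeacedb.dll
Notify: igfxcui - igfxdev.dll
Notify: __c00C2400 - c:\windows\system32\__c00C2400.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
"""

RUN_RE = re.compile(r"^([um])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
NOTIFY_RE = re.compile(r"^Notify: (?P<name>\S+) - (?P<target>.+)$")
# First path-looking token of a command line, quoted or not.
PATH_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|dat|scr|com))\b"?', re.I)
# Assumption: a name made only of 8+ hex digits is treated as machine-generated.
HEX_LIKE = re.compile(r"[0-9a-f]{8,}", re.I)


def looks_random(token):
    """True when a token is just a run of hex digits (leading/trailing '_' ignored)."""
    return HEX_LIKE.fullmatch(token.strip("_")) is not None


def parse_line(line):
    """Return {'kind', 'name', 'target'} for Run/Notify lines, else None."""
    m = RUN_RE.match(line)
    if m:
        pm = PATH_RE.match(m.group("cmd"))
        target = pm.group("path") if pm else m.group("cmd")
        return {"kind": "Run", "name": m.group("name"), "target": target}
    m = NOTIFY_RE.match(line)
    if m:
        return {"kind": "Notify", "name": m.group("name"), "target": m.group("target")}
    return None


def assess(entry):
    """Return the list of heuristic reasons an entry deserves manual review."""
    reasons = []
    target = entry["target"].lower()
    stem, ext = ntpath.splitext(ntpath.basename(target))
    if entry["kind"] == "Run":
        if "\\temp\\" in target:
            reasons.append("autorun launches a file from a temp directory")
        if looks_random(stem):
            reasons.append("autorun file name is a bare hex string")
    else:  # Winlogon Notify packages are DLLs loaded into winlogon.exe
        if ext != ".dll":
            reasons.append("Notify target is not a .dll")
        if looks_random(entry["name"]):
            reasons.append("Notify package name is a bare hex string")
    return reasons


def triage(text):
    """Parse a block of DDS lines and return only the entries with findings."""
    findings = []
    for line in text.strip().splitlines():
        entry = parse_line(line.strip())
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f['kind']:6} {f['name']:16} {f['target']}")
        for r in f["reasons"]:
            print("       -", r)
```

On the sample above it flags the temp-directory autorun and the three Notify entries with hex-style names, which is a prompt for review, not a verdict; the legitimate ctfmon, msmsgs and igfxcui entries pass.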

Shaba
2009-08-27, 06:09
We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here. (http://www.bleepingcomputer.com/forums/topic114351.html)

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

Doff_V
2009-08-28, 04:15
Ok, here is the first part.

ComboFix 09-08-22.06 - Administrator 08/27/2009 16:58.5.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.189 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\0200000057923185530C.manifest
c:\documents and settings\Administrator\Application Data\0200000057923185530O.manifest
c:\documents and settings\Administrator\Application Data\0200000057923185530P.manifest
c:\documents and settings\Administrator\Application Data\0200000057923185530S.manifest
c:\windows\GnuHashes.ini
c:\windows\system32\__c0010C22.dat
c:\windows\system32\__c00C2400.dat
c:\windows\system32\GroupPolicy000.dat
C:\xcrashdump.dat

.
((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-28 )))))))))))))))))))))))))))))))
.

2009-08-25 22:16 . 2009-08-25 22:16 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-25 22:14 . 2009-08-25 22:14 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-25 22:01 . 2009-08-25 22:01 -------- d-----w- c:\windows\system32\scripting
2009-08-25 22:01 . 2009-08-25 22:01 -------- d-----w- c:\windows\l2schemas
2009-08-25 22:01 . 2009-08-25 22:01 -------- d-----w- c:\windows\system32\en
2009-08-25 22:01 . 2009-08-25 22:01 -------- d-----w- c:\windows\system32\bits
2009-08-25 20:12 . 2009-08-25 20:12 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2009-08-25 20:12 . 2008-10-16 21:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-08-25 20:12 . 2009-08-25 20:12 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-08-25 20:09 . 2009-08-25 20:09 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-08-24 04:32 . 2009-08-24 04:32 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-08-24 03:25 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-08-24 03:25 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-24 03:25 . 2009-08-24 03:25 -------- d-----w- c:\windows\ie8updates
2009-08-24 03:25 . 2009-07-01 07:08 101376 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-08-24 03:23 . 2009-08-24 03:24 -------- dc-h--w- c:\windows\ie8
2009-08-23 23:53 . 2009-08-23 23:53 -------- d-sh--w- C:\found.000
2009-08-23 22:18 . 2009-08-25 21:58 -------- d-----w- c:\windows\ServicePackFiles
2009-08-23 21:16 . 2009-08-23 21:16 -------- d-----w- c:\windows\ERUNT
2009-08-23 21:15 . 2009-08-23 21:28 -------- d-----w- C:\SDFix
2009-08-23 18:05 . 2009-08-23 18:05 -------- d-----w- c:\program files\CCleaner
2009-08-23 17:44 . 2009-08-25 20:14 -------- d-sh--w- c:\windows\system32\LocalService
2009-08-23 17:07 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-23 17:04 . 2009-06-05 07:42 655872 ------w- c:\windows\system32\dllcache\mstscax.dll
2009-08-23 17:01 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-08-23 17:01 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-08-23 16:55 . 2009-08-25 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-23 16:55 . 2009-08-23 17:04 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-23 16:44 . 2009-08-23 16:44 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-29 04:37 . 2009-07-29 04:37 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2009-07-29 04:37 . 2009-07-29 04:37 119808 ------w- c:\windows\system32\dllcache\t2embed.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-25 22:27 . 2003-08-09 02:20 281105 ----a-w- c:\windows\system32\cfddecaeacedb.dll
2009-08-25 22:18 . 2006-09-12 04:40 66128 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-25 22:05 . 2006-06-29 18:43 92599 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-08-25 20:13 . 2009-08-25 20:13 518144 --sha-w- c:\windows\system32\14.tmp
2009-08-24 03:10 . 2007-01-03 18:37 -------- d-----w- c:\program files\Google
2009-08-23 22:34 . 2009-08-23 22:34 281105 ------w- c:\windows\system32\4dc4303c151fbb82f432e7440f3f1d28.TMP
2009-08-23 18:18 . 2006-09-12 04:50 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-23 17:58 . 2006-09-12 04:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-23 17:50 . 2006-09-12 04:50 -------- d-----w- c:\program files\Symantec
2009-08-23 17:50 . 2006-12-13 03:30 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-08-23 17:50 . 2006-12-13 03:30 10671 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-08-23 17:50 . 2006-09-12 04:50 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-08-23 17:50 . 2006-09-12 04:50 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-23 17:44 . 2009-08-23 17:44 518144 --sha-w- c:\windows\system32\6B4.tmp
2009-08-05 09:01 . 2006-03-16 04:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2005-10-18 05:14 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2005-10-18 05:14 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-17 19:01 . 2006-03-16 04:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2006-03-16 04:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2006-03-16 04:00 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 18:36 . 2006-03-16 04:00 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2006-03-16 04:00 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2006-03-16 04:00 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2006-03-16 04:00 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2006-03-16 04:00 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2006-03-16 04:00 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2006-03-16 04:00 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2006-03-16 04:00 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2006-03-16 04:00 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2006-03-16 04:00 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2006-03-16 04:00 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:36 . 2006-03-16 04:00 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-22 11:49 . 2006-03-16 04:00 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2006-03-16 04:00 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2006-03-16 04:00 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2006-03-16 04:00 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-12 12:31 . 2006-03-16 04:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2006-03-16 04:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2006-03-16 04:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2006-03-16 04:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2005-08-30 12:13 1291264 ------w- c:\windows\system32\quartz.dll
2007-10-25 06:08 . 2007-10-25 06:13 774144 ----a-w- c:\program files\RngInterstitial.dll

Doff_V
2009-08-28, 04:17
Disregard that last post, I think there is something wrong with the log, it seems way too long. Going to re-run then repost.

Doff_V
2009-08-28, 05:43
Not sure how I ended up with a very large ComboFix file the first time, but I deleted it and re-ran ComboFix, here is the proper log.

ComboFix 09-08-22.06 - Administrator 08/27/2009 19:17.6.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.167 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\0200000057923185530C.manifest
c:\documents and settings\Administrator\Application Data\0200000057923185530O.manifest
c:\documents and settings\Administrator\Application Data\0200000057923185530P.manifest
c:\documents and settings\Administrator\Application Data\0200000057923185530S.manifest

.
((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-28 )))))))))))))))))))))))))))))))
.

2009-08-25 22:16 . 2009-08-25 22:16 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-25 22:14 . 2009-08-25 22:14 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-25 22:01 . 2009-08-25 22:01 -------- d-----w- c:\windows\system32\scripting
2009-08-25 22:01 . 2009-08-25 22:01 -------- d-----w- c:\windows\l2schemas
2009-08-25 22:01 . 2009-08-25 22:01 -------- d-----w- c:\windows\system32\en
2009-08-25 22:01 . 2009-08-25 22:01 -------- d-----w- c:\windows\system32\bits
2009-08-25 20:12 . 2009-08-25 20:12 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2009-08-25 20:12 . 2008-10-16 21:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-08-25 20:12 . 2009-08-25 20:12 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-08-25 20:09 . 2009-08-25 20:09 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-08-24 04:32 . 2009-08-24 04:32 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-08-24 03:25 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-08-24 03:25 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-24 03:25 . 2009-08-24 03:25 -------- d-----w- c:\windows\ie8updates
2009-08-24 03:25 . 2009-07-01 07:08 101376 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-08-24 03:23 . 2009-08-24 03:24 -------- dc-h--w- c:\windows\ie8
2009-08-23 23:53 . 2009-08-23 23:53 -------- d-sh--w- C:\found.000
2009-08-23 22:18 . 2009-08-25 21:58 -------- d-----w- c:\windows\ServicePackFiles
2009-08-23 21:16 . 2009-08-23 21:16 -------- d-----w- c:\windows\ERUNT
2009-08-23 21:15 . 2009-08-23 21:28 -------- d-----w- C:\SDFix
2009-08-23 18:05 . 2009-08-23 18:05 -------- d-----w- c:\program files\CCleaner
2009-08-23 17:44 . 2009-08-25 20:14 -------- d-sh--w- c:\windows\system32\LocalService
2009-08-23 17:07 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-23 17:04 . 2009-06-05 07:42 655872 ------w- c:\windows\system32\dllcache\mstscax.dll
2009-08-23 17:01 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-08-23 17:01 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-08-23 16:55 . 2009-08-25 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-23 16:55 . 2009-08-23 17:04 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-23 16:44 . 2009-08-23 16:44 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-29 04:37 . 2009-07-29 04:37 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2009-07-29 04:37 . 2009-07-29 04:37 119808 ------w- c:\windows\system32\dllcache\t2embed.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-25 22:27 . 2003-08-09 02:20 281105 ----a-w- c:\windows\system32\cfddecaeacedb.dll
2009-08-25 22:18 . 2006-09-12 04:40 66128 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-25 22:05 . 2006-06-29 18:43 92599 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-08-25 20:13 . 2009-08-25 20:13 518144 --sha-w- c:\windows\system32\14.tmp
2009-08-24 03:10 . 2007-01-03 18:37 -------- d-----w- c:\program files\Google
2009-08-23 22:34 . 2009-08-23 22:34 281105 ------w- c:\windows\system32\4dc4303c151fbb82f432e7440f3f1d28.TMP
2009-08-23 18:18 . 2006-09-12 04:50 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-23 17:58 . 2006-09-12 04:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-23 17:50 . 2006-09-12 04:50 -------- d-----w- c:\program files\Symantec
2009-08-23 17:50 . 2006-12-13 03:30 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-08-23 17:50 . 2006-12-13 03:30 10671 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-08-23 17:50 . 2006-09-12 04:50 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-08-23 17:50 . 2006-09-12 04:50 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-23 17:44 . 2009-08-23 17:44 518144 --sha-w- c:\windows\system32\6B4.tmp
2009-08-05 09:01 . 2006-03-16 04:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2005-10-18 05:14 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2005-10-18 05:14 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-17 19:01 . 2006-03-16 04:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2006-03-16 04:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2006-03-16 04:00 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 18:36 . 2006-03-16 04:00 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2006-03-16 04:00 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2006-03-16 04:00 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2006-03-16 04:00 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2006-03-16 04:00 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2006-03-16 04:00 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2006-03-16 04:00 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2006-03-16 04:00 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2006-03-16 04:00 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2006-03-16 04:00 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2006-03-16 04:00 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:36 . 2006-03-16 04:00 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-22 11:49 . 2006-03-16 04:00 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2006-03-16 04:00 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2006-03-16 04:00 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2006-03-16 04:00 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-12 12:31 . 2006-03-16 04:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2006-03-16 04:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2006-03-16 04:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2006-03-16 04:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2005-08-30 12:13 1291264 ------w- c:\windows\system32\quartz.dll
2007-10-25 06:08 . 2007-10-25 06:13 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-12 53096]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-06-23 102400]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-02 135168]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-13 185896]
"MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2009-06-25 177152]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-06-02 61952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\6e45f3b530]
2009-02-08 23:17 135168 ----a-w- c:\windows\system32\divx_xx0732.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cfddecaeacedb]
2009-08-25 22:27 281105 ----a-w- c:\windows\system32\cfddecaeacedb.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Vongo Tray.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Vongo Tray.lnk
backup=c:\windows\pss\Vongo Tray.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [5/19/2007 9:18 AM 20160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
uInternet Connection Wizard,ShellNext = hxxp://wl.gelohen.com/v3063/repins.jpg?msg=lieMq7BAv8czQ%2BKukUxIWz1OexH%2BsZFAnJArSXi7AG61sBSU%2Bpx7IvwfsC9mty4MvZItBe1kDoeoN4zo4scMhlk9tiifCLIy9mgfgNxK8PtCrYYptRQLThw8Lzd%2BHooexhA5D0GUInxVru%2F78Bc0vs6Io4LbyfL4mAnP6DpxwSzj62ZFgLVrcqWpdSvDorv%2BpvdyYzAX0H2dPlQFX2zeYB%3D%3D
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-27 19:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???`Q??????`?@?????L?@

scanning hidden files ...


c:\windows\system32\762623ff152f55a22fd53b48bc3ff861.sys 39936 bytes executable
c:\windows\system32\_762623ff152f55a22fd53b48bc3ff861.sys_.vir 39936 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\762623ff152f55a22fd53b48bc3ff861]
"ImagePath"="system32\762623ff152f55a22fd53b48bc3ff861.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-993114052-3150016730-3182295812-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\windows\System32\divx_xx0732.dll
c:\windows\system32\WININET.dll
c:\windows\system32\cfddecaeacedb.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2009-08-28 19:28
ComboFix-quarantined-files.txt 2009-08-28 02:27
ComboFix2.txt 2009-08-24 04:23
ComboFix3.txt 2009-08-23 23:01
ComboFix4.txt 2009-08-23 21:07

Pre-Run: 47,160,926,208 bytes free
Post-Run: 47,142,465,536 bytes free

189 --- E O F --- 2009-08-25 22:12

Thank You

Doff
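
As an added example for this thread (not part of the thread, and not a feature of ComboFix), here is a small Python script that walks ComboFix file-listing and winlogon\notify lines and picks out the kind of entries that drew attention above: files whose name is a long hex string, hidden+system .tmp files dropped in system32, and notify DLLs registered under random-looking subkeys. The sample lines are copied from the log posted above and embedded so it runs offline; the heuristics and their thresholds are the example's own assumptions, not rules from ComboFix.

```python
r"""Triage heuristics for ComboFix log lines.

Added example for this thread, not a tool from the thread or from ComboFix.
The sample lines below are copied from the ComboFix log posted above; the
heuristics (hex-only names, hidden+system .tmp files in system32, winlogon
notify keys with random names) are assumptions of this example.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "path reason")

# Constructed sample: a handful of lines taken from the posted log so the
# script runs offline. Paste a whole ComboFix log in its place to triage it.
SAMPLE_LOG = r"""
2009-08-25 22:27 . 2003-08-09 02:20 281105 ----a-w- c:\windows\system32\cfddecaeacedb.dll
2009-08-25 20:13 . 2009-08-25 20:13 518144 --sha-w- c:\windows\system32\14.tmp
2009-08-23 22:34 . 2009-08-23 22:34 281105 ------w- c:\windows\system32\4dc4303c151fbb82f432e7440f3f1d28.TMP
2009-08-23 17:50 . 2006-09-12 04:50 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-23 17:44 . 2009-08-23 17:44 518144 --sha-w- c:\windows\system32\6B4.tmp
2009-06-25 18:36 . 2006-03-16 04:00 177152 ----a-w- c:\windows\system32\mqrt.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\6e45f3b530]
2009-02-08 23:17 135168 ----a-w- c:\windows\system32\divx_xx0732.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cfddecaeacedb]
2009-08-25 22:27 281105 ----a-w- c:\windows\system32\cfddecaeacedb.dll
"""

TIMESTAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}"
ATTRS = r"[-dcshaw]{8}"          # ComboFix attribute column, e.g. --sha-w-
# "Files Created" / "Find3M" lines: mtime . ctime size attrs path
FILE_LINE = re.compile(rf"^({TIMESTAMP}) \. ({TIMESTAMP}) (\d+|-+) ({ATTRS}) (.+)$")
# Lines printed under a winlogon\notify key: mtime size attrs path
NOTIFY_LINE = re.compile(rf"^({TIMESTAMP}) (\d+) ({ATTRS}) (.+)$")
NOTIFY_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
    r"\\winlogon\\notify\\([^\]]+)\]$", re.IGNORECASE)
# Assumption: a name made only of hex digits and at least 10 long is "random".
HEX_ONLY = re.compile(r"^[0-9a-f]{10,}$", re.IGNORECASE)


def _name(path):
    return path.rsplit("\\", 1)[-1]


def _stem(path):
    return _name(path).rsplit(".", 1)[0]


def _ext(path):
    name = _name(path)
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def triage(log_text):
    """Return a list of Finding(path, reason) for lines worth a second look."""
    findings = []
    notify_key = None  # winlogon\notify subkey whose entry comes next, if any
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = NOTIFY_KEY.match(line)
        if key:
            notify_key = key.group(1)
            continue
        entry = NOTIFY_LINE.match(line)
        if entry and notify_key is not None:
            # Legitimate notify packages have readable names (crypt32, scecli);
            # a hex-only subkey is a common spoof, so flag the DLL it loads.
            if HEX_ONLY.match(notify_key):
                findings.append(Finding(entry.group(4),
                                        f"winlogon notify DLL under random-looking key {notify_key}"))
            notify_key = None
            continue
        entry = FILE_LINE.match(line)
        if not entry:
            continue
        attrs, path = entry.group(4), entry.group(5)
        if HEX_ONLY.match(_stem(path)):
            findings.append(Finding(path, "file name is a long hex string"))
        # 's' and 'h' in the attribute column mean system + hidden.
        if _ext(path) == "tmp" and "s" in attrs and "h" in attrs \
                and "\\system32\\" in path.lower():
            findings.append(Finding(path, "hidden+system .tmp file in system32"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:55} {f.path}")
```

Run against the sample it reports cfddecaeacedb.dll (twice: hex name, and loaded from a hex-named notify key), the two --sha-w- .tmp files, the 32-hex-character .TMP, and divx_xx0732.dll via its 6e45f3b530 notify key, while SYMEVENT.SYS and mqrt.dll pass. Heuristics like these only order the list for a human; they are not a verdict.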

Shaba
2009-08-28, 06:12
Download gmer.zip (http://gmer.net/gmer.zip) and save to your desktop.
alternate download site (http://hype.free.googlepages.com/gmer.zip)

Unzip/extract the file to its own folder. (Click here (http://www.bleepingcomputer.com/tutorials/tutorial105.html) for information on how to do this if not sure. Win 2000 users click here (http://www.bleepingcomputer.com/tutorials/tutorial106.html).)
When you have done this, disconnect from the Internet and close all running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double-click on Gmer.exe to start the program.
Allow the gmer.sys driver to load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
Click on the Rootkit tab.
Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
Click on "Scan" and wait for the scan to finish.
Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
Note: If you have any problems, try running GMER in SAFE MODE (http://www.bleepingcomputer.com/forums/tutorial61.html).
Important! Please do not select the "Show all" checkbox during the scan.

Doff_V
2009-08-29, 04:02
Here we go, next log from GMER.

GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-28 18:34:39
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code 762623ff152f55a22fd53b48bc3ff861.sys (ckmd/Noves Inc) ZwCreateKey [0xF8528C8E]
Code 762623ff152f55a22fd53b48bc3ff861.sys (ckmd/Noves Inc) ZwEnumerateKey [0xF8528D13]
Code 762623ff152f55a22fd53b48bc3ff861.sys (ckmd/Noves Inc) ZwOpenKey [0xF8528C10]
Code 762623ff152f55a22fd53b48bc3ff861.sys (ckmd/Noves Inc) ZwQueryDirectoryFile [0xF8528999]
Code 762623ff152f55a22fd53b48bc3ff861.sys (ckmd/Noves Inc) IoCreateFile
Code \??\C:\ComboFix\catchme.sys pIofCallDriver
Code 762623ff152f55a22fd53b48bc3ff861.sys (ckmd/Noves Inc) NtQueryDirectoryFile

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!IoCreateFile 8056BB8C 5 Bytes JMP F8528872 762623ff152f55a22fd53b48bc3ff861.sys (ckmd/Noves Inc)
PAGE ntkrnlpa.exe!NtQueryDirectoryFile 8056F0F4 5 Bytes JMP F852899D 762623ff152f55a22fd53b48bc3ff861.sys (ckmd/Noves Inc)
PAGE ntkrnlpa.exe!ZwCreateKey 8061A330 5 Bytes JMP F8528C92 762623ff152f55a22fd53b48bc3ff861.sys (ckmd/Noves Inc)
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB70 7 Bytes JMP F8528D17 762623ff152f55a22fd53b48bc3ff861.sys (ckmd/Noves Inc)
PAGE ntkrnlpa.exe!ZwOpenKey 8061B702 5 Bytes JMP F8528C14 762623ff152f55a22fd53b48bc3ff861.sys (ckmd/Noves Inc)
? Combo-Fix.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\explorer.exe[3020] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 1000D702 C:\WINDOWS\System32\divx_xx0732.dll
.text C:\WINDOWS\explorer.exe[3020] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 1000D6AA C:\WINDOWS\System32\divx_xx0732.dll
.text C:\WINDOWS\explorer.exe[3020] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 1000D7E9 C:\WINDOWS\System32\divx_xx0732.dll
.text C:\WINDOWS\explorer.exe[3020] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 1000D774 C:\WINDOWS\System32\divx_xx0732.dll
.text C:\WINDOWS\explorer.exe[3020] ADVAPI32.dll!CreateProcessWithLogonW 77E15FFD 5 Bytes JMP 1000D85E C:\WINDOWS\System32\divx_xx0732.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\762623ff152f55a22fd53b48bc3ff861.sys (*** hidden *** ) [BOOT] 762623ff152f55a22fd53b48bc3ff861 <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\762623ff152f55a22fd53b48bc3ff861
Reg HKLM\SYSTEM\CurrentControlSet\Services\762623ff152f55a22fd53b48bc3ff861@c &registry_path=\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\762623ff152f55a22fd53b48bc3ff861&download_period=846000&first_download_delay=180&version=2&ip_0=586742989&port_0=7000&max_fails_0=5&ip_1=704183501&port_1=8300&max_fails_1=5&ip_2=2241985741&port_2=9002&max_fails_2=2&ip_3=1512966353&port_3=11234&max_fails_3=2&ips_count=4&name=762623ff152f55a22fd53b48bc3ff861&path=system32\762623ff152f55a22fd53b48bc3ff861.sys&wmid=Dep005&idate=2009-02-20 01:17:40:296&last_download_time=2009-8-23 9:45:14.578&first_skip=1&last_update_ip_pos=0&fails_0=1
Reg HKLM\SYSTEM\CurrentControlSet\Services\762623ff152f55a22fd53b48bc3ff861@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\762623ff152f55a22fd53b48bc3ff861@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\762623ff152f55a22fd53b48bc3ff861@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\762623ff152f55a22fd53b48bc3ff861@Tag 4
Reg HKLM\SYSTEM\CurrentControlSet\Services\762623ff152f55a22fd53b48bc3ff861@ImagePath system32\762623ff152f55a22fd53b48bc3ff861.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\762623ff152f55a22fd53b48bc3ff861@DisplayName 762623ff152f55a22fd53b48bc3ff861
Reg HKLM\SYSTEM\CurrentControlSet\Services\762623ff152f55a22fd53b48bc3ff861@Group Security Extender
Reg HKLM\SYSTEM\CurrentControlSet\Services\762623ff152f55a22fd53b48bc3ff861\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\762623ff152f55a22fd53b48bc3ff861\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet002\Services\762623ff152f55a22fd53b48bc3ff861 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\762623ff152f55a22fd53b48bc3ff861@c &registry_path=\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\762623ff152f55a22fd53b48bc3ff861&download_period=846000&first_download_delay=180&version=2&ip_0=586742989&port_0=7000&max_fails_0=5&ip_1=704183501&port_1=8300&max_fails_1=5&ip_2=2241985741&port_2=9002&max_fails_2=2&ip_3=1512966353&port_3=11234&max_fails_3=2&ips_count=4&name=762623ff152f55a22fd53b48bc3ff861&path=system32\762623ff152f55a22fd53b48bc3ff861.sys&wmid=Dep005&idate=2009-02-20 01:17:40:296&last_download_time=2009-8-23 9:45:14.578&first_skip=1&last_update_ip_pos=0&fails_0=1
Reg HKLM\SYSTEM\ControlSet002\Services\762623ff152f55a22fd53b48bc3ff861@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\762623ff152f55a22fd53b48bc3ff861@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\762623ff152f55a22fd53b48bc3ff861@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\762623ff152f55a22fd53b48bc3ff861@Tag 4
Reg HKLM\SYSTEM\ControlSet002\Services\762623ff152f55a22fd53b48bc3ff861@ImagePath system32\762623ff152f55a22fd53b48bc3ff861.sys
Reg HKLM\SYSTEM\ControlSet002\Services\762623ff152f55a22fd53b48bc3ff861@DisplayName 762623ff152f55a22fd53b48bc3ff861
Reg HKLM\SYSTEM\ControlSet002\Services\762623ff152f55a22fd53b48bc3ff861@Group Security Extender
Reg HKLM\SYSTEM\ControlSet002\Services\762623ff152f55a22fd53b48bc3ff861\Security (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\762623ff152f55a22fd53b48bc3ff861\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet003\Services\762623ff152f55a22fd53b48bc3ff861 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\762623ff152f55a22fd53b48bc3ff861@c &registry_path=\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\762623ff152f55a22fd53b48bc3ff861&download_period=846000&first_download_delay=180&version=2&ip_0=586742989&port_0=7000&max_fails_0=5&ip_1=704183501&port_1=8300&max_fails_1=5&ip_2=2241985741&port_2=9002&max_fails_2=2&ip_3=1512966353&port_3=11234&max_fails_3=2&ips_count=4&name=762623ff152f55a22fd53b48bc3ff861&path=system32\762623ff152f55a22fd53b48bc3ff861.sys&wmid=Dep005&idate=2009-02-20 01:17:40:296&last_download_time=2009-8-23 9:45:14.578&first_skip=1&last_update_ip_pos=0&fails_0=1
Reg HKLM\SYSTEM\ControlSet003\Services\762623ff152f55a22fd53b48bc3ff861@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\762623ff152f55a22fd53b48bc3ff861@Start 0
Reg HKLM\SYSTEM\ControlSet003\Services\762623ff152f55a22fd53b48bc3ff861@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\762623ff152f55a22fd53b48bc3ff861@Tag 4
Reg HKLM\SYSTEM\ControlSet003\Services\762623ff152f55a22fd53b48bc3ff861@ImagePath system32\762623ff152f55a22fd53b48bc3ff861.sys
Reg HKLM\SYSTEM\ControlSet003\Services\762623ff152f55a22fd53b48bc3ff861@DisplayName 762623ff152f55a22fd53b48bc3ff861
Reg HKLM\SYSTEM\ControlSet003\Services\762623ff152f55a22fd53b48bc3ff861@Group Security Extender
Reg HKLM\SYSTEM\ControlSet003\Services\762623ff152f55a22fd53b48bc3ff861\Security (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\762623ff152f55a22fd53b48bc3ff861\Security@Security 0x01 0x00 0x14 0x80 ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\762623ff152f55a22fd53b48bc3ff861.sys 39936 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\_762623ff152f55a22fd53b48bc3ff861.sys_.vir 39936 bytes executable

---- EOF - GMER 1.0.15 ----

One of these days I'd love to know exactly what these logs mean.

Thanks again,

Doff
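
Part of what the GMER log above means can be read straight out of the `@c` value GMER printed under the hidden service's registry key. As an added example (not part of the thread, and not a GMER feature), the Python below copies that value, splits it on `&`, and turns the `ip_N` integers into dotted quads. The log does not say whether the driver stores those integers in big-endian (network) or little-endian (host) order, so the example is an assumption on that point and produces both readings; the `/16`-clustering check is the example's own way of judging which reading is plausible, not something the log states.

```python
r"""Decode the '@c' configuration value of the hidden service from the GMER log.

Added example for this thread, not a tool from the thread or from GMER.
RAW_CONFIG is the value GMER printed for
HKLM\SYSTEM\CurrentControlSet\Services\762623ff152f55a22fd53b48bc3ff861@c,
copied from the post above. Splitting it on '&' and turning the ip_N
integers into dotted quads is the analyst's own step; the log does not say
whether the driver stores those integers big- or little-endian (assumption),
so both readings are kept.
"""
from collections import Counter

RAW_CONFIG = (
    r"&registry_path=\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\762623ff152f55a22fd53b48bc3ff861"
    r"&download_period=846000&first_download_delay=180&version=2"
    r"&ip_0=586742989&port_0=7000&max_fails_0=5"
    r"&ip_1=704183501&port_1=8300&max_fails_1=5"
    r"&ip_2=2241985741&port_2=9002&max_fails_2=2"
    r"&ip_3=1512966353&port_3=11234&max_fails_3=2"
    r"&ips_count=4&name=762623ff152f55a22fd53b48bc3ff861"
    r"&path=system32\762623ff152f55a22fd53b48bc3ff861.sys&wmid=Dep005"
    r"&idate=2009-02-20 01:17:40:296&last_download_time=2009-8-23 9:45:14.578"
    r"&first_skip=1&last_update_ip_pos=0&fails_0=1"
)


def parse_config(raw):
    """Split the '&key=value' string into a dict (keys are unique here)."""
    cfg = {}
    for field in raw.split("&"):
        if not field:
            continue
        key, _, value = field.partition("=")
        cfg[key] = value
    return cfg


def int_to_ipv4(n, byteorder):
    """Render a 32-bit integer as a dotted quad in the given byte order."""
    return ".".join(str(b) for b in int(n).to_bytes(4, byteorder))


def download_servers(cfg):
    """Pair up ip_N / port_N / max_fails_N for N in range(ips_count)."""
    servers = []
    for i in range(int(cfg["ips_count"])):
        n = int(cfg[f"ip_{i}"])
        servers.append({
            "index": i,
            "raw": n,
            "port": int(cfg[f"port_{i}"]),
            "max_fails": int(cfg[f"max_fails_{i}"]),
            "big_endian": int_to_ipv4(n, "big"),
            "little_endian": int_to_ipv4(n, "little"),
        })
    return servers


def largest_slash16_cluster(addresses):
    """How many addresses share the most common /16.

    Assumption used as a plausibility check: hosts rented from one provider
    tend to cluster, so the byte order that clusters is usually the real one.
    """
    prefixes = Counter(".".join(a.split(".")[:2]) for a in addresses)
    return prefixes.most_common(1)[0][1]


def summarize(raw=RAW_CONFIG):
    """Everything an analyst would lift from the value, in one dict."""
    cfg = parse_config(raw)
    servers = download_servers(cfg)
    little = [s["little_endian"] for s in servers]
    big = [s["big_endian"] for s in servers]
    return {
        "service": cfg["name"],
        "image": cfg["path"],
        "period_hours": int(cfg["download_period"]) / 3600,
        "first_delay_s": int(cfg["first_download_delay"]),
        "installed": cfg["idate"],
        "last_download": cfg["last_download_time"],
        "servers": servers,
        "clustered_little": largest_slash16_cluster(little),
        "clustered_big": largest_slash16_cluster(big),
    }


if __name__ == "__main__":
    s = summarize()
    print(f"{s['service']}  image={s['image']}  every {s['period_hours']:.0f} h")
    print(f"installed {s['installed']}  last download {s['last_download']}")
    for srv in s["servers"]:
        print(f"  ip_{srv['index']}: LE {srv['little_endian']:16} BE {srv['big_endian']:16} "
              f"port {srv['port']} max_fails {srv['max_fails']}")
```

Judging by the field names alone (download_period, ip_N/port_N, max_fails_N, last_download_time), the value describes a downloader that polls a list of four servers every 235 hours, first installed on 2009-02-20 and last successful on 2009-08-23, the day this machine was being cleaned. The little-endian reading puts three of the four addresses in one /16 while the big-endian reading scatters them, which is the usual hint that little-endian is the right one, but nothing in the log confirms it, and the addresses are in any case years old.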

Shaba
2009-08-29, 11:22
Well, it shows that you have a rootkit there.


Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


Rootkit::
C:\WINDOWS\system32\762623ff152f55a22fd53b48bc3ff861.sys
C:\WINDOWS\system32\_762623ff152f55a22fd53b48bc3ff861.sys_.vir

File::
c:\windows\system32\cfddecaeacedb.dll

Driver::
762623ff152f55a22fd53b48bc3ff861


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Doff_V
2009-08-29, 19:58
Here is a HJT file since it is now working, awesome!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:45:16 AM, on 8/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Vongo\VongoService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://wl.gelohen.com/v3063/repins.jpg?msg=lieMq7BAv8czQ%2BKukUxIWz1OexH%2BsZFAnJArSXi7AG61sBSU%2Bpx7IvwfsC9mty4MvZItBe1kDoeoN4zo4scMhlk9tiifCLIy9mgfgNxK8PtCrYYptRQLThw8Lzd%2BHooexhA5D0GUInxVru%2F78Bc0vs6Io4LbyfL4mAnP6DpxwSzj62ZFgLVrcqWpdSvDorv%2BpvdyYzAX0H2dPlQFX2zeYB%3D%3D
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: hpzsetup.LNK = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1251085278625
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: 6e45f3b530 - C:\WINDOWS\System32\divx_xx0732.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe

--
End of file - 8302 bytes




And here is the ComboFix log for you.

ComboFix 09-08-22.06 - Administrator 08/29/2009 9:00.7.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.131 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
"c:\windows\system32\cfddecaeacedb.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\0200000057923185530C.manifest
c:\documents and settings\Administrator\Application Data\0200000057923185530O.manifest
c:\documents and settings\Administrator\Application Data\0200000057923185530P.manifest
c:\documents and settings\Administrator\Application Data\0200000057923185530S.manifest
c:\windows\system32\cfddecaeacedb.dll

.
((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-29 )))))))))))))))))))))))))))))))
.

2009-08-25 22:16 . 2009-08-25 22:16 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-25 22:14 . 2009-08-25 22:14 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-25 22:01 . 2009-08-25 22:01 -------- d-----w- c:\windows\system32\scripting
2009-08-25 22:01 . 2009-08-25 22:01 -------- d-----w- c:\windows\l2schemas
2009-08-25 22:01 . 2009-08-25 22:01 -------- d-----w- c:\windows\system32\en
2009-08-25 22:01 . 2009-08-25 22:01 -------- d-----w- c:\windows\system32\bits
2009-08-25 20:12 . 2009-08-25 20:12 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2009-08-25 20:12 . 2008-10-16 21:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-08-25 20:12 . 2009-08-25 20:12 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-08-25 20:09 . 2009-08-25 20:09 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-08-24 04:32 . 2009-08-24 04:32 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-08-24 03:25 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-08-24 03:25 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-24 03:25 . 2009-08-24 03:25 -------- d-----w- c:\windows\ie8updates
2009-08-24 03:25 . 2009-07-01 07:08 101376 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-08-24 03:23 . 2009-08-24 03:24 -------- dc-h--w- c:\windows\ie8
2009-08-23 23:53 . 2009-08-23 23:53 -------- d-sh--w- C:\found.000
2009-08-23 22:18 . 2009-08-25 21:58 -------- d-----w- c:\windows\ServicePackFiles
2009-08-23 21:16 . 2009-08-23 21:16 -------- d-----w- c:\windows\ERUNT
2009-08-23 21:15 . 2009-08-23 21:28 -------- d-----w- C:\SDFix
2009-08-23 18:05 . 2009-08-23 18:05 -------- d-----w- c:\program files\CCleaner
2009-08-23 17:44 . 2009-08-25 20:14 -------- d-sh--w- c:\windows\system32\LocalService
2009-08-23 17:07 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-23 17:04 . 2009-06-05 07:42 655872 ------w- c:\windows\system32\dllcache\mstscax.dll
2009-08-23 17:01 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-08-23 17:01 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-08-23 16:55 . 2009-08-25 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-23 16:55 . 2009-08-23 17:04 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-23 16:44 . 2009-08-23 16:44 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-25 22:18 . 2006-09-12 04:40 66128 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-25 22:05 . 2006-06-29 18:43 92599 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-08-25 20:13 . 2009-08-25 20:13 518144 --sha-w- c:\windows\system32\14.tmp
2009-08-24 03:10 . 2007-01-03 18:37 -------- d-----w- c:\program files\Google
2009-08-23 22:34 . 2009-08-23 22:34 281105 ------w- c:\windows\system32\4dc4303c151fbb82f432e7440f3f1d28.TMP
2009-08-23 18:18 . 2006-09-12 04:50 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-23 17:58 . 2006-09-12 04:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-23 17:50 . 2006-09-12 04:50 -------- d-----w- c:\program files\Symantec
2009-08-23 17:50 . 2006-12-13 03:30 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-08-23 17:50 . 2006-12-13 03:30 10671 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-08-23 17:50 . 2006-09-12 04:50 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-08-23 17:50 . 2006-09-12 04:50 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-23 17:44 . 2009-08-23 17:44 518144 --sha-w- c:\windows\system32\6B4.tmp
2009-08-05 09:01 . 2006-03-16 04:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2005-10-18 05:14 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2005-10-18 05:14 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-17 19:01 . 2006-03-16 04:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2006-03-16 04:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2006-03-16 04:00 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 18:36 . 2006-03-16 04:00 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2006-03-16 04:00 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2006-03-16 04:00 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2006-03-16 04:00 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2006-03-16 04:00 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2006-03-16 04:00 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2006-03-16 04:00 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2006-03-16 04:00 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2006-03-16 04:00 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2006-03-16 04:00 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2006-03-16 04:00 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:36 . 2006-03-16 04:00 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-22 11:49 . 2006-03-16 04:00 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2006-03-16 04:00 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2006-03-16 04:00 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2006-03-16 04:00 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-12 12:31 . 2006-03-16 04:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2006-03-16 04:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2006-03-16 04:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2006-03-16 04:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2005-08-30 12:13 1291264 ------w- c:\windows\system32\quartz.dll
2007-10-25 06:08 . 2007-10-25 06:13 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-12 53096]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-06-23 102400]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-02 135168]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-13 185896]
"MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2009-06-25 177152]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-06-02 61952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\6e45f3b530]
2009-02-08 23:17 135168 ----a-w- c:\windows\system32\divx_xx0732.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Vongo Tray.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Vongo Tray.lnk
backup=c:\windows\pss\Vongo Tray.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

S0 762623ff152f55a22fd53b48bc3ff861;762623ff152f55a22fd53b48bc3ff861;c:\windows\system32\762623ff152f55a22fd53b48bc3ff861.sys --> c:\windows\system32\762623ff152f55a22fd53b48bc3ff861.sys [?]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [5/19/2007 9:18 AM 20160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

Notify-cfddecaeacedb - c:\windows\system32\cfddecaeacedb.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
uInternet Connection Wizard,ShellNext = hxxp://wl.gelohen.com/v3063/repins.jpg?msg=lieMq7BAv8czQ%2BKukUxIWz1OexH%2BsZFAnJArSXi7AG61sBSU%2Bpx7IvwfsC9mty4MvZItBe1kDoeoN4zo4scMhlk9tiifCLIy9mgfgNxK8PtCrYYptRQLThw8Lzd%2BHooexhA5D0GUInxVru%2F78Bc0vs6Io4LbyfL4mAnP6DpxwSzj62ZFgLVrcqWpdSvDorv%2BpvdyYzAX0H2dPlQFX2zeYB%3D%3D
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-29 09:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???`Q??????`?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-993114052-3150016730-3182295812-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\windows\System32\divx_xx0732.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3952)
c:\windows\system32\WININET.dll
c:\windows\System32\divx_xx0732.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\msdtc.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Vongo\VongoService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\mqsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
.
**************************************************************************
.
Completion time: 2009-08-29 9:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-29 16:23
ComboFix2.txt 2009-08-28 02:28
ComboFix3.txt 2009-08-24 04:23
ComboFix4.txt 2009-08-23 23:01
ComboFix5.txt 2009-08-29 15:59

Pre-Run: 47,131,197,440 bytes free
Post-Run: 47,086,559,232 bytes free

217 --- E O F --- 2009-08-25 22:12

Looks like it's getting closer to cleaned. I appreciate all your help.

Doff

Shaba
2009-08-29, 21:49
Please go to the Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
- Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.

Doff_V
2009-08-30, 05:11
Kaspersky came up with no threats and a blank log.

Here is the HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:37:11 PM, on 8/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Vongo\VongoService.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe
C:\WINDOWS\system32\rundll32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://wl.gelohen.com/v3063/repins.jpg?msg=lieMq7BAv8czQ%2BKukUxIWz1OexH%2BsZFAnJArSXi7AG61sBSU%2Bpx7IvwfsC9mty4MvZItBe1kDoeoN4zo4scMhlk9tiifCLIy9mgfgNxK8PtCrYYptRQLThw8Lzd%2BHooexhA5D0GUInxVru%2F78Bc0vs6Io4LbyfL4mAnP6DpxwSzj62ZFgLVrcqWpdSvDorv%2BpvdyYzAX0H2dPlQFX2zeYB%3D%3D
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: hpzsetup.LNK = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1251085278625
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe

--
End of file - 7981 bytes

I updated and ran MalwareBytes, and it seemed to clean a few items. Sorry if I got a step ahead and wasn't supposed to.

Thank you

Doff

Shaba
2009-08-30, 11:05
Good :)

Still some issues left?

Doff_V
2009-08-30, 23:17
Everything seems to be running great on It now. Thank you very much for your Time.

A clean computer that actually opens other software, it's amazing!

Once again all your help is very much appreciated.

Thank you

Doff

Shaba
2009-08-31, 05:53
Good :)

Before final instructions, this is the next step:

Looking over your log, it seems you don't have any evidence of anti-virus software.

Anti-virus software is a program that detects, cleanses, and erases harmful virus files on a computer, web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download free anti-virus software from one of these excellent vendors NOW:

1) Antivir PersonalEdition Classic (http://www.free-av.com/) - Free anti-virus software for Windows. Free support.
2) avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html) - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition (http://free.grisoft.com/ww.homepage) - Free edition of the AVG anti-virus program for Windows.

You should run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and results in program conflicts and false virus alerts.

Post back a fresh HijackThis log afterwards, please.

Shaba
2009-09-05, 11:16
Due to the lack of feedback this Topic is closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.