View Full Version : I need help, immediatly!
Hi there, when I run SB S&D, it tells me I have a virtumonde.dll or w/e malware. Well, its either that or something else that keeps popping up ads. I need this taken care of seeing as my mother works from home. Please help me!
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 7:23:01 PM, on 1/23/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Server\mysql\bin\mysqld-nt.exe
C:\Program Files\Citrix\Secure Access Client\nsverctl.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdateMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\DISC\DiscGui.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=15450&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Program Files\csrss.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdateMgr.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [InstallShieldSetup] C:\PROGRA~1\INSTAL~1\{C4304~1\setup.exe -rebootC:\PROGRA~1\INSTAL~1\{C4304~1\reboot.ini -l0x9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Citrix Access Gateway.lnk = C:\Program Files\Citrix\Secure Access Client\nsload.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: piyuyigi.dll c:\windows\system32\luleloma.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O21 - SSODL: gobopeyek - {57cdec22-4c4b-40fc-87f5-bc1464a56d35} - c:\windows\system32\luleloma.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: jugezatag - {57cdec22-4c4b-40fc-87f5-bc1464a56d35} - c:\windows\system32\luleloma.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: mysql - Unknown owner - C:\Server\mysql\bin\mysqld-nt.exe
O23 - Service: Citrix Secure Access Client Service (nsverctl) - Citrix Systems, Inc - C:\Program Files\Citrix\Secure Access Client\nsverctl.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe
--
End of file - 14609 bytes
Hello Chimb
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.
You do have some issues going on :lip:
Download: DelDomains (http://mvps.org/winhelp2002/DelDomains.inf) and save it to the desktop.
Close all open windows and your browser
Right Click DelDomains.inf and select > Install
Reboot your computer
Internet Explorer is needed to run this program properly.
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RC1.png
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/RC2-1.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
i get an error when installing DelDomains or whatever.
http://forums.spybot.info/showthread.php?t=55177
What error did you get ? This does not tell me much. Bypass it for now and run Combofix
sorry for the not being specific, lol, but anyway, here is the combofix log, and a newer HJT log.
uInternet Settings,ProxyOverride = <local>;*.local
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\4k3171kp.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - Charter.net
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\4k3171kp.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
SharedTaskScheduler-{45d0480e-4d52-4137-a3aa-b49a13fbc0eb} - c:\windows\system32\tuyedufo.dll
MSConfigStartUp-CamWizard - c:\program files\Common Files\Logitech\QCDRV\BIN\CamWizrd.exe
MSConfigStartUp-nwiz - nwiz.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-30 12:53
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mysql]
"ImagePath"="c:\server\mysql\bin\mysqld-nt --defaults-file=c:\server\mysql\bin\my.cnf mysql"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCD5SRVC{085326CB-51A3560A-05010003}]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(900)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(6524)
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\program files\RocketDock\RocketDock.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\ARPWRMSG.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\server\mysql\bin\mysqld-nt.exe
c:\program files\DISC\DiscGui.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
c:\program files\Lexmark 2200 Series\lxbvbmon.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\VentSrv\ventrilo_svc.exe
c:\program files\VentSrv\ventrilo_srv.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Winamp Remote\bin\Orb.exe
c:\windows\system32\dllhost.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\DISC\DiscStreamHub.exe
.
**************************************************************************
.
Completion time: 2010-01-30 12:58:54 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-30 18:58
Pre-Run: 156,051,013,632 bytes free
Post-Run: 155,984,060,416 bytes free
- - End Of File - - 22544CCCB98F907F7D417F16A2C72449
and here is the HJT log....
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 2:13:57 PM, on 1/30/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdateMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Server\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Citrix\Secure Access Client\nsverctl.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\DISC\DiscGui.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=15450&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdateMgr.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Citrix Access Gateway.lnk = C:\Program Files\Citrix\Secure Access Client\nsload.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: mysql - Unknown owner - C:\Server\mysql\bin\mysqld-nt.exe
O23 - Service: Citrix Secure Access Client Service (nsverctl) - Citrix Systems, Inc - C:\Program Files\Citrix\Secure Access Client\nsverctl.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe
--
End of file - 12550 bytes
Hi,
C:\ComboFix.txt <-- I need to see the entire Combofix log and you can find it here
ComboFix 10-01-29.09 - HP_Administrator 01/30/2010 12:44:32.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2558.1912 [GMT -6:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\HP_Administrator\Local Settings\Temp\IadHide5.dll
c:\windows\Fonts\MyriadPro-Regular.otf
c:\windows\kb913800.exe
c:\windows\system32\ps2.bat
c:\windows\system32\twain_32.dll
c:\windows\Tasks\onbqgvry.job
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-30 )))))))))))))))))))))))))))))))
.
2010-01-30 15:55 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-30 15:55 . 2010-01-30 15:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-30 15:55 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-30 14:35 . 2010-01-30 14:35 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Winamp Toolbar
2010-01-25 23:23 . 2010-01-25 23:23 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\ProphetX
2010-01-25 23:05 . 2010-01-25 23:10 -------- d-----w- C:\Stealth Gaming 3.3.0a
2010-01-24 03:13 . 2010-01-28 21:54 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-01-24 03:13 . 2010-01-28 21:57 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-01-24 03:13 . 2010-01-28 21:57 163280 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-01-24 03:13 . 2010-01-28 21:54 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-01-24 03:13 . 2010-01-28 21:54 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-01-24 03:13 . 2010-01-28 21:54 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-01-24 03:13 . 2010-01-28 21:53 28240 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-01-24 03:13 . 2010-01-28 22:09 152672 ----a-w- c:\windows\system32\aswBoot.exe
2010-01-24 03:13 . 2010-01-19 11:57 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-01-24 03:13 . 2010-01-24 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-01-24 01:43 . 2010-01-24 01:43 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2010-01-24 01:43 . 2010-01-24 01:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-24 01:36 . 2010-01-24 01:36 0 ----a-w- c:\documents and settings\HP_Administrator\settings.dat
2010-01-24 01:22 . 2010-01-24 01:22 -------- d-----w- c:\program files\TrendMicro
2010-01-23 04:28 . 2010-01-23 04:28 -------- d-----w- c:\program files\Winamp Toolbar
2010-01-23 04:28 . 2010-01-23 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Winamp Toolbar
2010-01-22 01:33 . 2010-01-22 01:33 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-01-20 00:36 . 2010-01-20 00:36 -------- d-----w- c:\program files\TeamSpeak 3 Client
2010-01-19 22:49 . 2010-01-23 19:12 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\LimeWire
2010-01-19 22:47 . 2010-01-19 22:48 -------- d-----w- c:\program files\LimeWire
2010-01-19 20:01 . 2010-01-19 20:01 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\HeidiSQL
2010-01-19 19:29 . 2010-01-18 03:31 -------- d-----w- C:\Server
2010-01-19 18:57 . 2010-01-25 23:36 -------- d-----w- c:\program files\HeidiSQL
2010-01-19 18:57 . 2010-01-19 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\HeidiSQL
2010-01-19 03:43 . 2010-01-20 04:24 -------- d-----w- c:\program files\VentSrv
2010-01-16 02:05 . 2010-01-16 02:05 -------- d-----w- c:\program files\Ventrilo
2010-01-15 21:37 . 2010-01-30 18:05 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-01-15 21:37 . 2010-01-30 18:04 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-01-15 21:37 . 2010-01-15 21:41 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-01-15 21:37 . 2010-01-15 21:37 -------- d-----w- c:\windows\system32\LogFiles
2010-01-15 21:29 . 2010-01-15 21:29 -------- d-----w- c:\program files\Activision
2010-01-15 12:27 . 2010-01-15 12:27 -------- d-sh--w- c:\windows\ftpcache
2010-01-15 05:24 . 2010-01-15 05:24 -------- d-----w- c:\windows\Sun
2010-01-15 05:24 . 2010-01-15 05:24 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-12 21:44 . 2010-01-12 21:44 -------- d-----w- c:\program files\DIFX
2010-01-12 21:44 . 2010-01-12 21:44 -------- d-----w- c:\windows\D56B0E274A3E46C9B5C1D93D580C099C.TMP
2010-01-12 21:35 . 2010-01-12 21:35 -------- d-----w- c:\program files\2K Games
2010-01-12 21:35 . 2010-01-12 21:43 -------- d-----w- C:\BDS
2010-01-12 21:30 . 2010-01-12 21:30 -------- d-----w- c:\program files\PowerISO
2010-01-10 19:10 . 2010-01-10 19:10 -------- d-----w- C:\Citrix
2010-01-10 04:44 . 2010-01-10 04:44 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-01-10 04:27 . 2010-01-10 04:27 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-01-07 05:53 . 2010-01-09 23:41 -------- d-----w- c:\program files\AutoHotkey
2010-01-05 09:06 . 2010-01-05 09:06 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-01-05 05:58 . 2010-01-05 05:58 -------- d-----w- c:\program files\Microsoft
2010-01-05 05:57 . 2010-01-05 05:58 -------- d-----w- c:\program files\Windows Live
2010-01-05 01:08 . 2009-08-07 01:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-01-05 01:08 . 2009-08-07 01:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-01-04 23:01 . 2010-01-30 18:00 -------- d-----w- c:\documents and settings\HP_Administrator\Tracing
2010-01-04 23:00 . 2010-01-04 23:00 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-01-04 22:57 . 2010-01-04 22:57 -------- d-----w- c:\program files\Common Files\Windows Live
2010-01-04 22:54 . 2010-01-04 22:54 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Acreon
2010-01-04 22:54 . 2010-01-18 17:32 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\._Revolution_
2010-01-04 22:45 . 2010-01-04 22:45 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Blizzard Entertainment
2010-01-04 02:36 . 2004-08-04 04:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-01-04 02:36 . 2004-08-04 04:58 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2010-01-04 02:36 . 2001-08-18 04:36 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
2010-01-04 02:36 . 2001-08-18 04:36 87040 ----a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-01-04 02:36 . 2010-01-04 02:37 -------- d-----w- c:\program files\Lexmark 2200 Series
2010-01-04 02:36 . 2004-02-13 14:52 69632 ----a-w- c:\windows\system32\lxbvscin.dll
2010-01-04 02:36 . 2004-02-13 14:52 57344 ----a-w- c:\windows\system32\lxbvcinf.dll
2010-01-04 02:36 . 2004-02-13 14:51 49152 ----a-w- c:\windows\system32\lxbvcoin.dll
2010-01-04 02:36 . 2004-02-13 14:07 483328 ----a-w- c:\windows\system32\LXBVJSWR.DLL
2010-01-04 02:36 . 2004-02-13 14:02 368640 ----a-w- c:\windows\system32\LXBVUTIL.DLL
2010-01-04 02:36 . 2003-06-18 11:39 983107 ----a-w- c:\windows\system32\LXBVGF.DLL
2010-01-04 02:36 . 1997-04-09 02:08 299520 ----a-w- c:\windows\uninst.exe
2010-01-04 02:36 . 2010-01-04 02:36 -------- d-----w- C:\Lxk2200
2010-01-03 12:34 . 2010-01-03 12:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-01-03 01:31 . 2010-01-19 20:14 -------- d-----w- c:\program files\World of Warcraft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-30 18:52 . 2009-12-20 22:00 -------- d-----w- c:\program files\Common Files\Akamai
2010-01-30 18:01 . 2009-12-21 01:44 -------- d-----w- c:\program files\Winamp Remote
2010-01-30 16:46 . 2005-12-08 17:11 -------- d-----w- c:\program files\Microsoft Works
2010-01-30 14:34 . 2009-12-22 02:51 302 ----a-w- c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2010-01-30 05:12 . 2009-12-20 21:38 -------- d-----w- c:\program files\Xfire
2010-01-29 22:37 . 2009-12-20 21:38 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Xfire
2010-01-24 03:13 . 2009-12-20 05:21 -------- d-----w- c:\program files\Alwil Software
2010-01-24 01:30 . 2009-12-20 07:57 0 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\prvlcl.dat
2010-01-24 01:22 . 2010-01-24 01:22 388096 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-23 05:03 . 2009-12-28 19:55 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\BitTorrent
2010-01-23 04:29 . 2009-12-20 16:19 -------- d-----w- c:\program files\Winamp
2010-01-23 04:28 . 2009-12-20 16:19 -------- d-----w- c:\program files\Winamp Detect
2010-01-22 22:31 . 2009-12-28 20:16 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\TeamViewer
2010-01-21 03:22 . 2009-12-21 00:47 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Apple Computer
2010-01-20 04:15 . 2009-12-20 06:24 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Ventrilo
2010-01-19 04:50 . 2009-12-20 06:08 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-17 05:27 . 2009-12-20 04:04 139 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\fusioncache.dat
2010-01-16 06:10 . 2005-12-08 16:45 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-15 21:37 . 2010-01-15 21:37 22328 ----a-w- c:\documents and settings\HP_Administrator\Application Data\PnkBstrK.sys
2010-01-15 21:37 . 2010-01-15 21:37 22328 ----a-w- c:\documents and settings\HP_Administrator\Application Data\PnkBstrK.sys
2010-01-15 05:24 . 2005-12-08 16:36 -------- d-----w- c:\program files\Java
2010-01-15 05:23 . 2010-01-15 05:23 152576 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-15 05:23 . 2010-01-15 05:22 79488 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-15 00:19 . 2005-12-08 17:00 57088 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-14 23:34 . 2009-12-20 07:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-10 04:37 . 2005-12-08 17:09 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-09 23:44 . 2009-12-28 23:34 -------- d-----w- c:\program files\Rockstar Games
2010-01-09 03:22 . 2009-12-20 16:37 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Winamp
2010-01-04 22:54 . 2010-01-04 22:54 272384 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Acreon\WowMatrix\Modules\curl.exe
2010-01-04 22:54 . 2010-01-04 22:54 196608 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Acreon\WowMatrix\Libraries\wmweb.dll
2010-01-04 22:54 . 2010-01-04 22:54 258048 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Acreon\WowMatrix\Libraries\wmzip.dll
2010-01-03 03:11 . 2009-12-31 03:07 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-12-31 03:08 . 2009-12-31 03:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard
2009-12-31 00:16 . 2009-12-30 19:09 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\vlc
2009-12-28 23:41 . 2009-12-28 23:41 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-12-28 20:16 . 2009-12-28 20:16 -------- d-----w- c:\program files\TeamViewer
2009-12-28 09:36 . 2009-12-21 12:22 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\HpUpdate
2009-12-26 16:28 . 2009-12-26 16:28 2678 ----a-w- c:\windows\java\Packages\Data\1NXZZRDZ.DAT
2009-12-26 16:28 . 2009-12-26 16:28 2678 ----a-w- c:\windows\java\Packages\Data\F5J9BHJ3.DAT
2009-12-26 16:28 . 2009-12-26 16:28 2678 ----a-w- c:\windows\java\Packages\Data\ZRN5Z5VL.DAT
2009-12-26 16:28 . 2009-12-26 16:28 2678 ----a-w- c:\windows\java\Packages\Data\TRFLRLZP.DAT
2009-12-26 16:28 . 2009-12-26 16:28 2678 ----a-w- c:\windows\java\Packages\Data\BHVZRDBJ.DAT
2009-12-26 16:21 . 2009-12-26 16:21 2232 ----a-w- c:\windows\java\Packages\Data\VX71V7D3.DAT
2009-12-26 16:21 . 2009-12-26 16:21 155995 ----a-w- c:\windows\java\Packages\HVPRTB5B.ZIP
2009-12-26 14:46 . 2009-12-20 04:13 -------- d-----w- c:\program files\Crystal Point
2009-12-22 05:42 . 2004-08-10 12:00 662016 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:42 . 2004-08-10 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-22 02:51 . 2009-12-22 02:51 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Template
2009-12-21 12:22 . 2005-12-08 16:50 -------- d-----w- c:\program files\HP
2009-12-21 12:22 . 2005-12-08 17:08 -------- d-----w- c:\program files\Hewlett-Packard
2009-12-21 02:17 . 2009-12-21 02:17 -------- d-----w- c:\program files\RocketDock
2009-12-21 01:46 . 2009-12-21 01:44 -------- d-----w- c:\documents and settings\All Users\Application Data\OrbNetworks
2009-12-21 01:45 . 2009-12-21 01:44 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2009-12-21 01:44 . 2009-12-21 01:44 -------- d-----w- c:\program files\DVDVideoSoft
2009-12-21 00:47 . 2009-12-21 00:46 -------- d-----w- c:\program files\iTunes
2009-12-21 00:47 . 2009-12-21 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-21 00:46 . 2009-12-21 00:46 -------- d-----w- c:\program files\iPod
2009-12-21 00:46 . 2009-12-21 00:43 -------- d-----w- c:\program files\Common Files\Apple
2009-12-21 00:46 . 2009-12-21 00:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-12-21 00:46 . 2009-12-21 00:46 -------- d-----w- c:\program files\Bonjour
2009-12-21 00:45 . 2009-12-21 00:44 -------- d-----w- c:\program files\QuickTime
2009-12-21 00:44 . 2009-12-21 00:44 -------- d-----w- c:\program files\Apple Software Update
2009-12-21 00:43 . 2009-12-21 00:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-12-20 23:26 . 2009-12-20 23:26 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Xfire
2009-12-20 23:18 . 2009-12-20 23:18 -------- d-----w- c:\program files\OGPlanet
2009-12-20 22:34 . 2009-12-20 22:34 -------- d-----w- c:\program files\MSXML 4.0
2009-12-20 22:20 . 2009-12-20 22:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\Xfire
2009-12-20 21:39 . 2009-12-20 21:39 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Xfire
2009-12-20 20:31 . 2009-12-20 20:31 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\HPQ
2009-12-20 20:11 . 2005-12-08 17:24 -------- d-----w- c:\program files\PC-Doctor 5 for Windows
2009-12-20 18:09 . 2009-12-20 04:13 -------- d-----w- c:\program files\CCleaner
2009-12-20 07:50 . 2009-12-20 07:35 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\GetRightToGo
2009-12-20 07:48 . 2009-12-20 07:48 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\AdobeUM
2009-12-20 06:57 . 2009-12-20 06:57 -------- d-----w- c:\program files\Common Files\eSellerate
2009-12-20 06:57 . 2009-12-20 06:57 -------- d-----w- c:\program files\iPod To Computer Transfer
2009-12-20 06:53 . 2009-12-20 06:53 -------- d-----w- c:\program files\Ask.com
2009-12-20 06:53 . 2009-12-20 06:53 -------- d-----w- c:\program files\BitTorrent
2009-12-20 06:44 . 2009-12-20 06:44 -------- d-----w- c:\program files\Citrix
2009-12-20 06:44 . 2009-12-20 06:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
2009-12-20 06:41 . 2009-12-20 06:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Logishrd
2009-12-20 06:36 . 2009-12-20 06:35 -------- d-----w- c:\program files\Common Files\LogiShrd
2009-12-20 06:35 . 2009-12-20 06:27 -------- d-----w- c:\program files\Logitech
2009-12-20 06:35 . 2009-12-20 06:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2009-12-20 06:27 . 2009-12-20 06:27 -------- d-----w- c:\program files\Common Files\Logitech
2009-12-20 06:16 . 2005-12-08 17:32 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-20 06:09 . 2009-12-20 06:08 -------- d-----w- c:\program files\NVIDIA Corporation
2009-12-20 06:09 . 2009-12-20 06:09 -------- d-----w- c:\program files\AGEIA Technologies
2009-12-20 06:09 . 2009-12-20 06:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-20 06:08 . 2009-12-20 06:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2009-12-20 06:03 . 2009-12-20 06:03 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-20 05:50 . 2009-12-20 05:50 -------- d-----w- c:\program files\AVG
2009-12-20 05:07 . 2009-12-20 05:07 0 ----a-w- c:\windows\nsreg.dat
2009-12-20 04:52 . 2009-12-20 04:52 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers Headquarters
2009-12-20 04:48 . 2009-12-20 04:48 -------- d-----w- c:\program files\MSBuild
2009-12-20 04:48 . 2009-12-20 04:48 -------- d-----w- c:\program files\Reference Assemblies
2009-12-20 04:45 . 2009-12-20 04:45 -------- d-----w- c:\program files\MSXML 6.0
2009-12-20 04:23 . 2009-12-20 04:23 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-20 04:22 . 2009-12-20 04:22 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-20 04:22 . 2009-12-20 04:22 -------- d-----w- c:\program files\SystemRequirementsLab
2009-12-20 04:16 . 2009-12-20 04:16 -------- d-----w- c:\program files\PC Drivers HeadQuarters
2006-01-25 05:09 . 2009-12-20 04:54 22 --sha-w- c:\windows\SMINST\HPCD.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-11-19 1196936]
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-11-19 00:40 1196936 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-11-19 1196936]
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-11-19 1196936]
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"Orb"="c:\program files\Winamp Remote\bin\OrbTray.exe" [2008-04-01 507904]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"DISCover"="c:\program files\DISC\DISCover.exe" [2005-09-27 1060864]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-01-13 37888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"Lexmark 2200 Series"="c:\program files\Lexmark 2200 Series\lxbvbmgr.exe" [2004-02-13 57344]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-15 149280]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-01-19 2743104]
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-8 27136]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Citrix Access Gateway.lnk - c:\program files\Citrix\Secure Access Client\nsload.exe [2009-2-5 1368728]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2005-12-8 36903]
[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 04:56 64512 ----a-w- c:\windows\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2007-10-25 22:37 2178832 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 22:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Citrix\\Secure Access Client\\nsload.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Server\\mysql\\bin\\mysqld.exe"=
"c:\\Server\\evo-X\\evoXlogon.exe"=
"c:\\Server\\evo-X\\evoXworld.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Stealth Gaming 3.3.0a\\Server\\mysql\\bin\\mysqld.exe"=
"c:\\Stealth Gaming 3.3.0a\\MaNGOS\\realmd.exe"=
"c:\\Program Files\\Microsoft Works\\WksWP.exe"=
"c:\\Program Files\\Windows Live\\Contacts\\wlcomm.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26036:TCP"= 26036:TCP:Bit
"3784:TCP"= 3784:TCP:Vent Server1
"3784:UDP"= 3784:UDP:Myvent
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [1/23/2010 9:13 PM 163280]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/10/2004 6:00 AM 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/23/2010 9:13 PM 19024]
R2 nsverctl;Citrix Secure Access Client Service;c:\program files\Citrix\Secure Access Client\nsverctl.exe [2/5/2009 12:42 AM 139264]
R3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys [2/5/2009 12:44 AM 73368]
S3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [12/8/2005 10:47 AM 100480]
S3 PCD5SRVC{085326CB-51A3560A-05010003};PCD5SRVC{085326CB-51A3560A-05010003} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [9/8/2005 1:23 AM 21120]
S3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [12/8/2005 10:46 AM 468768]
S3 XDva309;XDva309;\??\c:\windows\system32\XDva309.sys --> c:\windows\system32\XDva309.sys [?]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
2010-01-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
2010-01-30 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-11-19 00:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?o=15450&l=dis
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\4k3171kp.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - Charter.net
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\4k3171kp.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
SharedTaskScheduler-{45d0480e-4d52-4137-a3aa-b49a13fbc0eb} - c:\windows\system32\tuyedufo.dll
MSConfigStartUp-CamWizard - c:\program files\Common Files\Logitech\QCDRV\BIN\CamWizrd.exe
MSConfigStartUp-nwiz - nwiz.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-30 12:53
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mysql]
"ImagePath"="c:\server\mysql\bin\mysqld-nt --defaults-file=c:\server\mysql\bin\my.cnf mysql"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCD5SRVC{085326CB-51A3560A-05010003}]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(900)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(6524)
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\program files\RocketDock\RocketDock.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\ARPWRMSG.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\server\mysql\bin\mysqld-nt.exe
c:\program files\DISC\DiscGui.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
c:\program files\Lexmark 2200 Series\lxbvbmon.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\VentSrv\ventrilo_svc.exe
c:\program files\VentSrv\ventrilo_srv.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Winamp Remote\bin\Orb.exe
c:\windows\system32\dllhost.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\DISC\DiscStreamHub.exe
.
**************************************************************************
.
Completion time: 2010-01-30 12:58:54 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-30 18:58
Pre-Run: 156,051,013,632 bytes free
Post-Run: 155,984,060,416 bytes free
- - End Of File - - 22544CCCB98F907F7D417F16A2C72449
Great, thank you.
Let me point a few things out
If you continue using programs like these you will be back here real quick and so you know there are some threats going around that are uncleanable. When using sites like these your downloading files from and unknown source and some are bundled with malicious programs. Its kind of like playing Russian Roulette malwarewise. You would be doing yourself a big favor by uninstalling both of these.
c:\program files\LimeWire
c:\program files\BitTorrent
This one is not really malicious but gathers personal info about your surfing habits and sends you adds, I would uninstall this one also.
c:\program files\Ask.com
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.
Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://forums.whatthetech.com/post_a4255_MBAM.PNG
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report and also a new HJT log please
thanks, ya, i havnt even really used those 2 programs, lol, but ya, i was plannin on unistallin em anyway. I have malwarebytes from trying to fix this myself, but i will run the other really quick and brb =D
Malwarebytes' Anti-Malware 1.44
Database version: 3662
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180
1/30/2010 8:14:47 PM
mbam-log-2010-01-30 (20-14-47).txt
Scan type: Quick Scan
Objects scanned: 125173
Time elapsed: 6 minute(s), 54 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
also, are you able to help me with an error that comes up when i start up my computer? I will post exactly what the error sais in just a minute after i restart it and write it down
wow, comp running a ton faster now, and i guess one of the things, prolly combofix, got rid of that error =D wow, this is amazing, thanks!
actually, it didnt fix it, but the error is "Windows cannot find 'C:\PROGRA~1\INSTAL~1\{C4304~1\SETUP.EXE'. Make sure you typed the name correctly, then try again. To search for a file, click the start button, then click search" any help on getting rid of this? it pops it up at startup when logging into my user
Hi,
Did this just start or have you had it for awhile ?
That message is abbreviated.
See if it shows up in msinfo32
Go to Start> Run> and type in msinfo32
Then look here ...System Summary> Software Environment> Windows Error Reporting
If the full file name is listed please post it here.
I've had it for a while, and i didn't see the error in that.
Do you have a Logitech Webcam installed ?
yes, I do have one installed.
That error your getting appears to be from Logitech Webcam.
Right click on My Computer and select Properties, then go to Device Manager and look for the web cam and see if there is a yellow splat or red x associated with it
nope, and i mean, i use this on a daily basis with ventrilo, talking on there, i use the webcam mic and my ventrilo mic
Well, what I would do is post in this windows forum and they can help you fix that as we just do malware removal on this one
http://forums.whatthetech.com/Microsoft_Windows_f119.html
Now to remove most of the tools that we have used in fixing your machine:
Make sure you have an Internet Connection.
Download OTC (http://oldtimer.geekstogo.com/OTC.exe) to your desktop and run it
A list of tool components used in the cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
Click Yes to begin the cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.
How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot , you can still install Spybot Search and Destroy but do not enable the TeaTimer .
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.
Safe Surfn
Ken
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.