Here are my logs, any help is GREATLY appreciated!
HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:00:35 PM, on 1/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe" /run
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: 2WireSetup.lnk = C:\Program Files\2Wire\WebWorks.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase4009.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemp...ogin-devel.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 7408 bytes
Combofix:
ComboFix 08-01-10.2 - HP_Administrator 2008-01-10 13:48:27.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2077 [GMT -8:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Router
C:\Program Files\WinAble
C:\WINDOWS\system32\awvvt.dll
C:\WINDOWS\system32\cpovstek.ini
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\dcwfbtnm.ini
C:\WINDOWS\system32\tvvwa.ini
C:\WINDOWS\system32\tvvwa.ini2
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
((((((((((((((((((((((((( Files Created from 2007-12-10 to 2008-01-10 )))))))))))))))))))))))))))))))
.
2008-01-10 13:46 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-10 13:44 . 2008-01-10 13:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-10 12:23 . 2008-01-10 12:23 18 --ah----- C:\SYSREST
2008-01-10 08:52 . 2008-01-10 09:11 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-01-08 11:27 . 2008-01-08 11:27 <DIR> d-------- C:\WIN32
2008-01-08 09:24 . 2006-09-18 17:55 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-01-08 09:24 . 2006-09-18 17:55 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-01-08 09:20 . 2008-01-08 09:20 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-03 17:30 . 2008-01-03 17:30 <DIR> d-------- C:\Program Files\ModernRcon v0.4
2007-12-30 14:56 . 2008-01-07 08:32 659,456 --a------ C:\WINDOWS\system32\hphmon06 .exe
2007-12-30 14:56 . 2008-01-07 08:31 339,968 --a------ C:\WINDOWS\system32\hphmon04 .exe
2007-12-30 13:34 . 2008-01-07 10:29 39,936 --a------ C:\WINDOWS\mrofinu11.exe.tmp
2007-12-30 11:16 . 2007-12-30 14:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-30 11:16 . 2007-12-30 11:16 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-12 18:33 . 2007-12-12 18:35 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\GetRightToGo
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-10 21:46 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-01-10 21:46 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-10 04:50 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-01-10 04:47 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Xfire
2008-01-08 19:52 --------- d-----w C:\Program Files\Symantec
2008-01-08 17:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-07 19:03 --------- d-----w C:\Program Files\Windows Defender
2008-01-07 19:03 --------- d-----w C:\Program Files\QuickTime
2007-12-21 00:56 --------- d-s---w C:\Program Files\Xfire
2007-12-21 00:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-16 01:21 --------- d-s---w C:\Program Files\HLSW
2007-11-16 01:18 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Ventrilo
2007-11-15 01:46 --------- d-----w C:\Program Files\Ventrilo
2007-11-15 01:46 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-10 08:13 22,328 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\PnkBstrK.sys
2007-11-10 07:58 --------- d-----w C:\Program Files\Activision
.
----a-w 253,952 2008-01-07 16:31:54 C:\hp\drivers\hplsbwatcher\lsburnwatcher .exe
----a-w 40,048 2008-01-07 16:32:44 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w 339,968 2008-01-07 16:31:59 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w 52,896 2008-01-07 16:32:52 C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w 245,760 2008-01-07 16:31:56 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
----a-w 245,760 2008-01-07 17:50:51 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
----a-w 245,760 2008-01-07 17:50:57 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
----a-w 245,760 2008-01-07 17:51:03 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
----a-w 245,760 2008-01-07 17:51:10 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
----a-w 245,760 2008-01-07 17:51:16 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
----a-w 245,760 2008-01-07 17:51:23 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
----a-w 245,760 2008-01-07 17:51:29 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
----a-w 69,632 2008-01-07 16:32:00 C:\Program Files\HP\HP Share-to-Web\hpgs2wnd .exe
----a-w 49,152 2008-01-07 16:31:58 C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04 .exe
----a-w 132,496 2008-01-07 16:31:58 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 282,624 2008-01-07 18:14:31 C:\Program Files\QuickTime\qttask .exe
----a-w 282,624 2008-01-07 18:14:38 C:\Program Files\QuickTime\qttask .exe
----a-w 282,624 2008-01-07 18:14:44 C:\Program Files\QuickTime\qttask .exe
----a-w 282,624 2008-01-07 18:14:51 C:\Program Files\QuickTime\qttask .exe
----a-w 282,624 2008-01-07 18:14:57 C:\Program Files\QuickTime\qttask .exe
----a-w 282,624 2008-01-07 18:15:03 C:\Program Files\QuickTime\qttask .exe
----a-w 282,624 2008-01-07 18:15:10 C:\Program Files\QuickTime\qttask .exe
----a-w 282,624 2008-01-07 18:15:16 C:\Program Files\QuickTime\qttask .exe
----a-w 282,624 2008-01-07 18:15:23 C:\Program Files\QuickTime\qttask .exe
----a-w 282,624 2008-01-07 18:15:29 C:\Program Files\QuickTime\qttask .exe
----a-w 125,168 2008-01-07 16:32:55 C:\Program Files\Symantec AntiVirus\VPTray .exe
----a-w 866,584 2008-01-07 16:32:30 C:\Program Files\Windows Defender\MSASCui .exe
----a-w 64,512 2008-01-08 17:20:39 C:\WINDOWS\ehome\ehtray .exe
----a-w 15,360 2008-01-08 17:20:47 C:\WINDOWS\system32\ctfmon .exe
----a-w 339,968 2008-01-07 16:31:59 C:\WINDOWS\system32\hphmon04 .exe
----a-w 659,456 2008-01-07 16:32:18 C:\WINDOWS\system32\hphmon06 .exe
----a-w 188,416 2008-01-07 16:31:58 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05 .exe
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 20:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 12:56 64512]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe" [ ]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 88209 C:\WINDOWS\AGRSMMSG.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 11:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"POINTER"="point32.exe" []
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 11:22 86016]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
S3 WUSB54GPV4SRV;Linksys Home Wireless-G USB Adaptor Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2005-04-13 16:31]
.
Contents of the 'Scheduled Tasks' folder
"2008-01-10 21:28:51 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-10 03:29:20 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-10 13:56:48
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-10 13:59:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-10 21:59:44
.
2008-01-10 20:07:25 --- E O F ---