Computer running extremely slow

F

Fuente$

New member
I think my computer has a virus because it is running extremely slow. I really need help here is my hjt log

Logfile of HijackThis v1.99.1
Scan saved at 5:40:59 PM, on 5/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\SpamBlockerUtility\SBTV\SBTV.exe
C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbSrv.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\hjt\hijackthis\HijackThis.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\hjt\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://officialhomepage.org/home15.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R3 - URLSearchHook: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: TVEngine Helper /fleok=1D8A83A5C2E6107D98AE75760EA83FA5EF80752B9499803B2A2303766A - {4B18DD50-C996-44fc-AC52-0FECFF82ED58} - c:\program files\spamblockerutility\sbtv\sbtvhelper.dll
O2 - BHO: (no name) - {4ba8e9cc-00fe-41c1-a891-97c79e6d24f3} - C:\WINDOWS\system32\kbd949.dll
O2 - BHO: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbHostIE.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\webhelper.dll
O2 - BHO: XBTP02634 - {F97DA966-F09D-4cab-BF29-75A0026986EA} - C:\PROGRA~1\BEARSH~1\BEARSH~2\MediaBar.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll
O3 - Toolbar: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbHostIE.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdateMgr.exe
O4 - HKLM\..\Run: [DMAScheduler] c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [NI.UERS_9999_N91S2507] "C:\documents and settings\hp_administrator\application data\errorsafenewreleaseinstall[1].exe" -nag
O4 - HKLM\..\Run: [NI.UWA6P_0001_N91M1807] "c:\documents and settings\hp_administrator\application data\winantiviruspro2006freeinstall[1].exe" -nag
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpamBlocker] C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbOEAddOn.exe
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbWeatherOnTray.exe
O4 - HKLM\..\Run: [Spam Blocker for Outlook Express] C:\PROGRA~1\SPAMBL~1\Bin\484~1.0\SBInst.exe
O4 - HKLM\..\Run: [sgyqzsep] C:\WINDOWS\system32\vgypmxig.exe
O4 - HKLM\..\Run: [NI.UWA7P_0001_N91M0809] "C:\Documents and Settings\HP_Administrator\Application Data\winantiviruspro2007freeinstall[1].exe" -nag
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm492YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\mljgecc.dll
O20 - Winlogon Notify: kbd949 - C:\WINDOWS\SYSTEM32\kbd949.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

please someone help
 
Hello Fuente$ :)

YOu're badly infected...

Please download the following program and save it to your desktop:

http://noahdfear.geekstogo.com/FindAWF.exe

Once downloaded, double-click on the file to run it. When it is done there will be a file called awf.txt on your desktop. Please post the contents of that file as a reply to this topic.

:bigthumb:
 
Alright heres the awf.txt thing


Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\HP\KBD\BAK

02/02/2005 04:44 PM 61,440 KBD.EXE
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\DISC\BAK

11/11/2005 09:11 PM 1,064,960 DISCover.exe
11/11/2005 09:10 PM 61,440 DiscUpdateMgr.exe
2 File(s) 1,126,400 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

03/14/2007 07:05 PM 257,088 iTunesHelper.exe
1 File(s) 257,088 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

02/14/2007 09:22 AM 98,304 qttask.exe
1 File(s) 98,304 bytes

Directory of C:\WINDOWS\CREATOR\BAK

12/14/2004 03:23 AM 663,552 Remind_XP.exe
1 File(s) 663,552 bytes

Directory of C:\WINDOWS\EHOME\BAK

08/05/2005 09:56 PM 64,512 ehtray.exe
1 File(s) 64,512 bytes

Directory of C:\WINDOWS\SMINST\BAK

07/22/2005 11:14 PM 237,568 RECGUARD.EXE
1 File(s) 237,568 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/09/2004 09:00 PM 15,360 ctfmon.exe
03/06/2007 02:36 PM 0 lsasss.exe
11/09/2006 07:05 AM 253,952 vgypmxig.exe
3 File(s) 269,312 bytes

Directory of C:\DOCUME~1\HP_ADM~1\APPLIC~1\BAK

12/27/2006 09:43 AM 87,760 errorsafenewreleaseinstall[1].exe
01/04/2007 01:28 PM 88,280 winantiviruspro2006freeinstall[1].exe
01/25/2007 10:10 PM 87,248 winantiviruspro2007freeinstall[1].exe
3 File(s) 263,288 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

09/16/2005 11:27 PM 52,848 ccApp.exe
1 File(s) 52,848 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPBOOT~1\BAK

11/09/2005 05:29 PM 249,856 HPBootOp.exe
1 File(s) 249,856 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

05/12/2005 07:12 AM 49,152 HPwuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\ADOBE\ACROBA~1.0\READER\BAK

11/22/2004 04:18 PM 307,200 AdobeUpdateManager.exe
1 File(s) 307,200 bytes

Directory of C:\PROGRA~1\HP\DIGITA~1\{33D6C~1\BAK

06/01/2005 11:35 PM 49,152 hphupd08.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\BAK

12/13/2006 09:29 PM 28,672 mwsoemon.exe
1 File(s) 28,672 bytes

Directory of C:\PROGRA~1\SONIC\DIGITA~1\DIGITA~1\BAK

11/01/2005 10:01 AM 90,112 DMAScheduler.exe
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\SPAMBL~1\BIN\484~1.0\BAK

03/05/2004 06:17 AM 45,056 SBInst.exe
11/09/2006 07:06 AM 53,248 SbOEAddOn.exe
11/09/2006 07:05 AM 253,952 SbWeatherOnTray.exe
3 File(s) 352,256 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

37407 Apr 6 2007 "C:\hp\KBD\KBD.EXE"
61440 Feb 2 2005 "C:\hp\KBD\bak\KBD.EXE"
37407 Apr 6 2007 "C:\Program Files\DISC\DISCover.exe"
1064960 Nov 11 2005 "C:\Program Files\DISC\bak\DISCover.exe"
37407 Apr 6 2007 "C:\Program Files\DISC\DiscUpdateMgr.exe"
61440 Nov 11 2005 "C:\Program Files\DISC\bak\DiscUpdateMgr.exe"
37407 Apr 6 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
257088 Mar 14 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Mar 31 2007 "C:\WINDOWS\Installer\{AB90749C-7422-4580-8A7A-66CC5E9E5F98}\iTunesIco.exe"
116288 Mar 14 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.1.1.5\iTunesSetupAdmin.exe"
37860928 Mar 31 2007 "C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\SX8R07GR\iTunesSetup[1].exe"
37407 Apr 6 2007 "C:\Program Files\QuickTime\qttask.exe"
98304 Feb 14 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
37407 Apr 6 2007 "C:\WINDOWS\CREATOR\Remind_XP.exe"
663552 Dec 14 2004 "C:\WINDOWS\CREATOR\bak\Remind_XP.exe"
64512 Aug 5 2005 "C:\WINDOWS\ehome\ehtray.exe"
64512 Aug 5 2005 "C:\WINDOWS\ehome\bak\ehtray.exe"
37407 Apr 6 2007 "C:\WINDOWS\SMINST\RECGUARD.EXE"
237568 Jul 22 2005 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
15360 Aug 9 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 9 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
37407 Apr 6 2007 "C:\WINDOWS\system32\lsasss.exe"
0 Mar 6 2007 "C:\WINDOWS\system32\bak\lsasss.exe"
37407 Apr 6 2007 "C:\WINDOWS\system32\vgypmxig.exe"
253952 Nov 9 2006 "C:\WINDOWS\system32\bak\vgypmxig.exe"
37407 Apr 6 2007 "C:\Documents and Settings\HP_Administrator\Application Data\errorsafenewreleaseinstall[1].exe"
87760 Dec 27 2006 "C:\Documents and Settings\HP_Administrator\Application Data\bak\errorsafenewreleaseinstall[1].exe"
88272 Jan 2 2007 "C:\Documents and Settings\HP_Administrator\Application Data\winantispyware2006freeinstall[1].exe"
88280 Jan 4 2007 "C:\Documents and Settings\HP_Administrator\Application Data\bak\winantiviruspro2006freeinstall[1].exe"
87248 Apr 11 2007 "C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\21K3U5Y5\WinAntiVirusPro2007FreeInstall[1].exe"
37407 Apr 6 2007 "C:\Documents and Settings\HP_Administrator\Application Data\winantiviruspro2006freeinstall[1].exe"
87248 Jan 25 2007 "C:\Documents and Settings\HP_Administrator\Application Data\bak\winantiviruspro2007freeinstall[1].exe"
37407 Apr 6 2007 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
52848 Sep 16 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
37407 Apr 6 2007 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe"
249856 Nov 9 2005 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
37407 Apr 6 2007 "C:\Program Files\HP\HP Software Update\HPwuSchd2.exe"
49152 May 12 2005 "C:\Program Files\HP\HP Software Update\bak\HPwuSchd2.exe"
37407 Apr 6 2007 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
307200 Nov 22 2004 "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"
716800 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\AdobeUpdateManager.exe"
37407 Apr 6 2007 "C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"
49152 Jun 1 2005 "C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak\hphupd08.exe"
37407 Apr 6 2007 "C:\Program Files\MyWebSearch\bar\1.bin\mwsoemon.exe"
28672 Dec 13 2006 "C:\Program Files\MyWebSearch\bar\1.bin\bak\mwsoemon.exe"
37407 Apr 6 2007 "C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe"
90112 Nov 1 2005 "C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\bak\DMAScheduler.exe"
37407 Apr 6 2007 "C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SBInst.exe"
45056 Mar 5 2004 "C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\bak\SBInst.exe"
37407 Apr 6 2007 "C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbOEAddOn.exe"
53248 Nov 9 2006 "C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\bak\SbOEAddOn.exe"
37407 Apr 6 2007 "C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbWeatherOnTray.exe"
253952 Nov 9 2006 "C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\bak\SbWeatherOnTray.exe"


end of report
 
Sorry for the delay...we'll continue :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Download Replacer.bat to your desktop. Don't run it yet!

Download ATF Cleaner by Atribune to your desktop.Do NOT run yet.

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe Do NOT run yet

Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.

Doubleclick on Replacer.bat and let in run.

Run ATF Cleaner
  • Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Run a scan with Dr.Web CureIt
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, you should now mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found
    check.gif
  • If so, click it and then click the next icon right below and select Move incurable
  • After the scan, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot the computer in Normal Mode,
  • Post the Cure-it report and a fresh HijackThis log
 
ok here is the drweb report

mediabar.dll;c:\program files\bearshare applications\bearshare mediabar;Adware.Softomate;Incurable.Moved.;
discupdatemgr.exe;c:\program files\disc;Trojan.DownLoader.19701;Deleted.;
hpbootop.exe;c:\program files\hewlett-packard\hp boot optimizer;Trojan.DownLoader.19701;Deleted.;
hphupd08.exe;c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729};Trojan.DownLoader.19701;Deleted.;
mwsbar.dll;c:\program files\mywebsearch\bar\1.bin;Adware.MWS;Incurable.Moved.;
mwssrcas.dll;c:\program files\mywebsearch\srchastt\1.bin;Adware.MWS;Incurable.Moved.;
sbhostie.dll;c:\program files\spamblockerutility\bin\4.8.4.0;Probably STPAGE.Trojan;Incurable.Moved.;
sbinst.exe;c:\program files\spamblockerutility\bin\4.8.4.0;Trojan.DownLoader.19701;Deleted.;
sboeaddon.exe;c:\program files\spamblockerutility\bin\4.8.4.0;Trojan.DownLoader.19701;Deleted.;
sbweatherontray.exe;c:\program files\spamblockerutility\bin\4.8.4.0;Trojan.DownLoader.19701;Deleted.;
sbtvhelper.dll;c:\program files\spamblockerutility\sbtv;Adware.Hotbar;Incurable.Moved.;
lsasss.exe;c:\windows\system32;Trojan.DownLoader.19701;Deleted.;
vgypmxig.exe;c:\windows\system32;Trojan.DownLoader.19701;Deleted.;
winantispyware2006freeinstall[1].exe;C:\Documents and Settings\HP_Administrator\Application Data;Trojan.DownLoader.10963;Deleted.;
errorsafenewreleaseinstall[1].exe;C:\Documents and Settings\HP_Administrator\Application Data\bak;Trojan.DownLoader.10963;Deleted.;
winantiviruspro2006freeinstall[1].exe;C:\Documents and Settings\HP_Administrator\Application Data\bak;Trojan.DownLoader.10963;Deleted.;
winantiviruspro2007freeinstall[1].exe;C:\Documents and Settings\HP_Administrator\Application Data\bak;Trojan.DownLoader.10963;Deleted.;
hvkpcry.exe;C:\Documents and Settings\HP_Administrator\Local Settings\Temp;Trojan.DownLoader.21719;Deleted.;
Shrek.exe;C:\Documents and Settings\HP_Administrator\My Documents;Adware.Comet;Incurable.Moved.;
sinstaller.exe;C:\Documents and Settings\HP_Administrator\My Documents;Adware.Comet;Incurable.Moved.;
KillWind.exe;C:\hp\bin;Tool.ProcessKill;Incurable.Moved.;
MediaBar.dll;C:\Program Files\BearShare Applications\BearShare MediaBar;Adware.Softomate;;
setup.exe;C:\Program Files\Common Files\AOL\Backup\ACS\Current\Suite;Probably BACKDOOR.Trojan;Incurable.Moved.;
GTDownAO_106.ocx;C:\Program Files\Common Files\AolCoach\en_en;Adware.Gdown;Incurable.Moved.;
MiniBugTransporter.dll;C:\Program Files\Common Files\Real\WeatherBug;Adware.Minibug;Incurable.Moved.;
hphupd08.exe1173503359;C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729};Trojan.DownLoader.17850;Deleted.;
hphupd08.exe1175904951;C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729};Trojan.DownLoader.19442;Deleted.;
riched20.dll;C:\Program Files\MSN Messenger;Adware.Msearch;Incurable.Moved.;
inetchk.exe;C:\Program Files\music_now;Trojan.Click.2093;Deleted.;
F3HISTSW.DLL;C:\Program Files\MyWebSearch\bar\1.bin;Adware.Msearch;Incurable.Moved.;
F3HTTPCT.DLL;C:\Program Files\MyWebSearch\bar\1.bin;Trojan.Isbar.438;Deleted.;
F3POPSWT.DLL;C:\Program Files\MyWebSearch\bar\1.bin;Adware.Funweb;Incurable.Moved.;
F3PSSAVR.SCR;C:\Program Files\MyWebSearch\bar\1.bin;Adware.Msearch;Incurable.Moved.;
F3RESTUB.DLL;C:\Program Files\MyWebSearch\bar\1.bin;Adware.Msearch;Incurable.Moved.;
F3SCHMON.EXE;C:\Program Files\MyWebSearch\bar\1.bin;Adware.Msearch;Incurable.Moved.;
F3SCRCTR.DLL;C:\Program Files\MyWebSearch\bar\1.bin;Trojan.DownLoader.7028;Deleted.;
F3WPHOOK.DLL;C:\Program Files\MyWebSearch\bar\1.bin;Adware.Msearch;Incurable.Moved.;
M3IDLE.DLL;C:\Program Files\MyWebSearch\bar\1.bin;Adware.MWS;Incurable.Moved.;
M3OUTLCN.DLL;C:\Program Files\MyWebSearch\bar\1.bin;Adware.Msearch;Incurable.Moved.;
M3PLUGIN.DLL;C:\Program Files\MyWebSearch\bar\1.bin;Adware.Msearch;Incurable.Moved.;
MWSBAR.DLL;C:\Program Files\MyWebSearch\bar\1.bin;Adware.MWS;;
MWSOEPLG.DLL;C:\Program Files\MyWebSearch\bar\1.bin;Adware.Websearch;Incurable.Moved.;
MWSOESTB.DLL;C:\Program Files\MyWebSearch\bar\1.bin;Adware.MWS;Incurable.Moved.;
NPMYWEBS.DLL;C:\Program Files\MyWebSearch\bar\1.bin;Adware.Msearch;Incurable.Moved.;
mwsoemon.exe;C:\Program Files\MyWebSearch\bar\1.bin\bak;Adware.Websearch;Incurable.Moved.;
MWSSRCAS.DLL;C:\Program Files\MyWebSearch\SrchAstt\1.bin;Adware.MWS;;
PPCInstall.dll;C:\Program Files\Online Services\PeoplePC;Probably STPAGE.Trojan;Incurable.Moved.;
Cml.exe;C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0;Adware.Hotbar;Incurable.Moved.;
SbCoreSrv.dll;C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0;Adware.Hotbar;Incurable.Moved.;
SbGuard.exe;C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0;Adware.Hotbar;Incurable.Moved.;
SbHostIE.dll;C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0;Probably STPAGE.Trojan;;
SbHostOL.dll;C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0;Adware.Hotbar;Incurable.Moved.;
SbInstIE.dll;C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0;Adware.Hotbar;Incurable.Moved.;
SbSrv.exe;C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0;Adware.Hotbar;Incurable.Moved.;
SbToolbar.dll;C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0;Adware.Hotbar;Incurable.Moved.;
SbWallpaper.dll;C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0;Adware.Hotbar;Incurable.Moved.;
SbWeatherOnTray.exe;C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\bak;Adware.Hotbar;Incurable.Moved.;
SBTV.exe;C:\Program Files\SpamBlockerUtility\SBTV;Adware.Hotbar;Incurable.Moved.;
SBTVHelper.dll;C:\Program Files\SpamBlockerUtility\SBTV;Adware.Hotbar;;
A0022906.EXE;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Trojan.DownLoader.19701;Deleted.;
A0022907.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Trojan.DownLoader.19701;Deleted.;
A0022908.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Trojan.DownLoader.19701;Deleted.;
A0022909.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Trojan.DownLoader.19701;Deleted.;
A0022910.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Trojan.DownLoader.19701;Deleted.;
A0022912.EXE;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Trojan.DownLoader.19701;Deleted.;
A0022914.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Trojan.DownLoader.19701;Deleted.;
A0022915.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Trojan.DownLoader.19701;Deleted.;
A0022916.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Trojan.DownLoader.19701;Deleted.;
A0022917.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Trojan.DownLoader.19701;Deleted.;
A0022918.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Trojan.DownLoader.19701;Deleted.;
A0022919.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Trojan.DownLoader.19701;Deleted.;
A0022920.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Trojan.DownLoader.10963;Deleted.;
A0022921.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Trojan.DownLoader.19701;Deleted.;
A0022945.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Trojan.DownLoader.19701;Deleted.;
A0022946.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Trojan.DownLoader.19701;Deleted.;
A0022947.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Trojan.DownLoader.19701;Deleted.;
A0022948.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Trojan.DownLoader.19701;Deleted.;
A0022949.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Trojan.DownLoader.19701;Deleted.;
A0022950.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Trojan.DownLoader.19701;Deleted.;
A0022951.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Trojan.DownLoader.19701;Deleted.;
A0022952.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Trojan.DownLoader.19701;Deleted.;
A0022953.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Trojan.DownLoader.10963;Deleted.;
A0022954.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Trojan.DownLoader.10963;Deleted.;
A0022955.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Trojan.DownLoader.10963;Deleted.;
A0022956.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Trojan.DownLoader.10963;Deleted.;
A0022957.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Trojan.Click.2093;Deleted.;
A0022958.DLL;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Trojan.Isbar.438;Deleted.;
A0022959.DLL;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Trojan.DownLoader.7028;Deleted.;
sb6adts.htc\Script.0;C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\sb6adts.htc;Probably SCRIPT.Virus;;
sb6adts.htc;C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts;Archive contains infected objects;Moved.;
actskn45.ocx;C:\WINDOWS\system32;Trojan.Isbar.439;Deleted.;
f3PSSavr.scr;C:\WINDOWS\system32;Adware.Msearch;Incurable.Moved.;
vgypmxig.exe;C:\WINDOWS\system32\bak;Adware.Hotbar;Incurable.Moved.;
firstopt.js;D:\I386\APPS\APP18398;Probably SCRIPT.Virus;Incurable.Moved.;
 
and here is the hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 3:56:46 PM, on 5/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\DISC\DISCover.exe
C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\DISC\DiscGui.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\DISC\DiscStreamHub.exe
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\HP_Administrator\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://officialhomepage.org/home15.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {4ba8e9cc-00fe-41c1-a891-97c79e6d24f3} - C:\WINDOWS\system32\kbd949.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\webhelper.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdateMgr.exe
O4 - HKLM\..\Run: [DMAScheduler] c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [NI.UERS_9999_N91S2507] "C:\documents and settings\hp_administrator\application data\errorsafenewreleaseinstall[1].exe" -nag
O4 - HKLM\..\Run: [NI.UWA6P_0001_N91M1807] "c:\documents and settings\hp_administrator\application data\winantiviruspro2006freeinstall[1].exe" -nag
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpamBlocker] C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbOEAddOn.exe
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbWeatherOnTray.exe
O4 - HKLM\..\Run: [Spam Blocker for Outlook Express] C:\PROGRA~1\SPAMBL~1\Bin\484~1.0\SBInst.exe
O4 - HKLM\..\Run: [NI.UWA7P_0001_N91M0809] "C:\Documents and Settings\HP_Administrator\Application Data\winantiviruspro2007freeinstall[1].exe" -nag
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm492YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\mljgecc.dll
O20 - Winlogon Notify: kbd949 - C:\WINDOWS\SYSTEM32\kbd949.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
 
Ok :)

Did you ran the Replacer.bat? If not, please restart the computer to safe mode and run it.

Now please run FindAWF again and post the fresh log to here :bigthumb:
 
Heres the awf log


Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\HP\KBD\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\DISC\BAK

11/11/2005 09:10 PM 61,440 DiscUpdateMgr.exe
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\CREATOR\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\EHOME\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SMINST\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

03/06/2007 02:36 PM 0 lsasss.exe
1 File(s) 0 bytes

Directory of C:\DOCUME~1\HP_ADM~1\APPLIC~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPBOOT~1\BAK

11/09/2005 05:29 PM 249,856 HPBootOp.exe
1 File(s) 249,856 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ADOBE\ACROBA~1.0\READER\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\HP\DIGITA~1\{33D6C~1\BAK

06/01/2005 11:35 PM 49,152 hphupd08.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SONIC\DIGITA~1\DIGITA~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SPAMBL~1\BIN\484~1.0\BAK

03/05/2004 06:17 AM 45,056 SBInst.exe
11/09/2006 07:06 AM 53,248 SbOEAddOn.exe
2 File(s) 98,304 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

61440 Nov 11 2005 "C:\Program Files\DISC\bak\DiscUpdateMgr.exe"
0 Mar 6 2007 "C:\WINDOWS\system32\bak\lsasss.exe"
249856 Nov 9 2005 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\BAK\HPBootOp.exe"
49152 Jun 1 2005 "C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\BAK\hphupd08.exe"
45056 Mar 5 2004 "C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\bak\SBInst.exe"
53248 Nov 9 2006 "C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\bak\SbOEAddOn.exe"


end of report

P.S. I ran the replacer.bat and i caught this image of it. I think it isnt doing what its supposed to

attachment.php
 
Hello :)

Ok looks much better now. Ok we need a new version of replacer.bat

You should print these instructions or save these to a text file. Follow these instructions carefully.

Download Replacer2.bat to your desktop. Don't run it yet!

Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.

Doubleclick on Replacer2.bat and let in run.

Run ATF Cleaner
  • Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Reboot the computer in Normal Mode

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    • Extended (if available otherwise Standard)
    • Scan Options:
    • Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post along with a fresh HijackThis log and a fresh FindAWF log
 
Theres a problem with that, I dont have that computer connected to the internet. I use a different computer to post on this
 
so is there some other program that i can use that can be downloaded? cuz thats what i have been doing downloading the stuff then transfering it via memory stick
 
Hello :)

Ok, we may another scanner then (you can download it, then transfer it and scan with it)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.
Run a scan with Dr.Web CureIt
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, you should now mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found
    check.gif
  • If so, click it and then click the next icon right below and select Move incurable
  • After the scan, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot the computer in Normal Mode,
  • Post the Cure-it report and a fresh HijackThis log and FindAWF log

:bigthumb:
 
Heres the hjt log

Logfile of HijackThis v1.99.1
Scan saved at 8:49:46 PM, on 5/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\HP_Administrator\Desktop\drweb-cureit(2).exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\RarSFX0\_start.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\RarSFX0\cureit.exe
C:\Documents and Settings\HP_Administrator\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://officialhomepage.org/home15.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {4ba8e9cc-00fe-41c1-a891-97c79e6d24f3} - C:\WINDOWS\system32\kbd949.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\webhelper.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdateMgr.exe
O4 - HKLM\..\Run: [DMAScheduler] c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [NI.UERS_9999_N91S2507] "C:\documents and settings\hp_administrator\application data\errorsafenewreleaseinstall[1].exe" -nag
O4 - HKLM\..\Run: [NI.UWA6P_0001_N91M1807] "c:\documents and settings\hp_administrator\application data\winantiviruspro2006freeinstall[1].exe" -nag
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpamBlocker] C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbOEAddOn.exe
O4 - HKLM\..\Run: [NI.UWA7P_0001_N91M0809] "C:\Documents and Settings\HP_Administrator\Application Data\winantiviruspro2007freeinstall[1].exe" -nag
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm492YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\mljgecc.dll
O20 - Winlogon Notify: kbd949 - C:\WINDOWS\SYSTEM32\kbd949.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Heres the awf log

Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\HP\KBD\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\DISC\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\CREATOR\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\EHOME\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SMINST\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

03/06/2007 02:36 PM 0 lsasss.exe
1 File(s) 0 bytes

Directory of C:\DOCUME~1\HP_ADM~1\APPLIC~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPBOOT~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ADOBE\ACROBA~1.0\READER\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\HP\DIGITA~1\{33D6C~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SONIC\DIGITA~1\DIGITA~1\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

0 Mar 6 2007 "C:\WINDOWS\system32\bak\lsasss.exe"


end of report
 
And heres the DrWeb.csv

A0022960.ocx;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Trojan.Isbar.439;Deleted.;
A0022961.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Adware.Softomate;Incurable.Moved.;
A0022962.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Adware.MWS;Incurable.Moved.;
A0022963.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Adware.MWS;Incurable.Moved.;
A0022964.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Probably STPAGE.Trojan;Incurable.Moved.;
A0022965.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Adware.Hotbar;Incurable.Moved.;
A0022966.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Tool.ProcessKill;Incurable.Moved.;
A0022967.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0022968.ocx;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Adware.Gdown;Incurable.Moved.;
A0022969.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Adware.Minibug;Incurable.Moved.;
A0022970.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Adware.Msearch;Incurable.Moved.;
A0022971.DLL;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Adware.Msearch;Incurable.Moved.;
A0022972.DLL;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Adware.Funweb;Incurable.Moved.;
A0022973.SCR;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Adware.Msearch;Incurable.Moved.;
A0022974.DLL;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Adware.Msearch;Incurable.Moved.;
A0022975.EXE;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Adware.Msearch;Incurable.Moved.;
A0022976.DLL;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Adware.Msearch;Incurable.Moved.;
A0022977.DLL;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Adware.MWS;Incurable.Moved.;
A0022978.DLL;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Adware.Msearch;Incurable.Moved.;
A0022979.DLL;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Adware.Msearch;Incurable.Moved.;
A0022980.DLL;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Adware.Websearch;Incurable.Moved.;
A0022981.DLL;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Adware.MWS;Incurable.Moved.;
A0022982.DLL;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Adware.Msearch;Incurable.Moved.;
A0022983.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Adware.Websearch;Incurable.Moved.;
A0022984.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Probably STPAGE.Trojan;Incurable.Moved.;
A0022985.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Adware.Hotbar;Incurable.Moved.;
A0022986.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Adware.Hotbar;Incurable.Moved.;
A0022987.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Adware.Hotbar;Incurable.Moved.;
A0022988.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Adware.Hotbar;Incurable.Moved.;
A0022989.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Adware.Hotbar;Incurable.Moved.;
A0022990.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Adware.Hotbar;Incurable.Moved.;
A0022991.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Adware.Hotbar;Incurable.Moved.;
A0022992.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Adware.Hotbar;Incurable.Moved.;
A0022993.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Adware.Hotbar;Incurable.Moved.;
A0022994.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Adware.Hotbar;Incurable.Moved.;
A0022995.scr;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Adware.Msearch;Incurable.Moved.;
A0022996.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP50;Adware.Hotbar;Incurable.Moved.;
 
Ok great, looks like we nailed the nastiest infection...

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

:bigthumb:
 
The combofix log

"HP_Administrator" - 2007-05-12 14:22:05 Service Pack 2
ComboFix 07-05.09.V - Running from: "C:\Documents and Settings\HP_Administrator\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-12 ))))))))))))))))))))))))))))))))))


2007-05-08 14:49 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\MSNInstaller
2007-05-08 14:42 143,360 --a------ C:\WINDOWS\GTRemove.exe
2007-05-08 14:42 <DIR> d-------- C:\Program Files\Qwest
2007-05-08 14:42 <DIR> d-------- C:\Program Files\Actiontec
2007-05-08 14:42 <DIR> d-------- C:\Program Files\2Wire_USB_Drivers
2007-05-08 14:42 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\InstallShield
2007-05-07 19:47 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-05-06 14:07 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\DoctorWeb
2007-05-03 18:13 <DIR> d-------- C:\Program Files\America Online 9.0
2007-05-01 17:35 <DIR> d-------- C:\hjt
2007-04-29 09:50 <DIR> d-------- C:\WINDOWS\CSC
2007-04-29 09:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
2007-04-28 22:10 58,464 --a------ C:\WINDOWS\system32\drivers\mvstdi5x.sys
2007-04-28 22:10 108,480 --a------ C:\WINDOWS\system32\drivers\naiavf5x.sys
2007-04-28 21:01 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2007-04-28 21:00 <DIR> d-------- C:\WINDOWS\5DF3D1BB894E4DCD8275159AC9829B43.TMP
2007-04-28 21:00 <DIR> d-------- C:\Program Files\Network Associates
2007-04-28 21:00 <DIR> d-------- C:\Program Files\Common Files\Network Associates
2007-04-28 21:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Network Associates
2007-04-28 20:48 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SpamBlockerUtility
2007-04-28 20:48 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Google
2007-04-16 05:56 180,224 --a------ C:\WINDOWS\system32\nvunrm.exe
2007-04-16 05:56 100,480 --a------ C:\WINDOWS\system32\drivers\nvtcp.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-12 17:53:52 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-05-12 17:48:31 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\AdobeUM
2007-05-08 21:42:55 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-08 21:29:56 -------- d-----w C:\Program Files\DISC
2007-05-06 21:40:45 -------- d-----w C:\Program Files\music_now
2007-05-06 21:15:49 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\bak
2007-05-06 20:59:33 -------- d-----w C:\Program Files\QuickTime
2007-05-06 20:59:32 -------- d-----w C:\Program Files\iTunes
2007-05-04 01:14:54 -------- d-----w C:\Program Files\AOL Toolbar
2007-05-04 01:14:46 -------- d-----w C:\Program Files\AOL Deskbar
2007-05-03 21:37:23 -------- d-----w C:\Program Files\LimeWire
2007-04-29 17:09:01 -------- d-----w C:\Program Files\Qwest QuickConnect
2007-04-29 16:15:25 -------- d-----w C:\Program Files\Google
2007-04-23 20:30:32 5,578 ----a-w C:\DOCUME~1\HP_ADM~1\APPLIC~1\wklnhst.dat
2007-04-12 00:28:43 -------- d-----w C:\Program Files\Common Files\AOL
2007-04-12 00:13:16 -------- d-----w C:\Program Files\Quicken
2007-04-12 00:02:42 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\SpamBlockerUtility
2007-04-07 00:51:10 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\Sammsoft
2007-04-07 00:51:04 -------- d-----w C:\Program Files\Advanced Registry Optimizer
2007-04-07 00:41:01 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\SpamBlockerUtility_Icons
2007-04-07 00:11:58 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\SpamBlocker
2007-04-07 00:11:34 2,692,288 ----a-w C:\WINDOWS\system32\pruuqsly.exe
2007-04-06 03:47:19 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\LimeWire
2007-03-31 18:14:27 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\Apple Computer
2007-03-31 18:14:14 -------- d-----w C:\Program Files\iPod
2007-03-31 18:13:13 -------- d-----w C:\Program Files\Apple Software Update
2007-03-17 00:21:51 8,535 ----a-w C:\WINDOWS\system32\mljgecc.dll
2007-03-06 21:22:44 -------- d-----w C:\Program Files\Norton Internet Security
2007-03-06 21:07:39 -------- d-----w C:\Program Files\HP Rhapsody
2007-03-06 20:21:05 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\ArcSoft
2007-03-06 20:18:07 -------- d-----w C:\Program Files\Symantec


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"="C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll"
"{A8F38D8D-E480-4D52-B7A2-731BB6995FDD}"="c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll"
"{AAAE832A-5FFF-4661-9C8F-369692D1DCB9}"="C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\webhelper.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"AlwaysReady Power Message APP"="ARPWRMSG.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"RTHDCPL"="RTHDCPL.EXE"
"HPHUPD08"="c:\\Program Files\\HP\\Digital Imaging\\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\\hphupd08.exe"
"DISCover"="C:\\Program Files\\DISC\\DISCover.exe"
"DiscUpdateManager"="C:\\Program Files\\DISC\\DiscUpdateMgr.exe"
"DMAScheduler"="c:\\Program Files\\Sonic\\DigitalMedia Plus\\DigitalMedia Archive\\DMAScheduler.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
@=""
"PCDrProfiler"=""
"ccApp"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Reminder"="\"C:\\Windows\\Creator\\Remind_XP.exe\""
"HP Software Update"=hex(2):43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,\
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"NI.UERS_9999_N91S2507"="\"C:\\documents and settings\\hp_administrator\\application data\\errorsafenewreleaseinstall[1].exe\" -nag "
"NI.UWA6P_0001_N91M1807"="\"c:\\documents and settings\\hp_administrator\\application data\\winantiviruspro2006freeinstall[1].exe\" -nag "
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"SpamBlocker"="C:\\Program Files\\SpamBlockerUtility\\Bin\\4.8.4.0\\SbOEAddOn.exe"
"NI.UWA7P_0001_N91M0809"="\"C:\\Documents and Settings\\HP_Administrator\\Application Data\\winantiviruspro2007freeinstall[1].exe\" -nag "
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"MyWebSearch Email Plugin"="C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\mwsoemon.exe"
"updateMgr"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_0"
"AROReminder"="C:\\Program Files\\Advanced Registry Optimizer\\aro.exe -rem"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="c:\windows\system32\mljgecc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0




[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
Usnsvc usnsvc\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f2d89d56-7b6a-11db-bd33-0017311090e8}]
Shell\AutoRun\command K:\Installer.exe
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
C:\WINDOWS\tasks\Easy Internet Sign-up.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-12 14:25:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-12 14:25:14
C:\ComboFix-quarantined-files.txt ... 2007-05-12 14:25
 
Ok the story continues....

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
 
VundoFix V6.3.21

Checking Java version...

Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.

Scan started at 11:03:57 AM 5/13/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

and the hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 11:19:22 AM, on 5/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\ComboFix\15577.cfexe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdateMgr.exe
C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\DISC\DiscGui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\DISC\DiscStreamHub.exe
c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Documents and Settings\HP_Administrator\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://officialhomepage.org/home15.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\webhelper.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdateMgr.exe
O4 - HKLM\..\Run: [DMAScheduler] c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NI.UERS_9999_N91S2507] "C:\documents and settings\hp_administrator\application data\errorsafenewreleaseinstall[1].exe" -nag
O4 - HKLM\..\Run: [NI.UWA6P_0001_N91M1807] "c:\documents and settings\hp_administrator\application data\winantiviruspro2006freeinstall[1].exe" -nag
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpamBlocker] C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbOEAddOn.exe
O4 - HKLM\..\Run: [NI.UWA7P_0001_N91M0809] "C:\Documents and Settings\HP_Administrator\Application Data\winantiviruspro2007freeinstall[1].exe" -nag
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm492YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\mljgecc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
 
Hi again :)

Before we'll continue I would like you to do something for me...
I need you too upload few malware files for further inspection.

Make your hidden files visible:
  • Go to My Computer
  • Select the Tools menu and click Folder Options
  • Click the View tab.
  • Checkmark the "Display the contents of system folders"
  • Under the Hidden files and folders select "Show hidden files and folders"
  • Uncheck "Hide protected operating system files"
  • Click Apply and then the OK and close My Computer.
Please go here to upload a suspicious file for analysis.
  • Enter your username from this forum
  • Copy and paste the link to this thread
    • Click "Browse" on the 1. field.
      Browse to the following file and click the file with your mouse, press "Open"
      C:\WINDOWS\system32\mljgecc.dll
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File
Please let me know when you have done this and then we'll get you cleaned :bigthumb:
 
You must log in or register to reply here.
Back
Top