Virtumonde help, thanks in advance

coolc · Aug 4, 2008

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:11:08 PM, on 8/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Linksys\WUSB600N\WUSB600N.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton 360\ScanStub.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {CDCFA7AE-F6AC-492A-8CF1-3E7F19FA1987} - (no file)
O2 - BHO: (no name) - {F3C7357D-F999-FB38-9C8F-85FA39AD6990} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: MetaCrawl.WS Toolbar - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\Program Files\IEToolbar\metacrawl.ws.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-3654468481-1888268719-1600119017-501\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Guest')
O4 - S-1-5-21-3654468481-1888268719-1600119017-501 Startup: .lnk = ? (User 'Guest')
O4 - S-1-5-21-3654468481-1888268719-1600119017-501 User Startup: .lnk = ? (User 'Guest')
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Wireless Network Monitor.lnk = C:\Program Files\Linksys\WUSB600N\WUSB600N.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: hggdebc - hggdebc.dll (file missing)
O20 - Winlogon Notify: xsspbqyw - C:\WINDOWS\SYSTEM32\xsspbqyw.dll
O20 - Winlogon Notify: ypkhcwyo - ypkhcwyo.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7016 bytes

Shaba · Aug 8, 2008

Hi coolc

We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

coolc · Aug 8, 2008

Thanks for the response, the site you provided seems to be down http://www.bleepingcomputer.com/combofix/how-to-use-combofix

"We apologize for the temporary outage. The administrators are performing maintenance on the site and will be finished soon.
Please try again shortly.

You can try refreshing the page in a couple of minutes by clicking here."

I'll try again later today.

Thanks again for your help.

Shaba · Aug 8, 2008

Yes it is down, my bad.

You can do this meanwhile:

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

Post:

- a fresh HijackThis log
- combofix report

coolc · Aug 9, 2008

Installed file from bleepingcomputer.com, d/l recovery console. dragged and dropped file, disabled spybot, spywareblaster and norton 360, ran combo fix , then ran hijackthis. Thanks for your time...

here's the hijackthis file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:56:41 PM, on 8/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Linksys\WUSB600N\WUSB600N.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: MetaCrawl.WS Toolbar - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\Program Files\IEToolbar\metacrawl.ws.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Wireless Network Monitor.lnk = C:\Program Files\Linksys\WUSB600N\WUSB600N.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: xsspbqyw - C:\WINDOWS\SYSTEM32\xsspbqyw.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6300 bytes

Heres the combofix file:

ComboFix 08-08-08.06 - 007 2008-08-08 18:42:35.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.179 [GMT -4:00]
Running from: C:\Documents and Settings\007\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\007\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\007\Application Data\DriveCleaner Free
C:\Documents and Settings\007\Application Data\DriveCleaner Free\Logs\update.log
C:\Documents and Settings\007\Application Data\macromedia\Flash Player\#SharedObjects\FSFLFFY7\interclick.com
C:\Documents and Settings\007\Application Data\macromedia\Flash Player\#SharedObjects\FSFLFFY7\interclick.com\ud.sol
C:\Documents and Settings\007\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\007\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\007\err.log
C:\Documents and Settings\27\Application Data\searchtoolbarcorp
C:\Documents and Settings\27\Application Data\searchtoolbarcorp\Toolbar Vision\PageHistory.txt
C:\Documents and Settings\27\Application Data\searchtoolbarcorp\Toolbar Vision\WebHistory.txt
C:\Documents and Settings\Guest\Application Data\DriveCleaner Free
C:\Documents and Settings\Guest\Application Data\DriveCleaner Free\Logs\update.log
C:\Documents and Settings\Guest\Application Data\searchtoolbarcorp
C:\Documents and Settings\Guest\Application Data\searchtoolbarcorp\Toolbar Vision\PageHistory.txt
C:\Documents and Settings\Guest\Application Data\searchtoolbarcorp\Toolbar Vision\WebHistory.txt
C:\Documents and Settings\Guest\err.log
C:\Documents and Settings\Guest\Start Menu\Programs\Startup\.lnk
C:\Documents and Settings\SCUBA\Application Data\MBOLS~1
C:\Documents and Settings\SCUBA\Application Data\MBOLS~1\??mbols\
C:\Documents and Settings\SCUBA\Application Data\searchtoolbarcorp
C:\Documents and Settings\SCUBA\Application Data\searchtoolbarcorp\Toolbar Vision\PageHistory.txt
C:\Documents and Settings\SCUBA\Application Data\searchtoolbarcorp\Toolbar Vision\WebHistory.txt
C:\Documents and Settings\SCUBA\My Documents\DOBE~1
C:\Program Files\IEToolbar
C:\Program Files\IEToolbar\basis.xml
C:\Program Files\IEToolbar\icons.bmp
C:\Program Files\IEToolbar\inst.bat
C:\Program Files\IEToolbar\metacrawl.ws.crc
C:\Program Files\IEToolbar\metacrawl.ws.dll
C:\Program Files\IEToolbar\metacrawl.ws.inf
C:\Program Files\IEToolbar\metacrawlit.bmp
C:\Program Files\IEToolbar\version.txt
C:\WINDOWS\BMb7cd7021.txt
C:\WINDOWS\BMb7cd7021.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\afoevogm.ini
C:\WINDOWS\system32\ajfljivl.ini
C:\WINDOWS\system32\apcclmvk.dll
C:\WINDOWS\system32\awairbgk.ini
C:\WINDOWS\system32\bjqigjyh.ini
C:\WINDOWS\system32\bkfckdvk.ini
C:\WINDOWS\system32\brbsvbiq.ini
C:\WINDOWS\system32\cbxuayvw.ini
C:\WINDOWS\system32\ccsrnxpj.ini
C:\WINDOWS\system32\ckuefjsx.ini
C:\WINDOWS\system32\cosjlmxw.ini
C:\WINDOWS\system32\cpgxipli.ini
C:\WINDOWS\system32\crjjdabs.ini
C:\WINDOWS\system32\crqrgccp.ini
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\cvarohdk.ini
C:\WINDOWS\system32\dekjoium.ini
C:\WINDOWS\system32\dhhnvedt.ini
C:\WINDOWS\system32\dsmgrcsf.ini
C:\WINDOWS\system32\dywstxgt.ini
C:\WINDOWS\system32\ekdhhlyl.ini
C:\WINDOWS\system32\elflhanc.ini
C:\WINDOWS\system32\emlcqbhv.ini
C:\WINDOWS\system32\entfhacv.ini
C:\WINDOWS\system32\erbxoowk.dll
C:\WINDOWS\system32\espcdcwh.ini
C:\WINDOWS\system32\esxmjjdo.ini
C:\WINDOWS\system32\fdbrujll.ini
C:\WINDOWS\system32\fdhtcway.dll
C:\WINDOWS\system32\fiyywggv.dll
C:\WINDOWS\system32\ftkaymjb.ini
C:\WINDOWS\system32\fvqhxdnh.ini
C:\WINDOWS\system32\gisxjhlu.ini
C:\WINDOWS\system32\gryjcqcy.ini
C:\WINDOWS\system32\gvegmgdf.ini
C:\WINDOWS\system32\gweaxxbt.ini
C:\WINDOWS\system32\gyyvlmnn.ini
C:\WINDOWS\system32\heejxwyr.ini
C:\WINDOWS\system32\hmvsslfb.ini
C:\WINDOWS\system32\hpyanbwf.ini
C:\WINDOWS\system32\igrnuphb.ini
C:\WINDOWS\system32\ioefeocq.ini
C:\WINDOWS\system32\iruufxya.ini
C:\WINDOWS\system32\jderssha.ini
C:\WINDOWS\system32\jenotwxw.ini
C:\WINDOWS\system32\jqrybrld.ini
C:\WINDOWS\system32\jttvvqls.ini
C:\WINDOWS\system32\jtvybxul.ini
C:\WINDOWS\system32\jumhfhxs.ini
C:\WINDOWS\system32\kerbfjwp.ini
C:\WINDOWS\system32\kgopnids.ini
C:\WINDOWS\system32\khsoixrd.ini
C:\WINDOWS\system32\kwicsvxf.ini
C:\WINDOWS\system32\kxfpkihd.ini
C:\WINDOWS\system32\lemfeomv.ini
C:\WINDOWS\system32\mauabxwb.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\motymmlj.ini
C:\WINDOWS\system32\mqkhjmqb.ini
C:\WINDOWS\system32\msmydjsm.ini
C:\WINDOWS\system32\nokuhrbh.ini
C:\WINDOWS\system32\npsmrfgs.ini
C:\WINDOWS\system32\nyqboluw.ini
C:\WINDOWS\system32\odtfhwfx.ini
C:\WINDOWS\system32\oebwffms.ini
C:\WINDOWS\system32\ofcdnbxn.dll
C:\WINDOWS\system32\oojhkivy.ini
C:\WINDOWS\system32\orksogwj.ini
C:\WINDOWS\system32\othqufwt.ini
C:\WINDOWS\system32\ovaaycsy.ini
C:\WINDOWS\system32\paqhxfid.ini
C:\WINDOWS\system32\pcfyrcld.ini
C:\WINDOWS\system32\pcmpufdt.ini
C:\WINDOWS\system32\pdeogmuf.ini
C:\WINDOWS\system32\pfpebnss.dll
C:\WINDOWS\system32\pjowlajf.dll
C:\WINDOWS\system32\pvjtpech.ini
C:\WINDOWS\system32\qibfutke.ini
C:\WINDOWS\system32\qkyfnqim.ini
C:\WINDOWS\system32\RCX2B.tmp
C:\WINDOWS\system32\RCX2C.tmp
C:\WINDOWS\system32\RCX2D.tmp
C:\WINDOWS\system32\RCX2E.tmp
C:\WINDOWS\system32\RCX2F.tmp
C:\WINDOWS\system32\RCX30.tmp
C:\WINDOWS\system32\RCX31.tmp
C:\WINDOWS\system32\RCX32.tmp
C:\WINDOWS\system32\RCX33.tmp
C:\WINDOWS\system32\RCX34.tmp
C:\WINDOWS\system32\RCX35.tmp
C:\WINDOWS\system32\RCX36.tmp
C:\WINDOWS\system32\RCX37.tmp
C:\WINDOWS\system32\RCX38.tmp
C:\WINDOWS\system32\RCX39.tmp
C:\WINDOWS\system32\RCX3A.tmp
C:\WINDOWS\system32\RCX3B.tmp
C:\WINDOWS\system32\RCX3C.tmp
C:\WINDOWS\system32\RCX3D.tmp
C:\WINDOWS\system32\RCX3E.tmp
C:\WINDOWS\system32\RCX3F.tmp
C:\WINDOWS\system32\RCX40.tmp
C:\WINDOWS\system32\RCX41.tmp
C:\WINDOWS\system32\RCX42.tmp
C:\WINDOWS\system32\RCX43.tmp
C:\WINDOWS\system32\RCX44.tmp
C:\WINDOWS\system32\RCX45.tmp
C:\WINDOWS\system32\RCX46.tmp
C:\WINDOWS\system32\RCX47.tmp
C:\WINDOWS\system32\RCX48.tmp
C:\WINDOWS\system32\RCX49.tmp
C:\WINDOWS\system32\RCX4A.tmp
C:\WINDOWS\system32\RCX4B.tmp
C:\WINDOWS\system32\RCX4C.tmp
C:\WINDOWS\system32\RCX4D.tmp
C:\WINDOWS\system32\RCX4E.tmp
C:\WINDOWS\system32\RCX4F.tmp
C:\WINDOWS\system32\RCX50.tmp
C:\WINDOWS\system32\RCX51.tmp
C:\WINDOWS\system32\RCX52.tmp
C:\WINDOWS\system32\RCX53.tmp
C:\WINDOWS\system32\RCX54.tmp
C:\WINDOWS\system32\RCX55.tmp
C:\WINDOWS\system32\RCX56.tmp
C:\WINDOWS\system32\RCX57.tmp
C:\WINDOWS\system32\RCX58.tmp
C:\WINDOWS\system32\RCX59.tmp
C:\WINDOWS\system32\RCX5A.tmp
C:\WINDOWS\system32\RCX5F.tmp
C:\WINDOWS\system32\RCX60.tmp
C:\WINDOWS\system32\RCX61.tmp
C:\WINDOWS\system32\RCX62.tmp
C:\WINDOWS\system32\RCX63.tmp
C:\WINDOWS\system32\RCX64.tmp
C:\WINDOWS\system32\RCX65.tmp
C:\WINDOWS\system32\RCX6D.tmp
C:\WINDOWS\system32\RCX75.tmp
C:\WINDOWS\system32\RCX82.tmp
C:\WINDOWS\system32\RCX8D.tmp
C:\WINDOWS\system32\RCX8E.tmp
C:\WINDOWS\system32\RCX90.tmp
C:\WINDOWS\system32\RCXAD.tmp
C:\WINDOWS\system32\RCXBA.tmp
C:\WINDOWS\system32\RCXBB.tmp
C:\WINDOWS\system32\RCXCF.tmp
C:\WINDOWS\system32\RCXE7.tmp
C:\WINDOWS\system32\RCXE8.tmp
C:\WINDOWS\system32\RCXFC.tmp
C:\WINDOWS\system32\reqkmxem.dll
C:\WINDOWS\system32\rfmhgdxk.ini
C:\WINDOWS\system32\rkkflesq.ini
C:\WINDOWS\system32\rqpweald.ini
C:\WINDOWS\system32\rqtss.ini
C:\WINDOWS\system32\rqtss.ini2
C:\WINDOWS\system32\setkljxt.ini
C:\WINDOWS\system32\sfgpvhwh.ini
C:\WINDOWS\system32\srbevkuj.ini
C:\WINDOWS\system32\sshmkkwp.ini
C:\WINDOWS\system32\sybwsbiv.ini
C:\WINDOWS\system32\tbqvclqg.ini
C:\WINDOWS\system32\tqulepwp.ini
C:\WINDOWS\system32\uirjntbj.ini
C:\WINDOWS\system32\ujdkylml.ini
C:\WINDOWS\system32\urxaywmi.ini
C:\WINDOWS\system32\uujujomm.ini
C:\WINDOWS\system32\vafevfjn.ini
C:\WINDOWS\system32\vevwblkg.ini
C:\WINDOWS\system32\vhnptybj.ini
C:\WINDOWS\system32\vjhpylha.ini
C:\WINDOWS\system32\vkemidii.ini
C:\WINDOWS\system32\vlmquvyf.dll
C:\WINDOWS\system32\vnbhvabt.ini
C:\WINDOWS\system32\vnbwhjle.ini
C:\WINDOWS\system32\vrmidawj.ini
C:\WINDOWS\system32\wadxqhxe.ini
C:\WINDOWS\system32\wdgieotk.ini
C:\WINDOWS\system32\wepywava.ini
C:\WINDOWS\system32\wnstssv.exe
C:\WINDOWS\system32\wsqkjeff.ini
C:\WINDOWS\system32\wtfdxkvo.ini
C:\WINDOWS\system32\wxhgggjw.dll
C:\WINDOWS\system32\xewosnhm.ini
C:\WINDOWS\system32\xfdwmfju.ini
C:\WINDOWS\system32\xklopupt.ini
C:\WINDOWS\system32\xmpcqdtf.ini
C:\WINDOWS\system32\xvgaeqry.ini
C:\WINDOWS\system32\xwtyurrx.ini
C:\WINDOWS\system32\yphrexuk.ini
C:\WINDOWS\system32\yqusbvnw.ini
C:\WINDOWS\system32\ytgytsfj.ini
C:\WINDOWS\system32\yxxrcoak.ini
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-07-08 to 2008-08-08 )))))))))))))))))))))))))))))))
.

2008-08-03 19:10 . 2008-08-03 19:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-03 12:08 . 2008-08-03 12:08 <DIR> d-------- C:\N360_BACKUP
2008-08-03 09:34 . 2008-08-03 09:34 <DIR> d-------- C:\Documents and Settings\007\Application Data\Windows Search
2008-08-02 20:45 . 2008-08-02 20:45 <DIR> d-------- C:\Documents and Settings\007\Application Data\Motive
2008-08-02 20:06 . 2008-08-02 20:06 <DIR> d-------- C:\Documents and Settings\007\Application Data\Windows Desktop Search
2008-08-02 20:05 . 2008-08-02 20:05 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2008-08-02 20:05 . 2008-08-02 20:05 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-08-02 20:03 . 2008-03-07 13:02 192,000 -----c--- C:\WINDOWS\system32\dllcache\offfilt.dll
2008-08-02 20:03 . 2008-03-07 13:02 98,304 -----c--- C:\WINDOWS\system32\dllcache\nlhtml.dll
2008-08-02 20:03 . 2008-03-07 13:02 29,696 -----c--- C:\WINDOWS\system32\dllcache\mimefilt.dll
2008-08-02 20:02 . 2008-08-02 20:02 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-08-02 20:00 . 2008-08-02 20:01 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-08-02 19:47 . 2008-08-06 19:32 <DIR> d-------- C:\Documents and Settings\007\Application Data\U3
2008-08-02 18:59 . 2008-08-02 18:59 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-02 18:59 . 2008-08-02 18:59 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-02 18:59 . 2008-08-02 18:59 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-02 18:56 . 2008-08-02 19:00 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-02 18:49 . 2008-08-02 18:49 <DIR> d-------- C:\WINDOWS\EHome
2008-08-02 18:41 . 2008-04-13 20:12 1,737,856 --------- C:\WINDOWS\system32\mtxparhd.dll
2008-08-02 18:40 . 2004-08-03 22:41 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-08-02 17:14 . 2008-08-02 17:14 <DIR> d-------- C:\Program Files\Linksys
2008-08-02 17:14 . 2008-08-02 17:14 21,419 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-08-02 17:13 . 2008-08-02 17:13 <DIR> d-------- C:\WINDOWS\{7F7635FC-B887-49FA-8526-094724C01A6E}
2008-08-02 16:55 . 2008-08-02 16:55 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-08-02 16:55 . 2008-08-02 20:08 <DIR> d-------- C:\Program Files\Norton 360
2008-08-02 16:53 . 2008-08-02 17:46 <DIR> d-------- C:\Program Files\Symantec
2008-08-02 16:53 . 2008-08-04 17:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-02 16:53 . 2008-08-02 17:46 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-08-02 16:53 . 2008-08-02 17:46 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-08-02 16:53 . 2008-08-02 17:46 10,671 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-08-02 16:53 . 2008-08-02 17:46 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-08-02 16:34 . 2008-08-08 18:49 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-02 15:13 . 2008-08-02 15:13 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-02 15:13 . 2008-08-02 15:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-02 15:11 . 2008-08-03 18:37 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-02 15:11 . 2008-08-08 18:40 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-02 14:53 . 2006-12-04 18:25 385,443 --a------ C:\WINDOWS\hpdj5700.hi1
2008-08-02 14:53 . 2006-12-04 18:25 11,988 --a------ C:\WINDOWS\hpdj5700.bu1
2008-08-02 14:05 . 2008-08-02 14:05 2 --a------ C:\WINDOWS\msoffice.ini
2008-07-31 22:01 . 2008-04-23 00:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-07-31 22:01 . 2007-04-17 05:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-07-31 22:01 . 2007-03-08 01:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-07-31 22:01 . 2008-04-23 00:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-07-31 22:01 . 2008-04-23 00:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-07-31 22:01 . 2008-04-23 00:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-07-31 22:01 . 2008-04-23 00:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-07-31 22:01 . 2008-04-23 00:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-07-31 22:01 . 2008-04-22 03:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-07-31 21:51 . 2008-07-31 21:51 610 --a------ C:\WINDOWS\system32\MRT.INI
2008-07-31 21:33 . 2008-07-31 21:33 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-02 23:03 77,824 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\FDIWrapper.dll
2008-08-02 23:03 69,632 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\msxmlwrapper.dll
2008-08-02 23:03 49,152 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\PCHI18N.dll
2008-08-02 23:03 45,056 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\util.dll
2008-08-02 23:03 36,864 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\gnu.dll
2008-08-02 23:03 315,392 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\pchmsxml.dll
2008-08-02 23:03 307,200 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\pchealthplugin.dll
2008-08-02 23:03 28,672 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\InetWrap.dll
2008-08-02 23:03 26,572 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\INV16.dll
2008-08-02 23:03 155,877 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\js.zip
2008-08-02 21:53 --------- d-----w C:\Documents and Settings\007\Application Data\Symantec
2008-08-02 21:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-02 18:55 --------- d-----w C:\Program Files\HP
2008-08-02 18:55 --------- d-----w C:\Program Files\Hewlett-Packard
2008-08-02 18:11 --------- d-----w C:\Program Files\LimeWire
2008-08-02 18:05 --------- d-----w C:\Program Files\Common Files\AOL
2008-08-02 18:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-08-01 01:55 --------- d-----w C:\Program Files\iTunes
2008-08-01 01:54 --------- d-----w C:\Program Files\iPod
2008-08-01 01:51 --------- d-----w C:\Program Files\Easy Internet signup
2008-08-01 01:50 --------- d-----w C:\Program Files\QuickTime
2008-07-30 21:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 21:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 21:28 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-06-25 10:36 43,520 ----a-w C:\WINDOWS\system32\drivers\fetnd5bv.sys
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 18:14 31,280 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2008-06-13 18:14 13,093 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2008-06-13 18:14 1,611 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2008-06-13 18:13 96,432 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2008-06-13 18:13 41,008 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2008-06-13 18:13 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2008-06-13 18:13 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2008-06-13 18:13 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2008-06-13 18:13 184,240 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2008-06-13 18:13 13,616 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-09 23:32 495,616 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe.tmp
2008-05-09 23:32 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
.

Code:

<pre>
----a-w            61,440 2008-08-01 01:33:31  C:\hp\KBD\KBD .EXE
----a-w            45,056 2008-08-01 01:33:42  C:\Program Files\ATI Technologies\ATI.ACE\cli .exe
----a-w           180,269 2008-08-01 01:33:32  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w           241,664 2008-08-01 01:33:36  C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
----a-w            49,152 2008-04-27 18:24:03  C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06 .exe
----a-w           256,576 2008-08-01 01:33:38  C:\Program Files\iTunes\iTunesHelper .exe
----a-w            36,975 2008-08-01 01:33:27  C:\Program Files\Java\jre1.5.0_03\bin\jusched .exe
----a-w           282,624 2008-05-09 23:24:20  C:\Program Files\QuickTime\qttask               .exe
----a-w           644,608 2008-05-09 23:24:01  C:\Program Files\QuickTime\qttask              .exe
----a-w           644,608 2008-05-09 23:09:28  C:\Program Files\QuickTime\qttask             .exe
----a-w           644,608 2008-04-28 02:07:34  C:\Program Files\QuickTime\qttask            .exe
----a-w           644,608 2008-04-27 18:23:57  C:\Program Files\QuickTime\qttask           .exe
----a-w           644,608 2008-04-27 16:51:37  C:\Program Files\QuickTime\qttask          .exe
----a-w           644,608 2008-04-04 20:51:32  C:\Program Files\QuickTime\qttask        .exe
----a-w           644,608 2008-03-20 02:13:55  C:\Program Files\QuickTime\qttask       .exe
----a-w           644,608 2008-03-03 02:21:56  C:\Program Files\QuickTime\qttask      .exe
----a-w           644,608 2008-03-03 02:09:56  C:\Program Files\QuickTime\qttask     .exe
----a-w           644,608 2008-02-25 02:05:35  C:\Program Files\QuickTime\qttask    .exe
----a-w           644,608 2008-02-16 04:51:49  C:\Program Files\QuickTime\qttask   .exe
----a-w           644,608 2008-02-13 23:27:57  C:\Program Files\QuickTime\qttask  .exe
----a-w           644,608 2008-02-11 02:51:57  C:\Program Files\QuickTime\qttask .exe
----a-w           158,208 2008-05-09 23:32:41  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w           233,472 2008-08-01 01:33:33  C:\WINDOWS\SMINST\RECGUARD .EXE
----a-w            52,736 2008-08-01 01:33:31  C:\WINDOWS\system\hpsysdrv .exe
----a-w            15,360 2008-08-01 01:33:49  C:\WINDOWS\system32\ctfmon .exe
----a-w           659,456 2008-08-01 01:33:29  C:\WINDOWS\system32\hphmon06 .exe
----a-w            81,920 2008-08-01 01:33:33  C:\WINDOWS\system32\ps2 .exe
----a-w           527,872 2008-08-01 01:43:31  C:\WINDOWS\system32\spool\hpprintqueue .exe
----a-w           172,032 2008-08-01 01:33:37  C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10 .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-02-26 04:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-02-26 04:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-02-26 04:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 20:12 169984]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 15:37 51048]
"osCheck"="C:\Program Files\Norton 360\osCheck.exe" [2008-02-26 10:50 988512]
"VTTimer"="VTTimer.exe" [2005-03-08 04:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 88209 C:\WINDOWS\AGRSMMSG.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]

C:\Documents and Settings\Clemson Tigers\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Documents and Settings\IronMan\My Documents\My Music\LimeWire\LimeWire.exe [2006-08-22 11:45:55 159744]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
HP Organize.lnk - C:\Program Files\Hewlett-Packard\HP Organize\bin\displayAgent.exe [2004-08-07 17:29:30 36864]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 22:19:14 123904]
Wireless Network Monitor.lnk - C:\Program Files\Linksys\WUSB600N\WUSB600N.exe [2008-01-09 05:44:20 6922240]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 22:19 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xsspbqyw]
2006-09-09 19:59 188436 C:\WINDOWS\system32\xsspbqyw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b4fe43bd]
C:\WINDOWS\system32\tbxxaewg.dll [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMb7cd7021]
C:\WINDOWS\system32\qmnpdodi.dll [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2008-02-18 15:37 51048 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1135833712\ee\AOLSoftware.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PAS_Check]
C:\Program Files\Common Files\DriveCleaner Free\udcpas .exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-09 19:24 282624 C:\Program Files\QuickTime\qttask .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDR6_Check]
C:\Program Files\Common Files\DriveCleaner Free\udcsdr .exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccPwdSvc"=3 (0x3)
"DomainService"=2 (0x2)
"iPod Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP

xpsp2res.dll,-22009

R0 dajyqccz;dajyqccz;C:\WINDOWS\system32\drivers\tuhwliqz.dat []
R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-18 15:37]
R2 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2006-11-28 21:46]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 17:38]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-06-25 06:36]
R3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;C:\WINDOWS\system32\DRIVERS\rt2870.sys [2007-12-14 18:04]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 17:42]
S3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2004-05-07 01:47]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a1fa7ac8-60cc-11dd-abcd-00112fab7212}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2008-08-05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 18:13]
.
- - - - ORPHANS REMOVED - - - -

Notify-hggdebc - hggdebc.dll
Notify-ypkhcwyo - ypkhcwyo.dll

.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKLM-Main,Search Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-08 18:49:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dajyqccz]
"ImagePath"="system32\drivers\tuhwliqz.dat"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\searchindexer.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2008-08-08 18:55:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-08 22:54:59

Pre-Run: 127,451,815,936 bytes free
Post-Run: 127,644,844,032 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

504 --- E O F --- 2008-08-03 13:12:48

Shaba · Aug 9, 2008

Much better

Open notepad and copy/paste the text in the codebox below into it:

Code:

RenV::
----a-w            61,440 2008-08-01 01:33:31  C:\hp\KBD\KBD .EXE
----a-w            45,056 2008-08-01 01:33:42  C:\Program Files\ATI Technologies\ATI.ACE\cli .exe
----a-w           180,269 2008-08-01 01:33:32  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w           241,664 2008-08-01 01:33:36  C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
----a-w            49,152 2008-04-27 18:24:03  C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06 .exe
----a-w           256,576 2008-08-01 01:33:38  C:\Program Files\iTunes\iTunesHelper .exe
----a-w            36,975 2008-08-01 01:33:27  C:\Program Files\Java\jre1.5.0_03\bin\jusched .exe
----a-w           282,624 2008-05-09 23:24:20  C:\Program Files\QuickTime\qttask               .exe
----a-w           644,608 2008-05-09 23:24:01  C:\Program Files\QuickTime\qttask              .exe
----a-w           644,608 2008-05-09 23:09:28  C:\Program Files\QuickTime\qttask             .exe
----a-w           644,608 2008-04-28 02:07:34  C:\Program Files\QuickTime\qttask            .exe
----a-w           644,608 2008-04-27 18:23:57  C:\Program Files\QuickTime\qttask           .exe
----a-w           644,608 2008-04-27 16:51:37  C:\Program Files\QuickTime\qttask          .exe
----a-w           644,608 2008-04-04 20:51:32  C:\Program Files\QuickTime\qttask        .exe
----a-w           644,608 2008-03-20 02:13:55  C:\Program Files\QuickTime\qttask       .exe
----a-w           644,608 2008-03-03 02:21:56  C:\Program Files\QuickTime\qttask      .exe
----a-w           644,608 2008-03-03 02:09:56  C:\Program Files\QuickTime\qttask     .exe
----a-w           644,608 2008-02-25 02:05:35  C:\Program Files\QuickTime\qttask    .exe
----a-w           644,608 2008-02-16 04:51:49  C:\Program Files\QuickTime\qttask   .exe
----a-w           644,608 2008-02-13 23:27:57  C:\Program Files\QuickTime\qttask  .exe
----a-w           644,608 2008-02-11 02:51:57  C:\Program Files\QuickTime\qttask .exe
----a-w           158,208 2008-05-09 23:32:41  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w           233,472 2008-08-01 01:33:33  C:\WINDOWS\SMINST\RECGUARD .EXE
----a-w            52,736 2008-08-01 01:33:31  C:\WINDOWS\system\hpsysdrv .exe
----a-w            15,360 2008-08-01 01:33:49  C:\WINDOWS\system32\ctfmon .exe
----a-w           659,456 2008-08-01 01:33:29  C:\WINDOWS\system32\hphmon06 .exe
----a-w            81,920 2008-08-01 01:33:33  C:\WINDOWS\system32\ps2 .exe
----a-w           527,872 2008-08-01 01:43:31  C:\WINDOWS\system32\spool\hpprintqueue .exe
----a-w           172,032 2008-08-01 01:33:37  C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10 .exe

File::
C:\WINDOWS\system32\xsspbqyw.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xsspbqyw]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b4fe43bd]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMb7cd7021]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PAS_Check]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDR6_Check]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DomainService"=-

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

coolc · Aug 9, 2008

did that here's the files

Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:06:55 AM, on 8/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Linksys\WUSB600N\WUSB600N.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: MetaCrawl.WS Toolbar - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\Program Files\IEToolbar\metacrawl.ws.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Wireless Network Monitor.lnk = C:\Program Files\Linksys\WUSB600N\WUSB600N.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6225 bytes

and combofix:
ComboFix 08-08-08.07 - 007 2008-08-09 7:54:59.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.131 [GMT -4:00]
Running from: C:\Documents and Settings\007\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\007\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\xsspbqyw.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\xsspbqyw.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-09 to 2008-08-09 )))))))))))))))))))))))))))))))
.

2008-08-03 19:10 . 2008-08-03 19:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-03 12:08 . 2008-08-03 12:08 <DIR> d-------- C:\N360_BACKUP
2008-08-03 09:34 . 2008-08-03 09:34 <DIR> d-------- C:\Documents and Settings\007\Application Data\Windows Search
2008-08-02 20:45 . 2008-08-02 20:45 <DIR> d-------- C:\Documents and Settings\007\Application Data\Motive
2008-08-02 20:06 . 2008-08-02 20:06 <DIR> d-------- C:\Documents and Settings\007\Application Data\Windows Desktop Search
2008-08-02 20:05 . 2008-08-02 20:05 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2008-08-02 20:05 . 2008-08-02 20:05 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-08-02 20:03 . 2008-03-07 13:02 192,000 -----c--- C:\WINDOWS\system32\dllcache\offfilt.dll
2008-08-02 20:03 . 2008-03-07 13:02 98,304 -----c--- C:\WINDOWS\system32\dllcache\nlhtml.dll
2008-08-02 20:03 . 2008-03-07 13:02 29,696 -----c--- C:\WINDOWS\system32\dllcache\mimefilt.dll
2008-08-02 20:02 . 2008-08-02 20:02 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-08-02 20:00 . 2008-08-02 20:01 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-08-02 19:47 . 2008-08-06 19:32 <DIR> d-------- C:\Documents and Settings\007\Application Data\U3
2008-08-02 18:59 . 2008-08-02 18:59 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-02 18:59 . 2008-08-02 18:59 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-02 18:59 . 2008-08-02 18:59 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-02 18:56 . 2008-08-02 19:00 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-02 18:49 . 2008-08-02 18:49 <DIR> d-------- C:\WINDOWS\EHome
2008-08-02 18:41 . 2008-04-13 20:12 1,737,856 --------- C:\WINDOWS\system32\mtxparhd.dll
2008-08-02 18:40 . 2004-08-03 22:41 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-08-02 17:14 . 2008-08-02 17:14 <DIR> d-------- C:\Program Files\Linksys
2008-08-02 17:14 . 2008-08-02 17:14 21,419 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-08-02 17:13 . 2008-08-02 17:13 <DIR> d-------- C:\WINDOWS\{7F7635FC-B887-49FA-8526-094724C01A6E}
2008-08-02 16:55 . 2008-08-02 16:55 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-08-02 16:55 . 2008-08-02 20:08 <DIR> d-------- C:\Program Files\Norton 360
2008-08-02 16:53 . 2008-08-02 17:46 <DIR> d-------- C:\Program Files\Symantec
2008-08-02 16:53 . 2008-08-04 17:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-02 16:53 . 2008-08-02 17:46 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-08-02 16:53 . 2008-08-02 17:46 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-08-02 16:53 . 2008-08-02 17:46 10,671 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-08-02 16:53 . 2008-08-02 17:46 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-08-02 16:34 . 2008-08-08 18:55 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-02 15:13 . 2008-08-02 15:13 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-02 15:13 . 2008-08-02 15:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-02 15:11 . 2008-08-03 18:37 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-02 15:11 . 2008-08-09 07:45 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-02 14:53 . 2006-12-04 18:25 385,443 --a------ C:\WINDOWS\hpdj5700.hi1
2008-08-02 14:53 . 2006-12-04 18:25 11,988 --a------ C:\WINDOWS\hpdj5700.bu1
2008-08-02 14:05 . 2008-08-02 14:05 2 --a------ C:\WINDOWS\msoffice.ini
2008-07-31 22:01 . 2008-04-23 00:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-07-31 22:01 . 2007-04-17 05:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-07-31 22:01 . 2007-03-08 01:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-07-31 22:01 . 2008-04-23 00:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-07-31 22:01 . 2008-04-23 00:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-07-31 22:01 . 2008-04-23 00:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-07-31 22:01 . 2008-04-23 00:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-07-31 22:01 . 2008-04-23 00:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-07-31 22:01 . 2008-04-22 03:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-07-31 21:51 . 2008-07-31 21:51 610 --a------ C:\WINDOWS\system32\MRT.INI
2008-07-31 21:33 . 2008-07-31 21:33 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-07-31 21:33 . 2008-07-31 21:33 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-09 11:55 --------- d-----w C:\Program Files\QuickTime
2008-08-09 11:54 --------- d-----w C:\Program Files\iTunes
2008-08-02 23:03 77,824 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\FDIWrapper.dll
2008-08-02 23:03 69,632 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\msxmlwrapper.dll
2008-08-02 23:03 49,152 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\PCHI18N.dll
2008-08-02 23:03 45,056 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\util.dll
2008-08-02 23:03 36,864 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\gnu.dll
2008-08-02 23:03 315,392 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\pchmsxml.dll
2008-08-02 23:03 307,200 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\pchealthplugin.dll
2008-08-02 23:03 28,672 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\InetWrap.dll
2008-08-02 23:03 26,572 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\INV16.dll
2008-08-02 23:03 155,877 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\js.zip
2008-08-02 21:53 --------- d-----w C:\Documents and Settings\007\Application Data\Symantec
2008-08-02 21:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-02 18:55 --------- d-----w C:\Program Files\HP
2008-08-02 18:55 --------- d-----w C:\Program Files\Hewlett-Packard
2008-08-02 18:11 --------- d-----w C:\Program Files\LimeWire
2008-08-02 18:05 --------- d-----w C:\Program Files\Common Files\AOL
2008-08-02 18:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-08-01 01:54 --------- d-----w C:\Program Files\iPod
2008-08-01 01:51 --------- d-----w C:\Program Files\Easy Internet signup
2008-08-01 01:33 81,920 ----a-w C:\WINDOWS\system32\ps2.exe
2008-08-01 01:33 659,456 ----a-w C:\WINDOWS\system32\hphmon06.exe
2008-07-30 21:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 21:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 21:28 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-06-29 22:07 1,907,976 --sha-w C:\WINDOWS\system32\xawfbgyh.tmp
2008-06-25 10:36 43,520 ----a-w C:\WINDOWS\system32\drivers\fetnd5bv.sys
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 18:45 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll
2008-06-13 18:45 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2008-06-13 18:14 31,280 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2008-06-13 18:14 13,093 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2008-06-13 18:14 1,611 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2008-06-13 18:13 96,432 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2008-06-13 18:13 41,008 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2008-06-13 18:13 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2008-06-13 18:13 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2008-06-13 18:13 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2008-06-13 18:13 184,240 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2008-06-13 18:13 13,616 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-27 02:21 1,582,592 ------w C:\WINDOWS\system32\tquery.dll
2008-05-27 02:21 1,418,240 ------w C:\WINDOWS\system32\mssrch.dll
2008-05-27 02:19 97,792 ------w C:\WINDOWS\system32\UncCplExt.dll
2008-05-27 02:19 273,408 ------w C:\WINDOWS\system32\oeph.dll
2008-05-27 02:19 2,048 ------w C:\WINDOWS\system32\UncRes.dll
2008-05-27 02:19 143,872 ------w C:\WINDOWS\system32\UncDMS.dll
2008-05-27 02:19 131,072 ------w C:\WINDOWS\system32\UncPH.dll
2008-05-27 02:19 11,264 ------w C:\WINDOWS\system32\oephRes.dll
2008-05-27 02:19 108,032 ------w C:\WINDOWS\system32\UncNE.dll
2008-05-27 02:18 71,680 ------w C:\WINDOWS\system32\propdefs.dll
2008-05-27 02:18 56,320 ------w C:\WINDOWS\system32\xmlfilter.dll
2008-05-27 02:18 44,032 ------w C:\WINDOWS\system32\msstrc.dll
2008-05-27 02:18 439,808 ------w C:\WINDOWS\system32\searchindexer.exe
2008-05-27 02:18 38,400 ------w C:\WINDOWS\system32\rtffilt.dll
2008-05-27 02:18 350,208 ------w C:\WINDOWS\system32\mssph.dll
2008-05-27 02:18 231,936 ------w C:\WINDOWS\system32\msshsq.dll
2008-05-27 02:18 203,776 ------w C:\WINDOWS\system32\mssphtb.dll
2008-05-27 02:18 184,832 ------w C:\WINDOWS\system32\searchprotocolhost.exe
2008-05-27 02:17 87,552 ------w C:\WINDOWS\system32\searchfilterhost.exe
2008-05-27 02:17 87,552 ------w C:\WINDOWS\system32\mssitlb.dll
2008-05-27 02:17 754,176 ------w C:\WINDOWS\system32\propsys.dll
2008-05-27 02:17 60,416 ------w C:\WINDOWS\system32\msscntrs.dll
2008-05-27 02:17 34,816 ------w C:\WINDOWS\system32\msscb.dll
2008-05-27 02:17 32,768 ------w C:\WINDOWS\system32\mssprxy.dll
2008-05-27 02:17 301,568 ------w C:\WINDOWS\system32\srchadmin.dll
2008-05-27 02:17 11,776 ------w C:\WINDOWS\system32\msshooks.dll
2008-05-27 01:59 18,904 ------w C:\WINDOWS\system32\structuredqueryschematrivial.bin
2008-05-27 01:59 106,605 ------w C:\WINDOWS\system32\structuredqueryschema.bin
2008-05-09 23:32 495,616 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe.tmp
2008-05-09 23:32 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig.exe
2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
.

((((((((((((((((((((((((((((( snapshot@2008-08-08_18.54.30.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-01 01:33:33 233,472 ----a-w C:\WINDOWS\SMINST\RECGUARD.EXE
+ 2008-08-01 01:33:31 52,736 ----a-w C:\WINDOWS\system\hpsysdrv.exe
+ 2008-05-09 23:32:41 158,208 -c--a-w C:\WINDOWS\system32\dllcache\msconfig.exe
+ 2008-08-01 01:33:37 172,032 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
+ 2008-08-01 01:43:31 527,872 ----a-w C:\WINDOWS\system32\spool\hpprintqueue.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-02-26 04:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-02-26 04:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-02-26 04:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-07-31 21:33 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-05-09 19:32 158208]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 15:37 51048]
"osCheck"="C:\Program Files\Norton 360\osCheck.exe" [2008-02-26 10:50 988512]
"VTTimer"="VTTimer.exe" [2005-03-08 04:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 88209 C:\WINDOWS\AGRSMMSG.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]

C:\Documents and Settings\Clemson Tigers\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Documents and Settings\IronMan\My Documents\My Music\LimeWire\LimeWire.exe [2006-08-22 11:45:55 159744]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
HP Organize.lnk - C:\Program Files\Hewlett-Packard\HP Organize\bin\displayAgent.exe [2004-08-07 17:29:30 36864]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 22:19:14 123904]
Wireless Network Monitor.lnk - C:\Program Files\Linksys\WUSB600N\WUSB600N.exe [2008-01-09 05:44:20 6922240]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 22:19 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2008-02-18 15:37 51048 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
--a------ 2008-04-27 14:24 49152 c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccPwdSvc"=3 (0x3)
"iPod Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP

xpsp2res.dll,-22009

R0 dajyqccz;dajyqccz;C:\WINDOWS\system32\drivers\tuhwliqz.dat []
R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-18 15:37]
R2 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2006-11-28 21:46]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 17:38]
R3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 17:42]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-06-25 06:36]
R3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;C:\WINDOWS\system32\DRIVERS\rt2870.sys [2007-12-14 18:04]
S3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2004-05-07 01:47]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a1fa7ac8-60cc-11dd-abcd-00112fab7212}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2008-08-05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 18:13]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-HostManager - C:\Program Files\Common Files\AOL\1135833712\ee\AOLSoftware.exe
MSConfigStartUp-QuickTime Task - C:\Program Files\QuickTime\qttask .exe

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 07:57:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\dajyqccz]
"ImagePath"="system32\drivers\tuhwliqz.dat"
.
Completion time: 2008-08-09 8:00:09
ComboFix-quarantined-files.txt 2008-08-09 12:00:03
ComboFix2.txt 2008-08-08 22:55:11

Pre-Run: 127,747,125,248 bytes free
Post-Run: 127,747,747,840 bytes free

258 --- E O F --- 2008-08-03 13:12:48

Shaba · Aug 9, 2008

One round is still needed.

Open notepad and copy/paste the text in the codebox below into it:

Code:

Driver::
dajyqccz

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

coolc · Aug 9, 2008

hijack this file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:59:35 AM, on 8/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Linksys\WUSB600N\WUSB600N.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: MetaCrawl.WS Toolbar - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\Program Files\IEToolbar\metacrawl.ws.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Wireless Network Monitor.lnk = C:\Program Files\Linksys\WUSB600N\WUSB600N.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6181 bytes

combofix:
ComboFix 08-08-08.07 - 007 2008-08-09 8:47:11.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.199 [GMT -4:00]
Running from: C:\Documents and Settings\007\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\007\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DAJYQCCZ
-------\Service_dajyqccz

((((((((((((((((((((((((( Files Created from 2008-07-09 to 2008-08-09 )))))))))))))))))))))))))))))))
.

2008-08-03 19:10 . 2008-08-03 19:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-03 12:08 . 2008-08-03 12:08 <DIR> d-------- C:\N360_BACKUP
2008-08-03 09:34 . 2008-08-03 09:34 <DIR> d-------- C:\Documents and Settings\007\Application Data\Windows Search
2008-08-02 20:45 . 2008-08-02 20:45 <DIR> d-------- C:\Documents and Settings\007\Application Data\Motive
2008-08-02 20:06 . 2008-08-02 20:06 <DIR> d-------- C:\Documents and Settings\007\Application Data\Windows Desktop Search
2008-08-02 20:05 . 2008-08-02 20:05 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2008-08-02 20:05 . 2008-08-02 20:05 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-08-02 20:03 . 2008-03-07 13:02 192,000 -----c--- C:\WINDOWS\system32\dllcache\offfilt.dll
2008-08-02 20:03 . 2008-03-07 13:02 98,304 -----c--- C:\WINDOWS\system32\dllcache\nlhtml.dll
2008-08-02 20:03 . 2008-03-07 13:02 29,696 -----c--- C:\WINDOWS\system32\dllcache\mimefilt.dll
2008-08-02 20:02 . 2008-08-02 20:02 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-08-02 20:00 . 2008-08-02 20:01 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-08-02 19:47 . 2008-08-06 19:32 <DIR> d-------- C:\Documents and Settings\007\Application Data\U3
2008-08-02 18:59 . 2008-08-02 18:59 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-02 18:59 . 2008-08-02 18:59 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-02 18:59 . 2008-08-02 18:59 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-02 18:56 . 2008-08-02 19:00 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-02 18:49 . 2008-08-02 18:49 <DIR> d-------- C:\WINDOWS\EHome
2008-08-02 18:41 . 2008-04-13 20:12 1,737,856 --------- C:\WINDOWS\system32\mtxparhd.dll
2008-08-02 18:40 . 2004-08-03 22:41 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-08-02 17:14 . 2008-08-02 17:14 <DIR> d-------- C:\Program Files\Linksys
2008-08-02 17:14 . 2008-08-02 17:14 21,419 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-08-02 17:13 . 2008-08-02 17:13 <DIR> d-------- C:\WINDOWS\{7F7635FC-B887-49FA-8526-094724C01A6E}
2008-08-02 16:55 . 2008-08-02 16:55 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-08-02 16:55 . 2008-08-02 20:08 <DIR> d-------- C:\Program Files\Norton 360
2008-08-02 16:53 . 2008-08-02 17:46 <DIR> d-------- C:\Program Files\Symantec
2008-08-02 16:53 . 2008-08-04 17:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-02 16:53 . 2008-08-02 17:46 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-08-02 16:53 . 2008-08-02 17:46 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-08-02 16:53 . 2008-08-02 17:46 10,671 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-08-02 16:53 . 2008-08-02 17:46 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-08-02 16:34 . 2008-08-09 08:52 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-02 15:13 . 2008-08-02 15:13 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-02 15:13 . 2008-08-02 15:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-02 15:11 . 2008-08-03 18:37 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-02 15:11 . 2008-08-09 08:43 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-02 14:53 . 2006-12-04 18:25 385,443 --a------ C:\WINDOWS\hpdj5700.hi1
2008-08-02 14:53 . 2006-12-04 18:25 11,988 --a------ C:\WINDOWS\hpdj5700.bu1
2008-08-02 14:05 . 2008-08-02 14:05 2 --a------ C:\WINDOWS\msoffice.ini
2008-07-31 22:01 . 2008-04-23 00:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-07-31 22:01 . 2007-04-17 05:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-07-31 22:01 . 2007-03-08 01:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-07-31 22:01 . 2008-04-23 00:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-07-31 22:01 . 2008-04-23 00:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-07-31 22:01 . 2008-04-23 00:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-07-31 22:01 . 2008-04-23 00:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-07-31 22:01 . 2008-04-23 00:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-07-31 22:01 . 2008-04-22 03:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-07-31 21:51 . 2008-07-31 21:51 610 --a------ C:\WINDOWS\system32\MRT.INI
2008-07-31 21:33 . 2008-07-31 21:33 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-07-31 21:33 . 2008-07-31 21:33 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-09 11:55 --------- d-----w C:\Program Files\QuickTime
2008-08-09 11:54 --------- d-----w C:\Program Files\iTunes
2008-08-02 23:03 77,824 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\FDIWrapper.dll
2008-08-02 23:03 69,632 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\msxmlwrapper.dll
2008-08-02 23:03 49,152 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\PCHI18N.dll
2008-08-02 23:03 45,056 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\util.dll
2008-08-02 23:03 36,864 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\gnu.dll
2008-08-02 23:03 315,392 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\pchmsxml.dll
2008-08-02 23:03 307,200 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\pchealthplugin.dll
2008-08-02 23:03 28,672 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\InetWrap.dll
2008-08-02 23:03 26,572 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\INV16.dll
2008-08-02 23:03 155,877 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\js.zip
2008-08-02 21:53 --------- d-----w C:\Documents and Settings\007\Application Data\Symantec
2008-08-02 21:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-02 18:55 --------- d-----w C:\Program Files\HP
2008-08-02 18:55 --------- d-----w C:\Program Files\Hewlett-Packard
2008-08-02 18:11 --------- d-----w C:\Program Files\LimeWire
2008-08-02 18:05 --------- d-----w C:\Program Files\Common Files\AOL
2008-08-02 18:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-08-01 01:54 --------- d-----w C:\Program Files\iPod
2008-08-01 01:51 --------- d-----w C:\Program Files\Easy Internet signup
2008-07-30 21:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 21:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 21:28 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-06-25 10:36 43,520 ----a-w C:\WINDOWS\system32\drivers\fetnd5bv.sys
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 18:14 31,280 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2008-06-13 18:14 13,093 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2008-06-13 18:14 1,611 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2008-06-13 18:13 96,432 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2008-06-13 18:13 41,008 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2008-06-13 18:13 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2008-06-13 18:13 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2008-06-13 18:13 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2008-06-13 18:13 184,240 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2008-06-13 18:13 13,616 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-09 23:32 495,616 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe.tmp
2008-05-09 23:32 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig.exe
.

((((((((((((((((((((((((((((( snapshot@2008-08-08_18.54.30.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2008-08-01 01:33:33 233,472 ----a-w C:\WINDOWS\SMINST\RECGUARD.EXE
+ 2008-08-01 01:33:31 52,736 ----a-w C:\WINDOWS\system\hpsysdrv.exe
+ 2008-05-09 23:32:41 158,208 -c--a-w C:\WINDOWS\system32\dllcache\msconfig.exe
+ 2008-08-01 01:33:29 659,456 ----a-w C:\WINDOWS\system32\hphmon06.exe
+ 2008-08-01 01:33:33 81,920 ----a-w C:\WINDOWS\system32\ps2.exe
+ 2008-08-01 01:33:37 172,032 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
+ 2008-08-01 01:43:31 527,872 ----a-w C:\WINDOWS\system32\spool\hpprintqueue.exe
+ 2008-08-09 12:52:34 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_104.dat
+ 2008-08-09 12:55:48 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_f88.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-02-26 04:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-02-26 04:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-02-26 04:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-07-31 21:33 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-05-09 19:32 158208]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 15:37 51048]
"osCheck"="C:\Program Files\Norton 360\osCheck.exe" [2008-02-26 10:50 988512]
"VTTimer"="VTTimer.exe" [2005-03-08 04:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 88209 C:\WINDOWS\AGRSMMSG.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]

C:\Documents and Settings\Clemson Tigers\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Documents and Settings\IronMan\My Documents\My Music\LimeWire\LimeWire.exe [2006-08-22 11:45:55 159744]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
HP Organize.lnk - C:\Program Files\Hewlett-Packard\HP Organize\bin\displayAgent.exe [2004-08-07 17:29:30 36864]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 22:19:14 123904]
Wireless Network Monitor.lnk - C:\Program Files\Linksys\WUSB600N\WUSB600N.exe [2008-01-09 05:44:20 6922240]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 22:19 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2008-02-18 15:37 51048 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
--a------ 2008-04-27 14:24 49152 c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccPwdSvc"=3 (0x3)
"iPod Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP

xpsp2res.dll,-22009

R0 dajyqccz;dajyqccz;C:\WINDOWS\system32\drivers\tuhwliqz.dat []
R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-18 15:37]
R2 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2006-11-28 21:46]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 17:38]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-06-25 06:36]
R3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;C:\WINDOWS\system32\DRIVERS\rt2870.sys [2007-12-14 18:04]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 17:42]
S3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2004-05-07 01:47]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a1fa7ac8-60cc-11dd-abcd-00112fab7212}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a

*Newly Created Service* - COMHOST
*Newly Created Service* - DAJYQCCZ
.
Contents of the 'Scheduled Tasks' folder

2008-08-05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 18:13]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 08:53:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dajyqccz]
"ImagePath"="system32\drivers\tuhwliqz.dat"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\searchindexer.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2008-08-09 8:58:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-09 12:58:34
ComboFix2.txt 2008-08-09 12:00:10
ComboFix3.txt 2008-08-08 22:55:11

Pre-Run: 127,721,918,464 bytes free
Post-Run: 127,694,741,504 bytes free

236 --- E O F --- 2008-08-03 13:12:48

Shaba · Aug 9, 2008

Looks like that it is not going away.

* Download GMER from
here:
Unzip it and start GMER.exe
Click the rootkit-tab and click scan.

Once done, click the Copy button.
This will copy the results to clipboard.
Paste the results in your next reply.

coolc · Aug 9, 2008

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-08-09 10:08:11
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.14 ----

SSDT 84DD1F10 ZwAlertResumeThread
SSDT 84DD1FD0 ZwAlertThread
SSDT 84DDFAF8 ZwAllocateVirtualMemory
SSDT 84E3FE98 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xECCA8EB0]
SSDT 84DD1CC0 ZwCreateMutant
SSDT 84DD6540 ZwCreateThread
SSDT 84DD19C0 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xECCA9130]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xECCA9690]
SSDT 84DDF958 ZwFreeVirtualMemory
SSDT 84DD1D90 ZwImpersonateAnonymousToken
SSDT 84DD1E50 ZwImpersonateThread
SSDT 84DDF878 ZwMapViewOfSection
SSDT 84DD1C00 ZwOpenEvent
SSDT 84DDFBC8 ZwOpenProcessToken
SSDT 84DD1A80 ZwOpenSection
SSDT 84DDF618 ZwOpenThreadToken
SSDT 84E253E0 ZwResumeThread
SSDT 84DDF558 ZwSetContextThread
SSDT 84DDF6E8 ZwSetInformationProcess
SSDT 84DDF488 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xECCA98E0]
SSDT 84DD1B40 ZwSuspendProcess
SSDT 84DDF308 ZwSuspendThread
SSDT 84E25538 ZwTerminateProcess
SSDT 84DDF3C8 ZwTerminateThread
SSDT 84DDF7B8 ZwUnmapViewOfSection
SSDT 84DDFA28 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.14 ----

? tuhwliqz.dat The system cannot find the file specified. !
? Combo-Fix.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[1640] kernel32.dll!WriteFile 7C810E17 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.14 ----

Service system32\drivers\tuhwliqz.dat (*** hidden *** ) [BOOT] dajyqccz <-- ROOTKIT !!!

---- EOF - GMER 1.0.14 ----

Shaba · Aug 9, 2008

Yes, we have a rootkit.

Open notepad and copy/paste the text in the codebox below into it:

Code:

Rootkit::
c:\windows\system32\drivers\tuhwliqz.dat

Driver::
dajyqccz

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

coolc · Aug 9, 2008

combofix:
ComboFix 08-08-08.07 - 007 2008-08-09 10:46:17.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.150 [GMT -4:00]
Running from: C:\Documents and Settings\007\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\007\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\tuhwliqz.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DAJYQCCZ
-------\Service_dajyqccz

((((((((((((((((((((((((( Files Created from 2008-07-09 to 2008-08-09 )))))))))))))))))))))))))))))))
.

2008-08-09 09:57 . 2008-08-09 09:57 250 --a------ C:\WINDOWS\gmer.ini
2008-08-03 19:10 . 2008-08-03 19:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-03 12:08 . 2008-08-03 12:08 <DIR> d-------- C:\N360_BACKUP
2008-08-03 09:34 . 2008-08-03 09:34 <DIR> d-------- C:\Documents and Settings\007\Application Data\Windows Search
2008-08-02 20:45 . 2008-08-02 20:45 <DIR> d-------- C:\Documents and Settings\007\Application Data\Motive
2008-08-02 20:06 . 2008-08-02 20:06 <DIR> d-------- C:\Documents and Settings\007\Application Data\Windows Desktop Search
2008-08-02 20:05 . 2008-08-02 20:05 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2008-08-02 20:05 . 2008-08-02 20:05 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-08-02 20:03 . 2008-03-07 13:02 192,000 -----c--- C:\WINDOWS\system32\dllcache\offfilt.dll
2008-08-02 20:03 . 2008-03-07 13:02 98,304 -----c--- C:\WINDOWS\system32\dllcache\nlhtml.dll
2008-08-02 20:03 . 2008-03-07 13:02 29,696 -----c--- C:\WINDOWS\system32\dllcache\mimefilt.dll
2008-08-02 20:02 . 2008-08-02 20:02 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-08-02 20:00 . 2008-08-02 20:01 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-08-02 19:47 . 2008-08-06 19:32 <DIR> d-------- C:\Documents and Settings\007\Application Data\U3
2008-08-02 18:59 . 2008-08-02 18:59 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-02 18:59 . 2008-08-02 18:59 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-02 18:59 . 2008-08-02 18:59 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-02 18:56 . 2008-08-02 19:00 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-02 18:49 . 2008-08-02 18:49 <DIR> d-------- C:\WINDOWS\EHome
2008-08-02 18:41 . 2008-04-13 20:12 1,737,856 --------- C:\WINDOWS\system32\mtxparhd.dll
2008-08-02 18:40 . 2004-08-03 22:41 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-08-02 17:14 . 2008-08-02 17:14 <DIR> d-------- C:\Program Files\Linksys
2008-08-02 17:14 . 2008-08-02 17:14 21,419 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-08-02 17:13 . 2008-08-02 17:13 <DIR> d-------- C:\WINDOWS\{7F7635FC-B887-49FA-8526-094724C01A6E}
2008-08-02 16:55 . 2008-08-02 16:55 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-08-02 16:55 . 2008-08-02 20:08 <DIR> d-------- C:\Program Files\Norton 360
2008-08-02 16:53 . 2008-08-02 17:46 <DIR> d-------- C:\Program Files\Symantec
2008-08-02 16:53 . 2008-08-04 17:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-02 16:53 . 2008-08-02 17:46 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-08-02 16:53 . 2008-08-02 17:46 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-08-02 16:53 . 2008-08-02 17:46 10,671 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-08-02 16:53 . 2008-08-02 17:46 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-08-02 16:34 . 2008-08-09 10:51 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-02 15:13 . 2008-08-02 15:13 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-02 15:13 . 2008-08-02 15:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-02 15:11 . 2008-08-09 09:13 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-02 15:11 . 2008-08-09 09:57 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-02 14:53 . 2006-12-04 18:25 385,443 --a------ C:\WINDOWS\hpdj5700.hi1
2008-08-02 14:53 . 2006-12-04 18:25 11,988 --a------ C:\WINDOWS\hpdj5700.bu1
2008-08-02 14:05 . 2008-08-02 14:05 2 --a------ C:\WINDOWS\msoffice.ini
2008-07-31 22:01 . 2008-04-23 00:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-07-31 22:01 . 2007-04-17 05:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-07-31 22:01 . 2007-03-08 01:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-07-31 22:01 . 2008-04-23 00:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-07-31 22:01 . 2008-04-23 00:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-07-31 22:01 . 2008-04-23 00:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-07-31 22:01 . 2008-04-23 00:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-07-31 22:01 . 2008-04-23 00:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-07-31 22:01 . 2008-04-22 03:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-07-31 21:51 . 2008-07-31 21:51 610 --a------ C:\WINDOWS\system32\MRT.INI
2008-07-31 21:33 . 2008-07-31 21:33 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-07-31 21:33 . 2008-07-31 21:33 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-09 11:55 --------- d-----w C:\Program Files\QuickTime
2008-08-09 11:54 --------- d-----w C:\Program Files\iTunes
2008-08-02 23:03 77,824 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\FDIWrapper.dll
2008-08-02 23:03 69,632 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\msxmlwrapper.dll
2008-08-02 23:03 49,152 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\PCHI18N.dll
2008-08-02 23:03 45,056 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\util.dll
2008-08-02 23:03 36,864 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\gnu.dll
2008-08-02 23:03 315,392 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\pchmsxml.dll
2008-08-02 23:03 307,200 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\pchealthplugin.dll
2008-08-02 23:03 28,672 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\InetWrap.dll
2008-08-02 23:03 26,572 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\INV16.dll
2008-08-02 23:03 155,877 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\js.zip
2008-08-02 21:53 --------- d-----w C:\Documents and Settings\007\Application Data\Symantec
2008-08-02 21:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-02 18:55 --------- d-----w C:\Program Files\HP
2008-08-02 18:55 --------- d-----w C:\Program Files\Hewlett-Packard
2008-08-02 18:11 --------- d-----w C:\Program Files\LimeWire
2008-08-02 18:05 --------- d-----w C:\Program Files\Common Files\AOL
2008-08-02 18:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-08-01 01:54 --------- d-----w C:\Program Files\iPod
2008-08-01 01:51 --------- d-----w C:\Program Files\Easy Internet signup
2008-08-01 01:33 81,920 ----a-w C:\WINDOWS\system32\ps2.exe
2008-08-01 01:33 659,456 ----a-w C:\WINDOWS\system32\hphmon06.exe
2008-07-30 21:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 21:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 21:28 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-06-29 22:07 1,907,976 --sha-w C:\WINDOWS\system32\xawfbgyh.tmp
2008-06-25 10:36 43,520 ----a-w C:\WINDOWS\system32\drivers\fetnd5bv.sys
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 18:45 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll
2008-06-13 18:45 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2008-06-13 18:14 31,280 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2008-06-13 18:14 13,093 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2008-06-13 18:14 1,611 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2008-06-13 18:13 96,432 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2008-06-13 18:13 41,008 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2008-06-13 18:13 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2008-06-13 18:13 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2008-06-13 18:13 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2008-06-13 18:13 184,240 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2008-06-13 18:13 13,616 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-27 02:21 1,582,592 ------w C:\WINDOWS\system32\tquery.dll
2008-05-27 02:21 1,418,240 ------w C:\WINDOWS\system32\mssrch.dll
2008-05-27 02:19 97,792 ------w C:\WINDOWS\system32\UncCplExt.dll
2008-05-27 02:19 273,408 ------w C:\WINDOWS\system32\oeph.dll
2008-05-27 02:19 2,048 ------w C:\WINDOWS\system32\UncRes.dll
2008-05-27 02:19 143,872 ------w C:\WINDOWS\system32\UncDMS.dll
2008-05-27 02:19 131,072 ------w C:\WINDOWS\system32\UncPH.dll
2008-05-27 02:19 11,264 ------w C:\WINDOWS\system32\oephRes.dll
2008-05-27 02:19 108,032 ------w C:\WINDOWS\system32\UncNE.dll
2008-05-27 02:18 71,680 ------w C:\WINDOWS\system32\propdefs.dll
2008-05-27 02:18 56,320 ------w C:\WINDOWS\system32\xmlfilter.dll
2008-05-27 02:18 44,032 ------w C:\WINDOWS\system32\msstrc.dll
2008-05-27 02:18 439,808 ------w C:\WINDOWS\system32\searchindexer.exe
2008-05-27 02:18 38,400 ------w C:\WINDOWS\system32\rtffilt.dll
2008-05-27 02:18 350,208 ------w C:\WINDOWS\system32\mssph.dll
2008-05-27 02:18 231,936 ------w C:\WINDOWS\system32\msshsq.dll
2008-05-27 02:18 203,776 ------w C:\WINDOWS\system32\mssphtb.dll
2008-05-27 02:18 184,832 ------w C:\WINDOWS\system32\searchprotocolhost.exe
2008-05-27 02:17 87,552 ------w C:\WINDOWS\system32\searchfilterhost.exe
2008-05-27 02:17 87,552 ------w C:\WINDOWS\system32\mssitlb.dll
2008-05-27 02:17 754,176 ------w C:\WINDOWS\system32\propsys.dll
2008-05-27 02:17 60,416 ------w C:\WINDOWS\system32\msscntrs.dll
2008-05-27 02:17 34,816 ------w C:\WINDOWS\system32\msscb.dll
2008-05-27 02:17 32,768 ------w C:\WINDOWS\system32\mssprxy.dll
2008-05-27 02:17 301,568 ------w C:\WINDOWS\system32\srchadmin.dll
2008-05-27 02:17 11,776 ------w C:\WINDOWS\system32\msshooks.dll
2008-05-27 01:59 18,904 ------w C:\WINDOWS\system32\structuredqueryschematrivial.bin
2008-05-27 01:59 106,605 ------w C:\WINDOWS\system32\structuredqueryschema.bin
2008-05-09 23:32 495,616 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe.tmp
2008-05-09 23:32 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig.exe
2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
.

((((((((((((((((((((((((((((( snapshot@2008-08-08_18.54.30.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2008-08-09 13:57:38 884,736 ----a-w C:\WINDOWS\gmer.dll
+ 2008-08-09 13:53:38 811,008 ----a-w C:\WINDOWS\gmer.exe
+ 2008-08-01 01:33:33 233,472 ----a-w C:\WINDOWS\SMINST\RECGUARD.EXE
+ 2008-08-01 01:33:31 52,736 ----a-w C:\WINDOWS\system\hpsysdrv.exe
+ 2008-05-09 23:32:41 158,208 -c--a-w C:\WINDOWS\system32\dllcache\msconfig.exe
+ 2008-08-09 13:57:38 85,969 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
+ 2008-08-01 01:33:37 172,032 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
+ 2008-08-01 01:43:31 527,872 ----a-w C:\WINDOWS\system32\spool\hpprintqueue.exe
+ 2008-08-09 14:50:53 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_198.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-02-26 04:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-02-26 04:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-02-26 04:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-07-31 21:33 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-05-09 19:32 158208]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 15:37 51048]
"osCheck"="C:\Program Files\Norton 360\osCheck.exe" [2008-02-26 10:50 988512]
"VTTimer"="VTTimer.exe" [2005-03-08 04:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 88209 C:\WINDOWS\AGRSMMSG.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]

C:\Documents and Settings\Clemson Tigers\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Documents and Settings\IronMan\My Documents\My Music\LimeWire\LimeWire.exe [2006-08-22 11:45:55 159744]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
HP Organize.lnk - C:\Program Files\Hewlett-Packard\HP Organize\bin\displayAgent.exe [2004-08-07 17:29:30 36864]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 22:19:14 123904]
Wireless Network Monitor.lnk - C:\Program Files\Linksys\WUSB600N\WUSB600N.exe [2008-01-09 05:44:20 6922240]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 22:19 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2008-02-18 15:37 51048 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
--a------ 2008-04-27 14:24 49152 c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccPwdSvc"=3 (0x3)
"iPod Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP

xpsp2res.dll,-22009

R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-18 15:37]
R2 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2006-11-28 21:46]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 17:38]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-06-25 06:36]
R3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;C:\WINDOWS\system32\DRIVERS\rt2870.sys [2007-12-14 18:04]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 17:42]
S3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2004-05-07 01:47]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a1fa7ac8-60cc-11dd-abcd-00112fab7212}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2008-08-05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 18:13]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 10:51:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\searchindexer.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2008-08-09 10:56:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-09 14:56:27
ComboFix2.txt 2008-08-09 12:58:49
ComboFix3.txt 2008-08-09 12:00:10
ComboFix4.txt 2008-08-08 22:55:11

Pre-Run: 127,650,930,688 bytes free
Post-Run: 127,661,682,688 bytes free

273 --- E O F --- 2008-08-03 13:12:48

hijackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:09:33 AM, on 8/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Linksys\WUSB600N\WUSB600N.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: MetaCrawl.WS Toolbar - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\Program Files\IEToolbar\metacrawl.ws.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Wireless Network Monitor.lnk = C:\Program Files\Linksys\WUSB600N\WUSB600N.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6149 bytes

coolc · Aug 9, 2008

have to run some errands, be back in a few hours. Thanks for your continued help. I definately couldn't do this by myself!!!!!

Shaba · Aug 9, 2008

Looks better

Please make sure that all programs are closed when installing Java.

Click here to visit Java's website.
Scroll down to Java Runtime Environment (JRE) 6 Update 7. Click on Download.
Select Windows from the drop-down list for Platform.
Select Multi-language from the drop-down list for Language.
Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue.
Click on jre-6u7-windows-i586-p.exe link to download it and save this to a convenient location.
Double click on jre-6u7-windows-i586-p.exe to install Java.
After the Java installation has finished, please go to Kaspersky website and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
  Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.

coolc · Aug 9, 2008

took about 2hrs to run, Here's Kaspersky log:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, August 9, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, August 09, 2008 19:04:11
Records in database: 1075876
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 83137
Threat name: 6
Infected objects: 81
Suspicious objects: 0
Duration of the scan: 02:08:46

File name / Threat name / Threats count
C:\Program Files\QuickTime\qttask.exe Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\Program Files\IEToolbar\metacrawl.ws.dll.vir Infected: not-a-virus:AdWare.Win32.Mostofate.ad 1
C:\QooBox\Quarantine\C\WINDOWS\system32\apcclmvk.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.v 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ctfmon.exe.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\fiyywggv.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.v 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX2B.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX2C.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX2D.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX2E.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX2F.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX30.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX31.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX32.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX33.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX34.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX35.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX36.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX37.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX38.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX39.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX3A.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX3B.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX3C.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX3D.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX3E.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX3F.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX40.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX41.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX42.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX43.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX44.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX45.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX46.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX47.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX48.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX49.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX4A.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX4B.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX4C.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX4D.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX4E.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX4F.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX50.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX51.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX52.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX53.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX54.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX55.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX56.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX57.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX58.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX59.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX5A.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX5F.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX60.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX61.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX62.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX63.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX64.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX65.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX6D.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX75.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX82.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX8D.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX8E.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX90.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCXAD.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCXBA.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCXBB.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCXCF.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCXE7.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCXE8.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\RCXFC.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\vlmquvyf.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.nc 1
C:\QooBox\Quarantine\catchme2008-08-09_104846.89.zip Infected: Trojan.Win32.Agent.cid 1
C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe.tmp Infected: Virus.Win32.Trats.d 1
C:\WINDOWS\system32\drivers\tuhwliqz.sys Infected: Rootkit.Win32.Agent.iy 1
C:\WINDOWS\system32\RCX114.tmp Infected: Virus.Win32.Trats.d 1
C:\WINDOWS\system32\RCX115.tmp Infected: Virus.Win32.Trats.d 1
C:\WINDOWS\system32\RCX129.tmp Infected: Virus.Win32.Trats.d 1
C:\WINDOWS\system32\spool\hpprintqueue.exe Infected: Virus.Win32.Trats.d 1

The selected area was scanned.

here's the updated hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:18:36 PM, on 8/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Linksys\WUSB600N\WUSB600N.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: MetaCrawl.WS Toolbar - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\Program Files\IEToolbar\metacrawl.ws.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Wireless Network Monitor.lnk = C:\Program Files\Linksys\WUSB600N\WUSB600N.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6434 bytes

Shaba · Aug 10, 2008

You may need to re-install some applications like QuickTime and HP printer software because file infector has infected them.

Please download the OTMoveIt2 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).

Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:

C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe.tmp 
C:\WINDOWS\system32\drivers\tuhwliqz.sys 
C:\WINDOWS\system32\RCX114.tmp 
C:\WINDOWS\system32\RCX115.tmp 
C:\WINDOWS\system32\RCX129.tmp 
C:\WINDOWS\system32\spool\hpprintqueue.exe

Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

coolc · Aug 10, 2008

C:\Program Files\QuickTime\qttask.exe moved successfully.
C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe.tmp moved successfully.
C:\WINDOWS\system32\drivers\tuhwliqz.sys moved successfully.
C:\WINDOWS\system32\RCX114.tmp moved successfully.
C:\WINDOWS\system32\RCX115.tmp moved successfully.
C:\WINDOWS\system32\RCX129.tmp moved successfully.
C:\WINDOWS\system32\spool\hpprintqueue.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08102008_081757

Shaba · Aug 10, 2008

Empty this folder:

C:\QooBox\Quarantine\

Empty Recycle Bin.

Still problems?

coolc · Aug 10, 2008

ran spybot, clean
ran norton 360 full scan, clean

Thank you for all your help.

resent: :wav:

Virtumonde help, thanks in advance

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member