Virtumundo

carolina

New member
Ok, I think that's what I have. I will try my very best in English.
I tried different removal tools, but no luck. I hope somebody can help me out.
I started in safe mode and this is what I got:


[11/05/2008, 18:17:40] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Owner.LANDSCAPING\Desktop\VirtumundoBeGone.exe" )
[11/05/2008, 18:17:47] - Detected System Information:
[11/05/2008, 18:17:47] - Windows Version: 5.1.2600, Service Pack 3
[11/05/2008, 18:17:47] - Current Username: Owner (Admin)
[11/05/2008, 18:17:47] - Windows is in SAFE mode.
[11/05/2008, 18:17:47] - Searching for Browser Helper Objects:
[11/05/2008, 18:17:47] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[11/05/2008, 18:17:47] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[11/05/2008, 18:17:47] - BHO 3: {6ED59772-F4EB-4FDE-BBB3-E939952686BF} ()
[11/05/2008, 18:17:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/05/2008, 18:17:47] - Checking for HKLM\...\Winlogon\Notify\ssqoMgEx
[11/05/2008, 18:17:47] - Found: HKLM\...\Winlogon\Notify\ssqoMgEx - This is probably Virtumundo.
[11/05/2008, 18:17:47] - Assigning {6ED59772-F4EB-4FDE-BBB3-E939952686BF} MSEvents Object
[11/05/2008, 18:17:47] - BHO list has been changed! Starting over...
[11/05/2008, 18:17:47] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[11/05/2008, 18:17:47] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[11/05/2008, 18:17:47] - BHO 3: {6ED59772-F4EB-4FDE-BBB3-E939952686BF} (MSEvents Object)
[11/05/2008, 18:17:47] - ALERT: Found MSEvents Object!
[11/05/2008, 18:17:47] - BHO 4: {A057A204-BACC-4D26-9990-79A187E2698E} (AVG Security Toolbar)
[11/05/2008, 18:17:47] - BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[11/05/2008, 18:17:47] - BHO 6: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[11/05/2008, 18:17:47] - BHO 7: {B76D1296-D0D0-4374-BB14-4C84BE81B95E} ()
[11/05/2008, 18:17:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/05/2008, 18:17:47] - Checking for HKLM\...\Winlogon\Notify\mlJCRJBs
[11/05/2008, 18:17:47] - Key not found: HKLM\...\Winlogon\Notify\mlJCRJBs, continuing.
[11/05/2008, 18:17:47] - BHO 8: {CA6319C0-31B7-401E-A518-A07C3DB8F777} (CBrowserHelperObject Object)
[11/05/2008, 18:17:47] - BHO 9: {de5bfccc-1bd4-4af0-ad99-700b473b5696} ()
[11/05/2008, 18:17:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/05/2008, 18:17:47] - Checking for HKLM\...\Winlogon\Notify\lxtzkt
[11/05/2008, 18:17:47] - Key not found: HKLM\...\Winlogon\Notify\lxtzkt, continuing.
[11/05/2008, 18:17:47] - BHO 10: {F64959B8-1A3E-4DCD-8FF0-9A94DDB3D6F7} ()
[11/05/2008, 18:17:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/05/2008, 18:17:47] - Checking for HKLM\...\Winlogon\Notify\xxyaaxVo
[11/05/2008, 18:17:47] - Found: HKLM\...\Winlogon\Notify\xxyaaxVo - This is probably Virtumundo.
[11/05/2008, 18:17:47] - Assigning {F64959B8-1A3E-4DCD-8FF0-9A94DDB3D6F7} MSEvents Object
[11/05/2008, 18:17:47] - BHO list has been changed! Starting over...
[11/05/2008, 18:17:47] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[11/05/2008, 18:17:47] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[11/05/2008, 18:17:47] - BHO 3: {6ED59772-F4EB-4FDE-BBB3-E939952686BF} (MSEvents Object)
[11/05/2008, 18:17:47] - ALERT: Found MSEvents Object!
[11/05/2008, 18:17:47] - BHO 4: {A057A204-BACC-4D26-9990-79A187E2698E} (AVG Security Toolbar)
[11/05/2008, 18:17:47] - BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[11/05/2008, 18:17:47] - BHO 6: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[11/05/2008, 18:17:47] - BHO 7: {B76D1296-D0D0-4374-BB14-4C84BE81B95E} ()
[11/05/2008, 18:17:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/05/2008, 18:17:47] - Checking for HKLM\...\Winlogon\Notify\mlJCRJBs
[11/05/2008, 18:17:47] - Key not found: HKLM\...\Winlogon\Notify\mlJCRJBs, continuing.
[11/05/2008, 18:17:47] - BHO 8: {CA6319C0-31B7-401E-A518-A07C3DB8F777} (CBrowserHelperObject Object)
[11/05/2008, 18:17:47] - BHO 9: {de5bfccc-1bd4-4af0-ad99-700b473b5696} ()
[11/05/2008, 18:17:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/05/2008, 18:17:47] - Checking for HKLM\...\Winlogon\Notify\lxtzkt
[11/05/2008, 18:17:47] - Key not found: HKLM\...\Winlogon\Notify\lxtzkt, continuing.
[11/05/2008, 18:17:47] - BHO 10: {F64959B8-1A3E-4DCD-8FF0-9A94DDB3D6F7} (MSEvents Object)
[11/05/2008, 18:17:47] - ALERT: Found MSEvents Object!
[11/05/2008, 18:17:47] - Finished Searching Browser Helper Objects
[11/05/2008, 18:17:47] - *** Detected MSEvents Object
[11/05/2008, 18:17:47] - Trying to remove MSEvents Object...
[11/05/2008, 18:17:48] - Terminating Process: IEXPLORE.EXE
[11/05/2008, 18:17:48] - Terminating Process: RUNDLL32.EXE
[11/05/2008, 18:17:48] - Disabling Automatic Shell Restart
[11/05/2008, 18:17:48] - Terminating Process: EXPLORER.EXE
[11/05/2008, 18:17:49] - Suspending the NT Session Manager System Service
[11/05/2008, 18:17:49] - Terminating Windows NT Logon/Logoff Manager
[11/05/2008, 18:17:49] - Re-enabling Automatic Shell Restart
[11/05/2008, 18:17:49] - File to disable: C:\WINDOWS\system32\ssqoMgEx.dll
[11/05/2008, 18:17:49] - Renaming C:\WINDOWS\system32\ssqoMgEx.dll -> C:\WINDOWS\system32\ssqoMgEx.dll.vir
[11/05/2008, 18:17:49] - File successfully renamed!
[11/05/2008, 18:17:49] - Removing HKLM\...\Browser Helper Objects\{6ED59772-F4EB-4FDE-BBB3-E939952686BF}
[11/05/2008, 18:17:49] - Removing HKCR\CLSID\{6ED59772-F4EB-4FDE-BBB3-E939952686BF}
[11/05/2008, 18:17:49] - Adding Kill Bit for ActiveX for GUID: {6ED59772-F4EB-4FDE-BBB3-E939952686BF}
[11/05/2008, 18:17:49] - Deleting ATLEvents/MSEvents Registry entries
[11/05/2008, 18:17:49] - Removing HKLM\...\Winlogon\Notify\ssqoMgEx
[11/05/2008, 18:17:49] - Searching for Browser Helper Objects:
[11/05/2008, 18:17:49] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[11/05/2008, 18:17:49] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[11/05/2008, 18:17:49] - BHO 3: {A057A204-BACC-4D26-9990-79A187E2698E} (AVG Security Toolbar)
[11/05/2008, 18:17:49] - BHO 4: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[11/05/2008, 18:17:49] - BHO 5: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[11/05/2008, 18:17:49] - BHO 6: {B76D1296-D0D0-4374-BB14-4C84BE81B95E} ()
[11/05/2008, 18:17:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/05/2008, 18:17:49] - Checking for HKLM\...\Winlogon\Notify\mlJCRJBs
[11/05/2008, 18:17:49] - Key not found: HKLM\...\Winlogon\Notify\mlJCRJBs, continuing.
[11/05/2008, 18:17:49] - BHO 7: {CA6319C0-31B7-401E-A518-A07C3DB8F777} (CBrowserHelperObject Object)
[11/05/2008, 18:17:49] - BHO 8: {de5bfccc-1bd4-4af0-ad99-700b473b5696} ()
[11/05/2008, 18:17:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/05/2008, 18:17:49] - Checking for HKLM\...\Winlogon\Notify\lxtzkt
[11/05/2008, 18:17:49] - Key not found: HKLM\...\Winlogon\Notify\lxtzkt, continuing.
[11/05/2008, 18:17:49] - BHO 9: {F64959B8-1A3E-4DCD-8FF0-9A94DDB3D6F7} (MSEvents Object)
[11/05/2008, 18:17:49] - ALERT: Found MSEvents Object!
[11/05/2008, 18:17:49] - Finished Searching Browser Helper Objects
[11/05/2008, 18:17:49] - *** Detected MSEvents Object
[11/05/2008, 18:17:49] - Trying to remove MSEvents Object...
[11/05/2008, 18:17:50] - Terminating Process: IEXPLORE.EXE
[11/05/2008, 18:17:50] - Terminating Process: RUNDLL32.EXE
[11/05/2008, 18:17:50] - Disabling Automatic Shell Restart
[11/05/2008, 18:17:50] - Terminating Process: EXPLORER.EXE
[11/05/2008, 18:17:50] - Suspending the NT Session Manager System Service
[11/05/2008, 18:17:50] - Terminating Windows NT Logon/Logoff Manager
[11/05/2008, 18:17:50] - Re-enabling Automatic Shell Restart
[11/05/2008, 18:17:50] - File to disable: C:\WINDOWS\system32\xxyaaxVo.dll
[11/05/2008, 18:17:50] - Removing HKLM\...\Browser Helper Objects\{F64959B8-1A3E-4DCD-8FF0-9A94DDB3D6F7}
[11/05/2008, 18:17:50] - Removing HKCR\CLSID\{F64959B8-1A3E-4DCD-8FF0-9A94DDB3D6F7}
[11/05/2008, 18:17:50] - Adding Kill Bit for ActiveX for GUID: {F64959B8-1A3E-4DCD-8FF0-9A94DDB3D6F7}
[11/05/2008, 18:17:50] - Deleting ATLEvents/MSEvents Registry entries
[11/05/2008, 18:17:50] - Removing HKLM\...\Winlogon\Notify\xxyaaxVo
[11/05/2008, 18:17:50] - Searching for Browser Helper Objects:
[11/05/2008, 18:17:50] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[11/05/2008, 18:17:50] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[11/05/2008, 18:17:50] - BHO 3: {A057A204-BACC-4D26-9990-79A187E2698E} (AVG Security Toolbar)
[11/05/2008, 18:17:50] - BHO 4: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[11/05/2008, 18:17:50] - BHO 5: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[11/05/2008, 18:17:50] - BHO 6: {B76D1296-D0D0-4374-BB14-4C84BE81B95E} ()
[11/05/2008, 18:17:50] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/05/2008, 18:17:50] - Checking for HKLM\...\Winlogon\Notify\mlJCRJBs
[11/05/2008, 18:17:50] - Key not found: HKLM\...\Winlogon\Notify\mlJCRJBs, continuing.
[11/05/2008, 18:17:50] - BHO 7: {CA6319C0-31B7-401E-A518-A07C3DB8F777} (CBrowserHelperObject Object)
[11/05/2008, 18:17:50] - BHO 8: {de5bfccc-1bd4-4af0-ad99-700b473b5696} ()
[11/05/2008, 18:17:50] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/05/2008, 18:17:50] - Checking for HKLM\...\Winlogon\Notify\lxtzkt
[11/05/2008, 18:17:50] - Key not found: HKLM\...\Winlogon\Notify\lxtzkt, continuing.
[11/05/2008, 18:17:50] - Finished Searching Browser Helper Objects
[11/05/2008, 18:17:50] - Finishing up...
[11/05/2008, 18:17:50] - A restart is needed.
[11/05/2008, 18:18:03] - Attempting to Restart via STOP error (Blue Screen!)


Thanks a lot
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:04:07 PM, on 11/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {41F841C1-AE16-11D5-8817-0050DA6EF5E5} (FarPoint Spread 6.0) - https://www.acsenterprisesystem.com/CAB and license files/SPR32X60.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1220723557343
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFD55825-72C0-40DF-BD3C-CBCE10E3FE37}: NameServer = 63.162.197.69 63.162.197.99
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL lxtzkt.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 7481 bytes

Oops, I forgot that one.
 
Hi carolina

Rename HijackThis.exe to carolina.exe and post back a fresh HijackThis log, please :)
 
Logfile of Trend carolina.exe v2.0.2

Scan saved at 6:09:21 AM, on 11/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {41F841C1-AE16-11D5-8817-0050DA6EF5E5} (FarPoint Spread 6.0) - https://www.acsenterprisesystem.com/CAB and license files/SPR32X60.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1220723557343
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFD55825-72C0-40DF-BD3C-CBCE10E3FE37}: NameServer = 63.162.197.69 63.162.197.99
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL wesacp.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 7515 bytes



Thanks so much for your help.
 
Unfortunately it didn't go right.

Rename HijackThis.exe to carolina.exe by doing the following:

  • Navigate here using Windows Explorer (windows button + E) or My Computer -> Local Disk C: -> C:\Program Files\Trend Micro\HijackThis
  • Right-click on the HijackThis.exe
  • Choose from the pull-down menu; "Rename"
  • And now rename HijackThis.exe to carolina.exe
  • When you've renamed HijackThis, open HijackThis again.
  • Take a fresh HijackThis log (click Do a system scan and save a log file)
  • Post the fresh HijackThis log here.
 
Ok, I hope I did it right. It kept asking if I was sure about the rename...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:45:10 AM, on 11/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Trend Micro\carolina.exe\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {41F841C1-AE16-11D5-8817-0050DA6EF5E5} (FarPoint Spread 6.0) - https://www.acsenterprisesystem.com/CAB and license files/SPR32X60.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1220723557343
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFD55825-72C0-40DF-BD3C-CBCE10E3FE37}: NameServer = 63.162.197.69 63.162.197.99
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL wesacp.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 7483 bytes
 
No, that is still unfortunately incorrect.

You are supposed to rename the bolded file. Instead, you renamed the folder that the file is in.

C:\Program Files\Trend Micro\carolina.exe\HijackThis.exe

It might just look like plain HijackThis without .exe if you don't have file extensions visible.

Please try again :)
 
Good lord, please let it be right this time. As you can tell, I'm no expert, so please forgive me.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31:29 PM, on 11/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Trend Micro\carolina.exe\carolina.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39FD96C2-0181-4E7A-814C-3A6D4363920F} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {558D2CCF-8BAC-468E-BE4C-311FA8AFCAE6} - (no file)
O2 - BHO: (no name) - {704BD01C-17DB-49E5-B560-D660742276C9} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.509.5470\swg.dll
O2 - BHO: (no name) - {D6140C6D-A55F-4335-B1E9-E52266D1D45A} - C:\WINDOWS\system32\mlJCRJBs.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {41F841C1-AE16-11D5-8817-0050DA6EF5E5} (FarPoint Spread 6.0) - https://www.acsenterprisesystem.com/CAB and license files/SPR32X60.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1220723557343
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFD55825-72C0-40DF-BD3C-CBCE10E3FE37}: NameServer = 63.162.197.69 63.162.197.99
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL wesacp.dll xxqtyv.dll
O20 - Winlogon Notify: ssqoMgEx - C:\WINDOWS\
O20 - Winlogon Notify: xxyaaxVo - C:\WINDOWS\
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 8604 bytes
 
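The log above shows the pattern the helper is chasing: a BHO with no name backed by a DLL in system32 with a scrambled name (mlJCRJBs.dll), the same kind of name in AppInit_DLLs (xxqtyv.dll), and Winlogon Notify packages (ssqoMgEx, xxyaaxVo) whose DLL cannot be resolved. The Python script below is an added example for this thread, not code from HijackThis, ComboFix or any poster; it parses those O2 and O20 lines and flags entries matching that pattern. The sample input is copied from the HijackThis log above; the name heuristic (6 to 8 letters, mixed case mid-word or no vowels) and the small allowlist marking avgrsstx.dll as AVG's own hook are assumptions for illustration, not a vendor signature set.

```python
"""Triage of HijackThis 2.x log lines for Virtumundo/Vundo-style persistence.

Added example for this thread; it is not part of HijackThis, ComboFix or the
original posts.  The flagging rules (random-looking 6-8 letter DLL names,
unnamed BHOs, AppInit_DLLs and Winlogon Notify entries) are assumptions drawn
from the entries visible in the logs above, not a vendor signature set.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis log posted above, with benign
# entries (Adobe, Spybot, NVIDIA) kept for contrast.
SAMPLE_LOG = "\n".join([
    "O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll",
    "O2 - BHO: (no name) - {39FD96C2-0181-4E7A-814C-3A6D4363920F} - (no file)",
    "O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll",
    "O2 - BHO: (no name) - {D6140C6D-A55F-4335-B1E9-E52266D1D45A} - C:\\WINDOWS\\system32\\mlJCRJBs.dll",
    "O20 - AppInit_DLLs: C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL,avgrsstx.dll C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL wesacp.dll xxqtyv.dll",
    "O20 - Winlogon Notify: ssqoMgEx - C:\\WINDOWS\\",
    "O20 - Winlogon Notify: xxyaaxVo - C:\\WINDOWS\\",
    "O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe",
])


@dataclass(frozen=True)
class Finding:
    severity: str   # "high": matches the Vundo pattern; "review": needs a human look
    section: str    # "O2", "O20/AppInit_DLLs" or "O20/WinlogonNotify"
    name: str       # DLL stem, Notify subkey, or CLSID for file-less BHOs
    reason: str


VOWELS = set("aeiou")
# Allowlist for legitimate hooks that would otherwise look odd; avgrsstx.dll is
# AVG 8's resident-shield hook seen in the log above (assumed benign here).
KNOWN_GOOD = {"avgrsstx"}
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.I)


def looks_random(stem: str) -> bool:
    """Vundo-style names in the logs above are 6-8 letters with no digits and
    either mix case mid-word (mlJCRJBs, ssqoMgEx) or have no vowels (xxqtyv)."""
    if stem.lower() in KNOWN_GOOD or not stem.isalpha() or not 6 <= len(stem) <= 8:
        return False
    body = stem[1:]
    mixed_case = any(c.isupper() for c in body) and any(c.islower() for c in body)
    no_vowels = not (VOWELS & set(stem.lower()))
    return mixed_case or no_vowels


def _stem(path: str) -> str:
    """File name without extension, using Windows path rules on any host."""
    return ntpath.splitext(ntpath.basename(path))[0]


def parse_hjt(text: str) -> list[Finding]:
    """Walk a HijackThis log and return findings for O2 and O20 entries."""
    findings: list[Finding] = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"O2 - BHO: (.*?) - \{([0-9A-Fa-f-]+)\} - (.*)$", line)
        if m:
            name, clsid, path = m.groups()
            if path == "(no file)":
                if name == "(no name)":
                    findings.append(Finding("review", "O2", clsid,
                                            "orphaned BHO: no name and no file, leftover registration"))
                continue
            reasons = []
            if name == "(no name)":
                reasons.append("BHO registered without a name")
            if WINDOWS_DIR.match(path) and looks_random(_stem(path)):
                reasons.append("random-looking DLL name under the Windows directory")
            if reasons:
                findings.append(Finding("high", "O2", _stem(path), "; ".join(reasons)))
            continue
        m = re.match(r"O20 - AppInit_DLLs: (.*)$", line)
        if m:
            # The value is space- or comma-separated and may repeat entries.
            seen: list[str] = []
            for entry in re.split(r"[ ,]+", m.group(1).strip()):
                if entry and entry not in seen:
                    seen.append(entry)
            for entry in seen:
                stem = _stem(entry)
                if looks_random(stem):
                    findings.append(Finding("high", "O20/AppInit_DLLs", stem,
                                            "random-looking DLL loaded into every process that loads user32"))
                else:
                    findings.append(Finding("review", "O20/AppInit_DLLs", stem,
                                            "AppInit_DLLs entry: confirm the vendor"))
            continue
        m = re.match(r"O20 - Winlogon Notify: (\S+) - (.*)$", line)
        if m:
            key, path = m.groups()
            if looks_random(key):
                findings.append(Finding("high", "O20/WinlogonNotify", key,
                                        "random-looking Winlogon Notify package"))
            elif not ntpath.basename(path) or path == "(no file)":
                findings.append(Finding("review", "O20/WinlogonNotify", key,
                                        "Notify package with no resolvable DLL"))
    return findings


if __name__ == "__main__":
    for f in parse_hjt(SAMPLE_LOG):
        print(f"{f.severity:6} {f.section:20} {f.name:38} {f.reason}")
```

Run it as a script to print the findings, or call parse_hjt() on a saved log. Entries marked "review" are the ones a helper would ask about rather than delete: the orphaned CLSID is only a leftover registration, and the AppInit_DLLs entries that resolve to named vendors (Google, AVG) are legitimate but still deserve a check, because anything in that value is loaded into every process that loads user32.dll.
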
Yes, now it is correct :)

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

    We first need to disable TeaTimer so that it doesn't interfere with the fixes. You can re-enable it once you're clean again:

    1. Run Spybot-S&D in Advanced Mode.
    2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
    3. On the left-hand side, click on Tools.
    4. Then click on the Resident icon in the list.
    5. Uncheck "Resident TeaTimer" and OK any prompts.
    6. Restart your computer.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot: RcAuto1.gif]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: whatnext.png]



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
 
ComboFix 08-11-06.01 - Owner 2008-11-07 12:58:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.481 [GMT -5:00]
Running from: c:\documents and settings\Owner.LANDSCAPING\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\system32\cpwavile.dll
c:\windows\system32\jbyseqjq.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\mlJCRJBs.dll
c:\windows\system32\qjqesybj.dll
c:\windows\system32\sBJRCJlm.ini
c:\windows\system32\sBJRCJlm.ini2
c:\windows\system32\sqkfnhrs.dll
c:\windows\system32\ssqoMgEx.dll.vir
c:\windows\system32\xxqtyv.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-10-07 to 2008-11-07 )))))))))))))))))))))))))))))))
.

2008-11-06 11:07 . 2008-11-06 11:07 <DIR> d-------- c:\windows\MPSReports
2008-11-05 18:33 . 2008-11-07 12:18 <DIR> d-------- c:\program files\Trend Micro
2008-11-05 17:42 . 2008-11-05 17:49 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-05 17:00 . 2008-11-05 17:00 <DIR> d-------- C:\VundoFix Backups
2008-11-05 16:50 . 2008-11-05 16:54 <DIR> d-------- c:\program files\SpyZooka
2008-11-05 16:50 . 2008-11-05 16:50 <DIR> d-------- c:\program files\Common Files\Download Manager
2008-11-05 15:50 . 2008-11-05 15:52 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-05 15:50 . 2008-11-05 16:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-05 15:32 . 2008-11-05 15:32 <DIR> d----c--- c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-10-23 23:42 . 2008-10-15 11:34 337,408 --a--c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-14 12:41 . 2008-09-08 05:41 333,824 --a--c--- c:\windows\system32\dllcache\srv.sys
2008-10-14 12:40 . 2008-08-14 05:11 2,189,184 --a--c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-14 12:40 . 2008-08-14 05:09 2,145,280 --a--c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-14 12:40 . 2008-08-14 04:33 2,066,048 --a--c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-14 12:40 . 2008-08-14 04:33 2,023,936 --a--c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-14 12:40 . 2008-09-15 07:12 1,846,400 --a--c--- c:\windows\system32\dllcache\win32k.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-05 18:59 --------- d-----w c:\documents and settings\Owner.LANDSCAPING\Application Data\Earthlink
2008-11-05 18:58 --------- d-----w c:\program files\Embarq TotalAccess
2008-10-26 00:15 --------- d-----w c:\program files\HP
2008-10-13 03:08 --------- d-----w c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare
2008-10-03 17:41 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-10-03 17:21 --------- d-----w c:\documents and settings\Owner.LANDSCAPING\Application Data\skypePM
2008-10-02 14:37 32,549 ----a-w c:\windows\king-uninstall.exe
2008-09-24 14:31 172 ----a-w c:\documents and settings\Owner.LANDSCAPING\Application Data\wklnhst.dat
2008-09-11 19:39 --------- d-----w c:\documents and settings\Owner.LANDSCAPING\Application Data\AVGTOOLBAR
2008-09-10 12:59 --------- d-----w c:\program files\Microsoft Works
2008-09-08 10:41 333,824 ----a-w c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-01 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-06 29744]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-09 139264]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-22 98304]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-09-29 1234712]
"nwiz"="nwiz.exe" [2005-09-18 c:\windows\system32\nwiz.exe]
"CHotkey"="zHotkey.exe" [2004-12-08 c:\windows\zHotkey.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-14 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= c:\windows\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= c:\windows\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-09-06 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-09-06 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-09-06 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-09-06 76040]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-09-06 29744]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57aa2887-f690-11da-99ac-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2006-10-01 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-04-13 19:12]

2006-10-01 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-04-13 19:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{32ECB646-9760-4A7D-A720-5CB461C96F19} - c:\windows\system32\mlJCRJBs.dll
BHO-{39FD96C2-0181-4E7A-814C-3A6D4363920F} - (no file)
BHO-{558D2CCF-8BAC-468E-BE4C-311FA8AFCAE6} - (no file)
BHO-{704BD01C-17DB-49E5-B560-D660742276C9} - (no file)
HKLM-Run-ISTray - c:\program files\Spyware Doctor\pctsTray.exe
ShellExecuteHooks-{F64959B8-1A3E-4DCD-8FF0-9A94DDB3D6F7} - (no file)
ShellExecuteHooks-{6ED59772-F4EB-4FDE-BBB3-E939952686BF} - (no file)
Notify-ssqoMgEx - (no file)
Notify-xxyaaxVo - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Owner.LANDSCAPING\Application Data\Mozilla\Firefox\Profiles\m26ypqg9.default\
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npmidas.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-07 13:03:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2008-11-07 13:08:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-07 18:08:22

Pre-Run: 183,100,518,400 bytes free
Post-Run: 183,253,106,688 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

192 --- E O F --- 2008-10-24 07:01:23



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:12:41 PM, on 11/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\carolina.exe\carolina.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.509.5470\swg.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {41F841C1-AE16-11D5-8817-0050DA6EF5E5} (FarPoint Spread 6.0) - https://www.acsenterprisesystem.com/CAB and license files/SPR32X60.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1220723557343
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFD55825-72C0-40DF-BD3C-CBCE10E3FE37}: NameServer = 63.162.197.69 63.162.197.99
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 7462 bytes
 
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

[screenshot: uninstall-man.jpg]


5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, Notepad will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.
 
Adobe Flash Player 10 Plugin
Adobe Flash Player 9
Adobe Flash Player ActiveX
Adobe Reader 7.0
Adobe Shockwave Player
Agere Systems PCI-SV92PP Soft Modem
Athlon 64 Processor Driver
AVG Free 8.0
BearShare
Digital Media Reader
DVD Solution
Google Desktop
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
gtw_logo
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 10 (KB910393)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Customer Participation Program 7.0
HP Document Viewer 7.0
HP Imaging Device Functions 7.0
HP Photosmart Premier Software 6.5
HP Photosmart, Officejet and Deskjet 7.0.A
HP Solution Center 7.0
HP Update
J2SE Runtime Environment 5.0 Update 2
king.com (remove only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Starter Edition 2006
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2006
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Multimedia Keyboard Driver
Napster
Napster Burn Engine
NVIDIA Drivers
OCR Software by I.R.I.S 7.0
Power2Go 4.0
PowerDVD
QuickTime
RealPlayer Basic
Realtek High Definition Audio Driver
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB958644)
Sonic Encoders
Spybot - Search & Destroy
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update Rollup 2 for Windows XP Media Center Edition 2005
Viewpoint Media Player
Windows Backup Utility
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
 
IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

BearShare

I'd like you to read this thread.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Please run a new uninstall list scan when finished and post the log back here.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:32:59 PM, on 11/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\carolina.exe\carolina.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.509.5470\swg.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {41F841C1-AE16-11D5-8817-0050DA6EF5E5} (FarPoint Spread 6.0) - https://www.acsenterprisesystem.com/CAB and license files/SPR32X60.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1220723557343
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFD55825-72C0-40DF-BD3C-CBCE10E3FE37}: NameServer = 63.162.197.69 63.162.197.99
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 7396 bytes

This is what I get when I try to uninstall it: "Could not open Install.Log file"
 
Thank you for the information.

Open notepad and copy/paste the text in the codebox below into it:

Code:
File::

Folder::
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare
c:\Program Files\BearShare Applications

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=-

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif


This will start ComboFix again. After the reboot (if it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any findstr, find, sed or swreg processes; ComboFix should then continue.
If that happens we want to know, and also which process you had to end.
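The codebox above is a ComboFix CFScript: the File:: and Folder:: sections list paths the tool will remove, and the Registry:: section uses the same conventions as a Windows .reg file, where a `[key]` line selects a key and `"name"=-` removes that value under it (`[-key]` removes a whole key). Before dragging such a script onto ComboFix it is worth knowing exactly what it will touch. The Python below is an added example, not part of this thread and not ComboFix's own code: it parses a script into a reviewable action plan and flags any file or folder target that sits under a protected system location. The sample script is a constructed copy of the one above; the `risky_targets` helper and its `PROTECTED_PREFIXES` list are assumptions for the example, not anything ComboFix enforces.

```python
"""Parse a ComboFix CFScript into a reviewable action plan (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the same three sections as the script in the thread.
SAMPLE_CFSCRIPT = r"""File::

Folder::
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare
c:\Program Files\BearShare Applications

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=-
"""

SECTION_RE = re.compile(r"^(\w+)::\s*$")          # e.g. "Folder::"
KEY_RE = re.compile(r"^\[(-?)(.+)\]\s*$")          # "[key]" or "[-key]" (delete key)
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')  # "name"=data or @=data

# Assumed guard-rail list for the example: targets under these prefixes get flagged.
PROTECTED_PREFIXES = ("c:\\windows", "c:\\program files\\common files\\microsoft shared")

# (action, key, value_name, data); action is delete_key / delete_value / set_value
RegAction = Tuple[str, str, Optional[str], Optional[str]]


@dataclass
class CFScriptPlan:
    files: List[str] = field(default_factory=list)
    folders: List[str] = field(default_factory=list)
    registry: List[RegAction] = field(default_factory=list)
    unknown_sections: List[str] = field(default_factory=list)


def _unescape_reg(s: str) -> str:
    """Undo .reg-style escaping: \\\\ -> \\ and \\" -> " inside a quoted value name."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_cfscript(text: str) -> CFScriptPlan:
    """Walk the script line by line, tracking the current section and registry key."""
    plan = CFScriptPlan()
    section: Optional[str] = None
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1), None
            if section not in ("File", "Folder", "Registry"):
                plan.unknown_sections.append(section)
            continue
        if section == "File":
            plan.files.append(line)
        elif section == "Folder":
            plan.folders.append(line)
        elif section == "Registry":
            km = KEY_RE.match(line)
            if km:
                minus, current_key = km.groups()
                if minus:
                    plan.registry.append(("delete_key", current_key, None, None))
                continue
            vm = VALUE_RE.match(line)
            if vm and current_key is not None:
                name = "" if vm.group(2) else _unescape_reg(vm.group(1))  # "" = (Default)
                data = vm.group(3).strip()
                if data == "-":
                    plan.registry.append(("delete_value", current_key, name, None))
                else:
                    plan.registry.append(("set_value", current_key, name, data))
                continue
            raise ValueError(f"unparsed Registry line: {line!r}")
    return plan


def describe(plan: CFScriptPlan) -> List[str]:
    """Human-readable list of every action the script would perform."""
    out = [f"delete file: {p}" for p in plan.files]
    out += [f"delete folder: {p}" for p in plan.folders]
    for action, key, name, data in plan.registry:
        shown = name if name else "(Default)"
        if action == "delete_key":
            out.append(f"delete key: {key}")
        elif action == "delete_value":
            out.append(f"delete value: {key} -> {shown}")
        else:
            out.append(f"set value: {key} -> {shown} = {data}")
    return out


def risky_targets(plan: CFScriptPlan) -> List[str]:
    """File/folder targets under a protected prefix or at a drive root (assumed check)."""
    flagged = []
    for p in plan.files + plan.folders:
        low = p.lower()
        if low.startswith(PROTECTED_PREFIXES) or re.fullmatch(r"[a-z]:\\?", low):
            flagged.append(p)
    return flagged


if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_CFSCRIPT)
    for action in describe(plan):
        print(action)
    print("flagged:", risky_targets(plan))
```

Running it on the sample prints two folder deletions and one registry value deletion (the BearShare firewall exception), with nothing flagged; a script that listed `c:\windows\system32` under Folder:: would be flagged by `risky_targets` before it is ever run.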
 
All went well...

ComboFix 08-11-07.01 - Owner 2008-11-07 13:55:42.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.463 [GMT -5:00]
Running from: c:\documents and settings\Owner.LANDSCAPING\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner.LANDSCAPING\My Documents\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\112 - Pleasure & Pain (Parental Advisory).jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\2Pac - Live At The House Of Blues (Parental Advisory).jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\2Pac - Loyal To The Game (Parental Advisory).jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Akon - Konvicted (Parental Advisory).jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Akon - Presents The Re-Up.jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Black Tooth - Tribute To Tupac Shakur.jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Blu Cantrell - So Blu.jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\CMH World - The Reggae Tribute To Today's Hottest Hits.jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\David Banner - MTA2_ Baptized In Dirty Water (Parental Advisory).jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Daz Dillinger - All I Need (Parental Advisory).jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Elize - Tribute To Tupac Shakur.jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Gorilla Zoe - Hood Nigga Diaries (Parental Advisory).jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Heaven - Southern Drawl.jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Johanna Sarad - Be Nice If You Did.jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Kaoz The Assassin - Daz Dillinger Presents Outlawz & Kurupt_ To Live And Die In CA (Parental Advisory).jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Kay Cee Dee - Kay Cee Dee.jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Kurupt - Snoop Dogg Presents The Big Squeeze (Parental Advisory).jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Lee Michaels - Barrel.jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Mack 10 - Based On A True Story (Edited).jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Mack 10 - Based On A True Story (Parental Advisory).jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Mack 10 - Best Of Mack 10 (Edited).jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Mack 10 - Best Of Mack 10 (Parental Advisory).jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Mack 10 - Ghetto_ Gutter & Gangsta (Parental Advisory).jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Mack 10 - Hustla's Handbook (Edited).jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Mack 10 - Hustla's Handbook (Parental Advisory).jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Mack 10 - Like This (Single).jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Mack 10 - Mack 10.jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Mack 10 - The Paper Route (Parental Advisory).jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Mack 10 - The Recipe (Edited).jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Mack 10 - The Recipe (Parental Advisory).jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Mandingo - Cristal Y Acero.jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Mario Lanza - Mario!_ Lanza At His Best_Vagabond King Highlights.jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Mario Pacheco - Clube De Fado A Musica E A Guitarra.jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Mario Sammarco - Voces Historicas Del Teatro Read De Madrid.jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Men Of Vizion - MOV.jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Men Of Vizion - Personal.jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Michael's Uncle - The End Of Dark Psychedelia _ Live 1987.jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Monica Sinclair - Le Nozze Di Figaro.jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Naughty By Nature - 19 Naughty Nine_ Nature's Fury.jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Naughty By Nature - Greatest Hits_ Naughty's Nicest.jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Naughty By Nature - Ninteen Naughty Nine_ Nature's Fury (Edited).jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Paul Wall - Chick Magnet_ Chopped & Skrewed By Micheal Watts (Parental Advisory).jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Paul Wall - Da Bottom_ Vol.8 (Parental Advisory).jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Paul Wall - Get Money Stay True (Parental Advisory).jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Paul Wall - Get Ya Mind Correct (Chopped & Skrewed) (Parental Advisory).jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Paul Wall - Get Ya Mind Correct (Parental Advisory).jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Paul Wall - Gymc_ The Remix Album (Parental Advisory).jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Paul Wall - Houston We Have A Problem_ Vol.2 (Parental Advisory).jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Paul Wall - The People's Champ_ Chopped And Screwed (Parental Advisory).jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Paul Wall - Whut It Dew_ Vol.1 (Parental Advisory).jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Rosemary Clooney - Greatest Hits.jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Round And Round - Our Fire.jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Shade Sheist - Informal Introduction.jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Sheep On Drugs - One For The Money (Unreleased) (Parental Advisory).jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Solo - Judged By Self.jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\T-Pain - Epiphany (Parental Advisory).jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\T.I. - Whut It Dew 2 (Parental Advisory).jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\The Tao Of Groove - Chill Pill_ Prescribed Laid-Back Grooves_ Vol.3.jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\The Tao Of Groove - Latin Travels_ Vol.2_ A Six Degrees Collection.jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\The Whispers - Anthology.jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\The Whispers - Christmas Moments.jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\The Whispers - Club Epic_ Vol.1.jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\The Whispers - Greatest Slow Jams_ Vol.1.jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\The Whispers - Greatest Slow Jams_ Vol.2.jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\The Whispers - Headlights.jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\The Whispers - More Of The Night.jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\The Whispers - Song Book_ Vol.1_ The Songs Of Babyface.jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Tribute Sounds Presents - Tribute To Tupac Shakur (Parental Advisory).jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Vanessa Lowe - 57 Suspect Words.jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Artwork\Vanessa Williams - The Best Of Vanessa Williams_ Vol.2_ The Christmas Collection.jpeg
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Creatives.xml
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\1.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\10.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\1040.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\1043.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\1044.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\1050.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\1054.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\1055.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\1057.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\1058.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\1060.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\1062.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\1063.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\1070.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\11.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\12.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\13.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\14.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\15.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\16.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\17.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\18.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\19.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\2.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\20.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\21.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\22.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\23.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\24.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\25.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\26.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\27.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\28.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\29.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\3.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\30.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\31.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\32.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\33.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\34.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\35.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\36.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\37.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\38.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\4.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\5.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\6.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\7.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\8.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\CreativesFiles\9.gif
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Data\DataBase\__db.001
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Data\DataBase\__db.002
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Data\DataBase\__db.003
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Data\DataBase\__db.004
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Data\DataBase\__db.005
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Data\DataBase\__db.006
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Data\DataBase\BackUp\DataDir\ContentDirs.db
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Data\DataBase\BackUp\DataDir\ContentFile.db
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Data\DataBase\BackUp\DataDir\DownloadFile.db
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Data\DataBase\BackUp\DataDir\PartsHashes.db
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Data\DataBase\BackUp\DataDir\Playlists.db
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Data\DataBase\DataDir\ContentDirs.db
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Data\DataBase\DataDir\ContentFile.db
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Data\DataBase\DataDir\DownloadFile.db
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Data\DataBase\DataDir\PartsHashes.db
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Data\DataBase\DataDir\Playlists.db
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Data\DataBase\LgDir\log.0000000003
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\Data\rjn.a92
c:\documents and settings\Owner.LANDSCAPING\Application Data\BearShare\IMPictures\11255299.gif
c:\program files\BearShare Applications
c:\program files\BearShare Applications\BearShare\ammp3.dll
c:\program files\BearShare Applications\BearShare\avcodec-51.dll
c:\program files\BearShare Applications\BearShare\avformat-51.dll
c:\program files\BearShare Applications\BearShare\avutil-49.dll
c:\program files\BearShare Applications\BearShare\BearShare.exe
c:\program files\BearShare Applications\BearShare\DiscoveryHelper.dll
c:\program files\BearShare Applications\BearShare\FFPage.exe
c:\program files\BearShare Applications\BearShare\FixAudioDriverSignature.reg
c:\program files\BearShare Applications\BearShare\GIFAnimator.dll
c:\program files\BearShare Applications\BearShare\HTML\error.html
c:\program files\BearShare Applications\BearShare\HTML\loading.html
c:\program files\BearShare Applications\BearShare\HTML\noInternet.html
c:\program files\BearShare Applications\BearShare\HTML\offline.html
c:\program files\BearShare Applications\BearShare\IMWebControl.dll
c:\program files\BearShare Applications\BearShare\lame_enc.dll
c:\program files\BearShare Applications\BearShare\Launcher.exe
c:\program files\BearShare Applications\BearShare\libungif4.dll
c:\program files\BearShare Applications\BearShare\lic_helper.dll
c:\program files\BearShare Applications\BearShare\license.txt
c:\program files\BearShare Applications\BearShare\licenseWMP11.rtf
c:\program files\BearShare Applications\BearShare\msvcp71.dll
c:\program files\BearShare Applications\BearShare\msvcr71.dll
c:\program files\BearShare Applications\BearShare\NCTAudioCDGrabber2.dll
c:\program files\BearShare Applications\BearShare\NCTAudioCDWriter2.dll
c:\program files\BearShare Applications\BearShare\NCTAudioCompress3.dll
c:\program files\BearShare Applications\BearShare\NCTAudioFile3.dll
c:\program files\BearShare Applications\BearShare\NCTAudioFileWMA3.dll
c:\program files\BearShare Applications\BearShare\NCTAudioFormatSettings3.dll
c:\program files\BearShare Applications\BearShare\NCTDataCDWriter2.dll
c:\program files\BearShare Applications\BearShare\PersonalizationUninstall.exe
c:\program files\BearShare Applications\BearShare\PortableMediaDeviceWrapper.dll
c:\program files\BearShare Applications\BearShare\ResourcesLOC.dll
c:\program files\BearShare Applications\BearShare\shistory.im
c:\program files\BearShare Applications\BearShare\Shw32.dll
c:\program files\BearShare Applications\BearShare\Skins\Default.skn
c:\program files\BearShare Applications\BearShare\Skins\Default.xml
c:\program files\BearShare Applications\BearShare\Skins\Images\DefArtwork.jpg
c:\program files\BearShare Applications\BearShare\Skins\Images\FriendshipNotif.jpg
c:\program files\BearShare Applications\BearShare\Skins\Images\TAFLogo.PNG
c:\program files\BearShare Applications\BearShare\Skins\Images\ToGoLogo.PNG
c:\program files\BearShare Applications\BearShare\Skins\Settings.xml
c:\program files\BearShare Applications\BearShare\UninstallSurvey.exe
c:\program files\BearShare Applications\BearShare\UNWISE.EXE
c:\program files\BearShare Applications\BearShare\UpdateInst.exe
c:\program files\BearShare Applications\BearShare\WMAProfiles.prx
c:\program files\BearShare Applications\BearShare\WMHelper.dll
c:\program files\BearShare Applications\BearShare\WMHelper.log
c:\program files\BearShare Applications\Common\InstallHelper.dll

.
((((((((((((((((((((((((( Files Created from 2008-10-07 to 2008-11-07 )))))))))))))))))))))))))))))))
.

2008-11-07 13:09 . 2008-11-07 13:35 <DIR> d-------- c:\windows\LastGood
2008-11-06 11:07 . 2008-11-06 11:07 <DIR> d-------- c:\windows\MPSReports
2008-11-05 18:33 . 2008-11-07 12:18 <DIR> d-------- c:\program files\Trend Micro
2008-11-05 17:42 . 2008-11-05 17:49 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-05 17:00 . 2008-11-05 17:00 <DIR> d-------- C:\VundoFix Backups
2008-11-05 16:50 . 2008-11-05 16:54 <DIR> d-------- c:\program files\SpyZooka
2008-11-05 16:50 . 2008-11-05 16:50 <DIR> d-------- c:\program files\Common Files\Download Manager
2008-11-05 15:50 . 2008-11-05 15:52 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-05 15:50 . 2008-11-05 16:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-05 15:32 . 2008-11-05 15:32 <DIR> d----c--- c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-10-23 23:42 . 2008-10-15 11:34 337,408 --a--c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-14 12:41 . 2008-09-08 05:41 333,824 --a--c--- c:\windows\system32\dllcache\srv.sys
2008-10-14 12:40 . 2008-08-14 05:11 2,189,184 --a--c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-14 12:40 . 2008-08-14 05:09 2,145,280 --a--c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-14 12:40 . 2008-08-14 04:33 2,066,048 --a--c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-14 12:40 . 2008-08-14 04:33 2,023,936 --a--c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-14 12:40 . 2008-09-15 07:12 1,846,400 --a--c--- c:\windows\system32\dllcache\win32k.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-05 18:59 --------- d-----w c:\documents and settings\Owner.LANDSCAPING\Application Data\Earthlink
2008-11-05 18:58 --------- d-----w c:\program files\Embarq TotalAccess
2008-10-26 00:15 --------- d-----w c:\program files\HP
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-03 17:41 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-10-03 17:21 --------- d-----w c:\documents and settings\Owner.LANDSCAPING\Application Data\skypePM
2008-10-02 14:37 32,549 ----a-w c:\windows\king-uninstall.exe
2008-09-24 14:31 172 ----a-w c:\documents and settings\Owner.LANDSCAPING\Application Data\wklnhst.dat
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-11 19:39 --------- d-----w c:\documents and settings\Owner.LANDSCAPING\Application Data\AVGTOOLBAR
2008-09-10 12:59 --------- d-----w c:\program files\Microsoft Works
2008-09-08 10:41 333,824 ----a-w c:\windows\system32\drivers\srv.sys
2008-09-06 17:26 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-14 10:11 2,189,184 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((( snapshot@2008-11-07_13.08.02.84 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-19 02:10:48 94,920 ----a-w c:\windows\LastGood\system32\cdm.dll
+ 2008-07-19 02:09:44 563,912 ----a-w c:\windows\LastGood\system32\wuapi.dll
+ 2008-07-19 02:10:42 53,448 ----a-w c:\windows\LastGood\system32\wuauclt.exe
+ 2008-07-19 02:09:42 1,811,656 ----a-w c:\windows\LastGood\system32\wuaueng.dll
+ 2008-07-19 02:09:46 325,832 ----a-w c:\windows\LastGood\system32\wucltui.dll
+ 2008-07-19 02:10:20 36,552 ----a-w c:\windows\LastGood\system32\wups.dll
+ 2008-07-19 02:10:40 45,768 ----a-w c:\windows\LastGood\system32\wups2.dll
- 2008-07-19 02:10:48 94,920 -c--a-w c:\windows\system32\dllcache\cdm.dll
+ 2008-10-16 19:09:44 92,696 -c--a-w c:\windows\system32\dllcache\cdm.dll
- 2008-07-19 02:10:42 53,448 -c--a-w c:\windows\system32\dllcache\wuauclt.exe
+ 2008-10-16 19:09:44 51,224 -c--a-w c:\windows\system32\dllcache\wuauclt.exe
- 2008-07-19 02:09:42 1,811,656 -c--a-w c:\windows\system32\dllcache\wuaueng.dll
+ 2008-10-16 19:13:40 1,809,944 -c--a-w c:\windows\system32\dllcache\wuaueng.dll
- 2008-07-19 02:09:46 325,832 -c--a-w c:\windows\system32\dllcache\wucltui.dll
+ 2008-10-16 19:12:22 323,608 -c--a-w c:\windows\system32\dllcache\wucltui.dll
- 2007-08-13 23:39:10 13,312 ----a-w c:\windows\system32\ieudinit.exe
+ 2008-08-25 08:38:00 13,824 ----a-w c:\windows\system32\ieudinit.exe
+ 2008-10-16 19:12:20 561,688 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wuapi.dll\7.2.6001.788\wuapi.dll
+ 2008-10-16 19:08:58 34,328 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll
+ 2008-10-16 19:09:44 43,544 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.788\wups2.dll
- 2007-11-30 11:18:51 17,272 ----a-w c:\windows\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-01 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-06 29744]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-09 139264]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-22 98304]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-09-29 1234712]
"nwiz"="nwiz.exe" [2005-09-18 c:\windows\system32\nwiz.exe]
"CHotkey"="zHotkey.exe" [2004-12-08 c:\windows\zHotkey.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-14 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= c:\windows\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= c:\windows\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-09-06 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-09-06 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-09-06 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-09-06 76040]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-09-06 29744]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57aa2887-f690-11da-99ac-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2006-10-01 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-04-13 19:12]

2006-10-01 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-04-13 19:12]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-07 13:57:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-07 13:58:25
ComboFix-quarantined-files.txt 2008-11-07 18:58:12
ComboFix2.txt 2008-11-07 18:08:27

Pre-Run: 183,193,812,992 bytes free
Post-Run: 183,164,997,632 bytes free

357 --- E O F --- 2008-11-07 18:26:46


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:01:40 PM, on 11/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\carolina.exe\carolina.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.509.5470\swg.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {41F841C1-AE16-11D5-8817-0050DA6EF5E5} (FarPoint Spread 6.0) - https://www.acsenterprisesystem.com/CAB and license files/SPR32X60.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1220723557343
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFD55825-72C0-40DF-BD3C-CBCE10E3FE37}: NameServer = 63.162.197.69 63.162.197.99
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 7354 bytes
 
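Reading a HijackThis log by hand is error-prone, so here is a small Python parser over a few lines copied from the log above. This is an added example, not part of this thread and not code from HijackThis, ComboFix or Trend Micro. The triage rules it applies (an entry whose target is `(no file)`, an O4 Run value that is a bare filename rather than a full path, and O17 per-adapter name servers) are this example's own heuristics for what to look at first; they are not a verdict on any entry. The bare-filename rule is grounded in the log itself: the O4 value `zHotkey.exe` carries no directory, and ComboFix resolved it to `c:\windows\zHotkey.exe` through the search path, which is exactly the kind of resolution worth confirming.

```python
"""Parse HijackThis R/O lines and flag the ones a log reviewer checks first.

Added example; not part of the original thread. SAMPLE_LOG is constructed from
lines copied out of the HijackThis log posted above."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_LOG = r"""
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFD55825-72C0-40DF-BD3C-CBCE10E3FE37}: NameServer = 63.162.197.69 63.162.197.99
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
"""

# "O4 - HKLM\..\Run: [name] command" : section, then the rest of the line.
LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
O4_RE = re.compile(r"^(?P<key>.*?): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")


@dataclass
class Entry:
    section: str            # R3, O2, O4, O17, O23, ...
    name: str               # BHO/service/Run value name, or the Tcpip key for O17
    clsid: Optional[str]    # first CLSID/GUID on the line, if any
    target: str             # file, command line, or name-server list
    raw: str


def parse_line(line: str) -> Optional[Entry]:
    """Turn one HijackThis line into an Entry, or None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    clsid_m = CLSID_RE.search(body)
    clsid = clsid_m.group(0) if clsid_m else None
    if section == "O4":
        o4 = O4_RE.match(body)
        if not o4:
            return None
        return Entry(section, o4.group("name"), None, o4.group("cmd").strip(), line)
    if section == "O17":
        # "HKLM\...\{GUID}: NameServer = ip ip"
        key, _, servers = body.partition(": NameServer = ")
        return Entry(section, key, clsid, servers.strip(), line)
    # Generic "Type: Name - {CLSID} - path" and "Service: Name - Company - path":
    # the last " - " field is the file, the first carries the display name.
    parts = [p.strip() for p in body.split(" - ")]
    name = parts[0].split(": ", 1)[-1]
    target = parts[-1] if len(parts) > 1 else ""
    return Entry(section, name, clsid, target, line)


def review(log: str) -> List[Tuple[str, str, str]]:
    """Return (section, name, reason) for entries worth a second look."""
    findings: List[Tuple[str, str, str]] = []
    for line in log.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e.target == "(no file)":
            findings.append((e.section, e.name,
                             "registered object with no file on disk; orphaned entry"))
        elif e.section == "O4" and e.target and not re.search(r"[\\/]", e.target.split()[0]):
            # No directory in the Run value: Windows locates it through the
            # search path, so confirm which file actually executes.
            findings.append((e.section, e.name,
                             "bare filename in Run value; confirm which file is resolved"))
        elif e.section == "O17":
            findings.append((e.section, e.name,
                             f"per-adapter DNS servers {e.target}; confirm they belong to the ISP"))
    return findings


if __name__ == "__main__":
    for section, name, reason in review(SAMPLE_LOG):
        print(f"{section:4} {name}: {reason}")
```

Run it as-is to see the three sample findings; to use it on a real log, pass the file contents to `review()`. The O17 flag is deliberately a prompt for a question, not a detection: two of the addresses in this thread's log may well be the ISP's own resolvers, and only the owner can confirm that.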
Please go to Kaspersky website and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log.

If you need a tutorial, see here
 
I have to leave for about 20 min. Is it safe to keep my computer running, or should I shut it down??

You have no idea how much I appreciate your help....
 
It is fine to leave it running if you start the scan first. The scan will likely take hours.

Otherwise, please shut it down.
 