So the malware I have is braviax as Spy Doctor picks it up every time on start up. I downloaded and ran silent runners and here's the result -

"Silent Runners.vbs", revision 56, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Symantec PIF AlertEng" = ""C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"" ["Symantec Corporation"]
"MSN Messenger" = "msn.com" [file not found]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"RECGUARD" = "C:\WINDOWS\SMINST\RECGUARD.EXE" [empty string]
"ps2" = "C:\WINDOWS\system32\ps2.exe" [file not found]
"KBD" = "C:\HP\KBD\KBD.EXE" ["Hewlett-Packard Company"]
"ISUSPM Startup" = "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup" ["InstallShield Software Corporation"]
"hpsysdrv" = "c:\windows\system\hpsysdrv.exe" ["Hewlett-Packard Company"]
"HP Software Update" = "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]
"ehTray" = "C:\WINDOWS\ehome\ehtray.exe" [MS]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"ATIPTA" = ""C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"" ["ATI Technologies, Inc."]
"ISTray" = ""C:\Program Files\Spyware Doctor\pctsTray.exe"" ["PC Tools"]
"osCheck" = ""C:\Program Files\Norton Internet Security\osCheck.exe"" ["Symantec Corporation"]
"ISUSScheduler" = ""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" ["InstallShield Software Corporation"]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe" ["Sun Microsystems, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Inc."]
"MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]
"MSN Configuration" = "msnconfig.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{DBFB267C-334F-4F19-A304-63B7130C20C7}" = "MediaCenter Property Page"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "arpower.dll" ["Microsoft"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "ShellViewRTF"
-> {HKLM...CLSID} = "ShellViewRTF"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{acb4a560-3606-11d3-aef4-00104bd0f92d}" = "KodakShellExtension"
-> {HKLM...CLSID} = "KodakShellExtension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Kodak\ifscore\KodakShX.dll" ["Eastman Kodak Company"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWA RE\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "Shell" = "EXPLORER.EXE \556137.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\PROGRA~1\NORTON~1\NORTON~1\NavShExt.dll" ["Symantec Corporation"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\PROGRA~1\NORTON~1\NORTON~1\NavShExt.dll" ["Symantec Corporation"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoCDBurning" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"InstallVisualStyle" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
{unrecognized setting}

"InstallTheme" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale.theme
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\HP_Administrator\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\ssmypics.scr" [MS]


DESKTOP.INI DLL launch in local fixed drive directories:
--------------------------------------------------------

D:\cmdcons\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\hp\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\I386\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\MiniNT\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\PRELOAD\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\SYSTEM.SAV\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\TOOLS\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]


Startup items in "HP_Administrator" & "All Users" startup folders:
------------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]
"Updates from HP" -> shortcut to: "C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe -startup" ["Hewlett-Packard"]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
"HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0" -> launches: "c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe Sched HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0" [null data]
"Norton Internet Security - Run Full System Scan - HP_Administrator" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /TASK:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Program Files\Common Files\PC Tools\LSP\PCTLsp.dll ["PC Tools Research Pty Ltd."], 01 - 03, 19
%SystemRoot%\system32\mswsock.dll [MS], 04 - 16
%SystemRoot%\system32\rsvpsp.dll [MS], 17 - 18


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{90222687-F593-4738-B738-FBEE9C7B26DF}" = "NCO Toolbar"
-> {HKLM...CLSID} = "Show Norton Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll" ["Symantec Corporation"]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_03"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_03"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."]

{3AD14F0C-ED16-4E43-B6D8-661B03F6A1EF}\
"ButtonText" = "PokerStars"
"Exec" = "C:\Program Files\PokerStars\PokerStarsUpdate.exe" ["PokerStars"]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{E2D4D26B-0180-43A4-B05F-462D6D54C789}\
"ButtonText" = "Connection Help"
"MenuText" = "Connection Help"
"Script" = "C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm" [null data]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]
ARSVC, ARSVC, "C:\WINDOWS\arservice.exe" ["Microsoft"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
HP CUE DeviceDiscovery Service, hpqddsvc, "C:\WINDOWS\system32\svchost.exe -k hpdevmgmt" {"C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll" ["Hewlett-Packard Co."]}
hpqcxs08, hpqcxs08, "C:\WINDOWS\system32\svchost.exe -k hpdevmgmt" {"C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll" ["Hewlett-Packard Co."]}
iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Inc."]
LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
Media Center Extender Service, McrdSvc, "C:\WINDOWS\ehome\mcrdsvc.exe" [MS]
Media Center Receiver Service, ehRecvr, "C:\WINDOWS\eHome\ehRecvr.exe" [MS]
Media Center Scheduler Service, ehSched, "C:\WINDOWS\eHome\ehSched.exe" [MS]
Net Driver HPZ12, Net Driver HPZ12, "C:\WINDOWS\System32\svchost.exe -k HPZ12" {"C:\WINDOWS\system32\HPZinw12.dll" ["Hewlett-Packard"]}
PC Tools Auxiliary Service, sdAuxService, "C:\Program Files\Spyware Doctor\pctsAuxs.exe" ["PC Tools"]
PC Tools Security Service, sdCoreService, "C:\Program Files\Spyware Doctor\pctsSvc.exe" ["PC Tools"]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\System32\svchost.exe -k HPZ12" {"C:\WINDOWS\system32\HPZipm12.dll" ["Hewlett-Packard"]}


Keyboard Driver Filters:
------------------------

HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = <<!>> "arkbcfltr" [MS]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
HP Standard TCP/IP Port\Driver = "HpTcpMon.dll" ["Hewlett Packard"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
PCL Language Monitor\Driver = "hpz3l4v2.dll" ["Hewlett-Packard Company"]


---------- (launch time: 2008-03-02 11:40:23)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 106 seconds.
---------- (total run time: 167 seconds)

FYI - I can't seem to get Hijack This, Combo Fix or DSS working.

Hello benhal8

Welcome to G2Go.
=====================
Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
• Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

Thanks for the welcome and your time.

I can't get SDFix to run either.

You're welcome try renaming sdfix.

If that won't try to rename the dss scan to kahdah.exe and try to run it please.

I was able to run sdfix and dss after renaming them, but I'm unable to start in safe mode. A screen pops up that says

Please select the operating system to start
Windows XP Media Center Edition
Microsoft Windows Recovery Console

For troubleshooting and advanced startup options for Windows, press F8

I press F8 but nothing occurs.

Also, even after renaming Hijack This I am unable to run it.

This post has been edited by benhal8: Mar 2 2008, 02:54 PM

Here's the Deckard's scan results:

Deckard's System Scanner v20071014.68
Run by HP_Administrator on 2008-03-02 14:53:06
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-03-02 20:53:08 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as HP_Administrator.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:57:49 PM, on 3/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\MSN Messenger\msn.com
C:\WINDOWS\live.messenger.com
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\msnconfig.exe
C:\WINDOWS\system32\BDAGENTS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Administrator\Desktop\dssd.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\HP_Administrator.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.hp.com/servlet/WebReg.serv...8AA&LF=blue
F2 - REG:system.ini: Shell=EXPLORER.EXE \232602.exe
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [MSN Messenger] msn.com
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RECGUARD] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ps2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [MSN Configuration] msnconfig.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Microsoft Update] BDAGENTS.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [Microsoft Update] BDAGENTS.EXE
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: cru629.dat
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9879 bytes

-- File Associations -----------------------------------------------------------

.ini - inifile - shell\open\command - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1
.txt - txtfile - shell\open\command - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfsync02 (StarForce Protection Synchronization Driver (version 2.x)) - c:\windows\system32\drivers\sfsync02.sys <Not Verified; Protection Technology; StarForce Protection System>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S0 ftsata2 - c:\windows\system32\drivers\ftsata2.sys (file missing)
S1 intelppm (Intel Processor Driver) - c:\windows\system32\drivers\intelppm.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-02-29 20:34:18 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-02-29 20:00:00 586 --a------ C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - HP_Administrator.job
2008-01-18 15:46:24 1026 --ah----- C:\WINDOWS\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job


-- Files created between 2008-02-02 and 2008-03-02 -----------------------------

2008-03-02 14:39:16 143872 -rahs---- C:\232602.exe
2008-03-02 14:39:13 143872 -rahs---- C:\737844.exe
2008-03-02 13:50:10 41517 ---h----- C:\WINDOWS\system32\bdagents.exe
2008-03-02 11:53:01 0 d-------- C:\Program Files\Trend Micro
2008-03-02 11:34:19 143872 -rahs---- C:\556137.exe
2008-03-02 11:34:16 143872 -rahs---- C:\218632.exe
2008-03-02 10:03:56 13312 --a------ C:\WINDOWS\braviax.exe
2008-03-02 09:55:53 143872 -rahs---- C:\472220.exe
2008-03-02 08:55:32 41233 -r-hs---- C:\WINDOWS\msnconfig.exe
2008-03-02 08:53:47 143872 -rahs---- C:\884573.exe
2008-03-01 18:32:01 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-03-01 16:26:04 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Uniblue
2008-03-01 16:08:13 143872 -rahs---- C:\813484.exe
2008-03-01 16:08:09 143872 -rahs---- C:\588684.exe
2008-03-01 16:04:38 143872 -rahs---- C:\414661.exe
2008-03-01 16:04:35 143872 -rahs---- C:\467838.exe
2008-03-01 12:08:59 143872 -rahs---- C:\664846.exe
2008-03-01 12:08:55 143872 -rahs---- C:\667677.exe
2008-03-01 08:37:52 143872 -rahs---- C:\742208.exe
2008-03-01 08:37:48 143872 -rahs---- C:\622743.exe
2008-03-01 08:21:52 143872 -rahs---- C:\682464.exe
2008-03-01 08:21:51 143872 -rahs---- C:\808444.exe
2008-02-29 18:29:38 0 d--hs---- C:\WINDOWS\ftpcache
2008-02-29 18:00:32 143872 -rahs---- C:\535673.exe
2008-02-29 18:00:28 143872 -rahs---- C:\277411.exe
2008-02-29 17:52:18 143872 -rahs---- C:\211116.exe
2008-02-29 17:52:15 143872 -rahs---- C:\073072.exe
2008-02-29 17:48:13 143872 -rahs---- C:\887544.exe
2008-02-29 17:48:08 143872 -rahs---- C:\034254.exe
2008-02-29 15:14:07 143872 -rahs---- C:\667708.exe
2008-02-29 15:14:04 143872 -rahs---- C:\534732.exe
2008-02-29 12:24:23 143872 -rahs---- C:\040120.exe
2008-02-29 12:24:19 143872 -rahs---- C:\587576.exe
2008-02-29 11:43:38 143872 -rahs---- C:\430675.exe
2008-02-29 11:43:36 143872 -rahs---- C:\746611.exe
2008-02-29 07:58:39 143872 -rahs---- C:\136010.exe
2008-02-29 07:58:35 143872 -rahs---- C:\240273.exe
2008-02-28 20:56:28 143872 -rahs---- C:\372741.exe
2008-02-28 20:56:25 143872 -rahs---- C:\185273.exe
2008-02-28 20:53:21 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-02-28 20:33:45 143872 -rahs---- C:\660705.exe
2008-02-28 20:33:42 143872 -rahs---- C:\033055.exe
2008-02-28 20:29:51 0 d-------- C:\Program Files\Common Files\PC Tools
2008-02-28 20:19:43 143872 -rahs---- C:\417236.exe
2008-02-28 20:19:41 143872 -rahs---- C:\126043.exe
2008-02-28 20:12:37 143872 -rahs---- C:\582471.exe
2008-02-28 20:12:34 143872 -rahs---- C:\662215.exe
2008-02-28 19:49:44 143872 -rahs---- C:\431401.exe
2008-02-28 19:49:41 143872 -rahs---- C:\753328.exe
2008-02-28 19:33:23 16118 --a------ C:\WINDOWS\system32\kygy.bin
2008-02-28 19:33:23 17134 --a------ C:\WINDOWS\system32\ehoqu.scr
2008-02-28 19:33:23 18462 --a------ C:\WINDOWS\itoz.sys
2008-02-28 19:33:23 14676 --a------ C:\WINDOWS\goges.scr
2008-02-28 19:33:23 12754 --a------ C:\Program Files\Common Files\rimoze.vbs
2008-02-28 19:27:33 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-28 19:27:20 0 d-------- C:\Program Files\Spyware Doctor
2008-02-28 19:27:20 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\PC Tools
2008-02-28 18:45:57 17283 --a------ C:\WINDOWS\igocepekak.reg
2008-02-28 18:45:57 16788 --a------ C:\WINDOWS\ewugatylu.exe
2008-02-28 18:45:57 12580 --a------ C:\Program Files\Common Files\ofydupuv.dll
2008-02-28 18:45:56 10653 --a------ C:\WINDOWS\system32\tahos.dll
2008-02-28 18:45:56 19376 --a------ C:\WINDOWS\exagut.bat
2008-02-28 18:45:56 19743 --a------ C:\Program Files\Common Files\ozipamin.scr
2008-02-28 18:45:56 13147 --a------ C:\Documents and Settings\HP_Administrator\Application Data\nasynubor.sys
2008-02-28 18:32:39 143872 -rahs---- C:\764814.exe
2008-02-28 18:32:37 143872 -rahs---- C:\365731.exe
2008-02-28 18:30:07 143872 -rahs---- C:\442187.exe
2008-02-28 18:30:05 143872 -rahs---- C:\152456.exe
2008-02-28 18:29:53 6144 --a------ C:\WINDOWS\system32\cru629.dat
2008-02-28 18:29:53 6144 --a------ C:\WINDOWS\cru629.dat
2008-02-28 17:55:22 143872 -rahs---- C:\563624.exe
2008-02-28 17:55:16 143872 -rahs---- C:\344248.exe
2008-02-28 17:49:47 143872 -rahs---- C:\740564.exe
2008-02-28 17:49:47 143872 -rahs---- C:\667760.exe
2008-02-28 17:44:26 143872 -rahs---- C:\040145.exe
2008-02-28 17:44:23 143872 -rahs---- C:\324616.exe
2008-02-28 17:40:09 143872 -rahs---- C:\384301.exe
2008-02-28 17:40:08 143872 -rahs---- C:\461131.exe
2008-02-28 17:35:48 143872 -rahs---- C:\241060.exe
2008-02-28 17:35:46 143872 -rahs---- C:\442824.exe
2008-02-28 17:33:37 143872 -rahs---- C:\638051.exe
2008-02-28 17:33:28 143872 -rahs---- C:\566353.exe
2008-02-28 17:21:16 0 d-------- C:\WINDOWS\pss
2008-02-28 17:12:49 143872 -rahs---- C:\145060.exe
2008-02-28 17:12:45 143872 -rahs---- C:\184618.exe
2008-02-28 16:34:37 143872 -rahs---- C:\440707.exe
2008-02-28 16:34:33 143872 -rahs---- C:\541436.exe
2008-02-28 16:25:40 143872 -rahs---- C:\367587.exe
2008-02-28 16:25:38 143872 -rahs---- C:\018760.exe
2008-02-28 16:07:28 143872 -rahs---- C:\625513.exe
2008-02-28 16:07:25 143872 -rahs---- C:\150417.exe
2008-02-28 16:00:26 143872 -rahs---- C:\644028.exe
2008-02-28 15:58:54 143872 -rahs---- C:\834423.exe
2008-02-28 15:56:01 143872 -rahs---- C:\827263.exe
2008-02-28 15:55:59 143872 -rahs---- C:\201270.exe
2008-02-28 15:50:04 143872 -rahs---- C:\032626.exe
2008-02-28 15:50:00 143872 -rahs---- C:\778614.exe
2008-02-28 14:47:00 143872 -rahs---- C:\327586.exe
2008-02-28 14:46:57 143872 -rahs---- C:\268221.exe
2008-02-28 11:17:58 143872 -rahs---- C:\660771.exe
2008-02-28 11:17:54 143872 -rahs---- C:\350583.exe
2008-02-27 08:00:41 143872 -rahs---- C:\111007.exe
2008-02-27 08:00:38 143872 -rahs---- C:\328727.exe
2008-02-26 13:26:23 143872 -rahs---- C:\874708.exe
2008-02-26 13:26:20 143872 -rahs---- C:\027610.exe
2008-02-26 08:14:47 143872 -rahs---- C:\882628.exe
2008-02-26 08:14:29 143872 -rahs---- C:\223252.exe
2008-02-26 06:42:15 143872 -rahs---- C:\746117.exe
2008-02-26 06:42:11 143872 -rahs---- C:\035560.exe
2008-02-25 17:10:54 143872 -rahs---- C:\788605.exe
2008-02-25 17:10:49 143872 -rahs---- C:\040228.exe
2008-02-25 07:41:44 143872 -rahs---- C:\268661.exe
2008-02-25 07:41:40 143872 -rahs---- C:\511812.exe
2008-02-24 09:31:00 143872 -rahs---- C:\510344.exe
2008-02-24 09:30:57 143872 -rahs---- C:\134187.exe
2008-02-23 09:04:31 143872 -rahs---- C:\782826.exe
2008-02-23 09:04:28 32 --a------ C:\WINDOWS\system32\1.bat
2008-02-23 09:04:28 143872 -rahs---- C:\627307.exe
2008-02-22 21:06:02 143872 -rahs---- C:\303061.exe
2008-02-22 21:05:59 143872 -rahs---- C:\108661.exe
2008-02-22 20:59:00 0 d-------- C:\Program Files\QuickTime
2008-02-22 16:21:20 143872 -rahs---- C:\735688.exe
2008-02-22 16:21:17 143872 -rahs---- C:\673187.exe
2008-02-22 07:25:10 143872 -rahs---- C:\447102.exe
2008-02-22 07:25:02 143872 -rahs---- C:\116483.exe
2008-02-21 12:09:59 32 --a------ C:\WINDOWS\system32\2.bat
2008-02-21 12:09:58 32 --a------ C:\WINDOWS\system32\0.bat
2008-02-21 12:09:58 143872 -rahs---- C:\337025.exe
2008-02-20 20:11:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2008-02-20 20:10:20 0 d-------- C:\Program Files\MSN Messenger
2008-02-09 15:54:51 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-09 15:54:33 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-07 18:13:16 846848 -r-hs---- C:\WINDOWS\wkssvc.exe


-- Find3M Report ---------------------------------------------------------------

2008-03-01 08:22:53 0 d-------- C:\Program Files\PokerStars
2008-02-29 17:54:53 0 d-------- C:\Program Files\Messenger
2008-02-28 20:29:51 0 d-------- C:\Program Files\Common Files
2008-02-28 19:33:23 13625 --a------ C:\Documents and Settings\HP_Administrator\Application Data\kebejuhuqu._dl
2008-02-28 19:33:23 19295 --a------ C:\Documents and Settings\HP_Administrator\Application Data\aqonawy.db
2008-02-28 18:45:57 12533 --a------ C:\Program Files\Common Files\kudupewefu._dl
2008-02-28 18:45:57 14341 --a------ C:\Documents and Settings\HP_Administrator\Application Data\imavoj._dl
2008-02-28 18:45:57 19972 --a------ C:\Documents and Settings\HP_Administrator\Application Data\awizelyw.inf
2008-02-28 18:45:56 17425 --a------ C:\Documents and Settings\HP_Administrator\Application Data\ocifehafe.dl
2008-02-28 18:28:34 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-22 21:01:25 0 d-------- C:\Program Files\iTunes
2008-02-22 21:01:13 0 d-------- C:\Program Files\iPod
2008-02-16 19:04:22 0 d-------- C:\Program Files\Real
2008-02-10 22:51:20 0 d-------- C:\Program Files\Incomplete
2008-02-09 08:00:49 0 d--h----- C:\Documents and Settings\HP_Administrator\Application Data\Move Networks
2008-01-16 14:48:26 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Nikon
2008-01-16 14:48:24 0 d-------- C:\Program Files\Common Files\Nikon


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [11/28/2007 07:51 PM]
"MSN Messenger"="msn.com" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [11/10/2005 06:30 PM]
"RECGUARD"="C:\WINDOWS\SMINST\RECGUARD.EXE" [07/23/2005 12:14 AM]
"ps2"="C:\WINDOWS\system32\ps2.exe" []
"KBD"="C:\HP\KBD\KBD.EXE" [02/02/2005 03:44 PM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [07/28/2004 01:50 AM]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [05/07/1998 10:04 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [12/10/2006 08:52 PM]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/05/2005 10:56 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/09/2007 09:59 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/14/2005 06:05 AM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [09/05/2006 07:22 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [07/28/2004 01:50 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe" [08/27/2005 03:14 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [01/31/2008 11:13 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/19/2008 01:10 PM]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [08/10/2004 06:00 AM]
"MSN Configuration"="msnconfig.exe" [03/02/2008 08:55 AM C:\WINDOWS\msnconfig.exe]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [02/01/2008 12:55 PM]
"Microsoft Update"="BDAGENTS.EXE" [03/02/2008 01:50 PM C:\WINDOWS\system32\bdagents.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 06:00 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 05:24 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"Microsoft Update"=BDAGENTS.EXE

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [1/2/2007 8:40:10 PM]
Updates from HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [11/10/2005 6:50:28 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="EXPLORER.EXE \232602.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=cru629.dat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=C:\WINDOWS\pss\NkbMonitor.exe.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
ARPWRMSG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\braviax]
braviax.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Console]
wkssvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinReanimator]
"C:\Program Files\WinReanimator\WinReanimator.exe" /hide

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08 hpqddsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d2c1cefc-9817-11da-9069-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2008-03-02 14:58:42 ------------

Note this will remove two system files because they are infected.
The files that we are removing are these two:
C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys
(Beep.sys is used only to make simple "beep" sounds even if no sound card is installed.
Windows works absolutely correct without beep.sys driver.)
Nothing to worry about.
So if you get a warning saying that you have files that need to be replaced do not be worried.

Also please delete your version of Combofix please (Just the Icon)
============================================================
Make sure that you paste the following file paths under the yellow bar within the OTMoveit2 program or it will not work correctly.

Please download the OTMoveIt2 by OldTimer.

• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  CODE
  C:\232602.exe
  C:\737844.exe
  C:\WINDOWS\system32\bdagents.exe
  C:\556137.exe
  C:\218632.exe
  C:\WINDOWS\braviax.exe
  C:\472220.exe
  C:\WINDOWS\msnconfig.exe
  C:\884573.exe
  C:\813484.exe
  C:\588684.exe
  C:\414661.exe
  C:\467838.exe
  C:\664846.exe
  C:\667677.exe
  C:\742208.exe
  C:\622743.exe
  C:\682464.exe
  C:\808444.exe
  C:\535673.exe
  C:\277411.exe
  C:\211116.exe
  C:\073072.exe
  C:\887544.exe
  C:\034254.exe
  C:\667708.exe
  C:\534732.exe
  C:\040120.exe
  C:\587576.exe
  C:\430675.exe
  C:\746611.exe
  C:\136010.exe
  C:\240273.exe
  C:\372741.exe
  C:\185273.exe
  C:\660705.exe
  C:\033055.exe
  C:\417236.exe
  C:\126043.exe
  C:\582471.exe
  C:\662215.exe
  C:\431401.exe
  C:\753328.exe
  C:\WINDOWS\system32\kygy.bin
  C:\WINDOWS\system32\ehoqu.scr
  C:\WINDOWS\itoz.sys
  C:\WINDOWS\goges.scr
  C:\Program Files\Common Files\rimoze.vbs
  C:\WINDOWS\igocepekak.reg
  C:\WINDOWS\ewugatylu.exe
  C:\Program Files\Common Files\ofydupuv.dll
  C:\WINDOWS\system32\tahos.dll
  C:\WINDOWS\exagut.bat
  C:\Program Files\Common Files\ozipamin.scr
  C:\Documents and Settings\HP_Administrator\Application Data\nasynubor.sys
  C:\764814.exe
  C:\365731.exe
  C:\442187.exe
  C:\152456.exe
  C:\WINDOWS\system32\cru629.dat
  C:\WINDOWS\cru629.dat
  C:\563624.exe
  C:\344248.exe
  C:\740564.exe
  C:\667760.exe
  C:\040145.exe
  C:\324616.exe
  C:\384301.exe
  C:\461131.exe
  C:\241060.exe
  C:\442824.exe
  C:\638051.exe
  C:\566353.exe
  C:\145060.exe
  C:\184618.exe
  C:\440707.exe
  C:\541436.exe
  C:\367587.exe
  C:\018760.exe
  C:\625513.exe
  C:\150417.exe
  C:\644028.exe
  C:\834423.exe
  C:\827263.exe
  C:\201270.exe
  C:\032626.exe
  C:\778614.exe
  C:\327586.exe
  C:\268221.exe
  C:\660771.exe
  C:\350583.exe
  C:\111007.exe
  C:\328727.exe
  C:\874708.exe
  C:\027610.exe
  C:\882628.exe
  C:\223252.exe
  C:\746117.exe
  C:\035560.exe
  C:\788605.exe
  C:\040228.exe
  C:\268661.exe
  C:\511812.exe
  C:\510344.exe
  C:\134187.exe
  C:\782826.exe
  C:\WINDOWS\system32\1.bat
  C:\627307.exe
  C:\303061.exe
  C:\108661.exe
  C:\735688.exe
  C:\673187.exe
  C:\447102.exe
  C:\116483.exe
  C:\WINDOWS\system32\2.bat
  C:\WINDOWS\system32\0.bat
  C:\337025.exe
  C:\WINDOWS\wkssvc.exe
  C:\Documents and Settings\HP_Administrator\Application Data\kebejuhuqu._dl
  C:\Documents and Settings\HP_Administrator\Application Data\aqonawy.db
  C:\Program Files\Common Files\kudupewefu._dl
  C:\Documents and Settings\HP_Administrator\Application Data\imavoj._dl
  C:\Documents and Settings\HP_Administrator\Application Data\awizelyw.inf
  C:\Documents and Settings\HP_Administrator\Application Data\ocifehafe.dl
  C:\Program Files\WinReanimator
  C:\WINDOWS\system32\dllcache\beep.sys
  C:\WINDOWS\system32\drivers\beep.sys
  HKLM\software\microsoft\shared tools\msconfig\startupreg\Windows Console
  HKLM\software\microsoft\shared tools\msconfig\startupreg\braviax
  HKLM\software\microsoft\shared tools\msconfig\startupreg\WinReanimator
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft Update
  HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce\\Microsoft Update
  
  
  
• Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=====================
Then Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a Dss (Kahdah) log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

OTMoveIt2 Log:

[Custom Input]
< C:\232602.exe >
C:\232602.exe moved successfully.
< C:\737844.exe >
C:\737844.exe moved successfully.
< C:\WINDOWS\system32\bdagents.exe >
C:\WINDOWS\system32\bdagents.exe moved successfully.
< C:\556137.exe >
C:\556137.exe moved successfully.
< C:\218632.exe >
C:\218632.exe moved successfully.
< C:\WINDOWS\braviax.exe >
C:\WINDOWS\braviax.exe moved successfully.
< C:\040120.exe >
C:\040120.exe moved successfully.
< C:\587576.exe >
C:\587576.exe moved successfully.
< C:\430675.exe >
C:\430675.exe moved successfully.
< C:\746611.exe >
C:\746611.exe moved successfully.
< C:\136010.exe >
C:\136010.exe moved successfully.
< C:\240273.exe >
C:\240273.exe moved successfully.
< C:\372741.exe >
C:\372741.exe moved successfully.
< C:\185273.exe >
C:\185273.exe moved successfully.
< C:\660705.exe >
C:\660705.exe moved successfully.
< C:\033055.exe >
C:\033055.exe moved successfully.
< C:\417236.exe >
C:\417236.exe moved successfully.
< C:\126043.exe >
C:\126043.exe moved successfully.
< C:\582471.exe >
C:\582471.exe moved successfully.
< C:\662215.exe >
C:\662215.exe moved successfully.
< C:\431401.exe >
C:\431401.exe moved successfully.
< C:\753328.exe >
C:\753328.exe moved successfully.
< C:\WINDOWS\system32\kygy.bin >
C:\WINDOWS\system32\kygy.bin moved successfully.
< C:\WINDOWS\system32\ehoqu.scr >
C:\WINDOWS\system32\ehoqu.scr moved successfully.
< C:\WINDOWS\itoz.sys >
C:\WINDOWS\itoz.sys moved successfully.
< C:\WINDOWS\goges.scr >
C:\WINDOWS\goges.scr moved successfully.
< C:\Program Files\Common Files\rimoze.vbs >
C:\Program Files\Common Files\rimoze.vbs moved successfully.
< C:\WINDOWS\igocepekak.reg >
C:\WINDOWS\igocepekak.reg moved successfully.
< C:\WINDOWS\ewugatylu.exe >
C:\WINDOWS\ewugatylu.exe moved successfully.
< C:\Program Files\Common Files\ofydupuv.dll >
LoadLibrary failed for C:\Program Files\Common Files\ofydupuv.dll
C:\Program Files\Common Files\ofydupuv.dll NOT unregistered.
C:\Program Files\Common Files\ofydupuv.dll moved successfully.
< C:\WINDOWS\system32\tahos.dll >
LoadLibrary failed for C:\WINDOWS\system32\tahos.dll
C:\WINDOWS\system32\tahos.dll NOT unregistered.
C:\WINDOWS\system32\tahos.dll moved successfully.
< C:\WINDOWS\exagut.bat >
C:\WINDOWS\exagut.bat moved successfully.
< C:\Program Files\Common Files\ozipamin.scr >
C:\Program Files\Common Files\ozipamin.scr moved successfully.
< C:\Documents and Settings\HP_Administrator\Application Data\nasynubor.sys >
C:\Documents and Settings\HP_Administrator\Application Data\nasynubor.sys moved successfully.
< C:\764814.exe >
C:\764814.exe moved successfully.
< C:\365731.exe >
C:\365731.exe moved successfully.
< C:\442187.exe >
C:\442187.exe moved successfully.
< C:\152456.exe >
C:\152456.exe moved successfully.
< C:\WINDOWS\system32\cru629.dat >
C:\WINDOWS\system32\cru629.dat moved successfully.
< C:\WINDOWS\cru629.dat >
C:\WINDOWS\cru629.dat moved successfully.
< C:\563624.exe >
C:\563624.exe moved successfully.
< C:\344248.exe >
C:\344248.exe moved successfully.
< C:\740564.exe >
C:\740564.exe moved successfully.
< C:\667760.exe >
C:\667760.exe moved successfully.
< C:\040145.exe >
C:\040145.exe moved successfully.
< C:\324616.exe >
C:\324616.exe moved successfully.
< C:\384301.exe >
C:\384301.exe moved successfully.
< C:\461131.exe >
C:\461131.exe moved successfully.
< C:\241060.exe >
C:\241060.exe moved successfully.
< C:\442824.exe >
C:\442824.exe moved successfully.
< C:\638051.exe >
C:\638051.exe moved successfully.
< C:\566353.exe >
C:\566353.exe moved successfully.
< C:\145060.exe >
C:\145060.exe moved successfully.
< C:\184618.exe >
C:\184618.exe moved successfully.
< C:\440707.exe >
C:\440707.exe moved successfully.
< C:\541436.exe >
C:\541436.exe moved successfully.
< C:\367587.exe >
C:\367587.exe moved successfully.
< C:\018760.exe >
C:\018760.exe moved successfully.
< C:\625513.exe >
C:\625513.exe moved successfully.
< C:\150417.exe >
C:\150417.exe moved successfully.
< C:\644028.exe >
C:\644028.exe moved successfully.
< C:\834423.exe >
C:\834423.exe moved successfully.
< C:\827263.exe >
C:\827263.exe moved successfully.
< C:\201270.exe >
C:\201270.exe moved successfully.
< C:\032626.exe >
C:\032626.exe moved successfully.
< C:\778614.exe >
C:\778614.exe moved successfully.
< C:\327586.exe >
C:\327586.exe moved successfully.
< C:\268221.exe >
C:\268221.exe moved successfully.
< C:\660771.exe >
C:\660771.exe moved successfully.
< C:\350583.exe >
C:\350583.exe moved successfully.
< C:\111007.exe >
C:\111007.exe moved successfully.
< C:\328727.exe >
C:\328727.exe moved successfully.
< C:\874708.exe >
C:\874708.exe moved successfully.
< C:\027610.exe >
C:\027610.exe moved successfully.
< C:\882628.exe >
C:\882628.exe moved successfully.
< C:\223252.exe >
C:\223252.exe moved successfully.
< C:\746117.exe >
C:\746117.exe moved successfully.
< C:\035560.exe >
C:\035560.exe moved successfully.
< C:\788605.exe >
C:\788605.exe moved successfully.
< C:\040228.exe >
C:\040228.exe moved successfully.
< C:\268661.exe >
C:\268661.exe moved successfully.
< C:\511812.exe >
C:\511812.exe moved successfully.
< C:\510344.exe >
C:\510344.exe moved successfully.
< C:\134187.exe >
C:\134187.exe moved successfully.
< C:\782826.exe >
C:\782826.exe moved successfully.
< C:\WINDOWS\system32\1.bat >
C:\WINDOWS\system32\1.bat moved successfully.
< C:\627307.exe >
C:\627307.exe moved successfully.
< C:\303061.exe >
C:\303061.exe moved successfully.
< C:\108661.exe >
C:\108661.exe moved successfully.
< C:\735688.exe >
C:\735688.exe moved successfully.
< C:\673187.exe >
C:\673187.exe moved successfully.
< C:\447102.exe >
C:\447102.exe moved successfully.
< C:\116483.exe >
C:\116483.exe moved successfully.
< C:\WINDOWS\system32\2.bat >
C:\WINDOWS\system32\2.bat moved successfully.
< C:\WINDOWS\system32\0.bat >
C:\WINDOWS\system32\0.bat moved successfully.
< C:\337025.exe >
C:\337025.exe moved successfully.
< C:\WINDOWS\wkssvc.exe >
C:\WINDOWS\wkssvc.exe moved successfully.
< C:\Documents and Settings\HP_Administrator\Application Data\kebejuhuqu._dl >
C:\Documents and Settings\HP_Administrator\Application Data\kebejuhuqu._dl moved successfully.
< C:\Documents and Settings\HP_Administrator\Application Data\aqonawy.db >
C:\Documents and Settings\HP_Administrator\Application Data\aqonawy.db moved successfully.
< C:\Program Files\Common Files\kudupewefu._dl >
C:\Program Files\Common Files\kudupewefu._dl moved successfully.
< C:\Documents and Settings\HP_Administrator\Application Data\imavoj._dl >
C:\Documents and Settings\HP_Administrator\Application Data\imavoj._dl moved successfully.
< C:\Documents and Settings\HP_Administrator\Application Data\awizelyw.inf >
C:\Documents and Settings\HP_Administrator\Application Data\awizelyw.inf moved successfully.
< C:\Documents and Settings\HP_Administrator\Application Data\ocifehafe.dl >
C:\Documents and Settings\HP_Administrator\Application Data\ocifehafe.dl moved successfully.
< C:\Program Files\WinReanimator >
File/Folder C:\Program Files\WinReanimator not found.
< C:\WINDOWS\system32\dllcache\beep.sys >
C:\WINDOWS\system32\dllcache\beep.sys moved successfully.
< C:\WINDOWS\system32\drivers\beep.sys >
C:\WINDOWS\system32\drivers\beep.sys moved successfully.
< HKLM\software\microsoft\shared tools\msconfig\startupreg\Windows Console >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Console\\ deleted successfully.
< HKLM\software\microsoft\shared tools\msconfig\startupreg\braviax >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\braviax\\ deleted successfully.
< HKLM\software\microsoft\shared tools\msconfig\startupreg\WinReanimator >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinReanimator\\ deleted successfully.
< HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft Update >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft Update deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce\\Microsoft Update >
Registry value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce\\Microsoft Update deleted successfully.

OTMoveIt2 v1.0.20 log created on 03022008_174608

Here's the DSS log:

Deckard's System Scanner v20071014.68
Run by HP_Administrator on 2008-03-02 17:53:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as HP_Administrator.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:53:41 PM, on 3/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\MSN Messenger\msn.com
C:\WINDOWS\live.messenger.com
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\msnconfig.exe
C:\WINDOWS\system32\BDAGENTS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Documents and Settings\HP_Administrator\Desktop\dssd.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\HP_ADM~1.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.hp.com/servlet/WebReg.serv...8AA&LF=blue
F2 - REG:system.ini: Shell=EXPLORER.EXE \232602.exe
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [MSN Messenger] msn.com
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RECGUARD] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ps2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [MSN Configuration] msnconfig.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Microsoft Update] BDAGENTS.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [Microsoft Update] BDAGENTS.EXE
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: cru629.dat
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10075 bytes

-- Files created between 2008-02-02 and 2008-03-02 -----------------------------

2008-03-02 11:53:01 0 d-------- C:\Program Files\Trend Micro
2008-03-01 18:32:01 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-03-01 16:26:04 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Uniblue
2008-02-29 18:29:38 0 d--hs---- C:\WINDOWS\ftpcache
2008-02-28 20:53:21 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-02-28 20:29:51 0 d-------- C:\Program Files\Common Files\PC Tools
2008-02-28 19:27:33 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-28 19:27:20 0 d-------- C:\Program Files\Spyware Doctor
2008-02-28 19:27:20 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\PC Tools
2008-02-28 17:21:16 0 d-------- C:\WINDOWS\pss
2008-02-22 20:59:00 0 d-------- C:\Program Files\QuickTime
2008-02-20 20:11:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2008-02-20 20:10:20 0 d-------- C:\Program Files\MSN Messenger
2008-02-09 15:54:51 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-09 15:54:33 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller


-- Find3M Report ---------------------------------------------------------------

2008-03-02 17:46:16 0 d-------- C:\Program Files\Common Files
2008-03-01 08:22:53 0 d-------- C:\Program Files\PokerStars
2008-02-29 17:54:53 0 d-------- C:\Program Files\Messenger
2008-02-28 18:28:34 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-22 21:01:25 0 d-------- C:\Program Files\iTunes
2008-02-22 21:01:13 0 d-------- C:\Program Files\iPod
2008-02-16 19:04:22 0 d-------- C:\Program Files\Real
2008-02-10 22:51:20 0 d-------- C:\Program Files\Incomplete
2008-02-09 08:00:49 0 d--h----- C:\Documents and Settings\HP_Administrator\Application Data\Move Networks
2008-01-16 14:48:26 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Nikon
2008-01-16 14:48:24 0 d-------- C:\Program Files\Common Files\Nikon


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [11/28/2007 07:51 PM]
"MSN Messenger"="msn.com" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [11/10/2005 06:30 PM]
"RECGUARD"="C:\WINDOWS\SMINST\RECGUARD.EXE" [07/23/2005 12:14 AM]
"ps2"="C:\WINDOWS\system32\ps2.exe" []
"KBD"="C:\HP\KBD\KBD.EXE" [02/02/2005 03:44 PM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [07/28/2004 01:50 AM]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [05/07/1998 10:04 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [12/10/2006 08:52 PM]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/05/2005 10:56 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/09/2007 09:59 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/14/2005 06:05 AM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [09/05/2006 07:22 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [07/28/2004 01:50 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe" [08/27/2005 03:14 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [01/31/2008 11:13 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/19/2008 01:10 PM]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [08/10/2004 06:00 AM]
"MSN Configuration"="msnconfig.exe" []
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [02/01/2008 12:55 PM]
"Microsoft Update"="BDAGENTS.EXE" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 06:00 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 05:24 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"Microsoft Update"=BDAGENTS.EXE

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [1/2/2007 8:40:10 PM]
Updates from HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [11/10/2005 6:50:28 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="EXPLORER.EXE \232602.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=cru629.dat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=C:\WINDOWS\pss\NkbMonitor.exe.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
ARPWRMSG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08 hpqddsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d2c1cefc-9817-11da-9069-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2008-03-02 17:54:15 ------------

I'm still unable to run Combofix. I tried all three links and I even renamed each - no dice.

Thanks again for your help.

Ben

This post has been edited by benhal8: Mar 2 2008, 06:03 PM

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Full Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.

Here's the log:

Malwarebytes' Anti-Malware 1.05
Database version: 441

Scan type: Full Scan (C:\|D:\|F:\|G:\|H:\|I:\|J:\|)
Objects scanned: 117028
Time elapsed: 52 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Deckard\System Scanner\20080302175336\backup\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\uninst.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Deckard\System Scanner\20080302175336\backup\WINDOWS\temp\AE8AB41F91F72503.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\6L12Q60M\scgtyl[1].htm (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I05F513K\Installer[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\AE8AB41F91F72503.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\03022008_174608\WINDOWS\braviax.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\03022008_174608\WINDOWS\system32\dllcache\beep.sys (BackDoor.Ntrootkit) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\03022008_174608\WINDOWS\system32\drivers\beep.sys (BackDoor.Ntrootkit) -> Quarantined and deleted successfully.

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Thanks again for your help. Here's the log:

SmitFraudFix v2.300

Scan done at 19:18:24.51, Sun 03/02/2008
Run from C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\HP_Administrator


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\HP_Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\HP_ADM~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="cru629.dat"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 16.92.3.242
DNS Server Search Order: 16.92.3.243
DNS Server Search Order: 16.81.3.243
DNS Server Search Order: 16.118.3.243

Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 68.115.71.53
DNS Server Search Order: 24.196.64.53
DNS Server Search Order: 24.159.193.40

HKLM\SYSTEM\CCS\Services\Tcpip\..\{71EDBE64-A8C6-4AAF-B9D8-521A759A1796}: DhcpNameServer=68.115.71.53 24.196.64.53 24.159.193.40
HKLM\SYSTEM\CCS\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CS1\Services\Tcpip\..\{71EDBE64-A8C6-4AAF-B9D8-521A759A1796}: DhcpNameServer=68.115.71.53 24.196.64.53 24.159.193.40
HKLM\SYSTEM\CS1\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CS3\Services\Tcpip\..\{71EDBE64-A8C6-4AAF-B9D8-521A759A1796}: DhcpNameServer=68.115.71.53 24.196.64.53 24.159.193.40
HKLM\SYSTEM\CS3\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.115.71.53 24.196.64.53 24.159.193.40
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.115.71.53 24.196.64.53 24.159.193.40
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.115.71.53 24.196.64.53 24.159.193.40


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
  
• Now click on Scan Settings
• In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  Extended (if available otherwise Standard)
  • Scan Options:
  Scan Archives
  Scan Mail Bases
• Click OK
• Now under select a target to scan:
  Select My Computer
• This will program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  
  • Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste that information in your next post.

Thanks again for your help. Here's the Kaspersky log:

Monday, March 03, 2008 7:23:02 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/03/2008
Kaspersky Anti-Virus database records: 594708
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
Scan Statistics
Total number of scanned objects 87203
Number of viruses found 9
Number of infected objects 121
Number of suspicious objects 0
Duration of the scan process 01:42:46

Infected Object Name Virus Name Last Action
C:\Deckard\System Scanner\20080302175336\backup\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\eraseme_28376.exe Infected: Backdoor.Win32.IRCBot.bsg skipped
C:\Deckard\System Scanner\20080302175336\backup\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\eraseme_37040.exe Infected: Backdoor.Win32.Bifrose.fgo skipped
C:\Deckard\System Scanner\20080302175336\backup\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\eraseme_42168.exe Infected: Backdoor.Win32.Bifrose.fgo skipped
C:\Deckard\System Scanner\20080302175336\backup\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\eraseme_50843.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\Deckard\System Scanner\20080302175336\backup\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\eraseme_56865.exe Infected: Backdoor.Win32.Bifrose.fgo skipped
C:\Deckard\System Scanner\20080302175336\backup\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\eraseme_58066.exe Infected: Backdoor.Win32.IRCBot.bsg skipped
C:\Deckard\System Scanner\20080302175336\backup\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\eraseme_70466.exe Infected: Backdoor.Win32.IRCBot.bsd skipped
C:\Deckard\System Scanner\20080302175336\backup\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\eraseme_75208.exe Infected: Backdoor.Win32.Bifrose.fgo skipped
C:\Deckard\System Scanner\20080302175336\backup\WINDOWS\temp\box3r.exe/data.rar/nope.dll Infected: Net-Worm.Win32.Kolab.l skipped
C:\Deckard\System Scanner\20080302175336\backup\WINDOWS\temp\box3r.exe/data.rar Infected: Net-Worm.Win32.Kolab.l skipped
C:\Deckard\System Scanner\20080302175336\backup\WINDOWS\temp\box3r.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-03-03_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\A2484525.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped
C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\41cr802e.default\cert8.db Object is locked skipped
C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\41cr802e.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\41cr802e.default\history.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\41cr802e.default\key3.db Object is locked skipped
C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\41cr802e.default\parent.lock Object is locked skipped
C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\41cr802e.default\search.sqlite Object is locked skipped
C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\41cr802e.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\53\6a1dde35-2f7b1f61/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skipped
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\53\6a1dde35-2f7b1f61 ZIP: infected - 1 skipped
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\nRT.jar-683f230e-7da87ce0.zip/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skipped
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\nRT.jar-683f230e-7da87ce0.zip ZIP: infected - 1 skipped
C:\Documents and Settings\HP_Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\41cr802e.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\41cr802e.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\41cr802e.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\41cr802e.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\History\History.IE5\MSHist012008030320080304\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Acr9688.tmp Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~DF140B.tmp Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\HP_Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\MSN Messenger\msn.com Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Spyware Doctor\NetworkLayer\InterfaceDLL.txt Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\chandir.dat Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\chandir.idx Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\chn.dat Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\chn.idx Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\inuse.txt Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\L0000006.FCS Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\main.log Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs.dat Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs.idx Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_die.dat Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_die.idx Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\storydb.dat Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\storydb.idx Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1\A0000047.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1\A0000048.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\live.messenger.com Infected: Backdoor.Win32.IRCBot.bsg skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{65678C50-D895-4FA5-8947-17F9CF510095}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system\userinfo32.ggt Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\018760.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\027610.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\032626.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\033055.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\034254.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\035560.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\040120.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\040145.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\040228.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\073072.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\108661.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\111007.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\116483.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\126043.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\134187.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\136010.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\145060.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\150417.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\152456.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\184618.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\185273.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\201270.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\211116.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\218632.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\223252.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\232602.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\240273.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\241060.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\268221.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\268661.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\277411.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\303061.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\324616.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\327586.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\328727.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\337025.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\344248.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\350583.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\365731.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\367587.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\372741.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\384301.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\414661.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\417236.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\430675.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\431401.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\440707.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\442187.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\442824.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\447102.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\461131.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\467838.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\472220.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\510344.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\511812.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\534732.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\535673.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\541436.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\556137.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\563624.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\566353.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\582471.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\587576.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\588684.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\622743.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\625513.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\627307.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\638051.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\644028.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\660705.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\660771.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\662215.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\664846.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\667677.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\667708.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\667760.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\673187.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\682464.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\735688.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\737844.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\740564.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\742208.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\746117.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\746611.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\753328.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\764814.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\778614.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\782826.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\788605.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\808444.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\813484.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\827263.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\834423.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\874708.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\882628.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\884573.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\887544.exe Infected: Backdoor.Win32.IRCBot.bnz skipped
C:\_OTMoveIt\MovedFiles\03022008_174608\WINDOWS\wkssvc.exe Infected: Email-Worm.Win32.Anker.x skipped
Scan process completed.