Hijack This list as suggested [RESOLVED]



#1
BMAC23

    Member

  • 11 posts
I posted in another forum and was told to come here. I followed all the malware/spyware/virus steps in the "You Must Read This" thread.

My issue: one day, every after-market program I have (and some of the ones that came with the computer) stopped working. They no longer appear on my Add/Remove Programs list and do not give me an uninstall option in my Programs folder. When opened, they ask for serial numbers; when the serial numbers are typed in, they say they are not installed properly (or a variation on that theme); when I attempt to re-install, they say they cannot because the programs have not been uninstalled, and I am back to the beginning.

Also, all of my Outlook Express mail accounts were erased. I still have the .dbx files, but they do not import even after following the steps correctly (I have done this step many times before).

I had previously installed the Windows Service Packs, but tried to do so again (as per the instructions in "You Must Read This"), and they also failed to install.

My HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:38 AM, on 4/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\arservice.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Outlook Express\msimn.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.h...a...&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 7890 bytes


My uninstall list:
Adobe Reader 7.0.5
ATI Control Panel
ATI Display Driver
avast! Antivirus
Compaq Connections (remove only)
Customer Experience Enhancement
Data Fax SoftModem with SmartCP
DISCover
Easy Hi-Q Recorder 2.2
Enhanced Multimedia Keyboard Solution
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB912024)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB935448)
HP Boot Optimizer
HP DVD Play 2.1
HP Imaging Device Functions 7.0
HP Photosmart Premier Software 6.5
HP Software Update
HP Support Overview
HP Web Helper
J2SE Runtime Environment 5.0 Update 6
Macromedia Flash Player 8
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2006
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003 60 days trial
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft Works
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Netscape Browser (remove only)
Otto
Panda ActiveScan 2.0
PC-Doctor 5 for Windows
Power Email Recovery for Outlook Express 1.1
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
Quicken 2006
RealPlayer
Realtek High Definition Audio Driver
Recovery Toolbox for Outlook Express 1.1
Remove WeatherBug Installer
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sony ACID Pro 6.0
Sony Media Manager 2.2
SUPERAntiSpyware Free Edition
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
WildTangent Web Driver
Windows Defender
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892050
Windows XP Hotfix - KB893066
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB912067


Thanks in advance for any advice you can give me. I am at a complete loss of what to do.
BMac23

#2
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hi BMAC23,

Welcome to this part of Geeks to Go :)

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

You may need to post the logs over 2 replies to ensure all the information is posted.

andrewuk

#3
BMAC23

    Member

  • Topic Starter
  • 11 posts
Thanks AndrewUK,
I posted the main and the extra back-to-back.

Deckard's System Scanner v20071014.68
Run by Compaq_Administrator on 2008-04-25 11:45:15
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
14: 2008-04-25 18:45:20 UTC - RP20 - Deckard's System Scanner Restore Point
13: 2008-04-25 17:40:14 UTC - RP19 - Installed Windows XP KB944533.
12: 2008-04-25 17:38:38 UTC - RP18 - Installed Windows XP KB938829.
11: 2008-04-25 17:37:51 UTC - RP17 - Installed Windows XP KB921503.
10: 2008-04-25 17:14:16 UTC - RP16 - Printer Driver Microsoft XPS Document Writer Installed


-- First Restore Point --
1: 2008-04-24 01:55:45 UTC - RP7 - Installed SUPERAntiSpyware Free Edition


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Compaq_Administrator.exe) --------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:45 AM, on 4/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\arservice.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\WINDOWS\system32\spider.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Compaq_Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.h...a...&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 7896 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-25 10:47:09 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job


-- Files created between 2008-03-25 and 2008-04-25 -----------------------------

2008-04-25 10:54:12 0 d-------- C:\Program Files\Trend Micro
2008-04-25 10:14:58 0 d-------- C:\Program Files\MSBuild
2008-04-25 10:14:53 0 d-------- C:\WINDOWS\system32\XPSViewer
2008-04-25 10:14:46 0 d-------- C:\Program Files\Reference Assemblies
2008-04-25 10:13:16 0 d-------- C:\Program Files\MSXML 6.0
2008-04-25 09:19:45 0 d-------- C:\WINDOWS\network diagnostic
2008-04-24 20:08:58 0 d-------- C:\Program Files\Sony Setup
2008-04-24 15:07:16 0 d-------- C:\Program Files\Easy Hi-Q Recorder
2008-04-24 08:43:16 0 d-------- C:\Program Files\Panda Security
2008-04-23 18:55:52 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-23 18:55:47 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-23 18:55:47 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\SUPERAntiSpyware.com
2008-04-23 18:53:25 0 d-------- C:\movedfrom desktop
2008-04-23 18:28:00 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Malwarebytes
2008-04-23 18:27:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-23 18:27:48 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-23 18:26:09 0 d-------- C:\Program Files\Common Files\Download Manager
2008-04-23 14:59:35 0 d-------- C:\Documents and Settings\Brad\Application Data\Flickr
2008-04-23 14:59:35 0 d-------- C:\Documents and Settings\Brad\Application Data\FastStone
2008-04-23 14:59:35 0 d-------- C:\Documents and Settings\Brad\Application Data\DVD Flick
2008-04-23 14:59:35 0 d-------- C:\Documents and Settings\Brad\Application Data\DivX
2008-04-23 14:59:35 0 d-------- C:\Documents and Settings\Brad\Application Data\Corel
2008-04-23 14:59:35 0 d-------- C:\Documents and Settings\Brad\Application Data\CoffeeCup Software
2008-04-23 14:59:35 0 d-------- C:\Documents and Settings\Brad\Application Data\Applied Acoustics Systems
2008-04-23 14:59:35 0 d-------- C:\Documents and Settings\Brad\Application Data\Apple Computer
2008-04-23 14:59:35 0 d-------- C:\Documents and Settings\Brad\Application Data\AdobeUM
2008-04-23 14:59:35 0 d-------- C:\Documents and Settings\Brad\Application Data\Adobe
2008-04-23 14:59:34 0 d-------- C:\Documents and Settings\Brad\Application Data\GlarySoft
2008-04-23 14:59:29 0 d-------- C:\Documents and Settings\Brad\Application Data\Leadertech
2008-04-23 14:59:29 0 d-------- C:\Documents and Settings\Brad\Application Data\Lavasoft
2008-04-23 14:59:29 0 d-------- C:\Documents and Settings\Brad\Application Data\InstallShield
2008-04-23 14:59:29 0 d-------- C:\Documents and Settings\Brad\Application Data\HPQ
2008-04-23 14:59:29 0 d-------- C:\Documents and Settings\Brad\Application Data\HP
2008-04-23 14:59:29 0 d-------- C:\Documents and Settings\Brad\Application Data\Help
2008-04-23 14:59:15 0 d-------- C:\Documents and Settings\Brad\Application Data\Media Player Classic
2008-04-23 14:59:15 0 d-------- C:\Documents and Settings\Brad\Application Data\Macromedia
2008-04-23 14:59:14 0 d-------- C:\Documents and Settings\Brad\Application Data\MixMeister Technology
2008-04-23 14:59:13 0 d-------- C:\Documents and Settings\Brad\Application Data\Publish Providers
2008-04-23 14:59:13 0 d-------- C:\Documents and Settings\Brad\Application Data\Propellerhead Software
2008-04-23 14:59:13 0 d-------- C:\Documents and Settings\Brad\Application Data\Otto
2008-04-23 14:59:13 0 d-------- C:\Documents and Settings\Brad\Application Data\Nikon
2008-04-23 14:59:13 0 d-------- C:\Documents and Settings\Brad\Application Data\Netscape
2008-04-23 14:59:13 0 d-------- C:\Documents and Settings\Brad\Application Data\NetMedia Providers
2008-04-23 14:59:13 0 d-------- C:\Documents and Settings\Brad\Application Data\Mozilla
2008-04-23 14:59:12 0 d-------- C:\Documents and Settings\Brad\Application Data\Waves Audio
2008-04-23 14:59:12 0 d-------- C:\Documents and Settings\Brad\Application Data\Uniblue
2008-04-23 14:59:12 0 d-------- C:\Documents and Settings\Brad\Application Data\Template
2008-04-23 14:59:12 0 d-------- C:\Documents and Settings\Brad\Application Data\Sun
2008-04-23 14:59:12 0 d-------- C:\Documents and Settings\Brad\Application Data\Sony
2008-04-23 14:59:12 0 d-------- C:\Documents and Settings\Brad\Application Data\Sony Setup
2008-04-23 14:59:12 0 d-------- C:\Documents and Settings\Brad\Application Data\Sonic
2008-04-23 14:59:12 0 d-------- C:\Documents and Settings\Brad\Application Data\Roxio
2008-04-23 14:58:54 0 d---s---- C:\Documents and Settings\Brad\UserData
2008-04-23 14:49:47 0 d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-04-23 14:49:46 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-23 14:49:46 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-23 14:49:46 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-23 14:49:46 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-23 14:49:46 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-04-23 14:49:46 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-23 14:49:46 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-23 14:49:46 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-04-23 14:49:46 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-23 14:49:46 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-04-23 14:49:46 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-23 14:49:46 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-04-23 14:49:46 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-23 14:49:46 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2008-04-23 14:49:46 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-23 14:49:46 0 d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2008-04-23 14:49:46 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-04-23 14:49:44 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-04-23 14:40:23 0 d--h----- C:\Documents and Settings\Brad\Local Settings
2008-04-23 14:40:23 0 dr------- C:\Documents and Settings\Brad\Favorites
2008-04-23 14:40:23 0 d-------- C:\Documents and Settings\Brad\Desktop
2008-04-23 14:40:23 0 d---s---- C:\Documents and Settings\Brad\Cookies
2008-04-23 14:40:23 0 dr-h----- C:\Documents and Settings\Brad\Application Data
2008-04-23 14:40:23 0 d-------- C:\Documents and Settings\Brad\Application Data\Real
2008-04-23 14:40:23 0 d---s---- C:\Documents and Settings\Brad\Application Data\Microsoft
2008-04-23 14:40:23 0 d-------- C:\Documents and Settings\Brad\Application Data\Intuit
2008-04-23 14:40:23 0 d-------- C:\Documents and Settings\Brad\Application Data\Identities
2008-04-23 14:40:23 0 d-------- C:\Documents and Settings\Brad\Application Data\Gtek
2008-04-23 14:40:22 0 d-------- C:\Documents and Settings\Brad\WINDOWS
2008-04-23 14:40:22 0 d--h----- C:\Documents and Settings\Brad\Templates
2008-04-23 14:40:22 0 dr------- C:\Documents and Settings\Brad\Start Menu
2008-04-23 14:40:22 0 dr-h----- C:\Documents and Settings\Brad\SendTo
2008-04-23 14:40:22 0 dr-h----- C:\Documents and Settings\Brad\Recent
2008-04-23 14:40:22 0 d--h----- C:\Documents and Settings\Brad\PrintHood
2008-04-23 14:40:22 1048576 --ah----- C:\Documents and Settings\Brad\NTUSER.DAT
2008-04-23 14:40:22 0 d--h----- C:\Documents and Settings\Brad\NetHood
2008-04-23 14:40:22 0 dr------- C:\Documents and Settings\Brad\My Documents
2008-04-23 14:37:37 0 d-------- C:\Documents and Settings\Brad2\Application Data\Intuit
2008-04-23 14:37:37 0 d-------- C:\Documents and Settings\Brad2\Application Data\Identities
2008-04-23 14:37:37 0 d-------- C:\Documents and Settings\Brad2\Application Data\Gtek
2008-04-23 14:37:36 0 d-------- C:\Documents and Settings\Brad2\WINDOWS
2008-04-23 14:37:36 0 d--h----- C:\Documents and Settings\Brad2\Templates
2008-04-23 14:37:36 0 dr------- C:\Documents and Settings\Brad2\Start Menu
2008-04-23 14:37:36 0 dr-h----- C:\Documents and Settings\Brad2\SendTo
2008-04-23 14:37:36 0 dr-h----- C:\Documents and Settings\Brad2\Recent
2008-04-23 14:37:36 0 d--h----- C:\Documents and Settings\Brad2\PrintHood
2008-04-23 14:37:36 1048576 --ah----- C:\Documents and Settings\Brad2\NTUSER.DAT
2008-04-23 14:37:36 0 d--h----- C:\Documents and Settings\Brad2\NetHood
2008-04-23 14:37:36 0 dr------- C:\Documents and Settings\Brad2\My Documents
2008-04-23 14:37:36 0 d--h----- C:\Documents and Settings\Brad2\Local Settings
2008-04-23 14:37:36 0 dr------- C:\Documents and Settings\Brad2\Favorites
2008-04-23 14:37:36 0 d-------- C:\Documents and Settings\Brad2\Desktop
2008-04-23 14:37:36 0 d---s---- C:\Documents and Settings\Brad2\Cookies
2008-04-23 14:37:36 0 dr-h----- C:\Documents and Settings\Brad2\Application Data
2008-04-23 14:37:36 0 d-------- C:\Documents and Settings\Brad2\Application Data\Real
2008-04-23 14:37:36 0 d---s---- C:\Documents and Settings\Brad2\Application Data\Microsoft
2008-04-23 13:34:57 0 d-------- C:\Program Files\Windows Defender
2008-04-22 18:05:00 0 d-------- C:\Program Files\Recovery Toolbox for Outlook Express
2008-04-22 17:21:47 0 d-------- C:\Program Files\Power Email Recovery for Outlook Express
2008-04-22 15:45:30 0 d-------- C:\WINDOWS\system32\PreInstall
2008-04-22 09:46:55 0 dr-h----- C:\Documents and Settings\Compaq_Administrator\Recent
2008-04-22 09:46:54 0 dr-hs---- C:\cmdcons
2008-04-22 09:46:36 0 d-------- C:\WINDOWS\setupupd
2008-04-22 09:38:54 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Intuit
2008-04-22 09:38:54 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Identities
2008-04-22 09:38:54 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Gtek
2008-04-22 09:38:53 0 d-------- C:\Documents and Settings\Compaq_Administrator\WINDOWS
2008-04-22 09:38:53 0 d--h----- C:\Documents and Settings\Compaq_Administrator\Templates
2008-04-22 09:38:53 0 dr------- C:\Documents and Settings\Compaq_Administrator\Start Menu
2008-04-22 09:38:53 0 dr-h----- C:\Documents and Settings\Compaq_Administrator\SendTo
2008-04-22 09:38:53 0 d--h----- C:\Documents and Settings\Compaq_Administrator\PrintHood
2008-04-22 09:38:53 2097152 --a------ C:\Documents and Settings\Compaq_Administrator\NTUSER.DAT
2008-04-22 09:38:53 0 d--h----- C:\Documents and Settings\Compaq_Administrator\NetHood
2008-04-22 09:38:53 0 dr------- C:\Documents and Settings\Compaq_Administrator\My Documents
2008-04-22 09:38:53 0 d--h----- C:\Documents and Settings\Compaq_Administrator\Local Settings
2008-04-22 09:38:53 0 dr------- C:\Documents and Settings\Compaq_Administrator\Favorites
2008-04-22 09:38:53 0 d-------- C:\Documents and Settings\Compaq_Administrator\Desktop
2008-04-22 09:38:53 0 d--hs---- C:\Documents and Settings\Compaq_Administrator\Cookies
2008-04-22 09:38:53 0 dr-h----- C:\Documents and Settings\Compaq_Administrator\Application Data
2008-04-22 09:38:53 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Real
2008-04-22 09:35:11 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-04-22 08:44:24 0 dr-hs---- C:\WINDOWS\system32\dllcache
2008-04-22 07:57:25 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\GlarySoft
2008-04-22 07:54:54 0 d-------- C:\Program Files\Registry Repair
2008-04-22 07:47:34 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Uniblue
2008-04-16 07:51:25 0 d-------- C:\videooutput
2008-04-13 14:32:56 0 d-------- C:\TubeHunter Ultra
2008-04-12 18:29:43 0 d-------- C:\Program Files\GPLGS
2008-04-12 18:28:02 0 d-------- C:\Program Files\Acro Software
2008-04-07 12:05:05 0 d-------- C:\Mp3 Output
2008-04-07 12:05:02 0 d-------- C:\Program Files\Smallvideosoft
2008-04-01 10:10:10 0 d-------- C:\Program Files\Neoretix
2008-04-01 10:08:52 0 d-------- C:\WINDOWS\Downloaded Installations
2008-03-31 14:51:22 0 d-------- C:\Movie Magic Screenwriter


-- Find3M Report ---------------------------------------------------------------

2008-04-25 09:35:10 0 d-------- C:\Program Files\Sony
2008-04-24 20:08:28 4820 --a------ C:\Documents and Settings\Compaq_Administrator\Application Data\wklnhst.dat
2008-04-24 08:43:16 3204 --a------ C:\WINDOWS\mozver.dat
2008-04-23 21:51:46 0 d-------- C:\Program Files\music_now
2008-04-23 18:55:29 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-23 18:26:09 0 d-------- C:\Program Files\Common Files
2008-04-23 14:47:08 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-23 11:52:44 0 d-------- C:\Program Files\Yahoo!
2008-04-23 08:13:17 0 d-------- C:\Program Files\PC-Doctor 5 for Windows
2008-04-22 08:03:19 129 --a------ C:\Documents and Settings\Compaq_Administrator\Application Data\EasyBejeweled.exe.ini
2008-04-21 15:29:01 0 d-------- C:\Program Files\RapidLeecher Ultimate 2007
2008-04-21 13:56:44 207 --a------ C:\Documents and Settings\Compaq_Administrator\Application Data\G-Force Prefs (WindowsMediaPlayer).txt
2008-03-24 17:50:34 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Adobe
2008-03-24 17:49:55 0 d-------- C:\Program Files\Bonjour
2008-03-24 17:42:12 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-03-24 11:00:20 3012 --a------ C:\drmHeader.bin
2008-03-18 09:07:52 0 d-------- C:\Program Files\Player
2008-03-17 09:46:27 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Media Player Classic
2008-03-17 09:44:57 0 d-------- C:\Program Files\Real Alternative
2008-03-14 15:01:26 0 d-------- C:\Program Files\DivX
2008-03-14 11:43:48 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Netscape
2008-03-06 12:20:05 0 d-------- C:\Program Files\Linksys EasyLink Advisor


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [09/29/2005 09:01 PM]
"ftutil2"="ftutil2.dll" [06/07/2004 02:05 PM C:\WINDOWS\system32\ftutil2.dll]
"RTHDCPL"="RTHDCPL.EXE" [06/13/2006 08:05 PM C:\WINDOWS\RTHDCPL.EXE]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [08/02/2005 11:19 PM C:\WINDOWS\arpwrmsg.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [07/22/2005 10:14 PM]
"@"="" []
"PCDrProfiler"="" []
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [02/15/2006 10:34 PM]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [12/14/2004 02:23 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [02/17/2005 06:11 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [08/08/2006 02:10 AM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [03/29/2008 11:37 AM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 04:24 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [04/24/2008 03:14 PM]

C:\Documents and Settings\Compaq_Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 8:16:50 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/24/2005 5:05:26 AM]
Compaq Connections.lnk - C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe [8/8/2006 2:27:56 AM]
Free WebSite Tools.lnk - C:\Program Files\CoffeeCup Software\CoffeeCup Free FTP\ThirtyDayTimer.exe [5/13/2007 8:11:12 PM]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [12/17/2002 6:23:32 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 04/24/2008 03:14 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,




-- End of Deckard's System Scanner: finished at 2008-04-25 11:47:20 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® D CPU 2.80GHz
CPU 1: Intel® Pentium® D CPU 2.80GHz
Percentage of Memory in Use: 43%
Physical Memory (total/avail): 959.36 MiB / 541.47 MiB
Pagefile Memory (total/avail): 2314.13 MiB / 1882.92 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1932.75 MiB

C: is Fixed (NTFS) - 224.54 GiB total, 107.64 GiB free.
D: is Fixed (FAT32) - 8.33 GiB total, 0.35 GiB free.
E: is CDROM (Unformatted)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Fixed (FAT32) - 186.26 GiB total, 1.39 GiB free.

\\.\PHYSICALDRIVE0 - WDC WD2500JS-60NCB1 - 232.88 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 224.54 GiB - C:
\PARTITION1 - Unknown - 8.33 GiB - D:

\\.\PHYSICALDRIVE3 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE5 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE2 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB SM Reader USB Device

\\.\PHYSICALDRIVE1 - ST320082 2A USB Device - 186.31 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 186.31 GiB - J:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: avast! antivirus 4.8.1169 [VPS 080425-1] v4.8.1169 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"="C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe:*:Enabled:Compaq Connections"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\DISC\\DISCover.exe"="C:\\Program Files\\DISC\\DISCover.exe:*:Enabled:DISCover Drop & Play System"
"C:\\Program Files\\DISC\\DiscStreamHub.exe"="C:\\Program Files\\DISC\\DiscStreamHub.exe:*:Enabled:DISCover Stream Hub"
"C:\\Program Files\\DISC\\myFTP.exe"="C:\\Program Files\\DISC\\myFTP.exe:*:Enabled:DISCover FTP"
"C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"="C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe:*:Enabled:Compaq Connections"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Compaq_Administrator\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-4DACD0EA75
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Compaq_Administrator
LOGONSERVER=\\YOUR-4DACD0EA75
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Python22;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0407
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SonicCentral=c:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp
USERDOMAIN=YOUR-4DACD0EA75
USERNAME=Compaq_Administrator
USERPROFILE=C:\Documents and Settings\Compaq_Administrator
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Compaq_Administrator (admin)
Brad2 (admin)
Brad (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Reader 7.0.5 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70500000002}
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,[email protected] -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
Compaq Connections (remove only) --> C:\WINDOWS\HPCPCUninstall-5577497\HPBWSetup.exe -appid 5577497 -uninstall
Customer Experience Enhancement --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{23012310-3E05-46A5-88A9-C6CBCABCAC79} /l1033
Data Fax SoftModem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1\HXFSETUP.EXE -U -ITrx200Ck.inf
DISCover --> "C:\Program Files\DISC\uninstall.exe"
Easy Hi-Q Recorder 2.2 --> "C:\Program Files\Easy Hi-Q Recorder\unins000.exe"
Enhanced Multimedia Keyboard Solution --> C:\HP\KBD\Install.exe /u
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Boot Optimizer --> MsiExec.exe /X{1341D838-719C-4A05-B50F-49420CA1B4BB}
HP DVD Play 2.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45D707E9-F3C4-11D9-A373-0050BAE317E1}\Setup.exe" -uninstall
HP Imaging Device Functions 7.0 --> C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Premier Software 6.5 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Software Update --> MsiExec.exe /X{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}
HP Support Overview --> "C:\WINDOWS\unins000.exe"
HP Web Helper --> regsvr32 /u /s "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll"
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Macromedia Flash Player 8 --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Away Mode -->
Microsoft Money 2006 --> "C:\Program Files\Microsoft Money 2006\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft Office Standard Edition 2003 60 days trial --> c:\hp\bin\cloaker.exe c:\hp\bin\MSOffice\uninst.cmd
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR) --> MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Netscape Browser (remove only) --> "C:\Program Files\Netscape\Netscape Browser\NSUninst.exe"
Otto --> "C:\Program Files\EnglishOtto\uninstallotto.exe"
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PC-Doctor 5 for Windows --> C:\Program Files\PC-Doctor 5 for Windows\uninst.exe
Power Email Recovery for Outlook Express 1.1 --> "C:\Program Files\Power Email Recovery for Outlook Express\unins000.exe"
Python 2.2 pywin32 extensions (build 203) --> "C:\Python22\Removepywin32.exe" -u "C:\Python22\pywin32-wininst.log"
Python 2.2.3 --> C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
Quicken 2006 --> MsiExec.exe /X{2818095F-FB6C-42C8-827E-0A406CC9AFF5}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
Recovery Toolbox for Outlook Express 1.1 --> "C:\Program Files\Recovery Toolbox for Outlook Express\unins000.exe"
Remove WeatherBug Installer --> c:\hp\bin\cloaker.exe c:\hp\bin\commands.exe /c c:\hp\bin\wbug\clean.bat
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sonic Express Labeler --> MsiExec.exe /X{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic MyDVD Plus --> MsiExec.exe /X{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow Audio --> MsiExec.exe /X{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic RecordNow Copy --> MsiExec.exe /X{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic RecordNow Data --> MsiExec.exe /X{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Update Manager --> MsiExec.exe /X{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Sony ACID Pro 6.0 --> MsiExec.exe /X{87DABCF7-2C38-4996-8FBE-053CA6536168}
Sony Media Manager 2.2 --> MsiExec.exe /X{47AA42FD-0450-4CB4-ADAF-B6E770AA7B2F}
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Update Rollup 2 for Windows XP Media Center Edition 2005 -->
WildTangent Web Driver --> C:\Program Files\WildTangent\Apps\CDA\CDAUninstall.exe
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB908246 --> "C:\WINDOWS\$NtUninstallKB908246$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB912067 --> "C:\WINDOWS\$NtUninstallKB912067$\spuninst\spuninst.exe"
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type256 / Warning
Event Submitted/Written: 04/25/2008 10:44:23 AM
Event ID/Source: 19011 / MSSQL$SONY_MEDIAMGR
Event Description:
(SpnRegister) : Error 1355

Event Record #/Type252 / Warning
Event Submitted/Written: 04/25/2008 10:42:31 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type232 / Warning
Event Submitted/Written: 04/25/2008 10:15:19 AM
Event ID/Source: 0 / System.ServiceModel.Install 3.0.0.0
Event Description:
HTTP namespace reservations are not installed.

Event Record #/Type230 / Warning
Event Submitted/Written: 04/25/2008 10:15:13 AM
Event ID/Source: 0 / System.ServiceModel.Install 3.0.0.0
Event Description:
HttpModules node ServiceModel does not exist in System.Web section group.

Event Record #/Type229 / Warning
Event Submitted/Written: 04/25/2008 10:15:13 AM
Event ID/Source: 0 / System.ServiceModel.Install 3.0.0.0
Event Description:
HttpHandlers node *.svc does not exist in System.Web section group.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type853 / Warning
Event Submitted/Written: 04/25/2008 11:47:03 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%YOUR-4DACD0EA7527 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %YOUR-4DACD0EA7527 can't undo changes that you allow.

For more information please see the following:
%YOUR-4DACD0EA75275

Scan ID: {D7C4FE8D-5AB2-47C3-87AB-853F33116C61}

User: YOUR-4DACD0EA75\Compaq_Administrator

Name: %YOUR-4DACD0EA75271

ID: %YOUR-4DACD0EA75272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %YOUR-4DACD0EA75276

Alert Type: %YOUR-4DACD0EA75278

Detection Type: 1.1.1593.02

Event Record #/Type852 / Warning
Event Submitted/Written: 04/25/2008 11:47:03 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%YOUR-4DACD0EA7527 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %YOUR-4DACD0EA7527 can't undo changes that you allow.

For more information please see the following:
%YOUR-4DACD0EA75275

Scan ID: {4CD37970-D379-4A9B-AF4E-2E32CFBBDA06}

User: YOUR-4DACD0EA75\Compaq_Administrator

Name: %YOUR-4DACD0EA75271

ID: %YOUR-4DACD0EA75272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %YOUR-4DACD0EA75276

Alert Type: %YOUR-4DACD0EA75278

Detection Type: 1.1.1593.02

Event Record #/Type851 / Warning
Event Submitted/Written: 04/25/2008 11:47:03 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%YOUR-4DACD0EA7527 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %YOUR-4DACD0EA7527 can't undo changes that you allow.

For more information please see the following:
%YOUR-4DACD0EA75275

Scan ID: {D0070489-E887-4A81-B271-266AA76164E7}

User: YOUR-4DACD0EA75\Compaq_Administrator

Name: %YOUR-4DACD0EA75271

ID: %YOUR-4DACD0EA75272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %YOUR-4DACD0EA75276

Alert Type: %YOUR-4DACD0EA75278

Detection Type: 1.1.1593.02

Event Record #/Type850 / Warning
Event Submitted/Written: 04/25/2008 11:47:01 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%YOUR-4DACD0EA7527 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %YOUR-4DACD0EA7527 can't undo changes that you allow.

For more information please see the following:
%YOUR-4DACD0EA75275

Scan ID: {4B4760A8-4776-4773-AF31-5720A8C75A24}

User: YOUR-4DACD0EA75\Compaq_Administrator

Name: %YOUR-4DACD0EA75271

ID: %YOUR-4DACD0EA75272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %YOUR-4DACD0EA75276

Alert Type: %YOUR-4DACD0EA75278

Detection Type: 1.1.1593.02

Event Record #/Type849 / Warning
Event Submitted/Written: 04/25/2008 11:47:01 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%YOUR-4DACD0EA7527 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %YOUR-4DACD0EA7527 can't undo changes that you allow.

For more information please see the following:
%YOUR-4DACD0EA75275

Scan ID: {9AF6D8E6-E49C-4A1B-AB9E-5E815F5F8BD5}

User: YOUR-4DACD0EA75\Compaq_Administrator

Name: %YOUR-4DACD0EA75271

ID: %YOUR-4DACD0EA75272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %YOUR-4DACD0EA75276

Alert Type: %YOUR-4DACD0EA75278

Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2008-04-25 11:47:20 ------------
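The Security Center section of the scanner output above lists the Windows Firewall exceptions as registry values of the form `"<path>"="<path>:<scope>:<Enabled|Disabled>:<display name>"`, once under DomainProfile and once under StandardProfile. An enabled entry lets that program accept unsolicited inbound connections on that profile, and `*` as the scope means from any remote address. The script below is an added example (it is not part of the post or of Deckard's System Scanner); it parses a constructed sample copied from the lines above and separates Windows components from third-party exceptions so the latter can be reviewed. Being on the list is not evidence of infection: BitComet and the DISCover FTP helper are legitimately network-facing, but each enabled entry is an open inbound path that the user should still want.

```python
"""Parse XP SP2 firewall AuthorizedApplications entries from a registry dump.

Added example; not code from the post or from Deckard's System Scanner.
Each value is  "<path>"="<path>:<scope>:<Enabled|Disabled>:<display name>"
where scope is "*" (any source address), LocalSubNet, or an address list.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the Security Center lines in the log above,
# in the .reg export style the scanner uses (backslashes are doubled).
SAMPLE_REG = r'''
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"="C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe:*:Enabled:Compaq Connections"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\DISC\\myFTP.exe"="C:\\Program Files\\DISC\\myFTP.exe:*:Enabled:DISCover FTP"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
'''

SECTION_RE = re.compile(
    r'^\[HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters'
    r'\\FirewallPolicy\\(?P<profile>\w+)\\AuthorizedApplications\\List\]$', re.I)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"$')

# Paths that resolve inside the Windows directory are treated as OS components.
WINDOWS_PREFIXES = ('%windir%', '%systemroot%', 'c:\\windows')


@dataclass
class FirewallException:
    profile: str          # DomainProfile or StandardProfile
    path: str             # program allowed to receive inbound connections
    scope: str            # '*' = any remote address
    enabled: bool
    name: str             # display name or @resource.dll,-id string
    windows_component: bool


def _unescape(s: str) -> str:
    # .reg export doubles backslashes; collapse them back to single ones.
    return s.replace('\\\\', '\\')


def parse_authorized_apps(text: str) -> list[FirewallException]:
    """Return one record per value under each profile's AuthorizedApplications\\List."""
    records: list[FirewallException] = []
    profile = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            profile = m.group('profile')
            continue
        m = VALUE_RE.match(line)
        if not m or profile is None:
            continue
        path = _unescape(m.group('name'))
        data = _unescape(m.group('data'))
        # The data normally repeats the path, so strip it before splitting on ':'
        # (the path itself contains a ':' after the drive letter).
        if data.lower().startswith(path.lower() + ':'):
            parts = data[len(path) + 1:].split(':', 2)
        else:
            parts = data.rsplit(':', 3)[1:]
        if len(parts) != 3:
            continue  # malformed value; skip rather than guess
        scope, enabled, name = parts
        records.append(FirewallException(
            profile=profile, path=path, scope=scope,
            enabled=enabled.lower() == 'enabled', name=name,
            windows_component=path.lower().startswith(WINDOWS_PREFIXES)))
    return records


def third_party_exceptions(records: list[FirewallException]) -> list[FirewallException]:
    """Enabled exceptions for programs outside the Windows directory: the review list."""
    return [r for r in records if r.enabled and not r.windows_component]


def report(records: list[FirewallException]) -> list[str]:
    """One human-readable line per third-party exception."""
    return [f'{r.profile}: {r.name!r} <- {r.path} (scope {r.scope})'
            for r in third_party_exceptions(records)]


if __name__ == '__main__':
    print('\n'.join(report(parse_authorized_apps(SAMPLE_REG))))
```

On the sample this reports Compaq Connections on the domain profile and DISCover FTP and BitComet on the standard profile; the two `%windir%` entries (sessmgr.exe and xpnetdiag.exe) are Windows' own and are left out of the review list.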

#4 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
Hi BMAC23

In this post we will clear some of the malware I can see and do a couple of scans to clean and to seek out other infections on your system. Potentially the scan logs could be quite long.

The scans will likely take 2 hours, quite possibly much longer, so just let them run.


====STEP 1====
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.h...a...&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O15 - Trusted Zone: http://*.trymedia.com (HKLM)


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.


====STEP 2====
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


====STEP 3====
Could you delete the current version of Malwarebytes you have and follow these instructions:

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


====STEP 4====
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


In your next reply could I see:
1. the malwarebytes log
2. the kaspersky log
3. a new hijackthis log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0

#5
BMAC23

    Member

  • Topic Starter
  • Member
  • 11 posts
Thanks Andrewuk. Here are all three logs.

Malwarebytes' Anti-Malware 1.11
Database version: 682

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 230010
Time elapsed: 2 hour(s), 0 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, April 25, 2008 11:58:04 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/04/2008
Kaspersky Anti-Virus database records: 725908
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 184473
Number of viruses found: 4
Number of infected objects: 17
Number of suspicious objects: 0
Duration of the scan process: 03:07:38

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\WINDOWS\temp\255.tmp Infected: Trojan-Spy.Win32.Zbot.bfk skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9e92b085585120e913a178e8576ce5b0_a273d633-d217-438f-ae9f-459377279f30 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-04232008-133504.log Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\otgykdsh.default\cert8.db Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\otgykdsh.default\history.dat Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\otgykdsh.default\key3.db Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\otgykdsh.default\parent.lock Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\otgykdsh.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\otgykdsh.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-25-2008( 10-44-47 ).LOG Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Desktop\Download_mbam-setup.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\ApplicationHistory\DiscStreamHub.exe.fddeaf63.ini.inuse Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\ApplicationHistory\DiscUpdMgr.exe.f0c5ac89.ini.inuse Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{6EAD9D2A-32FA-4AFE-950C-F318A0AD7A22} Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\otgykdsh.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\otgykdsh.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\otgykdsh.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\otgykdsh.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\hp\bin\wbug\CompaqPresario_Spring06.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.WeatherBug.a skipped
C:\hp\bin\wbug\CompaqPresario_Spring06.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.WeatherBug.a skipped
C:\hp\bin\wbug\CompaqPresario_Spring06.exe WiseSFX: infected - 2 skipped
C:\hp\bin\wbug\CompaqPresario_Spring06.exe WiseSFXDropper: infected - 2 skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\BitComet\Downloads\Cakewalk Sonar Producer Edition v4.0.rar/Cakewalk Sonar Producer Edition v4.0.zip/Cakewalk Sonar Producer Edition v4.0.3/setup.exe Infected: Trojan-Dropper.Win32.Binder.c skipped
C:\Program Files\BitComet\Downloads\Cakewalk Sonar Producer Edition v4.0.rar/Cakewalk Sonar Producer Edition v4.0.zip Infected: Trojan-Dropper.Win32.Binder.c skipped
C:\Program Files\BitComet\Downloads\Cakewalk Sonar Producer Edition v4.0.rar RAR: infected - 2 skipped
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Data\master.mdf Object is locked skipped
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Data\model.mdf Object is locked skipped
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Data\modellog.ldf Object is locked skipped
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Data\templog.ldf Object is locked skipped
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\LOG\ERRORLOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP20\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Debug\WPD\wpdtrace.log Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{21316571-331C-4A5E-9292-DEFFC0FACB74}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\security\Database\secedit.sdb Object is locked skipped
C:\WINDOWS\security\edb.log Object is locked skipped
C:\WINDOWS\security\edbtmp.log Object is locked skipped
C:\WINDOWS\security\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{631D426C-7C57-482F-8B41-B6CF24FED889}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_364.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_538.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_8ac.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\I386\APPS\APP22208\src\CompaqPresario_Spring06.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.WeatherBug.a skipped
D:\I386\APPS\APP22208\src\CompaqPresario_Spring06.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.WeatherBug.a skipped
D:\I386\APPS\APP22208\src\CompaqPresario_Spring06.exe WiseSFX: infected - 2 skipped
D:\I386\APPS\APP22208\src\CompaqPresario_Spring06.exe WiseSFXDropper: infected - 2 skipped
D:\I386\APPS\APP22208\src\HPPavillion_Spring06.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.WeatherBug.a skipped
D:\I386\APPS\APP22208\src\HPPavillion_Spring06.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.WeatherBug.a skipped
D:\I386\APPS\APP22208\src\HPPavillion_Spring06.exe WiseSFX: infected - 2 skipped
D:\I386\APPS\APP22208\src\HPPavillion_Spring06.exe WiseSFXDropper: infected - 2 skipped
D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP20\change.log Object is locked skipped

Scan process completed.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:23 AM, on 4/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\SoftwareDistribution\Download\5d1b63b440a48ee590dfaf6f8030dbff\update\update.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 6779 bytes
  • 0
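The Kaspersky report above is mostly "Object is locked skipped" lines, which only mean the scanner could not open a file that was in use; the lines that matter are the few flagged "Infected:", and among those the "not-a-virus:" hits (adware and riskware) need a different decision from a trojan detection. The following script is an added example written for this page, not a tool from the thread or from Kaspersky: it splits report lines of this format into those groups so a helper can see at a glance which on-disk files need action. The sample lines are copied from the report above (the poster's own paths, not constructed), and the regular expressions are my reading of that report's line format, not a documented Kaspersky specification.

```python
"""Triage helper for Kaspersky Online Scanner (v5) report lines.

Added example for this thread: groups per-object result lines into
  locked    - file was in use during the scan; not a detection at all
  riskware  - "not-a-virus:" adware/riskware; needs a human look
  container - archive summary line that only repeats its members' hits
  malware   - every other "Infected:" line; what actually needs action
"""
import re
from collections import Counter

# Sample lines copied from the Kaspersky report posted above (the poster's own
# paths, not constructed); the last line is the report's closing line and
# shows how non-result text falls through as "unparsed".
SAMPLE_REPORT = r"""C:\Deckard\System Scanner\backup\WINDOWS\temp\255.tmp Infected: Trojan-Spy.Win32.Zbot.bfk skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Desktop\Download_mbam-setup.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
C:\hp\bin\wbug\CompaqPresario_Spring06.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.WeatherBug.a skipped
C:\hp\bin\wbug\CompaqPresario_Spring06.exe WiseSFX: infected - 2 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
Scan process completed."""

# Line shapes as they appear in the report above (assumed, not an official spec).
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<kind>\S+): infected - (?P<count>\d+) skipped$")


def container_of(path: str) -> str:
    """On-disk file for an archive-member path such as 'x.exe/WISE0015.BIN'.

    The report joins member names with '/', while Windows paths use '\\',
    so the first '/' separates the container from the member.
    """
    return path.split("/", 1)[0]


def classify(line: str):
    """Return (category, path, detail) for one report line."""
    line = line.rstrip()
    m = LOCKED_RE.match(line)
    if m:
        return "locked", m["path"], "in use during scan; not a detection"
    m = INFECTED_RE.match(line)
    if m:
        name = m["name"]
        if name.startswith("not-a-virus:"):
            return "riskware", m["path"], name
        return "malware", m["path"], name
    m = CONTAINER_RE.match(line)
    if m:
        return "container", m["path"], f"{m['kind']} with {m['count']} flagged member(s)"
    return "unparsed", line, ""


def triage(report_text: str) -> dict:
    """Group a whole report by category and list the files needing action."""
    groups = {k: [] for k in ("malware", "riskware", "container", "locked", "unparsed")}
    for raw in report_text.splitlines():
        if not raw.strip():
            continue
        cat, path, detail = classify(raw)
        groups[cat].append((path, detail))
    # Distinct on-disk files carrying a real malware hit; archive members
    # collapse to their container so one archive is counted once.
    files = sorted({container_of(p) for p, _ in groups["malware"]})
    return {
        "groups": groups,
        "counts": Counter({k: len(v) for k, v in groups.items()}),
        "malware_files": files,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for cat, items in result["groups"].items():
        print(f"{cat}: {len(items)}")
    for path in result["malware_files"]:
        print("needs action:", path)
```

Run against the full report, the locked lines drop out entirely, the WeatherBug and WinFixer hits land in the riskware bucket for a judgement call, and only the Zbot file in the Deckard backup folder is left as a malware hit, which matches the helper's reading in the next post.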

#6
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
The Kaspersky scan found a number of false positives but also one infected file, which we will clear in the post following this. In this post we will run another scan and fix your file associations.

Firstly, could you disable your Windows Defender; it may get in the way of the scan in this post.


====STEP 1====
Click on Start, click on Run.
Copy and paste the following in bold in the open window and then click OK:
"%userprofile%\desktop\dss.exe" /daft
This will open up Deckard's File Association Tool.
  • Click on the Scan button.
  • Select everything it is displaying there
  • Click the Fix button.
  • Then rescan with DAFT again - it should say now that "All associations are OK"
  • Close DAFT if you receive that message. This means that it is fixed now.
If the program fails to load, then try this: please download DAFT and save it to your desktop, double-click the daft.exe icon, and then follow the above instructions from "Click on the Scan button".


====STEP 2====
Then, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058. Once you install the Recovery Console, when you reboot your computer, right after reboot, you'll see the option for the Recovery Console as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.


andrewuk
  • 0

#7
BMAC23

    Member

  • Topic Starter
  • Member
  • 11 posts
I really appreciate your help. Here are the logs:

ComboFix 08-04-24.1 - Compaq_Administrator 2008-04-26 10:06:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503 [GMT -7:00]
Running from: C:\Documents and Settings\Compaq_Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Brad\Application Data\macromedia\Flash Player\#SharedObjects\KYEYLWF4\www.broadcaster.com
C:\Documents and Settings\Brad\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Compaq_Administrator\Application Data\macromedia\Flash Player\#SharedObjects\KYEYLWF4\www.broadcaster.com
C:\Documents and Settings\Compaq_Administrator\Application Data\macromedia\Flash Player\#SharedObjects\KYEYLWF4\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Compaq_Administrator\Application Data\macromedia\Flash Player\#SharedObjects\KYEYLWF4\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Compaq_Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Compaq_Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-03-26 to 2008-04-26 )))))))))))))))))))))))))))))))
.

2008-04-26 08:18 . 2008-04-26 08:18 <DIR> d-------- C:\WINDOWS\LastGood
2008-04-25 19:00 . 2008-04-25 19:00 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-25 19:00 . 2008-04-25 19:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-25 15:46 . 2008-04-25 15:46 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-25 11:35 . 2008-04-25 11:35 <DIR> d-------- C:\Deckard
2008-04-25 10:54 . 2008-04-25 10:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-25 10:14 . 2008-04-25 10:14 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-04-25 10:14 . 2008-04-25 10:14 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-04-25 10:14 . 2008-04-25 10:14 <DIR> d-------- C:\Program Files\MSBuild
2008-04-25 10:14 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-04-25 10:13 . 2008-04-25 10:13 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-04-25 09:37 . 2002-12-17 16:23 33,340 --------- C:\WINDOWS\system32\dbmsqlgc.dll
2008-04-25 09:37 . 2002-10-20 14:05 24,576 --------- C:\WINDOWS\system32\dbmsgnet.dll
2008-04-24 20:08 . 2008-04-24 20:08 <DIR> d-------- C:\Program Files\Sony Setup
2008-04-24 15:07 . 2008-04-24 15:07 <DIR> d-------- C:\Program Files\Easy Hi-Q Recorder
2008-04-24 15:07 . 2001-03-13 09:49 140,288 --a------ C:\WINDOWS\system32\comdlg32.ocx
2008-04-24 08:43 . 2008-04-24 08:43 <DIR> d-------- C:\Program Files\Panda Security
2008-04-23 18:55 . 2008-04-24 15:14 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-23 18:55 . 2008-04-23 18:55 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\SUPERAntiSpyware.com
2008-04-23 18:55 . 2008-04-23 18:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-23 18:53 . 2008-04-23 18:55 <DIR> d-------- C:\movedfrom desktop
2008-04-23 18:28 . 2008-04-23 18:28 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Malwarebytes
2008-04-23 18:27 . 2008-04-23 18:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-23 18:26 . 2008-04-23 18:26 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-23 14:59 . 2007-04-16 11:56 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Waves Audio
2008-04-23 14:59 . 2008-04-22 07:47 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Uniblue
2008-04-23 14:59 . 2006-12-14 19:56 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Template
2008-04-23 14:59 . 2006-12-15 19:27 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Sony Setup
2008-04-23 14:59 . 2006-12-16 11:44 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Sony
2008-04-23 14:59 . 2006-12-13 18:29 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Sonic
2008-04-23 14:59 . 2007-12-08 17:29 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Roxio
2008-04-23 14:59 . 2006-12-16 11:37 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Publish Providers
2008-04-23 14:59 . 2007-07-07 11:31 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Propellerhead Software
2008-04-23 14:59 . 2006-12-13 17:05 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Otto
2008-04-23 14:59 . 2007-05-18 06:56 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Nikon
2008-04-23 14:59 . 2008-03-14 11:43 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Netscape
2008-04-23 14:59 . 2006-12-16 11:37 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\NetMedia Providers
2008-04-23 14:59 . 2007-07-03 11:52 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\MixMeister Technology
2008-04-23 14:59 . 2008-03-17 09:46 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Media Player Classic
2008-04-23 14:59 . 2006-12-13 18:29 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Leadertech
2008-04-23 14:59 . 2006-12-13 10:56 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Lavasoft
2008-04-23 14:59 . 2007-04-16 08:32 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\InstallShield
2008-04-23 14:59 . 2006-12-13 10:34 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\HPQ
2008-04-23 14:59 . 2006-12-23 12:57 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\HP
2008-04-23 14:59 . 2008-04-22 07:57 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\GlarySoft
2008-04-23 14:59 . 2007-07-16 14:58 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Flickr
2008-04-23 14:59 . 2007-06-18 17:22 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\FastStone
2008-04-23 14:59 . 2007-10-17 18:59 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\DVD Flick
2008-04-23 14:59 . 2007-10-08 17:25 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\DivX
2008-04-23 14:59 . 2007-06-07 18:51 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Corel
2008-04-23 14:59 . 2007-05-13 20:12 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\CoffeeCup Software
2008-04-23 14:59 . 2007-04-18 11:21 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Applied Acoustics Systems
2008-04-23 14:59 . 2006-12-22 14:00 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Apple Computer
2008-04-23 14:59 . 2007-02-08 09:50 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\AdobeUM
2008-04-23 14:58 . 2008-04-23 14:59 <DIR> d---s---- C:\Documents and Settings\Brad\UserData
2008-04-23 14:49 . 2006-08-08 02:22 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-23 14:49 . 2006-08-08 02:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2008-04-23 14:49 . 2008-03-06 12:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-04-23 14:49 . 2008-04-23 14:49 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-23 14:49 . 2008-04-26 10:03 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-23 14:40 . 2006-08-08 02:22 <DIR> d-------- C:\Documents and Settings\Brad\WINDOWS
2008-04-23 14:40 . 2006-08-08 02:23 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Intuit
2008-04-23 14:40 . 2008-04-22 09:44 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Gtek
2008-04-23 14:40 . 2008-04-23 16:27 <DIR> d-------- C:\Documents and Settings\Brad
2008-04-23 14:40 . 2008-04-26 10:03 1,024 --ah----- C:\Documents and Settings\Brad\ntuser.dat.LOG
2008-04-23 14:37 . 2006-08-08 02:22 <DIR> d-------- C:\Documents and Settings\Brad2\WINDOWS
2008-04-23 14:37 . 2006-08-08 02:23 <DIR> d-------- C:\Documents and Settings\Brad2\Application Data\Intuit
2008-04-23 14:37 . 2008-03-06 12:20 <DIR> d-------- C:\Documents and Settings\Brad2\Application Data\Gtek
2008-04-23 14:37 . 2008-04-23 14:37 <DIR> d-------- C:\Documents and Settings\Brad2
2008-04-23 14:37 . 2008-04-26 10:03 1,024 --ah----- C:\Documents and Settings\Brad2\ntuser.dat.LOG
2008-04-23 13:34 . 2008-04-23 13:34 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-22 18:05 . 2008-04-22 18:05 <DIR> d-------- C:\Program Files\Recovery Toolbox for Outlook Express
2008-04-22 17:21 . 2008-04-22 17:21 <DIR> d-------- C:\Program Files\Power Email Recovery for Outlook Express
2008-04-22 16:40 . 2006-03-20 20:23 23,040 --------- C:\WINDOWS\kb913800.exe
2008-04-22 09:44 . 2008-04-22 09:44 1,899 -rahs---- C:\WINDOWS\system32\drivers\103C_HP_CPC_RE476AA-ABA SR2050NX NA680_YC_0Pres_QCNH641_E64NAemREA3_48_IAsterope3_SHewleet-Packard_V1.0_B3.16_T060622_WXP2_L409_M960_J250_7Intel_8Pentium D_92.8_#061213_N10EC8139_Z14F12F20_G10025A61.MRK
2008-04-22 09:38 . 2006-08-08 02:22 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\WINDOWS
2008-04-22 09:38 . 2006-08-08 02:23 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Intuit
2008-04-22 09:38 . 2008-04-22 09:44 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Gtek
2008-04-22 09:38 . 2008-04-25 23:59 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator
2008-04-22 09:38 . 2008-04-26 10:08 1,024 --a------ C:\Documents and Settings\Compaq_Administrator\ntuser.dat.LOG
2008-04-22 09:36 . 2006-08-08 02:22 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS
2008-04-22 09:36 . 2006-08-08 02:53 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec
2008-04-22 09:36 . 2006-08-08 02:23 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Intuit
2008-04-22 09:36 . 2008-03-06 12:20 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek
2008-04-22 09:26 . 2008-04-26 10:03 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
2008-04-22 08:44 . 2008-04-25 10:43 <DIR> dr-hs---- C:\WINDOWS\system32\dllcache
2008-04-22 07:57 . 2008-04-22 07:57 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\GlarySoft
2008-04-22 07:54 . 2008-04-22 08:04 <DIR> d-------- C:\Program Files\Registry Repair
2008-04-22 07:47 . 2008-04-22 07:47 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Uniblue
2008-04-16 07:51 . 2008-04-16 07:51 <DIR> d-------- C:\videooutput
2008-04-13 14:32 . 2008-04-13 14:32 <DIR> d-------- C:\TubeHunter Ultra
2008-04-12 18:29 . 2008-04-12 18:29 <DIR> d-------- C:\Program Files\GPLGS
2008-04-12 18:28 . 2008-04-12 18:28 <DIR> d-------- C:\Program Files\Acro Software
2008-04-07 12:05 . 2008-04-16 07:51 <DIR> d-------- C:\Program Files\Smallvideosoft
2008-04-07 12:05 . 2008-04-07 12:05 <DIR> d-------- C:\Mp3 Output
2008-04-01 10:10 . 2008-04-01 10:10 <DIR> d-------- C:\Program Files\Neoretix
2008-04-01 10:08 . 2008-04-13 14:32 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-03-31 14:51 . 2008-03-31 15:48 <DIR> d-------- C:\Movie Magic Screenwriter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-25 16:35 --------- d-----w C:\Program Files\Sony
2008-04-25 03:08 4,820 ----a-w C:\Documents and Settings\Compaq_Administrator\Application Data\wklnhst.dat
2008-04-24 04:51 --------- d-----w C:\Program Files\music_now
2008-04-24 01:55 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-23 21:47 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-23 21:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-23 18:52 --------- d-----w C:\Program Files\Yahoo!
2008-04-23 16:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\WildTangent
2008-04-23 15:13 --------- d-----w C:\Program Files\PC-Doctor 5 for Windows
2008-04-21 22:29 --------- d-----w C:\Program Files\RapidLeecher Ultimate 2007
2008-03-25 01:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-03-25 00:49 --------- d-----w C:\Program Files\Bonjour
2008-03-25 00:42 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-03-24 18:00 3,012 ----a-w C:\drmHeader.bin
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-18 16:07 --------- d-----w C:\Program Files\Player
2008-03-17 16:46 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\Media Player Classic
2008-03-17 16:44 --------- d-----w C:\Program Files\Real Alternative
2008-03-14 22:01 --------- d-----w C:\Program Files\DivX
2008-03-14 18:43 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\Netscape
2008-03-06 19:20 --------- d-----w C:\Program Files\Linksys EasyLink Advisor
2008-03-02 01:36 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-16 09:32 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2008-02-16 09:32 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2008-02-16 09:32 1,499,136 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2008-02-16 09:32 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2008-02-16 09:32 1,024,000 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-05-18 14:08 0 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT
2007-05-18 14:03 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2006-12-13 23:37 251 ----a-w C:\Program Files\wt3d.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24 1694208]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-04-24 15:14 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 21:01 67584]
"ftutil2"="ftutil2.dll" [2004-06-07 14:05 106496 C:\WINDOWS\system32\ftutil2.dll]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 20:05 16239616 C:\WINDOWS\RTHDCPL.EXE]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 23:19 77312 C:\WINDOWS\arpwrmsg.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-22 22:14 237568]
"PCDrProfiler"="" []
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 22:34 249856]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [2004-12-14 02:23 663552]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 06:11 49152]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-08 02:10 180269]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 11:37 79224]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2006-08-08 01:33:27 27136]
PinMcLnk.lnk - C:\hp\bin\cloaker.exe [2006-08-08 01:33:27 27136]

C:\Documents and Settings\Brad2\Start Menu\Programs\Startup\
PinMcLnk.lnk - C:\hp\bin\cloaker.exe [2006-08-08 01:33:27 27136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 05:05:26 29696]
Compaq Connections.lnk - C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe [2006-08-08 02:27:56 36903]
Free WebSite Tools.lnk - C:\Program Files\CoffeeCup Software\CoffeeCup Free FTP\ThirtyDayTimer.exe [2007-05-13 20:11:12 372224]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 18:23:32 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-04-24 15:14 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\DISC\\DISCover.exe"=
"C:\\Program Files\\DISC\\DiscStreamHub.exe"=
"C:\\Program Files\\DISC\\myFTP.exe"=
"C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11659:TCP"= 11659:TCP:BitComet 11659 TCP
"11659:UDP"= 11659:UDP:BitComet 11659 UDP

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 11:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 11:35]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-26 15:35:42 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-26 10:08:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-04-26 10:13:17
ComboFix-quarantined-files.txt 2008-04-26 17:12:15

Pre-Run: 115,572,310,016 bytes free
Post-Run: 115,561,717,760 bytes free

231 --- E O F --- 2008-04-25 16:24:53

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:29:39 AM, on 4/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 6683 bytes
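The "Reg Loading Points" section of the ComboFix log above records, next to the Run keys, the Windows Firewall policy for the standard profile: "EnableFirewall"= 0 (0x0), an AuthorizedApplications list that includes BitComet, and 11659/TCP and 11659/UDP under GloballyOpenPorts. The Python script below is an added example, not part of this thread and not ComboFix's own code: it parses that section out of a saved log and reports the firewall state, the authorized applications and the globally open ports, which is the check a reviewer wants before deciding whether the machine was exposed while the problem developed. The sample input is a constructed excerpt copied from the log lines in this thread; the function names are the example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: an excerpt of ComboFix's "Reg Loading Points" section,
# copied from the log posted in this thread (not output of a live scan).
SAMPLE_REG_POINTS = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 21:01 67584]
"ftutil2"="ftutil2.dll" [2004-06-07 14:05 106496 C:\WINDOWS\system32\ftutil2.dll]
"PCDrProfiler"="" []

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11659:TCP"= 11659:TCP:BitComet 11659 TCP
"11659:UDP"= 11659:UDP:BitComet 11659 UDP
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                # [HKLM\...] section header
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')  # "name"= value

Section = List[Tuple[str, str]]


def parse_reg_points(text: str) -> Dict[str, Section]:
    """Group the '"name"= value' lines under their (lower-cased) registry key."""
    sections: Dict[str, Section] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            sections.setdefault(current, [])
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            sections[current].append((val.group(1), val.group(2).strip()))
    return sections


def _section_ending_with(sections: Dict[str, Section], suffix: str) -> Section:
    """First section whose key ends with the given path fragment (case-insensitive)."""
    for key, entries in sections.items():
        if key.endswith(suffix.lower()):
            return entries
    return []


def firewall_findings(sections: Dict[str, Section]) -> dict:
    """Summarise the StandardProfile firewall policy that ComboFix printed."""
    result = {"firewall_enabled": None, "authorized_apps": [], "open_ports": [], "findings": []}

    profile = _section_ending_with(sections, r"firewallpolicy\standardprofile")
    for name, value in profile:
        if name.lower() == "enablefirewall":
            # value looks like "0 (0x0)"; the leading integer is the DWORD
            result["firewall_enabled"] = int(value.split()[0]) != 0
    if result["firewall_enabled"] is False:
        result["findings"].append("Windows Firewall standard profile is disabled (EnableFirewall = 0)")

    apps = _section_ending_with(sections, r"authorizedapplications\list")
    # the log doubles the backslashes in these names; collapse them to real paths
    result["authorized_apps"] = [name.replace("\\\\", "\\") for name, _ in apps]

    ports = _section_ending_with(sections, r"globallyopenports\list")
    for name, value in ports:
        port, proto = name.split(":", 1)
        description = value.split(":", 2)[2] if value.count(":") >= 2 else value
        result["open_ports"].append((int(port), proto.upper(), description))
    if result["open_ports"]:
        listed = ", ".join(f"{p}/{proto}" for p, proto, _ in result["open_ports"])
        result["findings"].append(f"globally open inbound ports: {listed}")
    return result


if __name__ == "__main__":
    for line in firewall_findings(parse_reg_points(SAMPLE_REG_POINTS))["findings"]:
        print(line)
```

EnableFirewall under StandardProfile governs the profile XP uses when the machine is not joined to a domain; the DomainProfile key is not printed in this log, so the script reports only what ComboFix shows. To run it on a full ComboFix.txt, pass the file contents to parse_reg_points; lines outside the bracketed sections are ignored.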

#8 andrewuk (Trusted Helper, Malware Removal)
In this post we will remove the malware we found in the prior post, scan a couple of files and do another scan.


====STEP 1====
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Program Files\BitComet\Downloads\Cakewalk Sonar Producer Edition v4.0.rar


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


====STEP 2====
Jotti File Submission:

Please go to Jotti's malware scan
Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
C:\WINDOWS\system32\spmsg2.dll

Click on the submit button

Please also do the same with the following file (it is all one file, so just highlight it all and copy in):
C:\WINDOWS\system32\drivers\103C_HP_CPC_RE476AA-ABA SR2050NX NA680_YC_0Pres_QCNH641_E64NAemREA3_48_IAsterope3_SHewleet-Packard_V1.0_B3.16_T060622_WXP2_L409_M960_J250_7Intel_8Pentium D_92.8_#061213_N10EC8139_Z14F12F20_G10025A61.MRK


Please post the results of the scan in your next reply.

If Jotti is busy, try the same at VirusTotal.


====STEP 3====
We will run your SUPERAntiSpyware program.

Double-click the SUPERAntiSpyware icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.



In your next reply could I see:
1. the 2 complete Jotti reports
2. the SUPERAntiSpyware log
3. the ComboFix log
4. a new HijackThis log
5. some idea of how your machine is running now

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
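Steps 1 and 2 above ask for a CFScript that names a file by full path, and for two files to be uploaded to a multi-engine scanner whose report (the Jotti output later in this thread) prints an MD5 and one verdict per engine. The Python script below is an added example, not part of this thread and not code from ComboFix, Jotti or VirusTotal: it hashes the files locally in chunks before upload, writes the "File::" block with CRLF line endings so Notepad on XP shows the line breaks, and parses a returned report so the MD5 it prints can be checked against the file actually submitted and any non-clean verdicts pulled out. The function names are the example's own and the embedded report is a constructed excerpt in the format shown in this thread.

```python
import hashlib
import sys
from pathlib import Path
from typing import Dict, Iterable

CHUNK_SIZE = 1 << 20  # 1 MiB reads keep memory flat for large downloads


def hash_chunks(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Hex MD5 and SHA-256 over a sequence of byte chunks (a file's contents, in order)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for chunk in chunks:
        md5.update(chunk)
        sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_file(path: Path) -> Dict[str, str]:
    """Hash a file on disk without loading it whole; names with spaces or '#' need no quoting here."""
    with open(path, "rb") as fh:
        return hash_chunks(iter(lambda: fh.read(CHUNK_SIZE), b""))


def matches_report(local_md5: str, reported_md5: str) -> bool:
    """Compare the locally computed MD5 with the one a scanner report prints (case-insensitive)."""
    return local_md5.strip().lower() == reported_md5.strip().lower()


def build_cfscript(paths: Iterable[str]) -> str:
    """ComboFix 'File::' block: the directive, then one full path per line, CRLF-terminated."""
    lines = ["File::", *[str(p) for p in paths]]
    return "\r\n".join(lines) + "\r\n"


# Constructed excerpt of a Jotti-style report in the layout seen in this thread:
# engine name and verdict alternate on consecutive lines after "Scanner results".
SAMPLE_REPORT = """
File: spmsg2.dll
Status:
OK (Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 37044da1f53a8a6e5c54fca4c974511a
Packers detected:
-
Scanner results
Scan taken on 26 Apr 2008 23:03:35 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ClamAV
Found nothing
"""


def parse_scan_report(text: str) -> Dict[str, object]:
    """Pull the reported MD5 and the per-engine verdicts out of a Jotti-style text report."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    md5 = ""
    for ln in lines:
        if ln.lower().startswith("md5:"):
            md5 = ln.split(":", 1)[1].strip()
    verdicts: Dict[str, str] = {}
    if "Scanner results" in lines:
        body = lines[lines.index("Scanner results") + 1:]
        body = [ln for ln in body if not ln.startswith("Scan taken on")]
        for engine, verdict in zip(body[0::2], body[1::2]):
            verdicts[engine] = verdict
    detections = {e: v for e, v in verdicts.items() if v.lower() != "found nothing"}
    return {"md5": md5, "verdicts": verdicts, "detections": detections}


if __name__ == "__main__":
    # usage: python hash_for_upload.py <file> [<file> ...]
    for arg in sys.argv[1:]:
        digests = hash_file(Path(arg))
        print(f"{arg}\n  md5    {digests['md5']}\n  sha256 {digests['sha256']}")
    if len(sys.argv) > 1:
        print(build_cfscript(sys.argv[1:]), end="")
```

Checking the reported MD5 against the local file matters because the report above says the file "has been scanned before": a mismatch would mean the verdicts belong to a different file than the one on this machine. MD5 is adequate as a lookup identifier for a scanner database but not as proof of integrity, which is why the SHA-256 is computed alongside it.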

#9 BMAC23 (Topic Starter, Member)
I forgot to make a log of the anti-spyware, but it found nothing. As far as my computer, I am still having the same problems. Many of my programs either don't open or say they are not installed properly. However I cannot uninstall/reinstall them, because they do not show up in the add/remove programs list. These are programs I had been using for years w/o incident before this. Also, my Outlook Express still does not import mail (It says "congratulations on importing your mail" -- but nothing happens)

Jotti logs

File: spmsg2.dll
Status:
OK (Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 37044da1f53a8a6e5c54fca4c974511a
Packers detected:
-
Bit9 reports: No threat detected (more info)
Scanner results
Scan taken on 26 Apr 2008 23:03:35 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

File: 103C_HP_CPC_RE476AA-ABA_SR2050NX_NA680_YC_0Pres_QCNH641_E64NAemREA3_48_IAsterope3_SHewleet-Packard_V1.0_B3.16_T060622_WXP2_L409_M960_J250_7Intel_8Pentium_D_92.8_#061213_N10EC8139_Z14F12F20_G10025A61.MRK
Status:
OK (Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: eadf7d8203668646d7bd4f1879334d86
Packers detected:
-
Bit9 reports: File not found
Scanner results
Scan taken on 26 Apr 2008 23:11:24 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

ComboFix 08-04-24.1 - Compaq_Administrator 2008-04-26 15:52:37.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.480 [GMT -7:00]
Running from: C:\Documents and Settings\Compaq_Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Compaq_Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Program Files\BitComet\Downloads\Cakewalk Sonar Producer Edition v4.0.rar
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\BitComet\Downloads\Cakewalk Sonar Producer Edition v4.0.rar

.
((((((((((((((((((((((((( Files Created from 2008-03-26 to 2008-04-26 )))))))))))))))))))))))))))))))
.

2008-04-25 19:00 . 2008-04-25 19:00 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-25 19:00 . 2008-04-25 19:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-25 15:46 . 2008-04-25 15:46 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-25 11:35 . 2008-04-25 11:35 <DIR> d-------- C:\Deckard
2008-04-25 10:54 . 2008-04-25 10:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-25 10:14 . 2008-04-25 10:14 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-04-25 10:14 . 2008-04-25 10:14 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-04-25 10:14 . 2008-04-25 10:14 <DIR> d-------- C:\Program Files\MSBuild
2008-04-25 10:14 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-04-25 10:13 . 2008-04-25 10:13 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-04-25 09:37 . 2002-12-17 16:23 33,340 --------- C:\WINDOWS\system32\dbmsqlgc.dll
2008-04-25 09:37 . 2002-10-20 14:05 24,576 --------- C:\WINDOWS\system32\dbmsgnet.dll
2008-04-24 20:08 . 2008-04-24 20:08 <DIR> d-------- C:\Program Files\Sony Setup
2008-04-24 15:07 . 2008-04-24 15:07 <DIR> d-------- C:\Program Files\Easy Hi-Q Recorder
2008-04-24 15:07 . 2001-03-13 09:49 140,288 --a------ C:\WINDOWS\system32\comdlg32.ocx
2008-04-24 08:43 . 2008-04-24 08:43 <DIR> d-------- C:\Program Files\Panda Security
2008-04-23 18:55 . 2008-04-24 15:14 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-23 18:55 . 2008-04-23 18:55 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\SUPERAntiSpyware.com
2008-04-23 18:55 . 2008-04-23 18:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-23 18:53 . 2008-04-23 18:55 <DIR> d-------- C:\movedfrom desktop
2008-04-23 18:28 . 2008-04-23 18:28 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Malwarebytes
2008-04-23 18:27 . 2008-04-23 18:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-23 18:26 . 2008-04-23 18:26 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-23 14:59 . 2007-04-16 11:56 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Waves Audio
2008-04-23 14:59 . 2008-04-22 07:47 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Uniblue
2008-04-23 14:59 . 2006-12-14 19:56 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Template
2008-04-23 14:59 . 2006-12-15 19:27 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Sony Setup
2008-04-23 14:59 . 2006-12-16 11:44 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Sony
2008-04-23 14:59 . 2006-12-13 18:29 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Sonic
2008-04-23 14:59 . 2007-12-08 17:29 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Roxio
2008-04-23 14:59 . 2006-12-16 11:37 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Publish Providers
2008-04-23 14:59 . 2007-07-07 11:31 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Propellerhead Software
2008-04-23 14:59 . 2006-12-13 17:05 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Otto
2008-04-23 14:59 . 2007-05-18 06:56 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Nikon
2008-04-23 14:59 . 2008-03-14 11:43 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Netscape
2008-04-23 14:59 . 2006-12-16 11:37 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\NetMedia Providers
2008-04-23 14:59 . 2007-07-03 11:52 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\MixMeister Technology
2008-04-23 14:59 . 2008-03-17 09:46 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Media Player Classic
2008-04-23 14:59 . 2006-12-13 18:29 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Leadertech
2008-04-23 14:59 . 2006-12-13 10:56 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Lavasoft
2008-04-23 14:59 . 2007-04-16 08:32 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\InstallShield
2008-04-23 14:59 . 2006-12-13 10:34 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\HPQ
2008-04-23 14:59 . 2006-12-23 12:57 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\HP
2008-04-23 14:59 . 2008-04-22 07:57 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\GlarySoft
2008-04-23 14:59 . 2007-07-16 14:58 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Flickr
2008-04-23 14:59 . 2007-06-18 17:22 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\FastStone
2008-04-23 14:59 . 2007-10-17 18:59 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\DVD Flick
2008-04-23 14:59 . 2007-10-08 17:25 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\DivX
2008-04-23 14:59 . 2007-06-07 18:51 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Corel
2008-04-23 14:59 . 2007-05-13 20:12 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\CoffeeCup Software
2008-04-23 14:59 . 2007-04-18 11:21 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Applied Acoustics Systems
2008-04-23 14:59 . 2006-12-22 14:00 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Apple Computer
2008-04-23 14:59 . 2007-02-08 09:50 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\AdobeUM
2008-04-23 14:58 . 2008-04-23 14:59 <DIR> d---s---- C:\Documents and Settings\Brad\UserData
2008-04-23 14:49 . 2006-08-08 02:22 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-23 14:49 . 2006-08-08 02:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2008-04-23 14:49 . 2008-03-06 12:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-04-23 14:49 . 2008-04-23 14:49 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-23 14:49 . 2008-04-26 10:03 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-23 14:40 . 2006-08-08 02:22 <DIR> d-------- C:\Documents and Settings\Brad\WINDOWS
2008-04-23 14:40 . 2006-08-08 02:23 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Intuit
2008-04-23 14:40 . 2008-04-22 09:44 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Gtek
2008-04-23 14:40 . 2008-04-23 16:27 <DIR> d-------- C:\Documents and Settings\Brad
2008-04-23 14:40 . 2008-04-26 10:27 1,024 --ah----- C:\Documents and Settings\Brad\ntuser.dat.LOG
2008-04-23 14:37 . 2006-08-08 02:22 <DIR> d-------- C:\Documents and Settings\Brad2\WINDOWS
2008-04-23 14:37 . 2006-08-08 02:23 <DIR> d-------- C:\Documents and Settings\Brad2\Application Data\Intuit
2008-04-23 14:37 . 2008-03-06 12:20 <DIR> d-------- C:\Documents and Settings\Brad2\Application Data\Gtek
2008-04-23 14:37 . 2008-04-23 14:37 <DIR> d-------- C:\Documents and Settings\Brad2
2008-04-23 14:37 . 2008-04-26 10:27 1,024 --ah----- C:\Documents and Settings\Brad2\ntuser.dat.LOG
2008-04-23 13:34 . 2008-04-23 13:34 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-22 18:05 . 2008-04-22 18:05 <DIR> d-------- C:\Program Files\Recovery Toolbox for Outlook Express
2008-04-22 17:21 . 2008-04-22 17:21 <DIR> d-------- C:\Program Files\Power Email Recovery for Outlook Express
2008-04-22 16:40 . 2006-03-20 20:23 23,040 --------- C:\WINDOWS\kb913800.exe
2008-04-22 09:44 . 2008-04-22 09:44 1,899 -rahs---- C:\WINDOWS\system32\drivers\103C_HP_CPC_RE476AA-ABA SR2050NX NA680_YC_0Pres_QCNH641_E64NAemREA3_48_IAsterope3_SHewleet-Packard_V1.0_B3.16_T060622_WXP2_L409_M960_J250_7Intel_8Pentium D_92.8_#061213_N10EC8139_Z14F12F20_G10025A61.MRK
2008-04-22 09:38 . 2006-08-08 02:22 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\WINDOWS
2008-04-22 09:38 . 2006-08-08 02:23 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Intuit
2008-04-22 09:38 . 2008-04-22 09:44 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Gtek
2008-04-22 09:38 . 2008-04-26 10:26 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator
2008-04-22 09:38 . 2008-04-26 15:57 1,024 --a------ C:\Documents and Settings\Compaq_Administrator\ntuser.dat.LOG
2008-04-22 09:36 . 2006-08-08 02:22 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS
2008-04-22 09:36 . 2006-08-08 02:53 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec
2008-04-22 09:36 . 2006-08-08 02:23 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Intuit
2008-04-22 09:36 . 2008-03-06 12:20 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek
2008-04-22 09:26 . 2008-04-26 10:03 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
2008-04-22 08:44 . 2008-04-25 10:43 <DIR> dr-hs---- C:\WINDOWS\system32\dllcache
2008-04-22 07:57 . 2008-04-22 07:57 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\GlarySoft
2008-04-22 07:54 . 2008-04-22 08:04 <DIR> d-------- C:\Program Files\Registry Repair
2008-04-22 07:47 . 2008-04-22 07:47 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Uniblue
2008-04-16 07:51 . 2008-04-16 07:51 <DIR> d-------- C:\videooutput
2008-04-13 14:32 . 2008-04-13 14:32 <DIR> d-------- C:\TubeHunter Ultra
2008-04-12 18:29 . 2008-04-12 18:29 <DIR> d-------- C:\Program Files\GPLGS
2008-04-12 18:28 . 2008-04-12 18:28 <DIR> d-------- C:\Program Files\Acro Software
2008-04-07 12:05 . 2008-04-16 07:51 <DIR> d-------- C:\Program Files\Smallvideosoft
2008-04-07 12:05 . 2008-04-07 12:05 <DIR> d-------- C:\Mp3 Output
2008-04-01 10:10 . 2008-04-01 10:10 <DIR> d-------- C:\Program Files\Neoretix
2008-04-01 10:08 . 2008-04-13 14:32 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-03-31 14:51 . 2008-03-31 15:48 <DIR> d-------- C:\Movie Magic Screenwriter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-25 16:35 --------- d-----w C:\Program Files\Sony
2008-04-25 03:08 4,820 ----a-w C:\Documents and Settings\Compaq_Administrator\Application Data\wklnhst.dat
2008-04-24 04:51 --------- d-----w C:\Program Files\music_now
2008-04-24 01:55 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-23 21:47 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-23 21:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-23 18:52 --------- d-----w C:\Program Files\Yahoo!
2008-04-23 16:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\WildTangent
2008-04-23 15:13 --------- d-----w C:\Program Files\PC-Doctor 5 for Windows
2008-04-21 22:29 --------- d-----w C:\Program Files\RapidLeecher Ultimate 2007
2008-03-25 01:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-03-25 00:49 --------- d-----w C:\Program Files\Bonjour
2008-03-25 00:42 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-03-24 18:00 3,012 ----a-w C:\drmHeader.bin
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-18 16:07 --------- d-----w C:\Program Files\Player
2008-03-17 16:46 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\Media Player Classic
2008-03-17 16:44 --------- d-----w C:\Program Files\Real Alternative
2008-03-14 22:01 --------- d-----w C:\Program Files\DivX
2008-03-14 18:43 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\Netscape
2008-03-06 19:20 --------- d-----w C:\Program Files\Linksys EasyLink Advisor
2008-03-02 01:36 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-16 09:32 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2008-02-16 09:32 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2008-02-16 09:32 1,499,136 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2008-02-16 09:32 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2008-02-16 09:32 1,024,000 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-05-18 14:08 0 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT
2007-05-18 14:03 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2006-12-13 23:37 251 ----a-w C:\Program Files\wt3d.ini
.

((((((((((((((((((((((((((((( [email protected]_10.12.05.21 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-26 15:15:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-26 17:27:13 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-26 17:27:28 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_118.dat
+ 2008-04-26 17:27:18 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_518.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24 1694208]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-04-24 15:14 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 21:01 67584]
"ftutil2"="ftutil2.dll" [2004-06-07 14:05 106496 C:\WINDOWS\system32\ftutil2.dll]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 20:05 16239616 C:\WINDOWS\RTHDCPL.EXE]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 23:19 77312 C:\WINDOWS\arpwrmsg.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-22 22:14 237568]
"PCDrProfiler"="" []
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 22:34 249856]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [2004-12-14 02:23 663552]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 06:11 49152]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-08 02:10 180269]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 11:37 79224]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2006-08-08 01:33:27 27136]
PinMcLnk.lnk - C:\hp\bin\cloaker.exe [2006-08-08 01:33:27 27136]

C:\Documents and Settings\Brad2\Start Menu\Programs\Startup\
PinMcLnk.lnk - C:\hp\bin\cloaker.exe [2006-08-08 01:33:27 27136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 05:05:26 29696]
Compaq Connections.lnk - C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe [2006-08-08 02:27:56 36903]
Free WebSite Tools.lnk - C:\Program Files\CoffeeCup Software\CoffeeCup Free FTP\ThirtyDayTimer.exe [2007-05-13 20:11:12 372224]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 18:23:32 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-04-24 15:14 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\DISC\\DISCover.exe"=
"C:\\Program Files\\DISC\\DiscStreamHub.exe"=
"C:\\Program Files\\DISC\\myFTP.exe"=
"C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11659:TCP"= 11659:TCP:BitComet 11659 TCP
"11659:UDP"= 11659:UDP:BitComet 11659 UDP

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 11:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 11:35]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-26 17:30:19 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-26 15:57:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-26 16:02:19
ComboFix-quarantined-files.txt 2008-04-26 23:01:32
ComboFix2.txt 2008-04-26 17:13:18

Pre-Run: 119,775,256,576 bytes free
Post-Run: 119,761,944,576 bytes free

236 --- E O F --- 2008-04-25 16:24:53

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:19:39 PM, on 4/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\WINDOWS\explorer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\spider.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 6723 bytes
  • 0

#10
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
From a malware point of view I think we are almost done.

Could you just scan these two last files for me please and, it's a long shot, but we will do another scan.


====STEP 1====
Jotti File Submission:

Please go to Jotti's malware scan
Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
C:\WINDOWS\system32\spider.exe

Click on the submit button

Please also do the same with the following two files:
C:\WINDOWS\kb913800.exe

Please post the results of the scan in your next reply.

If Jotti is busy, try the same at Virustotal


====STEP 2====
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.

andrewuk
  • 0

#11
BMAC23

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Thanks Andrewuk,

The Jotti scan found nothing. Here is the Dr. Web.

KillWind.exe;C:\hp\bin;Tool.ProcessKill;Deleted.;
A0004275.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP20;Probably BACKDOOR.Trojan;Deleted.;
A0004309.bat;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP21;Probably BATCH.Virus;Deleted.;
A0004317.bat;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP21;Probably SCRIPT.Virus;Deleted.;
A0004347.bat;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP21;Probably BATCH.Virus;Deleted.;
A0004353.bat;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP21;Probably SCRIPT.Virus;Deleted.;
A0004415.bat;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP22;Probably BATCH.Virus;Deleted.;
A0004422.bat;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP22;Probably SCRIPT.Virus;Deleted.;
sb6adts.htc\Script.0;C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\sb6adts.htc;Probably SCRIPT.Virus;;
sb6adts.htc;C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts;Archive contains infected objects;Moved.;
firstopt.js;D:\I386\APPS\APP17197;Probably SCRIPT.Virus;Deleted.;

My computer seems nearly clear of a ton of malware. Thanks a lot. However, I still cannot open many of my programs nor reinstall/uninstall them because they do not appear in my program list.
  • 0
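One way to read a DrWeb.csv report like the one posted above, as an added example that is not code from the thread, the helper or Dr.Web: it parses the semicolon-separated records (field order name;directory;detection;action is inferred from the posted lines), separates objects Dr.Web already deleted or moved from nested objects whose container was handled and from objects left untouched, and flags hits inside System Restore snapshots, which is what the restore-point reset step in the next post addresses. The sample records are the posted ones plus one constructed line (labelled) to show an untouched object.

```python
"""Triage a Dr.Web CureIt report (DrWeb.csv) such as the one posted above.

Added example; not code from the thread, the helper, or Dr.Web. The record
layout is inferred from the posted lines:  name;directory;detection;action;
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Restore-point copies live under "<drive>:\System Volume Information\_restore{...}\RPnn".
# Dr.Web can delete them, but a clean state still means resetting System Restore
# so that no infected snapshot survives.
RESTORE_POINT_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}", re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    name: str       # object name; "archive\member" for objects inside a container
    directory: str  # folder (or container file) holding the object
    detection: str  # Dr.Web verdict
    action: str     # "Deleted.", "Moved.", ... or "" when Dr.Web took no action

    @property
    def full_path(self) -> str:
        return self.directory + "\\" + self.name

    @property
    def in_restore_point(self) -> bool:
        return RESTORE_POINT_RE.match(self.directory) is not None


def parse_report(text: str) -> list[Finding]:
    """Parse DrWeb.csv lines; fields are ';'-separated and each line ends with ';'."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) < 4:
            raise ValueError(f"malformed DrWeb.csv record: {raw!r}")
        findings.append(Finding(*[f.strip() for f in fields[:4]]))
    return findings


def triage(findings: list[Finding]) -> dict[str, list[str]]:
    """Group findings by what still needs doing.

    resolved             - Dr.Web deleted/moved/cured the object
    covered_by_container - no action on a nested object, but its container was handled
    unresolved           - no action and nothing covered it: needs manual follow-up
    restore_point        - hits inside System Restore snapshots (reset System Restore)
    """
    # Windows paths are case-insensitive, so compare case-folded paths.
    handled_paths = {f.full_path.casefold() for f in findings if f.action}
    out: dict[str, list[str]] = {
        "resolved": [], "covered_by_container": [], "unresolved": [], "restore_point": []
    }
    for f in findings:
        if f.action:
            out["resolved"].append(f.full_path)
        elif f.directory.casefold() in handled_paths:
            out["covered_by_container"].append(f.full_path)
        else:
            out["unresolved"].append(f.full_path)
        if f.in_restore_point:
            out["restore_point"].append(f.full_path)
    return out


# Constructed sample: the posted records plus one made-up untouched object (last line).
SAMPLE_REPORT = r"""KillWind.exe;C:\hp\bin;Tool.ProcessKill;Deleted.;
A0004275.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP20;Probably BACKDOOR.Trojan;Deleted.;
A0004309.bat;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP21;Probably BATCH.Virus;Deleted.;
sb6adts.htc\Script.0;C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\sb6adts.htc;Probably SCRIPT.Virus;;
sb6adts.htc;C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts;Archive contains infected objects;Moved.;
firstopt.js;D:\I386\APPS\APP17197;Probably SCRIPT.Virus;Deleted.;
constructed_example.exe;C:\Temp;Probably BACKDOOR.Trojan;;
"""

if __name__ == "__main__":
    for group, paths in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{group}: {len(paths)}")
        for p in paths:
            print("   ", p)
```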

#12
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hi BMAC23

From a malware point of view, your logs are clean :)

Once you have done the steps below, post back in the other part of the forum and say your machine is now clear of malware.

In this post we will clear away the fix tools (this is so that should you ever be re-infected, you will download updated versions, and it will also remove the quarantined malware from your computer), reset your restore points (there will be infections lurking in there), and I will leave you with some ideas on how to enhance the protection of your machine against future infection.


====STEP 1====
clearing away the fix tools:

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
You can clear away any other remaining fix tools we used also.


====STEP 2====
Resetting the Restore Points:

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

Instructions with screenshots to help are at http://www.f-secure..../sfc_dis1.shtml

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/kb/310405


====IDEAS TO SPEED UP YOUR MACHINE====
This page http://users.telenet...owcomputer.html gives some good ideas on how to improve the efficiency of your machine and has one or two useful links to help you further.


====AND FINALLY====
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.
  • Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.


andrewuk
  • 0

#13
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





