Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

troj/virtum-gen [RESOLVED]

Started by bob05 , Jun 16 2008 11:29 PM

  • This topic is locked This topic is locked

#1
bob05
Posted 16 June 2008 - 11:29 PM

bob05

    New Member

  • Member
  • Pip
  • 8 posts
Hi I somehow managed to get rid of some of the viruses on my computer but have not had any luck with this troj/virtum-gen. Hope someone can help. Here is my highjackthis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:58 PM, on 6/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\Lexmark 3400 Series\ezprint.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.azcentral...rizonarepublic/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {6823D1BB-337A-453C-89D1-61A02F4B3B74} - C:\WINDOWS\system32\cbXOIbxU.dll (file missing)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] "c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 3400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [c061eeb3] "rundll32.exe" "C:\WINDOWS\system32\dikdtvui.dll",b
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [mschkdsk.exe] C:\WINDOWS\system32\mschkdsk.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [YourPrivacyGuard] "C:\Program Files\YourPrivacyGuard\GDC.exe"
O4 - HKCU\..\Run: [PCSecureSystem] "C:\Program Files\PCSecureSystem\pgs.exe" /min
O4 - HKCU\..\Run: [Gadwin PrintScreen] "C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" /nosplash
O4 - Startup: .protected
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: HP Organize.lnk = ?
O4 - Global Startup: .protected
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZJxdm088YYUS
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com...OnlineGames.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimd...lidstateion.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.to...9.11/ttinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer....l/installer.exe
O20 - Winlogon Notify: khfgdcbb - khfgdcbb.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: Privacy Protection - about:home

--
End of file - 11521 bytes


Thanks in advance.
  • 0

Advertisements

#2
Stamper19
Posted 17 June 2008 - 06:27 AM

Stamper19

    Expert

  • Expert
  • 1,992 posts
Hi bob05,

Welcome to Geeks to Go!

My name is Stamper19 and I will be helping you with your Malware problem. During the course of our interactions please be sure to follow all instructions carefully, and ask questions if you are unsure of how to proceed at any point. :)

----------------------------------------------------------------

Please download Deckard's System Scanner (DSS) to your Desktop.

  • Close all applications and windows.
  • Double-click on DSS.exe to run it, and follow the prompts.
  • The scan may take a minute. When the scan is complete, two text files will open - Main.txt and Extra.txt

Extra Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags DSS as suspicious. Please allow the Deckard's System Scanner to run and don't let your Antivirus delete it. (In this case, it may be better to temporary disable your Antivirus)

Post the main.txt and extra.txt from the C:\Deckard\System Scanner folder into your next reply.

----------------------------------------------------------------

Information to include in your next post:
  • main.txt and extra.txt from DSS

  • 0

#3
bob05
Posted 17 June 2008 - 09:00 AM

bob05

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
main.txt:

Deckard's System Scanner v20071014.68
Run by HP_Owner on 2008-06-17 07:51:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
26: 2008-06-17 14:51:13 UTC - RP302 - Deckard's System Scanner Restore Point
25: 2008-06-16 22:47:43 UTC - RP301 - Last known good configuration
24: 2008-06-16 22:47:36 UTC - RP300 - Installed Ad-Aware
23: 2008-06-16 22:47:36 UTC - RP299 - Installed Ad-Aware
22: 2008-06-16 22:47:36 UTC - RP298 - Last known good configuration


-- First Restore Point --
1: 2008-06-16 22:47:35 UTC - RP277 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 10.48 GiB (less than 15%) free.


-- HijackThis (run as HP_Owner.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:53:33 AM, on 6/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\Lexmark 3400 Series\ezprint.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\HP_Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\HP_Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.azcentral...rizonarepublic/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {6823D1BB-337A-453C-89D1-61A02F4B3B74} - C:\WINDOWS\system32\cbXOIbxU.dll (file missing)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] "c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 3400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [c061eeb3] "rundll32.exe" "C:\WINDOWS\system32\dikdtvui.dll",b
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [mschkdsk.exe] C:\WINDOWS\system32\mschkdsk.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [YourPrivacyGuard] "C:\Program Files\YourPrivacyGuard\GDC.exe"
O4 - HKCU\..\Run: [PCSecureSystem] "C:\Program Files\PCSecureSystem\pgs.exe" /min
O4 - HKCU\..\Run: [Gadwin PrintScreen] "C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" /nosplash
O4 - Startup: .protected
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: HP Organize.lnk = ?
O4 - Global Startup: .protected
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZJxdm088YYUS
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com...OnlineGames.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimd...lidstateion.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.to...9.11/ttinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer....l/installer.exe
O20 - Winlogon Notify: khfgdcbb - khfgdcbb.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: Privacy Protection - about:home

--
End of file - 11514 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S3 HSF_DP - c:\windows\system32\drivers\hsf_dp.sys (file missing)
S3 HSFHWBS2 - c:\windows\system32\drivers\hsfhwbs2.sys (file missing)
S3 smserial - c:\windows\system32\drivers\smserial.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)
S3 winachsf - c:\windows\system32\drivers\hsf_cnxt.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-14 14:29:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-17 and 2008-06-17 -----------------------------

2008-06-16 21:54:38 0 d-------- C:\Program Files\Trend Micro
2008-06-16 19:56:05 0 d-------- C:\VundoFix Backups
2008-06-16 16:01:33 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-06-16 15:57:52 0 d-------- C:\Documents and Settings\LocalService\Application Data\FaxCtr
2008-06-16 15:57:32 0 d--h----- C:\Documents and Settings\LocalService\SendTo
2008-06-16 15:57:09 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-06-16 15:57:09 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-06-15 23:16:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-15 23:15:31 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-15 09:58:40 743657 --ahs---- C:\WINDOWS\system32\UxbIOXbc.ini2
2008-06-15 08:53:32 0 d-------- C:\WINDOWS\system32\pb109
2008-06-15 08:53:32 0 d-------- C:\WINDOWS\system32\dgi
2008-06-15 08:53:31 0 d-------- C:\WINDOWS\system32\3039a
2008-06-15 08:53:23 0 d-------- C:\WINDOWS\system32\netrax01
2008-06-15 08:53:22 0 d-------- C:\Temp
2008-06-04 12:53:20 89600 --a------ C:\WINDOWS\system32\Winsdec.dll <Not Verified; EIDOS Technologies; ESCAPE VideoStudio 2.0>
2008-06-04 12:53:20 60416 --a------ C:\WINDOWS\system32\Winplay.dll <Not Verified; EIDOS Technologies; ESCAPE VideoStudio 2.0>
2008-06-04 12:53:20 117248 --a------ C:\WINDOWS\system32\Edec.dll <Not Verified; EIDOS Technologies; ESCAPE VideoStudio 2.0>
2008-06-04 12:53:20 98816 --a------ C:\WINDOWS\system32\Dec130.dll <Not Verified; Eidos plc; ESCAPE VideoStudio 2.0>
2008-06-04 12:53:19 80896 --a------ C:\WINDOWS\system32\Winstr.dll <Not Verified; EIDOS Technologies; ESCAPE VideoStudio 2.0>
2008-06-04 12:53:19 59392 -ra------ C:\WINDOWS\system32\Bwgld16r.dll <Not Verified; Sony Computer Entertainment Europe (Cambridge Studios); Glide rendering subsystem>
2008-06-04 12:53:19 73216 -ra------ C:\WINDOWS\system32\Bwd3d16r.dll <Not Verified; Sony Computer Entertainment Europe (Cambridge Studios); D3D rendering subsystem>
2008-06-04 12:53:19 120776 -ra------ C:\WINDOWS\system32\Bwd3d08r.dll <Not Verified; Sony Computer Entertainment Europe (Cambridge Studios); D3D rendering subsystem>


-- Find3M Report ---------------------------------------------------------------

2008-06-17 07:47:12 3645 --a------ C:\WINDOWS\viassary-hp.reg
2008-06-17 04:38:35 0 d-------- C:\Program Files\lx_cats
2008-06-16 15:16:15 0 d-------- C:\Program Files\Lavasoft
2008-06-15 23:15:31 0 d-------- C:\Program Files\Common Files
2008-06-15 12:52:24 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Azureus
2008-06-09 06:42:26 0 d-------- C:\Program Files\Broderbund Software
2008-06-09 06:41:44 0 d-------- C:\Program Files\Hasbro Interactive
2008-05-15 12:32:26 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-11 18:44:35 0 d-------- C:\Program Files\Symantec
2008-05-10 15:39:35 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Winamp
2008-05-10 15:37:04 0 d-------- C:\Program Files\iTunes
2008-05-10 15:36:29 0 d-------- C:\Program Files\iPod
2008-05-10 15:35:46 0 d-------- C:\Program Files\Bonjour
2008-05-10 15:35:32 0 d-------- C:\Program Files\QuickTime
2008-05-10 15:34:02 0 d-------- C:\Program Files\Apple Software Update
2008-05-10 15:32:40 0 d-------- C:\Program Files\Common Files\Apple
2008-05-10 15:25:43 0 d-------- C:\Program Files\Winamp
2008-04-24 15:15:19 0 d-------- C:\Program Files\FunWebProducts
2008-04-19 15:23:43 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6823D1BB-337A-453C-89D1-61A02F4B3B74}]
C:\WINDOWS\system32\cbXOIbxU.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [01/01/2002 10:29 AM]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [05/07/1998 04:04 PM]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [03/18/2004 12:10 AM C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [11/02/2004 03:59 PM]
"AGRSMMSG"="AGRSMMSG.exe" [06/29/2004 05:06 PM C:\WINDOWS\AGRSMMSG.exe]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [06/07/2004 06:53 PM]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [06/07/2004 06:42 PM]
"KBD"="C:\HP\KBD\KBD.EXE" [02/11/2003 07:02 PM]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [04/14/2004 08:43 PM]
"PS2"="C:\WINDOWS\system32\ps2.exe" [10/25/2004 09:17 PM]
"SoundMan"="SOUNDMAN.EXE" [10/13/2004 09:01 PM C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [10/13/2004 11:17 PM C:\WINDOWS\ALCWZRD.EXE]
"Alcmtr"="ALCMTR.EXE" [10/13/2004 11:00 PM C:\WINDOWS\ALCMTR.EXE]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [10/14/2004 09:54 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 03:50 AM]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [11/25/2003 09:36 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"MyWebSearch Email Plugin"="C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe" [08/22/2007 05:15 PM]
"My Web Search Bar Search Scope Monitor"="C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" [08/22/2007 05:15 PM]
"lxcymon.exe"="C:\Program Files\Lexmark 3400 Series\lxcymon.exe" [06/25/2007 07:34 AM]
"EzPrint"="C:\Program Files\Lexmark 3400 Series\ezprint.exe" [06/25/2007 07:34 AM]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [06/25/2007 07:35 AM]
"LXCYCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [11/21/2006 10:27 AM]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [01/13/2008 11:39 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"c061eeb3"="rundll32.exe" [08/04/2004 11:00 AM C:\WINDOWS\system32\rundll32.exe]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [07/19/2007 10:54 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 11:00 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" []
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"mschkdsk.exe"="C:\WINDOWS\system32\mschkdsk.exe" []
"MyWebSearch Email Plugin"="C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe" [08/22/2007 05:15 PM]
"YourPrivacyGuard"="C:\Program Files\YourPrivacyGuard\GDC.exe" []
"PCSecureSystem"="C:\Program Files\PCSecureSystem\pgs.exe" []
"Gadwin PrintScreen"="C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" [08/20/2007 01:42 AM]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
.protected [9/2/2007 9:17:05 AM]
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 7:16:50 PM]
HP Organize.lnk - C:\Program Files\Hewlett-Packard\HP Organize\bin\displayAgent.exe [1/1/2002 11:02:38 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
.protected [9/2/2007 9:17:05 AM]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [11/5/2004 3:28:24 AM]
Updates from HP.lnk - C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe [1/1/2002 11:03:22 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{13F20E4F-F379-41EA-8F80-CCAAE787362A}"= C:\WINDOWS\system32\khfgdcbb.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfgdcbb]
khfgdcbb.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\cbXOIbxU

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
AutoRun\command- D:\setup.exe

*Newly Created Service* - GTNDIS5



-- End of Deckard's System Scanner: finished at 2008-06-17 07:54:34 ------------


extra.txt:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 40%
Physical Memory (total/avail): 1015.29 MiB / 606.23 MiB
Pagefile Memory (total/avail): 2442.32 MiB / 2122.99 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1926.82 MiB

C: is Fixed (NTFS) - 178.7 GiB total, 10.48 GiB free.
D: is Fixed (FAT32) - 7.59 GiB total, 0.13 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)

\\.\PHYSICALDRIVE0 - ST3200822AS - 186.31 GiB - 2 partitions
\PARTITION0 - Unknown - 7.61 GiB - D:
\PARTITION1 (bootable) - Installable File System - 178.7 GiB - C:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
AntivirusOverride is set.

AV: Spy Sweeper with AntiVirus v5.5.7.48 (Webroot Software Inc)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%ProgramFiles%\\iTunes\\iTunes.exe"="%ProgramFiles%\\iTunes\\iTunes.exe:*:enabled:iTunes"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0a\\waol.exe"="C:\\Program Files\\America Online 9.0a\\waol.exe:*:Enabled:America Online 9.0a"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"="C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe:*:Enabled:BackWeb for Pavilion"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1133322232\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1133322232\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\Common Files\\AOL\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\aoltpspd.exe:*:Enabled:aoltpspd"
"C:\\Program Files\\HP\\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\\hphver06.exe"="C:\\Program Files\\HP\\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\\hphver06.exe:*:Enabled:About"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\SolidStateNetworks\\SolidStateION\\solidnm.exe"="C:\\WINDOWS\\system32\\SolidStateNetworks\\SolidStateION\\solidnm.exe:*:Enabled:Solid State Networks Browser Plugin"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\lxcycoms.exe"="C:\\WINDOWS\\system32\\lxcycoms.exe:*:Enabled:Lexmark Communications System"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0a\\waol.exe"="C:\\Program Files\\America Online 9.0a\\waol.exe:*:Enabled:America Online 9.0a"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\HP_Owner\Application Data
CLASSPATH=.;C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-4F1261A8E5
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\HP_Owner
LOGONSERVER=\\YOUR-4F1261A8E5
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows\;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\QuickTime\QTSystem\;;C:\PROGRA~1\COMMON~1\MUVEET~1\030625
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0403
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\HP_Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\HP_Owner\LOCALS~1\Temp
USERDOMAIN=YOUR-4F1261A8E5
USERNAME=HP_Owner
USERPROFILE=C:\Documents and Settings\HP_Owner
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

HP_Owner (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 6.0 Sprint --> MsiExec.exe /X{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Download Manager 2.0 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Premiere Pro --> RunDll32 "C:\Program Files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll",LaunchSetup "C:\Program Files\InstallShield Installation Information\{084709F7-38C5-4609-B55F-2417939315EB}\setup.exe"
Adobe Reader 7.0.5 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70500000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Agere Systems PCI Soft Modem --> agrsmdel
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Azureus Vuze --> C:\Program Files\Azureus\uninstall.exe
Blackhawk Striker 2 from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\58D1A004-6D3C-480A-9E0D-FAA58F3C2A62\Uninstall.exe"
Blasterball 2 from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\8C4E79CC-03E1-43AA-9910-9A5113F24603\Uninstall.exe"
Blasterball 2 Remix from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\B151D9AC-5E4E-4AD0-96C9-5A6C9EC23502\Uninstall.exe"
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Bounce Symphony from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\D11F7128-8CBD-408B-8BF8-034604DEDD42\Uninstall.exe"
Crystal Maze from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\DAE7A92A-BAC7-42FA-AC62-53DEF1DC4292\Uninstall.exe"
DirectX Media Runtime 5.1 --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\DXM51.INF,Uninstall.NT
Disney's Toontown Online --> C:\PROGRA~1\Disney\DISNEY~1\Toontown\UNWISE.EXE /A C:\PROGRA~1\Disney\DISNEY~1\Toontown\INSTALL.LOG
Disney Pirates of the Caribbean Online --> C:\Program Files\Disney\Disney Online\PiratesOnline\uninst.exe
DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
Easy Internet Sign-up --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{8105684D-8CA6-440D-8F58-7E5FD67A499D} /l1033
Gadwin PrintScreen --> C:\Program Files\Gadwin Systems\PrintScreen\Uninstall.exe
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Help and Support Additions --> C:\PROGRA~1\HELPAN~1\UNWISE.EXE C:\PROGRA~1\HELPAN~1\INSTALL.LOG
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Deskjet Preloaded Printer Drivers --> MsiExec.exe /X{F419D20A-7719-4639-8E30-C073A040D878}
HP Image Zone 4.5.3 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Image Zone Plus 4.5.3 --> C:\Program Files\HP\Digital Imaging\{D0420D64-8D33-4374-A2B2-9225C7925CA6}\setup\hpzscr01.exe -datfile hpdscr01.dat
HP Organize --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0122362-6333-4DE4-93F6-A5A2F3CC101A}\Setup.exe" UNINSTALL
HP Photosmart Cameras 4.0 --> C:\Program Files\HP\Digital Imaging\{4C04DF1B-6A39-4299-9DD1-1FA60000266E}\setup\hpzscr01.exe -datfile hpiscr01.dat
HP PSC & OfficeJet 4.0 --> "C:\Program Files\HP\Digital Imaging\{A1062847-0846-427A-92A1-BB8251A91E91}\setup\hpzscr01.exe" -datfile hposcr04.dat
HP Software Update --> MsiExec.exe /X{64FC0C98-B035-4530-B15D-3D30610B6DF1}
HPIZplus450 --> MsiExec.exe /X{7B98685A-4E21-4A4F-A2D6-DC557042BADA}
InCD --> C:\WINDOWS\NuNInst.exe /UNINSTALL
IntelliMover Data Transfer Demo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14589F05-C658-4594-9429-D437BA688686}\Setup.exe" -l0x9
InterVideo DiscLabel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C3F058C0-A21C-452D-8D99-95B1A45F417D}\setup.exe" REMOVEALL
InterVideo WinDVD Creator --> "C:\Program Files\InstallShield Installation Information\{2FCE4FC5-6930-40E7-A4F1-F862207424EF}\setup.exe" REMOVEALL
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Kappa Mikey Skate Jam Screen Saver --> C:\WINDOWS\system32\Kappa Mikey Skate Jam.scr /u
KBD --> C:\HP\KBD\KBD.EXE uninstalled
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
Lexmark 3400 Series --> C:\Program Files\Lexmark 3400 Series\Install\x86\Uninst.exe
Lexmark Fax Solutions --> C:\Program Files\Lexmark Fax Solutions\Install\x86\Uninst.exe /R:faxunst
Linksys Wireless-G USB Network Adapter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C7EEF2B9-8C16-4A04-B98D-B1A952A47E55}\setup.exe" -l0x9
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Plus! Dancer LE --> MsiExec.exe /X{1A103D70-5C9B-4E1A-B306-5106C68F9914}
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Mozilla Firefox (2.0) --> C:\Program Files\Mozilla Firefox\uninstall\uninst.exe
muvee autoProducer 3.5 magicMoments - HPD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B103C8A7-D1CC-4B1A-BD41-883F652E097D}\setup.exe" -l0x9
My Web Search (Zwinky) --> rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsbar.dll,O
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NeroVision Express 2 SE --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
Orbital from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\62067F4C-84A9-45B9-8573-B90468B0A3EF\Uninstall.exe"
Overball from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\6723E59E-322A-417A-8E03-27A61E18253C\Uninstall.exe"
PC-Doctor for Windows --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{0C66761E-497A-4BE3-AE0D-8EC30FC9A9AA} /l1033
Photosmart 320,370,7400,8100,8400 Series --> C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\setup\hpzscr01.exe -datfile hphscr01.dat
Polar Bowler from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\36317AE4-57EC-4F3E-B828-009A3DD96BE8\Uninstall.exe"
Polar Golfer from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\B2D3332F-EA2D-42B3-8E4A-F74D052BCBC1\Uninstall.exe"
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Professor Finkle's Times Table Factory --> C:\Program Files\Sing 'n' Learn\Times\uninst\fimain.exe
PS2 --> C:\WINDOWS\system32\ps2.exe uninstall
Python 2.2 pywin32 extensions (build 203) --> "C:\Python22\Removepywin32.exe" -u "C:\Python22\pywin32-wininst.log"
Python 2.2.3 --> C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
QuickTime 3.0 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\QuickTime\DeIsL3.isu" -c"C:\WINDOWS\system32\QTUninst.dll
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Road Ready Streetwise from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\6B60434A-ABE1-48FF-906B-0EA67087AB25\Uninstall.exe"
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Shrek 2 Ogre Bowler from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\703E3900-69DA-47C9-9768-C6514098F149\Uninstall.exe"
Solid State ION Internet Explorer Plugin --> C:\WINDOWS\system32\SolidStateNetworks\SolidStateION\soliduninstall.exe /Uninstall activex
Sonic Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Spy Sweeper --> "C:\Program Files\Webroot\Spy Sweeper\unins000.exe"
Super Granny from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\3F34F72F-9BB0-4B73-8312-558953ACF56F\Uninstall.exe"
The Sims 2 --> C:\Program Files\EA GAMES\The Sims 2\EAUninstall.exe
The Sims 2 Nightlife --> C:\Program Files\EA GAMES\The Sims 2 Nightlife\EAUninstall.exe
The Sims 2 Open For Business --> C:\Program Files\EA GAMES\The Sims 2 Open For Business\EAUninstall.exe
The Sims 2 Pets --> C:\Program Files\EA GAMES\The Sims 2 Pets\EAUninstall.exe
The Sims 2 University --> C:\Program Files\EA GAMES\The Sims 2 University\EAUninstall.exe
The Sims™ 2 Bon Voyage --> C:\Program Files\EA GAMES\The Sims 2 Bon Voyage\EAUninstall.exe
The Sims™ Life Stories --> C:\Program Files\Electronic Arts\The Sims Life Stories\EAUninstall.exe
The X-Files --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Fox\The X-Files\Uninst.isu"
Tradewinds from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\F5215F01-DFC0-475D-A910-6F1AF94E807E\Uninstall.exe"
Updates from HP --> C:\WINDOWS\BWUnin-6.3.2.62.exe -AppId 309731
URGE --> MsiExec.exe /I{8BBF6DFD-0AD9-43A7-9FBD-BF065E3866AF}
VideoLAN VLC media player 0.8.6b --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
WebVideo Support --> C:\WINDOWS\main_uninstaller.exe
Where in the USA is Carmen Sandiego? --> C:\WINDOWS\uninst.exe -fC:\WINDOWS\DeIsL1.isu
WildTangent Web Driver --> C:\Program Files\WildTangent\Apps\CDA\CDAUninstall.exe
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type7524 / Error
Event Submitted/Written: 06/16/2008 03:16:11 PM
Event ID/Source: 11722 / MsiInstaller
Event Description:
Product: Ad-Aware -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action Uninstall_Old1, location: C:\WINDOWS\system32\, command: cmd /c C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG

Event Record #/Type7512 / Error
Event Submitted/Written: 06/15/2008 11:16:43 PM
Event ID/Source: 11722 / MsiInstaller
Event Description:
Product: Ad-Aware -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action Uninstall_Old1, location: C:\WINDOWS\system32\, command: cmd /c C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG

Event Record #/Type7494 / Error
Event Submitted/Written: 06/15/2008 11:32:20 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application ImageReady.exe, version 9.0.0.196, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type7457 / Error
Event Submitted/Written: 06/10/2008 07:12:37 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application vlc.exe, version 0.8.6.0, faulting module libwxwidgets_plugin.dll, version 0.0.0.0, fault address 0x00172a4a.
Processing media-specific event for [vlc.exe!ws!]

Event Record #/Type7411 / Warning
Event Submitted/Written: 06/03/2008 08:48:47 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type65300 / Warning
Event Submitted/Written: 06/17/2008 07:47:12 AM
Event ID/Source: 2504 / Server
Event Description:
The server could not bind to the transport \Device\NetBT_Tcpip_{263CF5EE-7AC2-4B0B-8C3B-605B925CBD5F}.

Event Record #/Type65260 / Warning
Event Submitted/Written: 06/17/2008 04:41:10 AM
Event ID/Source: 1009 / Dhcp
Event Description:
A network error occurred when trying to send a message. The error code is: %%10004.

Event Record #/Type65237 / Warning
Event Submitted/Written: 06/16/2008 09:37:06 PM
Event ID/Source: 1009 / Dhcp
Event Description:
A network error occurred when trying to send a message. The error code is: %%10004.

Event Record #/Type65231 / Error
Event Submitted/Written: 06/16/2008 07:51:58 PM
Event ID/Source: 6161 / Print
Event Description:
The document http://www.geekstogo...nfecting-comput owned by HP_Owner failed to print on printer Lexmark 3400 Series. Data type: LEMF. Size of the spool file in bytes: 16353432. Number of bytes printed: 0. Total number of pages in the document: 16. Number of pages printed: 1. Client machine: \\YOUR-4F1261A8E5. Win32 error code returned by the print processor: http://www.geekstogo...fecting-comput0. http://www.geekstogo...fecting-comput1

Event Record #/Type65230 / Error
Event Submitted/Written: 06/16/2008 07:43:52 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}



-- End of Deckard's System Scanner: finished at 2008-06-17 07:54:34 ------------
  • 0

#4
Stamper19
Posted 17 June 2008 - 09:09 AM

Stamper19

    Expert

  • Expert
  • 1,992 posts
Hi bob05,

First, I see that you are running, or have previously installed, Azureus. Although this application is not malware itself, the files downloaded with it are often a major source of infection. Hence, I strongly advise that it be removed. If you choose to do so, go to the Add/Remove Programs option in the Control Panel, and Uninstall Azureus Vuze.

----------------------------------------------------------------

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

My Web Search

----------------------------------------------------------------

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

----------------------------------------------------------------

Information to include in your next post:
  • ComboFix Log

  • 0

#5
bob05
Posted 17 June 2008 - 10:49 AM

bob05

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Combofix log:

ComboFix 08-06-16.5 - HP_Owner 2008-06-17 9:19:09.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.613 [GMT -7:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\.protected
C:\Documents and Settings\HP_Owner\Application Data\FunWebProducts
C:\Documents and Settings\HP_Owner\Application Data\FunWebProducts\Data\HP_Owner\avatar.dat
C:\Documents and Settings\HP_Owner\ResErrors.log
C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\.protected
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\ScreenSaver\Images\001E511B.urr
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm.bak
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\bar\Settings\settings.dat.bak
C:\Program Files\Uninstall Fun Web Products.dll
C:\Program Files\Win Stream plugin
C:\Program Files\Win Stream plugin\basis.xml
C:\Program Files\Win Stream plugin\cache\815dbd2ede4878fd25d37fe37f5d968c
C:\Program Files\Win Stream plugin\download.html
C:\Program Files\Win Stream plugin\icons.bmp_16.bmp
C:\Program Files\Win Stream plugin\tbhelper.dll
C:\Program Files\Win Stream plugin\version.txt
C:\Program Files\Win Stream plugin\win_stream_plugin.crc
C:\Program Files\Win Stream plugin\win_stream_plugin.dll
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\UGA6P
C:\WINDOWS\.protected
C:\WINDOWS\cookies.ini
C:\WINDOWS\dat.txt
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\msvb.dll
C:\WINDOWS\rs.txt
C:\WINDOWS\system32\drivers\etc\.protected
C:\WINDOWS\system32\iuvtdkid.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\UxbIOXbc.ini
C:\WINDOWS\system32\UxbIOXbc.ini2
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FMTR


((((((((((((((((((((((((( Files Created from 2008-05-17 to 2008-06-17 )))))))))))))))))))))))))))))))
.

2008-06-17 07:50 . 2008-06-17 07:50 <DIR> d-------- C:\Deckard
2008-06-16 21:54 . 2008-06-16 21:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-16 19:56 . 2008-06-16 19:56 <DIR> d-------- C:\VundoFix Backups
2008-06-16 16:01 . 2008-06-16 16:01 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-06-16 15:57 . 2008-06-16 15:57 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\FaxCtr
2008-06-15 23:16 . 2008-06-15 23:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-15 23:15 . 2008-06-15 23:15 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-15 08:53 . 2008-06-15 11:14 <DIR> d-------- C:\WINDOWS\system32\pb109
2008-06-15 08:53 . 2008-06-15 08:53 <DIR> d-------- C:\WINDOWS\system32\netrax01
2008-06-15 08:53 . 2008-06-15 08:53 <DIR> d-------- C:\WINDOWS\system32\dgi
2008-06-15 08:53 . 2008-06-15 08:53 <DIR> d-------- C:\WINDOWS\system32\3039a
2008-06-15 08:53 . 2008-06-15 08:53 <DIR> d-------- C:\Temp\itmp4
2008-06-15 08:53 . 2008-06-17 09:19 <DIR> d-------- C:\Temp
2008-06-10 12:58 . 2008-04-14 04:01 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 12:58 . 2008-04-14 04:01 272,128 --a------ C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-07 19:13 . 2008-06-07 19:13 32,768 --a------ C:\WINDOWS\system32\netrax01\netrax011065.exe
2008-06-04 12:53 . 1998-03-17 16:08 120,776 -ra------ C:\WINDOWS\system32\Bwd3d08r.dll
2008-06-04 12:53 . 1997-08-14 16:17 117,248 --a------ C:\WINDOWS\system32\Edec.dll
2008-06-04 12:53 . 1997-08-14 16:31 98,816 --a------ C:\WINDOWS\system32\Dec130.dll
2008-06-04 12:53 . 1997-08-14 16:24 89,600 --a------ C:\WINDOWS\system32\Winsdec.dll
2008-06-04 12:53 . 1997-08-14 11:10 80,896 --a------ C:\WINDOWS\system32\Winstr.dll
2008-06-04 12:53 . 1998-03-17 16:08 73,216 -ra------ C:\WINDOWS\system32\Bwd3d16r.dll
2008-06-04 12:53 . 1997-08-14 16:06 60,416 --a------ C:\WINDOWS\system32\Winplay.dll
2008-06-04 12:53 . 1998-03-17 16:08 59,392 -ra------ C:\WINDOWS\system32\Bwgld16r.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-17 16:32 3,645 ----a-w C:\WINDOWS\viassary-hp.reg
2008-06-17 15:59 --------- d-----w C:\Program Files\Azureus
2008-06-17 11:38 --------- d-----w C:\Program Files\lx_cats
2008-06-16 22:16 --------- d-----w C:\Program Files\Lavasoft
2008-06-15 19:52 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Azureus
2008-06-09 13:42 --------- d-----w C:\Program Files\Broderbund Software
2008-06-09 13:41 --------- d-----w C:\Program Files\Hasbro Interactive
2008-05-15 19:32 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-12 01:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-12 01:44 --------- d-----w C:\Program Files\Symantec
2008-05-10 22:39 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Winamp
2008-05-10 22:37 --------- d-----w C:\Program Files\iTunes
2008-05-10 22:36 --------- d-----w C:\Program Files\iPod
2008-05-10 22:35 --------- d-----w C:\Program Files\QuickTime
2008-05-10 22:35 --------- d-----w C:\Program Files\Bonjour
2008-05-10 22:34 --------- d-----w C:\Program Files\Apple Software Update
2008-05-10 22:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-10 22:32 --------- d-----w C:\Program Files\Common Files\Apple
2008-05-10 22:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-05-10 22:25 --------- d-----w C:\Program Files\Winamp
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2005-12-01 22:43 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6823D1BB-337A-453C-89D1-61A02F4B3B74}]
C:\WINDOWS\system32\cbXOIbxU.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 11:00 15360]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [ ]
"mschkdsk.exe"="C:\WINDOWS\system32\mschkdsk.exe" [ ]
"YourPrivacyGuard"="C:\Program Files\YourPrivacyGuard\GDC.exe" [ ]
"PCSecureSystem"="C:\Program Files\PCSecureSystem\pgs.exe" [ ]
"Gadwin PrintScreen"="C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2007-08-20 01:42 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2002-01-01 10:29 32881]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 16:04 52736]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-18 00:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 15:59 126976]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 17:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 18:53 49152]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 18:42 659456]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 19:02 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 20:43 233472]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2004-10-25 21:17 90112]
"SoundMan"="SOUNDMAN.EXE" [2004-10-13 21:01 77824 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-10-13 23:17 2742272 C:\WINDOWS\ALCWZRD.EXE]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 21:54 253952]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 03:50 155648]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2003-11-25 09:36 1232946]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"lxcymon.exe"="C:\Program Files\Lexmark 3400 Series\lxcymon.exe" [2007-06-25 07:34 291504]
"EzPrint"="C:\Program Files\Lexmark 3400 Series\ezprint.exe" [2007-06-25 07:34 82608]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2007-06-25 07:35 295600]
"LXCYCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-11-21 10:27 106496]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2008-01-13 11:39 26112]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"c061eeb3"="rundll32.exe" [2004-08-04 11:00 33280 C:\WINDOWS\system32\rundll32.exe]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-07-19 22:54 5361464]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
HP Organize.lnk - C:\Program Files\Hewlett-Packard\HP Organize\bin\displayAgent.exe [2002-01-01 11:02:38 36864]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-05 03:28:24 258048]
Updates from HP.lnk - C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe [2002-01-01 11:03:22 45056]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{13F20E4F-F379-41EA-8F80-CCAAE787362A}"= C:\WINDOWS\system32\khfgdcbb.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfgdcbb]
khfgdcbb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\Program Files\\HP\\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\\hphver06.exe"=
"C:\\WINDOWS\\system32\\SolidStateNetworks\\SolidStateION\\solidnm.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\lxcycoms.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9842:TCP"= 9842:TCP:SolidNetworkManager
"9842:UDP"= 9842:UDP:SolidNetworkManager

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS [2007-07-19 22:42]
R2 lxcy_device;lxcy_device;C:\WINDOWS\system32\lxcycoms.exe [2007-06-20 03:28]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-14 21:29:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 09:32:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Ahead\InCD\incdsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-06-17 9:40:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-17 16:39:22

Pre-Run: 11,227,860,992 bytes free
Post-Run: 11,144,564,736 bytes free

210 --- E O F --- 2008-06-11 10:04:24


Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:45:39 AM, on 6/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\Lexmark 3400 Series\ezprint.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.azcentral...rizonarepublic/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6823D1BB-337A-453C-89D1-61A02F4B3B74} - C:\WINDOWS\system32\cbXOIbxU.dll (file missing)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] "c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 3400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [c061eeb3] "rundll32.exe" "C:\WINDOWS\system32\dikdtvui.dll",b
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [mschkdsk.exe] C:\WINDOWS\system32\mschkdsk.exe
O4 - HKCU\..\Run: [YourPrivacyGuard] "C:\Program Files\YourPrivacyGuard\GDC.exe"
O4 - HKCU\..\Run: [PCSecureSystem] "C:\Program Files\PCSecureSystem\pgs.exe" /min
O4 - HKCU\..\Run: [Gadwin PrintScreen] "C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" /nosplash
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: HP Organize.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZJxdm088YYUS
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com...OnlineGames.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimd...lidstateion.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.to...9.11/ttinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer....l/installer.exe
O20 - Winlogon Notify: khfgdcbb - khfgdcbb.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: Privacy Protection - about:home

--
End of file - 10113 bytes
  • 0

#6
Stamper19
Posted 17 June 2008 - 10:57 AM

Stamper19

    Expert

  • Expert
  • 1,992 posts
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
  • 0

#7
bob05
Posted 17 June 2008 - 02:00 PM

bob05

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
MBAM doesn't detect anymore malicious items but I ran spy sweeper afterwards and the troj/virtum-gen is still showing up along with a new one called EICAR-AV-Test.

Here's the mbam log:

Malwarebytes' Anti-Malware 1.17
Database version: 864

10:19:03 AM 6/17/2008
mbam-log-6-17-2008 (10-19-03).txt

Scan type: Quick Scan
Objects scanned: 41503
Time elapsed: 3 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 7
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c061eeb3 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\3039a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dgi (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pb109 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Application Data\PCSecureSystem (Rogue.PCSecureSystem) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Application Data\PCSecureSystem\Logs (Rogue.PCSecureSystem) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Application Data\Yourprivacyguard (Rogue.Yourprivacyguard) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Application Data\Yourprivacyguard\Logs (Rogue.Yourprivacyguard) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\HP_Owner\Application Data\PCSecureSystem\avtasks.dat (Rogue.PCSecureSystem) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Application Data\PCSecureSystem\Logs\av.log (Rogue.PCSecureSystem) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Application Data\PCSecureSystem\Logs\ga6Support.log (Rogue.PCSecureSystem) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Application Data\PCSecureSystem\Logs\update.log (Rogue.PCSecureSystem) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Application Data\Yourprivacyguard\Logs\update.log (Rogue.Yourprivacyguard) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
  • 0

#8
Stamper19
Posted 17 June 2008 - 03:02 PM

Stamper19

    Expert

  • Expert
  • 1,992 posts
Hi bob05,

Can you tell me the file name and path of the alerts you are getting from SpySweeper? It is very possible that is picking up some quarantined files.

----------------------------------------------------------------

We are going to use ComboFix to delete some things.

  • Copy the entire contents of the Code Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
Folder::
C:\WINDOWS\system32\netrax01
C:\Temp

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6823D1BB-337A-453C-89D1-61A02F4B3B74}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c061eeb3"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{13F20E4F-F379-41EA-8F80-CCAAE787362A}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfgdcbb]

Posted Image

Once saved, refering to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

----------------------------------------------------------------

Please update Java.

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

----------------------------------------------------------------

Please clean out your temp files.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

----------------------------------------------------------------

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

----------------------------------------------------------------

Information to include in your next post:
  • ComboFix Log
  • Kapersky Scan Log

  • 0

#9
bob05
Posted 17 June 2008 - 08:05 PM

bob05

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Here is the file name and paths from spy sweeper:
troj/virtum-gen
C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\hvuadykn.dll
C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\qreavdox.dll
C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\bvojscdo.dll

ComboFix Log:

ComboFix 08-06-16.5 - HP_Owner 2008-06-17 18:16:35.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.631 [GMT -7:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Owner\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp
C:\Temp\itmp4\mkbv4i.log
C:\WINDOWS\system32\netrax01
C:\WINDOWS\system32\netrax01\netrax011065.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-18 to 2008-06-18 )))))))))))))))))))))))))))))))
.

2008-06-17 15:37 . 2008-06-17 15:37 <DIR> d-------- C:\Program Files\Sun
2008-06-17 15:37 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-17 15:31 . 2008-06-17 15:31 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-17 15:28 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-06-17 15:27 . 2008-06-17 15:27 164 --a------ C:\install.dat
2008-06-17 10:11 . 2008-06-17 10:11 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-17 10:11 . 2008-06-17 10:11 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Malwarebytes
2008-06-17 10:11 . 2008-06-17 10:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-17 10:11 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-17 10:11 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-17 07:50 . 2008-06-17 07:50 <DIR> d-------- C:\Deckard
2008-06-16 21:54 . 2008-06-16 21:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-16 19:56 . 2008-06-16 19:56 <DIR> d-------- C:\VundoFix Backups
2008-06-16 16:01 . 2008-06-16 16:01 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-06-16 15:57 . 2008-06-16 15:57 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\FaxCtr
2008-06-15 23:16 . 2008-06-15 23:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-15 23:15 . 2008-06-15 23:15 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-10 12:58 . 2008-04-14 04:01 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 12:58 . 2008-04-14 04:01 272,128 --a------ C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-04 12:53 . 1998-03-17 16:08 120,776 -ra------ C:\WINDOWS\system32\Bwd3d08r.dll
2008-06-04 12:53 . 1997-08-14 16:17 117,248 --a------ C:\WINDOWS\system32\Edec.dll
2008-06-04 12:53 . 1997-08-14 16:31 98,816 --a------ C:\WINDOWS\system32\Dec130.dll
2008-06-04 12:53 . 1997-08-14 16:24 89,600 --a------ C:\WINDOWS\system32\Winsdec.dll
2008-06-04 12:53 . 1997-08-14 11:10 80,896 --a------ C:\WINDOWS\system32\Winstr.dll
2008-06-04 12:53 . 1998-03-17 16:08 73,216 -ra------ C:\WINDOWS\system32\Bwd3d16r.dll
2008-06-04 12:53 . 1997-08-14 16:06 60,416 --a------ C:\WINDOWS\system32\Winplay.dll
2008-06-04 12:53 . 1998-03-17 16:08 59,392 -ra------ C:\WINDOWS\system32\Bwgld16r.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-17 22:36 --------- d-----w C:\Program Files\Java
2008-06-17 22:29 3,645 ----a-w C:\WINDOWS\viassary-hp.reg
2008-06-17 22:21 --------- d-----w C:\Program Files\Bonjour
2008-06-17 11:38 --------- d-----w C:\Program Files\lx_cats
2008-06-16 22:16 --------- d-----w C:\Program Files\Lavasoft
2008-06-15 19:52 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Azureus
2008-06-09 13:42 --------- d-----w C:\Program Files\Broderbund Software
2008-06-09 13:41 --------- d-----w C:\Program Files\Hasbro Interactive
2008-05-15 19:32 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-12 01:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-12 01:44 --------- d-----w C:\Program Files\Symantec
2008-05-10 22:39 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Winamp
2008-05-10 22:37 --------- d-----w C:\Program Files\iTunes
2008-05-10 22:36 --------- d-----w C:\Program Files\iPod
2008-05-10 22:35 --------- d-----w C:\Program Files\QuickTime
2008-05-10 22:34 --------- d-----w C:\Program Files\Apple Software Update
2008-05-10 22:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-10 22:32 --------- d-----w C:\Program Files\Common Files\Apple
2008-05-10 22:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-05-10 22:25 --------- d-----w C:\Program Files\Winamp
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-24 05:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:40 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:39 13,824 ----a-w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2005-12-01 22:43 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-17_ 9.38.52.39 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-17 16:32:17 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-17 22:29:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2007-07-20 05:42:36 21,816 ----a-w C:\WINDOWS\system32\drivers\sshrmd.sys
+ 2008-01-05 03:34:34 21,872 ----a-w C:\WINDOWS\system32\drivers\sshrmd.sys
- 2007-07-20 05:42:36 163,128 ----a-w C:\WINDOWS\system32\drivers\ssidrv.sys
+ 2008-01-05 03:34:34 163,696 ----a-w C:\WINDOWS\system32\drivers\ssidrv.sys
- 2007-07-20 05:42:36 23,864 ----a-w C:\WINDOWS\system32\drivers\sskbfd.sys
+ 2008-01-05 03:34:36 23,920 ----a-w C:\WINDOWS\system32\drivers\sskbfd.sys
- 2002-01-01 17:29:47 24,681 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-03-25 08:28:39 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2002-01-01 17:29:47 28,779 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-03-25 08:28:43 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-03-25 09:37:01 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2007-07-20 05:42:36 16,184 ----a-w C:\WINDOWS\system32\ssiefr.EXE
+ 2008-01-05 03:34:34 16,240 ----a-w C:\WINDOWS\system32\ssiefr.EXE
- 2007-07-20 05:42:36 219,448 ----a-w C:\WINDOWS\system32\WRLogonNtf.dll
+ 2008-01-05 03:34:36 219,504 ----a-w C:\WINDOWS\system32\WRLogonNtf.dll
- 2007-07-20 05:42:36 26,424 ----a-w C:\WINDOWS\system32\wrlzma.dll
+ 2008-01-05 03:34:36 26,480 ----a-w C:\WINDOWS\system32\wrlzma.dll
- 2007-07-20 05:54:32 1,521,464 ----a-w C:\WINDOWS\WRSetup.dll
+ 2008-01-05 03:56:58 1,526,640 ----a-w C:\WINDOWS\WRSetup.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6823D1BB-337A-453C-89D1-61A02F4B3B74}]
C:\WINDOWS\system32\cbXOIbxU.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 11:00 15360]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [ ]
"mschkdsk.exe"="C:\WINDOWS\system32\mschkdsk.exe" [ ]
"YourPrivacyGuard"="C:\Program Files\YourPrivacyGuard\GDC.exe" [ ]
"PCSecureSystem"="C:\Program Files\PCSecureSystem\pgs.exe" [ ]
"Gadwin PrintScreen"="C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2007-08-20 01:42 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 16:04 52736]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-18 00:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 15:59 126976]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 17:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 18:53 49152]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 18:42 659456]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 19:02 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 20:43 233472]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2004-10-25 21:17 90112]
"SoundMan"="SOUNDMAN.EXE" [2004-10-13 21:01 77824 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-10-13 23:17 2742272 C:\WINDOWS\ALCWZRD.EXE]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 21:54 253952]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 03:50 155648]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2003-11-25 09:36 1232946]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"lxcymon.exe"="C:\Program Files\Lexmark 3400 Series\lxcymon.exe" [2007-06-25 07:34 291504]
"EzPrint"="C:\Program Files\Lexmark 3400 Series\ezprint.exe" [2007-06-25 07:34 82608]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2007-06-25 07:35 295600]
"LXCYCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-11-21 10:27 106496]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2008-01-13 11:39 26112]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
HP Organize.lnk - C:\Program Files\Hewlett-Packard\HP Organize\bin\displayAgent.exe [2002-01-01 11:02:38 36864]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-05 03:28:24 258048]
Updates from HP.lnk - C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe [2002-01-01 11:03:22 45056]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{13F20E4F-F379-41EA-8F80-CCAAE787362A}"= C:\WINDOWS\system32\khfgdcbb.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfgdcbb]
khfgdcbb.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\Program Files\\HP\\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\\hphver06.exe"=
"C:\\WINDOWS\\system32\\SolidStateNetworks\\SolidStateION\\solidnm.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\lxcycoms.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9842:TCP"= 9842:TCP:SolidNetworkManager
"9842:UDP"= 9842:UDP:SolidNetworkManager

R2 lxcy_device;lxcy_device;C:\WINDOWS\system32\lxcycoms.exe [2007-06-20 03:28]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-14 21:29:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 18:21:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-17 18:22:32
ComboFix-quarantined-files.txt 2008-06-18 01:22:05
ComboFix2.txt 2008-06-17 16:40:38

Pre-Run: 10,423,132,160 bytes free
Post-Run: 10,447,241,216 bytes free

198 --- E O F --- 2008-06-11 10:04:24


Kaspersky Scan Log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, June 17, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, June 17, 2008 22:22:51
Records in database: 877234
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 132436
Threat name: 9
Infected objects: 12
Suspicious objects: 0
Duration of the scan: 01:55:47


File name / Threat name / Threats count
C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\NI.UGDC_0001_N111M1909\setup.exe Infected: not-a-virus:FraudTool.Win32.SanitarDiska.u 2
C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\NI.UGDC_0001_N111M1909\setup.exe Infected: not-a-virus:FraudTool.Win32.SanitarDiska.i 1
C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\NI.UGDC_0001_N111M1909\setup.exe Infected: not-a-virus:FraudTool.Win32.SanitarDiska.a 2
C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\NI.UGDC_0001_N111M1909\setup.exe Infected: not-a-virus:FraudTool.Win32.BestSeller.a 1
C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\snapsnet.exe Infected: Trojan-Downloader.Win32.VB.fao 1
C:\Documents and Settings\HP_Owner\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.75397 Infected: Trojan-Downloader.Win32.Small.xhc 1
C:\QooBox\Quarantine\C\Program Files\Win Stream plugin\tbhelper.dll.vir Infected: not-a-virus:AdWare.Win32.Mostofate.cd 1
C:\QooBox\Quarantine\C\Program Files\Win Stream plugin\win_stream_plugin.dll.vir Infected: not-a-virus:AdWare.Win32.Mostofate.bv 1
C:\QooBox\Quarantine\C\WINDOWS\msvb.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.mi 1
C:\WINDOWS\system32\netrax01\netrax011065.exe Infected: Trojan-Downloader.Win32.VB.fao 1

The selected area was scanned.



I inadvertently did the kaspersky scan before the combofix part btw.
  • 0

#10
Stamper19
Posted 17 June 2008 - 08:12 PM

Stamper19

    Expert

  • Expert
  • 1,992 posts
The SpySweeper hits are nothing to worry about - they are just backup files that we will get rid of before we finish up.

Can you please post a fresh HiJackThis log as well? I forgot to ask for it before.

Thanks.
  • 0

Advertisements

#11
bob05
Posted 17 June 2008 - 08:36 PM

bob05

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Here it is.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:34:11 PM, on 6/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\Lexmark 3400 Series\ezprint.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.azcentral...rizonarepublic/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] "c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 3400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [mschkdsk.exe] C:\WINDOWS\system32\mschkdsk.exe
O4 - HKCU\..\Run: [YourPrivacyGuard] "C:\Program Files\YourPrivacyGuard\GDC.exe"
O4 - HKCU\..\Run: [PCSecureSystem] "C:\Program Files\PCSecureSystem\pgs.exe" /min
O4 - HKCU\..\Run: [Gadwin PrintScreen] "C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" /nosplash
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: HP Organize.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com...OnlineGames.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimd...lidstateion.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.to...9.11/ttinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer....l/installer.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: Privacy Protection - about:home

--
End of file - 9586 bytes
  • 0

#12
Stamper19
Posted 18 June 2008 - 05:55 AM

Stamper19

    Expert

  • Expert
  • 1,992 posts
Things are looking pretty good. How is it running?
  • 0

#13
bob05
Posted 18 June 2008 - 11:04 AM

bob05

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
It's running good. Are they pretty much all gone?
  • 0

#14
Stamper19
Posted 18 June 2008 - 11:13 AM

Stamper19

    Expert

  • Expert
  • 1,992 posts
Hi bob05,

Yup - its all gone :)

Congrats - your logs are all clean :)

There are still a couple of things you should do for the sake of cleaning up.

---------------------------------------------------------------

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK


    • Posted Image

  • When shown the disclaimer, Select "2"

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.
----------------------------------------------------------------

Otherwise, unless you have any questions, you are all set. Included below are some tips for keeping your computer malware free in the future.

Cheers,
Stamper :)

----------------------------------------------------------------

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety

  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
  • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

  • 0

#15
bob05
Posted 18 June 2008 - 11:32 AM

bob05

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Ok thanks a lot for your help and time. Greatly appreciate it.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP