my toolbar is missing and my icons [RESOLVED]


This topic is locked

#1 navajo (New Member, 7 posts)
hi

well my problems are my toolbar and icons are missing or disappearing all the time lolol

man

well i did this

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:32:41 PM, on 6/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\system32\ICO.EXE
C:\Documents and Settings\HP_Administrator\My Documents\My Downloads\Picasa2\PicasaMediaDetector.exe
C:\PROGRA~1\MYWEBS~1\bar\6.bin\m3SrchMn.exe
C:\PROGRA~1\MYWEBS~1\bar\6.bin\mwsoemon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Documents and Settings\HP_Administrator\Application Data\earbt.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\6.bin\MWSSRCAS.DLL
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\6.bin\MWSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] "rundll32.exe" ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QUICKCARE] "C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe" /P QUICKCARE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [Picasa Media Detector] "C:\Documents and Settings\HP_Administrator\My Documents\My Downloads\Picasa2\PicasaMediaDetector.exe"
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\6.bin\m3SrchMn.exe" /m=2 /w
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\6.bin\mwsoemon.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Amok Eggs Four Web] "C:\Documents and Settings\All Users\Application Data\part dead amok eggs\Show Trust.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Walgreens PhotoShow Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Exit Ooze] "C:\DOCUME~1\HP_ADM~1\APPLIC~1\idlebias\Ping Send New.exe"
O4 - HKCU\..\Run: [Weather] "C:\Program Files\AWS\WeatherBug\Weather.exe" 1
O4 - HKCU\..\Run: [Microsoft Windows Adapter 5.1.3214] "C:\Documents and Settings\HP_Administrator\Application Data\earbt.exe"
O4 - HKCU\..\Run: [Zinaps2008] "C:\Documents and Settings\HP_Administrator\Application Data\Zinaps2008\Zinaps.exe" /MIN
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZKxdm021YYUS
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\HP_Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish...fishActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1167697363640
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 12207 bytes




thank you for this, bye


#2 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hi,

Your computer is infected, that's for sure.

I understand that you need help in order to get rid of the malware that is present on your system, but you need to help us first.
I notice that you never scanned with an antivirus before starting this thread, because you don't even have an antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it finds.
Then reboot.
After reboot, open your Avira and select "Reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply, together with a new HijackThis log.
Then we'll start from there, because otherwise it really makes no sense for us to clean this up manually if no antivirus scan is present, which should be able to deal with most of it and prevent further reinfection.

Also, you have a LOT of programs installed which are adware/spyware, so I recommend you uninstall them. But for that, I need an extra log with a list of all programs installed, so I can tell you which programs you have to uninstall. To get that list:
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

So post that list in your next reply as well.

By the way, also let me know in your next reply if you purchased Spy Sweeper... This is important to know.

Edited by miekiemoes, 26 June 2008 - 04:51 PM.

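The helper's verdict above ("infected, that's for sure", plus a long list of adware/spyware) comes from reading the O4 autostart lines of the HijackThis log by hand. As an added example, not part of the thread and not code from HijackThis or Avira, here is a small Python triage script that parses those O4 lines and scores each entry with a few defensive heuristics: an executable started from a user-profile, temp or recycler directory; a bare filename resolved through PATH; a value name that shares nothing with the executable name; and a "Microsoft"/"Windows"-style value name whose file sits outside the system and Program Files trees. The sample lines are copied from the log posted above; the weights and the threshold of 3 are assumptions chosen for illustration.

```python
"""Triage the O4 (autostart) entries of a HijackThis 2.0.2 log with simple heuristics."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: O4 lines in HijackThis 2.0.2 format, copied from the
# log posted in this thread (a mix of vendor entries and the ones the helper objected to).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [Picasa Media Detector] "C:\Documents and Settings\HP_Administrator\My Documents\My Downloads\Picasa2\PicasaMediaDetector.exe"
O4 - HKLM\..\Run: [Amok Eggs Four Web] "C:\Documents and Settings\All Users\Application Data\part dead amok eggs\Show Trust.exe"
O4 - HKCU\..\Run: [Exit Ooze] "C:\DOCUME~1\HP_ADM~1\APPLIC~1\idlebias\Ping Send New.exe"
O4 - HKCU\..\Run: [Microsoft Windows Adapter 5.1.3214] "C:\Documents and Settings\HP_Administrator\Application Data\earbt.exe"
O4 - HKCU\..\Run: [Zinaps2008] "C:\Documents and Settings\HP_Administrator\Application Data\Zinaps2008\Zinaps.exe" /MIN
O4 - Startup: PowerReg Scheduler V3.exe
"""


@dataclass
class Autostart:
    where: str            # hive\key or startup folder, as HijackThis prints it
    name: Optional[str]   # value name shown in [brackets]; None for startup-folder items
    cmd: str              # command line as logged
    path: str             # executable path pulled out of cmd
    score: int = 0
    reasons: List[str] = field(default_factory=list)


O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
LNK_RE = re.compile(r"^.*?\.lnk = ")          # strips "Foo.lnk = " from startup-folder items
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)
PROFILE_RE = re.compile(
    r"application data|applic~1|local settings|locals~1|my documents|mydocu~1|\\temp\\|\\recycler\\",
    re.IGNORECASE,
)
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

# Heuristic weights and threshold: assumptions chosen for this example, not HijackThis settings.
W_PROFILE, W_BARE, W_UNRELATED, W_VENDOR, THRESHOLD = 2, 1, 1, 2, 3


def parse_o4(log_text: str) -> List[Autostart]:
    """Return one Autostart per O4 line; every other HijackThis section is ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        cmd = LNK_RE.sub("", m["cmd"])
        pm = EXE_RE.match(cmd)
        path = pm["path"] if pm else (cmd.split() or [cmd])[0]
        entries.append(Autostart(m["where"], m["name"], m["cmd"], path))
    return entries


def _words(s: str) -> set:
    return {w.lower() for w in re.findall(r"[A-Za-z]+", s) if len(w) >= 3}


def _related(name: str, path: str) -> bool:
    """True when the value name shares a word (as a substring either way) with the file's basename."""
    base = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return any(n in b or b in n for n in _words(name) for b in _words(base))


def score(entry: Autostart) -> Autostart:
    """Attach heuristic points and human-readable reasons to one entry (call once per entry)."""
    p = entry.path.lower()
    if PROFILE_RE.search(p):
        entry.score += W_PROFILE
        entry.reasons.append("executable lives in a user-profile, temp or recycler directory")
    if "\\" not in p:
        entry.score += W_BARE
        entry.reasons.append("bare filename, resolved through PATH at logon")
    if entry.name is not None:
        if not _related(entry.name, entry.path):
            entry.score += W_UNRELATED
            entry.reasons.append("value name has nothing in common with the executable name")
        if re.search(r"microsoft|windows", entry.name, re.IGNORECASE) and not p.startswith(SYSTEM_ROOTS):
            entry.score += W_VENDOR
            entry.reasons.append("Microsoft/Windows-style name outside the system and Program Files trees")
    return entry


def triage(log_text: str, threshold: int = THRESHOLD) -> List[Autostart]:
    """Parse, score and return the entries at or above the threshold, in log order."""
    return [e for e in (score(e) for e in parse_o4(log_text)) if e.score >= threshold]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"[{e.score}] {e.where}: [{e.name}] {e.path}")
        for r in e.reasons:
            print("      -", r)
```

Run as-is it prints the three entries that reach the threshold, each with the reasons it collected. The score is a triage aid, not a verdict: a program the user installed under My Documents also collects points from the path heuristic and lands just under the threshold, which is exactly the kind of judgement the helper in this thread makes by hand before telling the poster what to uninstall.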

#3 navajo (Topic Starter, New Member, 7 posts)
thank you but my nightmare just started, my keyboard is messed up, my F buttons don't work, my esc button doesn't work

is there another way to reboot my computer

but i did that one antivirus scan and report



Avira AntiVir Personal
Report file date: Friday, June 27, 2008 00:00

Scanning for 1363126 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: YOUR-4DACD0EA75

Version information:
BUILD.DAT : 8.1.00.295 16479 Bytes 4/9/2008 16:24:00
AVSCAN.EXE : 8.1.2.12 311553 Bytes 3/18/2008 18:02:56
AVSCAN.DLL : 8.1.1.0 53505 Bytes 2/7/2008 17:43:37
LUKE.DLL : 8.1.2.9 151809 Bytes 2/28/2008 17:41:23
LUKERES.DLL : 8.1.2.1 12033 Bytes 2/21/2008 17:28:40
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 19:33:34
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 6/24/2008 05:05:46
ANTIVIR2.VDF : 7.0.5.2 2048 Bytes 6/24/2008 05:05:46
ANTIVIR3.VDF : 7.0.5.13 73216 Bytes 6/26/2008 05:05:49
Engineversion : 8.1.0.59
AEVDF.DLL : 8.1.0.5 102772 Bytes 2/25/2008 18:58:21
AESCRIPT.DLL : 8.1.0.44 278907 Bytes 6/27/2008 05:07:18
AESCN.DLL : 8.1.0.22 119157 Bytes 6/27/2008 05:07:14
AERDL.DLL : 8.1.0.20 418165 Bytes 6/27/2008 05:07:12
AEPACK.DLL : 8.1.1.6 364918 Bytes 6/27/2008 05:07:00
AEOFFICE.DLL : 8.1.0.20 192891 Bytes 6/27/2008 05:06:49
AEHEUR.DLL : 8.1.0.32 1274231 Bytes 6/27/2008 05:06:43
AEHELP.DLL : 8.1.0.15 115063 Bytes 6/27/2008 05:06:17
AEGEN.DLL : 8.1.0.29 307573 Bytes 6/27/2008 05:06:13
AEEMU.DLL : 8.1.0.6 430451 Bytes 6/27/2008 05:06:00
AECORE.DLL : 8.1.0.31 168310 Bytes 6/27/2008 05:05:52
AVWINLL.DLL : 1.0.0.7 14593 Bytes 1/24/2008 02:07:53
AVPREF.DLL : 8.0.0.1 25857 Bytes 2/18/2008 19:37:50
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 22:26:47
AVREG.DLL : 8.0.0.0 30977 Bytes 1/24/2008 02:07:49
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 17:29:23
AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 2/28/2008 17:31:31
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 02:28:02
SMTPLIB.DLL : 1.2.0.19 28929 Bytes 1/24/2008 02:08:39
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 21:05:10
RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 3/10/2008 23:37:25
RCTEXT.DLL : 8.0.32.0 86273 Bytes 3/6/2008 21:02:11

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Friday, June 27, 2008 00:00

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'AcroRd32.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'msn.exe' - '1' Module(s) have been scanned
Scan process 'ssu.exe' - '1' Module(s) have been scanned
Scan process 'hpqste08.exe' - '1' Module(s) have been scanned
Scan process 'usnsvc.exe' - '1' Module(s) have been scanned
Scan process 'ehmsas.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'dllhost.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'SPUVolumeWatcher.exe' - '1' Module(s) have been scanned
Scan process 'LimeWire.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'mcrdsvc.exe' - '1' Module(s) have been scanned
Scan process 'FSRremoS.EXE' - '1' Module(s) have been scanned
Scan process 'Weather.exe' - '1' Module(s) have been scanned
Scan process 'mssysmgr.exe' - '1' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'SpySweeperUI.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'ipoint.exe' - '1' Module(s) have been scanned
Scan process 'MWSOEMON.EXE' - '1' Module(s) have been scanned
Scan process 'M3SRCHMN.EXE' - '1' Module(s) have been scanned
Scan process 'PicasaMediaDetector.exe' - '1' Module(s) have been scanned
Scan process 'ico.exe' - '1' Module(s) have been scanned
Scan process 'arpwrmsg.exe' - '1' Module(s) have been scanned
Scan process 'ehtray.exe' - '1' Module(s) have been scanned
Scan process 'SpySweeper.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'StarWindServiceAE.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ehSched.exe' - '1' Module(s) have been scanned
Scan process 'ehrecvr.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'arservice.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
61 processes with 61 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
[WARNING] The device is not ready.
Master boot sector HD2
[INFO] No virus was found!
[WARNING] The device is not ready.
Master boot sector HD3
[INFO] No virus was found!
[WARNING] The device is not ready.
Master boot sector HD4
[INFO] No virus was found!
[WARNING] The device is not ready.

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '33' files ).


Starting the file scan:

Begin scan in 'C:\' <HP_PAVILION>
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\jeremiah\Local Settings\Temporary Internet Files\Content.IE5\9L4W75E2\show[1].htm
[DETECTION] Contains suspicious code HEUR/HTML.Malware
[NOTE] The fund was classified as suspicious.
[NOTE] The file was moved to '48d39996.qua'!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\I18FGZ67\upgrade[1].cab
[0] Archive type: CAB (Microsoft)
--> upgrade.exe
[DETECTION] Contains detection pattern of the dropper DR/Agent.aqr
[NOTE] The file was moved to '48cb9e78.qua'!
C:\Documents and Settings\roundeye\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-4e7e982a.zip
[0] Archive type: ZIP
--> vmain.class
[DETECTION] Contains detection pattern of the exploits EXP/Java.Gimsh.B.1
[NOTE] The file was moved to '48d1a1b1.qua'!
C:\Program Files\Online Services\PeoplePC\ISP5900\Branding\ppal3ppc.exe
[DETECTION] Contains detection pattern of the dropper DR/Agent.aeh
[NOTE] The file was moved to '48c5a5f4.qua'!
C:\RECYCLER\S-1-5-21-1278811825-1092043983-1128913109-1015\Dc398.exe
[0] Archive type: ZIP SFX (self extracting)
--> resource.0000.pkg
[1] Archive type: ZIP
--> RPCInstall_US.dll
[DETECTION] Is the Trojan horse TR/Dldr.Agent.hym
--> RPCInstall_INTL.dll
[DETECTION] Is the Trojan horse TR/Dldr.Agent.hym.1
--> freezetoolbar_installer.exe
[DETECTION] Contains detection pattern of the dropper DR/Mostofate.BT.5
--> blinksetup.exe
[2] Archive type: RSRC
--> Object
[DETECTION] Contains detection pattern of the dropper DR/Agent.aqr.1
--> ShopperReports.exe
[DETECTION] Contains detection pattern of the dropper DR/Shopper.K.13
--> osfreez118.exe
[2] Archive type: RSRC
--> Object
[DETECTION] Contains detection pattern of the dropper DR/OneStep.A
[NOTE] The file was moved to '4897a701.qua'!
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP225\A0209716.dll
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '4896a755.qua'!
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP252\A0240400.ax
[DETECTION] Is the Trojan horse TR/Obfuscated.IB.1
[NOTE] The file was moved to '4896a80a.qua'!
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP301\A0334745.exe
[DETECTION] Is the Trojan horse TR/Dldr.JKDC.2
[NOTE] The file was moved to '4897aa8a.qua'!
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP301\A0334746.exe
[DETECTION] Is the Trojan horse TR/Click.Ag.78848.B
[NOTE] The file was moved to '4897aa8e.qua'!
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP301\A0334747.exe
[DETECTION] Contains detection pattern of the dropper DR/Agent.aeh
[NOTE] The file was moved to '4897aa91.qua'!
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP301\A0334748.exe
[0] Archive type: ZIP SFX (self extracting)
--> resource.0000.pkg
[1] Archive type: ZIP
--> RPCInstall_US.dll
[DETECTION] Is the Trojan horse TR/Dldr.Agent.hym
--> RPCInstall_INTL.dll
[DETECTION] Is the Trojan horse TR/Dldr.Agent.hym.1
--> freezetoolbar_installer.exe
[DETECTION] Contains detection pattern of the dropper DR/Mostofate.BT.5
--> blinksetup.exe
[2] Archive type: RSRC
--> Object
[DETECTION] Contains detection pattern of the dropper DR/Agent.aqr.1
--> ShopperReports.exe
[DETECTION] Contains detection pattern of the dropper DR/Shopper.K.13
--> osfreez118.exe
[2] Archive type: RSRC
--> Object
[DETECTION] Contains detection pattern of the dropper DR/OneStep.A
[NOTE] The file was moved to '4897aa9a.qua'!
C:\WINDOWS\system32\qoMdETMD.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26003
[WARNING]
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
C:\WINDOWS\Temp\BLI143B.tmp\upgrade.exe
[DETECTION] Contains detection pattern of the dropper DR/Agent.aqr
[NOTE] The file was moved to '48cbaeda.qua'!
Begin scan in 'D:\' <HP_RECOVERY>


End of the scan: Friday, June 27, 2008 02:20
Used time: 2:20:05 min

The scan has been done completely.

18368 Scanning directories
717172 Files were scanned
22 viruses and/or unwanted programs were found
1 Files were classified as suspicious:
0 files were deleted
0 files were repaired
12 files were moved to quarantine
0 files were renamed
3 Files cannot be scanned
717150 Files not concerned
18240 Archives were scanned
8 Warnings
12 Notes

ps i do have Spy Sweeper

thank you for helping me

#4 navajo (Topic Starter, New Member, 7 posts)
i did that list of programs


32 Bit HP CIO Components Installer
Adobe Flash Player ActiveX
Adobe Reader 8.1.0
Adobe Shockwave Player 11
Advanced WindowsCare Personal
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
Avira AntiVir Personal – Free Antivirus
Bonjour
Browser Optimizer Adssite
Customer Experience Enhancement
Deer Hunter 2004 - Legendary Hunting
Enhanced Multimedia Keyboard Solution
free-downloads.net Toolbar
FrostWire 4.13.4
getPlus®_ocx
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB888111
Highlight Viewer (Windows Live Toolbar)
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB910393)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB912024)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB928388)
Hotfix for Windows XP (KB929120)
Hotfix for Windows XP (KB935448)
HP Boot Optimizer
HP DigitalMedia Archive
HP DVD Play 2.1
HP Photosmart for Media Center PC
HP Smart Web Printing
HP Update
HP Web Helper
HP Wireless Rechargeable Optical Mouse
HPSSupply
iTunes
Java™ 6 Update 3
LimeWire 4.16.6
Map Button (Windows Live Toolbar)
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2006
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003 60 days trial
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MSN
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
muvee autoProducer 5.0
muvee autoProducer unPlugged 2.0
My Web Search (Webfetti)
MyLayout Profile Editor
NetZero Internet and Voice Offer
NVIDIA Drivers
Otto
PC-Doctor 5 for Windows
Print Artist Gold 21
Quicken 2006
QuickTime
Qwest QuickCare 2.0
Realtek High Definition Audio Driver
RegCure 1.5.0.1
Rhapsody
Rhapsody Player Engine
Sandlot Games Client Services
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Smart Menus (Windows Live Toolbar)
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sony Picture Utility
Spy Sweeper
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB904942)
Update for Windows XP (KB912945)
Update for Windows XP (KB920342)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB953356)
Updates from HP (remove only)
URGE
VideoLAN VLC media player 0.8.6f
Walgreens PhotoShow Express 4
WeatherBug
WildTangent Web Driver
Windows Driver Package - Camera Maker (MR97310_USB_DUAL_CAMERA) Image 05/02/2006 2.0.1.0
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Favorites for Windows Live Toolbar
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892050
Windows XP Hotfix - KB893066
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
WinRAR archiver
Xvid 1.1.3 final uninstall



There, and again, thank you so much.

#5
miekiemoes
    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Hi,

Uninstall the following programs:

Ask Toolbar
Browser Optimizer Adssite
free-downloads.net Toolbar
My Web Search (Webfetti)
RegCure 1.5.0.1 <== I don't recommend registry cleaners, as they may cause more damage
Spy Sweeper <== uninstall it if you didn't purchase it
WeatherBug <== uninstall it if you didn't purchase it

Reboot afterwards.

In case your Explorer doesn't launch (since you're also dealing with Vundo, which causes Explorer to crash), to reboot, hold CTRL-ALT-DEL to open Task Manager and, from the menu at the top, select Shut Down and then select Restart.

After the reboot, please visit this webpage for instructions on downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#6
navajo
    New Member

  • Topic Starter
  • Member
  • 7 posts
lol, that took a while.

Well, here's the log.




ComboFix 08-06-20.4 - HP_Administrator 2008-06-27 15:46:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.306 [GMT -7:00]
Running from: C:\Documents and Settings\HP_Administrator\My Documents\My Downloads\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\bigclaw\Application Data\FunWebProducts
C:\Documents and Settings\bigclaw\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\Guest\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\HP_Administrator\Application Data\FunWebProducts
C:\Documents and Settings\HP_Administrator\Application Data\FunWebProducts\Data\HP_Administrator\avatar.dat
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\jeremiah\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\jesse\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\kids\Application Data\FunWebProducts
C:\Documents and Settings\kids\Application Data\FunWebProducts\Data\kids\avatar.dat
C:\Documents and Settings\kids\Application Data\FunWebProducts\Data\kids\wffavs.dat
C:\Documents and Settings\kids\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\rachel\Application Data\FunWebProducts
C:\Documents and Settings\rachel\Application Data\FunWebProducts\Data\rachel\avatar.dat
C:\Documents and Settings\rachel\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\roundeye\Application Data\FunWebProducts
C:\Documents and Settings\roundeye\Application Data\FunWebProducts\Data\roundeye\avatar.dat
C:\Documents and Settings\roundeye\Application Data\FunWebProducts\Data\roundeye\wffavs.dat
C:\Documents and Settings\roundeye\Application Data\macromedia\Flash Player\#SharedObjects\DQN4Y3T4\www.broadcaster.com
C:\Documents and Settings\roundeye\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\roundeye\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\roundeye\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\ScreenSaver\Cache\00D58BE8.jpg
C:\Program Files\FunWebProducts\ScreenSaver\Cache\00D97BE7
C:\Program Files\FunWebProducts\ScreenSaver\Cache\files.ini
C:\Program Files\FunWebProducts\ScreenSaver\Images\00059988.urr
C:\Program Files\FunWebProducts\ScreenSaver\Images\00177D4E.urr
C:\Program Files\FunWebProducts\ScreenSaver\Images\001E466D.urr
C:\Program Files\FunWebProducts\ScreenSaver\Images\0023FB0F.urr
C:\Program Files\FunWebProducts\ScreenSaver\Images\0049A0E0.urr
C:\Program Files\FunWebProducts\ScreenSaver\Images\00D3E2DB.urr
C:\Program Files\FunWebProducts\ScreenSaver\Images\00D59FBE.dat
C:\Program Files\FunWebProducts\ScreenSaver\Images\00D85F4B.urr
C:\Program Files\FunWebProducts\ScreenSaver\Images\00D9BD93.dat
C:\Program Files\FunWebProducts\ScreenSaver\Images\00DC15FA.dat
C:\Program Files\FunWebProducts\ScreenSaver\Images\101x135\00D59FBE.jpg
C:\Program Files\FunWebProducts\ScreenSaver\Images\f3wallpp.bmp
C:\Program Files\FunWebProducts\ScreenSaver\Images\wrkparam.lst
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MySignatureInsertBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MySignaturePreviewBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\WebfettiBtn-new.html
C:\Program Files\FunWebProducts\Shared\Cache\WebfettiBtn-new.htmlx
C:\Program Files\FunWebProducts\Shared\Cache\WebfettiBtn.html
C:\Program Files\internet explorer\msimg32.dll
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\6.bin\F3BKGERR.JPG
C:\Program Files\MyWebSearch\bar\6.bin\F3BROVLY.DLL
C:\Program Files\MyWebSearch\bar\6.bin\F3CJPEG.DLL
C:\Program Files\MyWebSearch\bar\6.bin\F3DTACTL.DLL
C:\Program Files\MyWebSearch\bar\6.bin\F3HISTSW.DLL
C:\Program Files\MyWebSearch\bar\6.bin\F3HTTPCT.DLL
C:\Program Files\MyWebSearch\bar\6.bin\F3IMSTUB.DLL
C:\Program Files\MyWebSearch\bar\6.bin\F3POPSWT.DLL
C:\Program Files\MyWebSearch\bar\6.bin\F3PSSAVR.SCR
C:\Program Files\MyWebSearch\bar\6.bin\F3REPROX.DLL
C:\Program Files\MyWebSearch\bar\6.bin\F3SCHMON.EXE
C:\Program Files\MyWebSearch\bar\6.bin\F3SCRCTR.DLL
C:\Program Files\MyWebSearch\bar\6.bin\F3SHLLVW.DLL
C:\Program Files\MyWebSearch\bar\6.bin\F3WALLPP.DAT
C:\Program Files\MyWebSearch\bar\6.bin\F3WPHOOK.DLL
C:\Program Files\MyWebSearch\bar\6.bin\M3FFXTBR.JAR
C:\Program Files\MyWebSearch\bar\6.bin\M3FFXTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\6.bin\M3HTML.DLL
C:\Program Files\MyWebSearch\bar\6.bin\M3IDLE.DLL
C:\Program Files\MyWebSearch\bar\6.bin\M3IMPIPE.EXE
C:\Program Files\MyWebSearch\bar\6.bin\M3MSG.DLL
C:\Program Files\MyWebSearch\bar\6.bin\M3NTSTBR.JAR
C:\Program Files\MyWebSearch\bar\6.bin\M3NTSTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\6.bin\M3OUTLCN.DLL
C:\Program Files\MyWebSearch\bar\6.bin\M3PLUGIN.DLL
C:\Program Files\MyWebSearch\bar\6.bin\M3SKIN.DLL
C:\Program Files\MyWebSearch\bar\6.bin\M3SKPLAY.EXE
C:\Program Files\MyWebSearch\bar\6.bin\M3SLSRCH.EXE
C:\Program Files\MyWebSearch\bar\6.bin\M3SRCHMN.EXE
C:\Program Files\MyWebSearch\bar\6.bin\MWSBAR.DLL
C:\Program Files\MyWebSearch\bar\6.bin\MWSOEMON.EXE
C:\Program Files\MyWebSearch\bar\6.bin\MWSOEPLG.DLL
C:\Program Files\MyWebSearch\bar\6.bin\MWSOESTB.DLL
C:\Program Files\MyWebSearch\bar\6.bin\NPMYWEBS.DLL
C:\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Cache\0002B6C3
C:\Program Files\MyWebSearch\bar\Cache\00086327.bin
C:\Program Files\MyWebSearch\bar\Cache\0008677D.bin
C:\Program Files\MyWebSearch\bar\Cache\00086B84.bin
C:\Program Files\MyWebSearch\bar\Cache\00086F3D.bin
C:\Program Files\MyWebSearch\bar\Cache\00087383.bin
C:\Program Files\MyWebSearch\bar\Cache\009FD377.bin
C:\Program Files\MyWebSearch\bar\Cache\009FDCBE.bin
C:\Program Files\MyWebSearch\bar\Cache\009FEB35.bin
C:\Program Files\MyWebSearch\bar\Cache\009FF0E2.bin
C:\Program Files\MyWebSearch\bar\Cache\00A00044.bin
C:\Program Files\MyWebSearch\bar\Cache\00A0046A.bin
C:\Program Files\MyWebSearch\bar\Cache\00A0302D.bin
C:\Program Files\MyWebSearch\bar\Cache\00A034B2.bin
C:\Program Files\MyWebSearch\bar\Cache\00A04413
C:\Program Files\MyWebSearch\bar\Cache\files.ini
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\icons\CM.ICO
C:\Program Files\MyWebSearch\bar\icons\MFC.ICO
C:\Program Files\MyWebSearch\bar\icons\PSS.ICO
C:\Program Files\MyWebSearch\bar\icons\SMILEY.ICO
C:\Program Files\MyWebSearch\bar\icons\WB.ICO
C:\Program Files\MyWebSearch\bar\icons\ZWINKY.ICO
C:\Program Files\MyWebSearch\bar\Message\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Message\COMMON\ask_logo.gif
C:\Program Files\MyWebSearch\bar\Message\COMMON\autoup.gif
C:\Program Files\MyWebSearch\bar\Message\COMMON\autoup.htm
C:\Program Files\MyWebSearch\bar\Message\COMMON\center.htm
C:\Program Files\MyWebSearch\bar\Message\COMMON\index.htm
C:\Program Files\MyWebSearch\bar\Message\COMMON\mid_dots.gif
C:\Program Files\MyWebSearch\bar\Message\COMMON\mws_logo.gif
C:\Program Files\MyWebSearch\bar\Message\COMMON\protect.htm
C:\Program Files\MyWebSearch\bar\Message\COMMON\shocked.gif
C:\Program Files\MyWebSearch\bar\Message\COMMON\stop.gif
C:\Program Files\MyWebSearch\bar\Message\COMMON\systray.htm
C:\Program Files\MyWebSearch\bar\Message\COMMON\systrayp.htm
C:\Program Files\MyWebSearch\bar\Message\COMMON\tp_grad.gif
C:\Program Files\MyWebSearch\bar\Message\COMMON\warn.gif
C:\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier\DOG.F3S
C:\Program Files\MyWebSearch\bar\Notifier\FISH.F3S
C:\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S
C:\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAID.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S
C:\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S
C:\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\SrchAstt\6.bin\MWSSRCAS.DLL
C:\Program Files\outlook
C:\Temp\gbRve12
C:\WINDOWS\Fonts\'
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\system32\_000001_.tmp.dll
C:\WINDOWS\system32\_000004_.tmp.dll
C:\WINDOWS\system32\_000005_.tmp.dll
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\_000009_.tmp.dll
C:\WINDOWS\system32\_000010_.tmp.dll
C:\WINDOWS\system32\aqVreo18
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\system32\DMTEdMoq.ini
C:\WINDOWS\system32\DMTEdMoq.ini2
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\rightonadz-uninst.exe
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com
C:\WINDOWS\system32\yccdd.ini
C:\WINDOWS\system32\yccdd.ini2
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-27 to 2008-06-27 )))))))))))))))))))))))))))))))
.

2008-06-27 14:28 . 2008-01-14 14:36 267,592 --a------ C:\Program Files\Uninstall Ask Toolbar.dll
2008-06-26 21:54 . 2008-06-26 21:54 <DIR> d-------- C:\Program Files\Avira
2008-06-26 21:54 . 2008-06-26 21:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-21 06:16 . 2008-06-21 06:16 <DIR> d-------- C:\Program Files\idlebias
2008-06-20 14:57 . 2008-06-20 14:57 <DIR> d-------- C:\Program Files\IObit
2008-06-18 16:19 . 2008-06-18 16:19 285,696 --a------ C:\WINDOWS\system32\qoMdETMD.dll
2008-06-18 16:14 . 2008-06-05 18:24 47 --a------ C:\Documents and Settings\HP_Administrator\readme.bat
2008-06-17 23:15 . 2008-06-17 23:15 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Zinaps2008
2008-06-14 15:44 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-06-14 15:41 . 2008-06-14 15:44 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-06-14 15:41 . 2008-06-18 09:21 <DIR> d-------- C:\WINDOWS\Logs
2008-06-14 15:36 . 2008-06-14 15:36 <DIR> d-------- C:\Program Files\NovaLogic
2008-06-13 15:05 . 2008-06-13 15:05 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\vlc
2008-06-13 15:02 . 2008-06-13 15:02 <DIR> d-------- C:\Program Files\VideoLAN
2008-06-11 05:47 . 2008-06-11 05:47 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-06-10 12:36 . 2008-06-13 06:10 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 12:36 . 2008-06-13 06:10 272,128 --a------ C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-08 20:04 . 2008-06-08 20:04 <DIR> d--hs---- C:\found.001
2008-06-05 13:01 . 2008-06-05 13:02 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\MSNInstaller
2008-06-03 15:08 . 2008-06-04 09:00 <DIR> d-------- C:\Documents and Settings\kids\Contacts
2008-06-01 19:59 . 2008-06-01 19:59 1,409 --a------ C:\WINDOWS\system32\tmpEC30C.FOT
2008-06-01 19:59 . 2008-06-01 19:59 1,409 --a------ C:\WINDOWS\system32\tmpA540C.FOT
2008-06-01 19:59 . 2008-06-01 19:59 1,409 --a------ C:\WINDOWS\system32\tmp7D40C.FOT
2008-06-01 19:59 . 2008-06-01 19:59 1,409 --a------ C:\WINDOWS\system32\tmp5920C.FOT
2008-06-01 19:59 . 2008-06-01 19:59 1,409 --a------ C:\WINDOWS\system32\tmp1530C.FOT
2008-05-29 16:51 . 2008-05-29 16:51 1,409 --a------ C:\WINDOWS\system32\tmpE5325.FOT
2008-05-29 16:51 . 2008-05-29 16:51 1,409 --a------ C:\WINDOWS\system32\tmpC1125.FOT
2008-05-29 16:51 . 2008-05-29 16:51 1,409 --a------ C:\WINDOWS\system32\tmp99125.FOT
2008-05-29 16:51 . 2008-05-29 16:51 1,409 --a------ C:\WINDOWS\system32\tmp90F15.FOT
2008-05-29 16:51 . 2008-05-29 16:51 1,409 --a------ C:\WINDOWS\system32\tmp14025.FOT
2008-05-28 17:17 . 2008-05-28 17:18 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-05-28 17:17 . 2008-05-28 17:17 <DIR> d-------- C:\Program Files\Windows Live Favorites
2008-05-28 17:17 . 2008-06-11 21:48 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Contacts
2008-05-28 17:12 . 2008-05-28 17:16 <DIR> d-------- C:\Program Files\Windows Live
2008-05-28 17:12 . 2008-05-28 17:15 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-28 17:11 . 2008-05-28 17:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-27 23:15 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\LimeWire
2008-06-27 22:42 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\MSN6
2008-06-27 21:38 --------- d-----w C:\Program Files\free-downloads.net
2008-06-27 21:38 --------- d-----w C:\Program Files\Conduit
2008-06-27 17:56 --------- d-----w C:\Documents and Settings\kids\Application Data\MSN6
2008-06-23 03:27 --------- d-----w C:\Program Files\Google
2008-06-21 13:17 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\idlebias
2008-06-21 13:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\part dead amok eggs
2008-06-20 05:18 --------- d-----w C:\Program Files\Trend Micro
2008-06-18 16:21 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Walgreens
2008-06-15 08:24 --------- d-----w C:\Program Files\FrostWire
2008-06-14 22:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-11 13:36 6,924 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2008-06-09 15:52 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-07 20:22 --------- d-----w C:\Program Files\LimeWire
2008-05-27 01:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\SierraHome
2008-05-27 01:12 --------- d-----w C:\Program Files\SierraHome
2008-05-27 01:12 --------- d-----w C:\Program Files\Common Files\Nova Development
2008-05-24 01:48 --------- d-----w C:\Program Files\My.Freeze.com Toolbar with NetAssistant
2008-05-24 01:38 --------- d-----w C:\Program Files\MSN Messenger
2008-05-24 01:37 --------- d-----w C:\Program Files\GemMaster
2008-05-23 19:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-05-23 19:12 --------- d-----w C:\Program Files\Microsoft Money 2006
2008-05-23 19:12 --------- d-----w C:\Program Files\Atari
2008-05-22 02:25 --------- d-----w C:\Program Files\Yahoo!
2008-05-16 23:29 --------- d-----w C:\Program Files\AGEIA Technologies
2008-05-16 23:05 6,506 ----a-w C:\Documents and Settings\kids\Application Data\wklnhst.dat
2008-05-16 04:13 --------- d-----w C:\Program Files\Freeze.com
2008-05-16 04:13 --------- d-----w C:\Program Files\Free Offers from Freeze.com
2008-05-16 04:13 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\WeatherBug
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-29 03:26 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\U3
2008-04-29 03:22 --------- d-----w C:\Documents and Settings\kids\Application Data\U3
2008-04-27 00:04 --------- d-----w C:\Program Files\Prison Tycoon
2007-10-03 01:55 270 ----a-w C:\Documents and Settings\jesse\Application Data\wklnhst.dat
2007-09-03 06:34 144 ----a-w C:\Documents and Settings\rachel\Application Data\wklnhst.dat
2007-08-22 13:49 5,192 ----a-w C:\Documents and Settings\bigclaw\Application Data\wklnhst.dat
2007-05-23 23:00 2,912 ----a-w C:\Documents and Settings\roundeye\Application Data\wklnhst.dat
2007-04-08 21:29 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31B51B6C-14D7-452F-9325-77293A8E9614}]
2008-06-18 16:19 285696 --a------ C:\WINDOWS\system32\qoMdETMD.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]
"Walgreens PhotoShow Media Manager"="C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe" [2006-04-19 23:35 237568]
"Exit Ooze"="C:\DOCUME~1\HP_ADM~1\APPLIC~1\idlebias\Ping Send New.exe" [2008-06-21 06:16 674304]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [ ]
"Zinaps2008"="C:\Documents and Settings\HP_Administrator\Application Data\Zinaps2008\Zinaps.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-26 13:39 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 22:01 67584]
"ftutil2"="ftutil2.dll" [2004-06-07 14:05 106496 C:\WINDOWS\system32\ftutil2.dll]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 00:19 77312 C:\WINDOWS\arpwrmsg.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-05-09 15:50 7311360]
"nwiz"="nwiz.exe" [2006-05-09 15:50 1519616 C:\WINDOWS\system32\nwiz.exe]
"DMAScheduler"="c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 10:05 90112]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-22 23:14 237568]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"QUICKCARE"="C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe" [2006-11-07 21:07 192512]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [ ]
"Mouse Suite 98 Daemon"="ICO.EXE" [2003-11-20 14:08 57344 C:\WINDOWS\system32\ico.exe]
"Picasa Media Detector"="C:\Documents and Settings\HP_Administrator\My Documents\My Downloads\Picasa2\PicasaMediaDetector.exe" [2007-05-01 23:08 366400]
"My Web Search Bar Search Scope Monitor"="C:\PROGRA~1\MYWEBS~1\bar\6.bin\m3SrchMn.exe" [ ]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 18:09 842584]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"Amok Eggs Four Web"="C:\Documents and Settings\All Users\Application Data\part dead amok eggs\Show Trust.exe" [2008-06-27 16:16 4920320]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]

C:\Documents and Settings\rachel\Start Menu\Programs\Startup\
PinMcLnk.lnk - C:\hp\bin\cloaker.exe [2006-11-11 20:13:14 27136]

C:\Documents and Settings\Guest\Start Menu\Programs\Startup\
PinMcLnk.lnk - C:\hp\bin\cloaker.exe [2006-11-11 20:13:14 27136]

C:\Documents and Settings\jesse\Start Menu\Programs\Startup\
PinMcLnk.lnk - C:\hp\bin\cloaker.exe [2006-11-11 20:13:14 27136]

C:\Documents and Settings\kids\Start Menu\Programs\Startup\
PinMcLnk.lnk - C:\hp\bin\cloaker.exe [2006-11-11 20:13:14 27136]

C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-02-08 14:32:57 147456]
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-05-12 18:39:06 344064]
PowerReg Scheduler V3.exe [2008-03-22 20:12:27 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnmklLc]
pmnmklLc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvtqpq]
tuvtqpq.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates From HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates From HP.lnk
backup=C:\WINDOWS\pss\Updates From HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-03-11 21:34 49152 C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
--a------ 2006-02-15 23:34 249856 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 16:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-06-13 20:05 16239616 C:\WINDOWS\RTHDCPL.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN\\MSNCoreFiles\\msn.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\HP_Administrator\\Desktop\\YGOJoey\\Yu-Gi-Oh! Power of Chaos 3 - Joey The Passion\\joey_pc.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

S3 pelmouse;Mouse Suite Driver;C:\WINDOWS\system32\DRIVERS\pelmouse.sys [2003-01-10 13:55]
S3 pelusblf;USB Mouse Low Filter Driver;C:\WINDOWS\system32\DRIVERS\pelusblf.sys [2004-09-22 11:16]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa9d2bf2-b8fc-11dc-8c17-0018f35b46a4}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-06-11 00:31:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-27 23:16:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-06-27 23:19:49 C:\WINDOWS\Tasks\DMATask 0 {D2B22905-47C9-4b82-8E74-47AA9D2DE378} 0~0.job"
- c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe;Sched DMATask 0 {D2B22905-47C9-4b82-8E74-47AA9D2DE378} 0~0
"2008-05-01 04:55:26 C:\WINDOWS\Tasks\DMATask 1 {D2B22905-47C9-4b82-8E74-47AA9D2DE378} 0~0.job"
- c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe;Sched DMATask 1 {D2B22905-47C9-4b82-8E74-47AA9D2DE378} 0~0
"2008-06-21 16:00:00 C:\WINDOWS\Tasks\rpc.job"
- C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe
"2008-06-21 22:52:11 C:\WINDOWS\Tasks\WebReg Deskjet F4100 series.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
"2008-06-24 00:00:00 C:\WINDOWS\Tasks\wrSpySweeper_BB3012046B894F5D89F2914D4688E739.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe=/ScheduleSweep=wrSpySweeper_BB3012046B894F5D89F2914D4688E739
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
"2008-03-10 13:00:00 C:\WINDOWS\Tasks\wrSpySweeper_FE4624BB07B5462794BBAE776A3C0EC1.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe=/ScheduleSweep=wrSpySweeper_FE4624BB07B5462794BBAE776A3C0EC1
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
"2008-03-10 12:00:00 C:\WINDOWS\Tasks\wrSpySweeper_FFA7BF52D5B44FBEA7950F4AA5B91CA6.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe=/ScheduleSweep=wrSpySweeper_FFA7BF52D5B44FBEA7950F4AA5B91CA6
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-27 16:14:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\Walgreens\Walgreens PhotoShow 4\data\Xtras\mssysmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Webroot\Spy Sweeper\ssu.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-06-27 16:26:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-27 23:25:38

Pre-Run: 109,187,633,152 bytes free
Post-Run: 113,687,810,048 bytes free

427 --- E O F --- 2008-06-21 13:14:22




And again, thank you so much.

#7
miekiemoes
    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Hi,

Open Notepad (don't use any other text editor than Notepad, or the script will fail).
Copy and paste the text in the quote box below into Notepad:

File::
C:\WINDOWS\system32\qoMdETMD.dll
C:\Program Files\Uninstall Ask Toolbar.dll
C:\Documents and Settings\HP_Administrator\readme.bat
C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk
C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
Folder::
C:\Documents and Settings\HP_Administrator\Application Data\Zinaps2008
C:\Documents and Settings\All Users\Application Data\part dead amok eggs
C:\Documents and Settings\HP_Administrator\Application Data\idlebias
C:\Program Files\idlebias
C:\Program Files\Freeze.com
C:\Program Files\free-downloads.net
C:\Program Files\Conduit
C:\Program Files\My.Freeze.com Toolbar with NetAssistant
C:\Program Files\Free Offers from Freeze.com
C:\Documents and Settings\HP_Administrator\Application Data\WeatherBug
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31B51B6C-14D7-452F-9325-77293A8E9614}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Exit Ooze"=-
"Weather"=-
"Zinaps2008"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"=-
"ISUSPM Startup"=-
"ISUSScheduler"=-
"My Web Search Bar Search Scope Monitor"=-
"Amok Eggs Four Web"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnmklLc]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvtqpq]


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
  • 0
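The script above uses ComboFix's CFScript layout: a `File::` and a `Folder::` section listing paths to remove, and a `Registry::` section in .reg syntax, where `[-KEY]` deletes a whole key and a `"Name"=-` line under a plain `[KEY]` header deletes one value. Because such a script deletes whatever it is given, it is worth checking before it is run. The following parser is an added example, not ComboFix's own code: it turns a script into a list of planned deletions, reports lines that do not match the syntax (the `="-` typo from the post is kept in the constructed sample on purpose so it shows up), and flags deletions under the system directory for a second look. The `Action`, `parse_cfscript` and `review` names are this example's own; the sample paths are taken from the post.

```python
"""Review a ComboFix CFScript before running it (added example, not ComboFix code)."""
import re
from dataclasses import dataclass

# Constructed sample modelled on the CFScript in the post above. The last
# Registry line keeps that post's '="-' typo so the checker reports it.
SAMPLE_SCRIPT = r"""File::
C:\WINDOWS\system32\qoMdETMD.dll
C:\Documents and Settings\HP_Administrator\readme.bat
Folder::
C:\Program Files\Conduit
C:\Documents and Settings\HP_Administrator\Application Data\Zinaps2008
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31B51B6C-14D7-452F-9325-77293A8E9614}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"=-
"Zinaps2008"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Amok Eggs Four Web"="-
"""


@dataclass
class Action:
    kind: str     # delete_file, delete_folder, delete_key, delete_value or error
    target: str   # path, registry key, or "key\name" for a single value
    line_no: int  # 1-based line in the script, for pointing at problems


SECTION_RE = re.compile(r"^(\w+)::$")            # File:: / Folder:: / Registry::
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")            # [KEY] or [-KEY]
VALUE_DELETE_RE = re.compile(r'^"([^"]+)"=-$')   # "Name"=-  (reg syntax: delete value)


def parse_cfscript(text):
    """Return the list of Actions a CFScript describes, in script order.

    Only the three sections used in the post are understood; anything else
    (or a malformed registry line) is recorded as an 'error' action so the
    reviewer sees it instead of silently losing it.
    """
    actions = []
    section = None
    current_key = None
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            current_key = None
            continue
        if section == "File":
            actions.append(Action("delete_file", line, line_no))
        elif section == "Folder":
            actions.append(Action("delete_folder", line, line_no))
        elif section == "Registry":
            key = KEY_RE.match(line)
            val = VALUE_DELETE_RE.match(line)
            if key and key.group(1) == "-":
                actions.append(Action("delete_key", key.group(2), line_no))
                current_key = None
            elif key:
                current_key = key.group(2)            # following "Name"=- lines apply here
            elif val and current_key:
                actions.append(Action("delete_value", current_key + "\\" + val.group(1), line_no))
            else:
                actions.append(Action("error", line, line_no))
        else:
            actions.append(Action("error", line, line_no))  # outside any known section
    return actions


def review(actions):
    """Summarise the plan: per-kind counts, unparsable lines, and deletions
    under the Windows system directory that deserve a second look."""
    counts = {}
    for a in actions:
        counts[a.kind] = counts.get(a.kind, 0) + 1
    errors = [a for a in actions if a.kind == "error"]
    system_dir = [a for a in actions
                  if a.kind in ("delete_file", "delete_folder")
                  and a.target.lower().startswith(r"c:\windows\system32")]
    return counts, errors, system_dir


if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_SCRIPT)
    counts, errors, system_dir = review(plan)
    for a in plan:
        print(f"line {a.line_no:2}: {a.kind:13} {a.target}")
    print("summary:", counts)
    for e in errors:
        print(f"unparsable line {e.line_no}: {e.target}")
    for s in system_dir:
        print(f"system directory target on line {s.line_no}: {s.target}")
```

Run it against a saved CFScript (`parse_cfscript(open("CFScript.txt").read())`) and read the summary before dragging the file onto ComboFix; a non-empty error list means a line would not do what the author intended.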

#8
navajo

navajo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hi again, and thank you


moving closer to my problem lolol



ComboFix 08-06-20.4 - HP_Administrator 2008-06-28 3:25:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.325 [GMT -7:00]
Running from: C:\Documents and Settings\HP_Administrator\My Documents\My Downloads\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\cfscript.txt
* Resident AV is active


FILE ::
C:\Documents and Settings\HP_Administrator\readme.bat
C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk
C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
C:\Program Files\Uninstall Ask Toolbar.dll
C:\WINDOWS\system32\qoMdETMD.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\part dead amok eggs
C:\Documents and Settings\All Users\Application Data\part dead amok eggs\Show Trust.exe
C:\Documents and Settings\HP_Administrator\Application Data\idlebias
C:\Documents and Settings\HP_Administrator\Application Data\idlebias\Balm thunk face.exe
C:\Documents and Settings\HP_Administrator\Application Data\idlebias\nebnihok.exe
C:\Documents and Settings\HP_Administrator\Application Data\idlebias\nrenbvrf.exe
C:\Documents and Settings\HP_Administrator\Application Data\idlebias\Ping Send New.exe
C:\Documents and Settings\HP_Administrator\Application Data\idlebias\pwgpmfhy.exe
C:\Documents and Settings\HP_Administrator\Application Data\idlebias\ukjpdvhb.exe
C:\Documents and Settings\HP_Administrator\Application Data\WeatherBug
C:\Documents and Settings\HP_Administrator\Application Data\Zinaps2008
C:\Documents and Settings\HP_Administrator\Application Data\Zinaps2008\settings.ini
C:\Documents and Settings\HP_Administrator\readme.bat
C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk
C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
C:\Program Files\Conduit
C:\Program Files\free-downloads.net
C:\Program Files\Free Offers from Freeze.com
C:\Program Files\Free Offers from Freeze.com\101_Free_Songs.ico
C:\Program Files\Free Offers from Freeze.com\3770.url
C:\Program Files\Free Offers from Freeze.com\4115.url
C:\Program Files\Free Offers from Freeze.com\4294.url
C:\Program Files\Free Offers from Freeze.com\control.txt
C:\Program Files\Free Offers from Freeze.com\dolphinico.ico
C:\Program Files\Free Offers from Freeze.com\games_icon2.ico
C:\Program Files\Freeze.com
C:\Program Files\Freeze.com\MyLayout Profile Editor\Files\csshover.htc
C:\Program Files\Freeze.com\MyLayout Profile Editor\first.lck
C:\Program Files\Freeze.com\MyLayout Profile Editor\freeze.ico
C:\Program Files\Freeze.com\MyLayout Profile Editor\ml.ini
C:\Program Files\Freeze.com\MyLayout Profile Editor\MyLayout.exe
C:\Program Files\Freeze.com\MyLayout Profile Editor\undata.exe
C:\Program Files\Freeze.com\MyLayout Profile Editor\undata.ini
C:\Program Files\Freeze.com\MyLayout Profile Editor\UNINSTAL.EXE
C:\Program Files\idlebias
C:\Program Files\My.Freeze.com Toolbar with NetAssistant
C:\Program Files\Uninstall Ask Toolbar.dll
C:\WINDOWS\system32\DMTEdMoq.ini
C:\WINDOWS\system32\DMTEdMoq.ini2
C:\WINDOWS\system32\qoMdETMD.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-28 )))))))))))))))))))))))))))))))
.

2008-06-27 16:40 . 2008-06-28 02:45 <DIR> d-------- C:\Program Files\MagicISO
2008-06-26 21:54 . 2008-06-26 21:54 <DIR> d-------- C:\Program Files\Avira
2008-06-26 21:54 . 2008-06-26 21:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-20 14:57 . 2008-06-20 14:57 <DIR> d-------- C:\Program Files\IObit
2008-06-14 15:44 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-06-14 15:41 . 2008-06-14 15:44 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-06-14 15:41 . 2008-06-18 09:21 <DIR> d-------- C:\WINDOWS\Logs
2008-06-14 15:36 . 2008-06-14 15:36 <DIR> d-------- C:\Program Files\NovaLogic
2008-06-13 15:05 . 2008-06-13 15:05 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\vlc
2008-06-13 15:02 . 2008-06-13 15:02 <DIR> d-------- C:\Program Files\VideoLAN
2008-06-11 05:47 . 2008-06-11 05:47 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-06-10 12:36 . 2008-06-13 06:10 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 12:36 . 2008-06-13 06:10 272,128 --a------ C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-08 20:04 . 2008-06-08 20:04 <DIR> d--hs---- C:\found.001
2008-06-05 13:01 . 2008-06-05 13:02 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\MSNInstaller
2008-06-03 15:08 . 2008-06-04 09:00 <DIR> d-------- C:\Documents and Settings\kids\Contacts
2008-06-01 19:59 . 2008-06-01 19:59 1,409 --a------ C:\WINDOWS\system32\tmpEC30C.FOT
2008-06-01 19:59 . 2008-06-01 19:59 1,409 --a------ C:\WINDOWS\system32\tmpA540C.FOT
2008-06-01 19:59 . 2008-06-01 19:59 1,409 --a------ C:\WINDOWS\system32\tmp7D40C.FOT
2008-06-01 19:59 . 2008-06-01 19:59 1,409 --a------ C:\WINDOWS\system32\tmp5920C.FOT
2008-06-01 19:59 . 2008-06-01 19:59 1,409 --a------ C:\WINDOWS\system32\tmp1530C.FOT
2008-05-29 16:51 . 2008-05-29 16:51 1,409 --a------ C:\WINDOWS\system32\tmpE5325.FOT
2008-05-29 16:51 . 2008-05-29 16:51 1,409 --a------ C:\WINDOWS\system32\tmpC1125.FOT
2008-05-29 16:51 . 2008-05-29 16:51 1,409 --a------ C:\WINDOWS\system32\tmp99125.FOT
2008-05-29 16:51 . 2008-05-29 16:51 1,409 --a------ C:\WINDOWS\system32\tmp90F15.FOT
2008-05-29 16:51 . 2008-05-29 16:51 1,409 --a------ C:\WINDOWS\system32\tmp14025.FOT
2008-05-28 17:17 . 2008-05-28 17:18 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-05-28 17:17 . 2008-05-28 17:17 <DIR> d-------- C:\Program Files\Windows Live Favorites
2008-05-28 17:17 . 2008-06-11 21:48 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Contacts
2008-05-28 17:12 . 2008-05-28 17:16 <DIR> d-------- C:\Program Files\Windows Live
2008-05-28 17:12 . 2008-05-28 17:15 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-28 17:11 . 2008-05-28 17:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-28 10:19 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\MSN6
2008-06-28 10:07 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\LimeWire
2008-06-28 09:00 --------- d-----w C:\Documents and Settings\kids\Application Data\MSN6
2008-06-23 03:27 --------- d-----w C:\Program Files\Google
2008-06-20 05:18 --------- d-----w C:\Program Files\Trend Micro
2008-06-18 16:21 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Walgreens
2008-06-15 08:24 --------- d-----w C:\Program Files\FrostWire
2008-06-14 22:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-11 13:36 6,924 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2008-06-09 15:52 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-07 20:22 --------- d-----w C:\Program Files\LimeWire
2008-05-27 01:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\SierraHome
2008-05-27 01:12 --------- d-----w C:\Program Files\SierraHome
2008-05-27 01:12 --------- d-----w C:\Program Files\Common Files\Nova Development
2008-05-24 01:38 --------- d-----w C:\Program Files\MSN Messenger
2008-05-24 01:37 --------- d-----w C:\Program Files\GemMaster
2008-05-23 19:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-05-23 19:12 --------- d-----w C:\Program Files\Microsoft Money 2006
2008-05-23 19:12 --------- d-----w C:\Program Files\Atari
2008-05-22 02:25 --------- d-----w C:\Program Files\Yahoo!
2008-05-16 23:29 --------- d-----w C:\Program Files\AGEIA Technologies
2008-05-16 23:05 6,506 ----a-w C:\Documents and Settings\kids\Application Data\wklnhst.dat
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-29 03:26 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\U3
2008-04-29 03:22 --------- d-----w C:\Documents and Settings\kids\Application Data\U3
2007-10-03 01:55 270 ----a-w C:\Documents and Settings\jesse\Application Data\wklnhst.dat
2007-09-03 06:34 144 ----a-w C:\Documents and Settings\rachel\Application Data\wklnhst.dat
2007-08-22 13:49 5,192 ----a-w C:\Documents and Settings\bigclaw\Application Data\wklnhst.dat
2007-05-23 23:00 2,912 ----a-w C:\Documents and Settings\roundeye\Application Data\wklnhst.dat
2007-04-08 21:29 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.

((((((((((((((((((((((((((((( [email protected]_16.24.47.71 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-27 23:13:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-28 10:51:56 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]
"Walgreens PhotoShow Media Manager"="C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe" [2006-04-19 23:35 237568]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-26 13:39 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 22:01 67584]
"ftutil2"="ftutil2.dll" [2004-06-07 14:05 106496 C:\WINDOWS\system32\ftutil2.dll]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 00:19 77312 C:\WINDOWS\arpwrmsg.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-05-09 15:50 7311360]
"nwiz"="nwiz.exe" [2006-05-09 15:50 1519616 C:\WINDOWS\system32\nwiz.exe]
"DMAScheduler"="c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 10:05 90112]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-22 23:14 237568]
"QUICKCARE"="C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe" [2006-11-07 21:07 192512]
"Mouse Suite 98 Daemon"="ICO.EXE" [2003-11-20 14:08 57344 C:\WINDOWS\system32\ico.exe]
"Picasa Media Detector"="C:\Documents and Settings\HP_Administrator\My Documents\My Downloads\Picasa2\PicasaMediaDetector.exe" [2007-05-01 23:08 366400]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 18:09 842584]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"Amok Eggs Four Web"="C:\Documents and Settings\All Users\Application Data\part dead amok eggs\Show Trust.exe" [ ]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]

C:\Documents and Settings\rachel\Start Menu\Programs\Startup\
PinMcLnk.lnk - C:\hp\bin\cloaker.exe [2006-11-11 20:13:14 27136]

C:\Documents and Settings\Guest\Start Menu\Programs\Startup\
PinMcLnk.lnk - C:\hp\bin\cloaker.exe [2006-11-11 20:13:14 27136]

C:\Documents and Settings\jesse\Start Menu\Programs\Startup\
PinMcLnk.lnk - C:\hp\bin\cloaker.exe [2006-11-11 20:13:14 27136]

C:\Documents and Settings\kids\Start Menu\Programs\Startup\
PinMcLnk.lnk - C:\hp\bin\cloaker.exe [2006-11-11 20:13:14 27136]

C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-05-12 18:39:06 344064]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates From HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates From HP.lnk
backup=C:\WINDOWS\pss\Updates From HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-03-11 21:34 49152 C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
--a------ 2006-02-15 23:34 249856 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 16:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-06-13 20:05 16239616 C:\WINDOWS\RTHDCPL.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN\\MSNCoreFiles\\msn.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\HP_Administrator\\Desktop\\YGOJoey\\Yu-Gi-Oh! Power of Chaos 3 - Joey The Passion\\joey_pc.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

S3 pelmouse;Mouse Suite Driver;C:\WINDOWS\system32\DRIVERS\pelmouse.sys [2003-01-10 13:55]
S3 pelusblf;USB Mouse Low Filter Driver;C:\WINDOWS\system32\DRIVERS\pelusblf.sys [2004-09-22 11:16]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa9d2bf2-b8fc-11dc-8c17-0018f35b46a4}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-06-11 00:31:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-28 10:16:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-06-28 10:58:58 C:\WINDOWS\Tasks\DMATask 0 {D2B22905-47C9-4b82-8E74-47AA9D2DE378} 0~0.job"
- c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe;Sched DMATask 0 {D2B22905-47C9-4b82-8E74-47AA9D2DE378} 0~0
"2008-05-01 04:55:26 C:\WINDOWS\Tasks\DMATask 1 {D2B22905-47C9-4b82-8E74-47AA9D2DE378} 0~0.job"
- c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe;Sched DMATask 1 {D2B22905-47C9-4b82-8E74-47AA9D2DE378} 0~0
"2008-06-21 16:00:00 C:\WINDOWS\Tasks\rpc.job"
- C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe
"2008-06-21 22:52:11 C:\WINDOWS\Tasks\WebReg Deskjet F4100 series.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
"2008-06-24 00:00:00 C:\WINDOWS\Tasks\wrSpySweeper_BB3012046B894F5D89F2914D4688E739.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe=/ScheduleSweep=wrSpySweeper_BB3012046B894F5D89F2914D4688E739
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
"2008-03-10 13:00:00 C:\WINDOWS\Tasks\wrSpySweeper_FE4624BB07B5462794BBAE776A3C0EC1.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe=/ScheduleSweep=wrSpySweeper_FE4624BB07B5462794BBAE776A3C0EC1
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
"2008-03-10 12:00:00 C:\WINDOWS\Tasks\wrSpySweeper_FFA7BF52D5B44FBEA7950F4AA5B91CA6.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe=/ScheduleSweep=wrSpySweeper_FFA7BF52D5B44FBEA7950F4AA5B91CA6
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-28 03:52:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\Walgreens\Walgreens PhotoShow 4\data\Xtras\mssysmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Webroot\Spy Sweeper\ssu.exe
.
**************************************************************************
.
Completion time: 2008-06-28 4:05:40 - machine was rebooted [HP_Administrator]
ComboFix-quarantined-files.txt 2008-06-28 11:05:01
ComboFix2.txt 2008-06-27 23:26:10

Pre-Run: 121,383,612,416 bytes free
Post-Run: 124,962,099,200 bytes free

275 --- E O F --- 2008-06-21 13:14:22





Thank you for helping me
  • 0

#9
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

This looks OK again.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
  • 0

#10
navajo

navajo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
I think everything is good

my toolbar and icons are back
  • 0

#11
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Good to hear. :)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
  • 0

#12
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





