Zlob.rtk & other [Solved]


#1 10Ck3D (Member)

I scanned with Norton and Malwarebytes' Anti-Malware and got no problems, but when I scanned with Spybot Search & Destroy I got these results:

Microsoft.WindowsSecurityCenter_disabled: [SBI $2E20C9A9] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start

Zlob.rtk: [SBI $8903D5AA] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\msliksurserv.sys

Zlob.rtk: [SBI $169DC7A8] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\msliksurserv.sys

Even though it says it's fixed, if I scan again the same problems come back up...

Here's my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:15:26 PM, on 06/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDPOP3.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\WinPatrol\winpatrol.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\HP_Administrator\My Documents\Philip's Games\Homer\Homer.exe
C:\Documents and Settings\HP_Administrator\My Documents\Philip's Games\SetPoint\KEM.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\HP_Administrator\My Documents\Philip's Games\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Homer - Localhost webserver] C:\Documents and Settings\HP_Administrator\My Documents\Philip's Games\Homer\Homer.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~2.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; YPC 3.2.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; InfoPath.2)" -"http://arcade.pixelp...ca/hockey.html"
O4 - S-1-5-18 Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Documents and Settings\HP_Administrator\My Documents\Philip's Games\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &Search - ?p=ZUxdm513YYCA
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {2D0280B1-DC42-4DFA-9525-09BD48838539} (OSAKitPro.OSAKit) - http://www.newstarso...m/OSAKitPro.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} (Windows Live SkyDrive Upload Tool) - https://secure.share....RichUpload.cab
O16 - DPF: {EB2AB471-8FD8-43CD-BA61-348984013593} - mk:@MSITStore:C:\Program%20Files\HHD%20Software\Hex%20Editor%203.x\Hex%20Editor.chm::/swfbehavior.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 14440 bytes

I had experienced a computer crash yesterday and all that happened was it restarted and later said it had recovered from a critical error...
I think my computer may be running slower than usual, but it may just be my imagination.
I use this http://mvps.org/winhelp2002/hosts.htm so my hosts file is protected, and use Homer to stop an error message from occurring when I browse the web; hopefully this does not slow my system down.
I just think my HJT log should be analyzed to make sure I don't have any problems...
Waiting for some help!
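A HijackThis log like the one above is read line by line, and a few rules catch most of what a helper looks at first. As an added example (not part of this thread, and not a Geeks to Go or Trend Micro tool), this Python script parses the R/O lines and flags orphaned entries, the O10 Winsock LSP line, autostarts launched from user-writable folders, web-hosted ActiveX controls, services with no publisher, and IE settings that point at a host other than the expected ones; the expected-host list and the sample lines are constructed from the log posted above.

```python
"""Triage helper for HijackThis-style logs.

Added example for this thread; not a Geeks to Go or Trend Micro tool.
The rules below are the ones a helper applies by eye when reading an HJT log.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines copied from the HJT log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [Homer - Localhost webserver] C:\Documents and Settings\HP_Administrator\My Documents\Philip's Games\Homer\Homer.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {2D0280B1-DC42-4DFA-9525-09BD48838539} (OSAKitPro.OSAKit) - http://www.newstarso...m/OSAKitPro.CAB
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
"""


@dataclass
class Entry:
    section: str  # e.g. "R1", "O4", "O10", "O23"
    body: str     # everything after the "Rn - " / "Onn - " prefix


@dataclass
class Finding:
    section: str
    reason: str
    body: str


# HJT item lines start with a section code (R0, R1, O2, O4, O23, ...) followed by " - ".
LINE_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

# Folders an autostart should not normally launch from (user-writable locations on XP).
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\")

# Hosts expected in IE home/search settings on this box (assumption for the example);
# anything else in an R0/R1 Internet Explorer line is worth a second look.
EXPECTED_HOSTS = ("http://www.google.", "http://go.microsoft.")


def parse_hjt(text: str) -> List[Entry]:
    """Return the R/F/N/O entries of a HijackThis log; header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply the first-pass rules a helper uses and return the entries that need attention."""
    findings = []
    for e in entries:
        low = e.body.lower()
        reason: Optional[str] = None
        if "(no file)" in low or "(file missing)" in low:
            reason = "orphaned entry: the target file is gone, safe to remove"
        elif e.section == "O10":
            reason = "Winsock LSP entry: fixing it with HijackThis can break networking, use an LSP repair tool"
        elif e.section == "O4" and any(p in low for p in USER_WRITABLE):
            reason = "autostart launched from a user-writable folder: verify the file"
        elif e.section == "O16" and "http" in low:
            reason = "ActiveX control downloaded from the web: check the source"
        elif e.section == "O23" and "unknown owner" in low:
            reason = "service without a publisher: verify the binary"
        elif e.section in ("R0", "R1") and "internet explorer" in low and "=" in e.body:
            url = e.body.split("=", 1)[1].strip().lower()
            if url and not url.startswith(EXPECTED_HOSTS):
                reason = "browser home/search setting points to an unexpected host"
        if reason:
            findings.append(Finding(e.section, reason, e.body))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f.section:>4}  {f.reason}\n      {f.body}")
```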


#2 Rorschach112 (Retired Staff)

Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.



Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#3 10Ck3D (Topic Starter)

Report.txt:

SDFix: Version 1.240
Run by HP_Administrator on 08/02/2009 at 01:16 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-08 13:45:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"="C:\\Program Files\\Orbitdownloader\\orbitdm.exe:*:Enabled:Orbit"
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"="C:\\Program Files\\Orbitdownloader\\orbitnet.exe:*:Enabled:Orbit"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Blubster\\Blubster.exe"="C:\\Program Files\\Blubster\\Blubster.exe:*:Enabled:Blubster"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

Remaining Files :



Files with Hidden Attributes :

Sat 8 Mar 2008 211 A.SHR --- "C:\BOOT.BAK"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Tue 1 Jul 2008 14,243,082 A.SH. --- "C:\Program Files\vixy.net\conv.exe"
Sat 3 Jan 2009 145,920 ..SHR --- "C:\Program Files\WinPatrol\Setup.exe"
Sat 20 Jan 2007 22 A.SH. --- "C:\WINDOWS\SMINST\HPCD.sys"
Thu 27 Jun 2002 73,728 A..H. --- "C:\WINDOWS\system32\IETie.dll"
Tue 17 Oct 2006 304,736 A..H. --- "C:\Program Files\Canon\MP Navigator 3.0\Maint.exe"
Tue 17 Oct 2006 61,440 A..H. --- "C:\Program Files\Canon\MP Navigator 3.0\uinstrsc.dll"
Sun 18 Feb 2007 169 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti3D.tmp"
Sat 8 Mar 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 28 Aug 2007 400 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COH32LU.reg"
Tue 28 Aug 2007 403 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COHDLU.reg"
Mon 19 Sep 2005 788,568 A..H. --- "C:\Program Files\Online Services\Canada\KOL\client.exe"
Wed 17 Aug 2005 13,459,528 A..H. --- "C:\Program Files\Online Services\NetscapeOnline\Netscape Tech\nsb-install-8-0.exe"
Wed 17 Aug 2005 233,472 A..H. --- "C:\Program Files\Online Services\NetscapeOnline\Netscape Tech\webutil8.exe"
Wed 17 Aug 2005 389,120 A..H. --- "C:\Program Files\Online Services\NetscapeOnline\Netscape Tech\WinsockFix.exe"
Sat 10 Jan 2004 26,112 A..H. --- "C:\Documents and Settings\HP_Administrator\My Documents\Writing Documents\Resume\~WRL0842.tmp"
Fri 3 Oct 2003 26,624 A..H. --- "C:\Documents and Settings\HP_Administrator\My Documents\Writing Documents\Resume\~WRL2014.tmp"
Mon 15 Sep 2003 25,600 A..H. --- "C:\Documents and Settings\HP_Administrator\My Documents\Writing Documents\Resume\~WRL2387.tmp"
Fri 3 Oct 2003 26,112 A..H. --- "C:\Documents and Settings\HP_Administrator\My Documents\Writing Documents\Resume\~WRL2407.tmp"
Fri 5 Sep 2003 25,088 A..H. --- "C:\Documents and Settings\HP_Administrator\My Documents\Writing Documents\Resume\~WRL3108.tmp"
Sat 10 Jan 2004 27,136 A..H. --- "C:\Documents and Settings\HP_Administrator\My Documents\Writing Documents\Resume\~WRL3347.tmp"
Fri 3 Oct 2003 25,600 A..H. --- "C:\Documents and Settings\HP_Administrator\My Documents\Writing Documents\Resume\~WRL3473.tmp"
Wed 14 Dec 2005 200,704 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90\ACST4.DLL"
Tue 22 Nov 2005 81,920 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90\AOLFIREWALLMGR.DLL"
Tue 22 Nov 2005 73,728 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90\AOLINSTALLERFW.DLL"
Wed 14 Dec 2005 88,064 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90\INSTPH.DLL"
Wed 14 Dec 2005 200,704 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90E\ACST4.DLL"
Tue 22 Nov 2005 81,920 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90E\AOLFIREWALLMGR.DLL"
Tue 22 Nov 2005 73,728 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90E\AOLINSTALLERFW.DLL"
Wed 14 Dec 2005 88,064 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90E\INSTPH.DLL"
Mon 19 Sep 2005 77,824 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\acs\AcsInstN.dll"
Mon 19 Sep 2005 6,961,146 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\acs\acsnet.zip"
Mon 19 Sep 2005 3,058,888 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\acs\acssetup.exe"
Mon 19 Sep 2005 307,289 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\asp\aspcheck.dll"
Mon 19 Sep 2005 7,083,361 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\asp\aspsetup.exe"
Wed 21 Sep 2005 1,960,296 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\autoit\autoit-v3.zip"
Mon 19 Sep 2005 550,488 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\deskbar\deskbr.exe"
Mon 19 Sep 2005 553,984 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\flash\FlashAX.exe"
Mon 19 Sep 2005 2,242,759 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\fw\nisale.exe"
Mon 19 Sep 2005 24,064 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\fw\NISChk.dll"
Mon 19 Sep 2005 57,344 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\ocp\ocpchk.dll"
Mon 19 Sep 2005 748,728 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\ocp\ocpinst.exe"
Mon 19 Sep 2005 7,515,304 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\qt\qt.exe"
Mon 19 Sep 2005 86,016 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\qt\QTInsInf.dll"
Mon 19 Sep 2005 45,056 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\rp\RealChk.dll"
Mon 19 Sep 2005 5,111,296 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\rp\RealPl8.EXE"
Mon 19 Sep 2005 4,378,673 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\rp\real_upd.exe"
Mon 19 Sep 2005 360,448 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\rp\rp9codec.exe"
Mon 19 Sep 2005 40,960 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\sysinfo\SiNdInst.dll"
Mon 19 Sep 2005 473,736 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\sysinfo\SinfInst.exe"
Mon 19 Sep 2005 12,288 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\tb\tbinst.dll"
Mon 19 Sep 2005 516,032 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\tb\tbsetup.exe"
Mon 19 Sep 2005 597,080 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\toolbar\toolbr.exe"
Mon 19 Sep 2005 590,688 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\tpspd\TSsetup.exe"
Mon 19 Sep 2005 57,344 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\tpspd\tsverchk.dll"
Mon 19 Sep 2005 49,152 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\vwpt\AOLVPChk.dll"
Mon 19 Sep 2005 61,440 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\vwpt\VPPrePop.exe"
Mon 19 Sep 2005 3,858,056 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\vwpt\Vwpt.exe"

Finished!

Combofix.txt log:

ComboFix 09-02-07.01 - HP_Administrator 2009-02-08 13:55:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1439 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: Norton Security Online *On-access scanning enabled* (Updated)
FW: Norton Security Online *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\resycled

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-01-08 to 2009-02-08 )))))))))))))))))))))))))))))))
.

2009-02-08 13:15 . 2009-02-08 13:15 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2009-02-08 13:12 . 2009-02-08 13:12 <DIR> d-------- c:\windows\ERUNT
2009-02-08 13:09 . 2009-02-08 13:49 <DIR> d-------- C:\SDFix
2009-02-05 20:41 . 2009-02-05 20:41 <DIR> d-------- c:\windows\system32\XPSViewer
2009-02-05 20:41 . 2009-02-05 20:41 <DIR> d-------- c:\program files\Reference Assemblies
2009-02-05 20:25 . 2009-02-05 20:26 <DIR> d-------- C:\2ee2d75deb2978fcbb19c1a960c97b
2009-02-05 20:25 . 2008-07-06 07:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2009-02-05 20:25 . 2008-07-06 07:06 1,676,288 --------- c:\windows\system32\dllcache\xpssvcs.dll
2009-02-05 20:25 . 2008-07-06 05:50 597,504 --------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-02-05 20:25 . 2008-07-06 07:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2009-02-05 20:25 . 2008-07-06 07:06 575,488 --------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-02-05 20:25 . 2008-07-06 07:06 117,760 --------- c:\windows\system32\prntvpt.dll
2009-02-05 20:25 . 2008-07-06 07:06 89,088 --------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-02-05 20:24 . 2009-02-05 20:27 <DIR> d-------- c:\windows\SxsCaPendDel
2009-02-05 20:21 . 2009-02-05 20:21 <DIR> d-------- C:\71765abeb81bea995e07
2009-02-05 20:21 . 2009-02-05 20:25 <DIR> d-------- C:\544d16133a4a65c02ed7a5fea4
2009-02-05 20:06 . 2009-02-05 20:06 <DIR> d-------- c:\program files\ERUNT
2009-01-28 19:37 . 2009-01-28 19:37 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\GPass-3
2009-01-28 19:35 . 2009-01-28 19:35 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\GPass
2009-01-26 15:30 . 1996-09-30 13:46 24,576 --------- c:\windows\UniFISH.exe
2009-01-23 17:04 . 2009-01-23 17:04 <DIR> d-------- c:\program files\Hasbro Interactive
2009-01-13 18:19 . 2009-01-13 18:19 <DIR> d-------- c:\program files\7-Zip
2009-01-11 15:47 . 2009-01-11 15:47 <DIR> d-------- C:\Sandbox
2009-01-11 14:18 . 2009-01-11 14:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Artificial Dynamics
2009-01-11 14:15 . 2009-01-11 14:15 <DIR> d-------- c:\program files\MSXML 6.0
2009-01-10 19:18 . 2009-02-08 13:05 <DIR> d-------- c:\documents and settings\HP_Administrator\Tracing
2009-01-10 19:07 . 2008-06-14 16:47 28,672 --a------ c:\windows\system\msimg32.dll
2009-01-10 19:06 . 2008-06-14 16:47 28,672 --a------ c:\windows\msimg32.dll
2009-01-10 19:02 . 2009-01-10 19:02 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-01-10 19:02 . 2009-01-10 19:02 <DIR> d-------- c:\program files\Microsoft
2009-01-10 18:59 . 2009-01-10 18:59 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-01-10 18:46 . 2009-01-10 18:49 <DIR> d-------- c:\program files\SpywareBlaster

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-08 18:56 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-06 02:30 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-06 01:41 --------- d-----w c:\program files\MSBuild
2009-02-06 00:39 11,376 ----a-w c:\windows\system32\drivers\secdrv.sys
2009-02-04 23:39 --------- d-----w c:\program files\Blubster
2009-02-03 03:15 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\uTorrent
2009-01-27 02:22 18,544 ----a-w c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2009-01-15 06:02 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-14 21:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 21:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-14 20:36 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-14 20:34 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-11 19:32 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-11 00:01 --------- d-----w c:\program files\Windows Live
2009-01-09 02:41 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-09 02:41 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-09 02:41 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-09 02:41 --------- d-----w c:\program files\Symantec
2009-01-04 23:20 --------- d-----w c:\program files\WinPatrol
2009-01-03 21:30 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\ZoomBrowser EX
2009-01-03 21:25 --------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-01-03 20:38 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\WinPatrol
2009-01-03 01:33 --------- d-----w c:\program files\CCleaner
2008-12-29 20:06 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip
2008-12-24 18:48 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Canon
2008-12-22 21:11 --------- d-----w c:\program files\Java
2008-12-17 00:43 --------- d-----w c:\program files\Winamp
2008-12-17 00:42 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Winamp
2008-12-11 10:57 333,952 ------w c:\windows\system32\drivers\srv.sys
2007-04-28 00:30 81,920 ------w c:\documents and settings\HP_Administrator\Application Data\ezpinst.exe
2007-04-28 00:30 47,360 ------w c:\documents and settings\HP_Administrator\Application Data\pcouffin.sys
2007-03-15 22:29 32 ----a-r c:\documents and settings\All Users\hash.dat
2007-01-20 22:19 22 --sha-w c:\windows\SMINST\HPCD.sys
2008-09-01 03:56 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008083120080901\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Update Manager"="c:\program files\Rogers\Update Manager\UpdateManager.exe" [2007-10-12 136504]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"Homer - Localhost webserver"="c:\documents and settings\HP_Administrator\My Documents\Philip's Games\Homer\Homer.exe" [2008-01-26 295424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-28 8466432]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"Launch LCDMon"="c:\program files\Common Files\Logitech\LCD Manager\lcdmon.exe" [2006-07-18 549376]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-08-28 714608]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"WinPatrol"="c:\program files\WinPatrol\winpatrol.exe" [2008-10-09 333120]
"ftutil2"="ftutil2.dll" [2004-06-07 c:\windows\system32\ftutil2.dll]
"nwiz"="nwiz.exe" [2007-08-28 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-25 c:\windows\RTHDCPL.EXE]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
PowerReg Scheduler.exe [2007-06-09 189952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Logitech SetPoint.lnk - c:\documents and settings\HP_Administrator\My Documents\Philip's Games\SetPoint\KEM.exe [2007-01-28 581632]
Microsoft Works Calendar Reminders.lnk - c:\windows\Installer\{9E266E6A-3A1E-11D3-A3E4-00C04F7989D8}\378E453F.exe [2007-06-16 29184]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-09-20 36903]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msliksurserv.sys]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-06-21 18:32 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
--a------ 2008-06-03 16:49 509224 c:\progra~1\Yahoo!\YOP\yop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Blubster\\Blubster.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2007-08-28 149352]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2004-08-09 14336]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-02 99376]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-08-28 23888]
S3 EraserUtilDrv10820;EraserUtilDrv10820;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10820.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10820.sys [?]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [2008-11-23 27904]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2009-02-03 c:\windows\Tasks\Norton Security Online - Run Full System Scan - HP_Administrator.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-28 19:43]
.
- - - - ORPHANS REMOVED - - - -

HKCU-RunOnce-Shockwave Updater - c:\windows\system32\Adobe\SHOCKW~1\SWHELP~2.EXE -Update -1100465 -Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; YPC 3.2.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET
HKLM-Run-Launch LGDCore - c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe
HKLM-Run-QuickTime Task - c:\program files\QuickTime\qttask.exe
HKLM-Run-PCDrProfiler - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = local
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: &Search - ?p=ZUxdm513YYCA
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
Trusted Zone: trymedia.com
DPF: {2D0280B1-DC42-4DFA-9525-09BD48838539} - hxxp://www.newstarsoccer.com/OSAKitPro.CAB
DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} - hxxps://secure.shared.live.com/Pa6vGqB728AxD-ckvrPc0A/etc/Microsoft.Live.Folders.RichUpload.cab
DPF: {EB2AB471-8FD8-43CD-BA61-348984013593} - mk:@MSITStore:c:\program%20files\HHD%20Software\Hex%20Editor%203.x\Hex%20Editor.chm::/swfbehavior.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-08 13:59:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3449060499-1417542300-810885797-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\searchindexer.exe
c:\program files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\ELService.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
c:\program files\Common Files\Logitech\LCD Manager\Applets\LCDCountdown.exe
c:\program files\Common Files\Logitech\LCD Manager\Applets\LCDPOP3.exe
c:\program files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
c:\windows\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2009-02-08 14:05:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-08 19:05:08

Pre-Run: 154,291,044,352 bytes free
Post-Run: 154,097,582,080 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=,1,2,3,4
235 --- E O F --- 2009-02-06 01:45:06
  • 0
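The Reg Loading Points section of the ComboFix log above already contains the items that matter for triage: a non-default SafeBoot\Minimal key for msliksurserv.sys with an empty default value (ComboFix states that legitimate default entries are not shown), Security Center monitoring switched off, the Windows Firewall standard profile disabled, and a Run value (ftutil2) whose data is a bare DLL name rather than a program path. The script below is an added example, not part of this thread and not ComboFix's own code: it parses an excerpt of that section (copied from the log above into the script as sample input) and flags those patterns. The matching rules and the high/medium/info labels are the example's own heuristics.

```python
"""Triage of a ComboFix 'Reg Loading Points' excerpt.

Added example for this thread, not ComboFix's own code. The sample text is
copied from the log posted above; the rules and severities are heuristics.
"""
import re
from dataclasses import dataclass

# Sample input: excerpt of the Reg Loading Points section from the log above.
SAMPLE_LOG = r'''
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"ftutil2"="ftutil2.dll" [2004-06-07 c:\windows\system32\ftutil2.dll]
"nwiz"="nwiz.exe" [2007-08-28 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msliksurserv.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
'''

KEY_RE = re.compile(r'^\[(.+)\]$')             # [HKEY_...\Path]
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')  # "Name"=data
DEFAULT_RE = re.compile(r'^@=(.*)$')           # @=data (the key's default value)


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    key: str
    name: str
    reason: str


def parse_reg_points(text):
    """Turn the REGEDIT4-style listing into (key, value_name, raw_data) triples."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:  # header lines before the first key
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append((key, m.group(1), m.group(2).strip()))
            continue
        m = DEFAULT_RE.match(line)
        if m:
            entries.append((key, "@", m.group(1).strip()))
    return entries


def triage(entries):
    """Apply the heuristics and return findings in log order."""
    findings = []
    for key, name, data in entries:
        k = key.lower()
        if "\\control\\safeboot\\" in k:
            # ComboFix hides legitimate default SafeBoot entries, so anything
            # printed here is non-default and will also load in Safe Mode.
            findings.append(Finding("high", key, name,
                                    "non-default SafeBoot entry (persists into Safe Mode)"))
        elif k.endswith("\\currentversion\\run"):
            quoted = re.match(r'"([^"]*)"', data)
            target = quoted.group(1) if quoted else data
            if target.lower().endswith(".dll"):
                # Run values start programs; a bare DLL name is not a normal autostart.
                findings.append(Finding("high", key, name,
                                        "Run value names a DLL instead of a program"))
            elif "\\" not in target:
                # Resolved through the search path; usually legitimate, but worth
                # confirming against the path ComboFix prints in brackets.
                findings.append(Finding("info", key, name,
                                        "bare file name resolved through the search path"))
        elif ("security center\\monitoring" in k and name.lower() == "disablemonitoring"
              and data.lower().endswith("00000001")):
            # The top-level key silences Security Center itself; the per-vendor
            # subkeys are routinely set by third-party suites such as Norton.
            sev = "medium" if k.endswith("\\monitoring") else "info"
            findings.append(Finding(sev, key, name, "Security Center monitoring disabled"))
        elif (k.endswith("firewallpolicy\\standardprofile")
              and name.lower() == "enablefirewall" and data.startswith("0")):
            findings.append(Finding("medium", key, name,
                                    "Windows Firewall off for the standard profile"))
    return findings


def run_triage(text=SAMPLE_LOG):
    """Parse and triage a Reg Loading Points excerpt; returns the findings."""
    return triage(parse_reg_points(text))


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "info": 2}
    for f in sorted(run_triage(), key=lambda f: order[f.severity]):
        print(f"[{f.severity:6}] {f.name:18} {f.reason}\n         {f.key}")
```

On the sample above this reports two high findings (the SafeBoot key and the ftutil2 Run value, the latter being the value MBAM later quarantines as Trojan.Agent in post #7), two medium ones (top-level Security Center monitoring and the firewall profile), and two info items (the bare nwiz.exe name and the Symantec-specific monitoring key) that are normal on a machine running Norton. The severity tiers exist to separate what needs a look from what a third-party suite sets legitimately.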

#4
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
hello

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is Unchecked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.
  • 0

#5
10Ck3D

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-08 16:37:54
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT 897290C8 ZwAlertResumeThread
SSDT 89729188 ZwAlertThread
SSDT 89709DC8 ZwAllocateVirtualMemory
SSDT 89DDEE08 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xAFA03020]
SSDT 89700880 ZwCreateMutant
SSDT 89709E10 ZwCreateThread
SSDT 89711F28 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xAFA032A0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xAFA03800]
SSDT 8971F090 ZwFreeVirtualMemory
SSDT 8970D9A8 ZwImpersonateAnonymousToken
SSDT 8970DA88 ZwImpersonateThread
SSDT 89704080 ZwMapViewOfSection
SSDT 897007A0 ZwOpenEvent
SSDT 89703828 ZwOpenProcessToken
SSDT 89709570 ZwOpenSection
SSDT 89715918 ZwOpenThreadToken
SSDT 897036F8 ZwResumeThread
SSDT 8971F058 ZwSetContextThread
SSDT 897159A8 ZwSetInformationProcess
SSDT 8971E078 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xAFA03A50]
SSDT 89709650 ZwSuspendProcess
SSDT 89714130 ZwSuspendThread
SSDT 8968F058 ZwTerminateProcess
SSDT 897050F0 ZwTerminateThread
SSDT 89701D38 ZwUnmapViewOfSection
SSDT 89703DF0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.14 ----

? Combo-Fix.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[1140] kernel32.dll!WriteFile 7C810E17 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 Elkbd.sys (Intel Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 Elkbd.sys (Intel Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.14 ----

File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT 16384 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\290YGJ7Z 0 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\290YGJ7Z\desktop.ini 67 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\290YGJ7Z\ie7[1].css 206 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\290YGJ7Z\leftNav[1].css 2047 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\290YGJ7Z\logo[1].gif 8914 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\290YGJ7Z\mainImg2[1].jpg 34737 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\290YGJ7Z\play_a[1].gif 171 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\290YGJ7Z\version_en_win_ax[1].xml 1216 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\290YGJ7Z\WebResource[1].axd 41646 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\61ARJ9PZ 0 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\61ARJ9PZ\2[1].jpg 2801 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\61ARJ9PZ\desktop.ini 67 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\61ARJ9PZ\favicon[1].ico 1150 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\61ARJ9PZ\homepage[1].css 5740 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\61ARJ9PZ\reset[1].css 992 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\61ARJ9PZ\SPK-mealplanner[1].jpg 20510 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\61ARJ9PZ\SPK-products[1].jpg 25141 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\61ARJ9PZ\WebResource[1].axd 3820 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\61ARJ9PZ\WebResource[2].axd 14412 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\desktop.ini 67 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\IF8XD8HZ 0 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\IF8XD8HZ\desktop.ini 67 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\IF8XD8HZ\footerLogo[1].gif 2146 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\IF8XD8HZ\nav_logo3[1].png 6336 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\IF8XD8HZ\shadowBg[1].jpg 426 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\IF8XD8HZ\shadowTop[1].jpg 1380 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\IF8XD8HZ\ThumbnailServer2[1].jpg 5146 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\IF8XD8HZ\WebResource[1].axd 30827 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat 49152 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\K2NB68VS 0 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\K2NB68VS\desktop.ini 67 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\K2NB68VS\footerShadow[1].jpg 888 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\K2NB68VS\ga[1].png 146 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\K2NB68VS\google_ca[1].htm 6326 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\K2NB68VS\ldrBrd_feelnGood3_EN[1].swf 63035 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\K2NB68VS\search[1].htm 25741 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\K2NB68VS\specialk_ca[1].htm 13567 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\K2NB68VS\WebResource[1].axd 5285 bytes
File C:\Documents and Settings\All Users\Application Data\Artificial Dynamics\VIRTUAL\SafeSpace.S-1-5-21-3449060499-1417542300-810885797-1007\Device\HarddiskVolume1\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\K2NB68VS\WebResource[2].axd 1580 bytes

---- EOF - GMER 1.0.14 ----
  • 0

#6
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
hello

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.




Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.






Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

  • 0

#7
10Ck3D

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Mbam:
Malwarebytes' Anti-Malware 1.33
Database version: 1742
Windows 5.1.2600 Service Pack 3

09/02/2009 3:44:49 PM
mbam-log-2009-02-09 (15-44-49).txt

Scan type: Quick Scan
Objects scanned: 64144
Time elapsed: 4 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ftutil2 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#8
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
post a new HJT Log with the Kaspersky log
  • 0

#9
10Ck3D

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Kaspersky scan results:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, February 9, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, February 09, 2009 21:19:31
Records in database: 1775657
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 155740
Threat name: 1
Infected objects: 6
Suspicious objects: 0
Duration of the scan: 04:40:38


File name / Threat name / Threats count
C:\hp\bin\wbug\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2
D:\I386\APPS\APP29272\src\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2
D:\I386\APPS\APP29272\src\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2

The selected area was scanned.

New HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:26:00 PM, on 09/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDPOP3.exe
C:\Program Files\WinPatrol\winpatrol.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\HP_Administrator\My Documents\Philip's Games\SetPoint\KEM.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\HP_Administrator\My Documents\Philip's Games\Homer\Homer.exe
C:\Documents and Settings\HP_Administrator\My Documents\Philip's Games\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Homer - Localhost webserver] C:\Documents and Settings\HP_Administrator\My Documents\Philip's Games\Homer\Homer.exe
O4 - S-1-5-18 Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Documents and Settings\HP_Administrator\My Documents\Philip's Games\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &Search - ?p=ZUxdm513YYCA
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {2D0280B1-DC42-4DFA-9525-09BD48838539} (OSAKitPro.OSAKit) - http://www.newstarso...m/OSAKitPro.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} (Windows Live SkyDrive Upload Tool) - https://secure.share....RichUpload.cab
O16 - DPF: {EB2AB471-8FD8-43CD-BA61-348984013593} - mk:@MSITStore:C:\Program%20Files\HHD%20Software\Hex%20Editor%203.x\Hex%20Editor.chm::/swfbehavior.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 13161 bytes
  • 0
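The HijackThis log above is read by eye for the kinds of entries a helper looks at first: autostart programs (O4) that run from user-writable locations or are given as a bare filename, and services (O23) with no recorded publisher or whose binary is missing. The following is an added example, not part of any post in this thread and not HijackThis code; it parses a constructed handful of lines in the same O4/O23 shape (modelled on the posted log) and returns the entries a defender would want to verify, with the reason for each. The path heuristics are the author's own simplifications.

```python
"""Triage of HijackThis-style O4 (Run) and O23 (Service) lines.

Added example for this thread; not HijackThis code. Sample lines are
constructed to mirror the format of the log posted above.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the posted HijackThis log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Homer - Localhost webserver] C:\Documents and Settings\HP_Administrator\My Documents\Philip's Games\Homer\Homer.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# O4 - <hive>\..\Run: [<name>] <command line>
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 - Service: <display name> - <owner> - <path>
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# First executable-looking token of a command line, quoted or not.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|scr|bat|cmd))"?(?=[\s",]|$)', re.IGNORECASE)


@dataclass
class Finding:
    kind: str                     # "run" or "service"
    name: str
    path: str
    reasons: list = field(default_factory=list)


def executable_path(cmd: str) -> str:
    """Strip quotes and arguments, keeping only the program that is launched."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def assess_path(path: str) -> list:
    """Heuristics (this example's own) for where a legitimate autostart rarely lives."""
    low = path.lower()
    reasons = []
    if "\\" not in low:
        reasons.append("bare filename: resolved via the search path, not a fixed location")
    if "\\documents and settings\\" in low or "\\users\\" in low:
        reasons.append("autostart from a user-writable profile directory")
    if "\\temp\\" in low:
        reasons.append("runs from a Temp directory")
    return reasons


def triage(log_text: str) -> list:
    """Return only the O4/O23 entries that have at least one reason to verify."""
    findings = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line)
        if m:
            path = executable_path(m.group("cmd"))
            f = Finding("run", m.group("name"), path, assess_path(path))
            if f.reasons:
                findings.append(f)
            continue
        m = SERVICE_RE.match(line)
        if m:
            raw = m.group("path")
            path = raw.replace("(file missing)", "").strip()
            f = Finding("service", m.group("name"), path, assess_path(path))
            if m.group("owner").lower() == "unknown owner":
                f.reasons.append("no publisher recorded for the service binary")
            if "(file missing)" in raw:
                f.reasons.append("service registered but its binary is absent")
            if f.reasons:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.name}: {f.path}")
        for r in f.reasons:
            print("   -", r)
```

Run as written, it lists the Homer autostart (profile directory), nwiz (bare filename), and the two "Unknown owner" services, while ehTray, ccApp and the NVIDIA service pass. A flagged entry is a prompt to check the file on disk, not a verdict; the Homer entry here is the topic starter's own local web server, which is exactly why the reason is reported alongside the path.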

#10
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
hello

Please download OTMoveIt3 by OldTimer
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    explorer.exe
    
    :Services
    
    :Reg
    
    :Files
    C:\hp\bin\wbug\HPPavillion_Spring06.exe
    D:\I386\APPS\APP29272\src\CompaqPresario_Spring06.exe
    D:\I386\APPS\APP29272\src\HPPavillion_Spring06.exe
    
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
  • 0

#11
10Ck3D

10Ck3D

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\hp\bin\wbug\HPPavillion_Spring06.exe moved successfully.
D:\I386\APPS\APP29272\src\CompaqPresario_Spring06.exe moved successfully.
D:\I386\APPS\APP29272\src\HPPavillion_Spring06.exe moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\Perflib_Perfdata_f80.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~DF12B2.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~DF12CF.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~ROMFN_00000E14 scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\JET7927.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_2f8.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02102009_230523

Files moved on Reboot...
DllUnregisterServer procedure not found in C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll NOT unregistered.
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll moved successfully.
File C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\Perflib_Perfdata_f80.dat not found!
File C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~DF12B2.tmp not found!
File C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~DF12CF.tmp not found!
File C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~ROMFN_00000E14 not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\JET7927.tmp not found!
File C:\WINDOWS\temp\Perflib_Perfdata_2f8.dat not found!
  • 0

#12
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
your logs are clean

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U; it needs to be there.



Download ToolsCleaner2 to your desktop and run it ( by de A.Rothstein & Dj Quiou )
  • Click the Pt. Restauration button and press OK to the prompts.
  • Click the Corbeille button and press OK to the prompt.
  • Click the Fichiers temp button and press OK to the prompt.
  • Click the Recherche button and let it run ( it may look like it freezes but let it continue )
  • Once it is done click the Suppression button and let it remove anything it finds.
  • Close the program



You're using an old version of Adobe Acrobat Reader; this can leave your PC open to vulnerabilities. You can update it here:
http://www.adobe.com.../readstep2.html




Below I have included a number of recommendations for how to protect your computer against malware infections.
  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.

  • SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.

  • SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

  • Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here


    If you choose to use Firefox, I highly recommend these add-ons to keep your PC even more secure.
    • NoScript - for blocking ads and other potential website attacks
    • McAfee SiteAdvisor - this tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.

  • Please read my guide on how to prevent malware and about safe computing here
Thank you for your patience, and performing all of the procedures requested.
  • 0
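The MVPS Hosts recommendation above works because the operating system consults the hosts file before DNS, so a known ad or malware host mapped to 127.0.0.1 (or 0.0.0.0) never reaches the network. As an added example, not part of any post here and not the MVPS file itself, the following parses a constructed hosts-file excerpt in the shared Windows/Unix format, handling comments, several hostnames on one line and malformed lines, and answers whether a given name is sinkholed. The "first matching entry wins" rule mirrors how resolvers treat duplicate hosts entries.

```python
"""Hosts-file sinkholing: parse a hosts file and decide whether a name is blocked.

Added example for this thread; the sample content is constructed and is not
the MVPS Hosts file.
"""
import ipaddress

# Addresses that a blocklist uses to sinkhole a hostname.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed hosts-file excerpt (not the real MVPS list).
SAMPLE_HOSTS = """\
# constructed sample, not the real MVPS list
127.0.0.1       localhost
0.0.0.0         ads.example.test   # comment after the entry
127.0.0.1       tracker.example.test www.tracker.example.test
192.0.2.10      intranet.example.test
   # indented comment

malformed line without an address
"""


def looks_like_address(token: str) -> bool:
    """True for a syntactically valid IPv4 or IPv6 literal."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_hosts(text: str) -> dict:
    """Return {hostname -> address}; comments, blank and malformed lines are skipped."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or not looks_like_address(parts[0]):
            continue                              # malformed: no address or no hostname
        addr = parts[0]
        for host in parts[1:]:
            table.setdefault(host.lower(), addr)  # first matching entry wins
    return table


def is_sinkholed(host: str, table: dict) -> bool:
    """True when the hosts file forces this name to a loopback/null address."""
    addr = table.get(host.lower())
    return addr is not None and addr in SINKHOLE_ADDRESSES


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example.test", "www.tracker.example.test",
                 "intranet.example.test", "unknown.example.test"):
        state = "blocked" if is_sinkholed(name, hosts) else "not blocked"
        print(f"{name}: {state}")
```

Hostnames are compared case-insensitively, as DNS does. Note that a hosts file only controls names the machine itself resolves; it does nothing for connections made directly to an IP address, which is why it is listed here as one layer among several rather than as a replacement for an anti-malware product.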

#13
10Ck3D

10Ck3D

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
thanks for all your help... :)
  • 0

#14
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0