Thank you for the quick reply. After posting last night, I downloaded and installed Kaspersky AV and it seems to have taken care of most of the problem. After running the applications you suggested, the problem is even closer to being resolved. I am still unable to change the desktop wallpaper, but that should be fixed with some modifications to the group policy settings. Thank you very much for your time.
SmitfraudFix:
SmitFraudFix v2.329
Scan done at 20:37:58.73, Mon 07/14/2008
Run from C:\Documents and Settings\MyName\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\MyName
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\MyName\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\MyN~1\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!
404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Intel® PRO/Wireless 3945ABG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 65.164.201.148
DNS Server Search Order: 76.7.255.188
HKLM\SYSTEM\CCS\Services\Tcpip\..\{312BA2FB-8195-4878-BDB5-2DA57B536636}: DhcpNameServer=65.164.201.148 76.7.255.188
HKLM\SYSTEM\CS1\Services\Tcpip\..\{312BA2FB-8195-4878-BDB5-2DA57B536636}: DhcpNameServer=65.164.201.148 76.7.255.188
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=65.164.201.148 76.7.255.188
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=65.164.201.148 76.7.255.188
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Combofix:
ComboFix 08-07-14.2 - MyName 2008-07-14 20:42:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.629 [GMT -6:00]
Running from: C:\Documents and Settings\MyName\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\msnimport.exe
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbdll.old
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\fkvhypoy.ini
C:\WINDOWS\system32\gdngmwkd.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\mswinup.exe
C:\WINDOWS\system32\RXwaJkkj.ini
C:\WINDOWS\system32\RXwaJkkj.ini2
C:\WINDOWS\system32\VuCcbcdd.ini
C:\WINDOWS\system32\VuCcbcdd.ini2
C:\WINDOWS\system32\winsvcup.exe
C:\WINDOWS\system32\winupsvc.exe
C:\WINDOWS\system32\wpxgfqtg.ini
C:\WINDOWS\system32\YHhOonmp.ini
C:\WINDOWS\system32\YHhOonmp.ini2
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CLBDRIVER
((((((((((((((((((((((((( Files Created from 2008-06-15 to 2008-07-15 )))))))))))))))))))))))))))))))
.
2008-07-14 20:38 . 2008-07-14 20:38 804 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-14 20:37 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-07-14 20:37 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-07-14 20:37 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-07-14 20:37 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-07-14 20:37 . 2008-07-02 13:33 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-07-14 20:37 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-07-14 20:37 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-07-14 20:37 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-14 20:37 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-14 01:42 . 2008-07-14 02:18 <DIR> d-------- C:\HJT
2008-07-14 00:05 . 2008-07-14 00:05 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-07-13 23:55 . 2008-07-14 20:41 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-07-13 23:55 . 2008-07-14 20:41 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-07-13 23:53 . 2008-07-13 23:53 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-07-13 23:53 . 2008-07-14 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-13 23:53 . 2008-07-14 20:50 4,526,624 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-13 23:53 . 2008-07-14 20:49 62,720 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-13 23:53 . 2008-07-14 20:50 14,624 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-13 23:53 . 2008-07-14 20:49 3,440 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-13 23:36 . 2008-04-22 22:16 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-07-13 23:36 . 2007-04-17 03:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-07-13 23:36 . 2007-03-07 23:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-07-13 23:36 . 2008-04-22 22:16 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-07-13 23:36 . 2008-04-22 22:16 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-07-13 23:36 . 2008-04-22 22:16 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-07-13 23:36 . 2008-04-22 22:16 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-07-13 23:36 . 2008-04-22 22:16 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-07-13 23:36 . 2008-04-22 01:39 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-07-13 23:21 . 2008-07-13 23:21 <DIR> d-------- C:\kav
2008-07-13 21:07 . 2008-07-14 03:02 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-07-13 20:53 . 2008-07-13 20:54 <DIR> d-------- C:\Program Files\Opera
2008-07-13 20:18 . 2008-07-13 21:04 <DIR> d-------- C:\Program Files\ESET
2008-07-13 19:27 . 2008-07-13 22:37 2,148 --a------ C:\WINDOWS\system32\wpa.dbl
2008-07-13 19:23 . 2008-07-14 02:13 0 --a------ C:\WINDOWS\win.ini
2008-07-13 19:23 . 2008-07-14 20:51 0 --a------ C:\WINDOWS\system.ini
2008-07-13 17:33 . 2008-07-13 17:33 <DIR> d-------- C:\VundoFix Backups
2008-07-13 17:05 . 2008-07-13 21:14 <DIR> d--hs---- C:\Documents and Settings\MyName\Temporary Internet Files
2008-07-13 14:53 . 2008-07-13 14:57 <DIR> d-------- C:\Program Files\Unlocker
2008-07-12 23:29 . 2008-07-12 23:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-07-12 20:55 . 2008-07-13 14:40 <DIR> d-------- C:\Program Files\Yahoo!
2008-07-12 20:54 . 2008-07-12 20:55 <DIR> d-------- C:\Program Files\CCleaner
2008-07-12 20:45 . 2008-07-12 20:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-07-12 17:31 . 2008-07-12 17:31 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-12 17:31 . 2008-07-12 17:31 <DIR> d-------- C:\Documents and Settings\MyName\Application Data\Lavasoft
2008-07-04 18:27 . 2008-07-04 18:27 <DIR> d-------- C:\Program Files\Ubisoft
2008-06-28 23:01 . 2008-06-28 23:01 <DIR> d-------- C:\WINDOWS\Installing Adobe Acrobat Reader
2008-06-28 20:39 . 2008-06-28 20:39 0 --a------ C:\WINDOWS\PowerReg.dat
2008-06-20 11:41 . 2008-06-20 11:41 245,248 --------- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 04:44 . 2008-06-20 04:44 138,368 --------- C:\WINDOWS\system32\dllcache\afd.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-14 07:44 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-14 05:29 --------- d-----w C:\Program Files\Symantec
2008-07-14 02:31 --------- d-----w C:\Program Files\Download Manager
2008-07-12 23:24 --------- d-----w C:\Program Files\RGB
2008-07-09 23:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-05 00:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-05 00:24 --------- d-----w C:\Program Files\Electronic Arts
2008-06-29 05:01 --------- d-----w C:\Program Files\Microsoft Games
2008-06-21 05:23 --------- d-----w C:\Program Files\THQ
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 00:56 34,312 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2008-06-11 00:48 53,256 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-06-11 00:47 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2008-06-01 02:12 --------- d-----w C:\Program Files\Common Files\i2 Shared
2008-06-01 00:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Age of Empires 3
2008-05-24 03:44 --------- d-----w C:\Program Files\Starcraft
2008-05-24 03:32 223,128 ----a-w C:\WINDOWS\system32\drivers\vaxscsi.sys
2008-05-24 03:32 --------- d-----w C:\Program Files\Alcohol Soft
2008-05-24 03:28 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd0253.sys
2008-05-24 03:28 643,072 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-05-24 02:31 94,208 ----a-w C:\WINDOWS\ScUnin.exe
2008-04-09 22:35 1,052 ----a-w C:\Documents and Settings\MyName\Application Data\wklnhst.dat
2007-11-19 21:20 22,328 ----a-w C:\Documents and Settings\MyName\Application Data\PnkBstrK.sys
2007-10-12 16:48 8,422 ----a-w C:\Program Files\install.log
2007-06-10 21:01 67,568 ----a-w C:\Documents and Settings\MyName\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
C:\Documents and Settings\MyName\Start Menu\Programs\Startup\
Microsoft Office Groove.lnk - C:\Program Files\Microsoft Office\Office12\GROOVE.EXE [2006-10-27 16:37:44 338216]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-02-27 17:02:06 581693]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^StartUp^Vongo Tray.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\StartUp\Vongo Tray.lnk
backup=C:\WINDOWS\pss\Vongo Tray.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sound Station.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Sound Station.lnk
backup=C:\WINDOWS\pss\Sound Station.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^MyName^Start Menu^Programs^StartUp^GameSpot Download Manager.lnk]
path=C:\Documents and Settings\MyName\Start Menu\Programs\StartUp\GameSpot Download Manager.lnk
backup=C:\WINDOWS\pss\GameSpot Download Manager.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^MyName^Start Menu^Programs^StartUp^HOTLLAMA Update Check.lnk]
path=C:\Documents and Settings\MyName\Start Menu\Programs\StartUp\HOTLLAMA Update Check.lnk
backup=C:\WINDOWS\pss\HOTLLAMA Update Check.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^MyName^Start Menu^Programs^StartUp^Vongo Tray.lnk]
path=C:\Documents and Settings\MyName\Start Menu\Programs\StartUp\Vongo Tray.lnk
backup=C:\WINDOWS\pss\Vongo Tray.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^MyName^Start Menu^Programs^StartUp^Xfire.lnk]
path=C:\Documents and Settings\MyName\Start Menu\Programs\StartUp\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
--a------ 2008-02-08 18:36 227856 C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
--a------ 2006-02-22 09:03 40960 C:\Program Files\HPQ\Default Settings\Cpqset.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-10 09:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
--a------ 2008-06-10 18:52 1447168 C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 01:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-12-10 21:52 49152 C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-08-11 17:30 249856 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-08-11 17:30 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 18:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-04-15 12:26 7561216 C:\WINDOWS\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-04-15 12:26 86016 C:\WINDOWS\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
--a------ 2006-03-07 14:38 131072 C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
--------- 2006-04-11 22:54 102400 C:\Program Files\Hp\QuickPlay\QPService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-21 08:54 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecGuard]
--------- 2005-10-11 11:23 1187840 C:\WINDOWS\SMINST\Recguard.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--------- 2006-02-09 10:52 643072 C:\WINDOWS\CREATOR\Remind_XP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2006-03-03 23:46 761948 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
--a------ 2005-03-28 19:24 28616 C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2006-04-18 05:29 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]
--a------ 2007-07-06 06:46 177152 C:\WINDOWS\system32\mqrt.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-04-15 17:26 1519616 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Vongo Service"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SAVScan"=3 (0x3)
"ose"=3 (0x3)
"NSCService"=2 (0x2)
"navapsvc"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)
"ccISPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"usnjsvc"=3 (0x3)
"StarWindService"=2 (0x2)
"PnkBstrA"=2 (0x2)
"odserv"=3 (0x3)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"hpqwmiex"=2 (0x2)
"ekrn"=2 (0x2)
"EhttpSrv"=3 (0x3)
"AVP"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"C:\\UT2004\\System\\UT2004.exe"=
"C:\\Program Files\\MSN Messenger\\msncall.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"F:\\Games\\BF2.exe"=
"F:\\Games\\RavenShield\\system\\RavenShield.exe"=
"C:\\Program Files\\DAP\\DAP.exe"=
"F:\\Games\\FEAR.exe"=
"F:\\Games\\FEARMP.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"F:\\Games\\star wars battlefront\\BF2.exe"=
"F:\\Games\\supcom\\Supreme Commander\\bin\\SupremeCommander.exe"=
"F:\\Games\\supcom\\GPGNet\\GPG.Multiplayer.Client.exe"=
"F:\\Games\\Chernobyl\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"F:\\Games\\Chernobyl\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"F:\\Games\\neverwinter nights 2\\nwn2main.exe"=
"F:\\Games\\neverwinter nights 2\\nwn2main_amdxp.exe"=
"F:\\Games\\neverwinter nights 2\\nwupdate.exe"=
"F:\\Games\\neverwinter nights 2\\nwn2server.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Flagship Studios\\Hellgate London Demo\\Launcher.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"F:\\music\\Limewire\\LimeWire.exe"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\EA GAMES\\The Battle for Middle-earth \\game.dat"=
"C:\\Soldat\\Soldat.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"C:\\Program Files\\Lavasoft\\Ad-Aware SE Personal\\Ad-Aware.exe"=
"C:\\Program Files\\ESET\\ESET NOD32 Antivirus\\egui.exe"=
"F:\\Games\\Half Life\\SteamApps\\bullseye659\\dark messiah might and magic multi-player\\mm.exe"=
"C:0\\Games\\Half Life\\SteamApps\\bullseye659\\dark messiah might and magic multi-player\\mm.exe"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundRouterRequest"= 1 (0x1)
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-06-10 18:56]
R1 SbPd;SbPd;C:\WINDOWS\system32\Drivers\SbPd.sys [2006-07-23 10:02]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S3 uafilter;uafilter;C:\WINDOWS\system32\DRIVERS\uafilter.sys [2003-09-18 10:21]
S4 DNADownloader;DNADownloader;C:\Program Files\GameSpot\DownloadManager_Win32.exe []
S4 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 15:38]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1b9cf965-982f-11db-b9cc-0013025c0ed7}]
\Shell\AutoRun\command - G:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1b9cf966-982f-11db-b9cc-0013025c0ed7}]
\Shell\AutoRun\command - G:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8bb7186f-5f2f-11dc-ba1e-0013025c0ed7}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0634618-7762-11dc-ba2e-0013025c0ed7}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -
ShellExecuteHooks-{F8AC36D7-F602-4B69-99B5-2A812E05779F} - (no file)
Notify-WgaLogon - (no file)
MSConfigStartUp-38f594ae - C:\WINDOWS\system32\dkwmgndg.dll
MSConfigStartUp-ccApp - c:\Program Files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-DIGStream - C:\Program Files\DIGStream\digstream.exe
MSConfigStartUp-Steam - F:\Games\Half Life\\Steam.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-14 20:52:02
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
.
**************************************************************************
.
Completion time: 2008-07-14 21:06:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-15 03:06:41
Pre-Run: 14,371,610,624 bytes free
Post-Run: 18,950,184,960 bytes free
344 --- E O F --- 2008-07-14 09:04:24
HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:55:30, on 7/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Microsoft Office\Office12\GROOVE.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CPrintEnhancer Object - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF17827.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Startup: Microsoft Office Groove.lnk = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 7307 bytes
Edited by teh.wyman, 16 July 2008 - 12:00 AM.