trojan-backdoor-rustock [Solved]

#1
Nishie

    Member

  • 13 posts
Hello all. My Spysweeper keeps finding this Trojan, but anything else I scan with can't seem to pick it up! Every time I delete it, or even put it into Quarantine, it just pops right back up again. Any ideas?

#2
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hello Nishie

Welcome to Geeks to Go :)

Please go to this page here and start at Step Five: Rootkit Detection, then post the Rooter.exe log and the OTListIt logs here in reply.

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk

#3
Nishie

    Member

  • Topic Starter
  • 13 posts
Thanks for getting back so fast! Here is the Rooter log:

Microsoft Windows XP Professional (5.1.2600) Service Pack 3

C:\ [Fixed] - NTFS - (Total:181790 Mo/Free:2335 Mo)
D:\ [Fixed] - FAT32 - (Total:8972 Mo/Free:432 Mo)
E:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
F:\ [Removable] (Total:0 Mo/Free:0 Mo)
G:\ [Removable] (Total:0 Mo/Free:0 Mo)
H:\ [Removable] (Total:0 Mo/Free:0 Mo)
I:\ [Removable] (Total:0 Mo/Free:0 Mo)

Sat 05/09/2009|10:55

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
---------- C:\WINDOWS\system32\Ati2evxx.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
---------- C:\WINDOWS\system32\Ati2evxx.exe
---------- C:\WINDOWS\arservice.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
---------- C:\WINDOWS\eHome\ehRecvr.exe
---------- C:\WINDOWS\eHome\ehSched.exe
---------- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
---------- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
---------- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
---------- C:\WINDOWS\ehome\mcrdsvc.exe
---------- C:\WINDOWS\ehome\ehtray.exe
---------- C:\WINDOWS\RTHDCPL.EXE
---------- C:\WINDOWS\ARPWRMSG.EXE
---------- C:\Program Files\DISC\DiscUpdMgr.exe
---------- C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
---------- C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
---------- C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
---------- C:\Program Files\iTunes\iTunesHelper.exe
---------- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
---------- C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
---------- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
---------- C:\WINDOWS\system32\ctfmon.exe
---------- C:\WINDOWS\System32\alg.exe
---------- C:\WINDOWS\eHome\ehmsas.exe
---------- C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
---------- C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
---------- C:\Program Files\iPod\bin\iPodService.exe
---------- C:\WINDOWS\system32\dllhost.exe
---------- C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
---------- C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
---------- C:\HP\KBD\KBD.EXE
---------- C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
---------- c:\windows\system\hpsysdrv.exe
---------- C:\Program Files\Internet Explorer\iexplore.exe
---------- C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
---------- C:\WINDOWS\system32\msiexec.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe

----------------------\\ Tasks

C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At25.job
C:\WINDOWS\tasks\At26.job
C:\WINDOWS\tasks\At27.job
C:\WINDOWS\tasks\At28.job
C:\WINDOWS\tasks\At29.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At31.job
C:\WINDOWS\tasks\At32.job
C:\WINDOWS\tasks\At33.job
C:\WINDOWS\tasks\At34.job
C:\WINDOWS\tasks\At35.job
C:\WINDOWS\tasks\At36.job
C:\WINDOWS\tasks\At37.job
C:\WINDOWS\tasks\At38.job
C:\WINDOWS\tasks\At39.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At41.job
C:\WINDOWS\tasks\At42.job
C:\WINDOWS\tasks\At43.job
C:\WINDOWS\tasks\At44.job
C:\WINDOWS\tasks\At45.job
C:\WINDOWS\tasks\At46.job
C:\WINDOWS\tasks\At47.job
C:\WINDOWS\tasks\At48.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job

----------------------\\ ROOTKIT !!



1 - "C:\Rooter$\Rooter_1.txt" - Sat 05/09/2009| 9:03
2 - "C:\Rooter$\Rooter_2.txt" - Sat 05/09/2009|10:56

----------------------\\ Scan completed at 10:56


I'll run the OTListIt next....

#4
Nishie

    Member

  • Topic Starter
  • 13 posts
And here is the OTListIt log:

OTListIt logfile created on: 5/9/2009 11:03:08 AM - Run 1
OTListIt2 by OldTimer - Version 2.0.15.5 Folder = C:\Documents and Settings\HP_Administrator\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

959.36 Mb Total Physical Memory | 382.76 Mb Available Physical Memory | 39.90% Memory free
2.26 Gb Paging File | 1.90 Gb Available in Paging File | 83.90% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 177.53 Gb Total Space | 114.28 Gb Free Space | 64.37% Space Free | Partition Type: NTFS
Drive D: | 8.76 Gb Total Space | 0.42 Gb Free Space | 4.81% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-4DACD0EA75
Current User Name: HP_Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe (Webroot Software, Inc. )
PRC - C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
PRC - C:\WINDOWS\arservice.exe (Microsoft)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (Symantec Corporation)
PRC - C:\WINDOWS\eHome\ehRecvr.exe (Microsoft Corporation)
PRC - C:\WINDOWS\eHome\ehSched.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\LightScribe\LSSrvc.exe (Hewlett-Packard Company)
PRC - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
PRC - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE (HP)
PRC - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe (Webroot Software, Inc. (www.webroot.com))
PRC - C:\WINDOWS\ehome\mcrdsvc.exe (Microsoft Corporation)
PRC - C:\WINDOWS\ehome\ehtray.exe (Microsoft Corporation)
PRC - C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
PRC - C:\WINDOWS\ARPWRMSG.EXE (Microsoft)
PRC - C:\Program Files\DISC\DiscUpdMgr.exe (Digital Interactive Systems Corporation, Inc.)
PRC - C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe (Sonic Solutions)
PRC - C:\Program Files\HP\HP Software Update\HPwuSchd2.exe (Hewlett-Packard Development Company, L.P.)
PRC - C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
PRC - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
PRC - C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe (Webroot Software, Inc.)
PRC - C:\WINDOWS\eHome\ehmsas.exe (Microsoft Corporation)
PRC - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Development Company, L.P.)
PRC - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe (Hewlett-Packard)
PRC - C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
PRC - C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe (Yahoo! Inc.)
PRC - C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe (Hewlett-Packard Development Company, L.P.)
PRC - C:\HP\KBD\KBD.EXE (Hewlett-Packard Company)
PRC - C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.)
PRC - c:\windows\system\hpsysdrv.exe (Hewlett-Packard Company)
PRC - C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Webroot Software, Inc. (www.webroot.com))
PRC - C:\Documents and Settings\HP_Administrator\Desktop\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (Apple Mobile Device [Auto | Running]) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (ARSVC [Auto | Running]) -- C:\WINDOWS\arservice.exe (Microsoft)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (Ati HotKey Poller [Auto | Running]) -- C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
SRV - (Automatic LiveUpdate Scheduler [Auto | Running]) -- C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (Symantec Corporation)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (ehRecvr [Auto | Running]) -- C:\WINDOWS\eHome\ehRecvr.exe (Microsoft Corporation)
SRV - (ehSched [Auto | Running]) -- C:\WINDOWS\eHome\ehSched.exe (Microsoft Corporation)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (IDriverT [On_Demand | Stopped]) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (iPod Service [On_Demand | Running]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (LightScribeService [Auto | Running]) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe (Hewlett-Packard Company)
SRV - (LiveUpdate [On_Demand | Stopped]) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE (Symantec Corporation)
SRV - (McrdSvc [Auto | Running]) -- C:\WINDOWS\ehome\mcrdsvc.exe (Microsoft Corporation)
SRV - (MDM [Auto | Running]) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
SRV - (MHN [On_Demand | Stopped]) -- C:\WINDOWS\System32\mhn.dll (Microsoft Corporation)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (Pml Driver HPZ12 [Auto | Running]) -- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE (HP)
SRV - (sdAuxService [On_Demand | Stopped]) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe (PC Tools)
SRV - (sdCoreService [On_Demand | Stopped]) -- C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools)
SRV - (UMWdf [On_Demand | Stopped]) -- C:\WINDOWS\system32\wdfmgr.exe (Microsoft Corporation)
SRV - (webrootspysweeperservice [Auto | Running]) -- C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe (Webroot Software, Inc. (www.webroot.com))
SRV - (WMConnectCDS [On_Demand | Stopped]) -- C:\Program Files\Windows Media Connect 2\wmccds.exe (Microsoft Corporation)
SRV - (wrconsumerservice [Auto | Running]) -- C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe (Webroot Software, Inc. )

========== Driver Services (SafeList) ==========

DRV - (Afc [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\Afc.sys (Arcsoft, Inc.)
DRV - (ati2mtag [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ati2mtag.sys (ATI Technologies Inc.)
DRV - (GEARAspiWDM [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (HDAudBus [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys (Windows ® Server 2003 DDK provider)
DRV - (HSXHWBS2 [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HSXHWBS2.sys (Conexant Systems, Inc.)
DRV - (HSX_DP [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HSX_DP.sys (Conexant Systems, Inc.)
DRV - (iaStor [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\iaStor.sys (Intel Corporation)
DRV - (IKFileSec [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\ikfilesec.sys (PCTools Research Pty Ltd.)
DRV - (IKSysFlt [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\iksysflt.sys (PCTools Research Pty Ltd.)
DRV - (IKSysSec [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\iksyssec.sys (PCTools Research Pty Ltd.)
DRV - (IntcAzAudAddService [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (lbd [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (mdmxsdk [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys (Conexant)
DRV - (Ps2 [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\PS2.sys (Hewlett-Packard Company)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (RTL8023xp [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys (Realtek Semiconductor Corporation )
DRV - (rtl8139 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\RTL8139.SYS (Realtek Semiconductor Corporation)
DRV - (Secdrv [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (SMCWGU(SMC) [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\SMCWGU.sys (SMC Corporation)
DRV - (ssfs0bbc [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\ssfs0bbc.sys (Webroot Software, Inc. (www.webroot.com))
DRV - (sshrmd [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\sshrmd.sys (Webroot Software, Inc. (www.webroot.com))
DRV - (ssidrv [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\ssidrv.sys (Webroot Software, Inc. (www.webroot.com))
DRV - (SymEvent [On_Demand | Stopped]) -- C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Corporation)
DRV - (winachsx [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys (Conexant Systems, Inc.)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.c...rch/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo....e...-8&fr=b1ie7
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\CNNSI, = search.sportsillustrated.cnn.com/pages/search.jsp?query=%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\Dictionary, = dictionary.reference.com/search?q=%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\Google, = google.com/search?q=%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\GoogleGroups, = groups-beta.google.com/groups?q=%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\GoogleImages, = images.google.com/images?hl=en&lr=&q=%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\GoogleNews, = news.google.com/news?tab=gn&hl=en&ie=UTF-8&q=%s&btnG=Search+News
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\KB, = support.microsoft.com/search/default.aspx?query=%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\KBDLL, = support.microsoft.com/dllhelp/default.aspx?dlltype=file&l=55&alpha=%s&S=1
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\Movies, = fandango.com/my_box_office.asp?searchby=2&txtCityZip=%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\MSN, = search.msn.com/results.asp?q=%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\Thesaurus, = thesaurus.reference.com/search?q=%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\Weather, = weather.com/weather/local/%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\Yahoo, = search.yahoo.com/search?p=%s
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\PROGRAM FILES\REAL\REALPLAYER\BROWSERRECORD [2008/10/08 20:07:20 | 00,000,000 | ---D | M]

[2008/12/28 12:58:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\mozilla\Firefox\Profiles\y2marzsr.default\extensions
[2007/12/25 10:48:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\mozilla\Firefox\Profiles\y2marzsr.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2008/03/21 20:58:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\mozilla\Firefox\Profiles\y2marzsr.default\extensions\{991A772A-BA13-4c1d-A9EF-F897F31DEC7D}
[2009/01/03 12:06:24 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2007/10/30 21:40:17 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2008/01/08 19:45:02 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
[2008/04/14 07:25:37 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

O1 HOSTS File: (713 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - Reg Error: Key error. File not found
O2 - BHO: (no name) - {47A834AF-7A3B-4606-BF3E-48C9ED832D71} - C:\WINDOWS\system32\cbXRLfCT.dll File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {00000000-0000-0000-0000-000000000000} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
O4 - HKLM..\Run: [AlwaysReady Power Message APP] "C:\WINDOWS\ARPWRMSG.EXE" (Microsoft)
O4 - HKLM..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" (Apple Inc.)
O4 - HKLM..\Run: [DiscUpdateManager] "C:\Program Files\DISC\DiscUpdMgr.exe" (Digital Interactive Systems Corporation, Inc.)
O4 - HKLM..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe" (Sonic Solutions)
O4 - HKLM..\Run: [ehTray] "C:\WINDOWS\ehome\ehtray.exe" (Microsoft Corporation)
O4 - HKLM..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" (Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run (Hewlett-Packard Company)
O4 - HKLM..\Run: [HPHUPD08] "c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" (Hewlett-Packard)
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
O4 - HKLM..\Run: [PCDrProfiler] File not found
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [Recguard] "C:\WINDOWS\SMINST\RECGUARD.EXE" ()
O4 - HKLM..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe" (SoftThinks)
O4 - HKLM..\Run: [RTHDCPL] "C:\WINDOWS\RTHDCPL.EXE" (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray (Webroot Software, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc.)
O4 - HKLM..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" (Yahoo! Inc)
O4 - HKCU..\Run: [Search Protection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" (Yahoo! Inc)
O4 - HKCU..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (Yahoo! Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Development Company, L.P.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe (Hewlett-Packard)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0
O8 - Extra context menu item: &Search - Reg Error: Value error. File not found
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm File not found
O9 - Extra 'Tools' menuitem : Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm File not found
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: trymedia.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: trymedia.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.ma...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.syma...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx...owserPlugin.cab (DivXBrowserPlugin Object)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_05)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} http://www.miniclip....er/igloader.CAB (igLoader Content on Demand)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\jKARiFut: DllName - jKARiFut.dll - File not found
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O30 - LSA: Authentication Packages - (OWS\s) - File not found
O30 - LSA: Security Packages - (ecurity) - File not found
O30 - LSA: Security Packages - (Packages) - File not found
O30 - LSA: Security Packages - (settings...) - File not found
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/07/22 05:17:51 | 00,000,100 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/27 15:07:38 | 00,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2004/04/30 07:01:14 | 00,000,053 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2 C:\WINDOWS\*.tmp files]
[2009/05/09 10:58:43 | 00,501,760 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTListIt2.exe
[2009/05/09 10:55:26 | 00,267,612 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\Rooter.exe
[2009/05/09 09:02:39 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/05/08 23:47:48 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/05/08 23:46:50 | 00,000,603 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\ERUNT.lnk
[2009/05/08 23:46:50 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/05/08 23:45:47 | 00,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\HP_Administrator\Desktop\erunt_setup.exe
[2009/05/08 23:43:49 | 00,021,504 | ---- | C] (Doug Knox) -- C:\Documents and Settings\HP_Administrator\Desktop\SysRestorePoint.exe
[2009/05/08 22:19:19 | 00,001,652 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Spy Sweeper.lnk
[2009/05/08 22:18:08 | 00,000,164 | ---- | C] () -- C:\WINDOWS\install.dat
[2009/05/07 16:40:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Application Data\AVG8
[2009/04/29 21:55:53 | 00,034,816 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\My Documents\Death is a central aspect of the Way of the Samurai.doc
[2009/04/02 14:30:04 | 00,031,088 | ---- | C] () -- C:\WINDOWS\System32\wrLZMA.dll
[2009/02/12 19:11:10 | 00,000,127 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/01/25 14:17:06 | 00,093,420 | ---- | C] () -- C:\WINDOWS\System32\drivers\a0cb4211.sys
[2008/08/30 18:44:51 | 00,102,912 | ---- | C] () -- C:\WINDOWS\System32\islzma.dll
[2008/07/30 12:19:33 | 00,000,227 | ---- | C] () -- C:\WINDOWS\HP_CounterReport_Update_HPSU.ini
[2008/03/21 21:02:37 | 00,000,050 | ---- | C] () -- C:\WINDOWS\MegaManager.INI
[2007/08/16 22:18:30 | 00,000,191 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/02/07 18:13:28 | 00,000,030 | ---- | C] () -- C:\WINDOWS\mavis15.INI
[2007/01/30 16:45:58 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Mavis Beacon Teaches Typing.INI
[2006/07/22 05:50:03 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/07/22 05:26:39 | 00,028,848 | ---- | C] () -- C:\WINDOWS\System32\drivers\USBkey.sys
[2006/07/22 05:21:00 | 00,014,317 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
[2006/07/22 05:20:51 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
[2006/07/22 05:18:08 | 00,000,174 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2006/07/22 05:15:05 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/07/22 05:02:07 | 00,000,157 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2006/07/22 05:01:26 | 00,000,698 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.ini
[2006/07/22 04:43:28 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2006/07/22 04:38:31 | 00,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2006/07/22 04:14:55 | 00,323,584 | ---- | C] () -- C:\WINDOWS\System32\pythoncom22.dll
[2006/07/22 04:14:55 | 00,094,208 | ---- | C] () -- C:\WINDOWS\System32\pywintypes22.dll
[2006/07/22 04:14:33 | 00,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2006/03/17 19:23:44 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/08/30 23:02:00 | 00,000,593 | ---- | C] () -- C:\WINDOWS\win.ini
[2005/08/30 15:52:36 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini
[2005/08/05 23:01:54 | 00,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/08/03 01:19:16 | 00,050,176 | ---- | C] () -- C:\WINDOWS\armcex.dll
[2005/04/27 13:38:00 | 00,372,736 | ---- | C] () -- C:\WINDOWS\System32\hpzidi01.dll
[2005/04/27 13:37:49 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2004/07/26 09:51:38 | 00,000,560 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2003/01/08 00:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/07/07 00:30:00 | 00,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== Files - Modified Within 30 Days ==========

[2 C:\WINDOWS\System32\*.tmp files]
[2 C:\WINDOWS\*.tmp files]
[2 C:\Documents and Settings\HP_Administrator\My Documents\*.tmp files]
[2009/05/09 11:04:10 | 00,093,420 | ---- | M] () -- C:\WINDOWS\System32\drivers\a0cb4211.sys
[2009/05/09 11:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At36.job
[2009/05/09 11:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2009/05/09 10:58:58 | 00,501,760 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTListIt2.exe
[2009/05/09 10:55:43 | 00,267,612 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\Rooter.exe
[2009/05/09 10:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At35.job
[2009/05/09 10:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2009/05/09 09:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At34.job
[2009/05/09 09:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2009/05/09 08:52:34 | 00,000,186 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.DAT
[2009/05/09 08:51:15 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/05/09 08:50:06 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/05/09 08:50:03 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\HP_Administrator\Local Settings\desktop.ini
[2009/05/09 08:49:54 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/05/09 08:49:49 | 10,060,30848 | -HS- | M] () -- C:\hiberfil.sys
[2009/05/09 08:46:16 | 00,001,696 | ---- | M] () -- C:\WINDOWS\tasks\wrSpySweeper_L07172F48DC2D4E2FB30FDAF278D622F0.job
[2009/05/09 00:39:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At25.job
[2009/05/09 00:28:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2009/05/08 23:47:34 | 00,000,603 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\ERUNT.lnk
[2009/05/08 23:46:05 | 00,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\HP_Administrator\Desktop\erunt_setup.exe
[2009/05/08 23:44:00 | 00,021,504 | ---- | M] (Doug Knox) -- C:\Documents and Settings\HP_Administrator\Desktop\SysRestorePoint.exe
[2009/05/08 23:00:00 | 00,000,762 | ---- | M] () -- C:\WINDOWS\tasks\wrSpySweeper20080902224558.job
[2009/05/08 23:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At48.job
[2009/05/08 23:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
[2009/05/08 22:19:19 | 00,001,652 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Spy Sweeper.lnk
[2009/05/08 22:18:09 | 00,000,164 | ---- | M] () -- C:\WINDOWS\install.dat
[2009/05/08 22:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At47.job
[2009/05/08 22:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2009/05/08 21:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At46.job
[2009/05/08 21:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2009/05/08 20:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At45.job
[2009/05/08 20:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2009/05/08 19:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At44.job
[2009/05/08 19:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2009/05/08 18:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At43.job
[2009/05/08 18:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2009/05/08 17:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At42.job
[2009/05/08 17:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2009/05/08 16:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At41.job
[2009/05/08 16:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2009/05/08 15:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At40.job
[2009/05/08 15:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2009/05/08 14:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At39.job
[2009/05/08 14:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2009/05/08 13:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At38.job
[2009/05/08 13:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2009/05/08 12:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At37.job
[2009/05/08 12:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2009/05/08 08:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2009/05/08 08:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At33.job
[2009/05/08 07:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2009/05/08 07:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At32.job
[2009/05/08 06:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2009/05/08 06:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At31.job
[2009/05/08 05:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
[2009/05/08 05:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At30.job
[2009/05/08 04:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2009/05/08 04:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At29.job
[2009/05/08 03:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2009/05/08 03:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At28.job
[2009/05/08 02:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2009/05/08 02:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At27.job
[2009/05/08 01:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At26.job
[2009/05/08 01:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2009/05/06 15:38:00 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/04/30 00:43:05 | 00,034,816 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\My Documents\Death is a central aspect of the Way of the Samurai.doc
< End of report >
OTListIt Extras logfile created on: 5/9/2009 11:03:08 AM - Run 1
OTListIt2 by OldTimer - Version 2.0.15.5 Folder = C:\Documents and Settings\HP_Administrator\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

959.36 Mb Total Physical Memory | 382.76 Mb Available Physical Memory | 39.90% Memory free
2.26 Gb Paging File | 1.90 Gb Available in Paging File | 83.90% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 177.53 Gb Total Space | 114.28 Gb Free Space | 64.37% Space Free | Partition Type: NTFS
Drive D: | 8.76 Gb Total Space | 0.42 Gb Free Space | 4.81% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-4DACD0EA75
Current User Name: HP_Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Connect
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Connect
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Connect
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Connect
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Connect
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Connect

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Connect
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Connect
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Connect
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Connect
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Connect
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Connect
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe:*:Enabled:Updates from HP (Hewlett-Packard)
%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe (Hewlett-Packard Development Company, L.P.)
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe (Hewlett-Packard Development Company, L.P.)
C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe (Hewlett-Packard Co.)
C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe (Hewlett-Packard Co.)
C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe (Hewlett-Packard Co.)
C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe ()
C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe (Hewlett-Packard)
C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe (Hewlett-Packard Co.)
C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe (Hewlett-Packard)
C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe (Hewlett-Packard Co.)
C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe (Hewlett-Packard)
C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe ( )
C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe (Hewlett-Packard Co.)
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe (Hewlett-Packard Development Company, L.P.)
C:\Program Files\DISC\DISCover.exe:*:Enabled:DISCover Drop & Play System (Digital Interactive Systems Corporation)
C:\Program Files\DISC\DiscStreamHub.exe:*:Enabled:DISCover Stream Hub (Digital Interactive Systems Corporation, Inc.)
C:\Program Files\DISC\myFTP.exe:*:Enabled:DISCover FTP (Digital Interactive Systems Corporation, Inc.)
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe:*:Enabled:Updates from HP (Hewlett-Packard)
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink File not found
C:\Program Files\Microsoft Games\Age of Mythology\aom.exe:*:Enabled:Age of Mythology (Ensemble Studios)
C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger (Microsoft Corporation)
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger (Yahoo! Inc.)
C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server (Yahoo! Inc.)
C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent File not found
C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes (Apple Inc.)
C:\Program Files\HP Rhapsody\rhapsody.exe:*:Disabled:Rhapsody (RealNetworks, Inc.)
%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 (Microsoft Corporation)
C:\WINDOWS\system32\drivers\svchost.exe:*:Disabled:??????? File not found

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01501EBA-EC35-4F9F-8889-3BE346E5DA13}" = MSXML4 Parser
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic RecordNow Data
"{08CA9554-B5FE-4313-938F-D4A417B81175}" = QuickTime
"{0A65A3BD-54B5-4d0d-B084-7688507813F5}" = SlideShow
"{0B33B738-AD79-4E32-90C5-E67BFB10BBFF}" = AiO_Scan
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0BF5FBE7-3907-4A1F-9E48-8B66E52850D6}" = TrayApp
"{1341D838-719C-4A05-B50F-49420CA1B4BB}" = HP Boot Optimizer
"{13f3917b56cd4c25848bdc69916971bb}" = DivX Converter
"{15C0AF59-4877-49B6-B8C6-A61CE54515F5}" = cp_OnlineProjectsConfig
"{18d10072035c4515918f7e37eafaacfc}" = AutoUpdate
"{1E1F1E70-14D8-4380-8652-BD1A895A7D65}" = Status
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Sonic MyDVD Plus
"{22DE1881-9D24-4981-B5CC-EC7E9F2F4D52}" = Rhapsody Player Engine
"{22e9cf2b-4063-4dab-a251-93fa46f7decc}_is1" = Spy Sweeper
"{23012310-3E05-46A5-88A9-C6CBCABCAC79}" = Customer Experience Enhancement
"{2376813B-2E5A-4641-B7B3-A0D5ADB55229}" = HPPhotoSmartExpress
"{27428D1B-8CBA-4EEA-B9C0-A23CA7B4FCC1}" = muvee autoProducer 5.0
"{2818095F-FB6C-42C8-827E-0A406CC9AFF5}" = Quicken 2006
"{2C5D07FB-31A2-4F2D-9FDA-0B24ACD42BD0}" = HP Deskjet Printer Preload
"{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}" = Rhapsody Player Engine
"{2F58D60D-2BFD-4467-9B4D-64E7355C329D}" = Sonic_PrimoSDK
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{31263605-FC84-4787-B847-BA445B147E24}" = ScannerCopy
"{32343DB6-9A52-40C9-87E4-5E7C79791C87}" = MSXML 4.0 SP2 and SOAP Toolkit 3.0
"{3248F0A8-6813-11D6-A77B-00B0D0150050}" = J2SE Runtime Environment 5.0 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{33BF0960-DBA3-4187-B6CC-C969FCFA2D25}" = SkinsHP1
"{33D6CC28-9F75-4d1b-A11D-98895B3A3729}" = HP Photosmart 330,380,420,470,7800,8000,8200 Series
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{352F5013-07DC-446D-8DB6-38F339086C60}" = LightScribe 1.4.84.1
"{36D620AD-EEBA-4973-BA86-0C9AE6396620}" = OptionalContentQFolder
"{36FDBE6E-6684-462B-AE98-9A39A1B200CC}" = HP Product Assistant
"{3819891A-030B-4a4e-98ED-B28A649E48AB}" = HP Deskjet 3900 series
"{3CF99DC3-38FD-46E6-A6B4-9C70074E020C}" = DocumentViewer
"{3DE0053C-FD9A-483E-B7C9-B06E4392206E}" = iTunes
"{3E8C2BA2-F4CA-4A1D-A690-6B9A411DAF8B}" = ArcSoft PhotoImpression 5
"{3F5B6210-0903-4DC6-8034-8F488AA3A782}" = Spy Sweeper Core
"{3fc7cbbc4c1e11dca1a752ea55d89593}" = DivX Version Checker
"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}" = Microsoft Works
"{41E776A5-9B12-416D-9A12-B4F7B044EBED}" = CP_Package_Basic1
"{42F6BED9-41DD-40F1-85A8-8E0350493626}" = HPDeskjet3900Series
"{45B8A76B-57EC-4242-B019-066400CD8428}" = BufferChm
"{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP DVD Play 2.1
"{49C88E44-1B38-4FC6-824E-2BDA3063B0E3}" = Apple Mobile Device Support
"{4BE53DB2-C1F2-44D1-A9AB-1630BA7F2AF1}" = SolutionCenter
"{54E3707F-808E-4fd4-95C9-15D1AB077E5D}" = NewCopy
"{5B622B7A-60FB-4630-B11D-F121D20BCCD6}" = MarketResearch
"{5B79CFD1-6845-4158-9D7D-6BE89DF2C135}" = HP PSC & OfficeJet 5.3.B
"{5D61626A-BD55-4e42-82EE-4AE89D8FD050}" = HP Photosmart Cameras 6.0
"{5F26311C-B135-4F7F-B11E-8E650F83651E}" = DeviceFunctionQFolder
"{5FDD0538-C67A-4F67-B3F8-09D1AAF04D99}" = muvee autoProducer unPlugged 2.0
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Sonic Express Labeler
"{6696D9A4-28A8-4F5A-8E9A-2E8974C8C39C}" = RandMap
"{68763C27-235D-4165-A961-FDEA228CE504}" = AiOSoftwareNPI
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6A118C80-B382-41c0-8907-CDD0BF5EFE6E}" = CameraDrivers
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{729DF902-05F9-4C00-9E6D-411119824E5F}" = hpiCamDrvQFolder
"{736C803C-DD3B-4015-BC51-AFB9E67B9076}" = Readme
"{755EC5E3-FD51-46bd-A57F-7A2D56FBF061}" = PSTAPlugin
"{767cc44c-9bbc-438d-bad3-fd4595dd148b}" = VC80CRTRedist - 8.0.50727.762
"{769A295C-DCF4-41d6-AFBA-7D9394B23AFE}" = PSPrinters08
"{7850A6D2-CBEA-4728-9877-F1BEDEA9F619}" = AiOSoftware
"{7b63b2922b174135afc0e1377dd81ec2}" = DivX Codec
"{82081779-4175-4666-A457-AB711CD37EF0}" = cp_LightScribeConfig
"{829DAAD6-BB11-4BB7-921B-07FFB703F944}" = CP_Package_Variety3
"{82E55892-6FFD-403F-AA97-D726846768AA}" = CP_AtenaShokunin1Config
"{866A0078-DEA7-4348-9C9A-999AF2991EAA}" = SlideShowMusic
"{8A534F71-3202-4464-A422-B767295E67B9}" = CP_Package_Variety2
"{8adfc4160d694100b5b8a22de9dcabd9}" = DivX Player
"{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}" = Unload
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{93E5A317-24EC-4744-812C-16FECFE86E6A}" = CP_Package_Variety1
"{A01FC76F-CC09-4658-9E37-5C2F635EE708}" = Microsoft Office 2003 Edition 60 Days Trial Welcome Tour
"{A29800BA-0BF1-4E63-9F31-DF05A87F4104}" = InstantShareDevices
"{A3455242-DAE0-4523-8242-FD82706ABF4B}" = CameraDrivers
"{a96e97134ca649888820bcde5e300bbd}" = H.264 Decoder
"{aac389499aef40428987b3d30cfc76c9}" = MKV Splitter
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic RecordNow Audio
"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0
"{aef9dc35addf4825b049acbfd1c6eb37}" = AAC Decoder
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic RecordNow Copy
"{b13a7c41581b411290fbc0395694e2a9}" = DivX Converter
"{B2157760-AA3C-4E2E-BFE6-D20BC52495D9}" = cp_PosterPrintConfig
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{B6286A44-7505-471A-A72B-04EC2DB2F442}" = CueTour
"{B69CFE29-FD03-4E0A-87A7-6ED97F98E5B3}" = CP_Panorama1Config
"{b7050cbdb2504b34bc2a9ca0a692cc29}" = DivX Web Player
"{B9DD2DE0-27BE-4e6b-AAD8-0D960ABF87FD}" = CameraUserGuides
"{BF4E9ED0-EF26-4A4C-A123-6A6A1ABEE411}" = DocProc
"{C1C6767D-B395-43CB-BF99-051B58B86DA6}" = PhotoGallery
"{C3FAA091-B278-44A7-BF48-190811C5F9F7}" = cp_UpdateProjectsConfig
"{C6812939-B117-48E6-A3BA-1709C14A3C8C}" = Scan
"{C8753E28-2680-49BF-BD48-DD38FD086EFE}" = AiO_Scan_CDA
"{C98E8D9D-21DE-4F87-A9B7-142BB89840FC}" = Toolbox
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE24344F-DFD8-40C8-8FD8-C9740B5F25AC}" = Fax
"{DAAD5187-62C5-4AD6-A526-803C18C4944D}" = HP Web Helper
"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
"{DEBB2986-15B0-4D28-95FA-5C966A396589}" = HPProductAssistant
"{E5A1DE9A-A21C-43A1-B06D-5146BAF62033}" = PanoStandAlone
"{E5A8DDAB-AE80-48C6-A75B-D0FAB83B299D}" = HP PSC & OfficeJet 6.1.A
"{EC2715CE-C182-483C-84CC-81D7D914CF14}" = WebReg
"{ED2C557E-9C18-41FF-B58E-A05EEF0B3B5F}" = CP_CalendarTemplates1
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{f333a33d-125c-32a2-8dce-5c5d14231e27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{f333a33d-125c-32a2-8dce-5c5d14231e27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F6076EF9-08E1-442F-B6A2-BFB61B295A14}" = Fax_CDA
"{F80239D8-7811-4D5E-B033-0D0BBFE32920}" = HP DigitalMedia Archive
"{FB15E224-67C3-491F-9F5C-F257BC418412}" = Destinations
"{FBB980B0-63F8-4B48-8D65-90F1D9F81D9F}" = NewCopy_CDA
"{FE64AE29-0883-4C70-8388-DC026019C900}" = HP Image Zone Express
"adobe flash player activex" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player
"Age of Mythology 1.0" = Age of Mythology
"ATI Display Driver" = ATI Display Driver
"AwayMode160" = Microsoft Away Mode
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1" = Data Fax SoftModem with SmartCP
"DISCover" = DISCover
"divx plus directshow filters" = DivX Plus DirectShow Filters
"erunt_is1" = ERUNT 1.1j
"HijackThis" = HijackThis 1.99.1
"HP Document Viewer" = HP Document Viewer 6.1
"HP Imaging Device Functions" = HP Imaging Device Functions 7.0
"HP Photo & Imaging" = HP Photosmart Premier Software 6.5
"HP Photosmart for Media Center PC" = HP Photosmart for Media Center PC
"HP Rhapsody" = HP Rhapsody
"HP Solution Center & Imaging Support Tools" = HP Solution Center and Imaging Support Tools 6.1
"HPExtendedCapabilities" = HP Extended Capabilities 5.0
"HPOOVClient-9972322 Uninstaller" = Updates from HP (remove only)
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{23012310-3E05-46A5-88A9-C6CBCABCAC79}" = Customer Experience Enhancement
"LiveUpdate" = LiveUpdate 3.0 (Symantec Corporation)
"malwarebytes' anti-malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Money2006b" = Microsoft Money 2006
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PC-Doctor 5 for Windows" = PC-Doctor 5 for Windows
"Python 2.2.3" = Python 2.2.3
"pywin32-py2.2" = Python 2.2 pywin32 extensions (build 203)
"RealPlayer 6.0" = RealPlayer
"Spyware Doctor" = Spyware Doctor 6.0
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMCSetup" = Windows Media Connect
"Yahoo! Mail" = Yahoo! Internet Mail
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Search Defender" = Yahoo! Search Protection
"YInstHelper" = Yahoo! Install Manager

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/28/2009 7:39:50 PM | Computer Name = YOUR-4DACD0EA75 | Source = Microsoft Office 11 | ID = 1000
Description = Faulting application winword.exe, version 11.0.5604.0, stamp 3f314a2f,
faulting module unknown, version 0.0.0.0, stamp 00000000, debug? 0, fault address
0x00720061.

Error - 4/29/2009 10:55:18 PM | Computer Name = YOUR-4DACD0EA75 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module unknown, version 0.0.0.0, fault address 0x031f23ac.

[ System Events ]
Error - 5/9/2009 9:55:55 AM | Computer Name = YOUR-4DACD0EA75 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 5/9/2009 9:55:55 AM | Computer Name = YOUR-4DACD0EA75 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 5/9/2009 10:00:00 AM | Computer Name = YOUR-4DACD0EA75 | Source = Schedule | ID = 7901
Description = The At10.job command failed to start due to the following error: %%2147942405

Error - 5/9/2009 10:00:00 AM | Computer Name = YOUR-4DACD0EA75 | Source = Schedule | ID = 7901
Description = The At34.job command failed to start due to the following error: %%2147942405

Error - 5/9/2009 11:00:00 AM | Computer Name = YOUR-4DACD0EA75 | Source = Schedule | ID = 7901
Description = The At11.job command failed to start due to the following error: %%2147942405

Error - 5/9/2009 11:00:00 AM | Computer Name = YOUR-4DACD0EA75 | Source = Schedule | ID = 7901
Description = The At35.job command failed to start due to the following error: %%2147942405

Error - 5/9/2009 11:30:43 AM | Computer Name = YOUR-4DACD0EA75 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 5/9/2009 11:30:43 AM | Computer Name = YOUR-4DACD0EA75 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 5/9/2009 12:00:00 PM | Computer Name = YOUR-4DACD0EA75 | Source = Schedule | ID = 7901
Description = The At12.job command failed to start due to the following error: %%2147942405

Error - 5/9/2009 12:00:00 PM | Computer Name = YOUR-4DACD0EA75 | Source = Schedule | ID = 7901
Description = The At36.job command failed to start due to the following error: %%2147942405


< End of report >

#5 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
We will begin with ComboFix.exe. Please visit this webpage for download links and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.


also:

We will run OTListIt, but go for a shortened log.
  • Close all windows and open it by double clicking on the icon
  • we are targeting a selective output, hence:
    • on the left hand side, in the box titled "Processes" select none
    • on the left hand side, in the box titled "Drivers" select none
    • on the left hand side, in the box titled "Extra Registry" select none
    • on the right hand side, in the box titled "Files created within" select none
    • on the right hand side, in the box titled "Files modified within" select none
    • tick both the boxes marked Purity check and Lop check
  • Click Run Scan and let the program run uninterrupted
  • It will produce one log for you called OTListIt.txt. Please post that log here in reply.
  • You may need to use two posts to get it all on the forum
andrewuk

#6 Nishie (Topic Starter, Member, 13 posts)
Here's the ComboFix-

ComboFix 09-05-08.03 - HP_Administrator 05/09/2009 12:10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.340 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\HP_Administrator\Local Settings\Temp\IadHide5.dll
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\IE4 Error Log.txt
c:\windows\system32\drivers\a0cb4211.sys
c:\windows\wiaserviv.log
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_a0cb4211


((((((((((((((((((((((((( Files Created from 2009-04-09 to 2009-05-09 )))))))))))))))))))))))))))))))
.

2009-05-09 14:02 . 2009-05-09 15:57 -------- d-----w C:\Rooter$
2009-05-09 04:46 . 2009-05-09 04:47 -------- d-----w c:\program files\ERUNT
2009-05-09 03:18 . 2009-05-09 03:18 164 ----a-w c:\windows\install.dat
2009-05-07 21:40 . 2009-05-07 21:40 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\AVG8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-07 21:04 . 2009-01-01 17:31 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 20:32 . 2009-01-01 17:31 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2009-01-01 17:31 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-06 18:32 . 2008-10-29 04:34 1563008 ----a-w c:\windows\WRSetup.dll
2009-04-02 19:30 . 2008-10-02 09:15 176752 ----a-w c:\windows\system32\drivers\ssidrv.sys
2009-04-02 19:30 . 2008-10-02 09:15 23152 ----a-w c:\windows\system32\drivers\sshrmd.sys
2009-04-02 19:30 . 2008-10-02 09:15 29808 ----a-w c:\windows\system32\drivers\ssfs0bbc.sys
2009-03-27 12:28 . 2007-07-19 04:38 -------- d-----w c:\program files\DivX
2009-03-27 12:28 . 2009-03-27 12:27 -------- d-----w c:\program files\Common Files\DivX Shared
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\backupiconoverlayid]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-04-06 18:26 238968 ----a-w c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"RTHDCPL"="c:\windows\RTHDCPL.EXE" [2006-03-08 16010240]
"AlwaysReady Power Message APP"="c:\windows\ARPWRMSG.EXE" [2005-08-03 77312]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdMgr.exe" [2006-03-16 61440]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-03-20 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-12-16 49152]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-09 185872]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-04-06 6345840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-7-22 36903]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wrconsumerservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Mythology\\aom.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP Rhapsody\\rhapsody.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/22/2009 8:45 PM 64160]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [10/2/2008 4:15 AM 29808]
R2 wrconsumerservice;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [10/28/2008 11:34 PM 1181040]
R3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);c:\windows\system32\drivers\SMCWGU.sys [7/17/2007 9:41 AM 408064]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [10/29/2008 7:55 PM 356920]
.
Contents of the 'Scheduled Tasks' folder

2009-05-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-05-09 c:\windows\Tasks\At1.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-09 c:\windows\Tasks\At10.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-09 c:\windows\Tasks\At11.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-09 c:\windows\Tasks\At12.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-09 c:\windows\Tasks\At13.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-08 c:\windows\Tasks\At14.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-08 c:\windows\Tasks\At15.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-08 c:\windows\Tasks\At16.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-08 c:\windows\Tasks\At17.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-08 c:\windows\Tasks\At18.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-08 c:\windows\Tasks\At19.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-08 c:\windows\Tasks\At2.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-09 c:\windows\Tasks\At20.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-09 c:\windows\Tasks\At21.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-09 c:\windows\Tasks\At22.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-09 c:\windows\Tasks\At23.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-09 c:\windows\Tasks\At24.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-08 c:\windows\Tasks\At3.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-08 c:\windows\Tasks\At4.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-08 c:\windows\Tasks\At5.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-08 c:\windows\Tasks\At6.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-08 c:\windows\Tasks\At7.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-08 c:\windows\Tasks\At8.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-08 c:\windows\Tasks\At9.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-09 c:\windows\Tasks\wrSpySweeper20080902224558.job
- c:\program files\Webroot\Spy Sweeper\SpySweeper.exe [2009-04-02 19:29]

2009-05-09 c:\windows\Tasks\wrSpySweeper_L07172F48DC2D4E2FB30FDAF278D622F0.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-10-29 18:32]

2009-05-09 c:\windows\Tasks\wrSpySweeper_L07172F48DC2D4E2FB30FDAF278D622F0.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-10-29 18:32]
.
- - - - ORPHANS REMOVED - - - -

BHO-{47A834AF-7A3B-4606-BF3E-48C9ED832D71} - c:\windows\system32\cbXRLfCT.dll
HKLM-Run-PCDrProfiler - (no file)
Notify-jKARiFut - jKARiFut.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: trymedia.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-09 12:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3292)
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
c:\windows\system32\ati2evxx.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\Webroot\Spy Sweeper\SSU.exe
.
**************************************************************************
.
Completion time: 2009-05-09 12:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-09 17:19

Pre-Run: 122,672,349,184 bytes free
Post-Run: 122,780,352,512 bytes free

228 --- E O F --- 2009-02-13 00:11
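The ComboFix log above lists 24 tasks, At1 through At24, that all launch c:\windows\system32\0SqtDGhb.exe, and the System event log posted earlier shows the At*.job tasks failing with the token %%2147942405. The Python below is an added example for this thread, not code from ComboFix, OTListIt or the helper: it parses the "Scheduled Tasks" section of such a log, groups tasks by the file they run, flags any file shared by several At*.job entries (the names at.exe hands out) or carrying a mixed-case random-looking name under system32, and decodes the decimal error token into its HRESULT and Win32 code. SAMPLE_LOG is a trimmed excerpt constructed from the posted log so the script runs offline; the sharing threshold and the file-name test are this example's assumptions, not anything the tools themselves report.

```python
"""Triage helpers for a ComboFix log: pull the 'Scheduled Tasks' section,
flag At*.job entries that cluster on one odd executable, and decode the
%%<decimal> error token the Task Scheduler writes to the System event log.

Added example for this thread; not part of ComboFix, OTListIt or Windows.
The clustering threshold and the "random-looking name" test are this
example's own assumptions, not something the tools report.
"""
import re
from collections import defaultdict

# Constructed sample: a trimmed excerpt in the shape of the ComboFix log
# posted above, embedded so the script runs offline.
SAMPLE_LOG = r"""
Contents of the 'Scheduled Tasks' folder

2009-05-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-05-09 c:\windows\Tasks\At1.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-09 c:\windows\Tasks\At10.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-08 c:\windows\Tasks\At2.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-09 c:\windows\Tasks\wrSpySweeper20080902224558.job
- c:\program files\Webroot\Spy Sweeper\SpySweeper.exe [2009-04-02 19:29]
.
- - - - ORPHANS REMOVED - - - -
"""

SECTION_HEADER = "Contents of the 'Scheduled Tasks' folder"
JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>.+\.job)\s*$")
TARGET_RE = re.compile(r"^- (?P<target>.+?) \[")
AT_JOB_RE = re.compile(r"^at\d+\.job$", re.IGNORECASE)   # names at.exe hands out
RANDOM_NAME_RE = re.compile(r"^[A-Za-z0-9]{6,12}\.exe$")  # assumption, see docstring


def parse_scheduled_tasks(log_text):
    """Return [(job_basename, target_path), ...] from the Scheduled Tasks section."""
    tasks, in_section, current_job = [], False, None
    for line in log_text.splitlines():
        if line.startswith(SECTION_HEADER):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("- - - -"):        # next ComboFix section begins
            break
        m = JOB_RE.match(line)
        if m:
            current_job = m.group("job").rsplit("\\", 1)[-1]
            continue
        m = TARGET_RE.match(line)
        if m and current_job:
            tasks.append((current_job, m.group("target")))
            current_job = None
    return tasks


def flag_scheduled_tasks(tasks, min_shared=3):
    """Group tasks by target; return {target: [reasons]} for suspicious targets.
    Heuristics (assumptions): several At*.job entries pointing at one file, or a
    mixed-case alphanumeric file name under system32, where Microsoft's own
    binaries are lower-case on disk."""
    by_target = defaultdict(list)
    for job, target in tasks:
        by_target[target].append(job)
    findings = {}
    for target, jobs in by_target.items():
        reasons = []
        at_jobs = [j for j in jobs if AT_JOB_RE.match(j)]
        if len(at_jobs) >= min_shared:
            reasons.append(f"{len(at_jobs)} At*.job entries launch this file")
        name = target.rsplit("\\", 1)[-1]
        if "\\system32\\" in target.lower() and RANDOM_NAME_RE.match(name) and name != name.lower():
            reasons.append("mixed-case random-looking name in system32")
        if reasons:
            findings[target] = reasons
    return findings


WIN32_NAMES = {2: "ERROR_FILE_NOT_FOUND", 3: "ERROR_PATH_NOT_FOUND", 5: "ERROR_ACCESS_DENIED"}


def decode_schedule_error(token):
    """Decode the '%%2147942405' token from a Schedule 7901 event.
    Returns (hresult_hex, win32_code, win32_name); the low 16 bits are a Win32
    error only when the HRESULT facility is FACILITY_WIN32 (7)."""
    value = int(token.lstrip("%"))
    facility = (value >> 16) & 0x1FFF
    if facility != 7:
        return f"0x{value:08X}", None, None
    win32 = value & 0xFFFF
    return f"0x{value:08X}", win32, WIN32_NAMES.get(win32, "unknown")


if __name__ == "__main__":
    found = flag_scheduled_tasks(parse_scheduled_tasks(SAMPLE_LOG))
    for target, reasons in found.items():
        print(target, "->", "; ".join(reasons))
    print(decode_schedule_error("%%2147942405"))
```

Run against the full posted log instead of SAMPLE_LOG, the same heuristics single out 0SqtDGhb.exe and nothing else, and the event-log token decodes to 0x80070005, which is Win32 error 5, ERROR_ACCESS_DENIED: the Task Scheduler was unable to start that executable at the scheduled hour.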

#7 Nishie (Topic Starter, Member, 13 posts)
And here is the OTListIt-

OTListIt logfile created on: 5/9/2009 12:24:54 PM - Run 2
OTListIt2 by OldTimer - Version 2.0.15.5 Folder = C:\Documents and Settings\HP_Administrator\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

959.36 Mb Total Physical Memory | 537.44 Mb Available Physical Memory | 56.02% Memory free
2.26 Gb Paging File | 1.88 Gb Available in Paging File | 83.18% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 177.53 Gb Total Space | 114.34 Gb Free Space | 64.41% Space Free | Partition Type: NTFS
Drive D: | 8.76 Gb Total Space | 0.42 Gb Free Space | 4.81% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-4DACD0EA75
Current User Name: HP_Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Win32 Services (SafeList) ==========

SRV - (Apple Mobile Device [Auto | Running]) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (ARSVC [Auto | Running]) -- C:\WINDOWS\arservice.exe (Microsoft)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (Ati HotKey Poller [Auto | Running]) -- C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
SRV - (Automatic LiveUpdate Scheduler [Auto | Running]) -- C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (Symantec Corporation)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (ehRecvr [Auto | Running]) -- C:\WINDOWS\eHome\ehRecvr.exe (Microsoft Corporation)
SRV - (ehSched [Auto | Running]) -- C:\WINDOWS\eHome\ehSched.exe (Microsoft Corporation)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (IDriverT [On_Demand | Stopped]) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (iPod Service [On_Demand | Running]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (LightScribeService [Auto | Running]) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe (Hewlett-Packard Company)
SRV - (LiveUpdate [On_Demand | Stopped]) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE (Symantec Corporation)
SRV - (McrdSvc [Auto | Running]) -- C:\WINDOWS\ehome\mcrdsvc.exe (Microsoft Corporation)
SRV - (MDM [Auto | Running]) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
SRV - (MHN [On_Demand | Stopped]) -- C:\WINDOWS\System32\mhn.dll (Microsoft Corporation)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (Pml Driver HPZ12 [Auto | Running]) -- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE (HP)
SRV - (sdAuxService [On_Demand | Stopped]) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe (PC Tools)
SRV - (sdCoreService [On_Demand | Stopped]) -- C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools)
SRV - (UMWdf [On_Demand | Stopped]) -- C:\WINDOWS\system32\wdfmgr.exe (Microsoft Corporation)
SRV - (webrootspysweeperservice [Auto | Running]) -- C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe (Webroot Software, Inc. (www.webroot.com))
SRV - (WMConnectCDS [On_Demand | Stopped]) -- C:\Program Files\Windows Media Connect 2\wmccds.exe (Microsoft Corporation)
SRV - (wrconsumerservice [Auto | Running]) -- C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe (Webroot Software, Inc. )

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.c...rch/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo....e...-8&fr=b1ie7
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\CNNSI, = search.sportsillustrated.cnn.com/pages/search.jsp?query=%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\Dictionary, = dictionary.reference.com/search?q=%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\Google, = google.com/search?q=%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\GoogleGroups, = groups-beta.google.com/groups?q=%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\GoogleImages, = images.google.com/images?hl=en&lr=&q=%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\GoogleNews, = news.google.com/news?tab=gn&hl=en&ie=UTF-8&q=%s&btnG=Search+News
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\KB, = support.microsoft.com/search/default.aspx?query=%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\KBDLL, = support.microsoft.com/dllhelp/default.aspx?dlltype=file&l=55&alpha=%s&S=1
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\Movies, = fandango.com/my_box_office.asp?searchby=2&txtCityZip=%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\MSN, = search.msn.com/results.asp?q=%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\Thesaurus, = thesaurus.reference.com/search?q=%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\Weather, = weather.com/weather/local/%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\Yahoo, = search.yahoo.com/search?p=%s
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\PROGRAM FILES\REAL\REALPLAYER\BROWSERRECORD [2008/10/08 20:07:20 | 00,000,000 | ---D | M]

[2008/12/28 12:58:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\mozilla\Firefox\Profiles\y2marzsr.default\extensions
[2007/12/25 10:48:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\mozilla\Firefox\Profiles\y2marzsr.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2008/03/21 20:58:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\mozilla\Firefox\Profiles\y2marzsr.default\extensions\{991A772A-BA13-4c1d-A9EF-F897F31DEC7D}
[2009/01/03 12:06:24 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2007/10/30 21:40:17 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2008/01/08 19:45:02 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
[2008/04/14 07:25:37 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {00000000-0000-0000-0000-000000000000} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
O4 - HKLM..\Run: [AlwaysReady Power Message APP] "C:\WINDOWS\ARPWRMSG.EXE" (Microsoft)
O4 - HKLM..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" (Apple Inc.)
O4 - HKLM..\Run: [DiscUpdateManager] "C:\Program Files\DISC\DiscUpdMgr.exe" (Digital Interactive Systems Corporation, Inc.)
O4 - HKLM..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe" (Sonic Solutions)
O4 - HKLM..\Run: [ehTray] "C:\WINDOWS\ehome\ehtray.exe" (Microsoft Corporation)
O4 - HKLM..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" (Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run (Hewlett-Packard Company)
O4 - HKLM..\Run: [HPHUPD08] "c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" (Hewlett-Packard)
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [Recguard] "C:\WINDOWS\SMINST\RECGUARD.EXE" ()
O4 - HKLM..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe" (SoftThinks)
O4 - HKLM..\Run: [RTHDCPL] "C:\WINDOWS\RTHDCPL.EXE" (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray (Webroot Software, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc.)
O4 - HKLM..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" (Yahoo! Inc)
O4 - HKCU..\Run: [Search Protection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" (Yahoo! Inc)
O4 - HKCU..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (Yahoo! Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Development Company, L.P.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe (Hewlett-Packard)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &Search - Reg Error: Value error. File not found
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm File not found
O9 - Extra 'Tools' menuitem : Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm File not found
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: trymedia.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: trymedia.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.ma...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.syma...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx...owserPlugin.cab (DivXBrowserPlugin Object)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_05)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} http://www.miniclip....er/igloader.CAB (igLoader Content on Demand)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O30 - LSA: Security Packages - (ecurity) - File not found
O30 - LSA: Security Packages - (Packages) - File not found
O30 - LSA: Security Packages - (settings...) - File not found
O30 - LSA: Security Packages - (RA) - File not found
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/07/22 05:17:51 | 00,000,100 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/27 15:07:38 | 00,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== LOP Check ==========

[2009/02/22 20:32:55 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2008/05/19 16:30:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2008/06/12 14:41:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple
[2008/07/23 23:24:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2008/07/01 19:55:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Astar Games
[2007/12/01 15:03:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Awem
[2007/01/30 16:49:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Broderbund
[2006/07/22 05:09:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CyberLink
[2006/07/22 05:00:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Digital Interactive Systems Corporation
[2007/10/28 17:16:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\eGames
[2007/10/09 21:51:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Escape From Paradise
[2008/05/14 22:21:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EscapeTheMuseum
[2008/09/10 20:10:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FarmFrenzy2
[2008/03/22 13:34:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Fashion Solitaire 1.2
[2007/12/20 21:25:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Flood Light Games
[2007/09/09 13:32:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FloodLightGames
[2008/05/11 15:09:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Fugazo
[2008/02/07 21:20:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Genimo
[2008/03/21 21:00:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Google
[2006/07/22 05:44:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
[2008/01/20 16:35:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HiddenSecretsNightmare
[2006/07/22 04:49:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HP
[2008/11/29 12:25:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HP Product Assistant
[2006/07/22 05:03:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InstallShield
[2006/07/22 05:18:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Intuit
[2008/03/09 00:14:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\JollyBear
[2009/02/22 20:45:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2008/07/08 23:20:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ludia
[2009/01/01 12:31:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2007/07/18 23:39:22 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2008/04/08 17:39:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MonteCristo
[2009/01/11 10:54:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Mushroom Age
[2007/11/13 20:58:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NeptunesAdve
[2009/01/15 00:42:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PlayFirst
[2007/07/29 21:09:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap
[2008/01/31 20:59:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\QB9 S.R.L
[2007/11/22 11:32:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Reflexive
[2008/10/08 20:03:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sandlot Games
[2006/07/22 04:39:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBSI
[2007/12/24 10:38:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SecretsOfOlympus
[2009/01/12 23:20:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Shockwave
[2006/07/22 04:45:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sonic
[2008/07/15 13:45:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SpinTop Games
[2008/12/10 08:33:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Symantec
[2008/10/31 21:52:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2008/05/18 11:55:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Trymedia
[2008/10/29 07:42:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Webroot
[2007/07/26 16:48:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent
[2006/09/03 14:28:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2008/07/22 23:10:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Yahoo!
[2009/05/07 16:40:58 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\HP_Administrator\Application Data
[2007/07/26 16:49:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\7Wonders
[2008/05/19 16:04:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Adobe
[2008/05/19 16:04:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\AdobeUM
[2007/12/31 12:53:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Age of Japan II
[2008/09/12 18:27:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Ancient Quest of Saqqarah__reflexive
[2008/09/13 21:10:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Apple Computer
[2008/08/03 11:21:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\ArcSoft
[2008/02/09 17:52:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Aveyond II
[2009/05/07 16:40:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\AVG8
[2008/01/27 19:46:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Big Fish Games
[2008/01/31 20:57:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\BloodTies
[2008/02/07 18:25:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Bloom
[2008/06/18 15:19:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Boomzap
[2007/01/30 16:47:34 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Broderbund
[2008/03/23 23:44:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\DivX
[2007/10/28 17:16:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\eGames
[2007/12/20 21:25:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Flood Light Games
[2007/09/09 13:32:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\FloodLightGames
[2007/10/09 19:16:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\ForgottenRiddles
[2008/03/23 22:41:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\funkitron
[2008/01/19 22:27:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Gamelab
[2008/06/20 22:47:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\GamesCafe
[2008/02/07 21:15:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Genimo
[2008/09/10 21:17:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Go-Go Gourmet Chef of the Year
[2007/08/05 15:49:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Google
[2006/09/03 17:49:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\HP
[2006/09/03 18:15:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\HPQ
[2005/11/14 20:04:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Identities
[2009/02/21 10:52:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Image Zone Express
[2008/03/21 21:00:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\InstallShield
[2006/07/22 05:18:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Intuit
[2009/02/04 14:05:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Leadertech
[2008/07/08 23:20:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Ludia
[2006/09/03 14:26:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Macromedia
[2008/05/17 17:18:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Magic Seeds
[2007/09/21 21:30:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Magic Stones
[2009/01/01 12:31:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Malwarebytes
[2008/03/21 20:58:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Megaupload
[2008/04/07 21:07:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Meridian93
[2008/11/04 18:06:40 | 00,000,000 | --SD | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Microsoft
[2007/09/13 21:47:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Mind Control Software
[2007/10/30 21:41:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla
[2008/07/22 23:09:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\MSNInstaller
[2007/09/08 11:54:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Mysteryville2
[2008/10/29 19:55:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\PC Tools
[2008/01/17 23:21:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Pi Eye Games
[2009/01/15 00:42:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\PlayFirst
[2009/01/12 23:59:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Playrix Entertainment
[2008/01/24 17:17:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Real
[2008/05/13 19:17:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Runes of Avalon 2
[2008/11/06 22:15:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Skip-Bo
[2009/02/04 14:05:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Sonic
[2008/03/16 20:48:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Spandex Force
[2008/05/13 18:15:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Sudden Games
[2006/09/27 17:30:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Sun
[2007/07/18 18:08:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Symantec
[2007/10/30 21:42:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Talkback
[2006/09/03 17:27:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Template
[2007/12/03 23:23:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\URSE Games
[2008/08/30 18:44:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Webroot
[2008/07/30 12:09:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\WinBatch
[2008/10/15 03:10:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Yahoo!
[2007/08/06 18:41:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Zen Puzzle Garden
[2009/05/06 15:38:00 | 00,000,284 | ---- | M] () -- C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
[2009/05/09 00:28:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At1.job
[2009/05/09 09:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At10.job
[2009/05/09 10:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At11.job
[2009/05/09 11:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At12.job
[2009/05/09 12:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At13.job
[2009/05/08 13:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At14.job
[2009/05/08 14:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At15.job
[2009/05/08 15:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At16.job
[2009/05/08 16:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At17.job
[2009/05/08 17:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At18.job
[2009/05/08 18:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At19.job
[2009/05/08 01:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At2.job
[2009/05/08 19:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At20.job
[2009/05/08 20:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At21.job
[2009/05/08 21:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At22.job
[2009/05/08 22:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At23.job
[2009/05/08 23:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At24.job
[2009/05/09 00:39:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At25.job
[2009/05/08 01:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At26.job
[2009/05/08 02:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At27.job
[2009/05/08 03:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At28.job
[2009/05/08 04:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At29.job
[2009/05/08 02:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At3.job
[2009/05/08 05:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At30.job
[2009/05/08 06:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At31.job
[2009/05/08 07:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At32.job
[2009/05/08 08:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At33.job
[2009/05/09 09:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At34.job
[2009/05/09 10:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At35.job
[2009/05/09 11:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At36.job
[2009/05/09 12:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At37.job
[2009/05/08 13:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At38.job
[2009/05/08 14:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At39.job
[2009/05/08 03:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At4.job
[2009/05/08 15:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At40.job
[2009/05/08 16:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At41.job
[2009/05/08 17:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At42.job
[2009/05/08 18:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At43.job
[2009/05/08 19:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At44.job
[2009/05/08 20:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At45.job
[2009/05/08 21:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At46.job
[2009/05/08 22:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At47.job
[2009/05/08 23:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At48.job
[2009/05/08 04:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At5.job
[2009/05/08 05:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At6.job
[2009/05/08 06:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At7.job
[2009/05/08 07:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At8.job
[2009/05/08 08:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At9.job
[2004/08/10 06:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/05/09 12:14:10 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT
[2009/05/08 23:00:00 | 00,000,762 | ---- | M] () -- C:\WINDOWS\Tasks\wrSpySweeper20080902224558.job
[2009/05/09 08:46:16 | 00,001,696 | ---- | M] () -- C:\WINDOWS\Tasks\wrSpySweeper_L07172F48DC2D4E2FB30FDAF278D622F0.job

========== Purity Check ==========


========== Alternate Data Streams ==========

@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CF39FA77
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >

#8
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\0SqtDGhb.exe
C:\WINDOWS\system32\WME126vh.exe 

AtJob::

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{00000000-0000-0000-0000-000000000000}"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


And could you run rooter.exe again and post the log in reply please.

andrewuk
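As an added example (not code from this thread or from the ComboFix/OTListIt tools), here is a Python checker that parses the "Contents of the 'Scheduled Tasks' folder" section of a ComboFix log in the layout quoted in this thread, groups each .job by the executable it launches, and flags the persistence pattern at issue here: a cluster of At*.job tasks all launching one random-named binary in system32. The sample log lines, the name-randomness heuristic and the threshold of three At jobs are constructed for this example; the output uses the File:: and AtJob:: directive form shown in the CFScript above.

```python
import re
from collections import defaultdict

# Constructed sample in the layout ComboFix uses for its
# "Contents of the 'Scheduled Tasks' folder" section; paths mirror the
# entries quoted in this thread, with the task list shortened.
SAMPLE_LOG = """\
Contents of the 'Scheduled Tasks' folder

2009-05-06 c:\\windows\\Tasks\\AppleSoftwareUpdate.job
- c:\\program files\\Apple Software Update\\SoftwareUpdate.exe [2008-07-30 17:34]

2009-05-09 c:\\windows\\Tasks\\At1.job
- c:\\windows\\system32\\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-09 c:\\windows\\Tasks\\At10.job
- c:\\windows\\system32\\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-08 c:\\windows\\Tasks\\At2.job
- c:\\windows\\system32\\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-09 c:\\windows\\Tasks\\wrSpySweeper20080902224558.job
- c:\\program files\\Webroot\\Spy Sweeper\\SpySweeper.exe [2009-04-02 19:29]
.
.
------- Supplementary Scan -------
"""

SECTION_START = "Contents of the 'Scheduled Tasks' folder"
# "2009-05-09 c:\windows\Tasks\At1.job"
JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(?P<job>.+?\.job)\s*$", re.IGNORECASE)
# "- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . ...]"
TARGET_RE = re.compile(r"^-\s+(?P<target>.+?)\s+\[")


def parse_scheduled_tasks(log_text):
    """Return [(job_path, target_path)] from the Scheduled Tasks section."""
    pairs, current_job, in_section = [], None, False
    for line in log_text.splitlines():
        if line.startswith(SECTION_START):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("-------"):      # next ComboFix section begins
            break
        m = JOB_RE.match(line)
        if m:
            current_job = m.group("job")
            continue
        m = TARGET_RE.match(line)
        if m and current_job:
            pairs.append((current_job, m.group("target")))
            current_job = None
    return pairs


def looks_random(stem):
    """Heuristic (constructed): generated names are long, mix cases or
    digits, and are nearly vowel-free (e.g. 0SqtDGhb, WME126vh)."""
    if len(stem) < 6:
        return False
    mixed_case = any(c.isupper() for c in stem) and any(c.islower() for c in stem)
    has_digit = any(c.isdigit() for c in stem)
    vowels = sum(c in "aeiouAEIOU" for c in stem)
    return (mixed_case or has_digit) and vowels / len(stem) < 0.2


def find_suspicious(pairs, min_at_jobs=3):
    """Group jobs by target; flag a target when a cluster of At*.job tasks
    launches it or when it is a random-looking binary under system32."""
    by_target = defaultdict(list)
    for job, target in pairs:
        by_target[target].append(job)
    findings = {}
    for target, jobs in by_target.items():
        reasons = []
        at_jobs = [j for j in jobs if re.search(r"\\at\d+\.job$", j, re.IGNORECASE)]
        if len(at_jobs) >= min_at_jobs:
            reasons.append(f"{len(at_jobs)} At*.job tasks launch this file")
        stem = target.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if "\\system32\\" in target.lower() and looks_random(stem):
            reasons.append("random-looking executable name in system32")
        if reasons:
            findings[target] = reasons
    return findings


def cfscript_directives(findings):
    """Express findings in the File:: / AtJob:: form the CFScript above uses."""
    lines = ["File::"] + sorted(findings)
    if any("At*.job" in r for rs in findings.values() for r in rs):
        lines += ["", "AtJob::"]
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_suspicious(parse_scheduled_tasks(SAMPLE_LOG))
    for target, reasons in found.items():
        print(target, "->", "; ".join(reasons))
    print(cfscript_directives(found))
```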

#9
Nishie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Here's the ComboFix-

ComboFix 09-05-08.03 - HP_Administrator 05/09/2009 13:51.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.540 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt.lnk
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\HP_Administrator\Local Settings\Temp\IadHide5.dll

.
((((((((((((((((((((((((( Files Created from 2009-04-09 to 2009-05-09 )))))))))))))))))))))))))))))))
.

2009-05-09 14:02 . 2009-05-09 15:57 -------- d-----w C:\Rooter$
2009-05-09 04:46 . 2009-05-09 04:47 -------- d-----w c:\program files\ERUNT
2009-05-09 03:18 . 2009-05-09 03:18 164 ----a-w c:\windows\install.dat
2009-05-07 21:40 . 2009-05-07 21:40 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\AVG8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-07 21:04 . 2009-01-01 17:31 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 20:32 . 2009-01-01 17:31 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2009-01-01 17:31 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-06 18:32 . 2008-10-29 04:34 1563008 ----a-w c:\windows\WRSetup.dll
2009-04-02 19:30 . 2008-10-02 09:15 176752 ----a-w c:\windows\system32\drivers\ssidrv.sys
2009-04-02 19:30 . 2008-10-02 09:15 23152 ----a-w c:\windows\system32\drivers\sshrmd.sys
2009-04-02 19:30 . 2008-10-02 09:15 29808 ----a-w c:\windows\system32\drivers\ssfs0bbc.sys
2009-03-27 12:28 . 2007-07-19 04:38 -------- d-----w c:\program files\DivX
2009-03-27 12:28 . 2009-03-27 12:27 -------- d-----w c:\program files\Common Files\DivX Shared
.

((((((((((((((((((((((((((((( SnapShot@2009-05-09_17.14.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-08-31 04:02 . 2009-05-09 17:14 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-08-31 04:02 . 2009-05-09 13:49 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-08-30 20:51 . 2009-05-09 17:14 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-08-30 20:51 . 2009-05-09 13:49 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-08-30 20:51 . 2009-05-09 17:14 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-08-30 20:51 . 2009-05-09 13:49 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\backupiconoverlayid]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-04-06 18:26 238968 ----a-w c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"RTHDCPL"="c:\windows\RTHDCPL.EXE" [2006-03-08 16010240]
"AlwaysReady Power Message APP"="c:\windows\ARPWRMSG.EXE" [2005-08-03 77312]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdMgr.exe" [2006-03-16 61440]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-03-20 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-12-16 49152]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-09 185872]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-04-06 6345840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-7-22 36903]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wrconsumerservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Mythology\\aom.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP Rhapsody\\rhapsody.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/22/2009 8:45 PM 64160]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [10/2/2008 4:15 AM 29808]
R2 wrconsumerservice;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [10/28/2008 11:34 PM 1181040]
R3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);c:\windows\system32\drivers\SMCWGU.sys [7/17/2007 9:41 AM 408064]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [10/29/2008 7:55 PM 356920]
.
Contents of the 'Scheduled Tasks' folder

2009-05-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-05-09 c:\windows\Tasks\At1.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-09 c:\windows\Tasks\At10.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-09 c:\windows\Tasks\At11.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-09 c:\windows\Tasks\At12.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-09 c:\windows\Tasks\At13.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-09 c:\windows\Tasks\At14.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-08 c:\windows\Tasks\At15.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-08 c:\windows\Tasks\At16.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-08 c:\windows\Tasks\At17.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-08 c:\windows\Tasks\At18.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-08 c:\windows\Tasks\At19.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-08 c:\windows\Tasks\At2.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-09 c:\windows\Tasks\At20.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-09 c:\windows\Tasks\At21.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-09 c:\windows\Tasks\At22.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-09 c:\windows\Tasks\At23.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-09 c:\windows\Tasks\At24.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-08 c:\windows\Tasks\At3.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-08 c:\windows\Tasks\At4.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-08 c:\windows\Tasks\At5.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-08 c:\windows\Tasks\At6.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-08 c:\windows\Tasks\At7.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-08 c:\windows\Tasks\At8.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-08 c:\windows\Tasks\At9.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-09 c:\windows\Tasks\wrSpySweeper20080902224558.job
- c:\program files\Webroot\Spy Sweeper\SpySweeper.exe [2009-04-02 19:29]

2009-05-09 c:\windows\Tasks\wrSpySweeper_L07172F48DC2D4E2FB30FDAF278D622F0.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-10-29 18:32]

2009-05-09 c:\windows\Tasks\wrSpySweeper_L07172F48DC2D4E2FB30FDAF278D622F0.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-10-29 18:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: trymedia.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-09 13:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4056)
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
c:\windows\system32\ati2evxx.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\Webroot\Spy Sweeper\SSU.exe
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
.
**************************************************************************
.
Completion time: 2009-05-09 13:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-09 18:59
ComboFix2.txt 2009-05-09 17:19

Pre-Run: 122,653,831,168 bytes free
Post-Run: 122,644,635,648 bytes free

228 --- E O F --- 2009-02-13 00:11
  • 0

#10
Nishie

Nishie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
And the Rooter-

Microsoft Windows XP Professional (5.1.2600) Service Pack 3

C:\ [Fixed] - NTFS - (Total:181790 Mo/Free:2290 Mo)
D:\ [Fixed] - FAT32 - (Total:8972 Mo/Free:431 Mo)
E:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
F:\ [Removable] (Total:0 Mo/Free:0 Mo)
G:\ [Removable] (Total:0 Mo/Free:0 Mo)
H:\ [Removable] (Total:0 Mo/Free:0 Mo)
I:\ [Removable] (Total:0 Mo/Free:0 Mo)

Sat 05/09/2009|14:01

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
---------- C:\WINDOWS\system32\Ati2evxx.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
---------- C:\WINDOWS\arservice.exe
---------- C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
---------- C:\WINDOWS\eHome\ehRecvr.exe
---------- C:\WINDOWS\eHome\ehSched.exe
---------- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
---------- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
---------- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
---------- C:\WINDOWS\system32\Ati2evxx.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
---------- C:\WINDOWS\ehome\mcrdsvc.exe
---------- C:\WINDOWS\system32\dllhost.exe
---------- C:\WINDOWS\System32\alg.exe
---------- C:\WINDOWS\ehome\ehtray.exe
---------- C:\WINDOWS\RTHDCPL.EXE
---------- C:\WINDOWS\eHome\ehmsas.exe
---------- C:\WINDOWS\ARPWRMSG.EXE
---------- C:\Program Files\DISC\DiscUpdMgr.exe
---------- C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
---------- C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
---------- C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
---------- C:\Program Files\iTunes\iTunesHelper.exe
---------- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
---------- C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
---------- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
---------- C:\WINDOWS\system32\ctfmon.exe
---------- C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
---------- C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
---------- C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
---------- C:\Program Files\iPod\bin\iPodService.exe
---------- C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
---------- C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
---------- C:\WINDOWS\explorer.exe
---------- C:\HP\KBD\KBD.EXE
---------- C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
---------- c:\windows\system\hpsysdrv.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\WME126vh.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe
Trojan ! .. C:\WINDOWS\system32\0SqtDGhb.exe

----------------------\\ Tasks

C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At25.job
C:\WINDOWS\tasks\At26.job
C:\WINDOWS\tasks\At27.job
C:\WINDOWS\tasks\At28.job
C:\WINDOWS\tasks\At29.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At31.job
C:\WINDOWS\tasks\At32.job
C:\WINDOWS\tasks\At33.job
C:\WINDOWS\tasks\At34.job
C:\WINDOWS\tasks\At35.job
C:\WINDOWS\tasks\At36.job
C:\WINDOWS\tasks\At37.job
C:\WINDOWS\tasks\At38.job
C:\WINDOWS\tasks\At39.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At41.job
C:\WINDOWS\tasks\At42.job
C:\WINDOWS\tasks\At43.job
C:\WINDOWS\tasks\At44.job
C:\WINDOWS\tasks\At45.job
C:\WINDOWS\tasks\At46.job
C:\WINDOWS\tasks\At47.job
C:\WINDOWS\tasks\At48.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job

----------------------\\ ROOTKIT !!



1 - "C:\Rooter$\Rooter_1.txt" - Sat 05/09/2009| 9:03
2 - "C:\Rooter$\Rooter_2.txt" - Sat 05/09/2009|10:56
3 - "C:\Rooter$\Rooter_3.txt" - Sat 05/09/2009|14:01

----------------------\\ Scan completed at 14:01


Now when I start Rooter, there's this 'No Disk' warning that pops up. Is that normal?
  • 0


#11
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hmm... that did not go to plan, let's go this route:

Run OTListIt2.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTLI
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{00000000-0000-0000-0000-000000000000}"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}]
    
    :Files
    C:\WINDOWS\system32\0SqtDGhb.exe 
    C:\WINDOWS\system32\WME126vh.exe 
    C:\WINDOWS\tasks\At1.job
    C:\WINDOWS\tasks\At11.job
    C:\WINDOWS\tasks\At12.job
    C:\WINDOWS\tasks\At13.job
    C:\WINDOWS\tasks\At14.job
    C:\WINDOWS\tasks\At15.job
    C:\WINDOWS\tasks\At16.job
    C:\WINDOWS\tasks\At17.job
    C:\WINDOWS\tasks\At18.job
    C:\WINDOWS\tasks\At19.job
    C:\WINDOWS\tasks\At2.job
    C:\WINDOWS\tasks\At21.job
    C:\WINDOWS\tasks\At22.job
    C:\WINDOWS\tasks\At23.job
    C:\WINDOWS\tasks\At24.job
    C:\WINDOWS\tasks\At25.job
    C:\WINDOWS\tasks\At26.job
    C:\WINDOWS\tasks\At27.job
    C:\WINDOWS\tasks\At28.job
    C:\WINDOWS\tasks\At29.job
    C:\WINDOWS\tasks\At3.job
    C:\WINDOWS\tasks\At31.job
    C:\WINDOWS\tasks\At32.job
    C:\WINDOWS\tasks\At33.job
    C:\WINDOWS\tasks\At34.job
    C:\WINDOWS\tasks\At35.job
    C:\WINDOWS\tasks\At36.job
    C:\WINDOWS\tasks\At37.job
    C:\WINDOWS\tasks\At38.job
    C:\WINDOWS\tasks\At39.job
    C:\WINDOWS\tasks\At4.job
    C:\WINDOWS\tasks\At41.job
    C:\WINDOWS\tasks\At42.job
    C:\WINDOWS\tasks\At43.job
    C:\WINDOWS\tasks\At44.job
    C:\WINDOWS\tasks\At45.job
    C:\WINDOWS\tasks\At46.job
    C:\WINDOWS\tasks\At47.job
    C:\WINDOWS\tasks\At48.job
    C:\WINDOWS\tasks\At5.job
    C:\WINDOWS\tasks\At6.job
    C:\WINDOWS\tasks\At7.job
    C:\WINDOWS\tasks\At8.job
    C:\WINDOWS\tasks\At9.job
    
    :Commands
    [resethosts]
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL2 log
And could you run the rooter.exe again please and post the log in the reply.

andrewuk
  • 0
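The pattern in the ComboFix and Rooter logs above (dozens of At*.job scheduled tasks all launching one randomly named binary under system32) is what the :Files section of the fix targets. As an added example, not part of the thread or of any of the tools it uses, this Python script parses the two-line task entries in the ComboFix format shown earlier, groups At*.job tasks by the program they run, and lists the binary and its jobs for removal; the sample log is constructed, with the placeholder_single.exe path invented for the one-job case.

```python
"""Triage ComboFix scheduled-task entries for the At*.job persistence pattern.

Each task appears in the ComboFix log as two lines:
    <date> <path to .job>
    - <program the task launches> [<timestamps>]
"""
import re
from collections import defaultdict

# Constructed sample in the ComboFix log format. The 0SqtDGhb.exe and SpySweeper
# entries mirror the thread; At30.job -> placeholder_single.exe is an invented
# one-off so the threshold logic has something to leave alone.
SAMPLE_LOG = r"""
2009-05-09 c:\windows\Tasks\At12.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-09 c:\windows\Tasks\At13.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-08 c:\windows\Tasks\At2.job
- c:\windows\system32\0SqtDGhb.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-08 c:\windows\Tasks\At30.job
- c:\windows\system32\placeholder_single.exe [2008-10-12 02:04 . 2008-10-12 02:03]

2009-05-09 c:\windows\Tasks\wrSpySweeper20080902224558.job
- c:\program files\Webroot\Spy Sweeper\SpySweeper.exe [2009-04-02 19:29]
"""

JOB_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(.+\.job)\s*$", re.IGNORECASE)
TARGET_RE = re.compile(r"^-\s+(.+?)\s+\[(.*)\]\s*$")
# At<N>.job files are created by the 'at' command, which a home user rarely runs.
AT_JOB_RE = re.compile(r"\\At(\d+)\.job$", re.IGNORECASE)


def parse_tasks(log_text):
    """Return one dict {date, job, target, stamps} per task in a ComboFix listing."""
    entries, pending = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = JOB_RE.match(line)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        m = TARGET_RE.match(line)
        if m and pending:
            date, job = pending
            entries.append({"date": date, "job": job,
                            "target": m.group(1), "stamps": m.group(2)})
            pending = None
    return entries


def job_number(job_path):
    """Numeric part of At<N>.job, for natural ordering (-1 if not an At job)."""
    m = AT_JOB_RE.search(job_path)
    return int(m.group(1)) if m else -1


def at_jobs_by_target(entries):
    """Group At*.job tasks by launched program (paths lowercased: NTFS is case-insensitive)."""
    groups = defaultdict(list)
    for e in entries:
        if AT_JOB_RE.search(e["job"]):
            groups[e["target"].lower()].append(e["job"])
    return {t: sorted(jobs, key=job_number) for t, jobs in groups.items()}


def suspicious_targets(entries, min_jobs=2):
    """Programs launched by at least min_jobs At*.job tasks, most-referenced first."""
    groups = at_jobs_by_target(entries)
    flagged = {t: j for t, j in groups.items() if len(j) >= min_jobs}
    return sorted(flagged.items(), key=lambda kv: -len(kv[1]))


def removal_list(entries, min_jobs=2):
    """Paths for a fix's :Files section: each flagged binary followed by its .job files."""
    paths = []
    for target, jobs in suspicious_targets(entries, min_jobs):
        paths.append(target)
        paths.extend(jobs)
    return paths


if __name__ == "__main__":
    found = parse_tasks(SAMPLE_LOG)
    for target, jobs in suspicious_targets(found):
        print(f"{len(jobs)} At*.job tasks launch {target}: {', '.join(jobs)}")
    print("Removal list:", *removal_list(found), sep="\n  ")
```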

#12
Nishie

Nishie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
When I try to run OTListIt2 with the code you gave me, a " Connot create file C:/WINDOWS/SYSTEM32/drivers/ect/Hosts " message comes up, and then it just kind of goes really slow. Should I just let it run, or stop it?

Edited by Nishie, 09 May 2009 - 01:35 PM.

  • 0

#13
Nishie

Nishie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Never mind, I think I got it to work... kind of. Here's what came up after I ran OTListIT2:

Error: Unable to interpret <[resethosts]> in the current context!
Error: Unable to interpret <[purity]> in the current context!
Error: Unable to interpret <[emptytemp]> in the current context!
Error: Unable to interpret <[start explorer]> in the current context!
Error: Unable to interpret <[Reboot]> in the current context!

OTListIt2 by OldTimer - Version 2.0.15.5 log created on 05092009_153331
  • 0

#14
Nishie

Nishie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
And here's rooter-

Microsoft Windows XP Professional (5.1.2600) Service Pack 3

C:\ [Fixed] - NTFS - (Total:181790 Mo/Free:2260 Mo)
D:\ [Fixed] - FAT32 - (Total:8972 Mo/Free:431 Mo)
E:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
F:\ [Removable] (Total:0 Mo/Free:0 Mo)
G:\ [Removable] (Total:0 Mo/Free:0 Mo)
H:\ [Removable] (Total:0 Mo/Free:0 Mo)
I:\ [Removable] (Total:0 Mo/Free:0 Mo)

Sat 05/09/2009|15:35

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
---------- C:\WINDOWS\system32\Ati2evxx.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
---------- C:\WINDOWS\arservice.exe
---------- C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
---------- C:\WINDOWS\eHome\ehRecvr.exe
---------- C:\WINDOWS\eHome\ehSched.exe
---------- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
---------- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
---------- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
---------- C:\WINDOWS\system32\Ati2evxx.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
---------- C:\WINDOWS\ehome\mcrdsvc.exe
---------- C:\WINDOWS\system32\dllhost.exe
---------- C:\WINDOWS\System32\alg.exe
---------- C:\WINDOWS\ehome\ehtray.exe
---------- C:\WINDOWS\RTHDCPL.EXE
---------- C:\WINDOWS\eHome\ehmsas.exe
---------- C:\WINDOWS\ARPWRMSG.EXE
---------- C:\Program Files\DISC\DiscUpdMgr.exe
---------- C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
---------- C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
---------- C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
---------- C:\Program Files\iTunes\iTunesHelper.exe
---------- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
---------- C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
---------- C:\WINDOWS\system32\ctfmon.exe
---------- C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
---------- C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
---------- C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
---------- C:\Program Files\iPod\bin\iPodService.exe
---------- C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
---------- C:\HP\KBD\KBD.EXE
---------- C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
---------- c:\windows\system\hpsysdrv.exe
---------- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
---------- C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
---------- C:\WINDOWS\explorer.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

----------------------\\ ROOTKIT !!



1 - "C:\Rooter$\Rooter_1.txt" - Sat 05/09/2009| 9:03
2 - "C:\Rooter$\Rooter_2.txt" - Sat 05/09/2009|10:56
3 - "C:\Rooter$\Rooter_3.txt" - Sat 05/09/2009|14:01
4 - "C:\Rooter$\Rooter_4.txt" - Sat 05/09/2009|15:35

----------------------\\ Scan completed at 15:35
  • 0

#15
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Well, it seemed to do the trick.

In this post we will do some general scans to clear out the remnants and ensure nothing else sneaked onto your machine.

The scans will likely take 4 hours, quite possibly much longer, so just let them run.

We will also update your Java.


====STEP 1====
Please download ATF Cleaner by Atribune.

Caution: This program is for Windows 2000, XP and Vista only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.



====STEP 2====
we will update and re-run your malwarebytes:

double click the malwarebytes icon on your desktop to open the program
  • on the tabs at the top, select Update and then press the Check for Updates button on that page. If an update is found, it will download and install the latest version.
  • once complete (a new version of malwarebytes may download) select the tab Scanner
  • select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



====STEP 3====
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
====STEP 4====
Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts. A log will appear (JavaRa.log), no need to post the log here
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
====STEP 5====
Please do an online scan with Kaspersky WebScanner (this will identify any issues, we will clear them in the following post)

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java to download and install the latest version.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 13.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u13-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u13-windows-i586-p.exe and select "Run as an Administrator.")
In your next reply could I see:
1. the malwarebytes log
2. the superantispyware log
3. the kaspersky log
4. some idea of how your machine is running now

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0
