I went to bed night before last and my computer installed some updates before shutting down. I woke up the next morning and after a while of surfing I disabled my firewall to check something out in iTunes. Suddenly my computer restarts and keeps trying to install AV Pro. I couldn't get Norton or to open. So I ran a trojan remover, AF cleaner, Avast (which seemed to load more spyware than I had to begin with), ComboFix, and HijackThis. It seems everything is back to normal after running ComboFix. The installer is gone. Could someone take a look at my logs?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:36:55 PM, on 11/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\nda.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netscape.aol.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: HP Organize.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: WMP10ctrl - http://www.cinemanow.com/WMP10ctrl.CAB
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {C5326A4D-E9AA-40AD-A09A-E74304D86B47} (DinerDash Control) - http://www.worldwinner.com/games/v50/dinerdash/dinerdash.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.cinemanow.com/dlControl_3_3.CAB
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj02.custhelp.com/8102-b424h/rnl/java/RntX.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - AppInit_DLLs: karna.dat fptane.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Software Jukebox v2.0 Service - Unknown owner - C:\Program Files\Common Files\MSJB NA01D Shared\Service\Software Jukebox v2.0 Service File.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 9468 bytes

And this is the log from ComboFix (I ran this before HijackThis):

ComboFix 08-11-12.02 - HP_Owner 2008-11-14 13:00:24.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.132 [GMT -8:00]
Running from: c:\documents and settings\HP_Owner\My Documents\ComboFix.exe
 * Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\HP_Owner\Application Data\gadcom
c:\documents and settings\HP_Owner\Application Data\gadcom\gadcom.exe
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\dokeqat.db
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\ibiqogywun._dl
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\ufuwa.db
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\upopisima.bat
c:\program files\GetModule
c:\program files\GetModule\GetModule27.exe
c:\program files\iCheck
c:\program files\iCheck\Uninstall.exe
c:\windows\brastk.exe
c:\windows\IA
c:\windows\IE4 Error Log.txt
c:\windows\system32\bhmodl.dll
c:\windows\system32\bqyykcid.dll
c:\windows\system32\brastk.exe
c:\windows\system32\cdpavqsn.ini
c:\windows\system32\drivers\svchost.exe
c:\windows\system32\egjlm.bak2
c:\windows\system32\egjlm.ini
c:\windows\system32\egjlm.ini2
c:\windows\system32\egjlm.tmp
c:\windows\system32\fptane.dll
c:\windows\system32\iowsnvxv.ini
c:\windows\system32\mlJYropP.dll
c:\windows\system32\mlJYrspm.dll
c:\windows\system32\mpsrYJlm.ini
c:\windows\system32\mpsrYJlm.ini2
c:\windows\system32\msansspc.dll
c:\windows\system32\nnnmnkHY.dll
c:\windows\system32\nsqvapdc.dll
c:\windows\system32\ps.a3d
c:\windows\system32\qxqflbsr.dll
c:\windows\system32\TDSShrxr.dll
c:\windows\system32\TDSSkkbi.log
c:\windows\system32\TDSSlrvd.dat
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSoiqt.dll
c:\windows\system32\TDSSrtqp.dll
c:\windows\system32\TDSSxfum.dll
c:\windows\system32\wini1087100.exe
c:\windows\system32\wini10894.exe
c:\windows\system32\WinNB55.dll
c:\windows\system32\wpv261226639170.cpx
c:\windows\wiaserviv.log
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CMDSERVICE
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-10-14 to 2008-11-14 )))))))))))))))))))))))))))))))
.

2008-11-14 02:22 . 2008-11-14 02:22 <DIR> d-------- c:\program files\Trend Micro
2008-11-14 00:40 . 2008-11-14 00:40 <DIR> d-------- c:\program files\Alwil Software
2008-11-14 00:35 . 2008-11-14 00:35 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\GetModule
2008-11-14 00:35 . 2008-11-14 00:35 18,432 --a------ c:\documents and settings\HP_Owner\~.exe
2008-11-14 00:22 . 2008-11-14 00:23 <DIR> d-------- c:\program files\Trojan Remover
2008-11-14 00:22 . 2008-11-14 00:22 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\Simply Super Software
2008-11-14 00:22 . 2008-11-14 00:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Simply Super Software
2008-11-14 00:22 . 2006-05-25 14:52 162,304 --a------ c:\windows\system32\ztvunrar36.dll
2008-11-14 00:22 . 2003-02-02 19:06 153,088 --a------ c:\windows\system32\UNRAR3.dll
2008-11-14 00:22 . 2005-08-26 00:50 77,312 --a------ c:\windows\system32\ztvunace26.dll
2008-11-14 00:22 . 2002-03-06 00:00 75,264 --a------ c:\windows\system32\unacev2.dll
2008-11-14 00:22 . 2006-06-19 12:01 69,632 --a------ c:\windows\system32\ztvcabinet.dll
2008-11-13 18:23 . 2008-11-13 18:23 1,689 --a------ c:\windows\Sysvxd.exe
2008-11-13 16:35 . 2008-11-13 16:35 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Webroot
2008-11-13 15:57 . 2008-11-13 16:13 <DIR> d-------- c:\program files\RogueRemover FREE
2008-11-13 15:34 . 2008-11-13 15:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-11-13 15:18 . 2008-11-13 15:18 <DIR> d-------- c:\windows\system32\drivers\NAV
2008-11-13 15:18 . 2008-11-13 15:18 <DIR> d-------- c:\program files\Windows Sidebar
2008-11-13 13:47 . 2008-11-13 13:47 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-11-13 13:47 . 2008-11-13 13:47 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-11-13 13:46 . 2008-11-13 14:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2008-11-13 13:41 . 2008-11-13 13:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\PCSettings
2008-11-13 12:54 . 2008-11-13 12:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-11-13 10:51 . 2008-11-13 23:52 10,752 --a------ c:\windows\brastk.exe.vir
2008-11-13 10:33 . 2008-11-13 10:33 19,262 --a------ c:\windows\gufih.scr
2008-11-13 10:33 . 2008-11-13 10:33 18,973 --a------ c:\documents and settings\All Users\Application Data\likyqe.com
2008-11-13 10:33 . 2008-11-13 10:33 17,507 --a------ c:\windows\ipul.vbs
2008-11-13 10:33 . 2008-11-13 10:33 16,179 --a------ c:\windows\yrigehatik.dat
2008-11-13 10:33 . 2008-11-13 10:33 15,820 --a------ c:\documents and settings\HP_Owner\Application Data\acaw.exe
2008-11-13 10:33 . 2008-11-13 10:33 14,056 --a------ c:\windows\system32\ulik.pif
2008-11-13 10:33 . 2008-11-13 10:33 13,776 --a------ c:\documents and settings\HP_Owner\Application Data\kuvija.scr
2008-11-13 10:33 . 2008-11-13 10:33 12,638 --a------ c:\documents and settings\HP_Owner\Application Data\wudicex.sys
2008-11-13 10:33 . 2008-11-13 10:33 11,181 --a------ c:\windows\atalyzuk.com
2008-11-13 10:33 . 2008-11-13 10:33 10,826 --a------ c:\windows\system32\unybuvul.exe
2008-11-13 10:28 . 2008-11-13 07:56 156 --a------ c:\documents and settings\HP_Owner\delself.bat
2008-11-13 10:26 . 2008-11-13 23:52 10,752 --a------ c:\windows\system32\brastk.exe.vir
2008-11-13 08:16 . 2008-11-13 08:18 <DIR> d-------- C:\a84bebd03b14490a27
2008-11-13 08:16 . 2008-11-13 08:16 19,120 --a------ c:\windows\xasilufy.db
2008-11-13 08:16 . 2008-11-13 08:16 17,444 --a------ c:\windows\system32\puba.inf
2008-11-13 08:16 . 2008-11-13 08:16 16,964 --a------ c:\documents and settings\HP_Owner\Application Data\soma.exe
2008-11-13 08:16 . 2008-11-13 08:16 16,857 --a------ c:\windows\zutes._dl
2008-11-13 08:16 . 2008-11-13 08:16 16,561 --a------ c:\windows\obumer.sys
2008-11-13 08:16 . 2008-11-13 08:16 15,977 --a------ c:\windows\system32\ucalipe.db
2008-11-13 08:16 . 2008-11-13 08:16 14,351 --a------ c:\windows\dykasyw.dat
2008-11-13 08:16 . 2008-11-13 08:16 13,422 --a------ c:\program files\Common Files\cagyxake.reg
2008-11-13 08:16 . 2008-11-13 08:16 13,204 --a------ c:\windows\nodat.inf
2008-11-13 08:16 . 2008-11-13 08:16 12,937 --a------ c:\documents and settings\All Users\Application Data\awodawesad.bat
2008-11-13 08:16 . 2008-11-13 08:16 12,312 --a------ c:\windows\iqopop.com
2008-11-13 08:16 . 2008-11-13 08:16 11,210 --a------ c:\documents and settings\HP_Owner\Application Data\fonasy.com
2008-11-12 13:53 . 2008-09-04 09:15 1,106,944 --a--c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 13:53 . 2008-10-24 03:21 455,296 --a--c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-06 16:40 . 2008-11-14 00:26 <DIR> d-------- c:\program files\Common
2008-10-28 19:51 . 2008-10-28 19:51 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-10-28 19:46 . 2008-10-28 19:46 <DIR> d-------- c:\windows\system32\LogFiles
2008-10-28 19:46 . 2008-10-28 19:48 <DIR> d-------- c:\windows\system32\drivers\UMDF
2008-10-24 11:21 . 2008-10-15 08:34 337,408 --a--c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-14 16:15 . 2008-08-14 02:11 2,189,184 --a--c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-14 16:15 . 2008-08-14 02:09 2,145,280 --a--c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-14 16:15 . 2008-08-14 01:33 2,066,048 --a--c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-14 16:15 . 2008-08-14 01:33 2,023,936 --a--c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-14 16:11 . 2008-09-08 02:41 333,824 --a--c--- c:\windows\system32\dllcache\srv.sys
2008-10-14 16:06 . 2008-09-15 04:12 1,846,400 --a--c--- c:\windows\system32\dllcache\win32k.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-14 20:55 4,124 ----a-w c:\windows\viassary-hp.reg
2008-11-14 09:25 --------- d-----w c:\program files\Puzzle Hero
2008-11-14 08:30 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-13 23:18 --------- d-----w c:\program files\Norton AntiVirus
2008-11-13 21:47 60,808 ----a-w c:\windows\system32\S32EVNT1.DLL
2008-11-13 21:47 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2008-11-13 21:47 --------- d-----w c:\program files\Symantec
2008-11-13 18:33 11,869 ----a-w c:\program files\Common Files\rafadax.inf
2008-11-13 16:16 13,705 ----a-w c:\program files\Common Files\urezecyg._sy
2008-11-06 06:05 --------- d-----w c:\program files\LimeWire
2008-11-06 06:05 --------- d-----w c:\program files\Incomplete
2008-11-05 08:43 --------- d-----w c:\program files\ABC Amber LIT Converter
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2(2).dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-13 02:07 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2008-10-13 02:07 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLds.DAT
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-21 21:21 --------- d-----w c:\program files\InterActual
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-12 22:21 98,304 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\PluginCtrl.dll
2008-09-12 22:21 3,072 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\pchealthde.exe
2008-09-12 22:21 139,264 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\ContentUpdater.exe
2008-09-12 22:20 69,632 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\msxmlwrapper.dll
2008-09-12 22:20 5,632 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\GUI.dll
2008-09-12 22:20 4,096 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\winverifytrustwrapper.dll
2008-09-12 22:20 356,352 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\client_motkt.dll
2008-09-12 22:20 315,392 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\pchmsxml.dll
2008-09-12 22:20 307,200 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\pchnotify.exe
2008-09-12 22:20 282,624 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\clientutil52.dll
2008-09-12 22:20 213,089 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\motive.zip
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-09-04 02:34 0 ----a-w c:\documents and settings\HP_Owner\jagex_runescape_preferences.dat
2008-08-20 05:30 666,112 ----a-w c:\windows\system32\wininet.dll
2008-08-14 10:11 2,189,184 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w c:\windows\system32\ntkrnlpa.exe
2005-09-26 16:47 424,685 --sh--w c:\windows\system\bilsp.bak1
2005-10-01 17:27 425,991 --sh--w c:\windows\system\bilsp.bak2
2005-10-01 22:56 182,819 --sh--w c:\windows\system\bilsp.ini2
2005-03-10 07:03 56 --sh--r c:\windows\system32\5383F6A747.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2003-12-17 118784]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 368706]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe" [2005-05-10 11776]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2008-11-08 1233800]
"VTTimer"="VTTimer.exe" [2004-10-22 c:\windows\system32\VTTimer.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 c:\windows\AGRSMMSG.exe]

c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
HP Organize.lnk - c:\program files\Hewlett-Packard\HP Organize\bin\displayAgent.exe [2004-08-11 36864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-29 241664]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2004-09-17 200704]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2008-01-29 118784]
Updates from HP.lnk - c:\program files\Updates from HP\309731\Program\Updates from HP.exe [2004-08-11 16423]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=karna.dat fptane.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.PIXL"= pclepixl.dll
"VIDC.NTN1"= NUVision.ax

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=c:\windows\pss\SpySubtract.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2006-08-01 15:35 67112 c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Athan]
--a------ 2005-09-11 17:04 937984 c:\program files\Athan\Athan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 16:05 81920 c:\program files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2005-11-16 14:38 3759104 c:\program files\Webroot\Spy Sweeper\SpySweeper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-09-26 18:14 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\interMute\\SpySubtract\\SpySub.exe"=
"c:\\Program Files\\BitTorrent\\btdownloadgui.exe"=
"c:\\Program Files\\burst\\core-new1.1.3\\btdownloadheadless.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\burst\\core-shad0w5.7.6\\btdownloadheadless.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\FSCAgent.exe"=
"c:\\WINDOWS\\system32\\ClubBox.exe"=
"c:\\WINDOWS\\system32\\pdbox28.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:emule: tcp incoming

R0 SSI;SSI;c:\windows\system32\Drivers\SSI.SYS [2005-11-16 78336]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe [2008-04-13 14336]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe WUSB54Gv42.exe [ ]
S3 NUVision;Pinnacle DVC 80 Video;c:\windows\system32\DRIVERS\nuvvid2.sys [2001-12-03 155264]
S3 SPCP825K;Sunplus Serial port driver;c:\windows\system32\DRIVERS\SPCP825K.sys [ ]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;c:\windows\system32\DRIVERS\usb8023.sys [2008-04-13 12800]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

*Newly Created Service* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder

2008-11-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{8FEF4547-2D46-4C6A-9CBF-F74CAC69D043} - c:\windows\system32\mlJYrspm.dll
BHO-{B0B3393C-62D1-44D8-ABF5-08E0F067F29E} - c:\windows\system32\mlJYropP.dll
HKCU-Run-zziz - c:\progra~1\COMMON~1\zziz\zzizm.exe
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
HKCU-Run-GetModule27 - c:\program files\GetModule\GetModule27.exe
HKCU-Run-brastk - c:\windows\system32\brastk.exe
HKLM-Run-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
HKLM-Run-NAV - c:\documents and settings\HP_Owner\My Documents\NAV[1].2009.90.Days_Patch\NAV.2009.90.Days+Patch\NAV2009_16.0.exe
HKLM-Run-d8e99d0d - c:\windows\system32\nsqvapdc.dll
HKLM-Run-ClubBox - (no file)
ShellExecuteHooks-{FA010552-4A27-4cb1-A1BB-3E2D697F1639} - (no file)
ShellExecuteHooks-{B0B3393C-62D1-44D8-ABF5-08E0F067F29E} - c:\windows\system32\mlJYropP.dll
MSConfigStartUp-Antivirus Pro 2009 - c:\program files\AntivirusPro2009\AntivirusPro2009.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\2kx2aisv.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://iheartlakorns.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-14 13:15:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\ewido\security suite\ewidoctrl.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Webroot\Spy Sweeper\WRSSSDK.exe
c:\progra~1\MUSICM~1\MUSICM~1\MMDiag.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\Musicmatch\Musicmatch Jukebox\mim.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\HEWLET~1\HPORGA~1\bin\nda.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\msiexec.exe
c:\progra~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe
c:\program files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2008-11-14 13:27:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-14 21:27:27

Pre-Run: 29,661,110,272 bytes free
Post-Run: 30,181,736,448 bytes free

338 --- E O F --- 2008-11-13 16:18:06

Thanks in Advance!
Adding a new HijackThis log after scanning with Panda Internet Security:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:30:49 PM, on 11/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Internet Security 2009\TPSrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Panda Security\Panda Internet Security 2009\PsCtrls.exe
C:\Program Files\Panda Security\Panda Internet Security 2009\PavFnSvr.exe
C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Internet Security 2009\PsImSvc.exe
C:\Program Files\Panda Security\Panda Internet Security 2009\PskSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Security\Panda Internet Security 2009\ApvxdWin.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\Program Files\Panda Security\Panda Internet Security 2009\pavsrv51.exe
C:\Program Files\Panda Security\Panda Internet Security 2009\AVENGINE.EXE
c:\program files\panda security\panda internet security 2009\firewall\PSHOST.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRAM FILES\PANDA SECURITY\PANDA INTERNET SECURITY 2009\WebProxy.exe
C:\Program Files\Panda Security\Panda Internet Security 2009\SRVLOAD.EXE
C:\Program Files\Panda Security\Panda Internet Security 2009\PavBckPT.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmjb.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_director.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MM_TDM~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Panda Security\Panda Internet Security 2009\psimreal.exe
C:\Documents and Settings\HP_Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netscape.aol.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Internet Security 2009\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Internet Security 2009\Inicio.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: HP Organize.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: WMP10ctrl - http://www.cinemanow.com/WMP10ctrl.CAB
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {C5326A4D-E9AA-40AD-A09A-E74304D86B47} (DinerDash Control) - http://www.worldwinner.com/games/v50/dinerdash/dinerdash.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.cinemanow.com/dlControl_3_3.CAB
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj02.custhelp.com/8102-b424h/rnl/java/RntX.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - AppInit_DLLs: karna.dat fptane.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Internet Security 2009\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Internet Security 2009\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security, S.L. - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Internet Security 2009\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda security\panda internet security 2009\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - C:\Program Files\Panda Security\Panda Internet Security 2009\PsImSvc.exe
O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Internet Security 2009\PskSvc.exe
O23 - Service: Software Jukebox v2.0 Service - Unknown owner - C:\Program Files\Common Files\MSJB NA01D Shared\Service\Software Jukebox v2.0 Service File.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Internet Security 2009\TPSrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 11726 bytes
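The entries a helper reads first in a HijackThis log are the ones above that survived ComboFix: the non-empty O20 AppInit_DLLs value (karna.dat fptane.dll is loaded into every process that maps user32.dll), the O16 ActiveX control pulled from clubbox.co.kr, the O10 LSP HijackThis does not recognise, and the O23 service with an unknown owner and a missing file. The script below is an added example written for this page; it is not code from the thread and not a HijackThis feature. It applies those checks to lines copied from the log above, plus two of the orphaned Run values ComboFix listed (d8e99d0d and NAV) rewritten in O4 syntax so the Run-value heuristics have something to catch. TRUSTED_DPF_HOSTS is this example's own allowlist, not anything HijackThis ships.

```python
"""Triage a HijackThis v2 log for the autostart indicators a malware-removal
helper checks first.  Added example for this thread; not part of the original
posts and not a HijackThis feature.  SAMPLE_LOG is an excerpt of the log above
plus two orphaned Run values from the ComboFix section rewritten as O4 lines.
TRUSTED_DPF_HOSTS is this example's own assumption."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    severity: str   # "high" = act on it, "review" = verify before removing
    section: str    # HijackThis section id, e.g. "O20"
    reason: str
    line: str


# Hosts an ActiveX (O16) download is expected from on this machine.  Assumption.
TRUSTED_DPF_HOSTS = ("microsoft.com", "msn.com", "symantec.com",
                     "trendmicro.com", "akamai.net")

# Constructed sample: lines copied from the HijackThis log above, plus the two
# ComboFix orphans [d8e99d0d] and [NAV] expressed in O4 syntax.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [d8e99d0d] c:\windows\system32\nsqvapdc.dll
O4 - HKLM\..\Run: [NAV] c:\documents and settings\HP_Owner\My Documents\NAV[1].2009.90.Days_Patch\NAV.2009.90.Days+Patch\NAV2009_16.0.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O20 - AppInit_DLLs: karna.dat fptane.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
"""

_O4 = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.*)$')
_O23 = re.compile(r'^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
_URL_HOST = re.compile(r'https?://([^/\s]+)')
_USER_PROFILE = re.compile(r'^"?c:\\documents and settings\\', re.I)


def trusted_host(host: str) -> bool:
    """True when host is, or is a subdomain of, an allowlisted domain."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DPF_HOSTS)


def triage(lines) -> List[Finding]:
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()

        if line.startswith("O20 - AppInit_DLLs:"):
            value = line.split(":", 1)[1].strip()
            if value:
                # AppInit_DLLs are loaded by user32.dll into every GUI process;
                # on a home XP box a non-empty value is nearly always an injector.
                findings.append(Finding("high", "O20",
                                        f"AppInit_DLLs injects {value!r} into every GUI process", line))
            continue

        m = _O4.match(line)
        if m:
            name, target = m["name"], m["target"].strip()
            if target.strip('"').lower().endswith(".dll") or re.fullmatch(r"[0-9a-f]{8}", name):
                # A Run value normally starts an .exe; a bare DLL is loaded via
                # rundll32, and a random 8-hex-digit value name is a Vundo habit.
                findings.append(Finding("high", "O4", f"Run value [{name}] loads {target}", line))
            elif _USER_PROFILE.match(target):
                findings.append(Finding("review", "O4",
                                        f"machine-wide autostart from a user-writable profile path: [{name}]", line))
            continue

        if line.startswith("O10 - Unknown file in Winsock LSP:"):
            # "Unknown" means unknown to HijackThis's built-in list, not hostile;
            # check the file's signer before editing the Winsock catalog.
            findings.append(Finding("review", "O10", "LSP not in HijackThis's list; verify signer", line))
            continue

        if line.startswith("O16 - DPF:"):
            h = _URL_HOST.search(line)
            if h and not trusted_host(h.group(1).lower()):
                findings.append(Finding("review", "O16", f"ActiveX control fetched from {h.group(1)}", line))
            continue

        m = _O23.match(line)
        if m and (m["owner"] == "Unknown owner" or "(file missing)" in m["path"]):
            findings.append(Finding("review", "O23", f"service {m['svc']!r}: {m['owner']}, {m['path']}", line))

    # act-on-it items first; the sort is stable, so log order is kept within a tier
    findings.sort(key=lambda f: f.severity != "high")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.severity:6} {f.section:4} {f.reason}")
```

On the sample it reports two "high" items (the DLL-loading Run value and AppInit_DLLs) and four "review" items, and stays quiet on jusched.exe, the Symantec download manager and Bonjour. The O10 tier is deliberately "review", not "high": nwprovau.dll is the Windows Client Service for NetWare provider, and deleting an LSP that is actually in use breaks networking, so check the signer before touching the Winsock chain.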
Hi oryfan

Please download Malwarebytes Anti-Malware and install it. Follow the prompts and reboot if required. Launch Malwarebytes either by running C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe or by double-clicking the Malwarebytes' Anti-Malware shortcut on your Desktop.

Configuring Malwarebytes
• Click on the tab Settings.
• Make sure only these boxes are checked:
    Terminate Internet Explorer
    Automatically save and display logfile after removal
    Always scan memory objects
    Always scan registry objects
    Always scan filesystem
    Always scan extra and heuristics objects

Updating Malwarebytes
• Click on the tab Update.
• Press the button Check for Updates.
• Wait for Malwarebytes to be fully updated.

Scanning Time
• Click on the tab Scanner.
• Check Perform full scan and click on Scan.
• Wait for the scan to complete, and then click on Show Results.
• Make sure all items are checked, then click on Remove Selected.

**If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If you are asked to restart the computer, please do so immediately.

Post A Log
• A text box will pop up after the removal process is over. Post the contents of the text here.
• If no text box pops up, launch Malwarebytes, and click on the tab Logs.
• The logs will appear as mbam-log-*date-*time.txt. Select the latest one, and then click on Open.
• Post the log here.

Best Regards
Thanks for your help! Here's my MBAM log

Malwarebytes' Anti-Malware 1.30
Database version: 1400
Windows 5.1.2600 Service Pack 3

11/15/2008 2:57:37 PM
mbam-log-2008-11-15 (14-57-37).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 193750
Time elapsed: 1 hour(s), 45 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 79

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\nowstarter.nowstarterctrl.1 (Adware.CWS) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{072039ab-2117-4ed5-a85f-9b9eb903e021} (Adware.CWS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{072039ab-2117-4ed5-a85f-9b9eb903e021} (Adware.CWS) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6f553c18-15e6-4e5e-8f44-add50de754ed} (Adware.CWS) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{0409743c-e5e3-4bdd-9ec7-eff622530282} (Adware.CWS) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{40722371-e24c-4b36-8e76-010bb6c7185b} (Adware.CWS) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{825c19d3-35ce-428f-876b-88e080466689} (Adware.CWS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/system32/nowstarter.ocx (Adware.CWS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\antiviruspro2009 (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\NowStarter.ocx (Adware.CWS) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\HP_Owner\Application Data\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\NowStarter.ocx (Adware.CWS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\brastk.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\fptane.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\bhmodl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\bqyykcid.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\brastk.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\mlJYrspm.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\nsqvapdc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\qxqflbsr.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP746\A0205800.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP747\A0205803.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP747\A0205831.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP747\A0205832.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP748\A0206831.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP748\A0206832.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP748\A0207831.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP748\A0207832.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP750\A0207833.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP750\A0207834.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP750\A0208833.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP750\A0208834.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP750\A0209833.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP750\A0209834.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP751\A0209835.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP751\A0209836.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP751\A0210835.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP751\A0210836.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP751\A0210837.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP751\A0210838.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP751\A0210839.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP751\A0210840.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP751\A0211839.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP751\A0211840.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP751\A0212839.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP751\A0212840.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP751\A0213839.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP751\A0213840.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP751\A0214839.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP751\A0214840.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP751\A0215839.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP751\A0216839.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP751\A0216840.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP751\A0217839.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP751\A0217840.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP751\A0218839.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP751\A0218840.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP751\A0219839.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP751\A0219840.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP751\A0220839.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP751\A0220840.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP751\A0221844.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP751\A0221845.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP751\A0221847.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP751\A0221864.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP751\A0221877.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP751\A0215840.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP751\A0221846.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP752\A0221919.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP753\A0222142.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP753\A0222143.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP753\A0222144.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP753\A0222147.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP753\A0222151.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP753\A0222152.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP753\A0222155.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP753\A0222157.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP753\A0222158.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP753\A0222159.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP753\A0222160.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP753\A0222161.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP753\A0222162.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP753\A0222164.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP753\A0222165.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP753\A0222166.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Application Data\GetModule\dicik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Application Data\GetModule\kwdik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Application Data\GetModule\ofadik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\~.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
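"Files Infected: 79" reads worse than the log actually is. Most of those paths sit under C:\System Volume Information\_restore (copies System Restore saved, inert until someone rolls back to that point) or under C:\Qoobox\Quarantine (files ComboFix had already renamed to .vir and moved), and only a handful were live on disk. The script below is an added example written for this page, not code from the thread and not a Malwarebytes feature; it parses MBAM hit lines, splits them by where each hit lived, and flags whether the restore points need flushing and whether a rootkit family appears. SAMPLE_MBAM is an excerpt copied from the log above, and ROOTKIT_FAMILIES is this example's own assumption about MBAM family names.

```python
"""Summarise a Malwarebytes' Anti-Malware log by family and by where each hit
lived.  Added example for this thread; not part of the original posts and not
an MBAM feature.  SAMPLE_MBAM is an excerpt of the log above; ROOTKIT_FAMILIES
is this example's own assumption about MBAM family names."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Constructed sample: ten lines copied from the MBAM log above.
SAMPLE_MBAM = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\antiviruspro2009 (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\NowStarter.ocx (Adware.CWS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\brastk.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\fptane.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP746\A0205800.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP751\A0221844.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP753\A0222151.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Application Data\GetModule\dicik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\~.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
"""

# Kernel-mode rootkit families as MBAM names them (assumption for this example).
ROOTKIT_FAMILIES = {"Trojan.TDSS"}


class Hit(NamedTuple):
    path: str
    family: str
    location: str   # "registry" | "restore point" | "combofix quarantine" | "live"


# "<path> (<Family>) -> <action>" is the one-line hit format in MBAM 1.x logs.
_HIT = re.compile(r"^(?P<path>.+?) \((?P<family>[A-Za-z0-9.]+)\) -> (?P<action>.+)$")


def classify(path: str) -> str:
    """Decide whether a hit was live code or a dormant copy."""
    p = path.lower()
    if p.startswith("hkey_"):
        return "registry"
    if p.startswith("c:\\system volume information\\_restore"):
        # A copy System Restore kept; harmless until a rollback revives it.
        return "restore point"
    if "\\qoobox\\quarantine\\" in p:
        # ComboFix had already renamed this to .vir and moved it; not running code.
        return "combofix quarantine"
    return "live"


def parse(lines) -> List[Hit]:
    hits: List[Hit] = []
    for line in lines:
        m = _HIT.match(line.strip())
        if m:
            hits.append(Hit(m["path"], m["family"], classify(m["path"])))
    return hits


def summarize(hits: List[Hit]) -> Dict[str, object]:
    families = {h.family for h in hits}
    return {
        "by_family": Counter(h.family for h in hits),
        "by_location": Counter(h.location for h in hits),
        "live": [h for h in hits if h.location == "live"],
        # Any hit inside a restore point means the points should be flushed
        # once the machine is clean (System Restore off, reboot, on again).
        "restore_purge_needed": any(h.location == "restore point" for h in hits),
        # A rootkit family anywhere in the log argues for a rootkit-specific
        # scan even if a generic hidden-file check came back empty.
        "rootkit_families": sorted(families & ROOTKIT_FAMILIES),
    }


if __name__ == "__main__":
    s = summarize(parse(SAMPLE_MBAM.splitlines()))
    for loc, n in sorted(s["by_location"].items()):
        print(f"{n:3} {loc}")
    for h in s["live"]:
        print("live:", h.family, h.path)
    print("restore purge needed:", s["restore_purge_needed"], "| rootkit families:", s["rootkit_families"])
```

Run over the full log above, the split is 65 restore-point copies, 8 ComboFix quarantine files and 6 live files (NowStarter.ocx, the three GetModule archives, ~.exe and delself.bat), plus the registry leftovers of the NowStarter control and the AntivirusPro2009 key. Two things follow for whoever is cleaning the box: the restore points are contaminated and should be flushed when the system is otherwise clean, and the Trojan.TDSS copies mean a kernel-mode rootkit was on the machine at some point, so the earlier catchme result of "hidden files: 0" is reassuring but not proof; a dedicated rootkit scan is the prudent follow-up.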
ComboFix 08-11-12.02 - HP_Owner 2008-11-16 12:06:25.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.94 [GMT -8:00]
Running from: c:\documents and settings\HP_Owner\My Documents\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-10-16 to 2008-11-16 )))))))))))))))))))))))))))))))
.

2008-11-16 11:56 . 2008-11-16 11:56 13,880 --a------ c:\windows\system32\drivers\COMFiltr.sys
2008-11-15 13:08 . 2008-11-15 13:08 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-15 13:08 . 2008-11-15 13:08 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
2008-11-15 13:08 . 2008-11-15 13:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-15 13:08 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-15 13:08 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-14 16:05 . 2008-11-16 12:05 8,627 --a------ c:\windows\system32\PAV_FOG.OPC
2008-11-14 15:54 . 2008-11-16 12:02 237,096 --a------ c:\windows\system32\drivers\APPFCONT.DAT.bck
2008-11-14 15:54 . 2008-11-16 12:02 237,096 --a------ c:\windows\system32\drivers\APPFCONT.DAT
2008-11-14 15:54 . 2008-06-18 16:06 193,792 --a------ c:\windows\system32\drivers\idsflt.sys
2008-11-14 15:54 . 2008-04-28 17:35 84,024 --a------ c:\windows\system32\drivers\pavdrv51.sys
2008-11-14 15:54 . 2008-06-18 16:06 52,992 --a------ c:\windows\system32\drivers\dsaflt.sys
2008-11-14 15:54 . 2008-06-18 16:06 46,720 --a------ c:\windows\system32\drivers\wnmflt.sys
2008-11-14 15:54 . 2008-11-16 11:56 1,132 --a------ c:\windows\system32\drivers\APPFLTR.CFG.bck
2008-11-14 15:54 . 2008-11-16 11:56 1,132 --a------ c:\windows\system32\drivers\APPFLTR.CFG
2008-11-14 15:54 . 2008-11-14 15:54 261 --a------ c:\windows\system32\PavCPL.dat
2008-11-14 15:53 . 2008-11-14 15:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Backup
2008-11-14 15:53 . 2008-07-11 14:58 158,848 --a------ c:\windows\system32\drivers\NETFLTDI.SYS
2008-11-14 15:53 . 2008-06-25 15:42 73,728 --a------ c:\windows\system32\drivers\APPFLT.SYS
2008-11-14 15:53 . 2007-03-15 19:38 54,832 --a------ c:\windows\system32\pavcpl.cpl
2008-11-14 15:53 . 2008-03-28 11:25 22,072 --a------ c:\windows\system32\drivers\fnetmon.sys
2008-11-14 15:52 . 2008-11-14 15:52 <DIR> d-------- c:\windows\system32\PAV
2008-11-14 15:52 . 2008-11-14 15:52 <DIR> d-------- c:\program files\Panda Security
2008-11-14 15:52 . 2008-11-14 15:52 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\Panda Security
2008-11-14 15:52 . 2008-11-14 15:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Panda Security
2008-11-14 15:52 . 2008-06-18 18:03 520,448 --a------ c:\windows\system32\PavSHook.dll
2008-11-14 15:52 . 2003-10-22 18:23 446,464 --a------ c:\windows\system32\HHActiveX.dll
2008-11-14 15:52 . 2008-06-26 11:25 197,888 --a------ c:\windows\system32\drivers\neti1634.sys
2008-11-14 15:52 . 2008-06-24 14:48 193,280 --a------ c:\windows\system32\TpUtil.dll
2008-11-14 15:52 . 2007-02-08 11:53 107,568 --a------ c:\windows\system32\SYSTOOLS.DLL
2008-11-14 15:52 . 2008-06-18 18:03 87,296 --a------ c:\windows\system32\PavLspHook.dll
2008-11-14 15:52 . 2008-03-18 16:58 58,672 --a------ c:\windows\system32\avldr.dll
2008-11-14 15:52 . 2008-06-18 18:03 55,552 --a------ c:\windows\system32\pavipc.dll
2008-11-14 15:49 . 2008-02-07 12:03 179,640 --a------ c:\windows\system32\drivers\PavProc.sys
2008-11-14 15:49 . 2008-03-04 15:59 41,144 --a------ c:\windows\system32\drivers\ShlDrv51.sys
2008-11-14 15:49 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-11-14 15:35 . 2008-11-14 15:35 <DIR> d-------- c:\program files\Common Files\Panda Security
2008-11-14 14:58 . 2008-11-14 14:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-14 14:35 . 2008-11-14 15:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2008-11-14 14:27 . 2008-11-14 15:56 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2008-11-14 02:22 . 2008-11-14 02:22 <DIR> d-------- c:\program files\Trend Micro
2008-11-14 00:40 . 2008-11-14 00:40 <DIR> d-------- c:\program files\Alwil Software
2008-11-14 00:22 . 2008-11-14 00:23 <DIR> d-------- c:\program files\Trojan Remover
2008-11-14 00:22 . 2008-11-14 00:22 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\Simply Super Software
2008-11-14 00:22 . 2008-11-14 00:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Simply Super Software
2008-11-14 00:22 . 2006-05-25 14:52 162,304 --a------ c:\windows\system32\ztvunrar36.dll
2008-11-14 00:22 . 2003-02-02 19:06 153,088 --a------ c:\windows\system32\UNRAR3.dll
2008-11-14 00:22 . 2005-08-26 00:50 77,312 --a------ c:\windows\system32\ztvunace26.dll
2008-11-14 00:22 . 2002-03-06 00:00 75,264 --a------ c:\windows\system32\unacev2.dll
2008-11-14 00:22 . 2006-06-19 12:01 69,632 --a------ c:\windows\system32\ztvcabinet.dll
2008-11-13 18:23 . 2008-11-13 18:23 1,689 --a------ c:\windows\Sysvxd.exe
2008-11-13 16:35 . 2008-11-13 16:35 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Webroot
2008-11-13 15:57 . 2008-11-13 16:13 <DIR> d-------- c:\program files\RogueRemover FREE
2008-11-13 15:34 . 2008-11-13 15:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-11-13 15:18 . 2008-11-13 15:18 <DIR> d-------- c:\windows\system32\drivers\NAV
2008-11-13 15:18 . 2008-11-13 15:18 <DIR> d-------- c:\program files\Windows Sidebar
2008-11-13 13:46 . 2008-11-13 14:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2008-11-13 13:41 . 2008-11-13 13:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\PCSettings
2008-11-13 12:54 . 2008-11-13 12:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-11-13 10:33 . 2008-11-13 10:33 19,262 --a------ c:\windows\gufih.scr
2008-11-13 10:33 . 2008-11-13 10:33 18,973 --a------ c:\documents and settings\All Users\Application Data\likyqe.com
2008-11-13 10:33 . 2008-11-13 10:33 17,507 --a------ c:\windows\ipul.vbs
2008-11-13 10:33 . 2008-11-13 10:33 16,179 --a------ c:\windows\yrigehatik.dat
2008-11-13 10:33 . 2008-11-13 10:33 15,820 --a------ c:\documents and settings\HP_Owner\Application Data\acaw.exe
2008-11-13 10:33 . 2008-11-13 10:33 14,056 --a------ c:\windows\system32\ulik.pif
2008-11-13 10:33 . 2008-11-13 10:33 13,776 --a------ c:\documents and settings\HP_Owner\Application Data\kuvija.scr
2008-11-13 10:33 . 2008-11-13 10:33 12,638 --a------ c:\documents and settings\HP_Owner\Application Data\wudicex.sys
2008-11-13 10:33 . 2008-11-13 10:33 11,181 --a------ c:\windows\atalyzuk.com
2008-11-13 10:33 . 2008-11-13 10:33 10,826 --a------ c:\windows\system32\unybuvul.exe
2008-11-13 08:16 . 2008-11-13 08:18 <DIR> d-------- C:\a84bebd03b14490a27
2008-11-13 08:16 . 2008-11-13 08:16 19,120 --a------ c:\windows\xasilufy.db
2008-11-13 08:16 . 2008-11-13 08:16 17,444 --a------ c:\windows\system32\puba.inf
2008-11-13 08:16 . 2008-11-13 08:16 16,964 --a------ c:\documents and settings\HP_Owner\Application Data\soma.exe
2008-11-13 08:16 . 2008-11-13 08:16 16,857 --a------ c:\windows\zutes._dl
2008-11-13 08:16 . 2008-11-13 08:16 16,561 --a------ c:\windows\obumer.sys
2008-11-13 08:16 . 2008-11-13 08:16 15,977 --a------ c:\windows\system32\ucalipe.db
2008-11-13 08:16 . 2008-11-13 08:16 14,351 --a------ c:\windows\dykasyw.dat
2008-11-13 08:16 . 2008-11-13 08:16 13,422 --a------ c:\program files\Common Files\cagyxake.reg
2008-11-13 08:16 . 2008-11-13 08:16 13,204 --a------ c:\windows\nodat.inf
2008-11-13 08:16 . 2008-11-13 08:16 12,937 --a------ c:\documents and settings\All Users\Application Data\awodawesad.bat
2008-11-13 08:16 . 2008-11-13 08:16 12,312 --a------ c:\windows\iqopop.com
2008-11-13 08:16 . 2008-11-13 08:16 11,210 --a------ c:\documents and settings\HP_Owner\Application Data\fonasy.com
2008-11-12 13:53 . 2008-09-04 09:15 1,106,944 --a--c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 13:53 . 2008-10-24 03:21 455,296 --a--c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-06 16:40 . 2008-11-14 00:26 <DIR> d-------- c:\program files\Common
2008-10-28 19:51 . 2008-10-28 19:51 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-10-28 19:46 . 2008-10-28 19:46 <DIR> d-------- c:\windows\system32\LogFiles
2008-10-28 19:46 . 2008-10-28 19:48 <DIR> d-------- c:\windows\system32\drivers\UMDF
2008-10-24 11:21 . 2008-10-15 08:34 337,408 --a--c--- c:\windows\system32\dllcache\netapi32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-16 19:57 4,124 ----a-w c:\windows\viassary-hp.reg 2008-11-15 00:45 --------- d-----w c:\program files\Go-Go Gourmet 2008-11-15 00:45 --------- d-----w c:\program files\Diner Dash 2 2008-11-14 23:52 --------- d--h--w c:\program files\InstallShield Installation Information 2008-11-14 22:41 --------- d-----w c:\documents and settings\HP_Owner\Application Data\Symantec 2008-11-14 09:25 --------- d-----w c:\program files\Puzzle Hero 2008-11-14 08:30 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP 2008-11-13 23:18 --------- d-----w c:\program files\Norton AntiVirus 2008-11-13 18:33 11,869 ----a-w c:\program files\Common Files\rafadax.inf 2008-11-13 16:16 13,705 ----a-w c:\program files\Common Files\urezecyg._sy 2008-11-06 06:05 --------- d-----w c:\program files\LimeWire 2008-11-06 06:05 --------- d-----w c:\program files\Incomplete 2008-11-05 08:43 --------- d-----w c:\program files\ABC Amber LIT Converter 2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys 2008-10-13 02:07 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT 2008-10-13 02:07 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLds.DAT 2008-09-21 21:21 --------- d-----w c:\program files\InterActual 2008-09-04 02:34 0 ----a-w c:\documents and settings\HP_Owner\jagex_runescape_preferences.dat 2005-09-26 16:47 424,685 --sh--w c:\windows\system\bilsp.bak1 2005-10-01 17:27 425,991 --sh--w c:\windows\system\bilsp.bak2 2005-10-01 22:56 182,819 --sh--w c:\windows\system\bilsp.ini2 2005-03-10 07:03 56 --sh--r c:\windows\system32\5383F6A747.sys . ((((((((((((((((((((((((((((( snapshot@2008-11-14_13.26.50.96 ))))))))))))))))))))))))))))))))))))))))) . 
- 2006-02-23 19:41:02 466,944 ----a-w c:\windows\system32\capicom.dll + 2007-04-11 19:11:20 511,328 ----a-w c:\windows\system32\capicom.dll - 2008-01-29 19:01:28 16,168 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys + 2008-04-17 21:12:54 15,464 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys + 2008-04-17 21:12:54 107,368 -c--a-w c:\windows\system32\DRVSTORE\GEARAspiWD_D213663B6381F01E45A131159A9DEFE018321CB3\x86\GEARAspi.dll + 2008-04-17 21:12:54 15,464 -c--a-w c:\windows\system32\DRVSTORE\GEARAspiWD_D213663B6381F01E45A131159A9DEFE018321CB3\x86\GEARAspiWDM.sys - 2008-01-29 19:02:30 107,368 ----a-w c:\windows\system32\GEARAspi.dll + 2008-04-17 21:12:54 107,368 ----a-w c:\windows\system32\GEARAspi.dll - 2008-11-14 20:57:38 69,436 ----a-w c:\windows\system32\perfc009.dat + 2008-11-16 19:58:50 69,436 ----a-w c:\windows\system32\perfc009.dat - 2008-11-14 20:57:38 419,350 ----a-w c:\windows\system32\perfh009.dat + 2008-11-16 19:58:50 419,350 ----a-w c:\windows\system32\perfh009.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496] "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736] "HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152] "HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472] "Reminder"="c:\windows\Creator\Remind_XP.exe" [2003-12-17 118784] "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768] "BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 368706] "PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016] "MimBoot"="c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe" [2005-05-10 11776] "KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840] "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952] "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392] "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064] "TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2008-11-08 1233800] "APVXDWIN"="c:\program files\Panda Security\Panda Internet Security 2009\APVXDWIN.EXE" [2008-07-16 857344] "SCANINICIO"="c:\program 
files\Panda Security\Panda Internet Security 2009\Inicio.exe" [2008-07-07 50432] "VTTimer"="VTTimer.exe" [2004-10-22 c:\windows\system32\VTTimer.exe] "AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 c:\windows\AGRSMMSG.exe] c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\ Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664] HP Organize.lnk - c:\program files\Hewlett-Packard\HP Organize\bin\displayAgent.exe [2004-08-11 36864] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-29 241664] InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2004-09-17 200704] NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2008-01-29 118784] Updates from HP.lnk - c:\program files\Updates from HP\309731\Program\Updates from HP.exe [2004-08-11 16423] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "ForceClassicControlPanel"= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr] 2008-03-18 16:58 58672 c:\windows\system32\avldr.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=karna.dat fptane.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.PIXL"= pclepixl.dll "VIDC.NTN1"= NUVision.ax [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail] @="Service" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk backup=c:\windows\pss\SpySubtract.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM] --a------ 
2006-08-01 15:35 67112 c:\program files\AIM\aim.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Athan] --a------ 2005-09-11 17:04 937984 c:\program files\Athan\Athan.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033] --a------ 2004-08-22 16:05 81920 c:\program files\D-Tools\daemon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --a------ 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper] --a------ 2005-11-16 14:38 3759104 c:\program files\Webroot\Spy Sweeper\SpySweeper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh] --a------ 2008-09-26 18:14 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"= "c:\\Program Files\\interMute\\SpySubtract\\SpySub.exe"= "c:\\Program Files\\BitTorrent\\btdownloadgui.exe"= "c:\\Program Files\\burst\\core-new1.1.3\\btdownloadheadless.exe"= "c:\\Program Files\\SmartFTP\\SmartFTP.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\burst\\core-shad0w5.7.6\\btdownloadheadless.exe"= "c:\\Program 
Files\\WS_FTP\\WS_FTP95.exe"= "c:\\Program Files\\LimeWire\\LimeWire.exe"= "c:\\WINDOWS\\system32\\FSCAgent.exe"= "c:\\WINDOWS\\system32\\ClubBox.exe"= "c:\\WINDOWS\\system32\\pdbox28.exe"= "c:\\Program Files\\AIM\\aim.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "4662:TCP"= 4662:TCP:emule: tcp incoming R0 pavboot;Panda boot driver;c:\windows\system32\Drivers\pavboot.sys [2008-06-19 28544] R0 SSI;SSI;c:\windows\system32\Drivers\SSI.SYS [2005-11-16 78336] R1 APPFLT;App Filter Plugin;c:\windows\system32\Drivers\APPFLT.SYS [2008-06-25 73728] R1 DSAFLT;DSA Filter Plugin;c:\windows\system32\Drivers\DSAFLT.SYS [2008-06-18 52992] R1 FNETMON;NetMon Filter Plugin;c:\windows\system32\Drivers\fnetmon.SYS [2008-03-28 22072] R1 IDSFLT;Ids Filter Plugin;c:\windows\system32\Drivers\IDSFLT.SYS [2008-06-18 193792] R1 NETFLTDI;Panda Net Driver [TDI Layer];c:\windows\system32\Drivers\NETFLTDI.SYS [2008-07-11 14:58 158848] R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\Drivers\ShlDrv51.sys [2008-03-04 41144] R1 WNMFLT;Wifi Monitor Filter Plugin;c:\windows\system32\Drivers\WNMFLT.SYS [2008-06-18 46720] R2 Gwmsrv;Panda Goodware Cache Manager;c:\windows\system32\svchost -k Panda [ ] R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe [2008-04-13 14336] R2 PavProc;Panda Process Protection Driver;c:\windows\system32\DRIVERS\PavProc.sys [2008-02-07 179640] R2 PskSvcRetail;Panda PSK service;c:\program files\Panda Security\Panda Internet Security 2009\PskSvc.exe [2008-06-25 28928] R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652] R2 WUSB54Gv42SVC;WUSB54Gv42SVC;c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe WUSB54Gv42.exe [ ] R3 ComFiltr;Panda 
Anti-Dialer;c:\windows\system32\DRIVERS\COMFiltr.sys [2008-11-16 13880]
R3 NETIMFLT01060034;PANDA NDIS IM Filter Miniport v1.6.0.34;c:\windows\system32\DRIVERS\neti1634.sys [2008-06-26 197888]
R3 PavTPK.sys;PavTPK.sys;c:\windows\system32\PavTPK.sys [ ]
S3 NUVision;Pinnacle DVC 80 Video;c:\windows\system32\DRIVERS\nuvvid2.sys [2001-12-03 155264]
S3 SPCP825K;Sunplus Serial port driver;c:\windows\system32\DRIVERS\SPCP825K.sys [ ]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;c:\windows\system32\DRIVERS\usb8023.sys [2008-04-13 12800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
panda REG_MULTI_SZ Gwmsrv

*Newly Created Service* - COMFILTR
*Newly Created Service* - GTNDIS5
*Newly Created Service* - PSEXESVC
.
Contents of the 'Scheduled Tasks' folder

2008-11-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\2kx2aisv.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://iheartlakorns.com/
.
.
------- File Associations -------
.
JSEFile=c:\progra~1\PANDAS~1\PANDAI~1\PavScrip.exe "%1" %*
VBEFile=c:\progra~1\PANDAS~1\PANDAI~1\PavScrip.exe "%1" %*
VBSFile=c:\progra~1\PANDAS~1\PANDAI~1\PavScrip.exe "%1" %*
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-16 12:16:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-11-16 12:27:38
ComboFix-quarantined-files.txt 2008-11-16 20:27:32

Pre-Run: 27,978,694,656 bytes free
Post-Run: 29,467,779,072 bytes free

293 --- E O F --- 2008-11-13 16:18:06
Hey oryfan

Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.

Open Notepad and copy/paste the text in the code box below into it:

Code:
File::
c:\windows\gufih.scr
c:\documents and settings\All Users\Application Data\likyqe.com
c:\windows\ipul.vbs
c:\windows\yrigehatik.dat
c:\documents and settings\HP_Owner\Application Data\acaw.exe
c:\windows\system32\ulik.pif
c:\documents and settings\HP_Owner\Application Data\kuvija.scr
c:\documents and settings\HP_Owner\Application Data\wudicex.sys
c:\windows\atalyzuk.com
c:\windows\system32\unybuvul.exe
c:\windows\xasilufy.db
c:\windows\system32\puba.inf
c:\documents and settings\HP_Owner\Application Data\soma.exe
c:\windows\zutes._dl
c:\windows\obumer.sys
c:\windows\system32\ucalipe.db
c:\windows\dykasyw.dat
c:\program files\Common Files\cagyxake.reg
c:\windows\nodat.inf
c:\documents and settings\All Users\Application Data\awodawesad.bat
c:\windows\iqopop.com
c:\documents and settings\HP_Owner\Application Data\fonasy.com
c:\windows\viassary-hp.reg
c:\windows\system32\karna.dat
C:\WINDOWS\karna.dat

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

DirLook::
C:\a84bebd03b14490a27

• Save this as CFScript.txt in the same folder as ComboFix.
• Then drag the CFScript.txt into Combo-Fix.exe.
• This will start ComboFix again. After reboot (in case it asks to reboot), post the ComboFix log here. The log will be located at C:\ComboFix(.txt). Do not click on the ComboFix window, as it may cause it to stall.

After that, zip this folder C:\Qoobox and upload it to http://www.uploadmalware.com/

Best Regards
I submitted the file and here's my log

ComboFix 08-11-12.02 - HP_Owner 2008-11-17 12:42:59.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.101 [GMT -8:00]
Running from: c:\documents and settings\HP_Owner\My Documents\combo\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\My Documents\combo\CFScript.txt
* Created a new restore point

FILE ::
c:\documents and settings\All Users\Application Data\awodawesad.bat
c:\documents and settings\All Users\Application Data\likyqe.com
c:\documents and settings\HP_Owner\Application Data\acaw.exe
c:\documents and settings\HP_Owner\Application Data\fonasy.com
c:\documents and settings\HP_Owner\Application Data\kuvija.scr
c:\documents and settings\HP_Owner\Application Data\soma.exe
c:\documents and settings\HP_Owner\Application Data\wudicex.sys
c:\program files\Common Files\cagyxake.reg
c:\windows\atalyzuk.com
c:\windows\dykasyw.dat
c:\windows\gufih.scr
c:\windows\ipul.vbs
c:\windows\iqopop.com
c:\windows\karna.dat
c:\windows\nodat.inf
c:\windows\obumer.sys
c:\windows\system32\karna.dat
c:\windows\system32\puba.inf
c:\windows\system32\ucalipe.db
c:\windows\system32\ulik.pif
c:\windows\system32\unybuvul.exe
c:\windows\viassary-hp.reg
c:\windows\xasilufy.db
c:\windows\yrigehatik.dat
c:\windows\zutes._dl
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\awodawesad.bat c:\documents and settings\All Users\Application Data\likyqe.com c:\documents and settings\HP_Owner\Application Data\acaw.exe c:\documents and settings\HP_Owner\Application Data\fonasy.com c:\documents and settings\HP_Owner\Application Data\kuvija.scr c:\documents and settings\HP_Owner\Application Data\soma.exe c:\documents and settings\HP_Owner\Application Data\wudicex.sys c:\program files\Common Files\cagyxake.reg c:\windows\atalyzuk.com c:\windows\dykasyw.dat c:\windows\gufih.scr c:\windows\ipul.vbs c:\windows\iqopop.com c:\windows\nodat.inf c:\windows\obumer.sys c:\windows\system32\puba.inf c:\windows\system32\ucalipe.db c:\windows\system32\ulik.pif c:\windows\system32\unybuvul.exe c:\windows\viassary-hp.reg c:\windows\xasilufy.db c:\windows\yrigehatik.dat c:\windows\zutes._dl . ((((((((((((((((((((((((( Files Created from 2008-10-17 to 2008-11-17 ))))))))))))))))))))))))))))))) . 2008-11-16 11:56 . 2008-11-17 09:36 13,880 --a------ c:\windows\system32\drivers\COMFiltr.sys 2008-11-15 13:08 . 2008-11-15 13:08 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2008-11-15 13:08 . 2008-11-15 13:08 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\Malwarebytes 2008-11-15 13:08 . 2008-11-15 13:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2008-11-15 13:08 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2008-11-15 13:08 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2008-11-14 16:05 . 2008-11-16 12:05 8,627 --a------ c:\windows\system32\PAV_FOG.OPC 2008-11-14 15:54 . 2008-11-17 09:36 237,096 --a------ c:\windows\system32\drivers\APPFCONT.DAT.bck 2008-11-14 15:54 . 2008-11-17 09:36 237,096 --a------ c:\windows\system32\drivers\APPFCONT.DAT 2008-11-14 15:54 . 2008-06-18 16:06 193,792 --a------ c:\windows\system32\drivers\idsflt.sys 2008-11-14 15:54 . 
2008-04-28 17:35 84,024 --a------ c:\windows\system32\drivers\pavdrv51.sys 2008-11-14 15:54 . 2008-06-18 16:06 52,992 --a------ c:\windows\system32\drivers\dsaflt.sys 2008-11-14 15:54 . 2008-06-18 16:06 46,720 --a------ c:\windows\system32\drivers\wnmflt.sys 2008-11-14 15:54 . 2008-11-17 12:39 1,132 --a------ c:\windows\system32\drivers\APPFLTR.CFG.bck 2008-11-14 15:54 . 2008-11-17 12:39 1,132 --a------ c:\windows\system32\drivers\APPFLTR.CFG 2008-11-14 15:54 . 2008-11-14 15:54 261 --a------ c:\windows\system32\PavCPL.dat 2008-11-14 15:53 . 2008-11-14 15:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Backup 2008-11-14 15:53 . 2008-07-11 14:58 158,848 --a------ c:\windows\system32\drivers\NETFLTDI.SYS 2008-11-14 15:53 . 2008-06-25 15:42 73,728 --a------ c:\windows\system32\drivers\APPFLT.SYS 2008-11-14 15:53 . 2007-03-15 19:38 54,832 --a------ c:\windows\system32\pavcpl.cpl 2008-11-14 15:53 . 2008-03-28 11:25 22,072 --a------ c:\windows\system32\drivers\fnetmon.sys 2008-11-14 15:52 . 2008-11-14 15:52 <DIR> d-------- c:\windows\system32\PAV 2008-11-14 15:52 . 2008-11-14 15:52 <DIR> d-------- c:\program files\Panda Security 2008-11-14 15:52 . 2008-11-14 15:52 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\Panda Security 2008-11-14 15:52 . 2008-11-14 15:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Panda Security 2008-11-14 15:52 . 2008-06-18 18:03 520,448 --a------ c:\windows\system32\PavSHook.dll 2008-11-14 15:52 . 2003-10-22 18:23 446,464 --a------ c:\windows\system32\HHActiveX.dll 2008-11-14 15:52 . 2008-06-26 11:25 197,888 --a------ c:\windows\system32\drivers\neti1634.sys 2008-11-14 15:52 . 2008-06-24 14:48 193,280 --a------ c:\windows\system32\TpUtil.dll 2008-11-14 15:52 . 2007-02-08 11:53 107,568 --a------ c:\windows\system32\SYSTOOLS.DLL 2008-11-14 15:52 . 2008-06-18 18:03 87,296 --a------ c:\windows\system32\PavLspHook.dll 2008-11-14 15:52 . 
2008-03-18 16:58 58,672 --a------ c:\windows\system32\avldr.dll 2008-11-14 15:52 . 2008-06-18 18:03 55,552 --a------ c:\windows\system32\pavipc.dll 2008-11-14 15:49 . 2008-02-07 12:03 179,640 --a------ c:\windows\system32\drivers\PavProc.sys 2008-11-14 15:49 . 2008-03-04 15:59 41,144 --a------ c:\windows\system32\drivers\ShlDrv51.sys 2008-11-14 15:49 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys 2008-11-14 15:35 . 2008-11-14 15:35 <DIR> d-------- c:\program files\Common Files\Panda Security 2008-11-14 14:58 . 2008-11-14 14:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} 2008-11-14 14:35 . 2008-11-14 15:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec 2008-11-14 14:27 . 2008-11-14 15:56 <DIR> d-------- c:\program files\Common Files\Symantec Shared 2008-11-14 02:22 . 2008-11-14 02:22 <DIR> d-------- c:\program files\Trend Micro 2008-11-14 00:40 . 2008-11-14 00:40 <DIR> d-------- c:\program files\Alwil Software 2008-11-13 18:23 . 2008-11-13 18:23 1,689 --a------ c:\windows\Sysvxd.exe 2008-11-13 16:35 . 2008-11-13 16:35 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Webroot 2008-11-13 15:57 . 2008-11-13 16:13 <DIR> d-------- c:\program files\RogueRemover FREE 2008-11-13 15:34 . 2008-11-13 15:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files 2008-11-13 15:18 . 2008-11-13 15:18 <DIR> d-------- c:\windows\system32\drivers\NAV 2008-11-13 15:18 . 2008-11-13 15:18 <DIR> d-------- c:\program files\Windows Sidebar 2008-11-13 13:46 . 2008-11-13 14:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton 2008-11-13 13:41 . 2008-11-13 13:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\PCSettings 2008-11-13 12:54 . 2008-11-13 12:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller 2008-11-13 08:16 . 
2008-11-13 08:18 <DIR> d-------- C:\a84bebd03b14490a27 2008-11-12 13:53 . 2008-09-04 09:15 1,106,944 --a--c--- c:\windows\system32\dllcache\msxml3.dll 2008-11-12 13:53 . 2008-10-24 03:21 455,296 --a--c--- c:\windows\system32\dllcache\mrxsmb.sys 2008-11-06 16:40 . 2008-11-14 00:26 <DIR> d-------- c:\program files\Common 2008-10-28 19:51 . 2008-10-28 19:51 <DIR> d-------- c:\program files\Windows Media Connect 2 2008-10-28 19:46 . 2008-10-28 19:46 <DIR> d-------- c:\windows\system32\LogFiles 2008-10-28 19:46 . 2008-10-28 19:48 <DIR> d-------- c:\windows\system32\drivers\UMDF 2008-10-24 11:21 . 2008-10-15 08:34 337,408 --a--c--- c:\windows\system32\dllcache\netapi32.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-11-16 20:40 --------- d-----w c:\documents and settings\HP_Owner\Application Data\Lavasoft 2008-11-15 00:45 --------- d-----w c:\program files\Go-Go Gourmet 2008-11-15 00:45 --------- d-----w c:\program files\Diner Dash 2 2008-11-14 23:52 --------- d--h--w c:\program files\InstallShield Installation Information 2008-11-14 22:41 --------- d-----w c:\documents and settings\HP_Owner\Application Data\Symantec 2008-11-14 09:25 --------- d-----w c:\program files\Puzzle Hero 2008-11-14 08:30 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP 2008-11-13 23:18 --------- d-----w c:\program files\Norton AntiVirus 2008-11-13 18:33 11,869 ----a-w c:\program files\Common Files\rafadax.inf 2008-11-13 16:16 13,705 ----a-w c:\program files\Common Files\urezecyg._sy 2008-11-06 06:05 --------- d-----w c:\program files\LimeWire 2008-11-06 06:05 --------- d-----w c:\program files\Incomplete 2008-11-05 08:43 --------- d-----w c:\program files\ABC Amber LIT Converter 2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys 2008-10-13 02:07 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT 2008-10-13 02:07 20 ---h--w c:\documents and 
settings\All Users\Application Data\PKP_DLds.DAT 2008-09-21 21:21 --------- d-----w c:\program files\InterActual 2008-09-04 02:34 0 ----a-w c:\documents and settings\HP_Owner\jagex_runescape_preferences.dat 2005-09-26 16:47 424,685 --sh--w c:\windows\system\bilsp.bak1 2005-10-01 17:27 425,991 --sh--w c:\windows\system\bilsp.bak2 2005-10-01 22:56 182,819 --sh--w c:\windows\system\bilsp.ini2 2005-03-10 07:03 56 --sh--r c:\windows\system32\5383F6A747.sys . (((((((((((((((((((((((((((((((((((((((((((( Look ))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . ---- Directory of C:\a84bebd03b14490a27 ---- 2008-11-03 16:19 896390 --a------ c:\a84bebd03b14490a27\mrt.exe._p 2008-11-03 16:10 44992 --a------ c:\a84bebd03b14490a27\mrtstub.exe ((((((((((((((((((((((((((((( snapshot@2008-11-14_13.26.50.96 ))))))))))))))))))))))))))))))))))))))))) . - 2006-02-23 19:41:02 466,944 ----a-w c:\windows\system32\capicom.dll + 2007-04-11 19:11:20 511,328 ----a-w c:\windows\system32\capicom.dll - 2008-01-29 19:01:28 16,168 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys + 2008-04-17 21:12:54 15,464 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys + 2008-04-17 21:12:54 107,368 -c--a-w c:\windows\system32\DRVSTORE\GEARAspiWD_D213663B6381F01E45A131159A9DEFE018321CB3\x86\GEARAspi.dll + 2008-04-17 21:12:54 15,464 -c--a-w c:\windows\system32\DRVSTORE\GEARAspiWD_D213663B6381F01E45A131159A9DEFE018321CB3\x86\GEARAspiWDM.sys - 2008-01-29 19:02:30 107,368 ----a-w c:\windows\system32\GEARAspi.dll + 2008-04-17 21:12:54 107,368 ----a-w c:\windows\system32\GEARAspi.dll - 2008-11-14 20:57:38 69,436 ----a-w c:\windows\system32\perfc009.dat + 2008-11-17 18:10:54 69,436 ----a-w c:\windows\system32\perfc009.dat - 2008-11-14 20:57:38 419,350 ----a-w c:\windows\system32\perfh009.dat + 2008-11-17 18:10:54 419,350 ----a-w c:\windows\system32\perfh009.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2003-12-17 118784]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 368706]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe" [2005-05-10 11776]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"APVXDWIN"="c:\program files\Panda Security\Panda Internet Security 2009\APVXDWIN.EXE" [2008-10-22 869632]
"SCANINICIO"="c:\program files\Panda Security\Panda Internet Security 2009\Inicio.exe" [2008-07-07 50432]
"VTTimer"="VTTimer.exe" [2004-10-22 c:\windows\system32\VTTimer.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 c:\windows\AGRSMMSG.exe]

c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
HP Organize.lnk - c:\program files\Hewlett-Packard\HP Organize\bin\displayAgent.exe [2004-08-11 36864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-29 241664]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2004-09-17 200704]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2008-01-29 118784]
Updates from HP.lnk - c:\program files\Updates from HP\309731\Program\Updates from HP.exe [2004-08-11 16423]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
2008-03-18 16:58 58672 c:\windows\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.PIXL"= pclepixl.dll
"VIDC.NTN1"= NUVision.ax

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=c:\windows\pss\SpySubtract.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2006-08-01 15:35 67112 c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Athan]
--a------ 2005-09-11 17:04 937984 c:\program files\Athan\Athan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 16:05 81920 c:\program files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-09-26 18:14 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\interMute\\SpySubtract\\SpySub.exe"=
"c:\\Program Files\\burst\\core-new1.1.3\\btdownloadheadless.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\burst\\core-shad0w5.7.6\\btdownloadheadless.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\FSCAgent.exe"=
"c:\\WINDOWS\\system32\\ClubBox.exe"=
"c:\\WINDOWS\\system32\\pdbox28.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:emule: tcp incoming

R0 pavboot;Panda boot driver;c:\windows\system32\Drivers\pavboot.sys [2008-06-19 28544]
R1 APPFLT;App Filter Plugin;c:\windows\system32\Drivers\APPFLT.SYS [2008-06-25 73728]
R1 DSAFLT;DSA Filter Plugin;c:\windows\system32\Drivers\DSAFLT.SYS [2008-06-18 52992]
R1 FNETMON;NetMon Filter Plugin;c:\windows\system32\Drivers\fnetmon.SYS [2008-03-28 22072]
R1 IDSFLT;Ids Filter Plugin;c:\windows\system32\Drivers\IDSFLT.SYS [2008-06-18 193792]
R1 NETFLTDI;Panda Net Driver [TDI Layer];c:\windows\system32\Drivers\NETFLTDI.SYS [2008-07-11 14:58 158848]
R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\Drivers\ShlDrv51.sys [2008-03-04 41144]
R1 WNMFLT;Wifi Monitor Filter Plugin;c:\windows\system32\Drivers\WNMFLT.SYS [2008-06-18 46720]
R2 Gwmsrv;Panda Goodware Cache Manager;c:\windows\system32\svchost -k Panda [ ]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe [2008-04-13 14336]
R2 PavProc;Panda Process Protection Driver;c:\windows\system32\DRIVERS\PavProc.sys [2008-02-07 179640]
R2 PskSvcRetail;Panda PSK service;c:\program files\Panda Security\Panda Internet Security 2009\PskSvc.exe [2008-06-25 28928]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe WUSB54Gv42.exe [ ]
R3 ComFiltr;Panda Anti-Dialer;c:\windows\system32\DRIVERS\COMFiltr.sys [2008-11-17 13880]
R3 NETIMFLT01060034;PANDA NDIS IM Filter Miniport v1.6.0.34;c:\windows\system32\DRIVERS\neti1634.sys [2008-06-26 197888]
R3 PavTPK.sys;PavTPK.sys;c:\windows\system32\PavTPK.sys [ ]
S3 NUVision;Pinnacle DVC 80 Video;c:\windows\system32\DRIVERS\nuvvid2.sys [2001-12-03 155264]
S3 SPCP825K;Sunplus Serial port driver;c:\windows\system32\DRIVERS\SPCP825K.sys [ ]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;c:\windows\system32\DRIVERS\usb8023.sys [2008-04-13 12800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
panda REG_MULTI_SZ Gwmsrv

*Newly Created Service* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder

2008-11-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SpySweeper - c:\program files\Webroot\Spy Sweeper\SpySweeper.exe

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-17 12:48:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-17 12:59:51
ComboFix-quarantined-files.txt 2008-11-17 20:59:47
ComboFix2.txt 2008-11-16 20:27:39

Pre-Run: 28,590,931,968 bytes free
Post-Run: 29,209,890,816 bytes free

303 --- E O F --- 2008-11-13 16:18:06