Help with malware - HJT Log

Post by JPicard » July 27th, 2009, 1:10 pm

Hello,
After doing every possible thing I know, I cannot remove every problem from this laptop. First, it will not let me run Malwarebytes' Anti-Malware or HijackThis without changing the file name. I cannot run Spybot S&D at all. Oftentimes, these programs freeze while scanning. Secondly, I get a blue screen while running AVG virus scan and anything else at the same time. Finally, if it helps at all, the system clock always encounters an error when I synchronize it with any of the internet time options, making me change the date and time manually. The anti-malware programs I have used were only able to get rid of the majority of the problems this computer had. Help is greatly appreciated. Thanks.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:22:20, on 7/27/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Windows\WindowsMobile\wmdcBase.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\igfxsrvc.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Trend Micro\HijackThisA\HijackThisA.exe
C:\Windows\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/home.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {F08555B0-9CC3-11D2-AA8E-000000000567} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdcBase.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9121 bytes
JPicard
Active Member
Posts: 8
Joined: July 27th, 2009, 12:35 pm

Re: Help with malware - HJT Log

Post by Bio-Hazard » July 30th, 2009, 10:00 am

Hello and Welcome to forums!

My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

  • I will be working on your Malware issues this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If you don't know or understand something please don't hesitate to ask.
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • It is important that you reply to this thread. Do not start a new topic.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Absence of symptoms does not mean that everything is clear.

No Reply Within 3 Days Will Result In Your Topic Being Closed!!
Bio-Hazard
MRU Master Emeritus
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: Help with malware - HJT Log

Post by Bio-Hazard » July 30th, 2009, 10:04 am

----------------------------------------------------------
Please note: Due to the restrictions on Vista, all tools should be started by Right-Click ---> Run As Administrator
----------------------------------------------------------


STEP 1

Download DDS

Please download DDS by sUBs from one of the links below and save it to your desktop:

Download DDS and save it to your desktop from:

Link 1
Link 2

Please disable any anti-malware program that will block scripts from running before running DDS.

  • Double-Click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply


STEP 2


Gmer

Please download Gmer by Gmer and save it to your desktop.

  • Right click on gmer.zip and select Extract All....
  • Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  • Click on the Browse button. Click on Desktop. Then click OK.
  • Click Next. It will start extracting.
  • Once done, check (tick) the Show extracted files box and click Finish.
  • Double click on gmer.exe to run it.
  • Select the Rootkit tab.
  • On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click on the Scan button.
  • When the scan is finished, click Copy to save the scan log to the Windows clipboard.
  • Open Notepad or a similar text editor.
  • Paste the clipboard contents into the text editor.
  • Save the Gmer scan log and post it in your next reply.
  • Close Gmer.

Note: Do not run any programs while Gmer is running.



Next Reply

Please reply with:
  • DDS.txt
  • Attach.txt
  • Gmer log
Bio-Hazard
MRU Master Emeritus
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK
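Once DDS.txt comes back, its "Created Last 30" and "Find3M" sections are where recently dropped files show up, and a helper usually scans them by eye for oddly named binaries in c:\windows and system32. The Python script below is an added illustration of that triage (it is not a MalwareRemoval.com or DDS tool); it parses those two sections from a constructed sample built out of lines from the log posted later in this thread, plus a few ordinary Windows files as controls, and flags the entries a helper would look at first.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the DDS "Created Last 30" and
# "Find3M" sections posted in this thread, plus ordinary Windows files
# (imapi2.dll, win32k.sys, wininet.dll, desktop.ini) as benign controls.
SAMPLE_DDS = r"""
=============== Created Last 30 ================

2009-07-27 08:13 <DIR> --d----- c:\program files\Trend Micro
2009-07-27 05:52 16,392 a------- c:\windows\3099zsp95bot32c.bin
2009-07-25 09:33 17,281 a------- c:\windows\system32\694zthrea591097.exe
2009-07-24 15:17 378,368 a------- c:\windows\system32\imapi2.dll
2009-07-24 11:06 2,034,688 a------- c:\windows\system32\win32k.sys

==================== Find3M ====================

2009-05-09 00:50 915,456 a------- c:\windows\system32\wininet.dll
2009-06-08 06:41 9,681 a------- c:\windows\system32\6814bazkd59r135.dll
2008-09-17 21:42 174 a--sh--- c:\program files\desktop.ini
2005-07-29 16:24 472 a--shr-- c:\windows\vghlyq\p315sk.vbs
"""

# One DDS file entry: date, time, size (or <DIR>), 8-char attribute mask, path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)

# Directories where freshly created, oddly named binaries deserve a look.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
EXEC_EXT = (".exe", ".dll", ".ocx", ".cpl", ".bin", ".vbs", ".bat", ".sys")


@dataclass
class Entry:
    date: str
    size: int      # -1 for <DIR> entries
    attrs: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def parent(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()


def parse_dds(text: str) -> list:
    """Return the file entries from the Created Last 30 / Find3M sections."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section banners and blank lines
        size = -1 if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(m["date"], size, m["attrs"], m["path"]))
    return entries


def looks_random(name: str) -> bool:
    """Heuristic: several digits interleaved with letters, e.g. 694zthrea591097.

    Legitimate system files mostly keep their digits in one place (win32k,
    imapi2, ws2_32), so require at least 4 digits and at least 2 letter/digit
    switches.  This is a triage hint, not proof of anything.
    """
    stem = name.rsplit(".", 1)[0].lower()
    digits = sum(c.isdigit() for c in stem)
    kinds = [c.isdigit() for c in stem if c.isalnum()]
    switches = sum(1 for a, b in zip(kinds, kinds[1:]) if a != b)
    return digits >= 4 and switches >= 2


def triage(entries: list) -> list:
    """Return (path, reason) pairs worth a second look."""
    findings = []
    for e in entries:
        if e.size < 0:
            continue  # directories are not scored here
        exe_like = e.name.lower().endswith(EXEC_EXT)
        if exe_like and e.parent in SYSTEM_DIRS and looks_random(e.name):
            findings.append((e.path, "random-looking name directly in a system directory"))
        elif exe_like and "s" in e.attrs and "h" in e.attrs:
            # hidden+system attributes on a script or binary outside Windows'
            # own installation is unusual and worth checking
            findings.append((e.path, "executable with hidden+system attributes"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(parse_dds(SAMPLE_DDS)):
        print(f"{reason}: {path}")
```

On the sample, the three digit-laden names in c:\windows and system32 and the hidden/system .vbs are flagged while the four benign controls are not; it only narrows what to examine, and each hit still needs the usual file checks.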

Re: Help with malware - HJT Log

Post by JPicard » July 30th, 2009, 7:42 pm

Thank you so much for your reply.
I have followed your directions exactly. The DDS scan ran without problems; however, gmer gave me a blue screen a few times. I was able to get one scan completed to get a log. Here are the logs:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Thea at 15:33:33.96 on Mon 07/27/2009
Internet Explorer: 8.0.6001.18783
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1013.256 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Spyware Terminator *disabled* (Updated) {55EE49A8-16BE-4601-BBE6-607B7F7317DE}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Windows\WindowsMobile\wmdcBase.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Thea\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/home.php
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [SpywareTerminatorUpdate] "c:\program files\spyware terminator\SpywareTerminatorUpdate.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdcBase.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\users\thea\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\3572475\program\Compaq Connections.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF2.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/200 ... oader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shoc ... tor/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shoc ... tor/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/fl ... rashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-20 335752]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-7-23 108552]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-7-24 142592]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-7-23 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-23 298776]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-9-21 38160]

=============== Created Last 30 ================

2009-07-27 08:13 <DIR> --d----- c:\program files\Trend Micro
2009-07-27 05:52 16,392 a------- c:\windows\3099zsp95bot32c.bin
2009-07-25 09:33 17,281 a------- c:\windows\system32\694zthrea591097.exe
2009-07-24 16:01 <DIR> --d----- c:\windows\system32\eu-ES
2009-07-24 16:01 <DIR> --d----- c:\windows\system32\ca-ES
2009-07-24 16:01 <DIR> --d----- c:\windows\system32\vi-VN
2009-07-24 15:26 <DIR> --d----- c:\programdata\Lavasoft
2009-07-24 15:20 <DIR> --d----- c:\windows\system32\EventProviders
2009-07-24 15:17 378,368 a------- c:\windows\system32\imapi2.dll
2009-07-24 15:16 1,122,304 a------- c:\windows\system32\appwiz.cpl
2009-07-24 15:15 7,168 a------- c:\windows\system32\f3ahvoas.dll
2009-07-24 15:11 142,592 a------- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-07-24 15:11 <DIR> --d----- c:\users\thea\appdata\roaming\Spyware Terminator
2009-07-24 15:11 <DIR> --d----- c:\programdata\Spyware Terminator
2009-07-24 15:11 <DIR> --d----- c:\progra~2\Spyware Terminator
2009-07-24 15:11 <DIR> --d----- c:\program files\Spyware Terminator
2009-07-24 14:48 166,860,205 a------- c:\windows\MEMORY.DMP
2009-07-24 14:11 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-24 13:47 <DIR> --d----- c:\users\thea\appdata\roaming\IObit
2009-07-24 13:47 <DIR> --d----- c:\program files\IObit
2009-07-24 13:42 <DIR> --d----- c:\programdata\WindowsSearch
2009-07-24 11:06 2,034,688 a------- c:\windows\system32\win32k.sys
2009-07-24 11:06 289,792 a------- c:\windows\system32\atmfd.dll
2009-07-24 11:06 156,672 a------- c:\windows\system32\t2embed.dll
2009-07-24 11:06 72,704 a------- c:\windows\system32\fontsub.dll
2009-07-24 11:06 34,304 a------- c:\windows\system32\atmlib.dll
2009-07-24 11:06 23,552 a------- c:\windows\system32\lpk.dll
2009-07-24 11:06 10,240 a------- c:\windows\system32\dciman32.dll
2009-07-24 11:05 623,616 a------- c:\windows\system32\localspl.dll
2009-07-24 11:05 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-07-24 10:51 41,984 a------- c:\windows\system32\netfxperf.dll
2009-07-24 10:46 873,310 a------- c:\windows\system32\oem41.inf
2009-07-23 17:11 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-07-23 16:32 17,404 a------- c:\windows\system32\aze9teal3540.dll
2009-07-23 14:14 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-23 14:13 <DIR> --d----- c:\programdata\McAfee
2009-07-23 13:41 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-07-23 13:41 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-07-23 13:40 <DIR> --d----- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-23 13:40 <DIR> --d----- c:\progra~2\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-22 18:05 17,221 a------- c:\windows\system32\679bvirz053.cpl
2009-07-21 14:29 2,660 a------- c:\windows\b9aspywa5e1394z.bin
2009-07-20 11:00 7,565 a------- c:\windows\4985vir8z5.ocx
2009-07-20 03:54 3,183 a------- c:\windows\4099vir5z3e7.exe
2009-07-19 15:19 5,076 a------- c:\windows\system32\4z85worm398.bin
2009-07-19 03:19 11,806 a------- c:\windows\system32\197zt5o92b2.ocx
2009-07-19 00:25 10,043 a------- c:\windows\system32\12034hackt9oz454.exe
2009-07-18 14:19 17,355 a------- c:\windows\109dvirz9955.dll
2009-07-18 05:18 4,537 a------- c:\windows\system32\7zb9sparse1325.dll
2009-07-14 20:32 4,898 a------- c:\windows\system32\1dz4b9ckdoor559.exe
2009-07-12 14:19 13,977 a------- c:\windows\system32\90375spam5otze6.cpl
2009-07-11 18:47 10,524 a------- c:\windows\3955threat1z6915.dll
2009-07-11 01:39 4,334 a------- c:\windows\7645thre9t575z.ocx
2009-07-11 00:52 12,875 a------- c:\windows\24f59pzware1389.exe
2009-07-10 16:02 6,723 a------- c:\windows\system32\6033thiez99155.dll
2009-07-10 07:25 5,255 a------- c:\windows\362759oj53z.cpl
2009-07-08 16:48 15,118 a------- c:\windows\95800spy500z.exe
2009-07-07 10:29 4,750 a------- c:\windows\system32\7940vir5z92.bin
2009-07-07 04:42 4,933 a------- c:\windows\system32\667cad5war9101z.dll
2009-07-06 17:56 7,146 a------- c:\windows\z59dspyware9345.cpl
2009-07-06 17:00 9,473 a------- c:\windows\system32\8445spamb95z70.cpl
2009-07-03 13:06 14,204 a------- c:\windows\5bdfaddwaze15915.ocx
2009-07-03 02:02 16,996 a------- c:\windows\system32\2556zhr5at12989.ocx
2009-07-02 21:30 16,448 a------- c:\windows\32542h9cktool550z.ocx
2009-07-01 12:01 10,401 a------- c:\windows\system32\4z62add9are1592.ocx
2009-07-01 08:05 5,119 a------- c:\windows\system32\250z3not-a5vi9us17e.exe
2009-06-27 23:03 18,216 a------- c:\windows\39d8sp5zse17739.bin

==================== Find3M ====================

2009-07-24 16:12 143,360 a------- c:\windows\inf\infstrng.dat
2009-07-24 16:12 86,016 a------- c:\windows\inf\infstor.dat
2009-07-24 16:12 51,200 a------- c:\windows\inf\infpub.dat
2009-07-24 16:01 665,600 a------- c:\windows\inf\drvindex.dat
2009-07-24 14:16 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-23 17:11 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-13 14:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 14:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-27 12:12 2,620 a------- c:\windows\95187z5rm70f.bin
2009-06-24 19:07 2,874 a------- c:\windows\6958th5eat5379z.exe
2009-06-23 02:10 9,128 a------- c:\windows\system32\21154hackto9z235.bin
2009-06-21 18:24 3,484 a------- c:\windows\3d98zparse52069.exe
2009-06-19 08:23 10,942 a------- c:\windows\system32\31416zor5697.exe
2009-06-16 09:29 8,077 a------- c:\windows\system32\55cdthreat2907z.dll
2009-06-15 06:34 12,273 a------- c:\windows\system32\51978spy19z.bin
2009-06-14 02:12 11,027 a------- c:\windows\13a0thief591z.bin
2009-06-13 17:28 15,919 a------- c:\windows\189at5reat1z584.bin
2009-06-13 10:17 14,069 a------- c:\windows\system32\492azdd5are423.exe
2009-06-08 21:47 8,620 a------- c:\windows\2cd5vzr3059.dll
2009-06-08 06:41 9,681 a------- c:\windows\system32\6814bazkd59r135.dll
2009-06-07 16:23 17,100 a------- c:\windows\system32\30aa9ownlzader13955.dll
2009-06-06 02:31 15,115 a------- c:\windows\system32\5c47dowzlo9der1408.dll
2009-06-05 02:59 4,147 a------- c:\windows\system32\946edowzloa5er1712.exe
2009-06-03 13:08 13,833 a------- c:\windows\z2a39ownloa5er2198.bin
2009-06-02 10:53 17,928 a------- c:\windows\55909hiez2000.dll
2009-06-01 19:55 8,393 a------- c:\windows\73955irus77bz.dll
2009-06-01 08:26 17,852 a------- c:\windows\1195znot-a-virus1b8.exe
2009-05-25 21:20 14,936 a------- c:\windows\system32\6595vzr1694.exe
2009-05-25 20:11 14,479 a------- c:\windows\10999sp5m9ot75z.bin
2009-05-24 10:10 6,695 a------- c:\windows\system32\351fsp5rse51z9.dll
2009-05-20 12:34 5,136 a------- c:\windows\system32\14739hazkt5ol9e4.bin
2009-05-19 19:54 4,336 a------- c:\windows\2dbviz9455.bin
2009-05-18 01:11 3,947 a------- c:\windows\system32\90756spambot35z5.exe
2009-05-16 19:23 16,888 a------- c:\windows\5719troj2z1.exe
2009-05-16 07:09 7,644 a------- c:\windows\system32\5a11sp5w9re66z.exe
2009-05-16 05:14 9,961 a------- c:\windows\system32\19701w5rm2zf.bin
2009-05-12 23:57 13,179 a------- c:\windows\4d16sp9warez25.exe
2009-05-10 22:45 15,790 a------- c:\windows\2b90steal146z5.dll
2009-05-10 17:01 3,088 a------- c:\windows\system32\11929notza-v9rus19a5.bin
2009-05-10 11:31 17,897 a------- c:\windows\system32\6151t9zef2856.bin
2009-05-09 00:50 915,456 a------- c:\windows\system32\wininet.dll
2009-05-09 00:34 71,680 a------- c:\windows\system32\iesetup.dll
2009-05-07 14:51 3,228 a------- c:\windows\79135py9bz.dll
2009-05-06 18:36 13,350 a------- c:\windows\system32\e1zthief13859.dll
2009-05-04 06:11 7,972 a------- c:\windows\system32\5871backd59r2z48.dll
2009-05-03 06:01 6,574 a------- c:\windows\5c5395r1951z.exe
2009-05-02 04:30 2,600 a------- c:\windows\4ca35py9are2573z.bin
2009-05-01 22:59 14,336 a------- c:\windows\1z280vi5us189.exe
2009-05-01 00:00 14,203 a------- c:\windows\system32\7285vir911z.bin
2008-12-12 15:25 1,752 a------- c:\users\thea\appdata\roaming\wklnhst.dat
2008-09-17 21:42 174 a--sh--- c:\program files\desktop.ini
2008-07-04 03:18 502 a------- c:\users\thea\571.bat
2006-11-02 07:39 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:39 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:39 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:39 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-12-12 16:12 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-12-12 16:12 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-12-12 16:12 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2005-07-29 16:24 472 a--shr-- c:\windows\vghlyq\p315sk.vbs

============= FINISH: 15:36:46.52 ===============

DDS (Ver_09-07-30.01)

Microsoft® Windows Vista™ Home Basic
Boot Device: \Device\HarddiskVolume1
Install Date: 5/29/2007 6:54:11 AM
System Uptime: 7/27/2009 3:29:14 PM (0 hours ago)

Motherboard: Quanta | | 30BB
Processor: Genuine Intel(R) CPU T2080 @ 1.73GHz | U2E1 | 1733/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 68 GiB total, 23.69 GiB free.
D: is FIXED (NTFS) - 6 GiB total, 0.007 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP141: 7/24/2009 2:52:49 PM - Windows Update
RP143: 7/24/2009 3:17:55 PM - Spyware Terminator - restore point
RP140: 7/24/2009 3:27:15 PM - Windows Vista™ Service Pack 2
RP145: 7/24/2009 3:50:39 PM - Spyware Terminator - restore point
RP146: 7/24/2009 4:35:51 PM - Windows Update

==== Installed Programs ======================

Acrobat.com
Activation Assistant for the 2007 Microsoft Office suites
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1
Adobe Shockwave Player 11.5
Apple Mobile Device Support
Apple Software Update
ASL_HS_Installer32
AutoUpdate
AVG Free 8.5
Bonjour
CCleaner (remove only)
Compaq Connections (remove only)
Conexant HD Audio
DivX
Express Burn
FileHippo.com Update Checker
FinePix Studio
FinePixViewer Resource
FinePixViewer Ver.5.4
HDAUDIO Soft Data Fax Modem with SmartCP
Hewlett-Packard Active Check for Health Check
Hewlett-Packard Asset Agent for Health Check
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Customer Experience Enhancements
HP Easy Setup - Core
HP Easy Setup - Frontend
HP Help and Support
HP Quick Launch Buttons 6.10 B9
HP QuickPlay 3.0
HP Total Care Advisor
HP Update
HP User Guide 0048
HP Wireless Assistant
HPNetworkAssistant
Intel(R) Graphics Media Accelerator Driver
Intel(R) Network Connections Drivers
iTunes
Java(TM) 6 Update 14
LightScribe 1.4.124.1
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office Word Viewer 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Monopoly Here & Now Edition
Move Networks Media Player for Internet Explorer
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 5.0
My HP Games
QuickTime
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD Basic v9
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Smart Defrag 1.20
Sonic Activation Module
Spybot - Search & Destroy
Spyware Terminator
SpywareBlaster 4.2
Synaptics Pointing Device Driver
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Mobile Device Center Driver Update
Windows Mobile® Device Handbook

==== Event Viewer Messages From Past Week ========

7/27/2009 8:11:14 AM, Error: Service Control Manager [7000] - The MBAMSwissArmy service failed to start due to the following error: The system cannot find message text for message number 0xMBAMSwissArmy in the message file for The system cannot find message text for message number 0x%1 in the message file for %2..
7/27/2009 8:08:17 AM, Error: Microsoft-Windows-Dhcp-Client [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 001A7346F266. The following error occurred: The wait operation timed out.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
7/27/2009 8:07:02 AM, Error: Microsoft-Windows-Kernel-General [5] - {Registry Hive Recovered} Registry hive (file): '\??\C:\Users\Thea\AppData\Local\Microsoft\Windows\UsrClass.dat' was corrupted and it has been recovered. Some data might have been lost.
7/27/2009 8:05:21 AM, Error: EventLog [6008] - The previous system shutdown at 8:51:27 AM on 7/27/2009 was unexpected.
7/27/2009 8:05:20 AM, Error: EventLog [6008] - The previous system shutdown at 8:25:11 AM on 7/27/2009 was unexpected.
7/27/2009 8:05:18 AM, Error: EventLog [6008] - The previous system shutdown at 8:13:07 AM on 7/27/2009 was unexpected.
7/27/2009 3:31:31 PM, Error: Microsoft-Windows-Time-Service [34] - The time service has detected that the system time needs to be changed by +264340 seconds. The time service will not change the system time by more than +54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->207.46.197.32:123) is working properly.
7/27/2009 3:30:44 PM, Error: Service Control Manager [7000] - The rimsptsk service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
7/27/2009 3:30:44 PM, Error: Service Control Manager [7000] - The rimmptsk service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
7/27/2009 3:30:44 PM, Error: Service Control Manager [7000] - The Ricoh xD-Picture Card Driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
7/27/2009 3:30:44 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
7/27/2009 3:29:43 PM, Error: EventLog [6008] - The previous system shutdown at 3:34:28 PM on 7/27/2009 was unexpected.
7/24/2009 4:19:32 PM, Error: Microsoft-Windows-Time-Service [34] - The time service has detected that the system time needs to be changed by +229466 seconds. The time service will not change the system time by more than +54000 seconds. Verify that your time and time zone are correct, and that the time source time.nist.gov,0x9 (ntp.m|0x9|0.0.0.0:123->192.43.244.18:123) is working properly.
7/24/2009 4:19:20 PM, Error: Microsoft-Windows-Time-Service [34] - The time service has detected that the system time needs to be changed by +229466 seconds. The time service will not change the system time by more than +54000 seconds. Verify that your time and time zone are correct, and that the time source time-b.nist.gov,0x9 (ntp.m|0x9|0.0.0.0:123->129.6.15.29:123) is working properly.
7/24/2009 4:18:53 PM, Error: Microsoft-Windows-Time-Service [34] - The time service has detected that the system time needs to be changed by +229466 seconds. The time service will not change the system time by more than +54000 seconds. Verify that your time and time zone are correct, and that the time source time-nw.nist.gov,0x9 (ntp.m|0x9|0.0.0.0:123->131.107.13.100:123) is working properly.
7/24/2009 3:29:24 PM, Error: Service Control Manager [7030] - The Lavasoft Ad-Aware Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
7/24/2009 3:02:34 PM, Error: EventLog [6008] - The previous system shutdown at 3:40:59 PM on 7/24/2009 was unexpected.
7/24/2009 2:51:40 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
7/24/2009 2:51:33 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
7/24/2009 2:51:32 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
7/24/2009 2:51:22 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX DfsC NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr tdx Wanarpv6
7/24/2009 2:51:22 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
7/24/2009 2:51:22 PM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
7/24/2009 2:51:22 PM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
7/24/2009 2:51:22 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
7/24/2009 2:51:22 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
7/24/2009 2:51:22 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
7/24/2009 2:51:22 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
7/24/2009 2:51:22 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
7/24/2009 2:51:22 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
7/24/2009 2:51:22 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
7/24/2009 2:51:22 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/24/2009 2:51:22 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
7/24/2009 2:51:22 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
7/24/2009 2:50:59 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
7/24/2009 2:50:59 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
7/24/2009 2:50:55 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
7/24/2009 2:50:15 PM, Error: EventLog [6008] - The previous system shutdown at 2:58:11 PM on 7/24/2009 was unexpected.
7/24/2009 2:48:46 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

==== End Of File ===========================

GMER 1.0.15.15011 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-07-27 15:47:58
Windows 6.0.6002 Service Pack 2


---- System - GMER 1.0.15 ----

Code 85804368 ZwEnumerateKey
Code 858182D8 ZwFlushInstructionCache
Code 857F837D IofCallDriver
Code 85814516 IofCompleteRequest
Code 8581230D ZwSaveKey
Code 8581D2ED ZwSaveKeyEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 81C46912 5 Bytes JMP 857F8382
.text ntkrnlpa.exe!IofCompleteRequest 81C4697F 5 Bytes JMP 8581451B
.text ntkrnlpa.exe!ZwSaveKey 81C4B8D0 5 Bytes JMP 85812312
.text ntkrnlpa.exe!ZwSaveKeyEx 81C4B8E4 5 Bytes JMP 8581D2F2
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 81DB1EF5 5 Bytes JMP 858182DC
PAGE ntkrnlpa.exe!ZwEnumerateKey 81DFF0BA 5 Bytes JMP 8580436C

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\ESQULopiibttdvyueltkenvsoxtsqpcrsvfjp.sys (*** hidden *** ) [SYSTEM] ESQULserv.sys <-- ROOTKIT !!!

Re: Help with malware - HJT Log

Unread postby Bio-Hazard » July 31st, 2009, 5:35 pm

----------------------------------------------------------
Please note: Due to the restrictions on Vista, all tools should be started by Right-Click ---> Run As Administrator
----------------------------------------------------------

Download and Run ComboFix

  • ComboFix SHOULD NOT be used unless requested by a forum helper.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. A guide to do this can be found HERE
  • Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2

  • Double-click on Combo-Fix.exe and follow the prompts.
  • When finished, it will produce a report for you (C:\ComboFix.txt)
  • Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
  • ComboFix should never take more than 20 minutes including the reboot if malware is detected.

    IMPORTANT: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

    Next Reply

    Please reply with:
  • ComboFix log (found at C:\Combofix.txt)
  • New HijackThis log

Re: Help with malware - HJT Log

Unread postby JPicard » July 31st, 2009, 8:27 pm

I ran combofix just as you requested without problem.
Here is the combofix and hijackthis log:

ComboFix 09-07-31.02 - Thea 07/31/2009 18:18.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1013.113 [GMT -5:00]
Running from: c:\users\Thea\Desktop\Combo-Fix.exe
SP: Spyware Terminator *disabled* (Updated) {55EE49A8-16BE-4601-BBE6-607B7F7317DE}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2028457093-1401123635-1720962910-500
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\tn3
c:\windows\system32\404Fix.exe
c:\windows\system32\drivers\ESQULopiibttdvyueltkenvsoxtsqpcrsvfjp.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\ESQULmbweupirfptqgaippvbpvdyxraitdthn.dll
c:\windows\system32\ESQULnbxkydnwcomprcqkqrnmnbsdmxeqpswr.dll
c:\windows\system32\ESQULzcounter
c:\windows\system32\IEDFix.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ESQULserv.sys
-------\Service_ESQULserv.sys


((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-31 )))))))))))))))))))))))))))))))
.

2009-07-27 13:13 . 2009-07-27 13:10 -------- d-----w- c:\program files\Trend Micro
2009-07-25 14:33 . 2009-07-25 14:33 17281 ----a-w- c:\windows\system32\694zthrea591097.exe
2009-07-24 21:01 . 2009-07-24 21:04 -------- d-----w- c:\windows\system32\ca-ES
2009-07-24 21:01 . 2009-07-24 21:04 -------- d-----w- c:\windows\system32\eu-ES
2009-07-24 21:01 . 2009-07-24 21:04 -------- d-----w- c:\windows\system32\vi-VN
2009-07-24 20:26 . 2009-07-27 13:11 -------- d-----w- c:\progra~2\Lavasoft
2009-07-24 20:20 . 2009-07-24 20:20 -------- d-----w- c:\windows\system32\EventProviders
2009-07-24 20:17 . 2009-04-11 06:28 351744 ----a-w- c:\windows\system32\mssph.dll
2009-07-24 20:16 . 2009-04-11 06:32 122344 ----a-w- c:\windows\system32\drivers\Storport.sys
2009-07-24 20:15 . 2009-04-11 06:22 7168 ----a-w- c:\windows\system32\f3ahvoas.dll
2009-07-24 20:11 . 2009-07-24 20:11 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-07-24 20:11 . 2009-07-27 13:19 -------- d-----w- c:\users\Thea\AppData\Roaming\Spyware Terminator
2009-07-24 20:11 . 2009-07-27 20:29 -------- d-----w- c:\progra~2\Spyware Terminator
2009-07-24 20:11 . 2009-07-27 13:20 -------- d-----w- c:\program files\Spyware Terminator
2009-07-24 19:11 . 2009-07-27 13:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-24 18:47 . 2009-07-24 18:47 -------- d-----w- c:\users\Thea\AppData\Roaming\IObit
2009-07-24 18:47 . 2009-07-24 18:47 -------- d-----w- c:\program files\IObit
2009-07-24 18:42 . 2009-07-24 18:42 -------- d-----w- c:\progra~2\WindowsSearch
2009-07-24 16:06 . 2009-04-21 11:39 2034688 ----a-w- c:\windows\system32\win32k.sys
2009-07-24 16:06 . 2009-06-15 14:53 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-07-24 16:06 . 2009-06-15 14:52 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-07-24 16:06 . 2009-06-15 12:42 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-07-24 16:06 . 2009-06-15 14:52 23552 ----a-w- c:\windows\system32\lpk.dll
2009-07-24 16:06 . 2009-06-15 14:51 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-07-24 16:06 . 2009-04-11 06:28 34304 ----a-w- c:\windows\system32\atmlib.dll
2009-07-24 16:05 . 2009-04-23 12:14 623616 ----a-w- c:\windows\system32\localspl.dll
2009-07-24 16:05 . 2009-04-23 12:15 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-07-24 15:51 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-07-24 15:49 . 2009-05-09 05:34 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-24 15:49 . 2009-05-09 05:50 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-23 21:32 . 2009-07-23 21:32 17404 ----a-w- c:\windows\system32\aze9teal3540.dll
2009-07-23 19:14 . 2009-07-23 19:13 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-23 19:13 . 2009-07-23 19:13 -------- d-----w- c:\progra~2\McAfee
2009-07-23 18:49 . 2009-07-23 18:45 -------- d-----w- c:\program files\Google
2009-07-23 18:45 . 2009-07-23 18:45 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-23 18:41 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-07-23 18:41 . 2009-03-19 21:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-07-23 18:40 . 2009-07-23 18:41 -------- d-----w- c:\progra~2\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-23 18:36 . 2009-07-23 18:37 -------- d-----w- c:\program files\QuickTime
2009-07-19 20:19 . 2009-07-19 20:19 5076 ----a-w- c:\windows\system32\4z85worm398.bin
2009-07-18 10:18 . 2009-07-18 10:18 4537 ----a-w- c:\windows\system32\7zb9sparse1325.dll
2009-07-15 01:32 . 2009-07-15 01:32 4898 ----a-w- c:\windows\system32\1dz4b9ckdoor559.exe
2009-07-10 21:02 . 2009-07-10 21:02 6723 ----a-w- c:\windows\system32\6033thiez99155.dll
2009-07-07 15:29 . 2009-07-07 15:29 4750 ----a-w- c:\windows\system32\7940vir5z92.bin
2009-07-07 09:42 . 2009-07-07 09:42 4933 ----a-w- c:\windows\system32\667cad5war9101z.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-31 23:30 . 2006-12-27 16:55 12 ----a-w- c:\windows\bthservsdp.dat
2009-07-27 20:37 . 2008-07-04 10:22 1356 ----a-w- c:\users\Thea\AppData\Local\d3d9caps.dat
2009-07-27 13:12 . 2008-09-20 15:45 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2009-07-27 13:10 . 2008-09-20 16:10 -------- d-----w- c:\program files\SpywareBlaster
2009-07-24 21:40 . 2006-11-02 12:35 37665 ----a-w- c:\windows\Fonts\GlobalUserInterface.CompositeFont
2009-07-24 21:05 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Calendar
2009-07-24 21:05 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-07-24 21:05 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Sidebar
2009-07-24 21:05 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Photo Gallery
2009-07-24 21:05 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Defender
2009-07-24 21:01 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-07-24 18:50 . 2006-12-27 18:16 -------- d-----w- c:\program files\Java
2009-07-24 16:34 . 2007-05-28 20:14 96192 ----a-w- c:\users\Thea\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-24 16:02 . 2006-12-27 17:40 -------- d-----w- c:\progra~2\Microsoft Help
2009-07-24 15:41 . 2006-12-27 17:38 -------- d-----w- c:\program files\Microsoft Works
2009-07-23 18:45 . 2008-09-20 15:15 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-23 18:41 . 2008-09-23 08:11 -------- d-----w- c:\program files\iTunes
2009-07-23 18:41 . 2008-09-23 08:11 -------- d-----w- c:\program files\iPod
2009-07-23 18:41 . 2008-09-20 20:14 -------- d-----w- c:\program files\Common Files\Apple
2009-07-23 18:37 . 2008-09-23 08:09 -------- d-----w- c:\program files\Bonjour
2009-07-13 19:36 . 2008-09-21 20:57 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 19:36 . 2008-09-21 20:57 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-01 13:05 . 2009-07-01 13:05 5119 ----a-w- c:\windows\system32\250z3not-a5vi9us17e.exe
2009-06-23 07:10 . 2009-06-23 07:10 9128 ----a-w- c:\windows\system32\21154hackto9z235.bin
2009-06-19 13:23 . 2009-06-19 13:23 10942 ----a-w- c:\windows\system32\31416zor5697.exe
2009-06-16 14:29 . 2009-06-16 14:29 8077 ----a-w- c:\windows\system32\55cdthreat2907z.dll
2009-06-15 11:34 . 2009-06-15 11:34 12273 ----a-w- c:\windows\system32\51978spy19z.bin
2009-06-13 15:17 . 2009-06-13 15:17 14069 ----a-w- c:\windows\system32\492azdd5are423.exe
2009-06-08 11:41 . 2009-06-08 11:41 9681 ----a-w- c:\windows\system32\6814bazkd59r135.dll
2009-06-07 21:23 . 2009-06-07 21:23 17100 ----a-w- c:\windows\system32\30aa9ownlzader13955.dll
2009-06-06 07:31 . 2009-06-06 07:31 15115 ----a-w- c:\windows\system32\5c47dowzlo9der1408.dll
2009-06-05 07:59 . 2009-06-05 07:59 4147 ----a-w- c:\windows\system32\946edowzloa5er1712.exe
2009-05-26 02:20 . 2009-05-26 02:20 14936 ----a-w- c:\windows\system32\6595vzr1694.exe
2009-05-24 15:10 . 2009-05-24 15:10 6695 ----a-w- c:\windows\system32\351fsp5rse51z9.dll
2009-05-18 06:11 . 2009-05-18 06:11 3947 ----a-w- c:\windows\system32\90756spambot35z5.exe
2009-05-16 12:09 . 2009-05-16 12:09 7644 ----a-w- c:\windows\system32\5a11sp5w9re66z.exe
2009-05-16 10:14 . 2009-05-16 10:14 9961 ----a-w- c:\windows\system32\19701w5rm2zf.bin
2009-05-10 16:31 . 2009-05-10 16:31 17897 ----a-w- c:\windows\system32\6151t9zef2856.bin
2009-05-06 23:36 . 2009-05-06 23:36 13350 ----a-w- c:\windows\system32\e1zthief13859.dll
2009-05-04 11:11 . 2009-05-04 11:11 7972 ----a-w- c:\windows\system32\5871backd59r2z48.dll
2005-07-29 21:24 . 2008-07-04 08:16 472 --sha-r- c:\windows\VGhlYQ\p315sk.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareTerminatorUpdate"="c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe" [2009-07-24 3055616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-11-24 167936]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-11-28 46704]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 317152]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 648072]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-23 148888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]

c:\users\Thea\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\progra~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\3572475\Program\Compaq Connections.exe [2006-12-27 34520]
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2007-11-20 303104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):14,aa,c4,1b,a3,0c,ca,01

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{24EA3332-175B-45DE-8075-E981D66C1494}"= UDP:c:\program files\HP\QuickPlay\QP.exe:QP
"{6FFF7A56-4D8D-42A7-812B-3F8F692CA5F7}"= TCP:c:\program files\HP\QuickPlay\QP.exe:QP
"{762C8BF0-C943-457D-9A54-E667A4F386E5}"= UDP:c:\program files\Compaq Connections\3572475\Program\Compaq Connections.exe:Compaq Connections
"{0213B23F-F201-47E8-9DC7-458C4F7BE7AE}"= c:\program files\Compaq Connections\3572475\Program\Compaq Connections:Compaq Connections
"{034BAEFA-F887-4B09-9479-E903C50C2FFE}"= UDP:c:\program files\Compaq Connections\3572475\Program\Compaq Connections.exe:Compaq Connections
"{8B415799-1811-4F8A-8541-9A6321AE5D3F}"= TCP:c:\program files\Compaq Connections\3572475\Program\Compaq Connections.exe:Compaq Connections
"{FF13C7B8-91C1-44B0-90DE-C35D865BEBB9}"= UDP:c:\program files\Compaq Connections\3572475\Program\Compaq Connections.exe:Compaq Connections
"{288EE93E-5363-456B-8000-21472609C5CF}"= TCP:c:\program files\Compaq Connections\3572475\Program\Compaq Connections.exe:Compaq Connections
"{6C573B97-25D8-4A8E-808F-40640892C4D6}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{4F29941F-55AA-42F5-A38F-E4BF53A94217}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{E7BC04DB-3748-433F-8D14-0589CF8C111F}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{AD7A7B70-8F1F-4FCB-8F57-2EE31B1ACAAD}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{0A8B46C5-5866-4C3A-BE20-6FBCB0982D8F}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{F0FA5848-E9C5-47E3-AD43-8F68C7981B77}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{0FAD178C-EF62-4A92-9966-19D2EF549067}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{D1469041-50C4-463B-971B-D747EDCE6811}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{10697C5A-45CC-4C57-AB4B-67485CD91731}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{A3C1E22E-5909-4B90-B8E1-575046B10D95}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{E3152EA2-93F7-42C6-B276-1B25879A045E}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{11E86912-2D2B-438D-AAA4-975E54474A98}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{4A6E3E67-1CCB-49A0-8BD9-1CF5C6E072F5}c:\\program files\\hp games\\jeopardy\\jeopardy!.exe"= UDP:c:\program files\hp games\jeopardy\jeopardy!.exe:JEOPARDY!
"UDP Query User{E7F6439E-3773-4482-A7AA-61A4058B0D05}c:\\program files\\hp games\\jeopardy\\jeopardy!.exe"= TCP:c:\program files\hp games\jeopardy\jeopardy!.exe:JEOPARDY!
"TCP Query User{EE496437-9120-4A0F-BDE2-D28138CEFB87}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{CAE30495-6BAA-4C70-BBF3-61A5A648C6FA}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"{B9B21548-740C-4C8F-B1F9-8E9212F32B0C}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{21BA1DFB-3B19-4DBF-AE1C-7B49E57EB5F7}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{4E542CF1-AC64-4868-A565-A058E02D6FC2}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{A4A252D0-8B1B-4E8D-AB11-27C794805CBC}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{EEAE341F-5792-41F0-BE49-31D39F50069B}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{D4CA2B34-D9D7-48CE-9506-573465035CBE}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{C47C5989-E746-42D7-8B7C-D84E0B52D94A}c:\\program files\\spyware terminator\\spywareterminatorupdate.exe"= UDP:c:\program files\spyware terminator\spywareterminatorupdate.exe:Crawler Spyware Terminator
"UDP Query User{4A042543-AB95-4D8A-BFD4-E0D13E35BFD7}c:\\program files\\spyware terminator\\spywareterminatorupdate.exe"= TCP:c:\program files\spyware terminator\spywareterminatorupdate.exe:Crawler Spyware Terminator
"{550A3DF6-A99A-4572-B777-63590A237BA7}"= UDP:990:LocalSubnet:LocalSubnet|IF={B71EB6A6-593D-4028-A71F-EEE1E1A10C83}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\System32\drivers\sp_rsdrv2.sys [7/24/2009 3:11 PM 142592]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\System32\drivers\mbamswissarmy.sys [9/21/2008 3:57 PM 38160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{F08555B0-9CC3-11D2-AA8E-000000000567} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/home.php
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-31 18:17
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3895441010-3899080723-1055044066-1000\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\ActiveSync]
"Name"="ActiveSync"
"DisplayName"="Microsoft ActiveSync"
"Param1"="ActiveSync"
"Type"="wellknown"
"Order"=dword:00000000
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-3895441010-3899080723-1055044066-1000\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\IESettings]
"Name"="IESettings"
"Type"="IESettings"
"Order"=dword:00000003
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-3895441010-3899080723-1055044066-1000\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\MediaFiles]
"Name"="MediaFiles"
"Type"="MediaFiles"
"Order"=dword:00000002
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-3895441010-3899080723-1055044066-1000\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\NPW]
"Name"="NPW"
"Param1"="NPW"
"Type"="wellknown"
"Order"=dword:00000001
"State"=dword:00000013

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\windows\System32\wlanext.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Spyware Terminator\sp_rsser.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\HP\QuickPlay\Kernel\TV\CLSched.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
c:\windows\System32\igfxsrvc.exe
c:\windows\System32\wbem\unsecapp.exe
c:\progra~1\HEWLET~1\Shared\HPQTOA~1.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-07-31 18:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-31 23:27

Pre-Run: 26,939,109,376 bytes free
Post-Run: 26,533,634,048 bytes free

721 --- E O F --- 2009-07-24 21:42


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:55:40, on 7/31/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Windows\WindowsMobile\wmdcBase.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\sdclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThisA\HijackThisA.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/home.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdcBase.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8001 bytes
JPicard
Active Member
 
Posts: 8
Joined: July 27th, 2009, 12:35 pm

Re: Help with malware - HJT Log

Unread postby Bio-Hazard » August 1st, 2009, 5:45 am

----------------------------------------------------------
Please note: Due to the restrictions on Vista, all tools should be started by Right-Click ---> Run As Administrator
----------------------------------------------------------

Run CFScript

  • Close any open browsers.
  • Open Notepad by clicking Start
  • Click Run
  • Type notepad into the box and press Enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:

Code:
http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=44652&p=458670#p458670
Collect::
c:\windows\system32\382b5ownlozder9408.exe
c:\windows\system32\617zaddwar913975.dll
c:\windows\system32\9z49s5eal2916.bin
c:\windows\system32\3605b9ckdoorz7.dll
c:\windows\system32\55a1download951z65.exe
c:\windows\system32\9991not5a-virus5eez.bin
c:\windows\system32\23009zpambot5b49.dll
c:\windows\system32\4b4c9teal9z5.dll
c:\windows\system32\197z5troj38b.dll
c:\windows\system32\1z4et5ief9066.exe
c:\windows\system32\30349virus659z.exe
c:\windows\system32\6b15b5ckdooz919.exe
c:\windows\1694zs5y2.bin
c:\windows\system32\z297spy6d95.dll
c:\windows\system32\499cadd5arz3033.exe
c:\windows\system32\z5b25py9are1409.exe
c:\windows\system32\91071tr5z18.bin
c:\windows\system32\z56espy5are9748.bin
c:\windows\system32\3z43st95l695.bin
c:\windows\system32\7ae4ste5l99z5.bin
c:\windows\system32\319955zy4a.exe
c:\windows\system32\1cc4azdware29645.bin
c:\windows\system32\51098zirus66a.bin
c:\windows\system32\3897ste9l3225z.bin
c:\windows\system32\5685roj7zd9.bin
c:\windows\system32\z954threat25082.dll
c:\windows\system32\346espywarz5956.bin
c:\windows\system32\3990virusz5.dll
c:\windows\system32\98057woz56a.dll
c:\windows\system32\95651not-a-vzrus59e.bin
c:\windows\system32\3199zpambot553.dll
c:\windows\system32\5372worm59z.exe
c:\windows\system32\30938not-azvirus5255.bin
c:\windows\system32\5990h5cktool60z.bin
c:\windows\system32\7ez6sp9rse5358.bin
c:\windows\system32\25399not-a-vi5us4d3z.dll
c:\windows\system32\7756back9oor1z88.dll
c:\windows\system32\4c6fszyw9re520.dll
c:\windows\system32\1d4cstealz591.dll
c:\windows\system32\598z7spa9bot2ce.exe
c:\windows\system32\45deba9kdoor85z.exe
c:\windows\system32\694zthrea591097.exe
c:\windows\system32\aze9teal3540.dll
c:\windows\system32\4z85worm398.bin
c:\windows\system32\7zb9sparse1325.dll
c:\windows\system32\1dz4b9ckdoor559.exe
c:\windows\system32\6033thiez99155.dll
c:\windows\system32\7940vir5z92.bin
c:\windows\system32\667cad5war9101z.dll
c:\windows\system32\250z3not-a5vi9us17e.exe
c:\windows\system32\21154hackto9z235.bin
c:\windows\system32\31416zor5697.exe
c:\windows\system32\55cdthreat2907z.dll
c:\windows\system32\51978spy19z.bin
c:\windows\system32\492azdd5are423.exe
c:\windows\system32\6814bazkd59r135.dll
c:\windows\system32\30aa9ownlzader13955.dll
c:\windows\system32\5c47dowzlo9der1408.dll
c:\windows\system32\946edowzloa5er1712.exe
c:\windows\system32\6595vzr1694.exe
c:\windows\system32\351fsp5rse51z9.dll
c:\windows\system32\90756spambot35z5.exe
c:\windows\system32\5a11sp5w9re66z.exe
c:\windows\system32\19701w5rm2zf.bin
c:\windows\system32\6151t9zef2856.bin
c:\windows\system32\e1zthief13859.dll
c:\windows\system32\5871backd59r2z48.dll

Folder::
c:\windows\VGhlYQ

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
[-HKEY_CLASSES_ROOT\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{10697C5A-45CC-4C57-AB4B-67485CD91731}"=-
"{A3C1E22E-5909-4B90-B8E1-575046B10D95}"=-
"TCP Query User{EE496437-9120-4A0F-BDE2-D28138CEFB87}c:\\program files\\limewire\\limewire.exe"=-
"UDP Query User{CAE30495-6BAA-4C70-BBF3-61A5A648C6FA}c:\\program files\\limewire\\limewire.exe"=-


  • Save this as CFScript.txt, in the same location as ComboFix.exe (on your desktop)

    Image
  • Referring to the picture below, drag CFScript into ComboFix.exe

    Image
  • When finished, it shall produce a log for you at C:\ComboFix.txt

NOTE: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



ATF-Cleaner

Please download ATF Cleaner by Atribune.

  • Save it to your desktop
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use the Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords please click No at the prompt.
  • Click Exit on the Main menu to close the program.



Kaspersky Online Scan

You can use either Internet Explorer or Mozilla Firefox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply along with a fresh HijackThis log.



Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:
  • ComboFix log (found at C:\Combofix.txt)
  • Kaspersky Log
  • A fresh HijackThis Log ( after all the above has been done)
  • A description of how your computer is behaving
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: Help with malware - HJT Log

Unread postby JPicard » August 2nd, 2009, 5:18 pm

The computer seems to be running perfectly. I am able to synchronize with Windows time successfully now. I am able to run Spybot, Malwarebytes, and HijackThis without having to change the file name. Here are the logs you requested. In the Kaspersky Online Scan, I am unable to copy/paste the entire log because it is so long. Almost the entire thing is music files that look like they have the same infection. For this case, I will only post one as an example with the rest of the log being unchanged.

ComboFix 09-07-31.04 - Thea 07/31/2009 18:35.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1013.359 [GMT -5:00]
Running from: c:\users\Thea\Desktop\Combo-Fix.exe
Command switches used :: c:\users\Thea\Desktop\CFScript.txt
SP: Spyware Terminator *disabled* (Updated) {55EE49A8-16BE-4601-BBE6-607B7F7317DE}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

file zipped: c:\windows\1694zs5y2.bin
file zipped: c:\windows\system32\19701w5rm2zf.bin
file zipped: c:\windows\system32\197z5troj38b.dll
file zipped: c:\windows\system32\1cc4azdware29645.bin
file zipped: c:\windows\system32\1d4cstealz591.dll
file zipped: c:\windows\system32\1dz4b9ckdoor559.exe
file zipped: c:\windows\system32\1z4et5ief9066.exe
file zipped: c:\windows\system32\21154hackto9z235.bin
file zipped: c:\windows\system32\23009zpambot5b49.dll
file zipped: c:\windows\system32\250z3not-a5vi9us17e.exe
file zipped: c:\windows\system32\25399not-a-vi5us4d3z.dll
file zipped: c:\windows\system32\30349virus659z.exe
file zipped: c:\windows\system32\30938not-azvirus5255.bin
file zipped: c:\windows\system32\30aa9ownlzader13955.dll
file zipped: c:\windows\system32\31416zor5697.exe
file zipped: c:\windows\system32\319955zy4a.exe
file zipped: c:\windows\system32\3199zpambot553.dll
file zipped: c:\windows\system32\346espywarz5956.bin
file zipped: c:\windows\system32\351fsp5rse51z9.dll
file zipped: c:\windows\system32\3605b9ckdoorz7.dll
file zipped: c:\windows\system32\382b5ownlozder9408.exe
file zipped: c:\windows\system32\3897ste9l3225z.bin
file zipped: c:\windows\system32\3990virusz5.dll
file zipped: c:\windows\system32\3z43st95l695.bin
file zipped: c:\windows\system32\45deba9kdoor85z.exe
file zipped: c:\windows\system32\492azdd5are423.exe
file zipped: c:\windows\system32\499cadd5arz3033.exe
file zipped: c:\windows\system32\4b4c9teal9z5.dll
file zipped: c:\windows\system32\4c6fszyw9re520.dll
file zipped: c:\windows\system32\4z85worm398.bin
file zipped: c:\windows\system32\51098zirus66a.bin
file zipped: c:\windows\system32\51978spy19z.bin
file zipped: c:\windows\system32\5372worm59z.exe
file zipped: c:\windows\system32\55a1download951z65.exe
file zipped: c:\windows\system32\55cdthreat2907z.dll
file zipped: c:\windows\system32\5685roj7zd9.bin
file zipped: c:\windows\system32\5871backd59r2z48.dll
file zipped: c:\windows\system32\598z7spa9bot2ce.exe
file zipped: c:\windows\system32\5990h5cktool60z.bin
file zipped: c:\windows\system32\5a11sp5w9re66z.exe
file zipped: c:\windows\system32\5c47dowzlo9der1408.dll
file zipped: c:\windows\system32\6033thiez99155.dll
file zipped: c:\windows\system32\6151t9zef2856.bin
file zipped: c:\windows\system32\617zaddwar913975.dll
file zipped: c:\windows\system32\6595vzr1694.exe
file zipped: c:\windows\system32\667cad5war9101z.dll
file zipped: c:\windows\system32\6814bazkd59r135.dll
file zipped: c:\windows\system32\694zthrea591097.exe
file zipped: c:\windows\system32\6b15b5ckdooz919.exe
file zipped: c:\windows\system32\7756back9oor1z88.dll
file zipped: c:\windows\system32\7940vir5z92.bin
file zipped: c:\windows\system32\7ae4ste5l99z5.bin
file zipped: c:\windows\system32\7ez6sp9rse5358.bin
file zipped: c:\windows\system32\7zb9sparse1325.dll
file zipped: c:\windows\system32\90756spambot35z5.exe
file zipped: c:\windows\system32\91071tr5z18.bin
file zipped: c:\windows\system32\946edowzloa5er1712.exe
file zipped: c:\windows\system32\95651not-a-vzrus59e.bin
file zipped: c:\windows\system32\98057woz56a.dll
file zipped: c:\windows\system32\9991not5a-virus5eez.bin
file zipped: c:\windows\system32\9z49s5eal2916.bin
file zipped: c:\windows\system32\aze9teal3540.dll
file zipped: c:\windows\system32\e1zthief13859.dll
file zipped: c:\windows\system32\z297spy6d95.dll
file zipped: c:\windows\system32\z56espy5are9748.bin
file zipped: c:\windows\system32\z5b25py9are1409.exe
file zipped: c:\windows\system32\z954threat25082.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\1694zs5y2.bin
c:\windows\system32\17153zot-a-virus3229.ocx
c:\windows\system32\17666spamb5t99z.bin
c:\windows\system32\17z915acktoo94b5.cpl
c:\windows\system32\18304not-a-zir5s859.bin
c:\windows\system32\1905z95ware777.bin
c:\windows\system32\190z3vir5s2639.ocx
c:\windows\system32\191205zt-a-virus1d6.dll
c:\windows\system32\19152z9yeb.ocx
c:\windows\system32\19198not-a-zirus652.bin
c:\windows\system32\19255tzoj225.cpl
c:\windows\system32\19328spam5oz29.dll
c:\windows\system32\193fv5r2238z.cpl
c:\windows\system32\195559orm7zf.exe
c:\windows\system32\19701w5rm2zf.bin
c:\windows\system32\197z5troj38b.dll
c:\windows\system32\197zt5o92b2.ocx
c:\windows\system32\19899sp9mbz52ad.cpl
c:\windows\system32\19907vi5uz4e9.ocx
c:\windows\system32\19dt5reat3063z.ocx
c:\windows\system32\19z59hacktool33d9.cpl
c:\windows\system32\19z959roj3f1.cpl
c:\windows\system32\1b8caddw9ze1185.dll
c:\windows\system32\1c205hi9f59z.exe
c:\windows\system32\1c8aaz5ware2905.ocx
c:\windows\system32\1cc4azdware29645.bin
c:\windows\system32\1d4cstealz591.dll
c:\windows\system32\1dz4b9ckdoor559.exe
c:\windows\system32\1f3v9z1895.dll
c:\windows\system32\1fde5t9az241.bin
c:\windows\system32\1z450spambot595.dll
c:\windows\system32\1z498s5y4d.bin
c:\windows\system32\1z4et5ief9066.exe
c:\windows\system32\1z59sp52129.dll
c:\windows\system32\1z9cth9ef18645.cpl
c:\windows\system32\2006v9rus265z.bin
c:\windows\system32\20109not-a-5izus6f4.ocx
c:\windows\system32\20130v5rz938e.ocx
c:\windows\system32\2053not-5-virzs6c9.cpl
c:\windows\system32\2085szy49b.bin
c:\windows\system32\21154hackto9z235.bin
c:\windows\system32\21215notza-virus5995.ocx
c:\windows\system32\21549tr9j3z5.ocx
c:\windows\system32\21865vizus9e1.dll
c:\windows\system32\21995h9eaz20087.bin
c:\windows\system32\21e5s9ealz357.ocx
c:\windows\system32\21z50spy49d.exe
c:\windows\system32\22054tz9j6325.exe
c:\windows\system32\22760hz5k9ool7f.ocx
c:\windows\system32\22azst5al599.ocx
c:\windows\system32\22z75spamb9t5ac.cpl
c:\windows\system32\23009zpambot5b49.dll
c:\windows\system32\2324downlozde59994.cpl
c:\windows\system32\23b6steaz91915.cpl
c:\windows\system32\2417doznloade53980.exe
c:\windows\system32\2419ztroj35e.cpl
c:\windows\system32\24645paz9e2807.bin
c:\windows\system32\24796wo595zd.dll
c:\windows\system32\24956zroj595.exe
c:\windows\system32\250z3not-a5vi9us17e.exe
c:\windows\system32\25191w5zm76a.exe
c:\windows\system32\25399not-a-vi5us4d3z.dll
c:\windows\system32\254fbackdoor596z.dll
c:\windows\system32\2556zhr5at12989.ocx
c:\windows\system32\255dthze92717.bin
c:\windows\system32\25698hzcktoo956b.dll
c:\windows\system32\25781notz5-virus44d9.cpl
c:\windows\system32\2589zhacktool7c2.ocx
c:\windows\system32\259z5hacktool669.bin
c:\windows\system32\25a3thrzat97971.cpl
c:\windows\system32\25abszarse14589.cpl
c:\windows\system32\25d6th9ea520132z.cpl
c:\windows\system32\25z15vir9s96.dll
c:\windows\system32\25z55spa5bo97ec.dll
c:\windows\system32\261bth5eatz04369.ocx
c:\windows\system32\26275trzj789.ocx
c:\windows\system32\2652zpa9se1288.cpl
c:\windows\system32\270bbackdzor5960.ocx
c:\windows\system32\274199irz5668.bin
c:\windows\system32\282z7sp5m9ot22a.cpl
c:\windows\system32\28509z5y5b9.ocx
c:\windows\system32\288z0vi5us969.exe
c:\windows\system32\28e5b5c9door65z.ocx
c:\windows\system32\295389irzs5ce.bin
c:\windows\system32\29571s9yzc2.bin
c:\windows\system32\29895wozm127.bin
c:\windows\system32\29z62hacktool795.exe
c:\windows\system32\2ab8ste592z8.ocx
c:\windows\system32\2c67dzwnloa5er30809.cpl
c:\windows\system32\2e75bac5doorz149.dll
c:\windows\system32\2z359troj557.ocx
c:\windows\system32\2z559wo5m129.exe
c:\windows\system32\2z56859rm6a9.bin
c:\windows\system32\2z905ac9door3246.ocx
c:\windows\system32\2z956v5rus6fe9.ocx
c:\windows\system32\30349virus659z.exe
c:\windows\system32\308cth9eat3z3985.bin
c:\windows\system32\30938not-azvirus5255.bin
c:\windows\system32\30aa9ownlzader13955.dll
c:\windows\system32\30dethie5999z.dll
c:\windows\system32\31416zor5697.exe
c:\windows\system32\31534szy959.dll
c:\windows\system32\319955zy4a.exe
c:\windows\system32\3199zpambot553.dll
c:\windows\system32\31a39ir30z5.cpl
c:\windows\system32\31z3t5re9t25208.exe
c:\windows\system32\32300n9t-a-5izus95.ocx
c:\windows\system32\32451z9rm5a4.ocx
c:\windows\system32\3335spzmb9t3b7.dll
c:\windows\system32\3357zirus429.bin
c:\windows\system32\346espywarz5956.bin
c:\windows\system32\35011wo9z390.bin
c:\windows\system32\351b5ddwa9ez143.bin
c:\windows\system32\351fsp5rse51z9.dll
c:\windows\system32\3529a5dwarez049.cpl
c:\windows\system32\35545owzloader972.cpl
c:\windows\system32\35za9ownl5ader1093.cpl
c:\windows\system32\3605b9ckdoorz7.dll
c:\windows\system32\3654thr9at1z153.bin
c:\windows\system32\382b5ownlozder9408.exe
c:\windows\system32\3897ste9l3225z.bin
c:\windows\system32\38e8spy9zre35.ocx
c:\windows\system32\3944b5ck9ooz1838.cpl
c:\windows\system32\3958zddware1303.cpl
c:\windows\system32\396fvi5229z.bin
c:\windows\system32\3990virusz5.dll
c:\windows\system32\39942s5y1zb.bin
c:\windows\system32\3b89s5ywarz2297.ocx
c:\windows\system32\3c449parsez715.cpl
c:\windows\system32\3c51zack9oor645.dll
c:\windows\system32\3d9bviz592.exe
c:\windows\system32\3z43st95l695.bin
c:\windows\system32\4110sparse1509z.ocx
c:\windows\system32\412zbac5door394.ocx
c:\windows\system32\42cdsp9wzre950.exe
c:\windows\system32\4397downlzade51967.cpl
c:\windows\system32\43b55tezl2679.cpl
c:\windows\system32\445d5hiez2895.bin
c:\windows\system32\450fba9zdoor2439.exe
c:\windows\system32\454dsparze6769.cpl
c:\windows\system32\4580backdoor299z.exe
c:\windows\system32\45deba9kdoor85z.exe
c:\windows\system32\4640vizus5409.exe
c:\windows\system32\47eabzck5oo91393.dll
c:\windows\system32\4908thi5f3z52.exe
c:\windows\system32\492azdd5are423.exe
c:\windows\system32\4935spa5se1z48.cpl
c:\windows\system32\4972thiz5153.dll
c:\windows\system32\499cadd5arz3033.exe
c:\windows\system32\4a7595zkdoor2973.exe
c:\windows\system32\4b49z5wnloader2218.cpl
c:\windows\system32\4b4c9teal9z5.dll
c:\windows\system32\4c6fszyw9re520.dll
c:\windows\system32\4d04thr9atz2552.dll
c:\windows\system32\4d295z2938.exe
c:\windows\system32\4d90szywa9e1675.exe
c:\windows\system32\4f03th9eat28519z.bin
c:\windows\system32\4z62add9are1592.ocx
c:\windows\system32\4z85worm398.bin
c:\windows\system32\50603vizus2d69.cpl
c:\windows\system32\50efspa5s9372z.bin
c:\windows\system32\51098zirus66a.bin
c:\windows\system32\5130zs9y436.cpl
c:\windows\system32\51639pamboz79a.ocx
c:\windows\system32\51978spy19z.bin
c:\windows\system32\51deszyware52549.bin
c:\windows\system32\52119vir9saz.cpl
c:\windows\system32\52381not-9-viruszdc.dll
c:\windows\system32\5241trojz495.cpl
c:\windows\system32\5331thie9z746.bin
c:\windows\system32\536zvir5189.exe
c:\windows\system32\5372worm59z.exe
c:\windows\system32\549939irus2zf.ocx
c:\windows\system32\54z95spy71.dll
c:\windows\system32\5543vi915z7.cpl
c:\windows\system32\55791worm10z.exe
c:\windows\system32\5595threzt206799.ocx
c:\windows\system32\55a1download951z65.exe
c:\windows\system32\55cdthreat2907z.dll
c:\windows\system32\55fbaddwarez5809.exe
c:\windows\system32\55fzir13809.bin
c:\windows\system32\5609z9y407.ocx
c:\windows\system32\565z9re5t6097.ocx
c:\windows\system32\5685roj7zd9.bin
c:\windows\system32\56z8hacktoo93e4.cpl
c:\windows\system32\5762hac9to5l124z.ocx
c:\windows\system32\58462not-a-vir9s6zf.dll
c:\windows\system32\5871backd59r2z48.dll
c:\windows\system32\58a9thie5z79.cpl
c:\windows\system32\5900threaz8157.ocx
c:\windows\system32\5904hzcktool759.exe
c:\windows\system32\5910spyzef5.exe
c:\windows\system32\59574troj2b5z.cpl
c:\windows\system32\596z1spy4b.bin
c:\windows\system32\5989worm3a8z.cpl
c:\windows\system32\598z7spa9bot2ce.exe
c:\windows\system32\5990h5cktool60z.bin
c:\windows\system32\599evzr5045.cpl
c:\windows\system32\599zwormb5.exe
c:\windows\system32\5a11sp5w9re66z.exe
c:\windows\system32\5a99thief5z5.dll
c:\windows\system32\5acbackzoo51179.cpl
c:\windows\system32\5b79dow9zoader2371.cpl
c:\windows\system32\5c47dowzlo9der1408.dll
c:\windows\system32\5e4asparse28z29.dll
c:\windows\system32\5e5zsp9rse914.exe
c:\windows\system32\5e819ir2108z.cpl
c:\windows\system32\5f25dow9zoader415.bin
c:\windows\system32\5f57backdoo9z966.ocx
c:\windows\system32\5f8zthi9f5463.ocx
c:\windows\system32\5z59threat633.exe
c:\windows\system32\5z5downl5ade9322.cpl
c:\windows\system32\6033thiez99155.dll
c:\windows\system32\60f9spywa5e1z14.exe
c:\windows\system32\6151t9zef2856.bin
c:\windows\system32\617zaddwar913975.dll
c:\windows\system32\6203dow5zo9der1508.bin
c:\windows\system32\63bspy5aze2958.cpl
c:\windows\system32\6583threat23z39.ocx
c:\windows\system32\6595vzr1694.exe
c:\windows\system32\65e7thr9at260z.cpl
c:\windows\system32\667cad5war9101z.dll
c:\windows\system32\66n5t-a-zirus39d.exe
c:\windows\system32\67115zeal2729.ocx
c:\windows\system32\679bvirz053.cpl
c:\windows\system32\6814bazkd59r135.dll
c:\windows\system32\687dd5wzloader997.ocx
c:\windows\system32\6945steaz5895.ocx
c:\windows\system32\694zthrea591097.exe
c:\windows\system32\6968z5oj1d7.bin
c:\windows\system32\6975downz5ader1675.cpl
c:\windows\system32\69a5zpyware785.ocx
c:\windows\system32\69c9do5nloadez616.exe
c:\windows\system32\6az5th9ef2724.exe
c:\windows\system32\6b15b5ckdooz919.exe
c:\windows\system32\6dbeaddzar98625.ocx
c:\windows\system32\6ea2a9dware52z3.ocx
c:\windows\system32\6ez6backdoo9585.ocx
c:\windows\system32\6z12s5a9se1647.bin
c:\windows\system32\6z5bdownloader21599.bin
c:\windows\system32\7085woz9574.dll
c:\windows\system32\7285vir911z.bin
c:\windows\system32\737zspambo5191.ocx
c:\windows\system32\7609vi5u9735z.cpl
c:\windows\system32\76fzadd9are5075.cpl
c:\windows\system32\7756back9oor1z88.dll
c:\windows\system32\78z3spy5a9e583.cpl
c:\windows\system32\7932sparse179z5.dll
c:\windows\system32\7940vir5z92.bin
c:\windows\system32\794athz9f52.bin
c:\windows\system32\795cs5arze762.exe
c:\windows\system32\7a0ed5wnlzade91968.bin
c:\windows\system32\7ae4ste5l99z5.bin
c:\windows\system32\7b20s95rse770z.cpl
c:\windows\system32\7b39ac5door51z.ocx
c:\windows\system32\7bedzo9nloade51551.ocx
c:\windows\system32\7c579hrzat272.bin
c:\windows\system32\7dz95ir2124.exe
c:\windows\system32\7ez6sp9rse5358.bin
c:\windows\system32\7zb9sparse1325.dll
c:\windows\system32\8445spamb95z70.cpl
c:\windows\system32\8528ha5ktooz4239.cpl
c:\windows\system32\856vir2961z.cpl
c:\windows\system32\8645spaz9ot266.exe
c:\windows\system32\8z75worm976.cpl
c:\windows\system32\90375spam5otze6.cpl
c:\windows\system32\9045zworm504.ocx
c:\windows\system32\9050zspy71.cpl
c:\windows\system32\90756spambot35z5.exe
c:\windows\system32\9095szeal705.cpl
c:\windows\system32\91071tr5z18.bin
c:\windows\system32\9133doznloader27825.exe
c:\windows\system32\9141zvi5us6da.ocx
c:\windows\system32\919i5us36z.ocx
c:\windows\system32\92286tzoj555.ocx
c:\windows\system32\92833hackzool1885.cpl
c:\windows\system32\9301not5azvirus787.ocx
c:\windows\system32\9358spywarez23.cpl
c:\windows\system32\946edowzloa5er1712.exe
c:\windows\system32\95651not-a-vzrus59e.bin
c:\windows\system32\95zadd9are255.cpl
c:\windows\system32\962z9virus555.cpl
c:\windows\system32\9655troz261.dll
c:\windows\system32\9665zhreat25366.dll
c:\windows\system32\98057woz56a.dll
c:\windows\system32\9858s5z7bb.cpl
c:\windows\system32\986cvir545z.dll
c:\windows\system32\98z92v5rus14.ocx
c:\windows\system32\99075pambot1a8z.bin
c:\windows\system32\9924w5rmzdc9.ocx
c:\windows\system32\9956spy6z5.bin
c:\windows\system32\9991not5a-virus5eez.bin
c:\windows\system32\9995vz5us91f.dll
c:\windows\system32\99z5not5a-viru9565.cpl
c:\windows\system32\9c2backdooz5709.dll
c:\windows\system32\9ccspy5ar91594z.cpl
c:\windows\system32\9ce0threzt5596.exe
c:\windows\system32\9ddownlozder2459.dll
c:\windows\system32\9fcespyzar51020.exe
c:\windows\system32\9z18sp916a5.ocx
c:\windows\system32\9z49s5eal2916.bin
c:\windows\system32\9z62ad5ware769.ocx
c:\windows\system32\a15doznloa95r2704.bin
c:\windows\system32\a22zhreat295995.cpl
c:\windows\system32\af95parsez43.ocx
c:\windows\system32\aze9teal3540.dll
c:\windows\system32\b08spars593z5.cpl
c:\windows\system32\b85viz21109.ocx
c:\windows\system32\c85t9reat53z2.bin
c:\windows\system32\e11downlo9dzr595.bin
c:\windows\system32\e1zthief13859.dll
c:\windows\system32\z0097no5-a-virus5df.ocx
c:\windows\system32\z05cv9r1263.ocx
c:\windows\system32\z0aestea520749.exe
c:\windows\system32\z0be9pywar5238.bin
c:\windows\system32\z1064not-9-virus6375.bin
c:\windows\system32\z1c6do5n9oader435.ocx
c:\windows\system32\z297spy6d95.dll
c:\windows\system32\z2a5down9oader591.exe
c:\windows\system32\z3f29ddw5re1019.bin
c:\windows\system32\z56espy5are9748.bin
c:\windows\system32\z5b25py9are1409.exe
c:\windows\system32\z763steal92185.ocx
c:\windows\system32\z851s5y987.ocx
c:\windows\system32\z904dow9load5r1143.cpl
c:\windows\system32\z909virus3bd5.dll
c:\windows\system32\z9345irus696.dll
c:\windows\system32\z9399virus155.cpl
c:\windows\system32\z954threat25082.dll
c:\windows\system32\z977spy592.dll
c:\windows\system32\z9798not-a-viru599b.exe
c:\windows\system32\z995vir615.exe
c:\windows\system32\zc05downloa9er2998.cpl
c:\windows\system32\zdeea9dwar5566.bin
c:\windows\system32\zee69hi5f2883.exe
c:\windows\system32\zf9dthreat28952.exe
c:\windows\VGhlYQ
c:\windows\VGhlYQ\p315sk.vbs

.
((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-31 )))))))))))))))))))))))))))))))
.

2009-07-31 23:44 . 2009-07-31 23:44 -------- d-----w- c:\users\Thea\AppData\Local\temp
2009-07-31 23:26 . 2009-07-31 23:26 -------- d-----w- c:\users\Thea\AppData\Roaming\AVG8
2009-07-27 13:13 . 2009-07-27 13:10 -------- d-----w- c:\program files\Trend Micro
2009-07-24 21:01 . 2009-07-24 21:04 -------- d-----w- c:\windows\system32\ca-ES
2009-07-24 21:01 . 2009-07-24 21:04 -------- d-----w- c:\windows\system32\eu-ES
2009-07-24 21:01 . 2009-07-24 21:04 -------- d-----w- c:\windows\system32\vi-VN
2009-07-24 20:26 . 2009-07-27 13:11 -------- d-----w- c:\programdata\Lavasoft
2009-07-24 20:20 . 2009-07-24 20:20 -------- d-----w- c:\windows\system32\EventProviders
2009-07-24 20:17 . 2009-04-11 06:28 351744 ----a-w- c:\windows\system32\mssph.dll
2009-07-24 20:16 . 2009-04-11 06:32 122344 ----a-w- c:\windows\system32\drivers\Storport.sys
2009-07-24 20:15 . 2009-04-11 06:22 7168 ----a-w- c:\windows\system32\f3ahvoas.dll
2009-07-24 20:11 . 2009-07-24 20:11 6144 ----a-w- c:\programdata\Spyware Terminator\sp_rsdel.exe
2009-07-24 20:11 . 2009-07-24 20:11 5632 ----a-w- c:\programdata\Spyware Terminator\fileobjinfo.sys
2009-07-24 20:11 . 2009-07-24 20:11 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-07-24 20:11 . 2009-07-27 13:19 -------- d-----w- c:\users\Thea\AppData\Roaming\Spyware Terminator
2009-07-24 20:11 . 2009-07-27 20:29 -------- d-----w- c:\programdata\Spyware Terminator
2009-07-24 20:11 . 2009-07-27 13:20 -------- d-----w- c:\program files\Spyware Terminator
2009-07-24 19:11 . 2009-07-31 23:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-24 18:47 . 2009-07-24 18:47 -------- d-----w- c:\users\Thea\AppData\Roaming\IObit
2009-07-24 18:47 . 2009-07-24 18:47 -------- d-----w- c:\program files\IObit
2009-07-24 18:42 . 2009-07-24 18:42 -------- d-----w- c:\programdata\WindowsSearch
2009-07-24 16:06 . 2009-04-21 11:39 2034688 ----a-w- c:\windows\system32\win32k.sys
2009-07-24 16:06 . 2009-06-15 14:53 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-07-24 16:06 . 2009-06-15 14:52 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-07-24 16:06 . 2009-06-15 12:42 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-07-24 16:06 . 2009-06-15 14:52 23552 ----a-w- c:\windows\system32\lpk.dll
2009-07-24 16:06 . 2009-06-15 14:51 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-07-24 16:06 . 2009-04-11 06:28 34304 ----a-w- c:\windows\system32\atmlib.dll
2009-07-24 16:05 . 2009-04-23 12:14 623616 ----a-w- c:\windows\system32\localspl.dll
2009-07-24 16:05 . 2009-04-23 12:15 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-07-24 15:51 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-07-23 19:14 . 2009-07-23 19:13 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-23 19:13 . 2009-07-23 19:13 -------- d-----w- c:\programdata\McAfee
2009-07-23 18:49 . 2009-07-23 18:45 -------- d-----w- c:\program files\Google
2009-07-23 18:45 . 2009-07-23 18:45 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-23 18:41 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-07-23 18:41 . 2009-03-19 21:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-07-23 18:40 . 2009-07-23 18:41 -------- d-----w- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-23 18:36 . 2009-07-23 18:37 -------- d-----w- c:\program files\QuickTime
2009-07-13 19:22 . 2009-07-13 19:22 75048 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-31 23:24 . 2008-09-20 15:45 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-07-31 23:24 . 2006-12-27 16:55 12 ----a-w- c:\windows\bthservsdp.dat
2009-07-31 23:16 . 2008-09-20 15:15 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-27 20:37 . 2008-07-04 10:22 1356 ----a-w- c:\users\Thea\AppData\Local\d3d9caps.dat
2009-07-27 13:10 . 2008-09-20 16:10 -------- d-----w- c:\program files\SpywareBlaster
2009-07-24 21:40 . 2006-11-02 12:35 37665 ----a-w- c:\windows\Fonts\GlobalUserInterface.CompositeFont
2009-07-24 21:05 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Calendar
2009-07-24 21:05 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-07-24 21:05 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Sidebar
2009-07-24 21:05 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Photo Gallery
2009-07-24 21:05 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Defender
2009-07-24 21:01 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-07-24 18:50 . 2006-12-27 18:16 -------- d-----w- c:\program files\Java
2009-07-24 16:34 . 2007-05-28 20:14 96192 ----a-w- c:\users\Thea\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-24 16:02 . 2006-12-27 17:40 -------- d-----w- c:\programdata\Microsoft Help
2009-07-24 15:41 . 2006-12-27 17:38 -------- d-----w- c:\program files\Microsoft Works
2009-07-23 18:41 . 2008-09-23 08:11 -------- d-----w- c:\program files\iTunes
2009-07-23 18:41 . 2008-09-23 08:11 -------- d-----w- c:\program files\iPod
2009-07-23 18:41 . 2008-09-20 20:14 -------- d-----w- c:\program files\Common Files\Apple
2009-07-23 18:37 . 2008-09-23 08:09 -------- d-----w- c:\program files\Bonjour
2009-07-21 21:52 . 2009-07-31 23:37 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-31 23:37 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-31 23:37 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-31 23:37 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-13 19:36 . 2008-09-21 20:57 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 19:36 . 2008-09-21 20:57 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-07-31_23.17.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-31 23:23 . 2009-07-31 23:23 97280 c:\windows\winsxs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d1c738ec43578ea1\ATL80.dll
+ 2009-07-31 23:37 . 2009-07-22 05:58 71680 c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_8.0.6001.22903_none_a94676798d617013\iesetup.dll
+ 2009-07-31 23:37 . 2009-07-22 05:58 55808 c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_8.0.6001.22903_none_a94676798d617013\iernonce.dll
+ 2009-07-31 23:37 . 2009-07-21 21:47 71680 c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_8.0.6001.18813_none_a8b209c2744bec3a\iesetup.dll
+ 2009-07-31 23:37 . 2009-07-21 21:47 55808 c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_8.0.6001.18813_none_a8b209c2744bec3a\iernonce.dll
+ 2009-07-31 23:37 . 2009-07-22 04:26 13312 c:\windows\winsxs\x86_microsoft-windows-ie-feedsbs_31bf3856ad364e35_8.0.6001.22903_none_dfc3b05f09aa2a6a\msfeedssync.exe
+ 2009-07-31 23:37 . 2009-07-22 05:59 55296 c:\windows\winsxs\x86_microsoft-windows-ie-feedsbs_31bf3856ad364e35_8.0.6001.22903_none_dfc3b05f09aa2a6a\msfeedsbs.dll
+ 2009-07-31 23:37 . 2009-07-21 20:13 13312 c:\windows\winsxs\x86_microsoft-windows-ie-feedsbs_31bf3856ad364e35_8.0.6001.18813_none_df2f43a7f094a691\msfeedssync.exe
+ 2009-07-31 23:37 . 2009-07-21 21:48 55296 c:\windows\winsxs\x86_microsoft-windows-ie-feedsbs_31bf3856ad364e35_8.0.6001.18813_none_df2f43a7f094a691\msfeedsbs.dll
+ 2009-07-31 23:37 . 2009-07-22 06:03 64512 c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_8.0.6001.22903_none_e55eb4d2d0bb388b\WininetPlugin.dll
+ 2009-07-31 23:37 . 2009-07-22 05:58 25600 c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_8.0.6001.22903_none_e55eb4d2d0bb388b\jsproxy.dll
+ 2009-07-31 23:37 . 2009-07-21 21:52 64512 c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_8.0.6001.18813_none_e4ca481bb7a5b4b2\WininetPlugin.dll
+ 2009-07-31 23:37 . 2009-07-21 21:47 25600 c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_8.0.6001.18813_none_e4ca481bb7a5b4b2\jsproxy.dll
+ 2006-11-02 13:02 . 2009-07-31 23:19 60888 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-05-28 20:03 . 2009-07-31 23:19 15558 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3895441010-3899080723-1055044066-1000_UserData.bin
+ 2009-07-31 23:37 . 2009-07-21 20:13 13312 c:\windows\System32\msfeedssync.exe
- 2009-07-24 15:46 . 2009-03-08 11:31 13312 c:\windows\System32\msfeedssync.exe
- 2009-07-24 15:46 . 2009-03-08 11:31 55296 c:\windows\System32\msfeedsbs.dll
+ 2009-07-31 23:37 . 2009-07-21 21:48 55296 c:\windows\System32\msfeedsbs.dll
- 2009-07-24 15:49 . 2009-05-09 05:50 64512 c:\windows\System32\migration\WininetPlugin.dll
+ 2009-07-31 23:37 . 2009-07-21 21:52 64512 c:\windows\System32\migration\WininetPlugin.dll
- 2009-07-24 15:49 . 2009-05-09 05:35 25600 c:\windows\System32\jsproxy.dll
+ 2009-07-31 23:37 . 2009-07-21 21:47 25600 c:\windows\System32\jsproxy.dll
+ 2009-07-31 23:37 . 2009-07-21 21:47 55808 c:\windows\System32\iernonce.dll
- 2009-07-24 15:49 . 2009-05-09 05:34 55808 c:\windows\System32\iernonce.dll
+ 2008-09-18 02:10 . 2008-01-19 05:49 15872 c:\windows\System32\drivers\mouhid.sys
- 2006-11-02 08:51 . 2006-11-02 08:51 15872 c:\windows\System32\drivers\mouhid.sys
+ 2009-07-24 20:16 . 2009-04-11 04:42 12800 c:\windows\System32\drivers\hidusb.sys
+ 2008-09-18 02:09 . 2008-01-19 05:53 25472 c:\windows\System32\drivers\hidparse.sys
- 2006-11-02 08:55 . 2006-11-02 08:55 25472 c:\windows\System32\drivers\hidparse.sys
+ 2009-07-24 20:16 . 2009-04-11 04:42 39424 c:\windows\System32\drivers\hidclass.sys
- 2007-05-28 20:12 . 2009-07-27 20:34 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-05-28 20:12 . 2009-07-31 23:31 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-05-28 20:12 . 2009-07-27 20:34 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-05-28 20:12 . 2009-07-31 23:31 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-05-28 20:12 . 2009-07-31 23:31 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-05-28 20:12 . 2009-07-27 20:34 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-31 23:17 . 2009-07-31 23:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-07-31 23:17 . 2009-07-31 23:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-31 23:37 . 2009-07-22 05:58 164352 c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_8.0.6001.22903_none_48182df4dd072fee\ieui.dll
+ 2009-07-31 23:37 . 2009-07-21 21:47 164352 c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_8.0.6001.18813_none_4783c13dc3f1ac15\ieui.dll
+ 2009-07-31 23:37 . 2009-07-22 05:58 109056 c:\windows\winsxs\x86_microsoft-windows-ie-sysprep_31bf3856ad364e35_8.0.6001.22903_none_ff07db25e8e4acd8\iesysprep.dll
+ 2009-07-31 23:37 . 2009-07-21 21:47 109056 c:\windows\winsxs\x86_microsoft-windows-ie-sysprep_31bf3856ad364e35_8.0.6001.18813_none_fe736e6ecfcf28ff\iesysprep.dll
+ 2009-07-31 23:37 . 2009-07-22 04:27 173056 c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_8.0.6001.22903_none_a94676798d617013\ie4uinit.exe
+ 2009-07-31 23:37 . 2009-07-21 20:13 173056 c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_8.0.6001.18813_none_a8b209c2744bec3a\ie4uinit.exe
+ 2009-07-31 23:37 . 2009-07-22 06:02 129536 c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_8.0.6001.22903_none_2b196baebb6c56e8\sqmapi.dll
+ 2009-07-31 23:37 . 2009-07-21 21:51 129536 c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_8.0.6001.18813_none_2a84fef7a256d30f\sqmapi.dll
+ 2009-07-31 23:37 . 2009-07-22 06:01 206848 c:\windows\winsxs\x86_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_8.0.6001.22903_none_1a9c2981430b3c56\occache.dll
+ 2009-07-31 23:37 . 2009-07-21 21:50 206848 c:\windows\winsxs\x86_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_8.0.6001.18813_none_1a07bcca29f5b87d\occache.dll
+ 2009-07-31 23:37 . 2009-07-22 06:04 638232 c:\windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.22903_none_12d7c15e48e6a76e\iexplore.exe
+ 2009-07-31 23:37 . 2009-07-22 04:27 133632 c:\windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.22903_none_12d7c15e48e6a76e\ieUnatt.exe
+ 2009-07-31 23:37 . 2009-07-21 21:53 638216 c:\windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18813_none_124354a72fd12395\iexplore.exe
+ 2009-07-31 23:37 . 2009-07-21 20:13 133632 c:\windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18813_none_124354a72fd12395\ieUnatt.exe
+ 2009-07-31 23:37 . 2009-07-22 05:58 197632 c:\windows\winsxs\x86_microsoft-windows-ie-ieshims_31bf3856ad364e35_8.0.6001.22903_none_2b02f14ac9212978\IEShims.dll
+ 2009-07-31 23:37 . 2009-07-21 21:47 197632 c:\windows\winsxs\x86_microsoft-windows-ie-ieshims_31bf3856ad364e35_8.0.6001.18813_none_2a6e8493b00ba59f\IEShims.dll
+ 2009-07-31 23:37 . 2009-07-22 05:58 246272 c:\windows\winsxs\x86_microsoft-windows-ie-ieproxy_31bf3856ad364e35_8.0.6001.22903_none_73a4a5b47978c30a\ieproxy.dll
+ 2009-07-31 23:37 . 2009-07-21 21:47 246272 c:\windows\winsxs\x86_microsoft-windows-ie-ieproxy_31bf3856ad364e35_8.0.6001.18813_none_731038fd60633f31\ieproxy.dll
+ 2009-07-31 23:37 . 2009-07-22 05:59 594432 c:\windows\winsxs\x86_microsoft-windows-ie-feeds-platform_31bf3856ad364e35_8.0.6001.22903_none_435c4ba1695e8b43\msfeeds.dll
+ 2009-07-31 23:37 . 2009-07-21 21:48 594432 c:\windows\winsxs\x86_microsoft-windows-ie-feeds-platform_31bf3856ad364e35_8.0.6001.18813_none_42c7deea5049076a\msfeeds.dll
+ 2009-07-31 23:37 . 2009-07-22 05:58 184320 c:\windows\winsxs\x86_microsoft-windows-ie-behaviors_31bf3856ad364e35_8.0.6001.22903_none_2039460420f600ed\iepeers.dll
+ 2009-07-31 23:37 . 2009-07-21 21:47 184320 c:\windows\winsxs\x86_microsoft-windows-ie-behaviors_31bf3856ad364e35_8.0.6001.18813_none_1fa4d94d07e07d14\iepeers.dll
+ 2009-07-31 23:37 . 2009-07-22 05:58 386048 c:\windows\winsxs\x86_microsoft-windows-ie-adminkitbranding_31bf3856ad364e35_8.0.6001.22903_none_57c62dce86655952\iedkcs32.dll
+ 2009-07-31 23:37 . 2009-07-21 21:47 386048 c:\windows\winsxs\x86_microsoft-windows-ie-adminkitbranding_31bf3856ad364e35_8.0.6001.18813_none_5731c1176d4fd579\iedkcs32.dll
+ 2009-07-31 23:37 . 2009-07-22 06:03 915456 c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_8.0.6001.22903_none_e55eb4d2d0bb388b\wininet.dll
+ 2009-07-31 23:37 . 2009-07-21 21:52 915456 c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_8.0.6001.18813_none_e4ca481bb7a5b4b2\wininet.dll
+ 2009-07-31 23:37 . 2009-07-21 21:50 206848 c:\windows\System32\occache.dll
+ 2009-07-31 23:37 . 2009-07-21 21:48 594432 c:\windows\System32\msfeeds.dll
- 2009-07-24 15:46 . 2009-03-08 11:32 594432 c:\windows\System32\msfeeds.dll
- 2009-07-24 15:49 . 2009-05-09 05:34 164352 c:\windows\System32\ieui.dll
+ 2009-07-31 23:37 . 2009-07-21 21:47 164352 c:\windows\System32\ieui.dll
+ 2009-07-31 23:37 . 2009-07-21 21:47 184320 c:\windows\System32\iepeers.dll
+ 2009-07-31 23:37 . 2009-07-21 21:47 386048 c:\windows\System32\iedkcs32.dll
- 2009-07-24 15:49 . 2009-05-09 03:36 173056 c:\windows\System32\ie4uinit.exe
+ 2009-07-31 23:37 . 2009-07-21 20:13 173056 c:\windows\System32\ie4uinit.exe
+ 2009-07-24 16:30 . 2009-07-31 23:21 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-07-24 16:30 . 2009-07-27 20:34 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-31 23:23 . 2009-07-31 23:23 248832 c:\windows\Installer\5f57a.msi
+ 2009-07-31 23:37 . 2009-07-22 05:58 1985536 c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_8.0.6001.22903_none_2b196baebb6c56e8\iertutil.dll
+ 2009-07-31 23:37 . 2009-07-21 21:47 1985536 c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_8.0.6001.18813_none_2a84fef7a256d30f\iertutil.dll
+ 2009-07-31 23:37 . 2009-07-22 05:59 5938176 c:\windows\winsxs\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_8.0.6001.22903_none_f6b8d3f15111a1c1\mshtml.dll
+ 2009-07-31 23:37 . 2009-07-21 21:48 5937152 c:\windows\winsxs\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_8.0.6001.18813_none_f624673a37fc1de8\mshtml.dll
+ 2009-07-31 23:37 . 2009-07-22 06:02 1208832 c:\windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_8.0.6001.22903_none_9858d93105b211f8\urlmon.dll
+ 2009-07-31 23:37 . 2009-07-21 21:52 1208832 c:\windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_8.0.6001.18813_none_97c46c79ec9c8e1f\urlmon.dll
+ 2009-07-31 23:37 . 2009-07-21 21:52 1208832 c:\windows\System32\urlmon.dll
+ 2006-11-02 10:22 . 2009-07-31 23:18 6291456 c:\windows\System32\SMI\Store\Machine\schema.dat
- 2006-11-02 10:22 . 2009-07-24 21:26 6291456 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2009-07-31 23:37 . 2009-07-21 21:48 5937152 c:\windows\System32\mshtml.dll
+ 2009-07-31 23:37 . 2009-07-21 21:47 1985536 c:\windows\System32\iertutil.dll
+ 2009-07-31 23:33 . 2009-07-31 23:33 6156288 c:\windows\ERDNT\Hiv-backup\schema.dat
+ 2009-07-31 23:37 . 2009-07-22 05:58 11068416 c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_8.0.6001.22903_none_48182df4dd072fee\ieframe.dll
+ 2009-07-31 23:37 . 2009-07-21 21:47 11067392 c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_8.0.6001.18813_none_4783c13dc3f1ac15\ieframe.dll
+ 2009-07-31 23:37 . 2009-07-21 21:47 11067392 c:\windows\System32\ieframe.dll
+ 2009-07-31 23:24 . 2009-07-31 23:24 15705600 c:\windows\Installer\5f582.msp
+ 2009-07-24 18:33 . 2009-07-31 23:23 183200881 c:\windows\winsxs\ManifestCache\6.0.6002.18005_001c11ba_blobs.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareTerminatorUpdate"="c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe" [2009-07-24 3055616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-11-24 167936]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-11-28 46704]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 317152]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 648072]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-23 148888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]

c:\users\Thea\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\3572475\Program\Compaq Connections.exe [2006-12-27 34520]
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2007-11-20 303104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):14,aa,c4,1b,a3,0c,ca,01

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{24EA3332-175B-45DE-8075-E981D66C1494}"= UDP:c:\program files\HP\QuickPlay\QP.exe:QP
"{6FFF7A56-4D8D-42A7-812B-3F8F692CA5F7}"= TCP:c:\program files\HP\QuickPlay\QP.exe:QP
"{762C8BF0-C943-457D-9A54-E667A4F386E5}"= UDP:c:\program files\Compaq Connections\3572475\Program\Compaq Connections.exe:Compaq Connections
"{0213B23F-F201-47E8-9DC7-458C4F7BE7AE}"= c:\program files\Compaq Connections\3572475\Program\Compaq Connections:Compaq Connections
"{034BAEFA-F887-4B09-9479-E903C50C2FFE}"= UDP:c:\program files\Compaq Connections\3572475\Program\Compaq Connections.exe:Compaq Connections
"{8B415799-1811-4F8A-8541-9A6321AE5D3F}"= TCP:c:\program files\Compaq Connections\3572475\Program\Compaq Connections.exe:Compaq Connections
"{FF13C7B8-91C1-44B0-90DE-C35D865BEBB9}"= UDP:c:\program files\Compaq Connections\3572475\Program\Compaq Connections.exe:Compaq Connections
"{288EE93E-5363-456B-8000-21472609C5CF}"= TCP:c:\program files\Compaq Connections\3572475\Program\Compaq Connections.exe:Compaq Connections
"{6C573B97-25D8-4A8E-808F-40640892C4D6}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{4F29941F-55AA-42F5-A38F-E4BF53A94217}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{E7BC04DB-3748-433F-8D14-0589CF8C111F}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{AD7A7B70-8F1F-4FCB-8F57-2EE31B1ACAAD}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{0A8B46C5-5866-4C3A-BE20-6FBCB0982D8F}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{F0FA5848-E9C5-47E3-AD43-8F68C7981B77}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{0FAD178C-EF62-4A92-9966-19D2EF549067}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{D1469041-50C4-463B-971B-D747EDCE6811}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"TCP Query User{E3152EA2-93F7-42C6-B276-1B25879A045E}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{11E86912-2D2B-438D-AAA4-975E54474A98}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{4A6E3E67-1CCB-49A0-8BD9-1CF5C6E072F5}c:\\program files\\hp games\\jeopardy\\jeopardy!.exe"= UDP:c:\program files\hp games\jeopardy\jeopardy!.exe:JEOPARDY!
"UDP Query User{E7F6439E-3773-4482-A7AA-61A4058B0D05}c:\\program files\\hp games\\jeopardy\\jeopardy!.exe"= TCP:c:\program files\hp games\jeopardy\jeopardy!.exe:JEOPARDY!
"{B9B21548-740C-4C8F-B1F9-8E9212F32B0C}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{21BA1DFB-3B19-4DBF-AE1C-7B49E57EB5F7}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{4E542CF1-AC64-4868-A565-A058E02D6FC2}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{A4A252D0-8B1B-4E8D-AB11-27C794805CBC}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{EEAE341F-5792-41F0-BE49-31D39F50069B}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{D4CA2B34-D9D7-48CE-9506-573465035CBE}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{C47C5989-E746-42D7-8B7C-D84E0B52D94A}c:\\program files\\spyware terminator\\spywareterminatorupdate.exe"= UDP:c:\program files\spyware terminator\spywareterminatorupdate.exe:Crawler Spyware Terminator
"UDP Query User{4A042543-AB95-4D8A-BFD4-E0D13E35BFD7}c:\\program files\\spyware terminator\\spywareterminatorupdate.exe"= TCP:c:\program files\spyware terminator\spywareterminatorupdate.exe:Crawler Spyware Terminator
"{550A3DF6-A99A-4572-B777-63590A237BA7}"= UDP:990:LocalSubnet:LocalSubnet|IF={B71EB6A6-593D-4028-A71F-EEE1E1A10C83}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\System32\drivers\sp_rsdrv2.sys [7/24/2009 3:11 PM 142592]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\System32\drivers\mbamswissarmy.sys [9/21/2008 3:57 PM 38160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-31 c:\windows\Tasks\AutoSmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-07-24 14:22]

2009-08-01 c:\windows\Tasks\User_Feed_Synchronization-{339945D0-7637-4B0E-975C-4C3B43391292}.job
- c:\windows\system32\msfeedssync.exe [2009-07-31 20:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/home.php
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-31 18:44
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3895441010-3899080723-1055044066-1000\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\ActiveSync]
"Name"="ActiveSync"
"DisplayName"="Microsoft ActiveSync"
"Param1"="ActiveSync"
"Type"="wellknown"
"Order"=dword:00000000
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-3895441010-3899080723-1055044066-1000\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\IESettings]
"Name"="IESettings"
"Type"="IESettings"
"Order"=dword:00000003
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-3895441010-3899080723-1055044066-1000\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\MediaFiles]
"Name"="MediaFiles"
"Type"="MediaFiles"
"Order"=dword:00000002
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-3895441010-3899080723-1055044066-1000\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\NPW]
"Name"="NPW"
"Param1"="NPW"
"Type"="wellknown"
"Order"=dword:00000001
"State"=dword:00000013

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-07-31 18:48
ComboFix-quarantined-files.txt 2009-07-31 23:48
ComboFix2.txt 2009-07-31 23:27

Pre-Run: 35,373,350,912 bytes free
Post-Run: 35,170,426,880 bytes free

731 --- E O F --- 2009-07-31 23:24
Upload was successful


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, August 2, 2009
Operating System: Microsoft Windows Vista Home Basic Edition, 32-bit Service Pack 2 (build 6002)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, August 02, 2009 17:13:57
Records in database: 2575398
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 237249
Threat name: 7
Infected objects: 59060
Suspicious objects: 0
Duration of the scan: 04:59:58


File name / Threat name / Threats count
*Most files are like this one*
C:\Users\Thea\!\Abba - Dance (While The Music Still Goes On).mp3 Infected: Trojan-Downloader.WMA.GetCodec.a 1

C:\Qoobox\Quarantine\C\Windows\System32\ESQULmbweupirfptqgaippvbpvdyxraitdthn.dll.vir Infected: Packed.Win32.Tdss.w 1
C:\Qoobox\Quarantine\C\Windows\System32\ESQULnbxkydnwcomprcqkqrnmnbsdmxeqpswr.dll.vir Infected: Packed.Win32.Tdss.w 1
C:\Windows\System32\ithbehlklu.exe Infected: Trojan-Downloader.NSIS.Agent.av 1

The selected area was scanned.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:48:50, on 8/2/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Windows\WindowsMobile\wmdcBase.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/home.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdcBase.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7443 bytes
JPicard
Active Member
 
Posts: 8
Joined: July 27th, 2009, 12:35 pm

Re: Help with malware - HJT Log

Unread postby Bio-Hazard » August 3rd, 2009, 5:59 pm

Hello!

Regarding your music collection, it would be wise to delete ALL the infected files.

Do you still have the Kaspersky scan log?

Are you still using AVG8 as your antivirus program?

----------------------------------------------------------
Please note: Due to the restrictions on Vista, all tools should be started by Right-Click ---> Run As Administrator
----------------------------------------------------------


Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer. Could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform full scan, then click on Scan
  • Leave the default options as they are and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Check (tick) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottommost log is the latest.


Download and run OTM

Download OTM by Old Timer and save it to your Desktop.
  • Double-click OTM.exe to run it.
  • Paste the following code under the Image area. Do not include the word Code.
:Services
CLTNetCnService

:Files
c:\Program Files\Common Files\Symantec Shared
C:\Windows\System32\ithbehlklu.exe

:Commands
[emptytemp]
[Reboot]

  • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Push the large Image button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:
  • Answers to my questions.
  • Malwarebytes' Anti-Malware log
  • OTM log
  • A fresh HijackThis log (after all the above has been done)
  • A description of how your computer is behaving
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK
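
To check an OTM run against the script it was given, here is an added Python example (not OTM's code and not from this forum) that parses the :Services / :Files / :Commands sections of the script above and the "deleted successfully", "moved successfully" and "File move failed" lines of the result log, then reports whether each requested item was actually handled. The sample script and log are constructed from the ones in this thread; the line formats are taken from that log, and the reconciliation logic is this example's own.

```python
"""Cross-check an OTM fix script against the log OTM wrote when it ran.

Added example for this thread; it is not OTM's own code nor anything from
MalwareRemoval.com. It reads the :Services / :Files / :Commands sections of
an OTM script and the 'deleted successfully' / 'moved successfully' /
'File move failed' lines of an OTM result log, then says for each requested
item whether the log confirms it was handled.
"""
import re

# Constructed sample script: the fix script posted in the thread.
OTM_SCRIPT = """\
:Services
CLTNetCnService

:Files
c:\\Program Files\\Common Files\\Symantec Shared
C:\\Windows\\System32\\ithbehlklu.exe

:Commands
[emptytemp]
[Reboot]
"""

# Constructed sample log: trimmed from the thread's OTM log, with one of the
# deferred .tmp moves pulled into the FILES block to exercise the failure path.
OTM_LOG = """\
All processes killed
========== SERVICES/DRIVERS ==========

Service\\Driver CLTNetCnService deleted successfully.
========== FILES ==========
c:\\Program Files\\Common Files\\Symantec Shared\\CCPD-LC moved successfully.
c:\\Program Files\\Common Files\\Symantec Shared moved successfully.
C:\\Windows\\System32\\ithbehlklu.exe moved successfully.
File move failed. C:\\Windows\\System32\\SET1901.tmp scheduled to be moved on reboot.
========== COMMANDS ==========
"""

# Line shapes as they appear in the OTM log above.
SERVICE_DELETED = re.compile(r"^Service\\Driver (\S+) deleted successfully\.$")
FILE_MOVED = re.compile(r"^(.+?) moved successfully\.$")
FILE_DEFERRED = re.compile(r"^File move failed\. (.+?) scheduled to be moved on reboot\.$")


def parse_script(text):
    """Return {section_name: [items]} for every ':Section' header in an OTM script."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_log(text):
    """Return {'services': {name: status}, 'files': {path: status}} from an OTM log.

    Names and paths are lower-cased so they compare case-insensitively, as NTFS does.
    """
    found = {"services": {}, "files": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVICE_DELETED.match(line)
        if m:
            found["services"][m.group(1).lower()] = "deleted"
            continue
        m = FILE_MOVED.match(line)
        if m:
            found["files"][m.group(1).lower()] = "moved"
            continue
        m = FILE_DEFERRED.match(line)
        if m:
            found["files"][m.group(1).lower()] = "deferred to reboot"
    return found


def reconcile(script_text, log_text):
    """Map each service and file the script asked for to what the log says about it.

    'unreported' means the log never mentions the item, which is the case a helper
    reading the log should follow up on (typo in the path, file already gone, or
    OTM never reached that section).
    """
    script = parse_script(script_text)
    log = parse_log(log_text)
    report = {}
    for name in script.get("services", []):
        report[name] = log["services"].get(name.lower(), "unreported")
    for path in script.get("files", []):
        report[path] = log["files"].get(path.lower().rstrip("\\"), "unreported")
    return report


def leftovers(script_text, log_text):
    """Paths the log could not move that were not in the script (e.g. from [emptytemp])."""
    requested = {p.lower().rstrip("\\") for p in parse_script(script_text).get("files", [])}
    log = parse_log(log_text)
    return sorted(p for p, status in log["files"].items()
                  if status != "moved" and p not in requested)


if __name__ == "__main__":
    for item, status in reconcile(OTM_SCRIPT, OTM_LOG).items():
        print(f"{status:20} {item}")
    for path in leftovers(OTM_SCRIPT, OTM_LOG):
        print(f"still pending       {path}")
```
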

Re: Help with malware - HJT Log

Unread postby JPicard » August 4th, 2009, 9:57 pm

Ok, I deleted all of those music files that Kaspersky flagged as infected. The only way I could get to C:\Users\Thea\! was to manually type in the path of the folder. I was able to delete all of the files except for 2 and the folder itself, giving me a window that said, "This file is no longer located in C:\Users\Thea. Verify the item's location and try again." Yes, I do still have the Kaspersky log, and yes, I am still using AVG as my antivirus. I only uninstalled it in order to run ComboFix safely; I have re-installed it. As far as how my computer is behaving, everything seems to be working just fine. Here are the logs:

Malwarebytes' Anti-Malware 1.40
Database version: 2560
Windows 6.0.6002 Service Pack 2

8/4/2009 7:55:15 PM
mbam-log-2009-08-04 (19-55-15).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 283487
Time elapsed: 1 hour(s), 54 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\Windows\System32\ESQULmbweupirfptqgaippvbpvdyxraitdthn.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Windows\System32\ESQULnbxkydnwcomprcqkqrnmnbsdmxeqpswr.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.


OTM log


All processes killed
========== SERVICES/DRIVERS ==========

Service\Driver CLTNetCnService deleted successfully.
========== FILES ==========
c:\Program Files\Common Files\Symantec Shared\CCPD-LC moved successfully.
c:\Program Files\Common Files\Symantec Shared moved successfully.
C:\Windows\System32\ithbehlklu.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Guest
->Temp folder emptied: 651744 bytes
->Temporary Internet Files folder emptied: 76613763 bytes
->Java cache emptied: 467851 bytes

User: Public

User: Thea
->Temp folder emptied: 248910643 bytes
->Temporary Internet Files folder emptied: 21429747 bytes
->Java cache emptied: 20595410 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
File delete failed. C:\Windows\System32\SET1901.tmp scheduled to be deleted on reboot.
File delete failed. C:\Windows\System32\SET1B94.tmp scheduled to be deleted on reboot.
File delete failed. C:\Windows\System32\SET1BD6.tmp scheduled to be deleted on reboot.
File delete failed. C:\Windows\System32\SET1CF3.tmp scheduled to be deleted on reboot.
File delete failed. C:\Windows\System32\SET1D35.tmp scheduled to be deleted on reboot.
%systemroot%\System32 .tmp files removed: 390656 bytes
Windows Temp folder emptied: 4462 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 352.00 mb


OTM by OldTimer - Version 3.0.0.5 log created on 08042009_202140

Files moved on Reboot...
File move failed. C:\Windows\System32\SET1901.tmp scheduled to be moved on reboot.
File move failed. C:\Windows\System32\SET1B94.tmp scheduled to be moved on reboot.
File move failed. C:\Windows\System32\SET1BD6.tmp scheduled to be moved on reboot.
File move failed. C:\Windows\System32\SET1CF3.tmp scheduled to be moved on reboot.
File move failed. C:\Windows\System32\SET1D35.tmp scheduled to be moved on reboot.

Registry entries deleted on Reboot...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:04:31, on 8/4/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Windows\WindowsMobile\wmdcBase.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/home.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdcBase.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8135 bytes
JPicard
Active Member
 
Posts: 8
Joined: July 27th, 2009, 12:35 pm

Re: Help with malware - HJT Log

Unread postby Bio-Hazard » August 5th, 2009, 8:07 am

Hello!

It is looking good. Let's see if that folder still exists.

----------------------------------------------------------
Please note: Due to the restrictions on Vista, all tools should be started by Right-Click ---> Run As Administrator
----------------------------------------------------------



SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :dir
    C:\Users\Thea

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt



Optional Fix

I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player's components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.
To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.

Viewpoint Manager is considered foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything bad. This may change; read Viewpoint to Plunge Into Adware.

I recommend that you remove the Viewpoint products; however, decide for yourself.

To uninstall the Viewpoint components:
  1. Click Start, point to Settings, and then click Control Panel.
  2. In Control Panel, double-click Add or Remove Programs.
  3. In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.


    How to prevent it from being recreated every time you run the AOL software:
    • Open AOL
    • Go to Help on the toolbar
    • Select About AOL
    • Hit Ctrl D and a secret panel can be accessed which will allow you to disable all desktop and IM features associated with Viewpoint.


Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:
  • SystemLook.txt
  • A fresh HijackThis Log (after all the above has been done)
  • A description of how your computer is behaving
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: Help with malware - HJT Log

Unread postby JPicard » August 5th, 2009, 10:32 pm

I have removed Viewpoint as I see no purpose in it. The computer is running just fine. I see no evident problems. Just for the sake of curiosity, I'm wondering about the purpose of the folders C:\Qoobox and C:\_OTM and if they need to be there. Here are the SystemLook and HijackThis logs:

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 21:12 on 04/08/2009 by Thea (Administrator - Elevation successful)

========== dir ==========

C:\Users\Thea - Parameters: "(none)"

---Files---
571.bat --a--- 502 bytes [08:18 04/07/2008] [08:18 04/07/2008]
ntuser.dat --a--- 6029312 bytes [20:01 28/05/2007] [02:11 05/08/2009]
ntuser.dat.LOG1 --ah-- 262144 bytes [20:01 28/05/2007] [02:11 05/08/2009]
ntuser.dat.LOG2 --ah-- 262144 bytes [20:01 28/05/2007] [04:03 13/12/2008]
ntuser.dat{38b6db73-874a-11dd-85ce-001b242f28e0}.TM.blf --ahs- 65536 bytes [01:36 21/09/2008] [01:59 05/08/2009]
ntuser.dat{38b6db73-874a-11dd-85ce-001b242f28e0}.TMContainer00000000000000000001.regtrans-ms --ahs- 524288 bytes [01:36 21/09/2008] [01:59 05/08/2009]
ntuser.dat{38b6db73-874a-11dd-85ce-001b242f28e0}.TMContainer00000000000000000002.regtrans-ms --ahs- 524288 bytes [01:36 21/09/2008] [02:14 21/09/2008]
NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TM.blf --ahs- 65536 bytes [20:02 28/05/2007] [01:34 21/09/2008]
NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000001.regtrans-ms --ahs- 524288 bytes [20:02 28/05/2007] [01:34 21/09/2008]
NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000002.regtrans-ms --ahs- 524288 bytes [20:02 28/05/2007] [05:20 29/05/2007]
ntuser.ini ---hs- 20 bytes [20:02 28/05/2007] [20:02 28/05/2007]

---Folders---
! d--hs- [08:18 04/07/2008]
AppData d--h-- [20:01 28/05/2007]
Application Data d--hs- [20:02 28/05/2007]
Contacts dr---- [20:13 28/05/2007]
Cookies d--hs- [20:02 28/05/2007]
Desktop dr---- [20:01 28/05/2007]
Documents dr---- [20:01 28/05/2007]
Downloads dr---- [20:01 28/05/2007]
Favorites dr---- [20:01 28/05/2007]
Links dr---- [20:01 28/05/2007]
Local Settings d--hs- [20:02 28/05/2007]
My Documents d--hs- [20:02 28/05/2007]
NetHood d--hs- [20:02 28/05/2007]
Pictures dr---- [20:01 28/05/2007]
PrintHood d--hs- [20:02 28/05/2007]
Recent d--hs- [20:02 28/05/2007]
Saved Games dr---- [20:01 28/05/2007]
Searches dr---- [20:13 28/05/2007]
SendTo d--hs- [20:02 28/05/2007]
Shared d----- [03:12 01/06/2007]
Start Menu d--hs- [20:02 28/05/2007]
Templates d--hs- [20:02 28/05/2007]
Videos dr---- [20:01 28/05/2007]

-=End Of File=-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:04:08, on 8/4/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Windows\WindowsMobile\wmdcBase.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/home.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdcBase.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7756 bytes
JPicard
Active Member
 
Posts: 8
Joined: July 27th, 2009, 12:35 pm
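The SystemLook ":dir" listing above can be checked mechanically rather than by eye. The following is an added Python example (not the thread's code and not part of SystemLook): it parses the ---Files--- / ---Folders--- lines, flags hidden+system folders that are not one of Vista's standard profile compatibility junctions (which is exactly what makes the "!" folder stand out), and lists any other entries created at the same timestamp as a flagged item, a common pivot when triaging a profile. The sample input is copied and trimmed from the log posted above; the junction list is an assumption based on the folders Vista creates in every user profile.

```python
"""Parse a SystemLook ':dir' listing and flag unusual hidden+system folders.

Added example for the thread above; not SystemLook's own code. The sample
listing is copied (and trimmed) from the log posted in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a trimmed copy of the ':dir' block posted above.
SAMPLE_LOG = """\
========== dir ==========

C:\\Users\\Thea - Parameters: "(none)"

---Files---
571.bat --a--- 502 bytes [08:18 04/07/2008] [08:18 04/07/2008]
ntuser.dat --a--- 6029312 bytes [20:01 28/05/2007] [02:11 05/08/2009]
ntuser.ini ---hs- 20 bytes [20:02 28/05/2007] [20:02 28/05/2007]

---Folders---
! d--hs- [08:18 04/07/2008]
AppData d--h-- [20:01 28/05/2007]
Application Data d--hs- [20:02 28/05/2007]
Cookies d--hs- [20:02 28/05/2007]
Desktop dr---- [20:01 28/05/2007]
Local Settings d--hs- [20:02 28/05/2007]
Start Menu d--hs- [20:02 28/05/2007]
Templates d--hs- [20:02 28/05/2007]
"""

# Assumption: the hidden+system junctions Vista places in every profile for
# XP compatibility. "d--hs-" on these is expected; on anything else it is not.
VISTA_PROFILE_JUNCTIONS = {
    "Application Data", "Cookies", "Local Settings", "My Documents",
    "NetHood", "PrintHood", "Recent", "SendTo", "Start Menu", "Templates",
}

# SystemLook line shape:  name  attrs  [size bytes]  [created]  [modified]
# attrs is six flag positions: d(ir) r(eadonly) a(rchive) h(idden) s(ystem) ?
_ENTRY = re.compile(
    r"^(?P<name>.+?) (?P<attr>[d-][r-][a-][h-][s-][a-z-])"
    r"(?: (?P<size>\d+) bytes)? \[(?P<created>[^\]]+)\]"
    r"(?: \[(?P<modified>[^\]]+)\])?$"
)


@dataclass
class Entry:
    name: str
    attr: str
    is_dir: bool
    hidden: bool
    system: bool
    size: Optional[int]
    created: str


def parse_dir_listing(text: str) -> List[Entry]:
    """Turn the file/folder lines of a ':dir' block into Entry objects.

    Headers, blank lines and the 'C:\\... - Parameters' line do not match
    the entry pattern and are skipped.
    """
    entries: List[Entry] = []
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            continue
        attr = m.group("attr")
        entries.append(Entry(
            name=m.group("name"),
            attr=attr,
            is_dir=attr[0] == "d",
            hidden=attr[3] == "h",
            system=attr[4] == "s",
            size=int(m.group("size")) if m.group("size") else None,
            created=m.group("created"),
        ))
    return entries


def suspicious_folders(entries: List[Entry]) -> List[str]:
    """Hidden+system folders that are not an expected profile junction."""
    return [e.name for e in entries
            if e.is_dir and e.hidden and e.system
            and e.name not in VISTA_PROFILE_JUNCTIONS]


def created_with(entries: List[Entry], name: str) -> List[str]:
    """Other entries sharing `name`'s creation timestamp (a triage pivot)."""
    stamps = {e.name: e.created for e in entries}
    ts = stamps.get(name)
    if ts is None:
        return []
    return [e.name for e in entries if e.created == ts and e.name != name]


if __name__ == "__main__":
    items = parse_dir_listing(SAMPLE_LOG)
    for folder in suspicious_folders(items):
        print(f"unexpected hidden+system folder: {folder!r}")
        print(f"  created alongside: {created_with(items, folder)}")
```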

Re: Help with malware - HJT Log

Unread postby Bio-Hazard » August 7th, 2009, 9:34 am

Hello!

We are almost done.

Just for the sake of curiosity, I'm just wondering about the purpose of the folders C:\Qoobox and C:\_OTM and if they are needed to be there.


Those folders belong to tools we used, Combofix and OTM. We delete them when we are finished.

----------------------------------------------------------
Please note: Due to the restrictions on Vista, all tools should be started by Right-Click ---> Run As Administrator
----------------------------------------------------------

Re-run OTM
  • Double-click OTM.exe to run it.
  • Paste the following code under the Image area. Do not include the word Code.
Code:
:Files
C:\Users\Thea\!
:Commands
[emptytemp]
[Reboot]

  • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Push the large Image button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:
  • OTM Log
  • A fresh HijackThis Log (after all the above has been done)
  • A description of how your computer is behaving
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: Help with malware - HJT Log

Unread postby JPicard » August 7th, 2009, 10:30 am

Hello, everything is running fantastic! Here's the OTM log and HijackThis log:

All processes killed
========== FILES ==========
C:\Users\Thea\! moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes

User: Public

User: Thea
->Temp folder emptied: 820833 bytes
File delete failed. C:\Users\Thea\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 27986751 bytes
->Java cache emptied: 13425503 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
File delete failed. C:\Windows\System32\SET1901.tmp scheduled to be deleted on reboot.
File delete failed. C:\Windows\System32\SET1B94.tmp scheduled to be deleted on reboot.
File delete failed. C:\Windows\System32\SET1BD6.tmp scheduled to be deleted on reboot.
File delete failed. C:\Windows\System32\SET1CF3.tmp scheduled to be deleted on reboot.
File delete failed. C:\Windows\System32\SET1D35.tmp scheduled to be deleted on reboot.
%systemroot%\System32 .tmp files removed: 390656 bytes
Windows Temp folder emptied: 4538 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 40.65 mb


OTM by OldTimer - Version 3.0.0.5 log created on 08072009_075516

Files moved on Reboot...
File move failed. C:\Windows\System32\SET1901.tmp scheduled to be moved on reboot.
File move failed. C:\Windows\System32\SET1B94.tmp scheduled to be moved on reboot.
File move failed. C:\Windows\System32\SET1BD6.tmp scheduled to be moved on reboot.
File move failed. C:\Windows\System32\SET1CF3.tmp scheduled to be moved on reboot.
File move failed. C:\Windows\System32\SET1D35.tmp scheduled to be moved on reboot.

Registry entries deleted on Reboot...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:03:38, on 8/7/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Windows\WindowsMobile\wmdcBase.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/home.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdcBase.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7898 bytes
JPicard
Active Member
 
Posts: 8
Joined: July 27th, 2009, 12:35 pm
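As an added example (not code from this thread, from HijackThis, or from MalwareRemoval.com): a small Python triage parser for the "O"-line format of the log above. It is fed a handful of lines copied verbatim from JPicard's log, groups them by HJT section code, and lists the entries a helper would look at first. The directory allow-list and the flagging rules are assumptions made for illustration, not an official checklist.

```python
"""Triage helper for the HijackThis (HJT) "O" line format seen in the log above.

Added example, not part of the thread or of HijackThis itself. The section
codes (O2 = BHO, O4 = Run keys, O20 = AppInit_DLLs, O23 = services) are as
HJT prints them; the directory allow-list and the flagging rules below are
illustrative assumptions, not an official checklist.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# A handful of lines copied verbatim from JPicard's log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
"""

# "O<n> - <rest of line>"
LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# A drive- or %ENV%-rooted Windows path ending in a binary extension; non-greedy
# so trailing arguments such as "-hide" are not swallowed into the path.
PATH_RE = re.compile(r"((?:[A-Za-z]:|%[A-Za-z_]+%)\\.*?\.(?:exe|dll|sys|cpl))", re.IGNORECASE)

# Assumed allow-list of install locations (lower-cased prefixes); adjust per machine.
EXPECTED_PREFIXES = (
    "c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\",
    "%programfiles%\\", "%windir%\\",
)


@dataclass
class HjtEntry:
    section: str                # e.g. "O4", "O23"
    name: str                   # label HJT shows for the entry
    path: Optional[str]         # executable/DLL path, None if HJT printed none
    flag: Optional[str] = None  # triage note set by triage()


def parse_line(line: str) -> Optional[HjtEntry]:
    """Parse one HJT line; returns None for lines that are not O-entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    bracket = re.search(r"\[([^\]]+)\]", rest)
    if bracket:      # O4 style: "[Name] path args"
        name = bracket.group(1)
    else:            # "BHO: Name - {CLSID} - path" or "Service: Name - Vendor - path"
        after_colon = rest.split(": ", 1)[1] if ": " in rest else rest
        name = after_colon.split(" - ")[0].strip()
    pm = PATH_RE.search(rest)
    return HjtEntry(section, name, pm.group(1) if pm else None)


def parse_log(text: str) -> List[HjtEntry]:
    """Parse a whole log, skipping headers and process-list lines."""
    return [e for e in (parse_line(ln) for ln in text.strip().splitlines()) if e]


def count_by_section(entries: List[HjtEntry]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


def triage(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Return the entries a helper would examine first, with a reason attached."""
    flagged = []
    for e in entries:
        if e.section == "O20":
            # AppInit_DLLs are loaded into every process that loads user32.dll,
            # so even a legitimate vendor DLL here is worth confirming by hand.
            e.flag = "AppInit_DLLs entry; confirm the DLL's vendor and location"
        elif e.path is None:
            e.flag = "no file path recorded"
        elif not e.path.lower().startswith(EXPECTED_PREFIXES):
            e.flag = "path outside the usual install directories"
        if e.flag:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(count_by_section(entries))
    for e in triage(entries):
        print(f"{e.section} {e.name!r} -> {e.flag}")
```

On these lines only the O20 AppInit_DLLs entry is listed. A flag means "check by hand", not "remove": the helper's verdict later in this thread is that the log appears clean, and the parser is only there to make the reading order explicit.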

Re: Help with malware - HJT Log

Unread postby Bio-Hazard » August 7th, 2009, 1:33 pm

----------------------------------------------------------
Please note: Due to the restrictions on Vista, all tools should be started by Right-Click ---> Run As Administrator
----------------------------------------------------------



Your log now appears to be clean. Congratulations!

You can get rid of the tools we used:
  • DDS - (You can just delete the exe file from your desktop)
  • ATF cleaner - (You can just delete the exe file from your desktop)
  • Systemlookup - (You can just delete the exe file from your desktop)

    Delete ComboFix and Clean Up
    Click Start > Run > type combofix /u > OK (Note the space between combofix and /u)
    Please advise if this step is missed for any reason as it performs some important actions.

    OTC

    Download OTC by Old Timer and save it to your Desktop.

    • Double-click OTC.exe
    • Click the CleanUp! button
    • Select Yes when the "Begin cleanup Process?" prompt appears
    • If you are prompted to Reboot during the cleanup, select Yes
    • The tool will delete itself once it finishes; if not, delete it yourself

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    General Security and Computer Health
    Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.

    • Make sure that you keep your antivirus updated
      New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
      NOTE: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
    • Security Updates for Windows, Internet Explorer & Microsoft Office
      Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
      NOTE: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.
    • Update Non-Microsoft Programs
      Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector or F-secure Health Check. I suggest that you run one of them at least once a month.


    Recommended Programs

    I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

    • WinPatrol
      As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
    • Hosts File
      For added protection you may also like to add a Hosts file. A simple explanation of what a Hosts file does is HERE and for more information regarding Hosts files read HERE.
    • Use an alternative Internet Browser
      Many of the exploits are directed at users of Internet Explorer. Try using a different browser instead:
      Firefox
      Opera
      Google Chrome

Here is a great article by miekiemoes How to prevent Malware.

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints. You need to be registered to post as, unfortunately, we were hit with too many spam posts to allow guest posting to continue. Just find your country room and register your complaint.

Finally I am trying to make one point very clear. It is ABSOLUTELY ESSENTIAL to keep all of your security programs up to date.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!

Bio-Hazard
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK