Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Is ipfw kernel mode driver in device manager a legit item

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Is ipfw kernel mode driver in device manager a legit item

Unread postby lilliejane » August 14th, 2009, 4:46 pm

Is ipfw kernel mode driver in device manager a legit item,or put there by malware,it has a yellow exclamation point beside? Sorry I forgot the log file...... here it is below.Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:43:35 PM, on 8/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.62 private.microsoft.com
O1 - Hosts: 209.44.111.62 aviremover-2009.com
O1 - Hosts: 209.44.111.62 hxxp://www.aviremover-2009.com
O1 - Hosts: 74.125.45.100 test1111.com
O1 - Hosts: 74.125.45.100 test1112.com
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 hxxp://www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 hxxp://www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 hxxp://www.getavplusnow.com
O1 - Hosts: 74.125.45.100 hxxp://www.securesoftwarebill.com
O1 - Hosts: 89.248.168.188 google.ae
O1 - Hosts: 89.248.168.188 google.as
O1 - Hosts: 89.248.168.188 google.at
O1 - Hosts: 89.248.168.188 google.az
O1 - Hosts: 89.248.168.188 google.ba
O1 - Hosts: 89.248.168.188 google.be
O1 - Hosts: 89.248.168.188 google.bg
O1 - Hosts: 89.248.168.188 google.bs
O1 - Hosts: 89.248.168.188 google.ca
O1 - Hosts: 89.248.168.188 google.cd
O1 - Hosts: 89.248.168.188 google.com.gh
O1 - Hosts: 89.248.168.188 google.com.hk
O1 - Hosts: 89.248.168.188 google.com.jm
O1 - Hosts: 89.248.168.188 google.com.mx
O1 - Hosts: 89.248.168.188 google.com.my
O1 - Hosts: 89.248.168.188 google.com.na
O1 - Hosts: 89.248.168.188 google.com.nf
O1 - Hosts: 89.248.168.188 google.com.ng
O1 - Hosts: 89.248.168.188 google.ch
O1 - Hosts: 89.248.168.188 google.com.np
O1 - Hosts: 89.248.168.188 google.com.pr
O1 - Hosts: 89.248.168.188 google.com.qa
O1 - Hosts: 89.248.168.188 google.com.sg
O1 - Hosts: 89.248.168.188 google.com.tj
O1 - Hosts: 89.248.168.188 google.com.tw
O1 - Hosts: 89.248.168.188 google.dj
O1 - Hosts: 89.248.168.188 google.de
O1 - Hosts: 89.248.168.188 google.dk
O1 - Hosts: 89.248.168.188 google.dm
O1 - Hosts: 89.248.168.188 google.ee
O1 - Hosts: 89.248.168.188 google.fi
O1 - Hosts: 89.248.168.188 google.fm
O1 - Hosts: 89.248.168.188 google.fr
O1 - Hosts: 89.248.168.188 google.ge
O1 - Hosts: 89.248.168.188 google.gg
O1 - Hosts: 89.248.168.188 google.gm
O1 - Hosts: 89.248.168.188 google.gr
O1 - Hosts: 89.248.168.188 google.ht
O1 - Hosts: 89.248.168.188 google.ie
O1 - Hosts: 89.248.168.188 google.im
O1 - Hosts: 89.248.168.188 google.in
O1 - Hosts: 89.248.168.188 google.it
O1 - Hosts: 89.248.168.188 google.ki
O1 - Hosts: 89.248.168.188 google.la
O1 - Hosts: 89.248.168.188 google.li
O1 - Hosts: 89.248.168.188 google.lv
O1 - Hosts: 89.248.168.188 google.ma
O1 - Hosts: 89.248.168.188 google.ms
O1 - Hosts: 89.248.168.188 google.mu
O1 - Hosts: 89.248.168.188 google.mw
O1 - Hosts: 89.248.168.188 google.nl
O1 - Hosts: 89.248.168.188 google.no
O1 - Hosts: 89.248.168.188 google.nr
O1 - Hosts: 89.248.168.188 google.nu
O1 - Hosts: 89.248.168.188 google.pl
O1 - Hosts: 89.248.168.188 google.pn
O1 - Hosts: 89.248.168.188 google.pt
O1 - Hosts: 89.248.168.188 google.ro
O1 - Hosts: 89.248.168.188 google.ru
O1 - Hosts: 89.248.168.188 google.rw
O1 - Hosts: 89.248.168.188 google.sc
O1 - Hosts: 89.248.168.188 google.se
O1 - Hosts: 89.248.168.188 google.sh
O1 - Hosts: 89.248.168.188 google.si
O1 - Hosts: 89.248.168.188 google.sm
O1 - Hosts: 89.248.168.188 google.sn
O1 - Hosts: 89.248.168.188 google.st
O1 - Hosts: 89.248.168.188 google.tl
O1 - Hosts: 89.248.168.188 google.tm
O1 - Hosts: 89.248.168.188 google.tt
O1 - Hosts: 89.248.168.188 google.us
O1 - Hosts: 89.248.168.188 google.vu
O1 - Hosts: 89.248.168.188 google.ws
O1 - Hosts: 89.248.168.188 google.co.ck
O1 - Hosts: 89.248.168.188 google.co.id
O1 - Hosts: 89.248.168.188 google.co.il
O1 - Hosts: 89.248.168.188 google.co.in
O1 - Hosts: 89.248.168.188 google.co.jp
O1 - Hosts: 89.248.168.188 google.co.kr
O1 - Hosts: 89.248.168.188 google.co.ls
O1 - Hosts: 89.248.168.188 google.co.ma
O1 - Hosts: 89.248.168.188 google.co.nz
O1 - Hosts: 89.248.168.188 google.co.tz
O1 - Hosts: 89.248.168.188 google.co.ug
O1 - Hosts: 89.248.168.188 google.co.uk
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {E8A5FFE5-52DF-4399-934C-02EB1D33310A} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/servle ... 6.000000b5
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se1140.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: karna.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: mlJYsrrS - mlJYsrrS.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ipfw_helper (ipfw) - Unknown owner - C:\WINDOWS\system32\8904.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O24 - Desktop Component 0: Desktop Uninstall - C:\WINDOWS\warnhp.html

--
End of file - 11438 bytes
Last edited by silver on August 14th, 2009, 8:19 pm, edited 3 times in total.
Reason: disabled links in log
lilliejane
Regular Member
 
Posts: 20
Joined: August 11th, 2009, 4:19 pm
Advertisement
Register to Remove

Re: Is ipfw kernel mode driver in device manager a legit item

Unread postby melboy » August 15th, 2009, 7:15 am

Hi and welcome to the MR forums. :)

I'm melboy and I am going to try to help you with your problem. Please take note of the following:

  1. I will be working on your Malware issues this may or may not solve other issues you have with your machine.
  2. The fixes are specific to your problem and should only be used for this issue on this machine.
  3. If you don't know or understand something, please don't hesitate to ask.
  4. Please DO NOT run any other tools or scans whilst I am helping you.
  5. It is important that you reply to this thread. Do not start a new topic.
  6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  7. Absence of symptoms does not mean that everything is clear.

No Reply Within 3 Days Will Result In Your Topic Being Closed!! If you need more time please inform me.

I notice that the log here looks remarkably similar. If it is your log, with reference to this, could you kindly post for closure at TSG and inform them you are being helped here at Malware Removal.
Thank you. :)


Uninstall list

Please post an Uninstall list.

  1. Open HijackThis.
  2. Click on the Open the Misc Tools section button.
  3. Look under System tools.
  4. Click on the Open Uninstall Manager... button.
  5. Click on the Save list... button.
  6. It will prompt you to save. Save this log in a convenient location, such as your Desktop By default it's named uninstall_list.txt.
  7. Notepad will open. Please post this log in your next reply.


In your next reply.

1. Uninstall list.
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

This is the uninstall list

Unread postby lilliejane » August 15th, 2009, 3:01 pm

Thank you in advance for helping me.I will close the other TGS they never responded anyway.


32 Bit HP CIO Components Installer
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Reader 8.1.2
Agere Systems PCI Soft Modem
ArcSoft Software Suite
AVG Free 8.5
CCleaner (remove only)
Critical Update for Windows Media Player 11 (KB959772)
EPSON CardMonitor
EPSON PhotoStarter3.2
FLV Player 2.0, build 24
GdiplusUpgrade
Google Earth
Google Updater
Help and Support Additions
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
HP Customer Participation Program 9.0
HP Deskjet Preloaded Printer Drivers
HP Image Zone 4.2
HP Image Zone Plus 4.2
HP Imaging Device Functions 9.0
HP OCR Software 9.0
HP Photo & Imaging 3.5 - HP Devices
HP Photosmart All-In-One Software 9.0
HP Photosmart Essential 2.01
HP PSC & OfficeJet 4.0
HP Smart Web Printing
HP Solution Center 9.0
HP Update
HPIZ402
HPSSupply
Image Resizer Powertoy for Windows XP
Intel(R) Extreme Graphics Driver
IntelliMover Data Transfer Demo
InterVideo WinDVD Creator 2
InterVideo WinDVD Player
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 15
KBD
Learn2 Player (Uninstall Only)
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office 2000 SR-1 Professional
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 7.0
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 3.5 magicMoments - HPD
PC-Doctor for Windows
Photosmart 320,370,7400,8100,8400 Series
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
QuickTime
RealPlayer
ScanToWeb
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Sonic RecordNow!
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Updates from HP
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WildTangent GameChannel (remove only)
Windows Backup Utility
Windows Defender
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Yahoo! Messenger
lilliejane
Regular Member
 
Posts: 20
Joined: August 11th, 2009, 4:19 pm

Re: Is ipfw kernel mode driver in device manager a legit item

Unread postby melboy » August 16th, 2009, 8:03 am

Hi Lillijane


Disable Spybot's TeaTimer. This is a two step process.
First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in left panel, click Resident shows a red/white shield.
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.


Disable Windows Defender

From your log i can see this that you are running a Windows Defender. This might interfere with fixes we are about to do so we need to disable it. To disable your Windows Defender Real-time Protection.

  • Open Windows Defender
  • Click Tools
  • Click General Settings
  • Scroll down to Real Time Protection Options
  • Uncheck Turn on Real Time Protection (recommended)
  • Close Windows Defender

Note:Once your log is clean you can re-enable Windows Defender Real Time Protection.


Disable SUPERAntiSpyware

From your log i can see this that you are running a SuperAntispyware. This might interfere with fixes we are about to do so we need to disable it.
  • Right-click on the shortcut from the system tray
  • Choose View Control Center (preferences/options)
  • On the General and Startup tab
  • Uncheck Start SUPERAntispyware when Windows starts
  • Click Close to exit


Disable AVG8
  • Open AVG8 Control Center, by right clicking on AVG8 icon on task bar.
  • Click on Tools.
  • Select Advanced.
  • In the left hand pane, scroll down to Resident Shield.
  • In the main pane, deselect the option to Enable Resident Shield.
Note: If you want to re-enable AVG, please select Enable Resident Shield again.

ATF-Cleaner

Please download ATF Cleaner by Atribune.

  • Save it to your desktop
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords
    please click No at the prompt.


    If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords
    please click No at the prompt.


  • Click Exit on the Main menu to close the program.


Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update have been completed, Select the Scanner tab.
  • Select Perform full scan, then click on Scan
  • Leave the default options as it is and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Checked (ticked) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest


ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix: Bleeping Computer ComboFix Tutorial

  • You must download it to and run it from your Desktop
  • Ensure your security programs are disabled as instructed previously, to prevent them interfering with combofix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper


    Note: You can re-enable AVG8 after running combofix.

    In your next reply:
    1. Combofix log
    2. MBAM log
    3. A fresh HJT log.
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Is ipfw kernel mode driver in device manager a legit item

Unread postby lilliejane » August 17th, 2009, 2:33 pm

Combo fix log:
ComboFix 09-08-10.06 - HP_Owner 08/17/2009 13:58.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.759.388 [GMT -4:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\crosof~1.net
c:\windows\system32\AutoRun.inf
c:\windows\system32\Drivers\irijbenu.sys
D:\Autorun.inf


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPFW
-------\Legacy_IP_FW
-------\Service_ip_fw
-------\Service_ipfw


((((((((((((((((((((((((( Files Created from 2009-07-17 to 2009-08-17 )))))))))))))))))))))))))))))))
.

2009-08-13 14:03 . 2009-08-17 16:28 -------- d-----w- c:\program files\aaajia
2009-08-13 07:01 . 2009-08-13 07:01 -------- d-----w- c:\windows\ServicePackFiles
2009-08-10 12:39 . 2009-08-10 12:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-08 14:21 . 2009-08-08 14:21 -------- d-----w- c:\docume~1\HP_Owner\APPLIC~1\Malwarebytes
2009-08-08 14:21 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 14:21 . 2009-08-08 14:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 14:21 . 2009-08-08 14:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-08 14:21 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-06 13:49 . 2009-08-06 17:05 -------- d-----w- c:\program files\cfsgfo
2009-08-04 23:28 . 2009-08-05 00:50 -------- d-----w- c:\program files\mslfni
2009-08-04 21:33 . 2009-08-05 00:41 -------- dc-h--w- c:\documents and settings\All Users\Application Data\~0
2009-08-03 16:32 . 2009-08-03 16:33 -------- d-----w- c:\program files\Windows Defender
2009-08-03 01:15 . 2009-08-03 01:15 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-08-03 01:15 . 2009-08-03 01:15 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-08-03 00:48 . 2009-08-03 00:48 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-02 12:51 . 2009-08-02 12:51 -------- d-----w- c:\program files\Trend Micro
2009-07-31 18:57 . 2009-08-03 00:46 -------- d--h--w- c:\documents and settings\HP_Owner\Recent(2)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-17 15:10 . 2007-06-17 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-17 15:02 . 2006-09-26 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-17 00:37 . 2006-11-10 21:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-11 15:57 . 2006-10-11 15:48 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-11 14:01 . 2007-04-30 21:25 -------- d-----w- c:\program files\CCleaner
2009-08-10 12:39 . 2004-08-12 02:36 -------- d-----w- c:\program files\Java
2009-08-07 13:55 . 2008-06-11 15:31 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-05 09:11 . 2004-09-07 00:20 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:41 . 2005-08-01 16:03 -------- d-----w- c:\program files\Lavasoft
2009-08-05 00:40 . 2008-06-10 20:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-04 20:47 . 2008-06-10 20:52 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-03 01:15 . 2008-10-28 19:33 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-07-18 16:20 . 2004-09-07 00:21 1506304 ----a-w- c:\windows\system32\shdocvw(2)(3).dll
2009-07-17 18:55 . 2004-09-07 00:56 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-09-07 00:22 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-05 07:01 . 2009-07-05 07:01 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-05 07:01 . 2009-07-05 07:01 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-26 16:18 . 2004-09-07 00:22 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-09-07 00:22 659456 ----a-w- c:\windows\system32\wininet(2)(3).dll
2009-06-26 16:18 . 2004-09-07 00:22 616448 ----a-w- c:\windows\system32\urlmon(2)(3).dll
2009-06-26 16:18 . 2004-09-07 00:21 474112 ----a-w- c:\windows\system32\shlwapi(2)(3).dll
2009-06-26 16:18 . 2004-09-07 00:20 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 08:44 . 2004-09-07 00:22 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2004-09-07 00:21 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 2004-09-07 00:21 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:44 . 2004-09-07 00:20 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:44 . 2004-09-07 00:20 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2004-09-07 00:20 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-22 11:34 . 2004-08-12 00:59 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-20 12:38 . 2008-06-11 15:31 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-16 14:55 . 2004-09-07 00:22 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2004-09-07 00:20 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 11:50 . 2004-08-12 00:59 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2004-09-07 00:56 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2004-09-07 00:22 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-06 23:07 . 2005-01-23 00:57 886 -c--a-w- c:\windows\EntPack.dat
2009-06-05 07:42 . 2004-09-07 00:20 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2004-09-07 00:21 1290752 ----a-w- c:\windows\system32\quartz.dll
2006-06-27 02:06 . 2006-06-27 02:06 793602 -c--a-w- c:\program files\ntbackup.msi
2005-09-05 18:58 . 2005-09-05 18:58 4096 -csha-w- c:\program files\Common Files\Thumbs.db
2005-05-23 16:54 . 2005-05-23 16:54 0 -csha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\program files\Internet Explorer\iexplore.exe" [2004-08-04 93184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-08 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-08 659456]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-08-12 98304]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-22 185896]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-03-04 88209]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\windows\warnhp.html
FriendlyName= Desktop Uninstall

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 20:28 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-17 12:44 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=c:\windows\pss\SpySubtract.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/11/2008 11:31 AM 335752]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/11/2008 11:31 AM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/3/2008 2:07 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 2:07 PM 55024]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/3/2008 12:26 PM 907032]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/3/2008 12:26 PM 298776]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/3/2008 2:07 PM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-08-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-17 07:53]

2009-08-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{E8A5FFE5-52DF-4399-934C-02EB1D33310A} - (no file)
Notify-mlJYsrrS - mlJYsrrS.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-17 14:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2436583772-3335135597-2161376037-1009\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(384)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-08-17 14:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-17 18:14

Pre-Run: 20,474,830,848 bytes free
Post-Run: 20,368,986,112 bytes free

215 --- E O F --- 2009-08-17 03:15

This is mbam log
Malwarebytes' Anti-Malware 1.40
Database version: 2640
Windows 5.1.2600 Service Pack 2

8/17/2009 12:28:30 PM
mbam-log-2009-08-17 (12-28-30).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 169995
Time elapsed: 1 hour(s), 2 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\aaajia\cocusysguard.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

This is new HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:31:57 PM, on 8/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/servle ... 6.000000b5
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se1140.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O24 - Desktop Component 0: Desktop Uninstall - C:\WINDOWS\warnhp.html

--
End of file - 7035 bytes

Sorry I posted in PM..........
lilliejane
Regular Member
 
Posts: 20
Joined: August 11th, 2009, 4:19 pm

Re: Is ipfw kernel mode driver in device manager a legit item

Unread postby lilliejane » August 17th, 2009, 2:33 pm

Combo fix log:
ComboFix 09-08-10.06 - HP_Owner 08/17/2009 13:58.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.759.388 [GMT -4:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\crosof~1.net
c:\windows\system32\AutoRun.inf
c:\windows\system32\Drivers\irijbenu.sys
D:\Autorun.inf


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPFW
-------\Legacy_IP_FW
-------\Service_ip_fw
-------\Service_ipfw


((((((((((((((((((((((((( Files Created from 2009-07-17 to 2009-08-17 )))))))))))))))))))))))))))))))
.

2009-08-13 14:03 . 2009-08-17 16:28 -------- d-----w- c:\program files\aaajia
2009-08-13 07:01 . 2009-08-13 07:01 -------- d-----w- c:\windows\ServicePackFiles
2009-08-10 12:39 . 2009-08-10 12:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-08 14:21 . 2009-08-08 14:21 -------- d-----w- c:\docume~1\HP_Owner\APPLIC~1\Malwarebytes
2009-08-08 14:21 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 14:21 . 2009-08-08 14:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 14:21 . 2009-08-08 14:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-08 14:21 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-06 13:49 . 2009-08-06 17:05 -------- d-----w- c:\program files\cfsgfo
2009-08-04 23:28 . 2009-08-05 00:50 -------- d-----w- c:\program files\mslfni
2009-08-04 21:33 . 2009-08-05 00:41 -------- dc-h--w- c:\documents and settings\All Users\Application Data\~0
2009-08-03 16:32 . 2009-08-03 16:33 -------- d-----w- c:\program files\Windows Defender
2009-08-03 01:15 . 2009-08-03 01:15 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-08-03 01:15 . 2009-08-03 01:15 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-08-03 00:48 . 2009-08-03 00:48 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-02 12:51 . 2009-08-02 12:51 -------- d-----w- c:\program files\Trend Micro
2009-07-31 18:57 . 2009-08-03 00:46 -------- d--h--w- c:\documents and settings\HP_Owner\Recent(2)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-17 15:10 . 2007-06-17 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-17 15:02 . 2006-09-26 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-17 00:37 . 2006-11-10 21:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-11 15:57 . 2006-10-11 15:48 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-11 14:01 . 2007-04-30 21:25 -------- d-----w- c:\program files\CCleaner
2009-08-10 12:39 . 2004-08-12 02:36 -------- d-----w- c:\program files\Java
2009-08-07 13:55 . 2008-06-11 15:31 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-05 09:11 . 2004-09-07 00:20 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:41 . 2005-08-01 16:03 -------- d-----w- c:\program files\Lavasoft
2009-08-05 00:40 . 2008-06-10 20:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-04 20:47 . 2008-06-10 20:52 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-03 01:15 . 2008-10-28 19:33 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-07-18 16:20 . 2004-09-07 00:21 1506304 ----a-w- c:\windows\system32\shdocvw(2)(3).dll
2009-07-17 18:55 . 2004-09-07 00:56 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-09-07 00:22 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-05 07:01 . 2009-07-05 07:01 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-05 07:01 . 2009-07-05 07:01 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-26 16:18 . 2004-09-07 00:22 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-09-07 00:22 659456 ----a-w- c:\windows\system32\wininet(2)(3).dll
2009-06-26 16:18 . 2004-09-07 00:22 616448 ----a-w- c:\windows\system32\urlmon(2)(3).dll
2009-06-26 16:18 . 2004-09-07 00:21 474112 ----a-w- c:\windows\system32\shlwapi(2)(3).dll
2009-06-26 16:18 . 2004-09-07 00:20 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 08:44 . 2004-09-07 00:22 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2004-09-07 00:21 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 2004-09-07 00:21 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:44 . 2004-09-07 00:20 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:44 . 2004-09-07 00:20 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2004-09-07 00:20 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-22 11:34 . 2004-08-12 00:59 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-20 12:38 . 2008-06-11 15:31 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-16 14:55 . 2004-09-07 00:22 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2004-09-07 00:20 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 11:50 . 2004-08-12 00:59 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2004-09-07 00:56 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2004-09-07 00:22 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-06 23:07 . 2005-01-23 00:57 886 -c--a-w- c:\windows\EntPack.dat
2009-06-05 07:42 . 2004-09-07 00:20 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2004-09-07 00:21 1290752 ----a-w- c:\windows\system32\quartz.dll
2006-06-27 02:06 . 2006-06-27 02:06 793602 -c--a-w- c:\program files\ntbackup.msi
2005-09-05 18:58 . 2005-09-05 18:58 4096 -csha-w- c:\program files\Common Files\Thumbs.db
2005-05-23 16:54 . 2005-05-23 16:54 0 -csha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\program files\Internet Explorer\iexplore.exe" [2004-08-04 93184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-08 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-08 659456]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-08-12 98304]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-22 185896]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-03-04 88209]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\windows\warnhp.html
FriendlyName= Desktop Uninstall

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 20:28 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-17 12:44 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=c:\windows\pss\SpySubtract.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/11/2008 11:31 AM 335752]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/11/2008 11:31 AM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/3/2008 2:07 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 2:07 PM 55024]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/3/2008 12:26 PM 907032]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/3/2008 12:26 PM 298776]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/3/2008 2:07 PM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-08-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-17 07:53]

2009-08-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{E8A5FFE5-52DF-4399-934C-02EB1D33310A} - (no file)
Notify-mlJYsrrS - mlJYsrrS.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-17 14:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2436583772-3335135597-2161376037-1009\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(384)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-08-17 14:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-17 18:14

Pre-Run: 20,474,830,848 bytes free
Post-Run: 20,368,986,112 bytes free

215 --- E O F --- 2009-08-17 03:15

This is mbam log
Malwarebytes' Anti-Malware 1.40
Database version: 2640
Windows 5.1.2600 Service Pack 2

8/17/2009 12:28:30 PM
mbam-log-2009-08-17 (12-28-30).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 169995
Time elapsed: 1 hour(s), 2 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\aaajia\cocusysguard.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

This is new HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:31:57 PM, on 8/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/servle ... 6.000000b5
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se1140.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O24 - Desktop Component 0: Desktop Uninstall - C:\WINDOWS\warnhp.html

--
End of file - 7035 bytes

Sorry I posted in PM..........
lilliejane
Regular Member
 
Posts: 20
Joined: August 11th, 2009, 4:19 pm

Re: Is ipfw kernel mode driver in device manager a legit item

Unread postby melboy » August 18th, 2009, 1:34 pm

Hi Lilliejane :)


Fix HijackThis entries
  • Run HijackThis
  • Click on the do a system scan only button
  • Put a check beside all of the items listed below (if present):

      O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE#
      O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/servle ... 6.000000b5
      O24 - Desktop Component 0: Desktop Uninstall - C:\WINDOWS\warnhp.html

  • Close all open windows and browsers/email etc...
  • Click on the Fix Checked button
  • When completed close the application.


COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    http://malwareremoval.com/forum/viewtopic.php?f=11&t=45101
    
    Collect::
    C:\WINDOWS\warnhp.html
    
    DirLook::
    c:\documents and settings\All Users\Application Data\~0
    
    Folder::
    c:\program files\aaajia
    c:\program files\cfsgfo
    c:\program files\mslfni
    
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Next:
Go to start -> control panel -> Display properties -> Desktop -> Customize Desktop... -> Web tab, then uncheck and delete everything you find in there (except for "My current home page").
Also remove the checkmark from the the Lock Desktop Items box if it is checked.
Apply.
Apply and Exit Display properties.


If combofix doesn't reboot your PC, manually REBOOT it.


Optional:

I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable autoupdating for the Viewpoint Manager the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.
To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.

Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware.
I recommend that you remove the Viewpoint products; however, decide for yourself. Before removing it from Add or Remove Programs, there is something we need to do to stop it from being recreated.
  • Open AOL.
  • Go to Help on the toolbar.
  • Select About AOL.
  • Hit Ctrl + D and a secret panel can be accessed which will allow you to disable all desktop and IM features associated with Viewpoint.
  • You can return to Add or Remove Programs and remove Viewpoint Media Player
. To uninstall the Viewpoint components:.
  1. Click Start > Control Panel.
  2. In Control Panel, double-click Add or Remove Programs.
  3. In Add or Remove Programs, highlight Viewpoint components, click Remove.
  4. Close the Add or Remove Programs and the Control Panel windows.
  5. Using Windows Explorer (Windows key+e), search for the Viewpoint components folder. If the program folder is still there, select/highlight the Viewpoint components folder. DELETE it. (File > Delete.) If Windows is not installed on the C drive, replace C:\ with the appropriate drive letter.
  6. Close Windows Explorer.
Do the same for each Viewpoint component.


I see you are using Wild Tangent. It is not malware, but is sometimes thought to bring malware along. Wild Tangent is a video game software company specializing in online games. It has even made a partnership with AOL to include itself as part of the AOL Instant Messenger for their AIM games section. The WildTangent Web Driver is their technology that allows you to play 3D games over the Internet. Although it’s not technically considered spyware, it does have built in components to update itself and gather information about the computer system including
  1. Operating System Version
  2. CPU Type and Speed
  3. Memory Amount
    Video Card type and Driver Version
  4. Sound Card type and Driver Version
  5. DirectX Version
    Location that the Web Driver was installed from
  6. It is also a MAJOR resource hog.
For more information, see WildTangent Removal Instructions and Help and Inside Wild Tangent-Delivering High-End 3-D Content To A Web Site Near You.
Unless you are an extremely avid games player, I recommend you uninstall Wild Tangent: To uninstall Wild Tangent:
  1. Click Start, point to Settings, and then click Control Panel.
  2. In Control Panel, double-click Add or Remove Programs.
  3. In Add or Remove Programs, highlight Wild Tangent, click Remove.
  4. Close the Add or Remove Programs and the Control Panel windows.

In your next reply:
  1. Combofix.log
  2. A fresh Hjt log
  3. A description of how things are running now.
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Is ipfw kernel mode driver in device manager a legit item

Unread postby lilliejane » August 18th, 2009, 8:34 pm

ComboFix 09-08-10.06 - HP_Owner 08/18/2009 16:35.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.759.382 [GMT -4:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\aaajia
c:\program files\cfsgfo
c:\program files\mslfni


.
((((((((((((((((((((((((( Files Created from 2009-07-18 to 2009-08-18 )))))))))))))))))))))))))))))))
.

2009-08-13 07:01 . 2009-08-13 07:01 -------- d-----w- c:\windows\ServicePackFiles
2009-08-10 12:39 . 2009-08-10 12:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-08 14:21 . 2009-08-08 14:21 -------- d-----w- c:\docume~1\HP_Owner\APPLIC~1\Malwarebytes
2009-08-08 14:21 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 14:21 . 2009-08-08 14:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 14:21 . 2009-08-08 14:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-08 14:21 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-04 21:33 . 2009-08-05 00:41 -------- dc-h--w- c:\documents and settings\All Users\Application Data\~0
2009-08-03 16:32 . 2009-08-03 16:33 -------- d-----w- c:\program files\Windows Defender
2009-08-03 01:15 . 2009-08-03 01:15 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-08-03 01:15 . 2009-08-03 01:15 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-08-03 00:48 . 2009-08-03 00:48 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-02 12:51 . 2009-08-02 12:51 -------- d-----w- c:\program files\Trend Micro
2009-07-31 18:57 . 2009-08-03 00:46 -------- d--h--w- c:\documents and settings\HP_Owner\Recent(2)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-18 20:06 . 2006-09-26 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-18 19:53 . 2005-01-08 03:59 -------- d-----w- c:\program files\WildTangent
2009-08-17 15:10 . 2007-06-17 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-17 00:37 . 2006-11-10 21:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-11 15:57 . 2006-10-11 15:48 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-11 14:01 . 2007-04-30 21:25 -------- d-----w- c:\program files\CCleaner
2009-08-10 12:39 . 2004-08-12 02:36 -------- d-----w- c:\program files\Java
2009-08-07 13:55 . 2008-06-11 15:31 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-05 09:11 . 2004-09-07 00:20 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:41 . 2005-08-01 16:03 -------- d-----w- c:\program files\Lavasoft
2009-08-05 00:40 . 2008-06-10 20:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-04 20:47 . 2008-06-10 20:52 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-03 01:15 . 2008-10-28 19:33 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-07-18 16:20 . 2004-09-07 00:21 1506304 ----a-w- c:\windows\system32\shdocvw(2)(3).dll
2009-07-17 18:55 . 2004-09-07 00:56 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-09-07 00:22 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-05 07:01 . 2009-07-05 07:01 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-05 07:01 . 2009-07-05 07:01 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-26 16:18 . 2004-09-07 00:22 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-09-07 00:22 659456 ----a-w- c:\windows\system32\wininet(2)(3).dll
2009-06-26 16:18 . 2004-09-07 00:22 616448 ----a-w- c:\windows\system32\urlmon(2)(3).dll
2009-06-26 16:18 . 2004-09-07 00:21 474112 ----a-w- c:\windows\system32\shlwapi(2)(3).dll
2009-06-26 16:18 . 2004-09-07 00:20 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 08:44 . 2004-09-07 00:22 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2004-09-07 00:21 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 2004-09-07 00:21 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:44 . 2004-09-07 00:20 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:44 . 2004-09-07 00:20 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2004-09-07 00:20 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-22 11:34 . 2004-08-12 00:59 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-20 12:38 . 2008-06-11 15:31 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-16 14:55 . 2004-09-07 00:22 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2004-09-07 00:20 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 11:50 . 2004-08-12 00:59 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2004-09-07 00:56 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2004-09-07 00:22 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-06 23:07 . 2005-01-23 00:57 886 -c--a-w- c:\windows\EntPack.dat
2009-06-05 07:42 . 2004-09-07 00:20 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2004-09-07 00:21 1290752 ----a-w- c:\windows\system32\quartz.dll
2006-06-27 02:06 . 2006-06-27 02:06 793602 -c--a-w- c:\program files\ntbackup.msi
2005-09-05 18:58 . 2005-09-05 18:58 4096 -csha-w- c:\program files\Common Files\Thumbs.db
2005-05-23 16:54 . 2005-05-23 16:54 0 -csha-w- c:\windows\SMINST\HPCD.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users\Application Data\~0 ----

2009-08-04 21:33 . 2009-07-08 17:28 578782 -c----w- c:\documents and settings\All Users\Application Data\~0\mia.lib
2009-08-04 21:33 . 2009-07-08 17:28 2920112 -c----w- c:\documents and settings\All Users\Application Data\~0\Ad-AwareAE.exe


((((((((((((((((((((((((((((( SnapShot@2009-08-17_18.08.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-18 19:47 . 2009-08-18 19:47 16384 c:\windows\Temp\Perflib_Perfdata_138.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-08 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-08 659456]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-08-12 98304]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-22 185896]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-03-04 88209]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 20:28 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-17 12:44 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJYsrrS]
[BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=c:\windows\pss\SpySubtract.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/11/2008 11:31 AM 335752]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/11/2008 11:31 AM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/3/2008 2:07 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 2:07 PM 55024]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/3/2008 12:26 PM 907032]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/3/2008 12:26 PM 298776]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/3/2008 2:07 PM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-08-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-17 07:53]

2009-08-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{E8A5FFE5-52DF-4399-934C-02EB1D33310A} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-18 16:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2436583772-3335135597-2161376037-1009\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\COMRes.dll

- - - - - - - > 'explorer.exe'(3524)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-08-18 16:45
ComboFix-quarantined-files.txt 2009-08-18 20:45
ComboFix2.txt 2009-08-17 18:14

Pre-Run: 21,051,781,120 bytes free
Post-Run: 21,025,284,096 bytes free

Current=1 Default=1 Failed=4 LastKnownGood=2 Sets=,1,2,3,4
201 --- E O F --- 2009-08-18 00:44


HJT Log file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:17:05 PM, on 8/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se1140.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: mlJYsrrS - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 6818 bytes

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:17:05 PM, on 8/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se1140.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: mlJYsrrS - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 6818 bytes


I have did all the other steps,the only thing I'm having trouble with is the AOL files came as a bundle deal with the computer,but was never used.I have 5 files in my search engine,deleted the veiwpoint media player from add and remove,nothing else there.How do I get these files to delete ? My computer is running much better now,is even quicker loading.Do you have a recommendation for a virus,or spyware detection ? Thank you Melboy for all your expertise you are a whiz !!!!
lilliejane
Regular Member
 
Posts: 20
Joined: August 11th, 2009, 4:19 pm

Re: Is ipfw kernel mode driver in device manager a legit item

Unread postby melboy » August 20th, 2009, 11:55 am

Hi Lillijane.

Thank you, your thanks are appreciated, but lets save them for when you are clean! We'll discuss how to secure your PC then as well, but for now we've a little bit more work to do.
the only thing I'm having trouble with is the AOL files came as a bundle deal with the computer,but was never used.I have 5 files in my search engine

What are the names of the files? Eg: Filename.exe

Did Combofix ask you about submitting files for further analysis? If so, did you receive a message saying whether it was successful or not?

Using windows explore by right-clicking the start button and left clicking Explore, navigate to C:\Qoobox\Quarantine\ and see if there is a .zip file present named [4]-Submit_Date_Time.zip (where [4]-Submit_Date_Time is the date and time of the upload eg: [4]-Submit_2009-08-18_1645.zip) If it is there, please inform me of this.

COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    Registry:: 
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJYsrrS]
    
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

  • Please post the Kaspersky log in your next reply along with:
  • The 5 AOL filenames
  • Combofix log.
  • Information for the zipped file.
  • A fresh HijackThis log
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Is ipfw kernel mode driver in device manager a legit item

Unread postby lilliejane » August 21st, 2009, 9:29 pm

ComboFix 09-08-19.0C - HP_Owner 08/20/2009 15:00.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.759.348 [GMT -4:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-07-20 to 2009-08-20 )))))))))))))))))))))))))))))))
.

2009-08-19 16:29 . 2009-08-19 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-08-13 07:01 . 2009-08-13 07:01 -------- d-----w- c:\windows\ServicePackFiles
2009-08-10 12:39 . 2009-08-10 12:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-10 12:37 . 2009-08-10 12:37 152576 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-08 14:21 . 2009-08-08 14:21 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
2009-08-08 14:21 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 14:21 . 2009-08-08 14:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 14:21 . 2009-08-08 14:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-08 14:21 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-04 21:33 . 2009-08-05 00:41 -------- dc-h--w- c:\documents and settings\All Users\Application Data\~0
2009-08-04 21:33 . 2009-07-08 17:28 2920112 -c----w- c:\documents and settings\All Users\Application Data\~0\Ad-AwareAE.exe
2009-08-03 16:32 . 2009-08-03 16:33 -------- d-----w- c:\program files\Windows Defender
2009-08-03 01:15 . 2009-08-03 01:15 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-08-03 01:15 . 2009-08-03 01:15 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-08-03 00:48 . 2009-08-03 00:48 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-02 12:51 . 2009-08-02 12:51 -------- d-----w- c:\program files\Trend Micro
2009-07-31 18:57 . 2009-08-03 00:46 -------- d--h--w- c:\documents and settings\HP_Owner\Recent(2)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-20 18:13 . 2007-06-17 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-19 20:00 . 2009-05-15 19:45 117760 ----a-w- c:\documents and settings\HP_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-19 16:35 . 2006-09-26 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-19 16:25 . 2005-03-02 16:15 -------- d-----w- c:\program files\Common Files\AOL
2009-08-18 21:37 . 2004-08-12 04:27 -------- d-----w- c:\program files\Easy Internet signup
2009-08-17 00:37 . 2006-11-10 21:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-11 15:57 . 2006-10-11 15:48 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-11 14:01 . 2007-04-30 21:25 -------- d-----w- c:\program files\CCleaner
2009-08-10 12:39 . 2004-08-12 02:36 -------- d-----w- c:\program files\Java
2009-08-07 13:55 . 2008-06-11 15:31 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-05 09:11 . 2004-09-07 00:20 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:40 . 2008-06-10 20:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-04 20:47 . 2008-06-10 20:52 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-03 01:15 . 2008-10-28 19:33 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-07-18 16:20 . 2004-09-07 00:21 1506304 ----a-w- c:\windows\system32\shdocvw(2)(3).dll
2009-07-17 18:55 . 2004-09-07 00:56 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-09-07 00:22 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-05 07:01 . 2009-07-05 07:01 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-05 07:01 . 2009-07-05 07:01 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-26 16:18 . 2004-09-07 00:22 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-09-07 00:22 659456 ----a-w- c:\windows\system32\wininet(2)(3).dll
2009-06-26 16:18 . 2004-09-07 00:22 616448 ----a-w- c:\windows\system32\urlmon(2)(3).dll
2009-06-26 16:18 . 2004-09-07 00:21 474112 ----a-w- c:\windows\system32\shlwapi(2)(3).dll
2009-06-26 16:18 . 2004-09-07 00:20 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 08:44 . 2004-09-07 00:22 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2004-09-07 00:21 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 2004-09-07 00:21 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:44 . 2004-09-07 00:20 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:44 . 2004-09-07 00:20 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2004-09-07 00:20 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-22 11:34 . 2004-08-12 00:59 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-20 12:38 . 2008-06-11 15:31 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-16 14:55 . 2004-09-07 00:22 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2004-09-07 00:20 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 11:50 . 2004-08-12 00:59 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2004-09-07 00:56 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2004-09-07 00:22 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-06 23:07 . 2005-01-23 00:57 886 -c--a-w- c:\windows\EntPack.dat
2009-06-05 07:42 . 2004-09-07 00:20 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2004-09-07 00:21 1290752 ----a-w- c:\windows\system32\quartz.dll
2006-06-27 02:06 . 2006-06-27 02:06 793602 -c--a-w- c:\program files\ntbackup.msi
2005-09-05 18:58 . 2005-09-05 18:58 4096 -csha-w- c:\program files\Common Files\Thumbs.db
2005-05-23 16:54 . 2005-05-23 16:54 0 -csha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-08-17_18.08.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-19 16:29 . 2009-08-19 16:29 16384 c:\windows\Temp\Perflib_Perfdata_104.dat
+ 2009-08-19 00:44 . 2009-08-19 00:44 88589 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-07-18 03:12 . 2009-07-18 03:12 257440 c:\windows\system32\Macromed\Flash\FlashUtil10c.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-10 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-08 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-08 659456]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-08-12 98304]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-22 185896]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-03-04 88209]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 20:28 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-17 12:44 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=c:\windows\pss\SpySubtract.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/11/2008 11:31 AM 335752]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/11/2008 11:31 AM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/3/2008 2:07 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 2:07 PM 55024]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/3/2008 12:26 PM 907032]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/3/2008 12:26 PM 298776]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/3/2008 2:07 PM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-08-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-17 07:53]

2009-08-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{E8A5FFE5-52DF-4399-934C-02EB1D33310A} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-20 15:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2436583772-3335135597-2161376037-1009\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3744)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-08-20 15:08
ComboFix-quarantined-files.txt 2009-08-20 19:08
ComboFix2.txt 2009-08-18 20:45
ComboFix3.txt 2009-08-17 18:14

Pre-Run: 21,000,949,760 bytes free
Post-Run: 20,958,601,216 bytes free

Current=1 Default=1 Failed=4 LastKnownGood=2 Sets=,1,2,3,4
213 --- E O F --- 2009-08-20 14:22


KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, August 21, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, August 21, 2009 09:59:45
Records in database: 2669597


Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases no

Scan area My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics
Objects scanned 79353
Threats found 0
Infected objects found 0
Suspicious objects found 0
Scan duration 02:51:51

No threats found. Scanned area is clean.
Selected area has been scanned.


There are no zip files......only catchme log,catchme.txt, registry backups

5 files are.... AOL (doc.& settings)all users-application data.KBD
AOL.dll ( C:\hp\common files
AOL ( C;\program files
F1308_hpqaol08.exe 869B68 .............2 files ( Quickprojects.cab)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:28:51 PM, on 8/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 6927 bytes
lilliejane
Regular Member
 
Posts: 20
Joined: August 11th, 2009, 4:19 pm

Re: Is ipfw kernel mode driver in device manager a legit item

Unread postby lilliejane » August 21st, 2009, 9:30 pm

ComboFix 09-08-19.0C - HP_Owner 08/20/2009 15:00.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.759.348 [GMT -4:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-07-20 to 2009-08-20 )))))))))))))))))))))))))))))))
.

2009-08-19 16:29 . 2009-08-19 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-08-13 07:01 . 2009-08-13 07:01 -------- d-----w- c:\windows\ServicePackFiles
2009-08-10 12:39 . 2009-08-10 12:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-10 12:37 . 2009-08-10 12:37 152576 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-08 14:21 . 2009-08-08 14:21 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
2009-08-08 14:21 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 14:21 . 2009-08-08 14:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 14:21 . 2009-08-08 14:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-08 14:21 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-04 21:33 . 2009-08-05 00:41 -------- dc-h--w- c:\documents and settings\All Users\Application Data\~0
2009-08-04 21:33 . 2009-07-08 17:28 2920112 -c----w- c:\documents and settings\All Users\Application Data\~0\Ad-AwareAE.exe
2009-08-03 16:32 . 2009-08-03 16:33 -------- d-----w- c:\program files\Windows Defender
2009-08-03 01:15 . 2009-08-03 01:15 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-08-03 01:15 . 2009-08-03 01:15 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-08-03 00:48 . 2009-08-03 00:48 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-02 12:51 . 2009-08-02 12:51 -------- d-----w- c:\program files\Trend Micro
2009-07-31 18:57 . 2009-08-03 00:46 -------- d--h--w- c:\documents and settings\HP_Owner\Recent(2)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-20 18:13 . 2007-06-17 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-19 20:00 . 2009-05-15 19:45 117760 ----a-w- c:\documents and settings\HP_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-19 16:35 . 2006-09-26 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-19 16:25 . 2005-03-02 16:15 -------- d-----w- c:\program files\Common Files\AOL
2009-08-18 21:37 . 2004-08-12 04:27 -------- d-----w- c:\program files\Easy Internet signup
2009-08-17 00:37 . 2006-11-10 21:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-11 15:57 . 2006-10-11 15:48 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-11 14:01 . 2007-04-30 21:25 -------- d-----w- c:\program files\CCleaner
2009-08-10 12:39 . 2004-08-12 02:36 -------- d-----w- c:\program files\Java
2009-08-07 13:55 . 2008-06-11 15:31 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-05 09:11 . 2004-09-07 00:20 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:40 . 2008-06-10 20:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-04 20:47 . 2008-06-10 20:52 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-03 01:15 . 2008-10-28 19:33 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-07-18 16:20 . 2004-09-07 00:21 1506304 ----a-w- c:\windows\system32\shdocvw(2)(3).dll
2009-07-17 18:55 . 2004-09-07 00:56 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-09-07 00:22 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-05 07:01 . 2009-07-05 07:01 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-05 07:01 . 2009-07-05 07:01 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-26 16:18 . 2004-09-07 00:22 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-09-07 00:22 659456 ----a-w- c:\windows\system32\wininet(2)(3).dll
2009-06-26 16:18 . 2004-09-07 00:22 616448 ----a-w- c:\windows\system32\urlmon(2)(3).dll
2009-06-26 16:18 . 2004-09-07 00:21 474112 ----a-w- c:\windows\system32\shlwapi(2)(3).dll
2009-06-26 16:18 . 2004-09-07 00:20 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 08:44 . 2004-09-07 00:22 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2004-09-07 00:21 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 2004-09-07 00:21 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:44 . 2004-09-07 00:20 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:44 . 2004-09-07 00:20 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2004-09-07 00:20 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-22 11:34 . 2004-08-12 00:59 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-20 12:38 . 2008-06-11 15:31 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-16 14:55 . 2004-09-07 00:22 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2004-09-07 00:20 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 11:50 . 2004-08-12 00:59 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2004-09-07 00:56 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2004-09-07 00:22 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-06 23:07 . 2005-01-23 00:57 886 -c--a-w- c:\windows\EntPack.dat
2009-06-05 07:42 . 2004-09-07 00:20 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2004-09-07 00:21 1290752 ----a-w- c:\windows\system32\quartz.dll
2006-06-27 02:06 . 2006-06-27 02:06 793602 -c--a-w- c:\program files\ntbackup.msi
2005-09-05 18:58 . 2005-09-05 18:58 4096 -csha-w- c:\program files\Common Files\Thumbs.db
2005-05-23 16:54 . 2005-05-23 16:54 0 -csha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-08-17_18.08.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-19 16:29 . 2009-08-19 16:29 16384 c:\windows\Temp\Perflib_Perfdata_104.dat
+ 2009-08-19 00:44 . 2009-08-19 00:44 88589 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-07-18 03:12 . 2009-07-18 03:12 257440 c:\windows\system32\Macromed\Flash\FlashUtil10c.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-10 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-08 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-08 659456]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-08-12 98304]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-22 185896]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-03-04 88209]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 20:28 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-17 12:44 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=c:\windows\pss\SpySubtract.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/11/2008 11:31 AM 335752]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/11/2008 11:31 AM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/3/2008 2:07 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 2:07 PM 55024]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/3/2008 12:26 PM 907032]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/3/2008 12:26 PM 298776]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/3/2008 2:07 PM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-08-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-17 07:53]

2009-08-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{E8A5FFE5-52DF-4399-934C-02EB1D33310A} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-20 15:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2436583772-3335135597-2161376037-1009\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3744)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-08-20 15:08
ComboFix-quarantined-files.txt 2009-08-20 19:08
ComboFix2.txt 2009-08-18 20:45
ComboFix3.txt 2009-08-17 18:14

Pre-Run: 21,000,949,760 bytes free
Post-Run: 20,958,601,216 bytes free

Current=1 Default=1 Failed=4 LastKnownGood=2 Sets=,1,2,3,4
213 --- E O F --- 2009-08-20 14:22


KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, August 21, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, August 21, 2009 09:59:45
Records in database: 2669597


Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases no

Scan area My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics
Objects scanned 79353
Threats found 0
Infected objects found 0
Suspicious objects found 0
Scan duration 02:51:51

No threats found. Scanned area is clean.
Selected area has been scanned.


There are no zip files......only catchme log,catchme.txt, registry backups

5 files are.... AOL (doc.& settings)all users-application data.KBD
AOL.dll ( C:\hp\common files
AOL ( C;\program files
F1308_hpqaol08.exe 869B68 .............2 files ( Quickprojects.cab)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:28:51 PM, on 8/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 6927 bytes
lilliejane
Regular Member
 
Posts: 20
Joined: August 11th, 2009, 4:19 pm

Re: Is ipfw kernel mode driver in device manager a legit item

Unread postby melboy » August 22nd, 2009, 1:35 pm

Hi Lillijane :)

Why do you want to remove AOL? Is it no longer your ISP?

Can you be more specific please with the exact filenames and filepaths of the files.

EG:
C:\Program Files\AOL
C:\Documents and Settings\All Users\Application Data\KBD
etc...

Thanks. :)

Search For a File
  • Click Start
  • Click on Search
  • Click on All files and folders
  • Expand More advanced options, check Search system folders, Search hidden files and folders, and Search Subfolders
  • Copy and Paste the following into the All or part of the file name box:

C:\WINDOWS\warnhp.html

If this file is found please inform me.

Update Adobe Acrobat Reader
Your Adobe Acrobat Reader is out of date.
Older versions may have vulnerabilities that malware can use to infect your system.
Please download Adobe Reader 9.1 to your PC's desktop.
  • Uninstall Adobe(Acrobat) Reader via Start > Control Panel > Add/Remove Programs
    • Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    • Adobe Reader 8.1.2
  • Install the new downloaded updated software.

Uninstall Programs
  • click on start
  • Click on control panel
  • Double click the icon add/remove programs
  • click on the program below and click Remove
    Java 2 Runtime Environment, SE v1.4.2_03


Please post back with:
  1. Information about the file warnhp.html
  2. Information about AOL & the 5 files
  3. a fresh HJT log
  4. a description of how the computer is running now.
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Is ipfw kernel mode driver in device manager a legit item

Unread postby lilliejane » August 22nd, 2009, 8:42 pm

No file warnhp.html found with search engine.

AOL was never my ISP it was a bundle deal with my computer,but never was used.I don't have to remove the files,I just thought it might be something bad.If you say leave them alone I will.
AOL\common files\ACS under that is acsd.exe,AcsInstall.dll,acssetup.exe
AOL\documents&settings\all users\applicationdata\KBD

My computer is running great no problems........

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:48 PM, on 8/22/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {E8A5FFE5-52DF-4399-934C-02EB1D33310A} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: mlJYsrrS - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 7064 bytes
lilliejane
Regular Member
 
Posts: 20
Joined: August 11th, 2009, 4:19 pm

Re: Is ipfw kernel mode driver in device manager a legit item

Unread postby melboy » August 23rd, 2009, 4:13 pm

Hi lillijane :)

No file warnhp.html found with search engine.
That's great.

With regards to the AOL files, it's a problem with a lot of programs that uninstaller's leave "leftovers". If the AOL files are proving difficult to delete then I would leave them. They aren't malicious in any way.

Please make sure Spybot S&D is disabled also, before disabling the following protection programs. All these programs are interfering with my fix and some baddies are coming back.
Do not re-enable them untill I let you know you are clean.

Disable Windows Defender

From your log i can see this that you are running a Windows Defender. This might interfere with fixes we are about to do so we need to disable it. To disable your Windows Defender Real-time Protection.

  • Open Windows Defender
  • Click Tools
  • Click General Settings
  • Scroll down to Real Time Protection Options
  • Uncheck Turn on Real Time Protection (recommended)
  • Close Windows Defender

Disable SUPERAntiSpyware

From your log i can see this that you are running a SuperAntispyware. This might interfere with fixes we are about to do so we need to disable it.
  • Right-click on the shortcut from the system tray
  • Choose View Control Center (preferences/options)
  • On the General and Startup tab
  • Under Start-Up Options, Uncheck Start SUPERAntispyware when Windows starts
  • Click Close to exit
  • Again, Right-click on the shortcut from the system tray
  • Click exit. If you are prompted "Are you sure you want to exit" click OK.

Disable AVG8
  • Open AVG8 Control Center, by right clicking on AVG8 icon on task bar.
  • Click on Tools.
  • Select Advanced.
  • In the left hand pane, scroll down to Resident Shield.
  • In the main pane, deselect the option to Enable Resident Shield.


Fix HijackThis entries
  • Run HijackThis
  • Click on the do a system scan only button
  • Put a check beside all of the items listed below (if present):

      O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} -

  • Close all open windows and browsers/email etc...
  • Click on the Fix Checked button
  • When completed close the application.


COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    Registry:: 
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E8A5FFE5-52DF-4399-934C-02EB1D33310A}]
    
    [-HKEY_CLASSES_ROOT\CLSID\{E8A5FFE5-52DF-4399-934C-02EB1D33310A}]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJYsrrS]
    
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

In your next reply:
  1. Combofix log
  2. A fresh HJT log
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Is ipfw kernel mode driver in device manager a legit item

Unread postby lilliejane » August 23rd, 2009, 5:21 pm

ComboFix 09-08-22.06 - HP_Owner 08/23/2009 17:09.4.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.759.317 [GMT -4:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-07-23 to 2009-08-23 )))))))))))))))))))))))))))))))
.

2009-08-19 16:29 . 2009-08-19 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-08-13 07:01 . 2009-08-13 07:01 -------- d-----w- c:\windows\ServicePackFiles
2009-08-10 12:39 . 2009-08-10 12:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-10 12:37 . 2009-08-10 12:37 152576 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-08 14:21 . 2009-08-08 14:21 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
2009-08-08 14:21 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 14:21 . 2009-08-08 14:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 14:21 . 2009-08-08 14:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-08 14:21 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-04 21:33 . 2009-08-05 00:41 -------- dc-h--w- c:\documents and settings\All Users\Application Data\~0
2009-08-04 21:33 . 2009-07-08 17:28 2920112 -c----w- c:\documents and settings\All Users\Application Data\~0\Ad-AwareAE.exe
2009-08-03 16:32 . 2009-08-03 16:33 -------- d-----w- c:\program files\Windows Defender
2009-08-03 01:15 . 2009-08-03 01:15 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-08-03 01:15 . 2009-08-03 01:15 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-08-03 00:48 . 2009-08-03 00:48 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-02 12:51 . 2009-08-02 12:51 -------- d-----w- c:\program files\Trend Micro
2009-07-31 18:57 . 2009-08-03 00:46 -------- d--h--w- c:\documents and settings\HP_Owner\Recent(2)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-23 20:55 . 2009-05-15 19:45 117760 ----a-w- c:\documents and settings\HP_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-23 20:48 . 2006-09-26 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-22 20:15 . 2007-06-17 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-22 19:48 . 2005-02-15 18:38 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-19 16:25 . 2005-03-02 16:15 -------- d-----w- c:\program files\Common Files\AOL
2009-08-18 21:37 . 2004-08-12 04:27 -------- d-----w- c:\program files\Easy Internet signup
2009-08-17 00:37 . 2006-11-10 21:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-11 15:57 . 2006-10-11 15:48 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-11 14:01 . 2007-04-30 21:25 -------- d-----w- c:\program files\CCleaner
2009-08-10 12:39 . 2004-08-12 02:36 -------- d-----w- c:\program files\Java
2009-08-07 13:55 . 2008-06-11 15:31 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-05 09:11 . 2004-09-07 00:20 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 20:47 . 2008-06-10 20:52 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-03 01:15 . 2008-10-28 19:33 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-07-18 16:20 . 2004-09-07 00:21 1506304 ----a-w- c:\windows\system32\shdocvw(2)(3).dll
2009-07-17 18:55 . 2004-09-07 00:56 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-09-07 00:22 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-05 07:01 . 2009-07-05 07:01 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-05 07:01 . 2009-07-05 07:01 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-26 16:18 . 2004-09-07 00:22 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-09-07 00:22 659456 ----a-w- c:\windows\system32\wininet(2)(3).dll
2009-06-26 16:18 . 2004-09-07 00:22 616448 ----a-w- c:\windows\system32\urlmon(2)(3).dll
2009-06-26 16:18 . 2004-09-07 00:21 474112 ----a-w- c:\windows\system32\shlwapi(2)(3).dll
2009-06-26 16:18 . 2004-09-07 00:20 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 08:44 . 2004-09-07 00:22 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2004-09-07 00:21 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 2004-09-07 00:21 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:44 . 2004-09-07 00:20 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:44 . 2004-09-07 00:20 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2004-09-07 00:20 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-22 11:34 . 2004-08-12 00:59 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-20 12:38 . 2008-06-11 15:31 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-16 14:55 . 2004-09-07 00:22 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2004-09-07 00:20 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 11:50 . 2004-08-12 00:59 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2004-09-07 00:56 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2004-09-07 00:22 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-06 23:07 . 2005-01-23 00:57 886 -c--a-w- c:\windows\EntPack.dat
2009-06-05 07:42 . 2004-09-07 00:20 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2004-09-07 00:21 1290752 ----a-w- c:\windows\system32\quartz.dll
2006-06-27 02:06 . 2006-06-27 02:06 793602 -c--a-w- c:\program files\ntbackup.msi
2005-09-05 18:58 . 2005-09-05 18:58 4096 -csha-w- c:\program files\Common Files\Thumbs.db
2005-05-23 16:54 . 2005-05-23 16:54 0 -csha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-08-17_18.08.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-22 21:10 . 2009-08-22 21:10 16384 c:\windows\Temp\Perflib_Perfdata_ec.dat
+ 2009-08-19 00:44 . 2009-08-19 00:44 88589 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-07-18 03:12 . 2009-07-18 03:12 257440 c:\windows\system32\Macromed\Flash\FlashUtil10c.exe
+ 2009-08-22 19:49 . 2009-08-22 19:49 3938816 c:\windows\Installer\10277674.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-08 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-08 659456]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-08-12 98304]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-22 185896]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-03-04 88209]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 20:28 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-17 12:44 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=c:\windows\pss\SpySubtract.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/11/2008 11:31 AM 335752]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/11/2008 11:31 AM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/3/2008 2:07 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 2:07 PM 55024]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/3/2008 12:26 PM 907032]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/3/2008 12:26 PM 298776]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/3/2008 2:07 PM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-08-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-17 07:53]

2009-08-23 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-23 17:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2436583772-3335135597-2161376037-1009\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3736)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-08-23 17:17
ComboFix-quarantined-files.txt 2009-08-23 21:17
ComboFix2.txt 2009-08-20 19:08
ComboFix3.txt 2009-08-18 20:45
ComboFix4.txt 2009-08-17 18:14

Pre-Run: 21,181,304,832 bytes free
Post-Run: 21,195,198,464 bytes free

208 --- E O F --- 2009-08-20 14:22


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:19:35 PM, on 8/23/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 6521 bytes
lilliejane
Regular Member
 
Posts: 20
Joined: August 11th, 2009, 4:19 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 28 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware