Bjorn,
Attached is the Combofix log followed by the new HJT log:
ComboFix 09-02-15.01 - HP_Owner 2009-02-17 16:50:32.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.958.667 [GMT -5:00]
Running from: K:\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\HP_Owner\reader_s.exe
c:\program files\system\smss.exe
c:\program files\system\smss.exe.assembly
c:\windows\IE4 Error Log.txt
c:\windows\system32\3.tmp
c:\windows\system32\5.tmp
c:\windows\system32\8.tmp
c:\windows\system32\9.tmp
c:\windows\system32\C.tmp
c:\windows\system32\drivers\ntndis.sys
c:\windows\system32\E.tmp
c:\windows\system32\reader_s.exe
D:\Autorun.inf
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\svchost.exe . . . is infected!!
c:\windows\system32\spoolsv.exe . . . is infected!!
c:\windows\explorer.exe . . . is infected!!
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_Passthru
-------\Service_restore
((((((((((((((((((((((((( Files Created from 2009-01-17 to 2009-02-17 )))))))))))))))))))))))))))))))
.
2009-02-17 16:20 . 2005-02-24 22:35 22,752 --a------ c:\windows\system32\spupdsvc.exe
2009-02-14 14:31 . 2009-02-14 14:31 163,812 --a------ c:\windows\system32\2D.tmp
2009-02-14 14:31 . 2009-02-14 14:31 132 --a------ c:\windows\system32\2C.tmp
2009-02-14 14:12 . 2009-02-14 14:12 249,856 --a------ c:\windows\system32\pdfmona.dll
2009-02-14 14:12 . 2009-02-14 14:12 51,716 --a------ c:\windows\system32\pdf995mon.dll
2009-02-14 14:09 . 2009-02-14 14:12 163,812 --a------ c:\windows\system32\17.tmp
2009-02-14 14:09 . 2009-02-14 14:09 132 --a------ c:\windows\system32\16.tmp
2009-02-14 14:07 . 2009-02-14 14:08 110,080 --------- c:\windows\system32\58.tmp
2009-02-14 14:07 . 2009-02-14 14:07 0 --a------ c:\windows\system32\57.tmp
2009-02-14 14:04 . 2009-02-14 14:07 163,812 --a------ c:\windows\system32\56.tmp
2009-02-14 14:04 . 2009-02-14 14:04 132 --a------ c:\windows\system32\55.tmp
2009-02-14 13:26 . 2004-08-03 23:07 59,264 --a------ c:\windows\system32\drivers\USBAUDIO.sys
2009-02-14 13:26 . 2004-08-03 23:08 31,616 --a------ c:\windows\system32\drivers\usbccgp.sys
2009-02-14 13:26 . 2001-08-17 14:02 9,600 --a------ c:\windows\system32\drivers\hidusb.sys
2009-02-14 13:22 . 2009-02-14 13:25 162,916 --a------ c:\windows\system32\15.tmp
2009-02-14 13:22 . 2009-02-14 13:22 132 --a------ c:\windows\system32\14.tmp
2009-02-14 13:17 . 2009-02-14 13:20 162,916 --a------ c:\windows\system32\13.tmp
2009-02-14 13:17 . 2009-02-14 13:17 132 --a------ c:\windows\system32\6.tmp
2009-02-14 11:41 . 2009-02-14 11:41 164,292 --a------ c:\windows\system32\22.tmp
2009-02-14 11:41 . 2009-02-14 11:41 132 --a------ c:\windows\system32\21.tmp
2009-02-14 11:27 . 2009-02-14 11:30 164,292 --a------ c:\windows\system32\12.tmp
2009-02-14 11:27 . 2009-02-14 11:27 132 --a------ c:\windows\system32\11.tmp
2009-02-14 11:23 . 2009-02-14 11:25 164,292 --a------ c:\windows\system32\10.tmp
2009-02-14 11:23 . 2009-02-14 11:23 132 --a------ c:\windows\system32\F.tmp
2009-02-14 10:30 . 2009-02-14 09:51 94,208 --a------ c:\windows\DUMP757e.tmp
2009-02-14 10:30 . 2009-02-14 15:47 94,208 --a------ c:\windows\DUMP6e0b.tmp
2009-02-14 10:30 . 2009-02-14 10:07 94,208 --a------ c:\windows\DUMP5beb.tmp
2009-02-14 10:12 . 2009-02-14 10:12 132 --a------ c:\windows\system32\D.tmp
2009-02-14 10:08 . 2009-02-14 10:24 <DIR> dr-hs---- c:\windows\system32\dllcache
2009-02-14 10:03 . 2009-02-14 10:03 <DIR> d-------- c:\program files\Trend Micro
2009-02-14 09:52 . 2009-02-14 09:52 132 --a------ c:\windows\system32\4.tmp
2009-02-14 09:52 . 2009-02-14 09:52 0 --a------ c:\windows\system32\B.tmp
2009-02-14 09:47 . 2009-02-14 09:47 132 --a------ c:\windows\system32\2.tmp
2009-02-14 09:24 . 2009-02-14 09:24 132 --a------ c:\windows\system32\7.tmp
2009-02-14 09:24 . 2009-02-14 09:24 0 --a------ c:\windows\system32\A.tmp
2009-02-14 08:52 . 2009-02-14 08:52 163,396 --a------ c:\windows\system32\91.tmp
2009-02-14 08:52 . 2009-02-14 08:52 31,744 --ah----- c:\documents and settings\HP_Owner\sijmdb.exe
2009-02-14 08:52 . 2009-02-14 08:52 132 --a------ c:\windows\system32\90.tmp
2009-02-14 08:50 . 2009-02-14 14:07 137,952 --a------ c:\windows\system32\drivers\ethrytcl.sys
2009-02-14 08:50 . 2009-02-14 08:52 67,072 ---h----- c:\windows\system32\secupdat.dat
2009-02-14 08:50 . 2009-02-14 08:50 11,264 --ah----- c:\documents and settings\HP_Owner\sblwjsh.exe
2009-02-14 08:48 . 2004-08-04 07:00 221,184 --a------ c:\windows\system32\wmpns.dll
2009-02-14 08:48 . 2009-02-14 08:50 163,396 --a------ c:\windows\system32\80.tmp
2009-02-14 08:48 . 2009-02-14 08:48 1,838 -rahs---- c:\windows\system32\drivers\103C_HP_CPC_PX748AA-ABA A1114N_YC_0Pavi_QMXK533_E53NAheBLU3_47_IALBACORE_SMSI_V1.0_B3.31_T050801_WXH2_L409_M959_J160_7AMD_8Athlon 64_92.19_#050910_N10EC8139_Z11C1048C_G10025954.MRK
2009-02-14 08:47 . 2005-06-16 21:45 <DIR> d-------- c:\documents and settings\HP_Owner\WINDOWS
2009-02-14 08:47 . 2009-02-14 08:49 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\Symantec
2009-02-14 08:47 . 2005-06-16 21:58 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\SampleView
2009-02-14 08:47 . 2005-06-16 22:03 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\InterMute
2009-02-14 08:47 . 2005-06-16 21:45 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\Apple Computer
2009-02-14 08:47 . 2009-02-17 16:52 <DIR> d-------- c:\documents and settings\HP_Owner
2009-02-14 08:47 . 2009-02-14 08:48 132 --a------ c:\windows\system32\7F.tmp
2009-02-14 08:45 . 2005-06-16 21:45 <DIR> d-------- c:\windows\system32\config\systemprofile\WINDOWS
2009-02-14 08:45 . 2005-06-16 22:06 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\Symantec
2009-02-14 08:45 . 2005-06-16 21:58 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\SampleView
2009-02-14 08:45 . 2005-06-16 22:03 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\InterMute
2009-02-14 08:45 . 2005-06-16 21:45 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\Apple Computer
2009-02-14 08:44 . 2009-02-14 08:44 81,853 --a------ c:\windows\system32\C5.tmp
2009-02-14 08:44 . 2009-02-14 08:44 132 --a------ c:\windows\system32\C4.tmp
2009-02-13 23:23 . 2009-02-14 13:33 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\mjusbsp
2009-02-12 12:14 . 2009-02-12 12:14 <DIR> d-------- c:\program files\Opera
2009-02-12 12:14 . 2009-02-12 12:14 55,809 --a------ c:\windows\services.ex_
2009-02-12 10:47 . 2009-02-12 10:47 32,256 --ah----- c:\documents and settings\HP_Owner\klk.exe
2009-02-12 10:15 . 2009-02-12 10:15 11,264 --ah----- c:\documents and settings\HP_Owner\gcfa.exe
2009-02-12 09:17 . 2009-02-12 09:17 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-12 09:17 . 2009-02-12 09:17 1,409 --a------ c:\windows\QTFont.for
2009-02-12 08:59 . 2009-02-12 08:59 <DIR> d-------- c:\program files\Plaxo
2009-02-12 08:46 . 2009-02-12 12:11 94,208 --a------ c:\windows\DUMP7dbb.tmp
2009-02-12 07:45 . 2009-02-12 07:45 32,256 --ah----- c:\documents and settings\HP_Owner\xhkgeki.exe
2009-02-12 07:28 . 2009-02-12 07:28 6 --a------ c:\windows\_id.dat
2009-02-12 07:11 . 2009-02-12 07:11 11,264 --ah----- c:\documents and settings\HP_Owner\clj.exe
2009-02-12 07:09 . 2009-02-12 07:09 32,256 --ah----- c:\documents and settings\HP_Owner\rus.exe
2009-02-12 07:09 . 2009-02-12 11:52 130 --a------ c:\windows\adobe.bat
2009-02-10 18:05 . 2009-02-10 18:05 <DIR> d-------- c:\documents and settings\Rick Adams.YOUR-F78BF48CE2\Application Data\PC Tools
2009-02-10 17:42 . 2009-02-10 17:42 32,256 --ah----- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.001\vjwrq.exe
2009-02-10 17:32 . 2009-02-10 17:32 32,256 --ah----- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.001\eouq.exe
2009-02-10 15:18 . 2009-02-10 15:18 398,340 --a------ c:\windows\sysguard.exe
2009-02-10 15:17 . 2009-02-17 16:50 <DIR> d-------- c:\program files\system
2009-02-10 15:17 . 2009-02-10 15:17 102,912 --a------ C:\wskrote.exe
2009-02-10 15:17 . 2009-02-10 15:17 39,936 --a------ C:\xxweksc.exe
2009-02-10 15:17 . 2009-02-10 15:17 28,672 --a------ C:\jxnx.exe
2009-02-10 15:17 . 2009-02-10 15:17 22,016 --a------ C:\jwfmld.exe
2009-02-10 15:17 . 2009-02-10 15:17 2 --a------ C:\-589827600
2009-02-09 23:09 . 2009-02-09 23:09 <DIR> d-------- c:\temp\sTMP3
2009-02-06 20:39 . 2009-02-07 21:24 <DIR> d-------- c:\program files\LimeWire
2009-02-06 20:39 . 2009-02-07 21:34 <DIR> d-------- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.001\Application Data\LimeWire
2009-02-05 13:35 . 2009-02-05 13:35 <DIR> d-------- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.001\Application Data\OpenOffice.org
2009-02-05 13:33 . 2009-02-05 13:33 <DIR> d-------- c:\program files\OpenOffice.org 3
2009-02-05 13:33 . 2009-02-05 13:33 <DIR> d-------- c:\program files\JRE
2009-02-03 12:05 . 2009-02-06 15:05 <DIR> d-------- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.001\Application Data\AdobeUM
2009-02-03 10:47 . 2009-02-03 10:47 <DIR> d---s---- c:\documents and settings\Rick Adams.YOUR-F78BF48CE2\UserData
2009-01-31 08:41 . 2009-01-31 08:46 <DIR> d-------- c:\program files\MSECache
2009-01-28 15:32 . 2009-01-28 15:32 <DIR> d-------- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.001\Application Data\PC Tools
2009-01-28 15:26 . 2009-02-10 17:11 929 --a------ c:\windows\wininit.ini
2009-01-28 14:56 . 2009-01-28 14:56 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-28 14:56 . 2009-01-28 15:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-28 12:11 . 2005-06-16 22:03 <DIR> d-------- c:\documents and settings\Administrator.YOUR-F78BF48CE2\Application Data\InterMute
2009-01-28 12:11 . 2009-01-28 12:16 <DIR> d---s---- c:\documents and settings\Administrator.YOUR-F78BF48CE2
2009-01-26 15:28 . 2009-02-10 17:27 <DIR> d-------- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.001\Application Data\skypePM
2009-01-26 15:06 . 2009-02-10 17:27 <DIR> d-------- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.001\Application Data\Skype
2009-01-26 12:08 . 2009-01-26 12:08 <DIR> d-------- c:\documents and settings\Rick Adams.YOUR-F78BF48CE2\Application Data\Yahoo!
2009-01-26 12:06 . 2005-06-16 22:03 <DIR> d-------- c:\documents and settings\Rick Adams.YOUR-F78BF48CE2\Application Data\InterMute
2009-01-26 12:06 . 2005-06-16 21:45 <DIR> d-------- c:\documents and settings\Rick Adams.YOUR-F78BF48CE2\Application Data\Apple Computer
2009-01-26 12:05 . 2005-06-16 21:45 <DIR> d-------- c:\documents and settings\Rick Adams.YOUR-F78BF48CE2\WINDOWS
2009-01-26 12:05 . 2005-06-16 22:06 <DIR> d-------- c:\documents and settings\Rick Adams.YOUR-F78BF48CE2\Application Data\Symantec
2009-01-26 12:05 . 2005-06-16 21:58 <DIR> d-------- c:\documents and settings\Rick Adams.YOUR-F78BF48CE2\Application Data\SampleView
2009-01-26 12:05 . 2009-02-03 11:43 <DIR> d-------- c:\documents and settings\Rick Adams.YOUR-F78BF48CE2
2009-01-26 11:46 . 2009-01-26 11:46 <DIR> d-------- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.001\Application Data\Microsoft Web Folders
2009-01-26 11:34 . 2009-01-26 11:34 <DIR> d-------- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.001\Application Data\Yahoo!
2009-01-26 11:31 . 2005-06-16 21:45 <DIR> d-------- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.001\WINDOWS
2009-01-26 11:31 . 2005-06-16 22:06 <DIR> d-------- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.001\Application Data\Symantec
2009-01-26 11:31 . 2005-06-16 21:58 <DIR> d-------- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.001\Application Data\SampleView
2009-01-26 11:31 . 2005-06-16 22:03 <DIR> d-------- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.001\Application Data\InterMute
2009-01-26 11:31 . 2005-06-16 21:45 <DIR> d-------- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.001\Application Data\Apple Computer
2009-01-26 11:31 . 2009-02-10 17:42 <DIR> d-------- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.001
2009-01-26 08:54 . 2009-02-14 10:22 <DIR> dr-h----- C:\MSOCache
2009-01-26 08:41 . 2009-01-26 08:41 <DIR> d-------- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.000\Application Data\skypePM
2009-01-26 08:25 . 2006-12-28 14:01 19,569 --a------ c:\windows\005144_.tmp
2009-01-26 08:25 . 2006-12-28 14:01 19,569 --a------ c:\windows\005126_.tmp
2009-01-26 08:25 . 2006-12-28 14:01 19,569 --a------ c:\windows\005099_.tmp
2009-01-26 08:18 . 2009-01-26 11:19 <DIR> d-------- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.000\Application Data\Skype
2009-01-26 08:04 . 2005-06-16 22:03 <DIR> d-------- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.000\Application Data\InterMute
2009-01-26 08:04 . 2009-01-26 11:19 <DIR> d---s---- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.000
2009-01-25 10:41 . 2009-01-25 10:41 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\PC Tools
2009-01-25 10:40 . 2009-02-11 12:13 <DIR> d-------- c:\program files\PC Tools AntiVirus
2009-01-25 10:40 . 2009-01-25 10:40 <DIR> d-------- c:\program files\Common Files\PC Tools
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-14 14:16 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-14 14:16 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-02-14 14:03 --------- d-----w c:\program files\Easy Internet signup
2009-02-14 13:51 182,912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-02-11 16:48 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-30 23:45 --------- d-----w c:\program files\CIF USB Camera
2009-01-26 13:08 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-01-26 11:36 --------- d-----w c:\documents and settings\HP_Owner\Application Data\Skype
2009-01-26 09:45 --------- d-----w c:\documents and settings\HP_Owner\Application Data\skypePM
2008-12-26 17:47 --------- d-----w c:\documents and settings\HP_Owner\Application Data\ArcSoft
2008-12-26 08:16 --------- d-----w c:\documents and settings\HP_Owner\Application Data\OpenOffice.org2
2008-12-26 01:11 --------- d-----w c:\program files\Common Files\ArcSoft
2008-12-26 01:11 --------- d-----w c:\program files\ArcSoft
2008-12-18 15:50 --------- d-----w c:\documents and settings\Rick Adams\Application Data\Yahoo!
2008-12-05 03:55 307,560 ----a-w c:\windows\WLXPGSS.SCR
2006-09-07 15:48 0 ----a-w c:\documents and settings\HP_Owner\Application Data\wklnhst.dat
2008-08-06 16:46 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2005-10-01 18:00 22 --sha-w c:\windows\SMINST\HPCD.sys
.
------- Sigcheck -------
2004-08-04 07:00 31232 6183fc0148105ae1a313fe9df9c6928a c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-13 19:12 31232 54168357cb39cc00036bc885b1d8e5bc c:\windows\ServicePackFiles\i386\svchost.exe
2008-04-13 19:12 31232 1be984f0062ddffd1aff4ee3ff2fa096 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe
2008-04-13 19:12 31744 a745a8367019b8463034b5fc4a94e0e0 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\svchost.exe
2004-08-04 07:00 31232 02ca9d38c2e1787e266ca3e4577d8620 c:\windows\system32\svchost.exe
2004-08-04 07:00 31232 93e2e44f9ba702a134cd2e0c95a5bc9e c:\windows\system32\dllcache\svchost.exe
2004-08-04 07:00 182912 558635d3af1c7546d26067d5d9b6959e c:\windows\$NtServicePackUninstall$\ndis.sys
2008-04-13 14:20 182656 1df7f42665c94b825322fae71721130d c:\windows\ServicePackFiles\i386\ndis.sys
2008-04-13 14:20 182656 558635d3af1c7546d26067d5d9b6959e c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys
2008-04-13 14:20 182656 558635d3af1c7546d26067d5d9b6959e c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ndis.sys
2009-02-14 08:51 213376 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\dllcache\ndis.sys
2009-02-14 08:51 213376 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\drivers\ndis.sys
2004-08-04 07:00 1049088 342d471bccb7983bd25a13f8842b43b0 c:\windows\explorer.exe
2007-06-13 06:26 1050112 18960d42702f2894584ee571036a58d6 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 07:00 1049088 5c450e3c7e2c9f733f15d5f70889e5c0 c:\windows\$NtServicePackUninstall$\explorer.exe
2004-08-04 07:00 1049088 e6661d51e826e65dedfde85dcef58a08 c:\windows\$NtUninstallKB938828$\explorer.exe
2008-04-13 19:12 1050624 0d2bfd313fc65abdf876a7391598ae73 c:\windows\ServicePackFiles\i386\explorer.exe
2007-06-13 05:23 1050112 4b8188534d07519917b2ca6b142551e0 c:\windows\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2gdr\explorer.exe
2008-04-13 19:12 1050624 2df9fcf31cd9d41da77d54cd36c7ee74 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
2008-04-13 19:12 1051136 8c8f4369952f2efbd96ad6d1a664a7d2 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\explorer.exe
2004-08-04 07:00 1049088 0b4b9d9a53817494cb7678ff22a5eea1 c:\windows\system32\dllcache\explorer.exe
2004-08-04 07:00 32256 d83607d2345fe060882545fbbbdf03fb c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 19:12 32256 c8d8e34a940137f5eec1867ae75d9e9d c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-13 19:12 32768 306d729049035067f580f8d5e82edca9 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe
2008-04-13 19:12 32256 6f492095dbfd0cf6f13abf8cf1fbd822 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ctfmon.exe
2004-08-04 07:00 32256 2f79d6e72c7ab910cadf0db6ffa9cd29 c:\windows\system32\ctfmon.exe
2004-08-04 07:00 32256 bce9cd27ec6af9fd5604142d4afe0c97 c:\windows\system32\dllcache\ctfmon.exe
2005-06-10 19:17 74752 7ad5bb52bab89eaac15864a619c3d088 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2004-08-04 07:00 74752 a47e01f14e9e3584dfbab8f80b3928f8 c:\windows\$NtServicePackUninstall$\spoolsv.exe
2004-08-04 07:00 74752 553733ffddac9569c3ba8bf72da0f125 c:\windows\$NtUninstallKB896423$\spoolsv.exe
2008-04-13 19:12 74752 57897baef071bdb8832c57213901517b c:\windows\ServicePackFiles\i386\spoolsv.exe
2005-06-10 18:53 74752 c8f7757bb8e8932cd707c51a1a92255b c:\windows\SoftwareDistribution\Download\0fd33c77398fa2b50df56456525ef5c3\sp2gdr\spoolsv.exe
2008-04-13 19:12 75264 4bac22b4e73729c624d6f3b756b46697 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\spoolsv.exe
2008-04-13 19:12 74752 35bccb51631de691040eb70ebd5b9a76 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\spoolsv.exe
2004-08-04 07:00 74752 0ce931be31cf9a5032b28186d750df51 c:\windows\system32\spoolsv.exe
2004-08-04 07:00 74752 c3d5a917640f6fd863c122af05bce3ed c:\windows\system32\dllcache\spoolsv.exe
2004-08-04 07:00 41984 d8d14a52e8371755d902087b3f82a140 c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 19:12 43008 05a5a28fd586596df5698c9ff98182e4 c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-13 19:12 43008 6a12ab42e4352222a0e128c465357491 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
2008-04-13 19:12 43520 97ef782b9d5f1f6a7d4e175cd146c260 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\userinit.exe
2004-08-04 07:00 41472 45b3202c32e32f482f2cb40a9d678d62 c:\windows\system32\userinit.exe
2004-08-04 07:00 41472 fb0b3f0d4c68bd52bd45a28abfd776c8 c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 32256]
"cdloader"="c:\documents and settings\HP_Owner\Application Data\mjusbsp\cdloader2.exe" [2008-12-17 50520]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 266240]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-18 360448]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 274432]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-06-16 200749]
c:\documents and settings\John Dawe.YOUR-F78BF48CE2.001\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 400896]
c:\documents and settings\John Dawe\Start Menu\Programs\Startup\
OpenOffice.org 2.1.lnk - c:\program files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 393216]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-05 278528]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 86068]
Updates from HP.lnk - c:\program files\Updates from HP\309731\Program\Updates from HP.exe [2005-06-16 65536]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rrrywtmw.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Documents and Settings\\HP_Owner\\Application Data\\mjusbsp\\magicJack.exe"=
S0 rrrywtmw;rrrywtmw;c:\windows\system32\Drivers\rrrywtmw.sys --> c:\windows\system32\Drivers\rrrywtmw.sys [?]
S1 ethrytcl;ethrytcl;c:\windows\system32\drivers\ethrytcl.sys [2009-02-14 137952]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\autorun.exe
\Shell\phone\command - K:\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8b8c2d8-fac4-11dd-a0a2-0013d34fbf57}]
\Shell\AutoRun\command - K:\autorun.exe
\Shell\phone\command - K:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder
2009-02-06 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2007-09-18 23:42]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-reader_s - c:\documents and settings\HP_Owner\reader_s.exe
HKLM-Run-reader_s - c:\windows\System32\reader_s.exe
HKU-Default-Run-vxvarubn.exe - c:\windows\vxvarubn.exe
HKU-Default-Run-reader_s - c:\documents and settings\HP_Owner\reader_s.exe
HKU-Default-Run-hdlmtanr.exe - c:\windows\hdlmtanr.exe
HKU-Default-Run-rvhcdrxn.exe - c:\windows\rvhcdrxn.exe
HKU-Default-Run-xlpjwnze.exe - c:\windows\xlpjwnze.exe
HKU-Default-Run-nttlrfop.exe - c:\windows\nttlrfop.exe
HKU-Default-Run-dbhgyskc.exe - c:\windows\dbhgyskc.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-17 17:04:23
Windows 5.1.2600 Service Pack 2 NTFS
detected NTDLL code modification:
ZwOpenFile
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(592)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2009-02-17 17:10:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-17 22:10:02
Pre-Run: 111,326,265,344 bytes free
Post-Run: 114,131,853,312 bytes free
317
***********************************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:45 PM, on 2/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\explorer.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\HP_Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 5372 bytes