hjt log 4/18/09 Need Help ASAP!!!


Re: hjt log 4/18/09 Need Help ASAP!!!

Post by peku006 » April 29th, 2009, 3:54 am

Hi malwarefix2719

Looking good :)
Let's make sure we got everything

1 - F-Secure Online Scan

  • Note: You will need to use Internet Explorer for this scan
  • Go here to run an online scan from F-Secure
  • Click on Start scanning
  • This will open a new Internet Explorer window
  • It will require an ActiveX control, please install it
  • Click Accept
  • Click Full System Scan
  • It will now download the scanner, this may take a while, please be patient
  • It will then start scanning, wait for the scan to finish
  • Click Automatic cleaning (recommended)
  • Wait for it to finish the cleaning process
  • Click show report
  • This will open up a window with the results of the scan, copy and paste those results as a reply to this topic

2 - Run HijackThis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.

3 - Status Check
Please reply with

1. the F-Secure online scanner report
2. a fresh HijackThis log

Thanks peku006
peku006
MRU Emeritus
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: hjt log 4/18/09 Need Help ASAP!!!

Post by malwarefix2719 » April 30th, 2009, 5:19 pm

I ran the F-Secure online scanner twice to make sure I didn't do anything wrong the first time. What happens is, when I click to automatic clean, it gets about halfway through and just disappears, no log or anything. Also my Comodo and my AVG are still detecting trojans. I have seen one named Vundo and one named BHO and Win32. I am unsure as to why the fixes aren't working or what is going on with it. I will await instructions from you as to what to do next.

Also I am going to go ahead and include the hjt log in case you see anything in it.

Thanks so much for your time and effort with this.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:22:25 PM, on 5/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\hkcmd.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [thirdintel] c:\hp\bin\cloaker.exe c:\hp\bin\intel_tweak\intel_tweak3.cmd
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe
O4 - Global Startup: Belkin Wireless G USB Adapter Client Utility.lnk = C:\Program Files\Belkin\F5D7050v5011\Belkinwcui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\HP_Owner.THEBAMAS\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6F714D46-E4EF-11D4-93EF-00D0D7032099} (Active DJ Studio ActiveX Control) - http://www.christianrock2.net/amp3dj.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter hijack: text/html - {6903bbee-8b34-4de1-942e-d1fac2ed1b61} - C:\WINDOWS\system32\dsound3dd.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8973 bytes
malwarefix2719
Regular Member
 
Posts: 16
Joined: April 18th, 2009, 6:49 pm

Re: hjt log 4/18/09 Need Help ASAP!!!

Post by malwarefix2719 » April 30th, 2009, 9:50 pm

Tried it once more and it went through, thank goodness, so here's the log and a new hjt log.


Scanning Report
Friday, May 01, 2009 19:09:17 - 21:45:24
Computer name: THEBAMAS
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 11 malware found
TrackingCookie.2o7 (spyware)
System
TrackingCookie.Adbrite (spyware)
System
TrackingCookie.Adrevolver (spyware)
System
TrackingCookie.Advertising (spyware)
System
TrackingCookie.Atdmt (spyware)
System
TrackingCookie.Mediaplex (spyware)
System
TrackingCookie.Revsci (spyware)
System
TrackingCookie.Yieldmanager (spyware)
System
Trojan.Win32.ExeDot (virus)
System
Trojan.Win32.ExeDot.gk (virus)
C:\PROGRAM FILES\COMMON\HELPER.DLL
Trojan:W32/Agent (virus)
System

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 56147
System: 3107
Not scanned: 145
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 11
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\E816EB59A2D166730F\AUDIODEV.DLL
C:\E816EB59A2D166730F\BLACKBOX.DLL
C:\E816EB59A2D166730F\CEWMDM.DLL
C:\E816EB59A2D166730F\DRMUPGDS.EXE
C:\E816EB59A2D166730F\DRMV2CLT.DLL
C:\E816EB59A2D166730F\LAPRXY.DLL
C:\E816EB59A2D166730F\LOGAGENT.EXE
C:\E816EB59A2D166730F\MFPLAT.DLL
C:\E816EB59A2D166730F\MP43DECD.DLL
C:\E816EB59A2D166730F\MP43DMOD.DLL
C:\E816EB59A2D166730F\MP4SDECD.DLL
C:\E816EB59A2D166730F\MP4SDMOD.DLL
C:\E816EB59A2D166730F\MPG4DECD.DLL
C:\E816EB59A2D166730F\MPG4DMOD.DLL
C:\E816EB59A2D166730F\MSNETOBJ.DLL
C:\E816EB59A2D166730F\MSPMSNSV.DLL
C:\E816EB59A2D166730F\MSPMSP.DLL
C:\E816EB59A2D166730F\MSSCP.DLL
C:\E816EB59A2D166730F\MSWMDM.DLL
C:\E816EB59A2D166730F\PORTABLEDEVICEAPI.DLL
C:\E816EB59A2D166730F\PORTABLEDEVICECLASSEXTENSION.DLL
C:\E816EB59A2D166730F\PORTABLEDEVICETYPES.DLL
C:\E816EB59A2D166730F\PORTABLEDEVICEWIACOMPAT.DLL
C:\E816EB59A2D166730F\PORTABLEDEVICEWMDRM.DLL
C:\E816EB59A2D166730F\QASF.DLL
C:\E816EB59A2D166730F\SPUNINST.EXE
C:\E816EB59A2D166730F\SPUPDSVC.EXE
C:\E816EB59A2D166730F\UWDF.EXE
C:\E816EB59A2D166730F\WDFAPI.DLL
C:\E816EB59A2D166730F\WDFMGR.EXE
C:\E816EB59A2D166730F\WMADMOD.DLL
C:\E816EB59A2D166730F\WMADMOE.DLL
C:\E816EB59A2D166730F\WMASF.DLL
C:\E816EB59A2D166730F\WMDMLOG.DLL
C:\E816EB59A2D166730F\WMDMPS.DLL
C:\E816EB59A2D166730F\WMDRMDEV.DLL
C:\E816EB59A2D166730F\WMDRMNET.DLL
C:\E816EB59A2D166730F\WMDRMSDK.DLL
C:\E816EB59A2D166730F\WMIDX.DLL
C:\E816EB59A2D166730F\WMNETMGR.DLL
C:\E816EB59A2D166730F\WMSDMOD.DLL
C:\E816EB59A2D166730F\WMSDMOE2.DLL
C:\E816EB59A2D166730F\WMSETSDK.EXE
C:\E816EB59A2D166730F\WMSPDMOD.DLL
C:\E816EB59A2D166730F\WMSPDMOE.DLL
C:\E816EB59A2D166730F\WMVADVD.DLL
C:\E816EB59A2D166730F\WMVADVE.DLL
C:\E816EB59A2D166730F\WMVCORE.DLL
C:\E816EB59A2D166730F\WMVDECOD.DLL
C:\E816EB59A2D166730F\WMVDMOD.DLL
C:\E816EB59A2D166730F\WMVDMOE2.DLL
C:\E816EB59A2D166730F\WMVENCOD.DLL
C:\E816EB59A2D166730F\WMVSDECD.DLL
C:\E816EB59A2D166730F\WMVSENCD.DLL
C:\E816EB59A2D166730F\WMVXENCD.DLL
C:\E816EB59A2D166730F\WPDCONNS.DLL
C:\E816EB59A2D166730F\WPDINSTALLUTIL.DLL
C:\E816EB59A2D166730F\WPDMTP.DLL
C:\E816EB59A2D166730F\WPDMTP.INF
C:\E816EB59A2D166730F\WPDMTPDR.DLL
C:\E816EB59A2D166730F\WPDMTPHW.INF
C:\E816EB59A2D166730F\WPDMTPUS.DLL
C:\E816EB59A2D166730F\WPDSHEXT.DLL
C:\E816EB59A2D166730F\WPDSHEXTAUTOPLAY.EXE
C:\E816EB59A2D166730F\WPDSHSERVICEOBJ.DLL
C:\E816EB59A2D166730F\WPDSP.DLL
C:\E816EB59A2D166730F\WPDUSB.SYS
C:\E816EB59A2D166730F\WPD_CI.DLL
C:\DOCUMENTS AND SETTINGS\HP_OWNER.THEBAMAS\LOCAL SETTINGS\TEMP\HSPERFDATA_HP_OWNER\2584
C:\DOCUMENTS AND SETTINGS\HP_OWNER\APPLICATION DATA\SUN\JAVA\DEPLOYMENT\CACHE\6.0\5\106073C5-41A1FEDA
C:\DOCUMENTS AND SETTINGS\HP_OWNER\APPLICATION DATA\SUN\JAVA\DEPLOYMENT\CACHE\6.0\5\1284ED05-1078CA3D
C:\DOCUMENTS AND SETTINGS\HP_OWNER\APPLICATION DATA\SUN\JAVA\DEPLOYMENT\CACHE\6.0\5\13743D45-450DD0E5
C:\DOCUMENTS AND SETTINGS\HP_OWNER\APPLICATION DATA\SUN\JAVA\DEPLOYMENT\CACHE\6.0\5\1571D445-39ECEE1C
C:\DOCUMENTS AND SETTINGS\HP_OWNER\APPLICATION DATA\SUN\JAVA\DEPLOYMENT\CACHE\6.0\5\15A7EA45-3226A2C5
C:\DOCUMENTS AND SETTINGS\HP_OWNER\APPLICATION DATA\SUN\JAVA\DEPLOYMENT\CACHE\6.0\5\1674BF45-29B66C11
C:\DOCUMENTS AND SETTINGS\HP_OWNER\APPLICATION DATA\SUN\JAVA\DEPLOYMENT\CACHE\6.0\5\16B45685-3

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 3.0.0
F-Secure Hydra: 3.8.9080, 2009-04-30
F-Secure AVP: 7.0.171, 2009-04-30
F-Secure Pegasus: 1.20.0, 1969-11-31
F-Secure Blacklight: 0.0.0
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:49:20 PM, on 5/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\hkcmd.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [thirdintel] c:\hp\bin\cloaker.exe c:\hp\bin\intel_tweak\intel_tweak3.cmd
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe
O4 - Global Startup: Belkin Wireless G USB Adapter Client Utility.lnk = C:\Program Files\Belkin\F5D7050v5011\Belkinwcui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\HP_Owner.THEBAMAS\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6F714D46-E4EF-11D4-93EF-00D0D7032099} (Active DJ Studio ActiveX Control) - http://www.christianrock2.net/amp3dj.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter hijack: text/html - {6903bbee-8b34-4de1-942e-d1fac2ed1b61} - C:\WINDOWS\system32\dsound3dd.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8973 bytes
malwarefix2719
Regular Member
 
Posts: 16
Joined: April 18th, 2009, 6:49 pm
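The helper reads the HijackThis logs posted above line by line. As an added example (not the forum's or HijackThis's own code), here is a small Python parser that splits each log entry into section code, hook type, target and CLSID, then lists the lines a reviewer usually checks first. The sample lines are copied from the log above; the triage rules and section descriptions are this example's own assumptions, not a verdict on any entry.

```python
"""Parse HijackThis v2 log entries and pull out the lines a reviewer
usually checks first.  Added example for this thread; not HijackThis's
or the forum's own code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# HijackThis section codes and the kind of hook each one lists (assumed labels).
SECTIONS: Dict[str, str] = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "R3": "IE URLSearchHook", "O2": "Browser Helper Object",
    "O3": "IE toolbar", "O4": "Autostart entry",
    "O8": "IE context-menu item", "O9": "IE extra button / Tools item",
    "O16": "Downloaded Program File (ActiveX)", "O18": "Protocol handler / MIME filter",
    "O20": "Winlogon Notify / AppInit_DLLs", "O23": "NT service",
}

# Lines copied from the HijackThis log posted above in this thread.
SAMPLE_LOG = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\HP_Owner.THEBAMAS\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O18 - Filter hijack: text/html - {6903bbee-8b34-4de1-942e-d1fac2ed1b61} - C:\WINDOWS\system32\dsound3dd.dll
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
"""

LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
TRAILERS = ("(file missing)", "(HKCU)")   # markers HijackThis appends to a line


@dataclass
class Entry:
    code: str              # section code, e.g. "O18"
    kind: str              # hook type inside the section, e.g. "Filter hijack"
    target: str            # file, URL or command the hook points at
    clsid: Optional[str]   # COM class id, if the line carries one
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for headers, process lists and blanks."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    flags: List[str] = []
    for t in TRAILERS:                      # peel "(file missing)" / "(HKCU)" off the end
        if body.endswith(t):
            flags.append(t.strip("()"))
            body = body[: -len(t)].rstrip()
    if code.startswith("R"):                # "R1 - HKCU\...\Main,Search Bar = http://..."
        kind, _, target = body.partition(" =")
        target = target.strip()
    elif code == "O4" and "] " in body:     # "O4 - HKLM\..\Run: [Name] command"
        kind, _, rest = body.partition(": ")
        target = rest.split("] ", 1)[1]
    else:                                   # "O2 - BHO: Name - {CLSID} - path"
        kind = body.split(":", 1)[0]
        if " - " in body:
            target = body.rsplit(" - ", 1)[1]
        elif " = " in body:
            target = body.partition(" = ")[2]
        else:
            target = body.split(": ", 1)[-1]
    if code == "O23" and " - Unknown owner - " in body:
        flags.append("unknown owner")       # service whose binary carries no vendor name
    cm = CLSID_RE.search(body)
    return Entry(code, kind, target, cm.group(0) if cm else None, flags)


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def triage(entries: List[Entry]) -> List[str]:
    """Review notes for entries that normally deserve a second look (assumed rules)."""
    notes = []
    for e in entries:
        if "file missing" in e.flags:
            notes.append(f"{e.code}: dangling reference, target no longer exists: {e.target}")
        if "unknown owner" in e.flags:
            notes.append(f"{e.code}: service with no vendor name: {e.target}")
        if e.kind == "Filter hijack":
            notes.append(f"{e.code}: MIME filter loaded from {e.target}; confirm it belongs to a known product")
    return notes


def summarize(entries: List[Entry]) -> Dict[str, int]:
    """Count entries per section code, so a reviewer sees where the hooks are."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.code] = counts.get(e.code, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for code, n in summarize(found).items():
        print(f"{code:<4}{SECTIONS.get(code, 'other'):<36}{n}")
    for note in triage(found):
        print("REVIEW:", note)
```

Feed it a whole saved HijackThis log and the summary shows which sections carry entries while the triage list points at the lines to look up first.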

Re: hjt log 4/18/09 Need Help ASAP!!!

Post by peku006 » May 3rd, 2009, 9:43 am

Hi malwarefix2719
my comodo and my avg are still detecting trojans. I have seen one named vundo and one named bho and win32.

Can you tell me where they are located?

1 - Download and Run ComboFix

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Here you can find a tutorial about Combofix: HOW TO USE COMBOFIX

IMPORTANT: combofix.exe MUST be on your Desktop for us to proceed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
  • Double click on ComboFix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

NOTE: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Image
  • Click on Yes, to continue scanning for malware.
  • Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes including the reboot if malware is detected.

2 - Status Check
Please reply with

1. the ComboFix log (C:\ComboFix.txt)

Thanks peku006
peku006
MRU Emeritus
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: hjt log 4/18/09 Need Help ASAP!!!

Post by malwarefix2719 » May 3rd, 2009, 4:34 pm

ComboFix 09-05-03.1 - HP_Owner 05/04/2009 16:16.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.222 [GMT -4:00]
Running from: c:\documents and settings\HP_Owner.THEBAMAS\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: COMODO Antivirus *On-access scanning enabled* (Updated)
FW: COMODO Firewall *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\mcroso~1.net
c:\program files\Common\helper.sig
c:\program files\icroso~1.net
c:\program files\mcroso~1
c:\temp\sanR24
c:\windows\IA
c:\windows\IE4 Error Log.txt
c:\windows\racle~1
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-04-04 to 2009-05-04 )))))))))))))))))))))))))))))))
.

2009-05-04 20:12 . 2009-05-04 20:14 -------- d-----w C:\32788R22FWJFW
2009-05-04 20:03 . 2009-05-04 20:12 -------- d-----w C:\32788R22FWJFW.0.tmp
2009-04-30 17:12 . 2009-04-30 17:12 -------- d-----w C:\fsaua.data
2009-04-29 23:52 . 2009-04-29 23:52 -------- d-----w c:\windows\LastGood
2009-04-29 23:32 . 2009-04-29 23:32 -------- d-----w C:\_OTListIt
2009-04-26 04:01 . 2009-04-26 04:01 -------- d-----w C:\_OTMoveIt
2009-04-19 23:31 . 2009-04-26 23:36 -------- d-----w c:\program files\PartyGaming.Net
2009-04-19 23:13 . 2009-04-19 23:13 -------- d-----w c:\documents and settings\HP_Owner.THEBAMAS\Application Data\Lavasoft
2009-04-08 16:57 . 2009-04-26 23:05 -------- d-----w c:\program files\PokerStars
2009-04-08 11:40 . 2009-04-08 12:59 -------- d-----w c:\documents and settings\HP_Owner.THEBAMAS\Application Data\LimeWire
2009-04-08 11:34 . 2009-04-08 11:33 410984 ----a-w c:\windows\system32\deploytk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-04 20:17 . 2009-04-03 17:41 -------- d-----w c:\program files\Common
2009-05-04 20:15 . 2005-01-28 09:12 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-04 20:15 . 2008-11-01 20:50 366 ----a-w c:\windows\Tasks\Symantec NetDetect.job
2009-05-04 15:19 . 2008-09-04 19:29 1208 ----a-w c:\windows\Tasks\GoogleUpdateTaskUser.job
2009-04-28 03:18 . 2007-12-26 01:12 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
2009-04-26 04:38 . 2008-03-20 02:06 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-20 18:22 . 2008-11-08 17:40 1062 ----a-w c:\documents and settings\HP_Owner.THEBAMAS\Application Data\wklnhst.dat
2009-04-19 13:49 . 2008-11-01 21:50 24336 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2009-04-08 23:03 . 2005-05-06 06:35 -------- d-----w c:\program files\Java
2009-03-21 00:24 . 2008-11-02 05:24 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-03-21 00:24 . 2008-11-02 05:24 325128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-03-21 00:24 . 2008-11-02 05:24 107272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-03-21 00:02 . 2008-11-01 21:50 155384 ----a-w c:\windows\system32\guard32.dll
2009-03-21 00:02 . 2008-11-01 21:50 110992 ----a-w c:\windows\system32\drivers\cmdguard.sys
2009-03-20 23:10 . 2009-03-20 23:10 21035 ----a-w c:\windows\system32\drivers\AegisP.sys
2009-03-20 23:08 . 2009-03-20 23:08 -------- d-----w c:\program files\Belkin
2009-03-20 23:08 . 2005-05-06 07:05 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-06 14:44 . 2004-08-04 12:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-04 11:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 10:20 . 2004-08-04 12:00 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2004-08-04 11:00 723456 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2004-08-04 18:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:20 . 2004-08-04 12:00 616960 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:19 . 2004-08-04 12:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-06 17:24 . 2004-08-04 12:00 2180480 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 17:14 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 16:54 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 16:49 . 2004-08-04 18:00 2057728 ----a-w c:\windows\system32\ntkrnlpa.exe
2008-09-14 04:14 . 2008-09-14 04:14 144 ----a-w c:\program files\jhat.txt
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-05-06 07:04 . 2004-10-14 20:54 253952 c:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe
2005-05-06 07:04 . 2004-10-14 20:54 253952 c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe

2004-08-27 23:22 . 2004-08-27 23:22 58488 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe

2004-11-03 06:59 . 2004-11-03 06:59 218240 c:\program files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe

2007-08-31 22:41 . 2007-08-31 22:41 171448 c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe
2008-10-08 23:53 . 2008-10-08 23:53 171448 c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

2005-02-26 05:34 . 2005-02-26 05:34 245760 c:\program files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe
2005-02-26 05:34 . 2005-02-26 05:34 245760 c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-10-17 4347120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"thirdintel"="c:\hp\bin\cloaker.exe" [1999-11-07 27136]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-05-06 180269]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-21 1601304]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [N/A]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0\bin\jusched.exe" [2005-05-06 36972]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-03-21 1851128]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless G USB Adapter Client Utility.lnk - c:\program files\Belkin\F5D7050v5011\Belkinwcui.exe [2009-3-20 1589248]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-5 258048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-21 00:24 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R3 BELKIN;Belkin Wireless G USB Network Adapter;c:\windows\system32\DRIVERS\BLKWGU.sys [2007-12-18 273280]
R3 brfilt;Brother MFC Filter Driver;c:\windows\system32\Drivers\Brfilt.sys [2001-08-17 2944]
R3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\Drivers\BrSerWdm.sys [2001-08-17 60416]
R3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\Drivers\BrUsbMdm.sys [2001-08-17 11008]
R3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\Drivers\BrUsbScn.sys [2001-08-17 10368]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-03-21 325128]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-03-21 107272]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2009-03-21 110992]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2009-04-19 24336]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-03-21 903960]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-21 298264]
S2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\DRIVERS\EAPPkt.sys [2007-10-09 38144]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - F-SECURE_STANDALONE_MINIFILTER
*NewlyCreated* - FSBL
*Deregistered* - F-Secure Standalone Minifilter
*Deregistered* - fsbl
.
Contents of the 'Scheduled Tasks' folder

2009-04-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]
.
.
------- Supplementary Scan -------
.
uLocal Page =
uStart Page = hxxp://www.myspace.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\HP_Owner.THEBAMAS\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: {6F714D46-E4EF-11D4-93EF-00D0D7032099} - hxxp://www.christianrock2.net/amp3dj.cab
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(576)
c:\windows\system32\guard32.dll

- - - - - - - > 'lsass.exe'(636)
c:\windows\system32\guard32.dll
.
Completion time: 2009-05-04 16:31
ComboFix-quarantined-files.txt 2009-05-04 20:31

Pre-Run: 125,622,050,816 bytes free
Post-Run: 126,069,329,920 bytes free

168 --- E O F --- 2009-04-19 07:03
malwarefix2719
Regular Member
 
Posts: 16
Joined: April 18th, 2009, 6:49 pm

Re: hjt log 4/18/09 Need Help ASAP!!!

Unread postby peku006 » May 4th, 2009, 10:44 am

Hi malwarefix2719

1 - Run CFScript

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

AWF::
c:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe
c:\program files\Common Files\Symantec Shared\bak\ccApp.exe
c:\program files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe
c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe
c:\program files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe



Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2 - Run Malwarebytes' Anti-Malware

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Click on Perform full scan, then click on Scan.
  • Leave the default options as they are and click on Start Scan.
  • When done, you will be prompted. Click OK, then click on Show Results.
  • Check (tick) all items except items in the System Volume Information folder and click on Remove Selected.

    Image
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.

4 - Status Check
Please reply with


1. the ComboFix log (C:\ComboFix.txt)
2. the Malwarebytes' Anti-Malware Log
3. a fresh HijackThis log

Thanks peku006
peku006
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway
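
To show how the AWF:: block of the CFScript above is derived from the AWF section of the ComboFix log, here is an added Python example (not part of this post, and not ComboFix's own code): it parses that section into pairs of a bak copy and the live file beside it, flags pairs whose live copy is absent or differs in size, and renders the AWF:: lines. The sample text is constructed from the log in this thread; the AwfEntry and AwfPair names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample (copied from the AWF section of the ComboFix log in
# this thread): each line is "<mtime> . <ctime> <size> <path>", and each
# blank-line-separated group holds a bak copy and, when present, the
# live executable next to it.
SAMPLE_AWF = r"""
2005-05-06 07:04 . 2004-10-14 20:54 253952 c:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe
2005-05-06 07:04 . 2004-10-14 20:54 253952 c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe

2004-08-27 23:22 . 2004-08-27 23:22 58488 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe

2007-08-31 22:41 . 2007-08-31 22:41 171448 c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe
2008-10-08 23:53 . 2008-10-08 23:53 171448 c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
"""

LINE_RE = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<path>.+?)\s*$"
)


@dataclass
class AwfEntry:
    """One file line from the AWF report (hypothetical name, not ComboFix's)."""
    path: str
    size: int
    mtime: str


@dataclass
class AwfPair:
    """A copy under a bak folder and the live file it shadows, if listed."""
    bak: AwfEntry
    live: Optional[AwfEntry]

    @property
    def status(self) -> str:
        if self.live is None:
            return "live-missing"   # only the bak copy appears in the report
        if self.live.size != self.bak.size:
            return "size-mismatch"  # live file differs in size from the bak copy
        return "same-size"


def parse_awf_section(text: str) -> List[AwfPair]:
    """Group AWF lines into (bak, live) pairs keyed by the path without bak\\."""
    by_key: Dict[str, Dict[str, AwfEntry]] = {}
    order: List[str] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entry = AwfEntry(m["path"], int(m["size"]), m["mtime"])
        low = entry.path.lower()
        is_bak = "\\bak\\" in low
        # Strip the bak component so both copies collapse onto one key;
        # NTFS paths are case-insensitive, hence the lower().
        key = low.replace("\\bak\\", "\\") if is_bak else low
        if key not in by_key:
            by_key[key] = {}
            order.append(key)
        by_key[key]["bak" if is_bak else "live"] = entry
    return [AwfPair(by_key[k]["bak"], by_key[k].get("live"))
            for k in order if "bak" in by_key[k]]


def cfscript_awf(pairs: List[AwfPair]) -> str:
    """Render the AWF:: block of a CFScript.txt, one bak path per line."""
    return "\n".join(["AWF::"] + [p.bak.path for p in pairs]) + "\n"


if __name__ == "__main__":
    found = parse_awf_section(SAMPLE_AWF)
    for p in found:
        print(f"{p.status:14} {p.bak.path}")
    print(cfscript_awf(found))
```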

Re: hjt log 4/18/09 Need Help ASAP!!!

Unread postby malwarefix2719 » May 5th, 2009, 6:34 am

ComboFix 09-05-03.6 - HP_Owner 05/05/2009 21:20.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.180 [GMT -4:00]
Running from: c:\documents and settings\HP_Owner.THEBAMAS\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner.THEBAMAS\My Documents\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: COMODO Antivirus *On-access scanning disabled* (Updated)
FW: COMODO Firewall *disabled*
.

((((((((((((((((((((((((( Files Created from 2009-04-06 to 2009-05-06 )))))))))))))))))))))))))))))))
.

2009-05-06 01:15 . 2009-05-06 01:15 -------- d-----w c:\windows\LastGood
2009-05-06 00:16 . 2009-05-06 00:20 -------- d-----w C:\32788R22FWJFW.6.tmp
2009-05-06 00:13 . 2009-05-06 00:16 -------- d-----w C:\32788R22FWJFW.5.tmp
2009-05-06 00:11 . 2009-05-06 00:13 -------- d-----w C:\32788R22FWJFW.4.tmp
2009-05-06 00:08 . 2009-05-06 00:09 -------- d-----w C:\32788R22FWJFW.3.tmp
2009-05-06 00:06 . 2009-05-06 00:07 -------- d-----w C:\32788R22FWJFW.2.tmp
2009-05-04 20:12 . 2009-05-04 20:14 -------- d-----w C:\32788R22FWJFW.1.tmp
2009-05-04 20:03 . 2009-05-04 20:12 -------- d-----w C:\32788R22FWJFW.0.tmp
2009-04-30 17:12 . 2009-04-30 17:12 -------- d-----w C:\fsaua.data
2009-04-29 23:32 . 2009-04-29 23:32 -------- d-----w C:\_OTListIt
2009-04-26 04:01 . 2009-04-26 04:01 -------- d-----w C:\_OTMoveIt
2009-04-19 23:31 . 2009-04-26 23:36 -------- d-----w c:\program files\PartyGaming.Net
2009-04-19 23:13 . 2009-04-19 23:13 -------- d-----w c:\documents and settings\HP_Owner.THEBAMAS\Application Data\Lavasoft
2009-04-08 16:57 . 2009-04-26 23:05 -------- d-----w c:\program files\PokerStars
2009-04-08 11:40 . 2009-04-08 12:59 -------- d-----w c:\documents and settings\HP_Owner.THEBAMAS\Application Data\LimeWire
2009-04-08 11:34 . 2009-04-08 11:33 410984 ----a-w c:\windows\system32\deploytk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-06 01:28 . 2005-05-06 07:35 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-04 20:17 . 2009-04-03 17:41 -------- d-----w c:\program files\Common
2009-04-26 04:38 . 2008-03-20 02:06 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-20 18:22 . 2008-11-08 17:40 1062 ----a-w c:\documents and settings\HP_Owner.THEBAMAS\Application Data\wklnhst.dat
2009-04-19 13:49 . 2008-11-01 21:50 24336 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2009-04-08 23:03 . 2005-05-06 06:35 -------- d-----w c:\program files\Java
2009-03-21 00:24 . 2008-11-02 05:24 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-03-21 00:24 . 2008-11-02 05:24 325128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-03-21 00:24 . 2008-11-02 05:24 107272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-03-21 00:02 . 2008-11-01 21:50 155384 ----a-w c:\windows\system32\guard32.dll
2009-03-21 00:02 . 2008-11-01 21:50 110992 ----a-w c:\windows\system32\drivers\cmdguard.sys
2009-03-20 23:10 . 2009-03-20 23:10 21035 ----a-w c:\windows\system32\drivers\AegisP.sys
2009-03-20 23:08 . 2009-03-20 23:08 -------- d-----w c:\program files\Belkin
2009-03-20 23:08 . 2005-05-06 07:05 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-06 14:44 . 2004-08-04 12:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-04 11:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 10:20 . 2004-08-04 12:00 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2004-08-04 11:00 723456 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2004-08-04 18:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:20 . 2004-08-04 12:00 616960 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:19 . 2004-08-04 12:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-06 17:24 . 2004-08-04 12:00 2180480 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 17:14 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 16:54 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 16:49 . 2004-08-04 18:00 2057728 ----a-w c:\windows\system32\ntkrnlpa.exe
2008-09-14 04:14 . 2008-09-14 04:14 144 ----a-w c:\program files\jhat.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-10-17 4347120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"thirdintel"="c:\hp\bin\cloaker.exe" [1999-11-07 27136]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-05-06 180269]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-21 1601304]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0\bin\jusched.exe" [2005-05-06 36972]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-03-21 1851128]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless G USB Adapter Client Utility.lnk - c:\program files\Belkin\F5D7050v5011\Belkinwcui.exe [2009-3-20 1589248]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-5 258048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-21 00:24 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R3 BELKIN;Belkin Wireless G USB Network Adapter;c:\windows\system32\DRIVERS\BLKWGU.sys [2007-12-18 273280]
R3 brfilt;Brother MFC Filter Driver;c:\windows\system32\Drivers\Brfilt.sys [2001-08-17 2944]
R3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\Drivers\BrSerWdm.sys [2001-08-17 60416]
R3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\Drivers\BrUsbMdm.sys [2001-08-17 11008]
R3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\Drivers\BrUsbScn.sys [2001-08-17 10368]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-03-21 325128]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-03-21 107272]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2009-03-21 110992]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2009-04-19 24336]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-03-21 903960]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-21 298264]
S2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\DRIVERS\EAPPkt.sys [2007-10-09 38144]

.
Contents of the 'Scheduled Tasks' folder

2009-05-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe


.
------- Supplementary Scan -------
.
uLocal Page =
uStart Page = hxxp://www.myspace.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\HP_Owner.THEBAMAS\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: {6F714D46-E4EF-11D4-93EF-00D0D7032099} - hxxp://www.christianrock2.net/amp3dj.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-05 21:27
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(580)
c:\windows\system32\guard32.dll

- - - - - - - > 'lsass.exe'(640)
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(1320)
c:\windows\system32\guard32.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-06 21:31
ComboFix-quarantined-files.txt 2009-05-06 01:31
ComboFix2.txt 2009-05-04 20:31

Pre-Run: 125,922,840,576 bytes free
Post-Run: 126,681,616,384 bytes free

156 --- E O F --- 2009-04-19 07:03



Malwarebytes' Anti-Malware 1.36
Database version: 2075
Windows 5.1.2600 Service Pack 2

5/6/2009 6:30:49 AM
mbam-log-2009-05-06 (06-30-49).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 225580
Time elapsed: 2 hour(s), 10 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\HP_Owner\Start Menu\Programs\Perfect Optimizer (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0014018.exe (Adware.MyWebSearch) -> Delete on reboot.
C:\Documents and Settings\HP_Owner\Start Menu\Programs\Perfect Optimizer\Perfect Optimizer.lnk (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Start Menu\Programs\Perfect Optimizer\Uninstall.lnk (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Start Menu\Programs\Perfect Optimizer\Website.lnk (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Desktop\Perfect Optimizer.lnk (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:32:58 AM, on 5/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\hkcmd.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\F5D7050v5011\Belkinwcui.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [thirdintel] c:\hp\bin\cloaker.exe c:\hp\bin\intel_tweak\intel_tweak3.cmd
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe
O4 - Global Startup: Belkin Wireless G USB Adapter Client Utility.lnk = C:\Program Files\Belkin\F5D7050v5011\Belkinwcui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\HP_Owner.THEBAMAS\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6F714D46-E4EF-11D4-93EF-00D0D7032099} (Active DJ Studio ActiveX Control) - http://www.christianrock2.net/amp3dj.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8615 bytes
malwarefix2719
Regular Member
 
Posts: 16
Joined: April 18th, 2009, 6:49 pm

Re: hjt log 4/18/09 Need Help ASAP!!!

Unread postby peku006 » May 5th, 2009, 9:56 am

Hi malwarefix2719

1 - Remove bad HijackThis entries
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

2 - Run CFScript

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Folder::
C:\32788R22FWJFW.6.tmp
C:\32788R22FWJFW.5.tmp
C:\32788R22FWJFW.4.tmp
C:\32788R22FWJFW.3.tmp
C:\32788R22FWJFW.2.tmp
C:\32788R22FWJFW.1.tmp
C:\32788R22FWJFW.0.tmp



Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

3 - Status Check
Please reply with

1. the ComboFix log (C:\ComboFix.txt)

How's the computer running now? Any problems?

Thanks peku006
peku006
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: hjt log 4/18/09 Need Help ASAP!!!

Unread postby malwarefix2719 » May 5th, 2009, 7:51 pm

Computer is running much better. Thanks so much!!


ComboFix 09-05-05.03 - HP_Owner 05/06/2009 19:31.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.169 [GMT -4:00]
Running from: c:\documents and settings\HP_Owner.THEBAMAS\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner.THEBAMAS\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: COMODO Antivirus *On-access scanning disabled* (Updated)
FW: COMODO Firewall *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\32788R22FWJFW.0.tmp
c:\32788r22fwjfw.0.tmp\hidec.exe
c:\32788r22fwjfw.0.tmp\history.bat
c:\32788r22fwjfw.0.tmp\image001.gif
c:\32788r22fwjfw.0.tmp\Install-RC.cmd
c:\32788r22fwjfw.0.tmp\katch.cmd
c:\32788r22fwjfw.0.tmp\Kill-All.cmd
c:\32788r22fwjfw.0.tmp\Kollect.bat
c:\32788r22fwjfw.0.tmp\Lang.bat
c:\32788r22fwjfw.0.tmp\License\Curl - license.txt
c:\32788r22fwjfw.0.tmp\License\dumphive-license.txt
c:\32788r22fwjfw.0.tmp\License\EXTRACT.TXT
c:\32788r22fwjfw.0.tmp\License\FI - license.txt
c:\32788r22fwjfw.0.tmp\License\mtee.txt.txt
c:\32788r22fwjfw.0.tmp\License\pv_5_2_2.zip
c:\32788r22fwjfw.0.tmp\License\streamtools.zip
c:\32788r22fwjfw.0.tmp\License\UnxUtilsDist.html
c:\32788r22fwjfw.0.tmp\License\Zip - license.txt
c:\32788r22fwjfw.0.tmp\List-B.bat
c:\32788r22fwjfw.0.tmp\List-C.bat
c:\32788r22fwjfw.0.tmp\List-D.bat
c:\32788r22fwjfw.0.tmp\List.bat
c:\32788r22fwjfw.0.tmp\lnkread.vbs
c:\32788r22fwjfw.0.tmp\LocalService.dat
c:\32788r22fwjfw.0.tmp\LocalServiceNetworkRestricted.dat
c:\32788r22fwjfw.0.tmp\LocalSystemNetworkRestricted.dat
c:\32788r22fwjfw.0.tmp\md5sum.pif
c:\32788r22fwjfw.0.tmp\moveex.cfexe
c:\32788r22fwjfw.0.tmp\MoveIt.bat
c:\32788r22fwjfw.0.tmp\mtee.cfexe
c:\32788r22fwjfw.0.tmp\mynul.dat
c:\32788r22fwjfw.0.tmp\n.com
c:\32788r22fwjfw.0.tmp\N_\15878
c:\32788r22fwjfw.0.tmp\N_\17290
c:\32788r22fwjfw.0.tmp\N_\22627
c:\32788r22fwjfw.0.tmp\N_\31523
c:\32788r22fwjfw.0.tmp\N_\N
c:\32788r22fwjfw.0.tmp\ND_.bat
c:\32788r22fwjfw.0.tmp\ndis_combofix.dat
c:\32788r22fwjfw.0.tmp\netsvc.bad.dat
c:\32788r22fwjfw.0.tmp\netsvc.dat
c:\32788r22fwjfw.0.tmp\netsvc.vista.dat
c:\32788r22fwjfw.0.tmp\netsvc.xp.dat
c:\32788r22fwjfw.0.tmp\NetworkService.dat
c:\32788r22fwjfw.0.tmp\NirCmd.cfexe
c:\32788r22fwjfw.0.tmp\Nircmd.com
c:\32788r22fwjfw.0.tmp\NirCmdC.cfexe
c:\32788r22fwjfw.0.tmp\NlsLanguageDefault
c:\32788r22fwjfw.0.tmp\NT-OS.cmd
c:\32788r22fwjfw.0.tmp\Oldsfxname00
c:\32788r22fwjfw.0.tmp\OSid.vbs
c:\32788r22fwjfw.0.tmp\OsVer
c:\32788r22fwjfw.0.tmp\pev.cfexe
c:\32788r22fwjfw.0.tmp\pev.exe
c:\32788r22fwjfw.0.tmp\Policies.dat
c:\32788r22fwjfw.0.tmp\Prep.cmd
c:\32788r22fwjfw.0.tmp\Prep.inf
c:\32788r22fwjfw.0.tmp\psexec.cfexe
c:\32788r22fwjfw.0.tmp\Purity.dat
c:\32788r22fwjfw.0.tmp\pv.cfexe
c:\32788r22fwjfw.0.tmp\RCLink.dat
c:\32788r22fwjfw.0.tmp\REGDACL.sed
c:\32788r22fwjfw.0.tmp\RegDo.sed
c:\32788r22fwjfw.0.tmp\region.dat
c:\32788r22fwjfw.0.tmp\RegScan.cmd
c:\32788r22fwjfw.0.tmp\Resident.txt
c:\32788r22fwjfw.0.tmp\restore_pt.vbs
c:\32788r22fwjfw.0.tmp\RestoreO4.bat
c:\32788r22fwjfw.0.tmp\Rkey.cmd
c:\32788r22fwjfw.0.tmp\rogues.dat
c:\32788r22fwjfw.0.tmp\run2.sed
c:\32788r22fwjfw.0.tmp\safeboot.dat
c:\32788r22fwjfw.0.tmp\safeboot.def.dat
c:\32788r22fwjfw.0.tmp\safeboot.def.vista.dat
c:\32788r22fwjfw.0.tmp\SafeBootRepair.bat
c:\32788r22fwjfw.0.tmp\sed.cfexe
c:\32788r22fwjfw.0.tmp\SetEnvmt.bat
c:\32788r22fwjfw.0.tmp\setpath.cfexe
c:\32788r22fwjfw.0.tmp\sfx.cmd
c:\32788r22fwjfw.0.tmp\SnapShot.cmd
c:\32788r22fwjfw.0.tmp\SRestore.cmd
c:\32788r22fwjfw.0.tmp\srizbi.md5
c:\32788r22fwjfw.0.tmp\SuppScan.cmd
c:\32788r22fwjfw.0.tmp\svc_wht.dat
c:\32788r22fwjfw.0.tmp\SvcDrv.vbs
c:\32788r22fwjfw.0.tmp\svchost.dat
c:\32788r22fwjfw.0.tmp\svchost.vista.dat
c:\32788r22fwjfw.0.tmp\swreg.exe
c:\32788r22fwjfw.0.tmp\swsc.cfexe
c:\32788r22fwjfw.0.tmp\swxcacls.cfexe
c:\32788r22fwjfw.0.tmp\system_ini.dat
c:\32788r22fwjfw.0.tmp\tail.cfexe
c:\32788r22fwjfw.0.tmp\toolbar.sed
c:\32788r22fwjfw.0.tmp\unzip.cfexe
c:\32788r22fwjfw.0.tmp\Update-CF.cmd
c:\32788r22fwjfw.0.tmp\vistareg.dat
c:\32788r22fwjfw.0.tmp\w2kreg.dat
c:\32788r22fwjfw.0.tmp\xpreg.dat
c:\32788r22fwjfw.0.tmp\zDomain.dat
c:\32788r22fwjfw.0.tmp\zhsvc.dat
c:\32788r22fwjfw.0.tmp\zip.cfexe
C:\32788R22FWJFW.1.tmp
c:\32788r22fwjfw.1.tmp\hidec.exe
c:\32788r22fwjfw.1.tmp\psexec.cfexe
C:\32788R22FWJFW.2.tmp
c:\32788r22fwjfw.2.tmp\hidec.exe
c:\32788r22fwjfw.2.tmp\psexec.cfexe
C:\32788R22FWJFW.3.tmp
c:\32788r22fwjfw.3.tmp\hidec.exe
C:\32788R22FWJFW.4.tmp
c:\32788r22fwjfw.4.tmp\hidec.exe
c:\32788r22fwjfw.4.tmp\history.bat
c:\32788r22fwjfw.4.tmp\image001.gif
c:\32788r22fwjfw.4.tmp\Install-RC.cmd
c:\32788r22fwjfw.4.tmp\katch.cmd
c:\32788r22fwjfw.4.tmp\Kill-All.cmd
c:\32788r22fwjfw.4.tmp\Kollect.bat
c:\32788r22fwjfw.4.tmp\Lang.bat
c:\32788r22fwjfw.4.tmp\License\Curl - license.txt
c:\32788r22fwjfw.4.tmp\License\dumphive-license.txt
c:\32788r22fwjfw.4.tmp\License\EXTRACT.TXT
c:\32788r22fwjfw.4.tmp\License\FI - license.txt
c:\32788r22fwjfw.4.tmp\License\mtee.txt.txt
c:\32788r22fwjfw.4.tmp\License\pv_5_2_2.zip
c:\32788r22fwjfw.4.tmp\License\streamtools.zip
c:\32788r22fwjfw.4.tmp\License\UnxUtilsDist.html
c:\32788r22fwjfw.4.tmp\License\Zip - license.txt
c:\32788r22fwjfw.4.tmp\List-B.bat
c:\32788r22fwjfw.4.tmp\List-C.bat
c:\32788r22fwjfw.4.tmp\List-D.bat
c:\32788r22fwjfw.4.tmp\List.bat
c:\32788r22fwjfw.4.tmp\lnkread.vbs
c:\32788r22fwjfw.4.tmp\LocalService.dat
c:\32788r22fwjfw.4.tmp\LocalServiceNetworkRestricted.dat
c:\32788r22fwjfw.4.tmp\LocalSystemNetworkRestricted.dat
c:\32788r22fwjfw.4.tmp\md5sum.pif
c:\32788r22fwjfw.4.tmp\moveex.cfexe
c:\32788r22fwjfw.4.tmp\MoveIt.bat
c:\32788r22fwjfw.4.tmp\mtee.cfexe
c:\32788r22fwjfw.4.tmp\mynul.dat
c:\32788r22fwjfw.4.tmp\n.com
c:\32788r22fwjfw.4.tmp\N_\10279
c:\32788r22fwjfw.4.tmp\N_\11656
c:\32788r22fwjfw.4.tmp\N_\16585
c:\32788r22fwjfw.4.tmp\N_\17439
c:\32788r22fwjfw.4.tmp\N_\22475
c:\32788r22fwjfw.4.tmp\N_\27609
c:\32788r22fwjfw.4.tmp\N_\6968
c:\32788r22fwjfw.4.tmp\N_\N
c:\32788r22fwjfw.4.tmp\ND_.bat
c:\32788r22fwjfw.4.tmp\ndis_combofix.dat
c:\32788r22fwjfw.4.tmp\netsvc.bad.dat
c:\32788r22fwjfw.4.tmp\netsvc.dat
c:\32788r22fwjfw.4.tmp\netsvc.vista.dat
c:\32788r22fwjfw.4.tmp\netsvc.xp.dat
c:\32788r22fwjfw.4.tmp\NetworkService.dat
c:\32788r22fwjfw.4.tmp\NirCmd.cfexe
c:\32788r22fwjfw.4.tmp\Nircmd.com
c:\32788r22fwjfw.4.tmp\NirCmdC.cfexe
c:\32788r22fwjfw.4.tmp\NlsLanguageDefault
c:\32788r22fwjfw.4.tmp\NT-OS.cmd
c:\32788r22fwjfw.4.tmp\OSid.vbs
c:\32788r22fwjfw.4.tmp\OsVer
c:\32788r22fwjfw.4.tmp\pev.cfexe
c:\32788r22fwjfw.4.tmp\pev.exe
c:\32788r22fwjfw.4.tmp\Policies.dat
c:\32788r22fwjfw.4.tmp\Prep.cmd
c:\32788r22fwjfw.4.tmp\Prep.inf
c:\32788r22fwjfw.4.tmp\psexec.cfexe
c:\32788r22fwjfw.4.tmp\Purity.dat
c:\32788r22fwjfw.4.tmp\pv.cfexe
c:\32788r22fwjfw.4.tmp\RCLink.dat
c:\32788r22fwjfw.4.tmp\REGDACL.sed
c:\32788r22fwjfw.4.tmp\RegDo.sed
c:\32788r22fwjfw.4.tmp\region.dat
c:\32788r22fwjfw.4.tmp\RegScan.cmd
c:\32788r22fwjfw.4.tmp\Resident.txt
c:\32788r22fwjfw.4.tmp\restore_pt.vbs
c:\32788r22fwjfw.4.tmp\RestoreO4.bat
c:\32788r22fwjfw.4.tmp\Rkey.cmd
c:\32788r22fwjfw.4.tmp\rogues.dat
c:\32788r22fwjfw.4.tmp\run2.sed
c:\32788r22fwjfw.4.tmp\safeboot.dat
c:\32788r22fwjfw.4.tmp\safeboot.def.dat
c:\32788r22fwjfw.4.tmp\safeboot.def.vista.dat
c:\32788r22fwjfw.4.tmp\SafeBootRepair.bat
c:\32788r22fwjfw.4.tmp\sed.cfexe
c:\32788r22fwjfw.4.tmp\SetEnvmt.bat
c:\32788r22fwjfw.4.tmp\setpath.cfexe
c:\32788r22fwjfw.4.tmp\sfx.cmd
c:\32788r22fwjfw.4.tmp\SnapShot.cmd
c:\32788r22fwjfw.4.tmp\SRestore.cmd
c:\32788r22fwjfw.4.tmp\srizbi.md5
c:\32788r22fwjfw.4.tmp\SuppScan.cmd
c:\32788r22fwjfw.4.tmp\svc_wht.dat
c:\32788r22fwjfw.4.tmp\SvcDrv.vbs
c:\32788r22fwjfw.4.tmp\svchost.dat
c:\32788r22fwjfw.4.tmp\svchost.vista.dat
c:\32788r22fwjfw.4.tmp\swreg.exe
c:\32788r22fwjfw.4.tmp\swsc.cfexe
c:\32788r22fwjfw.4.tmp\swxcacls.cfexe
c:\32788r22fwjfw.4.tmp\system_ini.dat
c:\32788r22fwjfw.4.tmp\tail.cfexe
c:\32788r22fwjfw.4.tmp\toolbar.sed
c:\32788r22fwjfw.4.tmp\unzip.cfexe
c:\32788r22fwjfw.4.tmp\Update-CF.cmd
c:\32788r22fwjfw.4.tmp\vistareg.dat
c:\32788r22fwjfw.4.tmp\w2kreg.dat
c:\32788r22fwjfw.4.tmp\xpreg.dat
c:\32788r22fwjfw.4.tmp\zDomain.dat
c:\32788r22fwjfw.4.tmp\zhsvc.dat
c:\32788r22fwjfw.4.tmp\zip.cfexe
C:\32788R22FWJFW.5.tmp
c:\32788r22fwjfw.5.tmp\hidec.exe
c:\32788r22fwjfw.5.tmp\history.bat
c:\32788r22fwjfw.5.tmp\image001.gif
c:\32788r22fwjfw.5.tmp\Install-RC.cmd
c:\32788r22fwjfw.5.tmp\katch.cmd
c:\32788r22fwjfw.5.tmp\Kill-All.cmd
c:\32788r22fwjfw.5.tmp\Kollect.bat
c:\32788r22fwjfw.5.tmp\Lang.bat
c:\32788r22fwjfw.5.tmp\License\Curl - license.txt
c:\32788r22fwjfw.5.tmp\License\dumphive-license.txt
c:\32788r22fwjfw.5.tmp\License\EXTRACT.TXT
c:\32788r22fwjfw.5.tmp\License\FI - license.txt
c:\32788r22fwjfw.5.tmp\License\mtee.txt.txt
c:\32788r22fwjfw.5.tmp\License\pv_5_2_2.zip
c:\32788r22fwjfw.5.tmp\License\streamtools.zip
c:\32788r22fwjfw.5.tmp\License\UnxUtilsDist.html
c:\32788r22fwjfw.5.tmp\License\Zip - license.txt
c:\32788r22fwjfw.5.tmp\List-B.bat
c:\32788r22fwjfw.5.tmp\List-C.bat
c:\32788r22fwjfw.5.tmp\List-D.bat
c:\32788r22fwjfw.5.tmp\List.bat
c:\32788r22fwjfw.5.tmp\lnkread.vbs
c:\32788r22fwjfw.5.tmp\LocalService.dat
c:\32788r22fwjfw.5.tmp\LocalServiceNetworkRestricted.dat
c:\32788r22fwjfw.5.tmp\LocalSystemNetworkRestricted.dat
c:\32788r22fwjfw.5.tmp\md5sum.pif
c:\32788r22fwjfw.5.tmp\moveex.cfexe
c:\32788r22fwjfw.5.tmp\MoveIt.bat
c:\32788r22fwjfw.5.tmp\mtee.cfexe
c:\32788r22fwjfw.5.tmp\mynul.dat
c:\32788r22fwjfw.5.tmp\n.com
c:\32788r22fwjfw.5.tmp\N_\10104
c:\32788r22fwjfw.5.tmp\N_\13881
c:\32788r22fwjfw.5.tmp\N_\19378
c:\32788r22fwjfw.5.tmp\N_\20008
c:\32788r22fwjfw.5.tmp\N_\21258
c:\32788r22fwjfw.5.tmp\N_\24700
c:\32788r22fwjfw.5.tmp\N_\27153
c:\32788r22fwjfw.5.tmp\N_\N
c:\32788r22fwjfw.5.tmp\ND_.bat
c:\32788r22fwjfw.5.tmp\ndis_combofix.dat
c:\32788r22fwjfw.5.tmp\netsvc.bad.dat
c:\32788r22fwjfw.5.tmp\netsvc.dat
c:\32788r22fwjfw.5.tmp\netsvc.vista.dat
c:\32788r22fwjfw.5.tmp\netsvc.xp.dat
c:\32788r22fwjfw.5.tmp\NetworkService.dat
c:\32788r22fwjfw.5.tmp\NirCmd.cfexe
c:\32788r22fwjfw.5.tmp\Nircmd.com
c:\32788r22fwjfw.5.tmp\NirCmdC.cfexe
c:\32788r22fwjfw.5.tmp\NlsLanguageDefault
c:\32788r22fwjfw.5.tmp\NT-OS.cmd
c:\32788r22fwjfw.5.tmp\OSid.vbs
c:\32788r22fwjfw.5.tmp\OsVer
c:\32788r22fwjfw.5.tmp\pev.cfexe
c:\32788r22fwjfw.5.tmp\pev.exe
c:\32788r22fwjfw.5.tmp\Policies.dat
c:\32788r22fwjfw.5.tmp\Prep.cmd
c:\32788r22fwjfw.5.tmp\Prep.inf
c:\32788r22fwjfw.5.tmp\psexec.cfexe
c:\32788r22fwjfw.5.tmp\Purity.dat
c:\32788r22fwjfw.5.tmp\pv.cfexe
c:\32788r22fwjfw.5.tmp\RCLink.dat
c:\32788r22fwjfw.5.tmp\REGDACL.sed
c:\32788r22fwjfw.5.tmp\RegDo.sed
c:\32788r22fwjfw.5.tmp\region.dat
c:\32788r22fwjfw.5.tmp\RegScan.cmd
c:\32788r22fwjfw.5.tmp\Resident.txt
c:\32788r22fwjfw.5.tmp\restore_pt.vbs
c:\32788r22fwjfw.5.tmp\RestoreO4.bat
c:\32788r22fwjfw.5.tmp\Rkey.cmd
c:\32788r22fwjfw.5.tmp\rogues.dat
c:\32788r22fwjfw.5.tmp\run2.sed
c:\32788r22fwjfw.5.tmp\safeboot.dat
c:\32788r22fwjfw.5.tmp\safeboot.def.dat
c:\32788r22fwjfw.5.tmp\safeboot.def.vista.dat
c:\32788r22fwjfw.5.tmp\SafeBootRepair.bat
c:\32788r22fwjfw.5.tmp\sed.cfexe
c:\32788r22fwjfw.5.tmp\SetEnvmt.bat
c:\32788r22fwjfw.5.tmp\setpath.cfexe
c:\32788r22fwjfw.5.tmp\sfx.cmd
c:\32788r22fwjfw.5.tmp\SnapShot.cmd
c:\32788r22fwjfw.5.tmp\SRestore.cmd
c:\32788r22fwjfw.5.tmp\srizbi.md5
c:\32788r22fwjfw.5.tmp\SuppScan.cmd
c:\32788r22fwjfw.5.tmp\svc_wht.dat
c:\32788r22fwjfw.5.tmp\SvcDrv.vbs
c:\32788r22fwjfw.5.tmp\svchost.dat
c:\32788r22fwjfw.5.tmp\svchost.vista.dat
c:\32788r22fwjfw.5.tmp\swreg.exe
c:\32788r22fwjfw.5.tmp\swsc.cfexe
c:\32788r22fwjfw.5.tmp\swxcacls.cfexe
c:\32788r22fwjfw.5.tmp\system_ini.dat
c:\32788r22fwjfw.5.tmp\tail.cfexe
c:\32788r22fwjfw.5.tmp\toolbar.sed
c:\32788r22fwjfw.5.tmp\unzip.cfexe
c:\32788r22fwjfw.5.tmp\Update-CF.cmd
c:\32788r22fwjfw.5.tmp\vistareg.dat
c:\32788r22fwjfw.5.tmp\w2kreg.dat
c:\32788r22fwjfw.5.tmp\xpreg.dat
c:\32788r22fwjfw.5.tmp\zDomain.dat
c:\32788r22fwjfw.5.tmp\zhsvc.dat
c:\32788r22fwjfw.5.tmp\zip.cfexe
C:\32788R22FWJFW.6.tmp
c:\32788r22fwjfw.6.tmp\hidec.exe
c:\32788r22fwjfw.6.tmp\history.bat
c:\32788r22fwjfw.6.tmp\image001.gif
c:\32788r22fwjfw.6.tmp\Install-RC.cmd
c:\32788r22fwjfw.6.tmp\katch.cmd
c:\32788r22fwjfw.6.tmp\Kill-All.cmd
c:\32788r22fwjfw.6.tmp\Kollect.bat
c:\32788r22fwjfw.6.tmp\Lang.bat
c:\32788r22fwjfw.6.tmp\License\Curl - license.txt
c:\32788r22fwjfw.6.tmp\License\dumphive-license.txt
c:\32788r22fwjfw.6.tmp\License\EXTRACT.TXT
c:\32788r22fwjfw.6.tmp\License\FI - license.txt
c:\32788r22fwjfw.6.tmp\License\mtee.txt.txt
c:\32788r22fwjfw.6.tmp\License\pv_5_2_2.zip
c:\32788r22fwjfw.6.tmp\License\streamtools.zip
c:\32788r22fwjfw.6.tmp\License\UnxUtilsDist.html
c:\32788r22fwjfw.6.tmp\License\Zip - license.txt
c:\32788r22fwjfw.6.tmp\List-B.bat
c:\32788r22fwjfw.6.tmp\List-C.bat
c:\32788r22fwjfw.6.tmp\List-D.bat
c:\32788r22fwjfw.6.tmp\List.bat
c:\32788r22fwjfw.6.tmp\lnkread.vbs
c:\32788r22fwjfw.6.tmp\LocalService.dat
c:\32788r22fwjfw.6.tmp\LocalServiceNetworkRestricted.dat
c:\32788r22fwjfw.6.tmp\LocalSystemNetworkRestricted.dat
c:\32788r22fwjfw.6.tmp\md5sum.pif
c:\32788r22fwjfw.6.tmp\moveex.cfexe
c:\32788r22fwjfw.6.tmp\MoveIt.bat
c:\32788r22fwjfw.6.tmp\mtee.cfexe
c:\32788r22fwjfw.6.tmp\mynul.dat
c:\32788r22fwjfw.6.tmp\n.com
c:\32788r22fwjfw.6.tmp\N_\16911
c:\32788r22fwjfw.6.tmp\N_\18941
c:\32788r22fwjfw.6.tmp\N_\21626
c:\32788r22fwjfw.6.tmp\N_\25161
c:\32788r22fwjfw.6.tmp\N_\32650
c:\32788r22fwjfw.6.tmp\N_\3420
c:\32788r22fwjfw.6.tmp\N_\8966
c:\32788r22fwjfw.6.tmp\N_\N
c:\32788r22fwjfw.6.tmp\ND_.bat
c:\32788r22fwjfw.6.tmp\ndis_combofix.dat
c:\32788r22fwjfw.6.tmp\netsvc.bad.dat
c:\32788r22fwjfw.6.tmp\netsvc.dat
c:\32788r22fwjfw.6.tmp\netsvc.vista.dat
c:\32788r22fwjfw.6.tmp\netsvc.xp.dat
c:\32788r22fwjfw.6.tmp\NetworkService.dat
c:\32788r22fwjfw.6.tmp\NirCmd.cfexe
c:\32788r22fwjfw.6.tmp\Nircmd.com
c:\32788r22fwjfw.6.tmp\NirCmdC.cfexe
c:\32788r22fwjfw.6.tmp\NlsLanguageDefault
c:\32788r22fwjfw.6.tmp\NT-OS.cmd
c:\32788r22fwjfw.6.tmp\OSid.vbs
c:\32788r22fwjfw.6.tmp\OsVer
c:\32788r22fwjfw.6.tmp\pev.cfexe
c:\32788r22fwjfw.6.tmp\pev.exe
c:\32788r22fwjfw.6.tmp\Policies.dat
c:\32788r22fwjfw.6.tmp\Prep.cmd
c:\32788r22fwjfw.6.tmp\Prep.inf
c:\32788r22fwjfw.6.tmp\psexec.cfexe
c:\32788r22fwjfw.6.tmp\Purity.dat
c:\32788r22fwjfw.6.tmp\pv.cfexe
c:\32788r22fwjfw.6.tmp\RCLink.dat
c:\32788r22fwjfw.6.tmp\REGDACL.sed
c:\32788r22fwjfw.6.tmp\RegDo.sed
c:\32788r22fwjfw.6.tmp\region.dat
c:\32788r22fwjfw.6.tmp\RegScan.cmd
c:\32788r22fwjfw.6.tmp\Resident.txt
c:\32788r22fwjfw.6.tmp\restore_pt.vbs
c:\32788r22fwjfw.6.tmp\RestoreO4.bat
c:\32788r22fwjfw.6.tmp\Rkey.cmd
c:\32788r22fwjfw.6.tmp\rogues.dat
c:\32788r22fwjfw.6.tmp\run2.sed
c:\32788r22fwjfw.6.tmp\safeboot.dat
c:\32788r22fwjfw.6.tmp\safeboot.def.dat
c:\32788r22fwjfw.6.tmp\safeboot.def.vista.dat
c:\32788r22fwjfw.6.tmp\SafeBootRepair.bat
c:\32788r22fwjfw.6.tmp\sed.cfexe
c:\32788r22fwjfw.6.tmp\SetEnvmt.bat
c:\32788r22fwjfw.6.tmp\setpath.cfexe
c:\32788r22fwjfw.6.tmp\sfx.cmd
c:\32788r22fwjfw.6.tmp\SnapShot.cmd
c:\32788r22fwjfw.6.tmp\SRestore.cmd
c:\32788r22fwjfw.6.tmp\srizbi.md5
c:\32788r22fwjfw.6.tmp\SuppScan.cmd
c:\32788r22fwjfw.6.tmp\svc_wht.dat
c:\32788r22fwjfw.6.tmp\SvcDrv.vbs
c:\32788r22fwjfw.6.tmp\svchost.dat
c:\32788r22fwjfw.6.tmp\svchost.vista.dat
c:\32788r22fwjfw.6.tmp\swreg.exe
c:\32788r22fwjfw.6.tmp\swsc.cfexe
c:\32788r22fwjfw.6.tmp\swxcacls.cfexe
c:\32788r22fwjfw.6.tmp\system_ini.dat
c:\32788r22fwjfw.6.tmp\tail.cfexe
c:\32788r22fwjfw.6.tmp\toolbar.sed
c:\32788r22fwjfw.6.tmp\unzip.cfexe
c:\32788r22fwjfw.6.tmp\Update-CF.cmd
c:\32788r22fwjfw.6.tmp\vistareg.dat
c:\32788r22fwjfw.6.tmp\w2kreg.dat
c:\32788r22fwjfw.6.tmp\xpreg.dat
c:\32788r22fwjfw.6.tmp\zDomain.dat
c:\32788r22fwjfw.6.tmp\zhsvc.dat
c:\32788r22fwjfw.6.tmp\zip.cfexe

.
((((((((((((((((((((((((( Files Created from 2009-04-06 to 2009-05-06 )))))))))))))))))))))))))))))))
.

2009-05-06 23:23 . 2009-05-06 23:23 -------- d-----w c:\windows\LastGood
2009-04-30 17:12 . 2009-04-30 17:12 -------- d-----w C:\fsaua.data
2009-04-29 23:32 . 2009-04-29 23:32 -------- d-----w C:\_OTListIt
2009-04-26 04:01 . 2009-04-26 04:01 -------- d-----w C:\_OTMoveIt
2009-04-19 23:31 . 2009-04-26 23:36 -------- d-----w c:\program files\PartyGaming.Net
2009-04-19 23:13 . 2009-04-19 23:13 -------- d-----w c:\documents and settings\HP_Owner.THEBAMAS\Application Data\Lavasoft
2009-04-08 16:57 . 2009-04-26 23:05 -------- d-----w c:\program files\PokerStars
2009-04-08 11:40 . 2009-04-08 12:59 -------- d-----w c:\documents and settings\HP_Owner.THEBAMAS\Application Data\LimeWire
2009-04-08 11:34 . 2009-04-08 11:33 410984 ----a-w c:\windows\system32\deploytk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-06 01:34 . 2008-03-20 02:06 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-06 01:28 . 2005-05-06 07:35 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-04 20:17 . 2009-04-03 17:41 -------- d-----w c:\program files\Common
2009-04-20 18:22 . 2008-11-08 17:40 1062 ----a-w c:\documents and settings\HP_Owner.THEBAMAS\Application Data\wklnhst.dat
2009-04-19 13:49 . 2008-11-01 21:50 24336 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2009-04-08 23:03 . 2005-05-06 06:35 -------- d-----w c:\program files\Java
2009-04-06 19:32 . 2008-11-14 08:58 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2008-11-14 08:58 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-21 00:24 . 2008-11-02 05:24 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-03-21 00:24 . 2008-11-02 05:24 325128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-03-21 00:24 . 2008-11-02 05:24 107272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-03-21 00:02 . 2008-11-01 21:50 155384 ----a-w c:\windows\system32\guard32.dll
2009-03-21 00:02 . 2008-11-01 21:50 110992 ----a-w c:\windows\system32\drivers\cmdguard.sys
2009-03-20 23:10 . 2009-03-20 23:10 21035 ----a-w c:\windows\system32\drivers\AegisP.sys
2009-03-20 23:08 . 2009-03-20 23:08 -------- d-----w c:\program files\Belkin
2009-03-20 23:08 . 2005-05-06 07:05 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-06 14:44 . 2004-08-04 12:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-04 11:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 10:20 . 2004-08-04 12:00 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2004-08-04 11:00 723456 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2004-08-04 18:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:20 . 2004-08-04 12:00 616960 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:19 . 2004-08-04 12:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-06 17:24 . 2004-08-04 12:00 2180480 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 17:14 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 16:54 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 16:49 . 2004-08-04 18:00 2057728 ----a-w c:\windows\system32\ntkrnlpa.exe
2008-09-14 04:14 . 2008-09-14 04:14 144 ----a-w c:\program files\jhat.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-10-17 4347120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"thirdintel"="c:\hp\bin\cloaker.exe" [1999-11-07 27136]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-05-06 180269]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-21 1601304]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0\bin\jusched.exe" [2005-05-06 36972]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-03-21 1851128]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless G USB Adapter Client Utility.lnk - c:\program files\Belkin\F5D7050v5011\Belkinwcui.exe [2009-3-20 1589248]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-5 258048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-21 00:24 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/2/2008 1:24 AM 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/2/2008 1:24 AM 107272]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [11/1/2008 5:50 PM 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [11/1/2008 5:50 PM 24336]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [3/20/2009 8:23 PM 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/20/2009 8:23 PM 298264]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [3/20/2009 7:09 PM 38144]
S3 BELKIN;Belkin Wireless G USB Network Adapter;c:\windows\system32\drivers\BLKWGU.sys [3/20/2009 7:09 PM 273280]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [11/8/2008 12:28 AM 2944]
S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [11/8/2008 12:28 AM 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [11/8/2008 12:28 AM 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [11/8/2008 12:28 AM 10368]
.
Contents of the 'Scheduled Tasks' folder

2009-05-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]
.
.
------- Supplementary Scan -------
.
uLocal Page =
uStart Page = hxxp://www.myspace.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\HP_Owner.THEBAMAS\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: {6F714D46-E4EF-11D4-93EF-00D0D7032099} - hxxp://www.christianrock2.net/amp3dj.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-06 19:42
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(584)
c:\windows\system32\guard32.dll

- - - - - - - > 'lsass.exe'(644)
c:\windows\system32\guard32.dll
.
Completion time: 2009-05-06 19:45
ComboFix-quarantined-files.txt 2009-05-06 23:45
ComboFix2.txt 2009-05-06 01:31
ComboFix3.txt 2009-05-04 20:31

Pre-Run: 126,133,145,600 bytes free
Post-Run: 126,638,964,736 bytes free

564 --- E O F --- 2009-04-19 07:03
malwarefix2719
Regular Member
Posts: 16
Joined: April 18th, 2009, 6:49 pm
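The "Files Created" and "Find3M Report" sections of the ComboFix log above share one fixed line format. As an added example (not part of the thread and not ComboFix's own code), here is a Python parser for those lines plus the triage filter a helper applies by eye: non-directory executables and drivers under c:\windows modified after a given date. The created/modified column order per section is inferred from the log itself, and the sample lines are copied from it.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Excerpt in ComboFix's report format; lines copied from the log posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-04-06 to 2009-05-06 )))))))))))))))))))))))))))))))
.

2009-05-06 23:23 . 2009-05-06 23:23 -------- d-----w c:\windows\LastGood
2009-04-19 23:13 . 2009-04-19 23:13 -------- d-----w c:\documents and settings\HP_Owner.THEBAMAS\Application Data\Lavasoft
2009-04-08 11:34 . 2009-04-08 11:33 410984 ----a-w c:\windows\system32\deploytk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-06 01:34 . 2008-03-20 02:06 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-19 13:49 . 2008-11-01 21:50 24336 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2009-03-20 23:08 . 2005-05-06 07:05 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-06 14:44 . 2004-08-04 12:00 283648 ----a-w c:\windows\system32\pdh.dll
2008-09-14 04:14 . 2008-09-14 04:14 144 ----a-w c:\program files\jhat.txt
"""

# Section banner: "(((( Files Created from ... ))))" or "(((( Find3M Report ))))"
SECTION_RE = re.compile(r"^\(+\s*(?P<name>.+?)\s*\)+$")
# Entry line: "<stamp> . <stamp> <size or dashes> <7-char attrs> <path>"
ENTRY_RE = re.compile(
    r"^(?P<t1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<t2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[a-z-]{7}) (?P<path>\S.*)$"
)
BINARY_EXTS = (".exe", ".dll", ".sys", ".com", ".pif", ".scr", ".cpl", ".ocx")


@dataclass
class Entry:
    section: str
    created: datetime
    modified: datetime
    size: Optional[int]  # None for directories (ComboFix prints dashes)
    attrs: str           # e.g. "----a-w" (archive file) or "d--h--w" (hidden dir)
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def is_hidden(self) -> bool:
        return "h" in self.attrs


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def parse_combofix_entries(text: str) -> List[Entry]:
    """Return every timestamped file/folder entry, tagged with its section."""
    entries: List[Entry] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # blank lines, "." separators and other report text
        t1, t2 = _ts(m.group("t1")), _ts(m.group("t2"))
        # Column order inferred from the log: "Files Created" prints
        # created . modified, Find3M prints modified . created (e.g. pdh.dll
        # shows 2009-03-06 . 2004-08-04: patched in 2009, installed in 2004).
        if section.startswith("Find3M"):
            modified, created = t1, t2
        else:
            created, modified = t1, t2
        size = None if m.group("size").startswith("-") else int(m.group("size"))
        entries.append(Entry(section, created, modified, size,
                             m.group("attrs"), m.group("path")))
    return entries


def recent_system_binaries(entries: List[Entry], since: str,
                           root: str = "c:\\windows\\") -> List[Entry]:
    """Files under `root` with a binary extension modified on/after `since`
    (YYYY-MM-DD), newest first: the entries worth checking against a vendor
    signature or a known-good hash before trusting the machine."""
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    hits = [e for e in entries
            if not e.is_dir and e.path.lower().startswith(root.lower())
            and e.path.lower().endswith(BINARY_EXTS) and e.modified >= cutoff]
    return sorted(hits, key=lambda e: e.modified, reverse=True)


if __name__ == "__main__":
    for e in recent_system_binaries(parse_combofix_entries(SAMPLE_LOG), "2009-04-01"):
        print(f"{e.modified:%Y-%m-%d %H:%M}  {e.size or 0:>8}  {e.path}")
```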

Re: hjt log 4/18/09 Need Help ASAP!!!

Unread postby peku006 » May 6th, 2009, 2:38 am

Hi malwarefix2719

Great that your machine is running better now. The scans are fine and it looks like your machine is clean.

To remove all of the tools we used and the files and folders they created do the following:

  • Double-click OTMoveIt3.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP
This is a good time:

Turn off System Restore
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.
Turn ON System Restore
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.
This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Spybot Search and Destroy
Download it from here. Just choose a mirror and off you go.
Find the tutorial on how to use Spybot properly here

Install SpyWare Blaster
Download it from here
Find the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
You can find information about how WinPatrol works here

Install FireTrust SiteHound
You can find information and download it from here

Install MVPS Hosts File from here
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com

Please check out Tony Klein's article "How did I get infected in the first place?"

Read some information here how to prevent Malware.

Is your pc running slow?
Read What to do if your Computer is running slowly

Happy surfing and stay clean! :thumbup:
peku006
MRU Emeritus
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway
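The HOSTS-file blocking described in the post above works by exact hostname match, which is also its main limitation. As an added example (not from the thread or the MVPS project), here is a Python parser for HOSTS syntax that reports whether a given name is pinned to the local machine; the sample entries are constructed, not taken from the real MVPS file.

```python
from typing import Dict, Optional

# Constructed sample in HOSTS syntax: "<ip> <hostname> [more hostnames] [# comment]".
# Real blocklists use 127.0.0.1 (as the post says) or 0.0.0.0 as the target.
SAMPLE_HOSTS = """\
# constructed sample, not the MVPS list
127.0.0.1  localhost
0.0.0.0    ads.example.invalid          # null-route form used by newer lists
127.0.0.1  tracker.example.invalid stats.example.invalid
\t127.0.0.1\tBanner.Example.invalid     # tabs and mixed case are legal
"""

# Addresses that keep a connection on the local machine.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each lowercased hostname to its address, ignoring comments/blank lines.
    The first entry for a name is kept; later duplicates are ignored."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), ip)
    return mapping


def lookup(mapping: Dict[str, str], hostname: str) -> Optional[str]:
    """Exact-match lookup, as the resolver does: no wildcard or subdomain logic,
    so 'www.ads.example.invalid' is NOT covered by an 'ads.example.invalid' entry."""
    return mapping.get(hostname.lower().rstrip("."))


def is_sinkholed(mapping: Dict[str, str], hostname: str) -> bool:
    """True when connections to `hostname` will never leave the machine.
    'localhost' legitimately points at loopback and is not a block entry."""
    name = hostname.lower().rstrip(".")
    if name == "localhost":
        return False
    return lookup(mapping, name) in SINKHOLES


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for host in ("ads.example.invalid", "www.ads.example.invalid", "Tracker.Example.invalid"):
        print(f"{host:30} blocked={is_sinkholed(hosts, host)}")
```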

Re: hjt log 4/18/09 Need Help ASAP!!!

Unread postby malwarefix2719 » May 8th, 2009, 1:03 am

thanks a million!!!!
malwarefix2719
Regular Member
Posts: 16
Joined: April 18th, 2009, 6:49 pm

Re: hjt log 4/18/09 Need Help ASAP!!!

Unread postby Shaba » May 8th, 2009, 7:32 am

malwarefix2719 this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland