Free Malware Removal Forum

by **dilligaf375** » August 14th, 2009, 9:40 pm

I think I have a "back door trojan" called sdra64.exe. I tried to remove it with no luck. Please help!! Here is my hijack this log.
Thanks,
brian

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:51 PM, on 8/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - Startup: CompuServe 2000 Tray Icon.lnk = C:\CompuServe 2000\cstray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.4.3.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {A3D93B25-4601-49D2-B3AF-F447C73D561F} (Sony SNC-RZ25 Control) - http://webcam01.thenewarkarena.com:4448 ... 25View.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O24 - Desktop Component 0: (no name) - http://store1.yimg.com/I/babyride_1815_0

--
End of file - 11132 bytes

by **jmw3** » August 18th, 2009, 2:47 pm

Hello & Welcome to Malware Removal

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this ensure Notify me when a reply is postedis ticked on the POST A REPLY page.

In the meantime please note the following:

Any recommendations made are for your computer problems only and should NOT be used on any other computer.
Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
2. Commercial scanners, for the most part can not completely remove some of the more "resistant" infections. This makes it much more difficult to get rid of completely.
If you get stuck or are unsure of something please ask for a further explanation, do not guess.
It will require more than one round to properly clean your system. Continue to respond to this thread until I give you the All Clean! even if symptoms seemingly abate.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.
If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Thanks

DDS
Download DDS.scr by sUBs from one of the following links & save it to your desktop.
Link 1
Link 2

Double-Click on dds.scr and a command window will appear. This is normal
Shortly after two logs will appear, DDS.txt & Attach.txt
A window will open instructing you save & post the logs
Save the logs to a convenient place such as your desktop
Copy the contents of both logs & post in your next reply

Gmer
Download GMER Rootkit Scanner from here.

Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

Click the image to enlarge it
In the right panel, you will see several boxes that have been checked. Uncheck the following ...
- Sections
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
Then click the Scan button & wait for it to finish
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
Save it where you can easily find it, such as your desktop, and post it in reply

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
Note: Do not run any programs while Gmer is running.

To post in next reply:
Contents of DDS log
Contents of Attach.txt
Contents of Gmer log

by **dilligaf375** » August 20th, 2009, 5:20 am

ran the scans. here are the logs.

DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 19:09:06.67 on Wed 08/19/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.148 [GMT -4:00]

AV: CyberDefender Internet Security *On-access scanning enabled* (Updated) {4E7A1CCA-8140-473D-88EE-9B74B550315E}
AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {B5510F6F-87E1-47F7-A411-360BC453007C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Documents and Settings\Owner\Desktop\spyware recovery tools\New Folder\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/home.html
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uWindow Title = Microsoft Internet Explorer provided by Comcast
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mWindow Title = Microsoft Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PPWebCap] c:\progra~1\scansoft\paperp~1\PPWebCap.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [iTunesHelper] c:\program files\itunes\iTunesHelper.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [VTTimer] VTTimer.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HPHUPD05] c:\program files\hewlett-packard\{45b6180b-dcab-4093-8ee8-6164457517f0}\hphupd05.exe
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [PinnacleDriverCheck] c:\windows\system32\PSDrvCheck.exe -CheckReg
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd.exe"
mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mRun: [EverioService] "c:\program files\cyberlink\pcm4everio\EverioService.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SpybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
mRun: [P2P Networking] c:\windows\system32\p2p networking\P2P Networking.exe /AUTOSTART
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\compus~1.lnk - c:\compuserve 2000\cstray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\1940576\program\BackWeb-1940576.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventr~1.lnk - c:\program files\printmaster 16\pmremind.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
IE: Add To Compaq Organize... - c:\progra~1\hewlet~1\compaq~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shoc ... tor/sw.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/v ... .2.4.3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan ... asinst.cab
DPF: {A3D93B25-4601-49D2-B3AF-F447C73D561F} - hxxp://webcam01.thenewarkarena.com:4448 ... 25View.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/aut ... s-i586.cab
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/aut ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/sh ... wflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/games/popcaploader_v6.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: CShellExecuteHookImpl Object: {54d9498b-cf93-414f-8984-8ce7fde0d391} - c:\program files\ewido\security suite\shellhook.dll

============= SERVICES / DRIVERS ===============

R1 ewido security suite driver;ewido security suite driver;c:\program files\ewido\security suite\guard.sys [2004-11-22 3072]
R3 DVC150B;Dazzle DVC 150B;c:\windows\system32\drivers\dvc150b.sys [2005-12-25 30976]
S3 CDAVFS;CDAVFS;c:\windows\system32\drivers\CDAVFS.sys [2009-8-14 67424]

=============== Created Last 30 ================

2009-08-15 21:19 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-08-14 22:40 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-14 22:39 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-14 22:39 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-14 22:39 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-14 22:39 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-14 22:39 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-14 22:39 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-08-14 22:39 <DIR> --d----- C:\77ac5688eb8fd6e347a49fb2d6f9d830
2009-08-14 22:39 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-14 22:38 <DIR> --d----- c:\windows\SxsCaPendDel
2009-08-14 21:08 <DIR> --d----- c:\program files\Trend Micro
2009-08-14 19:28 60 a------- c:\windows\av_affiliate.ini
2009-08-14 19:28 60 a------- c:\windows\as_affiliate.ini
2009-08-14 19:26 67,424 a------- c:\windows\system32\drivers\CDAVFS.sys
2009-08-14 19:26 <DIR> --d----- c:\program files\CyberDefender
2009-08-14 17:34 760 a------- c:\windows\system32\drivers\kgpfr2.cfg
2009-08-14 17:28 4,352 a------- c:\windows\system32\drivers\kgpcpy.cfg
2009-08-13 21:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-08-13 21:28 <DIR> --d----- c:\program files\common files\iS3
2009-08-13 21:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-08-11 20:26 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-11 20:25 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-11 18:47 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-08-05 05:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll

==================== Find3M ====================

2009-08-13 21:10 26,112 a------- c:\windows\system32\userinit.exe
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-25 04:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 04:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 04:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 04:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 04:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 04:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-24 07:18 92,928 a------- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2007-06-25 22:07 576 a------- c:\documents and settings\owner\test.dat
2005-11-28 14:34 2,855,080 a---h--- c:\program files\aawsepersonal.exe
2005-03-07 13:38 543,269 a---h--- c:\program files\DVD43_3-5-2_Setup.exe
2005-01-24 14:53 3,249,463 a---h--- c:\program files\dxcp.exe
2004-12-18 22:30 3,479,664 a---h--- c:\program files\ICopyDVDs2-Standard.zip
2004-08-30 17:50 476 a---h--- c:\documents and settings\owner\hpothb07.dat
2004-08-30 17:48 164 a---h--- c:\documents and settings\all users\hpothb07.dat
2004-08-30 17:48 185 a---h--- c:\docume~1\alluse~1\applic~1\hpothb07.dat
2001-08-22 14:15 245,760 a------- c:\windows\inf\i386\viceo.dll
2001-08-22 14:13 32,768 a------- c:\windows\inf\i386\Pmicro.dll
2001-08-22 14:13 61,440 a------- c:\windows\inf\i386\gl.dll
2001-08-03 19:29 13,824 a------- c:\windows\inf\i386\Usbscan.sys
1999-07-18 21:05 15,716 a------- c:\windows\inf\i386\Pmxscan.sys
2004-08-07 12:13 0 ac-sh--- c:\windows\sminst\HPCD.sys
2008-09-15 06:43 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091520080916\index.dat

============= FINISH: 19:09:45.98 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 8/6/2004 12:32:21 PM
System Uptime: 8/18/2009 8:04:26 PM (23 hours ago)

Motherboard: ASUSTek Computer INC. | | Kelut
Processor: AMD Athlon(tm) XP 3000+ | Socket A | 2099/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 145 GiB total, 26.088 GiB free.
D: is FIXED (FAT32) - 4 GiB total, 0.594 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable
K: is Removable
L: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\8473AEE01800
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\8473AEE01800
Service: NIC1394

==== System Restore Points ===================

RP1047: 5/21/2009 9:17:16 PM - System Checkpoint
RP1048: 5/24/2009 10:27:44 PM - System Checkpoint
RP1049: 5/26/2009 6:44:35 AM - System Checkpoint
RP1050: 5/28/2009 8:08:16 PM - System Checkpoint
RP1051: 5/30/2009 6:56:48 AM - System Checkpoint
RP1052: 6/1/2009 3:48:54 PM - System Checkpoint
RP1053: 6/2/2009 5:18:28 PM - System Checkpoint
RP1054: 6/4/2009 6:43:51 PM - System Checkpoint
RP1055: 6/6/2009 6:56:28 AM - System Checkpoint
RP1056: 6/7/2009 7:41:50 AM - System Checkpoint
RP1057: 6/8/2009 1:38:57 PM - System Checkpoint
RP1058: 6/9/2009 10:29:15 PM - Removed Sony Ericsson PC Suite 1.20.237
RP1059: 6/9/2009 11:21:58 PM - Software Distribution Service 3.0
RP1060: 6/11/2009 5:20:20 AM - Software Distribution Service 3.0
RP1061: 6/12/2009 1:56:58 PM - System Checkpoint
RP1062: 6/13/2009 2:13:08 PM - System Checkpoint
RP1063: 6/14/2009 3:33:14 PM - System Checkpoint
RP1064: 6/15/2009 4:48:45 PM - System Checkpoint
RP1065: 6/17/2009 1:27:44 PM - System Checkpoint
RP1066: 6/18/2009 1:30:07 PM - System Checkpoint
RP1067: 6/19/2009 1:56:42 PM - System Checkpoint
RP1068: 6/20/2009 2:18:59 PM - System Checkpoint
RP1069: 6/21/2009 5:07:25 PM - System Checkpoint
RP1070: 6/22/2009 8:05:48 PM - System Checkpoint
RP1071: 6/24/2009 6:23:53 AM - System Checkpoint
RP1072: 6/25/2009 2:06:54 PM - System Checkpoint
RP1073: 6/26/2009 5:33:48 PM - System Checkpoint
RP1074: 6/28/2009 7:29:14 AM - System Checkpoint
RP1075: 6/29/2009 10:38:46 AM - Software Distribution Service 3.0
RP1076: 6/30/2009 7:30:46 PM - System Checkpoint
RP1077: 7/2/2009 4:06:07 PM - System Checkpoint
RP1078: 7/3/2009 4:55:00 PM - System Checkpoint
RP1079: 7/5/2009 5:20:28 PM - System Checkpoint
RP1080: 7/6/2009 5:40:53 PM - System Checkpoint
RP1081: 7/7/2009 5:42:16 PM - System Checkpoint
RP1082: 7/10/2009 10:42:24 AM - System Checkpoint
RP1083: 7/11/2009 10:57:44 AM - System Checkpoint
RP1084: 7/12/2009 12:58:17 PM - System Checkpoint
RP1085: 7/13/2009 6:19:27 PM - System Checkpoint
RP1086: 7/14/2009 7:30:40 PM - System Checkpoint
RP1087: 7/15/2009 4:53:17 AM - Software Distribution Service 3.0
RP1088: 7/16/2009 1:53:49 PM - System Checkpoint
RP1089: 7/17/2009 7:54:55 PM - System Checkpoint
RP1090: 7/20/2009 5:50:49 PM - System Checkpoint
RP1091: 7/21/2009 7:20:36 PM - System Checkpoint
RP1092: 7/22/2009 7:27:19 PM - System Checkpoint
RP1093: 7/24/2009 1:04:01 PM - System Checkpoint
RP1094: 7/26/2009 8:27:42 AM - System Checkpoint
RP1095: 7/27/2009 1:22:03 PM - System Checkpoint
RP1096: 7/28/2009 1:44:01 PM - Software Distribution Service 3.0
RP1097: 7/29/2009 2:17:07 PM - System Checkpoint
RP1098: 7/30/2009 5:11:47 PM - System Checkpoint
RP1099: 8/2/2009 2:34:16 PM - System Checkpoint
RP1100: 8/3/2009 5:06:59 PM - System Checkpoint
RP1101: 8/4/2009 7:54:46 PM - System Checkpoint
RP1102: 8/5/2009 8:04:58 PM - System Checkpoint
RP1103: 8/7/2009 5:18:49 PM - System Checkpoint
RP1104: 8/8/2009 5:24:18 PM - System Checkpoint
RP1105: 8/10/2009 7:42:04 AM - System Checkpoint
RP1106: 8/11/2009 2:01:17 PM - System Checkpoint
RP1107: 8/11/2009 6:46:23 PM - Restore Operation
RP1108: 8/11/2009 9:08:06 PM - Software Distribution Service 3.0
RP1109: 8/12/2009 10:24:25 PM - System Checkpoint
RP1110: 8/13/2009 9:28:13 PM - Installed STOPzilla. Available with Windows Installer version 1.2 and later.
RP1111: 8/14/2009 5:54:32 PM - Removed STOPzilla. Available with Windows Installer version 1.2 and later.
RP1112: 8/14/2009 10:32:48 PM - Software Distribution Service 3.0
RP1113: 8/15/2009 11:27:08 PM - Software Distribution Service 3.0
RP1114: 8/17/2009 7:24:49 PM - System Checkpoint
RP1115: 8/18/2009 9:13:51 PM - System Checkpoint

==== Installed Programs ======================

360Share(remove only)
Ad-Aware SE Personal
Adobe Flash Player 10 ActiveX
Adobe Photoshop Album 2.0
Adobe Reader 8
Agere Systems PCI Soft Modem
AnswerWorks 4.0 Runtime - English
AnswerWorks 5.0 English Runtime
AVS Disc Creator version 2.1
Calendar Creator
CC_ccStart
ccCommon
CCleaner (remove only)
ComcastSUPPORT
Compaq Instant Support
Compaq Organize
CompuServe
ConvertMovie 4.2
Crazy MiniGolf
Creative DVD Audio Plugin for Audigy Series
Critical Update for Windows Media Player 11 (KB959772)
CyberDefender Early Detection Center
Dave Ramsey's Financial Software 5.1
Digital Photo Navigator 1.5
DigitImg
Dirt Bike Racing
DiscWizard 2003
DVD X Copy Platinum 4.0.3
DVD X Rescue
DVD43 v3.5.2
DXG-503
eMusic Download Manager 4.1.2
EPSON Printer Software
EPSON Stylus CX7400 Series Scanner Driver Update
ewido security suite
exPressit S.E. 2.2
EXPStudio Audio Editor FREE 3.99a
Garmin City Navigator North America NT 2009 Update
Garmin Communicator Plugin
GdiplusUpgrade
Google Earth
Green Eggs and Ham
HijackThis 2.0.2
Hollywood FX 5.5 Additional Effects
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Format SDK (KB910998)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
HP Design Studio Holiday Greeting Cards 2.0
hp deskjet 3600
HP Memories Disc
HP Photo and Imaging 2.0 - Deskjet Series
HP Photosmart Essential
hp print screen utility
HP Software Update
HpSdpAppCoreApp
Indeo® Software
Intel(R) Integrated Performance Primitives RTI 4.0
IntelliMover Data Transfer Demo
InterActual Player
InterVideo WinDVD 6
InterVideo WinDVD Creator 2
InterVideo WinDVD Player
ItsDeductible Express
iTunes
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 5
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_06
JumpStart Advanced 1st Grade
JumpStart Art Club
JumpStart Music
JumpStart World Presents Pet Playground
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Professional
Microsoft Office Standard Edition 2003
Microsoft Plus! Digital Media Edition
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visio Professional 2002 [English]
Microsoft Visual C++ 2005 Redistributable
Microsoft Web Publishing Wizard 1.52
Microsoft Works 7.0
MSN
MSRedist
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
My Sirius Studio
NASCAR® Racing 4
Norton AntiVirus 2004
Norton AntiVirus 2004 (Symantec Corporation)
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton WMI Update
OneTouch Software
Panda ActiveScan
PaperPort 6.5
PC-Doctor for Windows
Photosmart 140,240,7200,7600,7700,7900 Series
Pinnacle Hollywood FX for Studio
Pirate Poppers
PokerStars
Power Chips
PowerCinema NE for Everio
PowerDirector Express
PowerProducer
Prerequisite Checker 5.0
Presto! Mr. Photo 3
PrintMaster 16
proDAD Heroglyph 1.0
proDAD Heroglyph 2.0
PS2
PS7700
PSShortcuts
PSUsage
Python 2.2 combined Win32 extensions
Python 2.2.1
Quicken 2004
QuickTime
RealArcade
RealPlayer
S3 S3Display
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Shockwave
Smart Start UP
SmartSoft Video Converter
Sompy MovieEncoder version 1.0.0314
Spy Sweeper
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
SpywareBlaster v3.4
Studio 9
Studio 9 Content CD/DVD
Studio 9.4 Patch
Superbike
Switch Uninstall
Symantec Network Drivers Update
Symantec Script Blocking Installer
SymNet
The Playa
TurboTax 2008
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wpaiper
TurboTax 2008 wrapper
TurboTax Deluxe 2004
TurboTax Deluxe 2005
TurboTax Deluxe 2007
TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2005
TurboTax ItsDeductible 2006
Unity Web Player
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
VIA Rhine-Family Fast Ethernet Adapter
VIA/S3G Display Driver
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Visioneer 4400 Scanner
WD Diagnostics
WebFldrs XP
WexTech AnswerWorks
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Movie Maker 2.0
Windows XP Service Pack 3
WinPatrol
WinWay Resume 4.0

==== Event Viewer Messages From Past Week ========

8/15/2009 9:12:32 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service LiveUpdate with arguments "" in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}
8/15/2009 9:12:09 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the LiveUpdate service to connect.
8/15/2009 9:12:09 PM, error: Service Control Manager [7000] - The LiveUpdate service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/15/2009 9:11:17 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service iPodService with arguments "-Service" in order to run the server: {7A7FB085-6068-4898-8CCA-480A9187277C}
8/15/2009 9:10:49 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the service.
8/15/2009 9:10:20 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the iPodService service.
8/14/2009 8:14:37 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK7 Fips IPSec MRxSmb NetBIOS NetBT PCLEPCI RasAcd Rdbss SAVRT SAVRTPEL SYMTDI Tcpip
8/14/2009 8:14:37 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
8/14/2009 8:14:37 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/14/2009 8:14:37 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/14/2009 8:14:37 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBT service which failed to start because of the following error: A device attached to the system is not functioning.
8/14/2009 8:14:19 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
8/14/2009 8:14:00 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/14/2009 7:53:11 PM, error: Service Control Manager [7031] - The Windows Driver Foundation - User-mode Driver Framework service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
8/14/2009 7:53:08 PM, error: Service Control Manager [7034] - The Norton AntiVirus Auto Protect Service service terminated unexpectedly. It has done this 1 time(s).
8/14/2009 7:53:01 PM, error: Service Control Manager [7034] - The Cyberlink RichVideo Service(CRVS) service terminated unexpectedly. It has done this 1 time(s).
8/14/2009 7:52:58 PM, error: Service Control Manager [7034] - The SymWMI Service service terminated unexpectedly. It has done this 1 time(s).
8/14/2009 7:52:55 PM, error: Service Control Manager [7034] - The Windows Image Acquisition (WIA) service terminated unexpectedly. It has done this 1 time(s).
8/14/2009 7:52:52 PM, error: Service Control Manager [7034] - The Symantec Event Manager service terminated unexpectedly. It has done this 1 time(s).
8/14/2009 7:52:44 PM, error: Service Control Manager [7034] - The HTTP SSL service terminated unexpectedly. It has done this 1 time(s).
8/14/2009 5:56:24 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
8/14/2009 5:52:10 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the szserver service.
8/14/2009 5:27:08 PM, error: Service Control Manager [7000] - The SAVRT service failed to start due to the following error: The system cannot find the file specified.
8/14/2009 5:27:08 PM, error: SAVRT [6] - Incompatible version of SYMEVENT.SYS is loaded.
8/14/2009 5:27:05 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: fasttx2k IntelIde SAVRT SISAGP
8/14/2009 5:27:00 PM, error: Service Control Manager [7001] - The SAVScan service depends on the SAVRT service which failed to start because of the following error: A device attached to the system is not functioning.
8/14/2009 5:27:00 PM, error: Service Control Manager [7000] - The mrtRate service failed to start due to the following error: The system cannot find the file specified.
8/14/2009 4:12:50 PM, error: Service Control Manager [7000] - The SAVRT service failed to start due to the following error: A device attached to the system is not functioning.
8/13/2009 9:12:07 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\userinit.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
8/13/2009 9:09:32 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file userinit.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
8/13/2009 7:46:12 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SAVRT

==== End Of File ===========================

GMER 1.0.15.15077 [2zkjzsgm.exe] - http://www.gmer.net
Rootkit scan 2009-08-20 05:16:56
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\ewido\security suite\guard.sys ZwOpenProcess [0xF7BD468C]
SSDT \??\C:\Program Files\ewido\security suite\guard.sys ZwTerminateProcess [0xF7BD4604]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0xFF 0x7C 0x85 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xF8 0x31 0x0F 0xA9 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...

---- EOF - GMER 1.0.15 ----

by **jmw3** » August 20th, 2009, 5:44 am

MRU P2P Policy
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

360Share

I'd like you to read the MRU policy for P2P Programs.
Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) & any other P2P programs.

Once this is done run DDS again & post both logs.

by **dilligaf375** » August 20th, 2009, 5:37 pm

I uninstalled 360 share and ran the DDS again. Also, I haven't used 360 share in about 2 to 4 months. Here are my logs.

DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 17:30:49.06 on Thu 08/20/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.140 [GMT -4:00]

AV: CyberDefender Internet Security *On-access scanning enabled* (Updated) {4E7A1CCA-8140-473D-88EE-9B74B550315E}
AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {B5510F6F-87E1-47F7-A411-360BC453007C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Owner\Desktop\spyware recovery tools\New Folder\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/home.html
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uWindow Title = Microsoft Internet Explorer provided by Comcast
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mWindow Title = Microsoft Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PPWebCap] c:\progra~1\scansoft\paperp~1\PPWebCap.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [iTunesHelper] c:\program files\itunes\iTunesHelper.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [VTTimer] VTTimer.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HPHUPD05] c:\program files\hewlett-packard\{45b6180b-dcab-4093-8ee8-6164457517f0}\hphupd05.exe
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [PinnacleDriverCheck] c:\windows\system32\PSDrvCheck.exe -CheckReg
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd.exe"
mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mRun: [EverioService] "c:\program files\cyberlink\pcm4everio\EverioService.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SpybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
mRun: [P2P Networking] c:\windows\system32\p2p networking\P2P Networking.exe /AUTOSTART
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\compus~1.lnk - c:\compuserve 2000\cstray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\1940576\program\BackWeb-1940576.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventr~1.lnk - c:\program files\printmaster 16\pmremind.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
IE: Add To Compaq Organize... - c:\progra~1\hewlet~1\compaq~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shoc ... tor/sw.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/v ... .2.4.3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan ... asinst.cab
DPF: {A3D93B25-4601-49D2-B3AF-F447C73D561F} - hxxp://webcam01.thenewarkarena.com:4448 ... 25View.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/aut ... s-i586.cab
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/aut ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/sh ... wflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/games/popcaploader_v6.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: CShellExecuteHookImpl Object: {54d9498b-cf93-414f-8984-8ce7fde0d391} - c:\program files\ewido\security suite\shellhook.dll

============= SERVICES / DRIVERS ===============

R1 ewido security suite driver;ewido security suite driver;c:\program files\ewido\security suite\guard.sys [2004-11-22 3072]
R1 SAVRTPEL;SAVRTPEL;c:\program files\norton antivirus\savrtpel.sys [2005-12-16 37000]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2003-11-10 255600]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2003-11-10 235120]
R2 ewido security suite control;ewido security suite control;c:\program files\ewido\security suite\ewidoctrl.exe [2004-11-11 16448]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-12-9 13088]
R2 navapsvc;Norton AntiVirus Auto Protect Service;c:\program files\norton antivirus\NAVAPSVC.EXE [2004-3-17 158848]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2005-12-16 602112]
R3 DVC150B;Dazzle DVC 150B;c:\windows\system32\drivers\dvc150b.sys [2005-12-25 30976]
S1 SAVRT;SAVRT;c:\program files\norton antivirus\savrt.sys [2005-12-16 305288]
S2 mrtRate;mrtRate; [x]
S2 SAVScan;SAVScan;c:\program files\norton antivirus\SAVSCAN.EXE [2003-11-7 194272]
S2 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2003-6-24 66784]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2003-11-10 87664]
S3 CDAVFS;CDAVFS;c:\windows\system32\drivers\CDAVFS.sys [2009-8-14 67424]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20061213.022\NAVENG.Sys [2006-12-13 79240]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20061213.022\NavEx15.Sys [2006-12-13 831880]
S3 pmxscan;Visioneer USB Kernel;c:\windows\system32\drivers\usbscan.sys [2004-8-8 15104]
S4 ewido security suite guard;ewido security suite guard;c:\program files\ewido\security suite\ewidoguard.exe [2006-10-30 151616]

=============== Created Last 30 ================

2009-08-15 21:19 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-08-14 22:40 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-14 22:39 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-14 22:39 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-14 22:39 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-14 22:39 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-14 22:39 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-14 22:39 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-08-14 22:39 <DIR> --d----- C:\77ac5688eb8fd6e347a49fb2d6f9d830
2009-08-14 22:39 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-14 22:38 <DIR> --d----- c:\windows\SxsCaPendDel
2009-08-14 21:08 <DIR> --d----- c:\program files\Trend Micro
2009-08-14 19:28 60 a------- c:\windows\av_affiliate.ini
2009-08-14 19:28 60 a------- c:\windows\as_affiliate.ini
2009-08-14 19:26 67,424 a------- c:\windows\system32\drivers\CDAVFS.sys
2009-08-14 19:26 <DIR> --d----- c:\program files\CyberDefender
2009-08-14 17:34 760 a------- c:\windows\system32\drivers\kgpfr2.cfg
2009-08-14 17:28 4,352 a------- c:\windows\system32\drivers\kgpcpy.cfg
2009-08-13 21:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-08-13 21:28 <DIR> --d----- c:\program files\common files\iS3
2009-08-13 21:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-08-11 20:26 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-11 20:25 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-11 18:47 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-08-05 05:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll

==================== Find3M ====================

2009-08-13 21:10 26,112 a------- c:\windows\system32\userinit.exe
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-25 04:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 04:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 04:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 04:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 04:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 04:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-24 07:18 92,928 a------- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2007-06-25 22:07 576 a------- c:\documents and settings\owner\test.dat
2005-11-28 14:34 2,855,080 a---h--- c:\program files\aawsepersonal.exe
2005-03-07 13:38 543,269 a---h--- c:\program files\DVD43_3-5-2_Setup.exe
2005-01-24 14:53 3,249,463 a---h--- c:\program files\dxcp.exe
2004-12-18 22:30 3,479,664 a---h--- c:\program files\ICopyDVDs2-Standard.zip
2004-08-30 17:50 476 a---h--- c:\documents and settings\owner\hpothb07.dat
2004-08-30 17:48 164 a---h--- c:\documents and settings\all users\hpothb07.dat
2004-08-30 17:48 185 a---h--- c:\docume~1\alluse~1\applic~1\hpothb07.dat
2001-08-22 14:15 245,760 a------- c:\windows\inf\i386\viceo.dll
2001-08-22 14:13 32,768 a------- c:\windows\inf\i386\Pmicro.dll
2001-08-22 14:13 61,440 a------- c:\windows\inf\i386\gl.dll
2001-08-03 19:29 13,824 a------- c:\windows\inf\i386\Usbscan.sys
1999-07-18 21:05 15,716 a------- c:\windows\inf\i386\Pmxscan.sys
2004-08-07 12:13 0 ac-sh--- c:\windows\sminst\HPCD.sys
2008-09-15 06:43 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091520080916\index.dat

============= FINISH: 17:31:54.42 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 8/6/2004 12:32:21 PM
System Uptime: 8/20/2009 5:14:11 PM (0 hours ago)

Motherboard: ASUSTek Computer INC. | | Kelut
Processor: AMD Athlon(tm) XP 3000+ | Socket A | 2099/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 145 GiB total, 26.095 GiB free.
D: is FIXED (FAT32) - 4 GiB total, 0.594 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable
K: is Removable
L: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\8473AEE01800
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\8473AEE01800
Service: NIC1394

==== System Restore Points ===================

RP1048: 5/24/2009 10:27:44 PM - System Checkpoint
RP1049: 5/26/2009 6:44:35 AM - System Checkpoint
RP1050: 5/28/2009 8:08:16 PM - System Checkpoint
RP1051: 5/30/2009 6:56:48 AM - System Checkpoint
RP1052: 6/1/2009 3:48:54 PM - System Checkpoint
RP1053: 6/2/2009 5:18:28 PM - System Checkpoint
RP1054: 6/4/2009 6:43:51 PM - System Checkpoint
RP1055: 6/6/2009 6:56:28 AM - System Checkpoint
RP1056: 6/7/2009 7:41:50 AM - System Checkpoint
RP1057: 6/8/2009 1:38:57 PM - System Checkpoint
RP1058: 6/9/2009 10:29:15 PM - Removed Sony Ericsson PC Suite 1.20.237
RP1059: 6/9/2009 11:21:58 PM - Software Distribution Service 3.0
RP1060: 6/11/2009 5:20:20 AM - Software Distribution Service 3.0
RP1061: 6/12/2009 1:56:58 PM - System Checkpoint
RP1062: 6/13/2009 2:13:08 PM - System Checkpoint
RP1063: 6/14/2009 3:33:14 PM - System Checkpoint
RP1064: 6/15/2009 4:48:45 PM - System Checkpoint
RP1065: 6/17/2009 1:27:44 PM - System Checkpoint
RP1066: 6/18/2009 1:30:07 PM - System Checkpoint
RP1067: 6/19/2009 1:56:42 PM - System Checkpoint
RP1068: 6/20/2009 2:18:59 PM - System Checkpoint
RP1069: 6/21/2009 5:07:25 PM - System Checkpoint
RP1070: 6/22/2009 8:05:48 PM - System Checkpoint
RP1071: 6/24/2009 6:23:53 AM - System Checkpoint
RP1072: 6/25/2009 2:06:54 PM - System Checkpoint
RP1073: 6/26/2009 5:33:48 PM - System Checkpoint
RP1074: 6/28/2009 7:29:14 AM - System Checkpoint
RP1075: 6/29/2009 10:38:46 AM - Software Distribution Service 3.0
RP1076: 6/30/2009 7:30:46 PM - System Checkpoint
RP1077: 7/2/2009 4:06:07 PM - System Checkpoint
RP1078: 7/3/2009 4:55:00 PM - System Checkpoint
RP1079: 7/5/2009 5:20:28 PM - System Checkpoint
RP1080: 7/6/2009 5:40:53 PM - System Checkpoint
RP1081: 7/7/2009 5:42:16 PM - System Checkpoint
RP1082: 7/10/2009 10:42:24 AM - System Checkpoint
RP1083: 7/11/2009 10:57:44 AM - System Checkpoint
RP1084: 7/12/2009 12:58:17 PM - System Checkpoint
RP1085: 7/13/2009 6:19:27 PM - System Checkpoint
RP1086: 7/14/2009 7:30:40 PM - System Checkpoint
RP1087: 7/15/2009 4:53:17 AM - Software Distribution Service 3.0
RP1088: 7/16/2009 1:53:49 PM - System Checkpoint
RP1089: 7/17/2009 7:54:55 PM - System Checkpoint
RP1090: 7/20/2009 5:50:49 PM - System Checkpoint
RP1091: 7/21/2009 7:20:36 PM - System Checkpoint
RP1092: 7/22/2009 7:27:19 PM - System Checkpoint
RP1093: 7/24/2009 1:04:01 PM - System Checkpoint
RP1094: 7/26/2009 8:27:42 AM - System Checkpoint
RP1095: 7/27/2009 1:22:03 PM - System Checkpoint
RP1096: 7/28/2009 1:44:01 PM - Software Distribution Service 3.0
RP1097: 7/29/2009 2:17:07 PM - System Checkpoint
RP1098: 7/30/2009 5:11:47 PM - System Checkpoint
RP1099: 8/2/2009 2:34:16 PM - System Checkpoint
RP1100: 8/3/2009 5:06:59 PM - System Checkpoint
RP1101: 8/4/2009 7:54:46 PM - System Checkpoint
RP1102: 8/5/2009 8:04:58 PM - System Checkpoint
RP1103: 8/7/2009 5:18:49 PM - System Checkpoint
RP1104: 8/8/2009 5:24:18 PM - System Checkpoint
RP1105: 8/10/2009 7:42:04 AM - System Checkpoint
RP1106: 8/11/2009 2:01:17 PM - System Checkpoint
RP1107: 8/11/2009 6:46:23 PM - Restore Operation
RP1108: 8/11/2009 9:08:06 PM - Software Distribution Service 3.0
RP1109: 8/12/2009 10:24:25 PM - System Checkpoint
RP1110: 8/13/2009 9:28:13 PM - Installed STOPzilla. Available with Windows Installer version 1.2 and later.
RP1111: 8/14/2009 5:54:32 PM - Removed STOPzilla. Available with Windows Installer version 1.2 and later.
RP1112: 8/14/2009 10:32:48 PM - Software Distribution Service 3.0
RP1113: 8/15/2009 11:27:08 PM - Software Distribution Service 3.0
RP1114: 8/17/2009 7:24:49 PM - System Checkpoint
RP1115: 8/18/2009 9:13:51 PM - System Checkpoint
RP1116: 8/20/2009 12:09:06 AM - System Checkpoint

==== Installed Programs ======================

Ad-Aware SE Personal
Adobe Flash Player 10 ActiveX
Adobe Photoshop Album 2.0
Adobe Reader 8
Agere Systems PCI Soft Modem
AnswerWorks 4.0 Runtime - English
AnswerWorks 5.0 English Runtime
AVS Disc Creator version 2.1
Calendar Creator
CC_ccStart
ccCommon
CCleaner (remove only)
ComcastSUPPORT
Compaq Instant Support
Compaq Organize
CompuServe
ConvertMovie 4.2
Crazy MiniGolf
Creative DVD Audio Plugin for Audigy Series
Critical Update for Windows Media Player 11 (KB959772)
CyberDefender Early Detection Center
Dave Ramsey's Financial Software 5.1
Digital Photo Navigator 1.5
DigitImg
Dirt Bike Racing
DiscWizard 2003
DVD X Copy Platinum 4.0.3
DVD X Rescue
DVD43 v3.5.2
DXG-503
eMusic Download Manager 4.1.2
EPSON Printer Software
EPSON Stylus CX7400 Series Scanner Driver Update
ewido security suite
exPressit S.E. 2.2
EXPStudio Audio Editor FREE 3.99a
Garmin City Navigator North America NT 2009 Update
Garmin Communicator Plugin
GdiplusUpgrade
Google Earth
Green Eggs and Ham
HijackThis 2.0.2
Hollywood FX 5.5 Additional Effects
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Format SDK (KB910998)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
HP Design Studio Holiday Greeting Cards 2.0
hp deskjet 3600
HP Memories Disc
HP Photo and Imaging 2.0 - Deskjet Series
HP Photosmart Essential
hp print screen utility
HP Software Update
HpSdpAppCoreApp
Indeo® Software
Intel(R) Integrated Performance Primitives RTI 4.0
IntelliMover Data Transfer Demo
InterActual Player
InterVideo WinDVD 6
InterVideo WinDVD Creator 2
InterVideo WinDVD Player
ItsDeductible Express
iTunes
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 5
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_06
JumpStart Advanced 1st Grade
JumpStart Art Club
JumpStart Music
JumpStart World Presents Pet Playground
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Professional
Microsoft Office Standard Edition 2003
Microsoft Plus! Digital Media Edition
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visio Professional 2002 [English]
Microsoft Visual C++ 2005 Redistributable
Microsoft Web Publishing Wizard 1.52
Microsoft Works 7.0
MSN
MSRedist
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
My Sirius Studio
NASCAR® Racing 4
Norton AntiVirus 2004
Norton AntiVirus 2004 (Symantec Corporation)
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton WMI Update
OneTouch Software
Panda ActiveScan
PaperPort 6.5
PC-Doctor for Windows
Photosmart 140,240,7200,7600,7700,7900 Series
Pinnacle Hollywood FX for Studio
Pirate Poppers
PokerStars
Power Chips
PowerCinema NE for Everio
PowerDirector Express
PowerProducer
Prerequisite Checker 5.0
Presto! Mr. Photo 3
PrintMaster 16
proDAD Heroglyph 1.0
proDAD Heroglyph 2.0
PS2
PS7700
PSShortcuts
PSUsage
Python 2.2 combined Win32 extensions
Python 2.2.1
Quicken 2004
QuickTime
RealArcade
RealPlayer
S3 S3Display
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Shockwave
Smart Start UP
SmartSoft Video Converter
Sompy MovieEncoder version 1.0.0314
Spy Sweeper
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
SpywareBlaster v3.4
Studio 9
Studio 9 Content CD/DVD
Studio 9.4 Patch
Superbike
Switch Uninstall
Symantec Network Drivers Update
Symantec Script Blocking Installer
SymNet
The Playa
TurboTax 2008
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wpaiper
TurboTax 2008 wrapper
TurboTax Deluxe 2004
TurboTax Deluxe 2005
TurboTax Deluxe 2007
TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2005
TurboTax ItsDeductible 2006
Unity Web Player
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
VIA Rhine-Family Fast Ethernet Adapter
VIA/S3G Display Driver
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Visioneer 4400 Scanner
WD Diagnostics
WebFldrs XP
WexTech AnswerWorks
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Movie Maker 2.0
Windows XP Service Pack 3
WinPatrol
WinWay Resume 4.0

==== Event Viewer Messages From Past Week ========

8/15/2009 9:12:32 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service LiveUpdate with arguments "" in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}
8/15/2009 9:12:09 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the LiveUpdate service to connect.
8/15/2009 9:12:09 PM, error: Service Control Manager [7000] - The LiveUpdate service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/15/2009 9:11:17 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service iPodService with arguments "-Service" in order to run the server: {7A7FB085-6068-4898-8CCA-480A9187277C}
8/15/2009 9:10:49 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the service.
8/15/2009 9:10:20 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the iPodService service.
8/14/2009 8:14:37 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK7 Fips IPSec MRxSmb NetBIOS NetBT PCLEPCI RasAcd Rdbss SAVRT SAVRTPEL SYMTDI Tcpip
8/14/2009 8:14:37 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
8/14/2009 8:14:37 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/14/2009 8:14:37 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/14/2009 8:14:37 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBT service which failed to start because of the following error: A device attached to the system is not functioning.
8/14/2009 8:14:19 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
8/14/2009 8:14:00 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/14/2009 7:53:11 PM, error: Service Control Manager [7031] - The Windows Driver Foundation - User-mode Driver Framework service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
8/14/2009 7:53:08 PM, error: Service Control Manager [7034] - The Norton AntiVirus Auto Protect Service service terminated unexpectedly. It has done this 1 time(s).
8/14/2009 7:53:01 PM, error: Service Control Manager [7034] - The Cyberlink RichVideo Service(CRVS) service terminated unexpectedly. It has done this 1 time(s).
8/14/2009 7:52:58 PM, error: Service Control Manager [7034] - The SymWMI Service service terminated unexpectedly. It has done this 1 time(s).
8/14/2009 7:52:55 PM, error: Service Control Manager [7034] - The Windows Image Acquisition (WIA) service terminated unexpectedly. It has done this 1 time(s).
8/14/2009 7:52:52 PM, error: Service Control Manager [7034] - The Symantec Event Manager service terminated unexpectedly. It has done this 1 time(s).
8/14/2009 7:52:44 PM, error: Service Control Manager [7034] - The HTTP SSL service terminated unexpectedly. It has done this 1 time(s).
8/14/2009 5:56:24 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
8/14/2009 5:52:10 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the szserver service.
8/14/2009 5:27:08 PM, error: Service Control Manager [7000] - The SAVRT service failed to start due to the following error: The system cannot find the file specified.
8/14/2009 5:27:08 PM, error: SAVRT [6] - Incompatible version of SYMEVENT.SYS is loaded.
8/14/2009 5:27:05 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: fasttx2k IntelIde SAVRT SISAGP
8/14/2009 5:27:00 PM, error: Service Control Manager [7001] - The SAVScan service depends on the SAVRT service which failed to start because of the following error: A device attached to the system is not functioning.
8/14/2009 5:27:00 PM, error: Service Control Manager [7000] - The mrtRate service failed to start due to the following error: The system cannot find the file specified.
8/14/2009 4:12:50 PM, error: Service Control Manager [7000] - The SAVRT service failed to start due to the following error: A device attached to the system is not functioning.
8/13/2009 9:12:07 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\userinit.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
8/13/2009 9:09:32 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file userinit.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
8/13/2009 7:46:12 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SAVRT

==== End Of File ===========================

by **jmw3** » August 21st, 2009, 1:20 am

Hi
You have some really old software on this computer including numerous Anti-Virus & Anti-Spyware programs:
CyberDefender Early Detection Center
ewido security suite
Norton AntiVirus 2004
Norton AntiVirus 2004 (Symantec Corporation)
Spybot - Search & Destroy 1.4
SpywareBlaster v3.4
This is not good. I'm assuming that CyberDefender is your current Anti-Virus protection. Is that correct? If so the ewido & Norton need to be uninstalled. You should also uninstall the old versions of Spybot Search & Destroy & SpywareBlaster. These two can be reinstalled with the latest versions when we're done cleaning.
And what about WinPatrol? What version is that? The current versions is 16.1.2009.1:16.1.2009.1. You can check this by opening WinPatrol, then click the PLUS tab. Your version will be displayed at the top.
Let me know what the status is of the above & I can give you some links to Removal Tools if needed.

Disable Spybot's TeaTimer 1.5 & 1.6

If you have version 1.5, right click the Spybot Icon in the system tray near the clock (looks like a blue/white calendar with a padlock symbol)
Click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless
Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy
Click on Mode > Advanced Mode. When it prompts you, click Yes
On the left hand side, click on Tools
Check this box if it is not yet ticked: Resident
You will notice that Resident is now added under Tools. Click on Resident
Uncheck this box: Resident "TeaTimer" (Protection of over-all system settings) active
Exit Spybot Search & Destroy
Restart your computer for the changes to take effect

Leave TeaTimer disabled until we're done here.

ComboFix
Download ComboFix from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links):
Link 1
Link 2

**IMPORTANT !!! Save ComboFix.exe to your Desktop**

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
A guide to do this can be found here
Double click on ComboFix.exe & follow the prompts
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

To post in next reply:
ComboFix log
New HijackThis log
Update on how the computer is running

by **dilligaf375** » August 21st, 2009, 7:02 pm

Cyber defender, I downloaded accidentally when searching for a solution to this problem. I thought it might be a fake program and never intended to use it. I had trouble shutting it off to run ComboFix so I just uninstalled it.

I was using Ewido every once in a while to do system scans at the recomendation of this site starting back in 2005. When I tried to update it recently it linked to AVG 8 and again I thought it might be a by product of this infection since I had never heard of it before.

I installed Norton whe we purchased the PC and purchased the renewal once, a year later.

Spybot was also recomended by this site last time I had a problem.

Spyware Blaster was downloaded and ran at the request of this site also.

WinPatrol versin is 9.8.0.0:9.8.0.0

I usually have Winpatrol and Spybot running in the background all the time.

I ran the ComboFix and HJT. Things seem to be running OK I guess. WinPatrol and Spybot kept popping warnings about sdra64.exe and a windows system 32 thing. I will keep an eye out for them. I would definitly like suggestions on a really good security program and help cleaning out the old outdated ones. Here's my logs.

ComboFix 09-08-20.07 - Owner 08/21/2009 18:19.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.207 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\spyware recovery tools\New Folder\ComboFix.exe
AV: CyberDefender Internet Security *On-access scanning enabled* (Updated) {08D351A8-8FA7-42C3-A754-3F05246C14B0}
AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {B5510F6F-87E1-47F7-A411-360BC453007C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\progra~1\COMMON~1\{60C10~1
c:\progra~1\COMMON~1\{60C10~2
c:\program files\Common Files\download
c:\program files\Common Files\download\mc-110-12-0000140.exe
c:\program files\MyWay
c:\program files\outlook
c:\program files\outlook\p.zip
c:\recycler\S-1-5-21-1180975056-3221489076-3856198511-1003
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Fonts\acrsec.fon
c:\windows\Fonts\acrsecB.fon
c:\windows\Fonts\acrsecI.fon
c:\windows\IA
c:\windows\Installer\1447e.msi
c:\windows\Installer\888e0.msi
c:\windows\new_drv.sys
c:\windows\patch.exe
c:\windows\Readme.txt
c:\windows\smdat32m.sys
c:\windows\system32\ARAudioCDGrabber2.dll
c:\windows\system32\ARAudioPlayer2.dll
c:\windows\system32\ARAudioTransform2.dll
c:\windows\system32\lowsec
c:\windows\system32\twain.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Legacy_NEW_DRV

((((((((((((((((((((((((( Files Created from 2009-07-21 to 2009-08-21 )))))))))))))))))))))))))))))))
.

2009-08-15 02:40 . 2009-08-15 02:40 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-08-15 02:40 . 2009-08-15 02:40 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-15 02:39 . 2009-08-15 02:39 -------- d-----w- c:\program files\MSBuild
2009-08-15 02:39 . 2009-08-15 02:39 -------- d-----w- c:\program files\Reference Assemblies
2009-08-15 02:39 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-15 02:39 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-15 02:39 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-15 02:39 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-15 02:39 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-15 02:39 . 2009-08-15 02:39 -------- d-----w- C:\77ac5688eb8fd6e347a49fb2d6f9d830
2009-08-15 02:39 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-15 02:39 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-15 02:38 . 2009-08-16 01:08 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-15 01:08 . 2009-08-15 01:08 -------- d-----w- c:\program files\Trend Micro
2009-08-14 01:29 . 2009-08-14 07:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-08-14 01:28 . 2009-08-14 01:28 -------- d-----w- c:\program files\Common Files\iS3
2009-08-14 01:28 . 2009-08-14 21:55 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-08-12 00:25 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-11 22:47 . 2009-08-11 22:47 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-14 23:48 . 2005-11-29 18:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-14 22:04 . 2004-04-02 09:51 -------- d-----w- c:\program files\IntelliMover Data Transfer Demo
2009-08-14 21:34 . 2009-08-14 21:28 4352 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-08-14 21:34 . 2009-08-14 21:34 760 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2009-08-14 01:10 . 2004-04-29 21:08 26112 ----a-w- c:\windows\system32\userinit.exe
2009-08-13 01:41 . 2005-11-29 18:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-10 10:53 . 2007-03-22 05:56 -------- d-----w- c:\program files\PokerStars
2009-08-05 09:01 . 2002-12-12 15:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-04-29 23:01 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-04-02 08:45 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-02-06 23:05 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-03 00:10 . 2009-07-03 00:10 -------- d-----w- c:\documents and settings\Owner\Application Data\eMusic
2009-07-03 00:10 . 2009-07-03 00:10 -------- d-----w- c:\program files\eMusic Download Manager
2009-06-25 08:25 . 2004-04-29 23:03 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-04-29 23:02 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-04-29 21:08 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-04-29 21:06 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-04-29 21:06 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-04-29 21:06 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-04-02 06:52 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-04-29 23:02 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-04-29 21:08 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-04-02 06:52 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-04-29 23:01 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2004-04-29 21:06 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-04-02 06:52 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2003-05-31 00:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2005-11-28 18:34 . 2005-11-28 18:33 2855080 ---ha-w- c:\program files\aawsepersonal.exe
2005-03-07 17:38 . 2005-03-07 17:38 543269 ---ha-w- c:\program files\DVD43_3-5-2_Setup.exe
2005-01-24 18:53 . 2005-01-24 18:52 3249463 ---ha-w- c:\program files\dxcp.exe
2004-12-19 02:30 . 2004-12-19 02:30 3479664 ---ha-w- c:\program files\ICopyDVDs2-Standard.zip
2004-08-07 16:13 . 2004-08-07 16:13 0 -csha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"PPWebCap"="c:\progra~1\ScanSoft\PAPERP~1\PPWebCap.exe" [2000-03-01 48128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-01-17 229376]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-05-07 188416]
"HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-22 49152]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-22 483328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-04-02 98304]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-01-31 180269]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2005-11-15 222784]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-22 71280]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-24 233472]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2006-11-23 151552]
"SpybotSnD"="c:\program files\Spybot - Search & Destroy\SpybotSD.exe" [2009-01-26 5365592]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2004-10-22 53248]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-03-04 88209]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\support.com\\bin\\tgcmd.exe"=
"c:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"=
"c:\\Program Files\\CyberLink\\PCM4Everio\\EverioService.exe"=

R1 ewido security suite driver;ewido security suite driver;c:\program files\ewido\security suite\guard.sys [11/22/2004 10:15 AM 3072]
R3 DVC150B;Dazzle DVC 150B;c:\windows\system32\drivers\dvc150b.sys [12/25/2005 11:38 PM 30976]
S2 mrtRate;mrtRate; [x]
S3 pmxscan;Visioneer USB Kernel;c:\windows\system32\drivers\usbscan.sys [8/8/2004 9:23 PM 15104]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-19 c:\windows\Tasks\dfrg.job
- c:\windows\system32\dfrg.msc [2004-04-29 01:05]

2009-08-21 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-04-29 00:12]

2009-08-21 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe [2004-08-08 13:03]

2009-08-15 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Owner.job
- c:\progra~1\NORTON~1\Navw32.exe [2004-03-17 11:23]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-P2P Networking - c:\windows\System32\P2P Networking\P2P Networking.exe

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/home.html
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mWindow Title = Microsoft Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
IE: Add To Compaq Organize... - c:\progra~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-21 18:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,3d,63,c7,ed,24,
4c,12,64,c8,28,51,af,b0,29,a3,98,01,b8,df,84,21,73,45,7a,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,65,4f,a3,23,a0,
40,23,68,71,3b,04,66,8b,46,0d,96,10,66,43,fd,4a,7b,72,f1,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,46,0b,0f,66,fa,
d1,84,f0,25,da,ec,7e,55,20,c9,26,d3,5b,51,fd,ec,2c,11,ca,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,d7,19,b2,7c,4d,
3c,56,dc,3e,1e,9e,e0,57,5a,93,61,86,34,ce,be,e5,a5,dc,64,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,1a,b9,82,dc,5f,
d6,18,a8,cd,44,cd,b9,a6,33,6c,cd,a0,aa,4c,b7,de,34,6b,38,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,86,93,c5,ed,f2,
c0,10,88,b0,18,ed,a7,3f,8d,37,a4,25,66,30,d0,4c,11,85,0a,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,7b,eb,1c,fe,e9,
0c,a2,e7,31,77,e1,ba,b1,f8,68,02,50,c8,1c,31,4a,e1,71,0e,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,bb,9c,b5,27,15,
fc,fe,d6,83,6c,56,8b,a0,85,96,ab,2c,85,50,00,e7,2d,cb,b9,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,77,d8,de,3a,3e,
39,0e,3d,51,fa,6e,91,28,9e,14,cc,7c,e4,b5,d8,8f,4e,1f,6d,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,76,16,0b,15,87,
9a,3a,97,b1,cd,45,5a,a8,c4,f8,b9,64,bd,77,5d,63,e7,e6,08,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:f8,31,0f,a9,5f,a0,ec,fb,0a,55,05,b2,04,
1a,9a,36,e3,0e,66,d5,eb,bc,2f,6b,e8,c3,11,26,17,c6,99,ce,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,4a,37,1a,a3,bd,
82,74,a6,fa,ea,66,7f,d4,3b,6b,70,c3,8d,89,93,84,b6,08,82,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3296)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\ewido\security suite\ewidoctrl.exe
c:\windows\system32\gearsec.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Norton AntiVirus\NAVAPSVC.EXE
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Common Files\Symantec Shared\Security Center\symwsc.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-21 18:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-21 22:42

Pre-Run: 27,925,958,656 bytes free
Post-Run: 27,825,164,288 bytes free

Current=4 Default=4 Failed=1 LastKnownGood=5 Sets=,1,2,4,5
278 --- E O F --- 2009-08-16 03:29

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:44:22 PM, on 8/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - Startup: CompuServe 2000 Tray Icon.lnk = C:\CompuServe 2000\cstray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.4.3.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {A3D93B25-4601-49D2-B3AF-F447C73D561F} (Sony SNC-RZ25 Control) - http://webcam01.thenewarkarena.com:4448 ... 25View.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O24 - Desktop Component 0: (no name) - http://store1.yimg.com/I/babyride_1815_0

--
End of file - 10062 bytes

by **jmw3** » August 21st, 2009, 10:42 pm

Hi

I was using Ewido every once in a while to do system scans at the recomendation of this site starting back in 2005. When I tried to update it recently it linked to AVG 8 and again I thought it might be a by product of this infection since I had never heard of it before.

AVG 8 is fine. Ewido was taken over by AVG a while ago. It is definitely legit.

WinPatrol and Spybot kept popping warnings about sdra64.exe and a windows system 32 thing.

I don't see sdra64.exe anywhere in any of the logs. What are the exact warning messages?

Here's what I suggest you do regarding your old security programs.
Download the setup file for ONE of these free Anti-virus programs & save it to your desktop. Don't install the program just yet:
1) Antivir PersonalEdition Classic- Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

Leave CyberDefender uninstalled. Click Start>>Control Panel>>Add or Remove Programs. Uninstall the following by right clicking on each & choosing Remove:
ewido security suite
Norton AntiVirus 2004
Norton AntiVirus 2004 (Symantec Corporation)
Spybot - Search & Destroy 1.4
SpywareBlaster v3.4
WinPatrol

Once all of the above are uninstalled, install your new Anti-virus using the set up file you downloaded earlier.

Norton products can leave a lot of leftover files so run the Norton Removal Tool found here: http://service1.symantec.com/Support/ts ... 108162039/
Choose the removal tool that is appropriate for your version of Norton.

Once your clean I'll make some further recommendations, which will include installing the most current versions of SpywareBlaster & WinPatrol.

Once you have one of the Anti-virus programs installed, continue with the following:

SystemLook
Download SystemLook by jpshortstuff from one of the links below & save it to your Desktop.
Download Mirror #1
Download Mirror #2

Double-click SystemLook.exe to run it
Copy the contents of the Codebox below into the main textfield
Code: Select all
```
:filefind
*sdra64.exe*
```
Click the Look button to start the scan
When finished, a notepad window will open with the results of the scan. Post the contents of the log in your next reply

Note: The log can also be found on your Desktop entitled SystemLook.txt

CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:

Code: Select all

Folder::
c:\documents and settings\All Users\Application Data\STOPzilla!
DDS::
Trusted Zone: turbotax.com

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

Still some work to do but this will do for the time being.
To post in next reply:
SystemLook log
ComboFix log
New HijackThis log
Update on how the computer is running

by **dilligaf375** » August 22nd, 2009, 6:24 pm

Hi,
I removed the old programs. downloaded and installed the free version of Avira. System seems to be runnung smoothly.

ComboFix 09-08-20.07 - Owner 08/22/2009 17:53.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.141 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\spyware recovery tools\New Folder\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\spyware recovery tools\text\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\STOPzilla!
c:\documents and settings\All Users\Application Data\STOPzilla!\modules_scanned.db
c:\documents and settings\All Users\Application Data\STOPzilla!\modules_scanned.db.bak
c:\documents and settings\All Users\Application Data\STOPzilla!\scanner.log
c:\documents and settings\All Users\Application Data\STOPzilla!\sgdefs.db
c:\documents and settings\All Users\Application Data\STOPzilla!\sgdwc.db
c:\documents and settings\All Users\Application Data\STOPzilla!\sgupdater.log
c:\documents and settings\All Users\Application Data\STOPzilla!\userdata.db
c:\documents and settings\All Users\Application Data\STOPzilla!\zilla5.log

.
((((((((((((((((((((((((( Files Created from 2009-07-22 to 2009-08-22 )))))))))))))))))))))))))))))))
.

2009-08-22 21:29 . 2009-08-22 21:29 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-22 21:21 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-22 21:21 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-08-22 21:21 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-08-22 21:21 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-08-22 21:21 . 2009-08-22 21:21 -------- d-----w- c:\program files\Avira
2009-08-22 21:21 . 2009-08-22 21:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-08-15 02:40 . 2009-08-15 02:40 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-08-15 02:40 . 2009-08-15 02:40 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-15 02:39 . 2009-08-15 02:39 -------- d-----w- c:\program files\MSBuild
2009-08-15 02:39 . 2009-08-15 02:39 -------- d-----w- c:\program files\Reference Assemblies
2009-08-15 02:39 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-15 02:39 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-15 02:39 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-15 02:39 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-15 02:39 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-15 02:39 . 2009-08-15 02:39 -------- d-----w- C:\77ac5688eb8fd6e347a49fb2d6f9d830
2009-08-15 02:39 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-15 02:39 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-15 02:38 . 2009-08-16 01:08 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-15 01:08 . 2009-08-15 01:08 -------- d-----w- c:\program files\Trend Micro
2009-08-14 01:29 . 2009-08-14 07:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-08-14 01:28 . 2009-08-14 01:28 -------- d-----w- c:\program files\Common Files\iS3
2009-08-12 00:25 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-11 22:47 . 2009-08-11 22:47 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-22 21:33 . 2005-11-29 18:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-22 21:31 . 2004-04-03 08:05 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-22 21:14 . 2005-11-29 18:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-14 22:04 . 2004-04-02 09:51 -------- d-----w- c:\program files\IntelliMover Data Transfer Demo
2009-08-14 21:34 . 2009-08-14 21:28 4352 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-08-14 21:34 . 2009-08-14 21:34 760 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2009-08-14 01:10 . 2004-04-29 21:08 26112 ------w- c:\windows\system32\userinit.exe
2009-08-10 10:53 . 2007-03-22 05:56 -------- d-----w- c:\program files\PokerStars
2009-08-05 09:01 . 2002-12-12 15:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-04-29 23:01 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-04-02 08:45 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-02-06 23:05 915456 ------w- c:\windows\system32\wininet.dll
2009-07-03 00:10 . 2009-07-03 00:10 -------- d-----w- c:\documents and settings\Owner\Application Data\eMusic
2009-07-03 00:10 . 2009-07-03 00:10 -------- d-----w- c:\program files\eMusic Download Manager
2009-06-25 08:25 . 2004-04-29 23:03 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-04-29 23:02 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-04-29 21:08 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-04-29 21:06 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-04-29 21:06 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-04-29 21:06 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-04-02 06:52 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-04-29 23:02 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-04-29 21:08 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-04-02 06:52 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-04-29 23:01 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2004-04-29 21:06 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-04-02 06:52 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2003-05-31 00:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2005-11-28 18:34 . 2005-11-28 18:33 2855080 ---ha-w- c:\program files\aawsepersonal.exe
2005-03-07 17:38 . 2005-03-07 17:38 543269 ---ha-w- c:\program files\DVD43_3-5-2_Setup.exe
2005-01-24 18:53 . 2005-01-24 18:52 3249463 ---ha-w- c:\program files\dxcp.exe
2004-12-19 02:30 . 2004-12-19 02:30 3479664 ---ha-w- c:\program files\ICopyDVDs2-Standard.zip
2004-08-07 16:13 . 2004-08-07 16:13 0 -csha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-08-21_22.34.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 06:19 . 2007-11-07 06:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 10:07 . 2008-07-29 10:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 10:07 . 2008-07-29 10:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2009-08-22 21:21 . 2009-05-11 14:12 28520 c:\windows\system32\drivers\ssmdrv.sys
+ 2008-07-29 12:05 . 2008-07-29 12:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 07:54 . 2008-07-29 07:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2009-08-22 21:19 . 2009-08-22 21:19 228352 c:\windows\Installer\134172.msi
+ 2008-07-29 12:05 . 2008-07-29 12:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"PPWebCap"="c:\progra~1\ScanSoft\PAPERP~1\PPWebCap.exe" [2000-03-01 48128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-01-17 229376]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-05-07 188416]
"HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-22 49152]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-22 483328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-04-02 98304]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-01-31 180269]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-24 233472]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2006-11-23 151552]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2004-10-22 53248]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-03-04 88209]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
CompuServe 2000 Tray Icon.lnk - c:\compuserve 2000\cstray.exe [2004-8-8 32768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
Compaq Connections.lnk - c:\program files\Compaq Connections\1940576\Program\BackWeb-1940576.exe [2004-4-2 16384]
Event Reminder.lnk - c:\program files\PrintMaster 16\pmremind.exe [2004-1-20 339968]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2004-11-13 237568]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\support.com\\bin\\tgcmd.exe"=
"c:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"=
"c:\\Program Files\\CyberLink\\PCM4Everio\\EverioService.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/22/2009 5:21 PM 108289]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [12/9/2008 12:37 PM 13088]
R3 DVC150B;Dazzle DVC 150B;c:\windows\system32\drivers\dvc150b.sys [12/25/2005 11:38 PM 30976]
S2 mrtRate;mrtRate; [x]
S3 pmxscan;Visioneer USB Kernel;c:\windows\system32\drivers\usbscan.sys [8/8/2004 9:23 PM 15104]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SSMDRV

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-19 c:\windows\Tasks\dfrg.job
- c:\windows\system32\dfrg.msc [2004-04-29 01:05]

2009-08-22 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-04-29 00:12]

2009-08-22 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe [2004-08-08 13:03]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-WinPatrol - c:\program files\BillP Studios\WinPatrol\winpatrol.exe
HKLM-Run-SpybotSnD - c:\program files\Spybot - Search & Destroy\SpybotSD.exe

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/home.html
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mWindow Title = Microsoft Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
IE: Add To Compaq Organize... - c:\progra~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-22 18:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,3d,63,c7,ed,24,
4c,12,64,c8,28,51,af,b0,29,a3,98,01,b8,df,84,21,73,45,7a,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,65,4f,a3,23,a0,
40,23,68,71,3b,04,66,8b,46,0d,96,10,66,43,fd,4a,7b,72,f1,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,46,0b,0f,66,fa,
d1,84,f0,25,da,ec,7e,55,20,c9,26,d3,5b,51,fd,ec,2c,11,ca,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,d7,19,b2,7c,4d,
3c,56,dc,3e,1e,9e,e0,57,5a,93,61,86,34,ce,be,e5,a5,dc,64,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,1a,b9,82,dc,5f,
d6,18,a8,cd,44,cd,b9,a6,33,6c,cd,a0,aa,4c,b7,de,34,6b,38,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,86,93,c5,ed,f2,
c0,10,88,b0,18,ed,a7,3f,8d,37,a4,25,66,30,d0,4c,11,85,0a,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,7b,eb,1c,fe,e9,
0c,a2,e7,31,77,e1,ba,b1,f8,68,02,50,c8,1c,31,4a,e1,71,0e,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,bb,9c,b5,27,15,
fc,fe,d6,83,6c,56,8b,a0,85,96,ab,2c,85,50,00,e7,2d,cb,b9,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,77,d8,de,3a,3e,
39,0e,3d,51,fa,6e,91,28,9e,14,cc,7c,e4,b5,d8,8f,4e,1f,6d,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,76,16,0b,15,87,
9a,3a,97,b1,cd,45,5a,a8,c4,f8,b9,64,bd,77,5d,63,e7,e6,08,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:f8,31,0f,a9,5f,a0,ec,fb,0a,55,05,b2,04,
1a,9a,36,e3,0e,66,d5,eb,bc,2f,6b,e8,c3,11,26,17,c6,99,ce,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,4a,37,1a,a3,bd,
82,74,a6,fa,ea,66,7f,d4,3b,6b,70,c3,8d,89,93,84,b6,08,82,6c,43,2d,1e,aa,22,\
.
Completion time: 2009-08-22 18:10
ComboFix-quarantined-files.txt 2009-08-22 22:10
ComboFix2.txt 2009-08-21 22:42

Pre-Run: 28,075,589,632 bytes free
Post-Run: 28,044,398,592 bytes free

Current=4 Default=4 Failed=1 LastKnownGood=5 Sets=,1,2,4,5
268 --- E O F --- 2009-08-16 03:29

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:21:53 PM, on 8/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - Startup: CompuServe 2000 Tray Icon.lnk = C:\CompuServe 2000\cstray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.4.3.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {A3D93B25-4601-49D2-B3AF-F447C73D561F} (Sony SNC-RZ25 Control) - http://webcam01.thenewarkarena.com:4448 ... 25View.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O24 - Desktop Component 0: (no name) - http://store1.yimg.com/I/babyride_1815_0

--
End of file - 8031 bytes

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 17:39 on 22/08/2009 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "*sdra64.exe*"
No files found.

-=End Of File=-

by **jmw3** » August 22nd, 2009, 11:16 pm

Hi

Looking good. I note your Avira is not updated. Make sure you get it up to date as soon as possible.

Update Java Runtime
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, & also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 16.

Download the latest version of Java Runtime Environment (JRE) 6 Here
Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 16. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the Download button to the right
Select the Windows platform from the dropdown menu
Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh
Click on the link to download Windows Offline Installation & save the file to your desktop
Close any programs you may have running - especially your web browser
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs & remove all older versions of Java
Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions
Reboot your computer once all Java components are removed
Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version

After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
- On the General tab, under Temporary Internet Files, click the Settings button
- Next, click on the Delete Files button
- There are two options in the window to clear the cache - Leave BOTH Checked
- Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
- Click OK to leave the Temporary Files Window
- Click OK to leave the Java Control Panel

TFC (Temp File Cleaner)
Download TFC (Temp File Cleaner) by Old Timer Here & save it to your desktop.

Save any unsaved work. TFC Cleaner will close all open application windows
Double-click TFC.exe to run the program, your desktop will temporarily disappear
If prompted, click Yes to reboot

Note: Save your work.. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take any longer than a couple of minutes & may only take a few seconds. Only if needed will you be prompted to reboot.

Kaspersky Online Scan
Do an online scan with >Kaspersky Online Scanner<

Read through the requirements and privacy statement and click on Accept button
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
When the downloads have finished, click on Settings
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Click on My Computer under Scan
Once the scan is complete, it will display the results. Click on View Scan Report
You will see a list of infected items there. Click on Save Report As...
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
Please post this log in your next reply

Pictured tutorial if required.

Download Security Check by screen317 from one of the following links & save it to your desktop:
Link 1
Link 2

Double click SecurityCheck.exe to run it then press any key at the prompt to continue
Once the tool has finished a Notepad document should open named checkup.txt
Copy/paste the contents of checkup.txt & post in your next reply

To post in next reply:
Kaspersky Scan log
checkup log

by **dilligaf375** » August 23rd, 2009, 11:06 pm

Howdy,
I removed all the Java and installed the new one. The Kapersky Online Scanner would not work. It got quite a ways through the update / download and the I got a window with a failed message, something about the web key expired. So there is no Kapersky log. Here is the security check log though.

esults of screen317's Security Check version 0.98.9
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
Avira AntiVir Personal - Free Antivirus

Avira updated!
``````````````````````````````
Anti-malware/Other Utilities Check:
Ad-Aware
HijackThis 2.0.2
CCleaner (remove only)
Java(TM) 6 Update 16
Adobe Flash Player 10
Adobe Reader 8
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
Avira Antivir avgnt.exe
Avira Antivir avguard.exe

``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

by **jmw3** » August 23rd, 2009, 11:34 pm

Hi

Try this online scanner:

ESET Online Scanner
Go here to run an online scannner from ESET.

Note: You will need to use Internet explorer for this scan
Turn off the real time scanner of any existing antivirus program while performing the online scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked
Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

by **dilligaf375** » August 24th, 2009, 11:01 pm

ESET seemed to work. here is the log.

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\GameVance8.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Nurech1.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\Owner\Desktop\spyware recovery tools\smitRem.exe Win32/PrcView application
C:\Documents and Settings\Owner\Desktop\spyware recovery tools\SpyAxeFix.exe Win32/PrcView application
C:\Documents and Settings\Owner\Desktop\spyware recovery tools\smitRem\Process.exe Win32/PrcView application
C:\Documents and Settings\Owner\Desktop\spyware recovery tools\SpyAxeFix\Process.exe Win32/PrcView application
C:\Documents and Settings\Owner\My Documents\My Music\it wont last for long.mp3 WMA/TrojanDownloader.GetCodec.C trojan
C:\Documents and Settings\Owner\My Documents\My Music\Rockabye Baby Lullaby Renditions Of Metallica.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe probably a variant of Win32/Agent trojan
C:\Qoobox\Quarantine\C\WINDOWS\new_drv.sys.vir Win32/PSW.Papras.AB trojan
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP1090\A0071246.exe Win32/TrojanClicker.Delf.NGK trojan
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP1108\A0072354.cpl Win32/Adware.P2PNet application
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP1109\A0072369.exe a variant of Win32/Adware.Gamevance.AC application
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP1109\A0072371.dll a variant of Win32/Adware.Gamevance.AA application
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP1109\A0072377.exe Win32/Spy.Zbot.JF trojan
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP1111\A0072668.exe Win32/Adware.SystemSecurity application
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP1116\A0073356.sys Win32/PSW.Papras.AB trojan

by **jmw3** » August 25th, 2009, 1:50 am

Hi
Looks good

Update Adobe Reader
Recently there have been vunerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version: Adobe Reader 9.1
You can download it from http://www.adobe.com/products/acrobat/readstep2.html
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed Uncheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Adobe 9 is a large program and if you prefer a smaller program you can get Foxit 3 instead from http://www.foxitsoftware.com/pdf/rd_intro.php
Note: Do not install anything dealing with AskBar... presented as an installation option.

OTM
Download OTM by OldTimer Here & save it to your desktop.

Double click on OTM.exe to run it
Copy & paste the contents of the Code box below into Paste Instructions for Items to be Moved

Note: Do not type it out to minimize the risk of typo error

Code: Select all

:Files
C:\Documents and Settings\Owner\My Documents\My Music\it wont last for long.mp3
C:\Documents and Settings\Owner\My Documents\My Music\Rockabye Baby Lullaby Renditions Of Metallica.wma
:Commands
[Purity]
[EmptyTemp]
[Reboot]

Click on MoveIt!
When done, click on Exit

Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Choose Yes.
A log will be produced at C:\_OTM\MovedFiles\date_time.log, where date_time are numbers. Post this log in your next reply.

Clean Up
Now we need to clear out the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if used inappropriately.
Remove ComboFix
The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run then copy/paste the following bolded text into the Run box and click OK:
ComboFix /u

Double-click OTM
Click the CleanUp! button
Select Yes when the Begin cleanup Process? prompt appears
If you are prompted to Reboot during the cleanup, select Yes
The tool will delete itself once it finishes, if not delete it yourself

You can delete the following from your desktop:
DDS.scr
The Gmer.exe file (it will be randomly named .exe file)
Norton Removal Tool
SystemLook.exe
TFC.exe
SecurityCheck.exe
Any logs that may have been saved to your desktop
You should also completely remove the spyware recovery tools folder you have on your desktop. The items you have in there are not meant for general malware cleaning & could cause damage if used incorrectly.
You can also uninstall both the Kaspersky Online Scan & Eset Online Scan. Both can be uninstalled via Add or Remove Programs.
You should also remove HijackThis. You can do this by going to C:\Program Files\Trend Micro\HijackThis

Double click HijackThis.exe
From the Main menu click Open the Misc Tools section
Using the scroll bar, scroll down to Uninstall HijackThis
Click Uninstall HijackThis & exit then click Yes at the prompt

To post in next reply:
OTM log
Update on how the computer is running / problems

by **dilligaf375** » August 25th, 2009, 9:07 pm

Hi,
i think I uninstalled ComboFix. The Spyware recovery tools folder just up and disappeared from the desk top. I have no idea what happened to it because I didn't delete it. I was looking in it with explorer and I closed out explorer to open it from the desk top and it was gone. Other than that, things seem to be running normally. I have no idea if all the programs you listed in your last post have been deleted. Here is my OTM log.

All processes killed
========== FILES ==========
C:\Documents and Settings\Owner\My Documents\My Music\it wont last for long.mp3 moved successfully.
C:\Documents and Settings\Owner\My Documents\My Music\Rockabye Baby Lullaby Renditions Of Metallica.wma moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: Owner
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_8ec.dat scheduled to be deleted on reboot.
->Temp folder emptied: -1965840798 bytes
->Temporary Internet Files folder emptied: 41718371 bytes
->Java cache emptied: 13559203 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 664 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = -1821.93 mb

OTM by OldTimer - Version 3.0.0.6 log created on 08252009_161644

Files moved on Reboot...
File C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_8ec.dat not found!

Registry entries deleted on Reboot...

Free Malware Removal Forum

sdra64.exe

sdra64.exe

Re: sdra64.exe

Re: sdra64.exe

Re: sdra64.exe

Re: sdra64.exe

Re: sdra64.exe

Re: sdra64.exe

Re: sdra64.exe

Re: sdra64.exe

Re: sdra64.exe

Re: sdra64.exe

Re: sdra64.exe

Re: sdra64.exe

Re: sdra64.exe

Re: sdra64.exe

Who is online