Free Malware Removal Forum

[DFW]

Hi tahoeles.


Well done, I think we could be almost there, with just a little way to go.


First Off re-enable your Emulation drivers, double click DeFogger to run the tool.

• The application window will appear
• Click the Re-enable button to re-enable your CD Emulation drivers
• Click Yes to continue
• A 'Finished!' message will appear
• Click OK
• DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.
Your Emulation drivers are now re-enabled.



You have a few sites, in the Trusted Zones of which you may have put them there. Trusted Zones allow the sites to run with reduced security settings.
This will provide an opportunity for exploit from malware and you will never know when a good site will get hacked.
It is advisable for you not to place any more websites in the Trusted Zones in the future, and I will remove the existing ones as below.


DelDomains

• Download: DelDomains.inf
• Locate DelDomains.inf
• Right-click and select Install
• This will remove all entries in the Trusted, Restricted,and Enhanced Security Configuration Zones.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:
Download the latest version of Java Runtime Environment (JRE) .
http://java.sun.com/javase/downloads/index.jsp
Scroll down to where it says "The J2SE Runtime Environment JRE 6 Update 20 allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.

Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.




TFC(Temp File Cleaner)

• Please download TFC to your desktop,
• Save any unsaved work. TFC will close all open application windows.
• Double-click TFC.exe to run the program.
• If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.



Please go to Kaspersky website and perform an online antivirus scan.

1. Read through the requirements and privacy statement and click on Accept button.
2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
3. When the downloads have finished, click on Settings.
4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
   Spyware, Adware, Dialers, and other potentially dangerous programs
   Archives
   Mail databases
5. Click on My Computer under Scan.
6. Once the scan is complete, it will display the results. Click on View Scan Report.
7. You will see a list of infected items there. Click on Save Report As....
8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
9. Please post this log in your next reply.

Next
Run RSIT

Please note there will be only one log this time.

• RUN random's system information tool by doulbe clicking on (RSIT)on your desktop
• Click Continue at the disclaimer screen.
• Once it has finished, one log will open.
• Please post the contents into next reply

Postback in this order Please

kaspersky Log
RSIT Log
How is your computer performing now, any further symptoms and or problems encountered?

[tahoeles]

OK DWF, I'll get to work on your requests.

Thanks,

Les

[tahoeles]

Hi DWF, here is the KL scan. I deleted the infected files. (and a bunch of others in the Shirley Transfer folder. I forgot I had all of those files....)
RSIT to follow in next post.

Thanks,

Les

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, June 27, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, June 27, 2010 04:07:22
Records in database: 4284456
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
L:\

Scan statistics:
Objects scanned: 155406
Threats found: 2
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 04:13:02


File name / Threat / Threats count
C:\Downloads\Transfer 12-09\Shirley Transfer\On c\Program Files\AOL\Installers\ASP 2.0\setup.exe Infected: Trojan.Win32.Agent.dgon 1
D:\I386\APPS\APP17839\src\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1
D:\I386\APPS\APP17839\src\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1

Selected area has been scanned.

[tahoeles]

Here is the RSIT log. Computer seems to be running better. No redirects.
Horray!!

Thanks a bunch!

Les

Logfile of random's system information tool 1.07 (written by random/random)
Run by Compaq_Administrator at 2010-06-27 16:11:00
Microsoft Windows XP Professional Service Pack 3
System drive C: has 98 GB (43%) free of 230 GB
Total RAM: 958 MB (51% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:11:09 PM, on 6/27/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Billeo\billeo.exe
C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
C:\WINDOWS\ALCXMNTR.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\Malware\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Compaq_Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Billeo - {465E08E7-F005-4389-980F-1D8764B3486C} - c:\program files\billeo\billeo.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\IPSBHO.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\webhelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Billeo - {6ADB0F93-1AA5-4BCF-9DF4-CEA689A3C111} - c:\program files\billeo\billeo.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\coIEPlg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [DMAScheduler] c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [1&1 EasyLogin] C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe
O4 - HKCU\..\Run: [C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe] "1&1 EasyLogin" HIDE
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Compaq_Administrator\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: billeo.lnk = C:\Program Files\Billeo\billeo.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.ede.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Billeo - {97ED3A9F-CD6F-473A-8FE1-7505C1B844C3} - c:\program files\billeo\billeo.dll (HKCU)
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 7326998125
O16 - DPF: {7A162288-DE78-473C-A6BA-23FF17F768E9} (AxWebInstaller Control) - http://rad.interwise.com/rad/applicatio ... taller.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: DefWatch - Unknown owner - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe (file missing)

--
End of file - 11158 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Google Software Updater.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-2153165873-2257741584-3163000109-1008.job
C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-2153165873-2257741584-3163000109-1008.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{1BA3DE38-4B85-402C-A165-1AA178EB55F0}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-04-01 880368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-04-03 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll [2010-03-07 329312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{465E08E7-F005-4389-980F-1D8764B3486C}]
Billeo - c:\program files\billeo\billeo.dll [2010-06-19 3620688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
Symantec NCO BHO - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\coIEPlg.dll [2010-05-12 394608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
Symantec Intrusion Prevention - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\IPSBHO.DLL [2009-11-16 79224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2010-06-22 278192]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAE832A-5FFF-4661-9C8F-369692D1DCB9}]
hpWebHelper Class - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\webhelper.dll [2006-05-30 208896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll [2010-06-05 814648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2ce3e00-f94a-4740-988e-03dc2f38c34f}]
MSN Toolbar Helper - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll [2008-11-08 83800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-06-26 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-06-26 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{6ADB0F93-1AA5-4BCF-9DF4-CEA689A3C111} - Billeo - c:\program files\billeo\billeo.dll [2010-06-19 3620688]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-04-01 880368]
{1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - MSN Toolbar - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll [2008-11-08 83800]
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - Norton Toolbar - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\coIEPlg.dll [2010-05-12 394608]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2010-06-22 278192]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray"=C:\WINDOWS\ehome\ehtray.exe [2005-08-05 64512]
"AlwaysReady Power Message APP"=C:\WINDOWS\ARPWRMSG.EXE [2005-08-02 77312]
"DMAScheduler"=c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe [2005-11-01 90112]
"HPBootOp"=C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe [2005-11-09 249856]
"KBD"=C:\HP\KBD\KBD.EXE [2005-02-02 61440]
"PrinTray"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe [2001-10-12 36864]
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2004-07-27 221184]
"HP Software Update"=C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [2010-03-12 49208]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2010-04-03 36272]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2010-03-07 202256]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2010-03-17 421888]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-02-18 248040]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"1&1 EasyLogin"=C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe [2009-08-18 2200576]
"C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe"=1&1 EasyLogin HIDE []
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-05-23 68856]
"cdloader"=C:\Documents and Settings\Compaq_Administrator\Application Data\mjusbsp\cdloader2.exe [2010-02-26 50520]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2010-03-17 421888]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
C:\PROGRA~1\COMPAQ~1\5577497\Program\COMPAQ~1.EXE [2006-02-14 36903]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
billeo.lnk - C:\Program Files\Billeo\billeo.exe
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.ede.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2005-08-13 46080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINDOWS\system32\NavLogon.dll [2003-03-03 45056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2006-06-19 702768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe:*:Disabled:RealPlayer"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe"="C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server"
"C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe"="C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe:*:Disabled:Compaq Connections"
"C:\WINDOWS\Network Diagnostic\xpnetdiag.exe"="C:\WINDOWS\Network Diagnostic\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\Program Files\HP\HP Software Update\HPWUCli.exe"="C:\Program Files\HP\HP Software Update\HPWUCli.exe:*:Disabled:HP Software Update Client"
"C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe"="C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe:LocalSubNet:Disabled:TurboTax"
"C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe"="C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe:LocalSubNet:Disabled:TurboTax"
"C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe"="C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:LocalSubNet:Disabled:TurboTax Update Manager"
"C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe"="C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe:LocalSubNet:Disabled:TurboTax Update Manager"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Disabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Disabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Windows Media Player\wmplayer.exe"="C:\Program Files\Windows Media Player\wmplayer.exe:*:Disabled:Windows Media Player"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\Documents and Settings\Compaq_Administrator\Application Data\mjusbsp\magicJack.exe"="C:\Documents and Settings\Compaq_Administrator\Application Data\mjusbsp\magicJack.exe:*:Enabled:magicJack"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe"="C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe:*:Enabled:Compaq Connections"
"C:\Program Files\MSN Messenger\msncall.exe"="C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

======List of files/folders created in the last 3 months======

2010-06-26 18:46:22 ----HDC---- C:\WINDOWS\$NtUninstallKB980218$
2010-06-26 18:42:53 ----HDC---- C:\WINDOWS\$NtUninstallKB979904$
2010-06-26 18:42:12 ----HDC---- C:\WINDOWS\$NtUninstallKB980195$
2010-06-26 18:37:05 ----HDC---- C:\WINDOWS\$NtUninstallKB979559$
2010-06-26 18:36:53 ----HDC---- C:\WINDOWS\$NtUninstallKB979482$
2010-06-26 18:36:34 ----HDC---- C:\WINDOWS\$NtUninstallKB975562$
2010-06-26 18:28:21 ----D---- C:\Program Files\Common Files\Java
2010-06-26 18:27:49 ----A---- C:\WINDOWS\system32\javaws.exe
2010-06-26 18:27:49 ----A---- C:\WINDOWS\system32\javaw.exe
2010-06-26 18:27:49 ----A---- C:\WINDOWS\system32\deployJava1.dll
2010-06-26 18:27:48 ----A---- C:\WINDOWS\system32\java.exe
2010-06-26 02:23:50 ----SHD---- C:\RECYCLER
2010-06-26 02:09:18 ----A---- C:\ComboFix.txt
2010-06-26 01:55:54 ----A---- C:\WINDOWS\zip.exe
2010-06-26 01:55:54 ----A---- C:\WINDOWS\SWXCACLS.exe
2010-06-26 01:55:54 ----A---- C:\WINDOWS\SWSC.exe
2010-06-26 01:55:54 ----A---- C:\WINDOWS\SWREG.exe
2010-06-26 01:55:54 ----A---- C:\WINDOWS\sed.exe
2010-06-26 01:55:54 ----A---- C:\WINDOWS\PEV.exe
2010-06-26 01:55:54 ----A---- C:\WINDOWS\NIRCMD.exe
2010-06-26 01:55:54 ----A---- C:\WINDOWS\MBR.exe
2010-06-26 01:55:54 ----A---- C:\WINDOWS\grep.exe
2010-06-26 01:54:38 ----AD---- C:\Qoobox
2010-06-23 16:55:59 ----D---- C:\Backup
2010-06-22 15:25:58 ----A---- C:\TDSSKiller.2.3.2.0_22.06.2010_15.25.58_log.txt
2010-06-22 15:07:12 ----D---- C:\WINDOWS\ERDNT
2010-06-22 15:06:24 ----D---- C:\Program Files\ERUNT
2010-06-14 15:42:17 ----D---- C:\rsit
2010-06-12 23:23:14 ----D---- C:\Documents and Settings\Compaq_Administrator\Application Data\Malwarebytes
2010-06-12 23:22:52 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-06-12 23:22:42 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-06-12 00:04:21 ----A---- C:\WINDOWS\system32\MRT.INI
2010-06-11 23:58:48 ----HDC---- C:\WINDOWS\$NtUninstallKB978695_WM9$
2010-06-09 00:07:05 ----D---- C:\Movies
2010-06-05 02:53:37 ----HDC---- C:\WINDOWS\$NtUninstallKB981793$
2010-05-18 17:07:14 ----RA---- C:\WINDOWS\system32\GEARAspi.dll
2010-05-18 17:06:25 ----D---- C:\Program Files\Windows Sidebar
2010-05-18 17:06:25 ----D---- C:\Program Files\Norton Security Suite
2010-05-18 17:06:13 ----D---- C:\Program Files\NortonInstaller
2010-05-18 17:06:13 ----D---- C:\Documents and Settings\All Users\Application Data\NortonInstaller
2010-05-18 15:44:52 ----D---- C:\Documents and Settings\All Users\Application Data\Norton
2010-05-18 03:25:42 ----D---- C:\Program Files\QuickTime
2010-05-18 03:14:53 ----D---- C:\Program Files\Common Files\AnswerWorks 4.0
2010-05-18 03:13:35 ----D---- C:\WINDOWS\system32\FxsTmp
2010-05-18 00:32:08 ----D---- C:\Program Files\Microsoft Security Essentials
2010-05-17 14:33:14 ----SHD---- C:\WINDOWS\CSC
2010-05-15 18:05:25 ----D---- C:\Program Files\QuickTime(2)
2010-05-15 17:51:30 ----D---- C:\Program Files\Common Files\Java(2)
2010-05-13 16:59:44 ----D---- C:\Config.Msi
2010-05-13 16:33:35 ----A---- C:\WINDOWS\ntbtlog.txt
2010-05-11 20:00:26 ----HDC---- C:\WINDOWS\$NtUninstallKB978542$
2010-04-14 14:04:32 ----HDC---- C:\WINDOWS\$NtUninstallKB979683$
2010-04-14 14:04:04 ----HDC---- C:\WINDOWS\$NtUninstallKB980232$
2010-04-14 14:01:24 ----HDC---- C:\WINDOWS\$NtUninstallKB978338$
2010-04-14 14:00:48 ----HDC---- C:\WINDOWS\$NtUninstallKB977816$
2010-04-14 13:59:29 ----HDC---- C:\WINDOWS\$NtUninstallKB978601$
2010-04-14 13:58:39 ----HDC---- C:\WINDOWS\$NtUninstallKB979309$
2010-03-31 00:16:34 ----A---- C:\WINDOWS\system32\PresentationHostProxy.dll
2010-03-31 00:10:40 ----A---- C:\WINDOWS\system32\PresentationHost.exe

======List of files/folders modified in the last 3 months======

2010-06-27 16:11:03 ----D---- C:\WINDOWS\Temp
2010-06-27 16:11:03 ----D---- C:\WINDOWS\Prefetch
2010-06-27 16:04:35 ----SD---- C:\WINDOWS\Tasks
2010-06-27 13:28:00 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-06-26 19:52:17 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
2010-06-26 19:35:31 ----D---- C:\WINDOWS\Microsoft.NET
2010-06-26 19:35:24 ----RSD---- C:\WINDOWS\assembly
2010-06-26 19:22:31 ----SHD---- C:\System Volume Information
2010-06-26 19:22:23 ----D---- C:\WINDOWS\Registration
2010-06-26 19:22:22 ----AD---- C:\WINDOWS
2010-06-26 19:21:02 ----D---- C:\WINDOWS\system32\CatRoot2
2010-06-26 19:09:29 ----SHD---- C:\WINDOWS\Installer
2010-06-26 19:08:38 ----HD---- C:\WINDOWS\inf
2010-06-26 19:08:37 ----D---- C:\WINDOWS\system32\CatRoot
2010-06-26 19:04:00 ----D---- C:\WINDOWS\system32
2010-06-26 18:46:25 ----RSHD---- C:\WINDOWS\system32\dllcache
2010-06-26 18:45:07 ----A---- C:\WINDOWS\win.ini
2010-06-26 18:43:01 ----A---- C:\WINDOWS\imsins.BAK
2010-06-26 18:41:52 ----HD---- C:\WINDOWS\$hf_mig$
2010-06-26 18:40:20 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-06-26 18:39:50 ----D---- C:\WINDOWS\WinSxS
2010-06-26 18:28:21 ----D---- C:\Program Files\Common Files
2010-06-26 02:05:42 ----A---- C:\WINDOWS\system.ini
2010-06-26 02:02:11 ----D---- C:\WINDOWS\system32\drivers
2010-06-26 02:02:11 ----D---- C:\WINDOWS\AppPatch
2010-06-25 20:32:04 ----D---- C:\Documents and Settings\Compaq_Administrator\Application Data\mjusbsp
2010-06-22 15:06:24 ----D---- C:\Program Files
2010-06-21 17:33:32 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-19 02:16:55 ----A---- C:\WINDOWS\ACTWIN2.INI
2010-06-19 01:55:06 ----D---- C:\Program Files\Billeo
2010-06-14 14:55:01 ----HDC---- C:\WINDOWS\$NtUninstallKB945553$
2010-06-12 00:10:09 ----D---- C:\Program Files\Internet Explorer
2010-06-09 22:31:39 ----D---- C:\Documents and Settings\All Users\Application Data\Apple Computer
2010-06-05 02:59:53 ----D---- C:\Program Files\Microsoft Silverlight
2010-06-05 02:54:37 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2010-05-28 12:37:34 ----A---- C:\WINDOWS\system32\MRT.exe
2010-05-19 03:04:37 ----D---- C:\Program Files\Outlook Express
2010-05-19 02:58:00 ----D---- C:\Program Files\Windows Desktop Search
2010-05-18 17:11:14 ----D---- C:\Program Files\Common Files\Symantec Shared
2010-05-18 17:07:03 ----DC---- C:\WINDOWS\system32\DRVSTORE
2010-05-18 17:06:56 ----A---- C:\WINDOWS\system32\S32EVNT1.DLL
2010-05-18 04:43:17 ----D---- C:\WINDOWS\system32\config
2010-05-18 04:40:19 ----D---- C:\WINDOWS\system32\wbem
2010-05-18 03:18:16 ----D---- C:\Program Files\GemMaster
2010-05-18 03:17:38 ----D---- C:\Program Files\Microsoft Works
2010-05-18 03:13:36 ----D---- C:\WINDOWS\system32\inetsrv
2010-05-18 03:13:36 ----D---- C:\WINDOWS\addins
2010-05-17 13:56:26 ----D---- C:\Program Files\Common Files\Microsoft Shared
2010-05-17 13:56:25 ----D---- C:\Program Files\Microsoft Office
2010-05-17 13:54:02 ----D---- C:\Program Files\interwise
2010-05-12 04:17:01 ----D---- C:\Rancho ReDue
2010-05-10 23:54:17 ----D---- C:\WINDOWS\network diagnostic
2010-05-06 03:41:53 ----A---- C:\WINDOWS\system32\wininet.dll
2010-05-06 03:41:52 ----A---- C:\WINDOWS\system32\urlmon.dll
2010-05-06 03:41:52 ----A---- C:\WINDOWS\system32\occache.dll
2010-05-06 03:41:52 ----A---- C:\WINDOWS\system32\mstime.dll
2010-05-06 03:41:52 ----A---- C:\WINDOWS\system32\mshtml.dll
2010-05-06 03:41:51 ----N---- C:\WINDOWS\system32\jsproxy.dll
2010-05-06 03:41:51 ----A---- C:\WINDOWS\system32\msfeedsbs.dll
2010-05-06 03:41:51 ----A---- C:\WINDOWS\system32\msfeeds.dll
2010-05-06 03:41:50 ----A---- C:\WINDOWS\system32\iertutil.dll
2010-05-06 03:41:50 ----A---- C:\WINDOWS\system32\iepeers.dll
2010-05-06 03:41:49 ----A---- C:\WINDOWS\system32\ieframe.dll
2010-05-06 03:41:48 ----N---- C:\WINDOWS\system32\iedkcs32.dll
2010-05-05 06:30:57 ----N---- C:\WINDOWS\system32\ie4uinit.exe
2010-04-21 06:28:50 ----N---- C:\WINDOWS\system32\tzchange.exe
2010-04-20 23:49:50 ----D---- C:\Documents and Settings\Compaq_Administrator\Application Data\HpUpdate
2010-04-19 22:30:08 ----A---- C:\WINDOWS\system32\atmfd.dll
2010-04-14 13:59:05 ----D---- C:\WINDOWS\ie8updates
2010-04-06 04:52:46 ----A---- C:\WINDOWS\system32\WMVCore.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2005-03-09 36352]
R1 BHDrvx86;BHDrvx86; \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100619.001\BHDrvx86.sys []
R1 ccHP;Symantec Hash Provider; C:\WINDOWS\system32\drivers\N360\0402000.00C\ccHPx86.sys [2010-02-25 501888]
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 SRTSPX;Symantec Real Time Storage Protection (PEL); C:\WINDOWS\system32\drivers\N360\0402000.00C\SRTSPX.SYS [2010-04-21 43696]
R1 SymIRON;Symantec Iron Driver; C:\WINDOWS\system32\drivers\N360\0402000.00C\Ironx86.SYS [2010-04-28 116784]
R1 SYMTDI;Symantec Network Dispatch Driver; C:\WINDOWS\System32\Drivers\N360\0402000.00C\SYMTDI.SYS [2010-05-05 361904]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2009-08-13 1163328]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2005-08-29 3644928]
R3 aracpi;aracpi; C:\WINDOWS\system32\DRIVERS\aracpi.sys [2005-08-02 22784]
R3 arhidfltr;MS Ar HID Filter Driver; C:\WINDOWS\system32\DRIVERS\arhidfltr.sys [2005-08-02 19200]
R3 arkbcfltr;Microsoft PS2 Keyboard Filter; C:\WINDOWS\system32\DRIVERS\arkbcfltr.sys [2005-08-02 5376]
R3 armoucfltr;Microsoft PS2 Mouse Filter; C:\WINDOWS\system32\DRIVERS\armoucfltr.sys [2005-08-02 4992]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ARPolicy;ARPolicy; C:\WINDOWS\system32\DRIVERS\arpolicy.sys [2005-08-02 10112]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2005-08-13 1313792]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 IDSxpx86;IDSxpx86; \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100625.001\IDSxpx86.sys []
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NAVENG;NAVENG; \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100627.003\NAVENG.SYS []
R3 NAVEX15;NAVEX15; \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100627.003\NAVEX15.SYS []
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 Ps2;PS2; C:\WINDOWS\system32\DRIVERS\PS2.sys [2005-12-12 19072]
R3 RTL8023xp;Realtek 10/100/1000 PCI NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2009-03-25 130432]
R3 SRTSP;Symantec Real Time Storage Protection; C:\WINDOWS\System32\Drivers\N360\0402000.00C\SRTSP.SYS [2010-04-21 325680]
R3 SymEvent;SymEvent; \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 USBZC0301;USB Web Camera; C:\WINDOWS\System32\Drivers\usbcam.sys [2002-04-24 111272]
S2 NAVAPEL;NAVAPEL; \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS []
S3 catchme;catchme; \??\C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\catchme.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-09 11008]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NAVAP;NAVAP; \??\C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys []
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 SYMIDSCO;SYMIDSCO; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\idsdefs\20050901.036\symidsco.sys []
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AgereModemAudio;Agere Modem Call Progress Audio; C:\Program Files\LSI SoftModem\agrsmsvc.exe [2009-03-27 14336]
R2 ARSVC;ARSVC; C:\WINDOWS\arservice.exe [2005-08-02 58880]
R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2006-10-09 237568]
R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2005-08-05 102912]
R2 Intel File Transfer;Intel File Transfer; C:\WINDOWS\system32\cba\xfr.exe [2003-01-10 36915]
R2 Intel PDS;Intel PDS; C:\WINDOWS\system32\cba\pds.exe [2003-01-10 32819]
R2 IntuitUpdateService;Intuit Update Service; C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-06-26 153376]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2005-12-18 73728]
R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
R2 N360;Norton Security Suite; C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe [2010-02-25 126392]
S2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe []
S2 DefWatch;DefWatch; C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe []
S2 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-11-02 133104]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-25 183280]
S2 Norton AntiVirus Server;Symantec AntiVirus Client; C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
S4 WSearch;Windows Search; C:\WINDOWS\system32\SearchIndexer.exe [2008-05-26 439808]

-----------------EOF-----------------

[DFW]

Your all clean now, and good to go, but first we need to remove the tools we have used.
Also adding some extra protection will help secure your system against any future infections..


First Delete RegQuery from your Desktop.


Uninstall ComboFix:

• Click on Start >> Run...
• Now type in ComboFix /Uninstall into the and click OK.
• Note the space between the X and the /Uninstall, it needs to be there.
• 

Please download OTC and save it to desktop.

This tool will remove all the tools(and logs created) we used to clean your pc. Any left over merely delete yourself and empty the Recycle Bin.

• Double-click OTC.exe.
• Click the CleanUp! button.
• Select Yes when the "Begin cleanup Process?" prompt appears.
• If you are prompted to Reboot during the cleanup, select Yes.
• The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.




There is no harm in keeping HijackThis v2.0.4 installed, but if used incorrectly it could fry your system, I advise you to
go to add and remove programs and uninstall it, you can always download again if needed.


Keep Malwarebytes' Anti-Malware updated and run weekly scans, I would also keep Temp File Cleaner and run weekly to keep your system free of clutter.

ERUNT is a registry backup program, so you can keep it and use, if you like, it good for backing up of the registry before
making any major changes to your system




Extra Protection and Advice



Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware


Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software



(P2P) peer-to-peer or file sharing programs are a security risk which can make your system susceptible to malware infections:
Remote attacks, exposure of personal information, identity theft, fraud, and phishing. Many malicious worms and Trojans target P2P files sharing networks.


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Microsoft isn't the only company whose products can contain security vulnerabilities, to check for other vulnerable programs running on your PC that are in need of an update,
you can use the Secunia Software Inspector - I suggest that you run it at least once a month





Read some information here how to prevent Malware.




Please post back and let me know all is ok



Hope the above information helps, and safe surfing.

DFW

[Dakeyras]

Temporally re-opened. Please note we do not provide support via the Private Messaging system, thank you.

[DFW]

Can you tell me what program was causing all of the trouble? Was this an established piece of Malware or something you and your peers haddn't seen

Your computer was infected with a ROOTKIT. In particular, the TDL3/TDSS rootkit, also known as Win32/Alureon.
A rootkit is a set of software tools intended for concealing running processes, files or system data from the operating system. Sadly it is getting very common.
While we are on this subject if you used you system for any online banking etc I would go online and change all your passwords now, and call any company's involved and check all is OK.
not trying to panic you but's it better to be safe than sorry, IF you never, then theres nothing to worry about.

You mentioned it was a good idea to run ERUNT periodically, what about its companion program NTREGOPT?

Use ERUNT to back up your registry before making any system changes, if things were to go wrong you have a back up of your registry to fall back on.
NTREGOPT is a Registry optimizer, I would leave along, I have never found a use for it.


Please post back so we can archive this topic again, unless you have any more questions
DFW

[tahoeles]

DFW, thanks for the feedback. I seem to be running fine thanks to your help. GMER would never run correctly on my system. Should I be concerned about this? Should I do anything?

The donation tab above takes you to PayPal. It does not say where or to whom the donation is sent to. I cannot find anywhere on the page to refference you. I want you to get the credit you deserve for your efforts. Since emailing you directly is not an option, how do I give you proper credit?

Thanks again.

Tahoe Les

[DFW]

Hi Tahoe Les

The donation tab above takes you to PayPal. It does not say where or to whom the donation is sent to. I cannot find anywhere on the page to refference you

The donations are to support this site, so we can continue to help home computer users like yourself, Thank you

DFW, thanks for the feedback. I seem to be running fine thanks to your help. GMER would never run correctly on my system. Should I be concerned about this? Should I do anything?

You will be fine now, GMER did give us some information, which you posted direct, Gmer has now been deleted now as it has done it's job, there is nothing to be concerned about.

Nice working with you

DFW

[Dakeyras]

As it appears this issue has been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.