
I have tried several scans and removed the viruses and malware, but when going to Bing or Yahoo for searches, the initial topic search lists the results and when I proceed to click an item I get redirected to other sites. Please find my Malwarebytes' log along with the HJT logs.

THX PS

Malwarebytes' Anti-Malware 1.37

Database version: 2271

Windows 5.1.2600 Service Pack 3

6/13/2009 9:21:22 PM

mbam-log-2009-06-13 (21-21-22).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 257712

Time elapsed: 51 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:10:39 PM, on 6/13/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16850)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\bgsvcgen.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Softex\OmniPass\Omniserv.exe

C:\WINDOWS\System32\HPZipm12.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Softex\OmniPass\OPXPApp.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\windows\system\hpsysdrv.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Verizon\McciTrayApp.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://calbanktrust.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Road Runner High Speed Online

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {6E2ACE37-CF69-4DF0-AD17-C07A90DFB7F7} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.9.0\ViewBarBHO.dll

O2 - BHO: (no name) - {D404CB63-461C-4797-8E18-F10BC5D6D824} - (no file)

O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll

O3 - Toolbar: (no name) - {301c19bc-4368-46a4-8fbd-a0e9d0dcd4f7} - (no file)

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.9.0\IEViewBar.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [CamMonitor] "c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe"

O4 - HKLM\..\Run: [HPHUPD05] "c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Verizon_McciTrayApp] "C:\Program Files\Verizon\McciTrayApp.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [spybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-21-326441947-1957948835-3910647482-1008\..\Run: [backupNotify] "c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe" (User 'Mom')

O4 - HKUS\S-1-5-21-326441947-1957948835-3910647482-1008\..\Run: [OM_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" -NoStart (User 'Mom')

O4 - HKUS\S-1-5-21-326441947-1957948835-3910647482-1008\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Mom')

O4 - HKUS\S-1-5-21-326441947-1957948835-3910647482-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Mom')

O4 - HKUS\S-1-5-21-326441947-1957948835-3910647482-1010\..\Run: [OM_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" -NoStart (User 'MATT')

O4 - HKUS\S-1-5-21-326441947-1957948835-3910647482-1010\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (User 'MATT')

O4 - HKUS\S-1-5-21-326441947-1957948835-3910647482-500\..\Run: [backupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe (User 'Administrator')

O4 - S-1-5-21-326441947-1957948835-3910647482-500 Startup: mod_sm.lnk.disabled (User 'Administrator')

O4 - S-1-5-21-326441947-1957948835-3910647482-500 User Startup: mod_sm.lnk.disabled (User 'Administrator')

O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk.disabled

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.alliedinsurance.com

O15 - Trusted Zone: http://download.windowsupdate.com

O16 - DPF: PackageCab - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab

O16 - DPF: vzTCPConfig - https://www.verizon.net/WhatsNext/CheckMyPc/vzTCPConfig.CAB

O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - http://supportcenter.adelphia.net/sdccommo...ad/tgctlins.cab

O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://supportsoft.adelphia.net/sdccommon/...ad/tgctlins.cab

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommo...20Installer.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab

O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab

O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab

O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsi.cab

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1152942121593

O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} - https://photos.riteaid.com/control/RiteAidO...PhotoOnline.cab

O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab

O16 - DPF: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D} - http://free.aol.com/tryaolfree/cdt175/aolcdt175.cab

O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab

O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} - https://secure.stamps.com/download/us/cab/s...file=stamps.cab

O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -

O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -

O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} -

O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} -

O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} -

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab

O20 - Winlogon Notify: rqRHaWQi - C:\WINDOWS\

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--

End of file - 13594 bytes


Hello & Welcome to Malwarebytes'

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Options, then click Track this topic. Make sure it is set to Immediate Email Notification, then click Proceed.

In the meantime please note the following:

  • Any recommendations made are for your computer problems only and should NOT be used on any other computer.
  • Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
    1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
    2. Commercial scanners, for the most part, cannot completely remove some of the more "resistant" infections. This makes it much more difficult to get rid of them completely.
  • If you get stuck or are unsure of something please ask for a further explanation, do not guess.
  • It will require more than one round to properly clean your system. Continue to respond to this thread until I give you the All Clean! even if symptoms seemingly abate.

Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.

Thanks

DDS

Download DDS.scr by sUBs from one of the following links & save it to your desktop.

Link 1

Link 2

  • Double-Click on dds.scr and a command window will appear. This is normal
  • Shortly after two logs will appear, DDS.txt & Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Gmer

Download gmer.zip from Gmer here & save it to your desktop.

  • Right click on gmer.zip, select Extract All... & extract the contents to your desktop
  • Double click the Gmer.exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)

  • Then click the Scan button & wait for it to finish
  • Once done click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Note: Do not run any programs while Gmer is running.

To post in next reply:

Contents of DDS log

Contents of Attach.txt

Contents of Gmer log


Hello and thank you for your help. This infection is a nasty one. I ran all the programs per your instruction and the only problem that occurs is that when I run gmer (4 times) my computer reboots about 2 hours into the scan and I am unable to get a log report. FYI I've disconnected from the internet and disabled my AVS. Please advise. I am posting the logs from DDS. Thank you again.

DDS (Ver_09-05-14.01) - NTFSx86

Run by Owner at 20:29:55.98 on Sun 06/14/2009

Internet Explorer: 7.0.5730.11

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.67 [GMT -7:00]

AV: Spy Sweeper with AntiVirus *On-access scanning disabled* (Updated) {B3891867-7230-459B-9987-E7CCFA7A7D1D}

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\bgsvcgen.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Softex\OmniPass\Omniserv.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Softex\OmniPass\OPXPApp.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\windows\system\hpsysdrv.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Verizon\McciTrayApp.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Softex\OmniPass\OPXPApp.exe

C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://calbanktrust.com

uSearch Page = hxxp://google.com

uDefault_Search_URL = about:blank

uSearch Bar = hxxp://google.com

uWindow Title = Road Runner High Speed Online

mDefault_Page_URL = hxxp://go.microsoft.com

mStart Page = hxxp://us9.hpwis.com/

mSearch Bar = hxxp://srch-us9.hpwis.com/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = localhost

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: {6E2ACE37-CF69-4DF0-AD17-C07A90DFB7F7} - No File

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll

BHO: Viewpoint Toolbar BHO: {a7327c09-b521-4edb-8509-7d2660c9ec98} - c:\program files\viewpoint\viewpoint toolbar\3.9.0\ViewBarBHO.dll

BHO: {D404CB63-461C-4797-8E18-F10BC5D6D824} - No File

TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hewlett-packard\digital imaging\bin\hpdtlk02.dll

TB: {301c19bc-4368-46a4-8fbd-a0e9d0dcd4f7} - No File

TB: Viewpoint Toolbar: {f8ad5aa5-d966-4667-9daf-2561d68b2012} - c:\program files\common files\viewpoint\toolbar runtime\3.9.0\IEViewBar.dll

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [AlcxMonitor] ALCXMNTR.EXE

mRun: [CamMonitor] "c:\program files\hewlett-packard\digital imaging\\unload\hpqcmon.exe"

mRun: [HPHUPD05] "c:\program files\hewlett-packard\{45b6180b-dcab-4093-8ee8-6164457517f0}\hphupd05.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [spybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe"

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Microsoft Office.lnk.disabled

uPolicies-explorer: NoViewOnDrive = 0 (0x0)

IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html

IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

IE: &Viewpoint Search - c:\program files\viewpoint\viewpoint toolbar v35\ViewBar.dll/CXTSEARCH.HTML

IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html

IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\npjpi160_06.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll

Trusted Zone: alliedinsurance.com\www

Trusted Zone: frontbridge.com\spam

Trusted Zone: frontbridge.com\webmail

Trusted Zone: microsoft.com\*.update

Trusted Zone: windowsupdate.com\download

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab

DPF: vzTCPConfig - hxxps://www.verizon.net/WhatsNext/CheckMyPc/vzTCPConfig.CAB

DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - hxxp://supportcenter.adelphia.net/sdccommon/download/tgctlins.cab

DPF: {01111F00-3E00-11D2-8470-0060089874ED} - hxxp://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab

DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab

DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab

DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - hxxps://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab

DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} - hxxp://www.imgag.com/cp/install/AxCtp.cab

DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab

DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab

DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab

DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152942121593

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} - hxxps://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab

DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab

DPF: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D} - hxxp://free.aol.com/tryaolfree/cdt175/aolcdt175.cab

DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab

DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} - hxxps://secure.stamps.com/download/us/cab/stamps/stamps.cab?r=0.409881591796875&file=stamps.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab

DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxps://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Notify: igfxcui - igfxsrvc.dll

Notify: OPXPGina - c:\program files\softex\omnipass\opxpgina.dll

Notify: WRNotifier - WRLogonNTF.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Authentication Packages = msv1_0 c:\windows\system32\pmnnKdec

LSA: Notification Packages = scecli scecli scecli scecli scecli

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-6-13 11608]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-6-13 108289]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-6-13 185089]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-13 55640]

R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2006-4-27 3744]

R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2006-4-27 3904]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-16 24652]

R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2008-5-28 3572592]

S0 tyF73;tyF73;c:\windows\system32\drivers\tyf73.sys --> c:\windows\system32\drivers\tyF73.sys [?]

S2 mrtRate;mrtRate; [x]

=============== Created Last 30 ================

2009-06-13 09:47 55,640 a------- c:\windows\system32\drivers\avgntflt.sys

2009-06-13 09:47 <DIR> --d----- c:\program files\Avira

2009-06-13 09:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira

2009-06-12 15:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\93734526

2009-06-12 15:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\13724534

2009-05-22 22:57 20,117 a------- c:\windows\system32\icra.rat

==================== Find3M ====================

2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys

2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll

2009-04-28 21:56 827,392 a------- c:\windows\system32\wininet.dll

2009-04-28 21:55 78,336 a------- c:\windows\system32\ieencode.dll

2009-04-17 05:26 1,847,168 a------- c:\windows\system32\win32k.sys

2009-04-15 07:51 585,216 a------- c:\windows\system32\rpcrt4.dll

2005-10-13 22:01 161,928 a------- c:\documents and settings\all users\FixVundo.exe

2005-07-31 21:25 1,691 a------- c:\program files\ImageMixer VCD DVD2 for OLYMPUS 2.0.lnk

2004-03-27 16:26 56 a--shr-- c:\windows\system32\96F0810076.sys

============= FINISH: 20:32:44.09 ===============

And

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume2

Install Date: 1/30/2004 11:45:07 PM

System Uptime: 6/14/2009 6:43:21 PM (2 hours ago)

Motherboard: TriGem Computer Inc. | | Glendale motherboard

Processor: Intel® Pentium® 4 CPU 2.50GHz | WMT478/NWD | 2486/mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 67 GiB total, 44.375 GiB free.

D: is FIXED (FAT32) - 7 GiB total, 2.061 GiB free.

E: is CDROM ()

F: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: Realtek RTL8139/810x Family Fast Ethernet NIC

Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_3189109F&REV_10\4&2C53C0AE&0&10F0

Manufacturer: Realtek

Name: Realtek RTL8139/810x Family Fast Ethernet NIC

PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_3189109F&REV_10\4&2C53C0AE&0&10F0

Service: rtl8139

==== System Restore Points ===================

RP1: 6/11/2009 1:13:46 PM - System Checkpoint

RP2: 6/11/2009 1:13:47 PM - System Checkpoint

RP3: 6/11/2009 1:13:48 PM - System Checkpoint

RP4: 6/11/2009 1:13:48 PM - System Checkpoint

RP5: 6/11/2009 1:13:48 PM - System Checkpoint

RP6: 6/11/2009 1:13:48 PM - System Checkpoint

RP7: 6/11/2009 1:13:48 PM - System Checkpoint

RP8: 6/11/2009 1:13:48 PM - System Checkpoint

RP9: 6/11/2009 1:13:48 PM - System Checkpoint

RP10: 6/11/2009 1:13:48 PM - Software Distribution Service 3.0

RP11: 6/11/2009 1:13:48 PM - Installed Windows XP KB967715.

RP12: 6/11/2009 1:13:48 PM - System Checkpoint

RP13: 6/11/2009 1:13:48 PM - System Checkpoint

RP14: 6/11/2009 1:13:49 PM - System Checkpoint

RP15: 6/11/2009 1:13:49 PM - Software Distribution Service 3.0

RP16: 6/11/2009 1:13:49 PM - Installed Windows Media Player 11 KB959772.

RP17: 6/11/2009 1:13:49 PM - Installed Windows XP KB958690.

RP18: 6/11/2009 1:13:49 PM - Installed Windows XP KB938464-v2.

RP19: 6/11/2009 1:13:49 PM - Installed Windows XP KB960225.

RP20: 6/11/2009 1:13:50 PM - System Checkpoint

RP21: 6/11/2009 1:13:50 PM - System Checkpoint

RP22: 6/11/2009 1:13:50 PM - System Checkpoint

RP23: 6/11/2009 1:13:50 PM - FiOS Installation

RP24: 6/11/2009 1:13:50 PM - System Checkpoint

RP25: 6/11/2009 1:13:50 PM - Software Distribution Service 3.0

RP26: 6/11/2009 1:13:51 PM - System Checkpoint

RP27: 6/11/2009 1:13:51 PM - System Checkpoint

RP28: 6/11/2009 1:13:51 PM - System Checkpoint

RP29: 6/11/2009 1:13:52 PM - System Checkpoint

RP30: 6/11/2009 1:13:52 PM - System Checkpoint

RP31: 6/11/2009 1:13:52 PM - System Checkpoint

RP32: 6/11/2009 1:13:52 PM - System Checkpoint

RP33: 6/11/2009 1:13:52 PM - System Checkpoint

RP34: 6/11/2009 1:13:53 PM - System Checkpoint

RP35: 6/11/2009 1:13:53 PM - System Checkpoint

RP36: 6/11/2009 1:13:53 PM - System Checkpoint

RP37: 6/11/2009 1:13:53 PM - System Checkpoint

RP38: 6/11/2009 1:13:53 PM - System Checkpoint

RP39: 6/11/2009 1:13:53 PM - System Checkpoint

RP40: 6/11/2009 1:13:53 PM - System Checkpoint

RP41: 6/11/2009 1:13:53 PM - System Checkpoint

RP42: 6/11/2009 1:13:54 PM - Software Distribution Service 3.0

RP43: 6/11/2009 1:13:54 PM - Installed Windows XP KB923561.

RP44: 6/11/2009 1:13:54 PM - Installed Windows XP KB960803.

RP45: 6/11/2009 1:13:55 PM - Installed Windows XP KB952004.

RP46: 6/11/2009 1:13:55 PM - Installed Windows XP KB956572.

RP47: 6/11/2009 1:13:55 PM - Installed Windows XP KB963027.

RP48: 6/11/2009 1:13:55 PM - Installed Windows XP KB961373.

RP49: 6/11/2009 1:13:55 PM - Installed Windows XP KB959426.

RP50: 6/11/2009 1:13:55 PM - System Checkpoint

RP51: 6/11/2009 1:13:55 PM - System Checkpoint

RP52: 6/11/2009 1:13:55 PM - System Checkpoint

RP53: 6/11/2009 1:13:55 PM - System Checkpoint

RP54: 6/11/2009 1:13:56 PM - System Checkpoint

RP55: 6/11/2009 1:13:56 PM - System Checkpoint

RP56: 6/11/2009 1:13:56 PM - System Checkpoint

RP57: 6/11/2009 1:13:56 PM - System Checkpoint

RP58: 6/11/2009 1:13:56 PM - System Checkpoint

RP59: 6/11/2009 1:13:56 PM - System Checkpoint

RP60: 6/11/2009 1:13:56 PM - System Checkpoint

RP61: 6/11/2009 1:13:56 PM - System Checkpoint

RP62: 6/11/2009 1:13:56 PM - System Checkpoint

RP63: 6/11/2009 1:13:56 PM - System Checkpoint

RP64: 6/11/2009 1:13:56 PM - System Checkpoint

RP65: 6/11/2009 1:13:56 PM - System Checkpoint

RP66: 6/11/2009 1:13:56 PM - System Checkpoint

RP67: 6/11/2009 1:13:56 PM - System Checkpoint

RP68: 6/11/2009 1:13:56 PM - System Checkpoint

RP69: 6/11/2009 1:13:56 PM - System Checkpoint

RP70: 6/11/2009 1:13:56 PM - Software Distribution Service 3.0

RP71: 6/11/2009 1:13:56 PM - System Checkpoint

RP72: 6/11/2009 1:13:56 PM - System Checkpoint

RP73: 6/11/2009 1:13:56 PM - System Checkpoint

RP74: 6/11/2009 1:13:56 PM - System Checkpoint

RP75: 6/11/2009 1:13:56 PM - System Checkpoint

RP76: 6/11/2009 1:13:56 PM - System Checkpoint

RP77: 6/11/2009 1:13:56 PM - System Checkpoint

RP78: 6/11/2009 1:13:56 PM - System Checkpoint

RP79: 6/11/2009 1:13:56 PM - System Checkpoint

RP80: 6/11/2009 1:13:56 PM - System Checkpoint

RP81: 6/11/2009 1:13:56 PM - System Checkpoint

RP82: 6/11/2009 1:13:56 PM - System Checkpoint

RP83: 6/11/2009 1:13:56 PM - System Checkpoint

RP84: 6/11/2009 1:13:56 PM - System Checkpoint

RP85: 6/11/2009 1:13:56 PM - System Checkpoint

RP86: 6/11/2009 1:13:56 PM - System Checkpoint

RP87: 6/11/2009 1:13:56 PM - System Checkpoint

RP88: 6/11/2009 1:13:56 PM - System Checkpoint

RP89: 6/11/2009 1:13:56 PM - System Checkpoint

RP90: 6/11/2009 1:13:56 PM - System Checkpoint

RP91: 6/11/2009 1:13:56 PM - System Checkpoint

RP92: 6/11/2009 1:13:56 PM - System Checkpoint

RP93: 6/11/2009 1:13:56 PM - System Checkpoint

RP94: 6/11/2009 1:13:56 PM - Software Distribution Service 3.0

RP95: 6/11/2009 1:13:56 PM - Installed Windows XP KB968537.

RP96: 6/11/2009 1:13:56 PM - Installed Windows XP KB969897.

RP97: 6/11/2009 1:13:56 PM - Installed Windows XP KB970238.

RP98: 6/11/2009 1:13:56 PM - Installed Windows XP KB969898.

RP99: 6/11/2009 1:13:56 PM - Installed Windows XP KB961501.

==== Installed Programs ======================

5 Spots

Accent EXCEL Password Recovery 2.30

Adobe Flash Player 10 ActiveX

Adobe Reader 7.0.9

AiO_Scan

AIOMinimal

Alien Shooter

AOL Instant Messenger

Apple Mobile Device Support

Apple Software Update

Authentium AntiVirus SDK - 2

Avira AntiVir Personal - Free Antivirus

Ballistik

Balloon Blast

Bonjour

CheckIt Diagnostics

Copy

CreativeProjects

Critical Update for Windows Media Player 11 (KB959772)

Director

DivX Player

DivX Pro Codec Adware

DocProc

Enhanced Multimedia Keyboard Solution

ERUNT 1.1j

Family Feud Holidays

fbmgamesetup Toolbar

Freaky Freezeday

Funkiball

GdiplusUpgrade

Glenn's Premier Software

Google Earth

Google Toolbar for Internet Explorer

HijackThis 2.0.2

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Format SDK (KB902344)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB952287)

HP Deskjet Preloaded Printer Drivers

HP Image Zone 3.5

HP Instant Support

HP Organize

HP Photo and Imaging 2.0 - Photosmart Cameras

HP PSC & OfficeJet 3.5

HP Software Update

HPImageZone

HPIZ Fix2

hpmdtab

HpSdpAppCoreApp

HPSystemDiagnostics

ImageMixer VCD/DVD2 for OLYMPUS

Inspector-Parker

Intel® Extreme Graphics Driver

IntelliMover Data Transfer Demo

iTunes

Java 6 Update 2

Java 6 Update 3

Java 6 Update 6

Java SE Runtime Environment 6 Update 1

Jigsaw Deluxe Nickelodeon

Logitech Desktop Messenger

Logitech iTouch Software

Logitech MouseWare 9.75

Logitech Resource Center

Luxor

Macromedia Shockwave Player

Mah Jong Quest

Malwarebytes' Anti-Malware

Marble Blast

MasterSplitter Program

Memories Disc Creator 2.0

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Hotfix (KB928366)

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Data Access Components KB870669

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft Money 2003

Microsoft Money 2003 System Pack

Microsoft National Language Support Downlevel APIs

Microsoft Office 2000 Premium

Microsoft Office PowerPoint Viewer 2003

Microsoft Plus! Digital Media Edition

Microsoft Streets and Trips 2004

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual J# .NET Redistributable Package 1.1

Microsoft Works 7.0

Moyea FLV Player version 1.5.2.7

MSN Music Assistant

MSXML 4.0 SP2 (KB925672)

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MUSICMATCH


Hi

Are you getting any warnings from Gmer about Rootkit activity?

See if you have more luck with this scanner:

RootRepeal

Download RootRepeal.zip from here & unzip it to your Desktop.

  • Double click RootRepeal.exe to start the program
  • Click the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

Note: The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File then Exit to close the program

Post the contents of RootRepeal.txt in your next reply.


The only indication from gmer about rootkit activity is in the window after I select "Scan": there are several listings in red saying "Hidden". Unfortunately, I am in my office and will not be at my infected computer until 5pm (Pacific time) this evening. I will run the new program at that time. I did save a partial log from gmer before my computer had a chance to reboot. Would you like to see a copy of that, as well?


Ok, I'm back. I've copied the partial report from gmer. As an afterthought, I am also copying the results of the scans that I had completed prior to contacting this forum. Maybe this will help in discerning the problems. Should I proceed to do the ROOTREPEAL scan? I will wait for your response. Thanks again!

GMER 1.0.15.14972 - http://www.gmer.net

Rootkit scan 2009-06-15 07:09:21

Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

Code FFB46678 ZwCreateSection

Code 81A33C70 ZwDuplicateObject

Code FF93BA30 ZwEnumerateKey

Code FF9979C8 ZwFlushInstructionCache

Code FF95AC70 ZwSetInformationFile

Code 81993510 ZwSetSystemInformation

Code FF7D3C70 ZwWriteFile

Code FF997E36 IofCallDriver

Code FF9714A6 IofCompleteRequest

Code FFB46677 NtCreateSection

Code 81A33C6F NtDuplicateObject

Code FF95AC6F NtSetInformationFile

Code FF7D3C6F NtWriteFile

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SSFS0BB9.SYS (Spy Sweeper FileSystem Filter Driver/Webroot Software Inc (www.webroot.com))

Device \FileSystem\Fastfat \FatCdrom Code FFB41340

Device \Driver\Tcpip \Device\Ip FF9CA190

Device \Driver\Tcpip \Device\Ip FFB37020

Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)

Device \Driver\Tcpip \Device\Tcp FF9CA190

Device \Driver\Tcpip \Device\Tcp FFB37020

Device \Driver\Tcpip \Device\Udp FF9CA190

Device \Driver\Tcpip \Device\Udp FFB37020

Device \Driver\Tcpip \Device\RawIp FF9CA190

Device \Driver\Tcpip \Device\RawIp FFB37020

Device \Driver\Tcpip \Device\IPMULTICAST FF9CA190

Device \Driver\Tcpip \Device\IPMULTICAST FFB37020

Device \FileSystem\Fastfat \Fat Code FFB41340

AttachedDevice \FileSystem\Fastfat \Fat SSFS0BB9.SYS (Spy Sweeper FileSystem Filter Driver/Webroot Software Inc (www.webroot.com))

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Process hidden process (*** hidden *** ) 15204

Process hidden process (*** hidden *** ) 15428

Process hidden process (*** hidden *** ) 15536

Process hidden process (*** hidden *** ) 15576

Process hidden process (*** hidden *** ) 15796

Process hidden process (*** hidden *** ) 15820

Process hidden process (*** hidden *** ) 15852

Process hidden process (*** hidden *** ) 15860

Process hidden process (*** hidden *** ) 15868

Process hidden process (*** hidden *** ) 15908

Process hidden process (*** hidden *** ) 15920

Process hidden process (*** hidden *** ) 16072

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\SKYNETxdqqoqom.sys (*** hidden *** ) [sYSTEM] SKYNETswrrjcbr <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETswrrjcbr

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETswrrjcbr@start 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETswrrjcbr@type 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETswrrjcbr@group file system

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETswrrjcbr@imagepath \systemroot\system32\drivers\SKYNETxdqqoqom.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETswrrjcbr\main

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETswrrjcbr\main@aid 10120

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETswrrjcbr\main@sid 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETswrrjcbr\main@cmddelay 7200

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETswrrjcbr\main\delete

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETswrrjcbr\main\injector

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETswrrjcbr\main\injector@* SKYNETwsp.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETswrrjcbr\main\tasks

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETswrrjcbr\modules

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETswrrjcbr\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETxdqqoqom.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETswrrjcbr\modules@SKYNETcmd.dll \systemroot\system32\SKYNETliltabdr.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETswrrjcbr\modules@SKYNETlog.dat \systemroot\system32\SKYNETvxbqmwwb.dat

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETswrrjcbr\modules@SKYNETwsp.dll \systemroot\system32\SKYNETtuhdpjwr.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETswrrjcbr\modules@SKYNET.dat \systemroot\system32\SKYNETrnygsifv.dat

Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETswrrjcbr

Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETswrrjcbr@start 1

Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETswrrjcbr@type 1

Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETswrrjcbr@group file system

Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETswrrjcbr@imagepath \systemroot\system32\drivers\SKYNETxdqqoqom.sys

Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETswrrjcbr\main

Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETswrrjcbr\main@aid 10120

Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETswrrjcbr\main@sid 0

Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETswrrjcbr\main@cmddelay 7200

Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETswrrjcbr\main\delete

Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETswrrjcbr\main\injector

Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETswrrjcbr\main\injector@* SKYNETwsp.dll

Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETswrrjcbr\main\tasks

Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETswrrjcbr\modules

Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETswrrjcbr\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETxdqqoqom.sys

Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETswrrjcbr\modules@SKYNETcmd.dll \systemroot\system32\SKYNETliltabdr.dll

Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETswrrjcbr\modules@SKYNETlog.dat \systemroot\system32\SKYNETvxbqmwwb.dat

Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETswrrjcbr\modules@SKYNETwsp.dll \systemroot\system32\SKYNETtuhdpjwr.dll

Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETswrrjcbr\modules@SKYNET.dat \systemroot\system32\SKYNETrnygsifv.dat

Reg HKLM\SOFTWARE\Classes\CLSID\{00A2CCDC-4BE0-BECD-A563-A7145AE65077}\InProcServer32@ %SystemRoot%\System32\browseui.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{00A2CCDC-4BE0-BECD-A563-A7145AE65077}\InProcServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{00C10500-6CE3-84D4-575D-175CB8B271FF}\InprocHandler32@ ole32.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{00C10500-6CE3-84D4-575D-175CB8B271FF}\LocalServer32@ C:\PROGRA~1\MICROS~2\Office\WINWORD.EXE /Automation

Reg HKLM\SOFTWARE\Classes\CLSID\{00C10500-6CE3-84D4-575D-175CB8B271FF}\LocalServer32@LocalServer32 10!!!gxsf(Ng]qF`H{LsWORDFiles>llT]jI{jf(=1&L[-81-] /Automation?

Reg HKLM\SOFTWARE\Classes\CLSID\{00C10500-6CE3-84D4-575D-175CB8B271FF}\ProgID@ Word.Application.9

Reg HKLM\SOFTWARE\Classes\CLSID\{00C10500-6CE3-84D4-575D-175CB8B271FF}\VersionIndependentProgID@ Word.Application

Reg HKLM\SOFTWARE\Classes\CLSID\{031B8030-D0A2-363F-2275-1D5FEF65A9F6}\Insertable@

Reg HKLM\SOFTWARE\Classes\CLSID\{031B8030-D0A2-363F-2275-1D5FEF65A9F6}\Ole1Class@ MPlayer

Reg HKLM\SOFTWARE\Classes\CLSID\{031B8030-D0A2-363F-2275-1D5FEF65A9F6}\ProgID@ MPlayer

Reg HKLM\SOFTWARE\Classes\CLSID\{031B8030-D0A2-363F-2275-1D5FEF65A9F6}\TreatAs@ {00022601-0000-0000-C000-000000000046}

Reg HKLM\SOFTWARE\Classes\CLSID\{0A432577-9DC9-40AE-AA46-6411124A4C8E}\Ole1Class@ WP8Doc

Reg HKLM\SOFTWARE\Classes\CLSID\{0A432577-9DC9-40AE-AA46-6411124A4C8E}\ProgID@ WP8Doc

Reg HKLM\SOFTWARE\Classes\CLSID\{0D05F5EA-EF9F-7F27-904C-5AC5AC1B9155}\InprocServer32@ C:\WINDOWS\system32\mfc42.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{0D05F5EA-EF9F-7F27-904C-5AC5AC1B9155}\InprocServer32@InprocServer32 R0XISx3yLA2[L[A^.G0(Typical>l^*4T$!iE@AW'_1m2-*C?@Gem2BdaJ?ES60)4^LTy>=3&5,B^pf(V%eqFgkW_B?voC'0Fe7s=eTxzvF2=aaScan>=3&5,B^pf(V%eqFgkW_B?XmU5ExJfu9]$gId's5~1QuickProjects>=3&5,B^pf(V%eqFgkW_B?JS+qg~3aA?X$KEQ{w?_-MyImages>=3&5,B^pf(V%eqFgkW_B?s46'FYxog=e~RTbgveVQPrintCreator>=%YAYRcuf(mdaqF-Q9q.?s46'FYxog=e~RTbgveVQcuPvc2>=3&5,B^pf(V%eqFgkW_B?

Reg HKLM\SOFTWARE\Classes\CLSID\{15AFE201-8D63-7C14-2165-38E87248F036}\InprocServer32@ C:\WINDOWS\System32\dx3j.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{15AFE201-8D63-7C14-2165-38E87248F036}\InprocServer32@ThreadingModel both

Reg HKLM\SOFTWARE\Classes\CLSID\{15AFE201-8D63-7C14-2165-38E87248F036}\ProgID@ DIRECT.DirectPlay2.3

Reg HKLM\SOFTWARE\Classes\CLSID\{15AFE201-8D63-7C14-2165-38E87248F036}\VersionIndependentProgID@ DIRECT.DiectPlay2.3

Reg HKLM\SOFTWARE\Classes\CLSID\{23935D06-F101-12F8-4D8F-8F243ECDD1A4}\LocalServer32@ "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE"

Reg HKLM\SOFTWARE\Classes\CLSID\{23935D06-F101-12F8-4D8F-8F243ECDD1A4}\ProgID@ Symantec.stLUProgressCallback.1

Reg HKLM\SOFTWARE\Classes\CLSID\{23935D06-F101-12F8-4D8F-8F243ECDD1A4}\TypeLib@ {51B9BCA6-4A06-11D3-B538-00902771A435}

Reg HKLM\SOFTWARE\Classes\CLSID\{23935D06-F101-12F8-4D8F-8F243ECDD1A4}\VersionIndependentProgID@ Symantec.stLUProgressCallback

Reg HKLM\SOFTWARE\Classes\CLSID\{252E569D-13FE-94AF-FD02-2752A487F89C}\InprocServer32@ C:\WINDOWS\System32\mstime.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{252E569D-13FE-94AF-FD02-2752A487F89C}\InprocServer32@ThreadingModel both

Reg HKLM\SOFTWARE\Classes\CLSID\{252E569D-13FE-94AF-FD02-2752A487F89C}\ProgID@ MSTIME.SMILAnimCompSiteFactory.1

Reg HKLM\SOFTWARE\Classes\CLSID\{252E569D-13FE-94AF-FD02-2752A487F89C}\VersionIndependentProgID@ MSTIME.SMILAnimCompSiteFactory

Reg HKLM\SOFTWARE\Classes\CLSID\{25CBCEA0-43D5-1289-C7B6-517316B45B4B}\InprocHandler32@ ole32.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{25CBCEA0-43D5-1289-C7B6-517316B45B4B}\LocalServer32@ C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE

Reg HKLM\SOFTWARE\Classes\CLSID\{25CBCEA0-43D5-1289-C7B6-517316B45B4B}\LocalServer32@LocalServer32 10!!!gxsf(Ng]qF`H{LsOUTLOOKFiles>ToT]jI{jf(=1&L[-81-]?

Reg HKLM\SOFTWARE\Classes\CLSID\{26B41561-A1B3-8D17-A7DE-051BE27736BA}\AutoConvertTo@ {64818D10-4F9B-11CF-86EA-00AA00B929E8}

Reg HKLM\SOFTWARE\Classes\CLSID\{26B41561-A1B3-8D17-A7DE-051BE27736BA}\NotInsertable@

Reg HKLM\SOFTWARE\Classes\CLSID\{26B41561-A1B3-8D17-A7DE-051BE27736BA}\Ole1Class@ MSPowerPoint

Reg HKLM\SOFTWARE\Classes\CLSID\{26B41561-A1B3-8D17-A7DE-051BE27736BA}\ProgID@ MSPowerPoint

Reg HKLM\SOFTWARE\Classes\CLSID\{2C5CCF7C-0D36-2744-777E-BDB8E644C83C}\InprocServer32@ c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqehttp.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{2C5CCF7C-0D36-2744-777E-BDB8E644C83C}\InprocServer32@InprocServer32 s46'FYxog=e~RTbgveVQcuPvc1>Kws&^g.Bw8Q84F.'H+wn?

Reg HKLM\SOFTWARE\Classes\CLSID\{2C5CCF7C-0D36-2744-777E-BDB8E644C83C}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{2C5CCF7C-0D36-2744-777E-BDB8E644C83C}\ProgID@ Hpqehttp.AssetUploadService.1

Reg HKLM\SOFTWARE\Classes\CLSID\{2C5CCF7C-0D36-2744-777E-BDB8E644C83C}\TypeLib@ {8E88DCDE-C5CC-462D-9D69-4058A2F97730}

Reg HKLM\SOFTWARE\Classes\CLSID\{2C5CCF7C-0D36-2744-777E-BDB8E644C83C}\VersionIndependentProgID@ Hpqehttp.AssetUploadService

Reg HKLM\SOFTWARE\Classes\CLSID\{2DA93FC2-192D-002B-F974-1CAF66C808E2}\InprocServer32@ C:\WINDOWS\System32\qcap.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{2DA93FC2-192D-002B-F974-1CAF66C808E2}\InprocServer32@ThreadingModel Both

Reg HKLM\SOFTWARE\Classes\CLSID\{30D25B48-48C5-F1BE-9E07-DCD372605F11}\InProcServer32@ wiavusd.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{30D25B48-48C5-F1BE-9E07-DCD372605F11}\InProcServer32@ThreadingModel Both

Reg HKLM\SOFTWARE\Classes\CLSID\{30D25B48-48C5-F1BE-9E07-DCD372605F11}\ProgId@ StillImage.VideoCapture.1

Reg HKLM\SOFTWARE\Classes\CLSID\{30D25B48-48C5-F1BE-9E07-DCD372605F11}\VersionIndependentProgId@ StillImage.VideoCapture.1

Reg HKLM\SOFTWARE\Classes\CLSID\{36018685-C5B5-9B32-AB55-39A30EA1A452}\InProcServer32@ ole32.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{37E6B737-2341-8A00-D250-BD1235C52220}\RTFClassName@ WrdPrfctDos

Reg HKLM\SOFTWARE\Classes\CLSID\{38AE9EA3-F103-9F16-A792-ED2C16FB1CA2}\InprocServer32@ C:\WINDOWS\System32\qdv.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{38AE9EA3-F103-9F16-A792-ED2C16FB1CA2}\InprocServer32@ThreadingModel Both

Reg HKLM\SOFTWARE\Classes\CLSID\{38AF9B91-0245-992F-6C66-53D38DF21EE6}\Implemented Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29}

Reg HKLM\SOFTWARE\Classes\CLSID\{38AF9B91-0245-992F-6C66-53D38DF21EE6}\Implemented Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29}@

Reg HKLM\SOFTWARE\Classes\CLSID\{38AF9B91-0245-992F-6C66-53D38DF21EE6}\InprocServer32@ mscoree.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{38AF9B91-0245-992F-6C66-53D38DF21EE6}\InprocServer32@ThreadingModel Both

Reg HKLM\SOFTWARE\Classes\CLSID\{38AF9B91-0245-992F-6C66-53D38DF21EE6}\InprocServer32@Class System.Runtime.InteropServices.COMException

Reg HKLM\SOFTWARE\Classes\CLSID\{38AF9B91-0245-992F-6C66-53D38DF21EE6}\InprocServer32@Assembly mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

Reg HKLM\SOFTWARE\Classes\CLSID\{38AF9B91-0245-992F-6C66-53D38DF21EE6}\InprocServer32@RuntimeVersion v1.1.4322

Reg HKLM\SOFTWARE\Classes\CLSID\{38AF9B91-0245-992F-6C66-53D38DF21EE6}\InprocServer32\1.0.5000.0

Reg HKLM\SOFTWARE\Classes\CLSID\{38AF9B91-0245-992F-6C66-53D38DF21EE6}\InprocServer32\1.0.5000.0@Class System.Runtime.InteropServices.COMException

Reg HKLM\SOFTWARE\Classes\CLSID\{38AF9B91-0245-992F-6C66-53D38DF21EE6}\InprocServer32\1.0.5000.0@Assembly mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

Reg HKLM\SOFTWARE\Classes\CLSID\{38AF9B91-0245-992F-6C66-53D38DF21EE6}\InprocServer32\1.0.5000.0@RuntimeVersion v1.1.4322

Reg HKLM\SOFTWARE\Classes\CLSID\{38AF9B91-0245-992F-6C66-53D38DF21EE6}\ProgId@ System.Runtime.InteropServices.COMException

Reg HKLM\SOFTWARE\Classes\CLSID\{3C91CB00-8514-901B-651D-5D20DF97F7FA}\InprocServer32@ C:\WINDOWS\System32\nvcpl.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{3C91CB00-8514-901B-651D-5D20DF97F7FA}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{44A5F587-110C-7775-09E1-150D080F26AE}\InprocServer32@ C:\WINDOWS\system32\msvidctl.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{44A5F587-110C-7775-09E1-150D080F26AE}\InprocServer32@ThreadingModel Both

Reg HKLM\SOFTWARE\Classes\CLSID\{44A5F587-110C-7775-09E1-150D080F26AE}\TypeLib@ {9B085638-018E-11D3-9D8E-00C04F72D980}

Reg HKLM\SOFTWARE\Classes\CLSID\{4B39E890-C7CA-9820-0BCA-6DA048925FED}\InprocHandler32@ ole32.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{4B39E890-C7CA-9820-0BCA-6DA048925FED}\LocalServer32@ C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE

Reg HKLM\SOFTWARE\Classes\CLSID\{4B39E890-C7CA-9820-0BCA-6DA048925FED}\LocalServer32@LocalServer32 10!!!gxsf(Ng]qF`H{LsOUTLOOKFiles>ToT]jI{jf(=1&L[-81-]?

Reg HKLM\SOFTWARE\Classes\CLSID\{4DEF69C9-7051-AD87-BDC1-D408C5390C5C}\LocalServer32@LocalServer32 10!!!gxsf(Ng]qF`H{LsDatabaseReplication>hzBkuInpf(Ed)L[lj+'(?

Reg HKLM\SOFTWARE\Classes\CLSID\{4DEF69C9-7051-AD87-BDC1-D408C5390C5C}\ProgID@ WzConflict.Wizard

Reg HKLM\SOFTWARE\Classes\CLSID\{5218F687-A38C-4622-C098-EDAB060EE2C7}\InprocServer32@ C:\Program Files\Microsoft Money\System\mspfctl1.ocx

Reg HKLM\SOFTWARE\Classes\CLSID\{5218F687-A38C-4622-C098-EDAB060EE2C7}\InprocServer32@InprocServer32 .I}^!g[j7A2=!H+BS2TOfeat.Program>`]J-Uux@g(gjYeAyP.HQ?

Reg HKLM\SOFTWARE\Classes\CLSID\{5255CE12-C99C-E457-4434-E1142D08C704}\Insertable@

Reg HKLM\SOFTWARE\Classes\CLSID\{5255CE12-C99C-E457-4434-E1142D08C704}\Ole1Class@ MPlayer

Reg HKLM\SOFTWARE\Classes\CLSID\{5255CE12-C99C-E457-4434-E1142D08C704}\ProgID@ MPlayer

Reg HKLM\SOFTWARE\Classes\CLSID\{5255CE12-C99C-E457-4434-E1142D08C704}\TreatAs@ {00022601-0000-0000-C000-000000000046}

Reg HKLM\SOFTWARE\Classes\CLSID\{5A1A4A1F-3466-CD6F-A443-FF5E420A7557}\InprocServer32@ C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMRadioEngine.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{5A1A4A1F-3466-CD6F-A443-FF5E420A7557}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{5A1A4A1F-3466-CD6F-A443-FF5E420A7557}\ProgID@ MMRadioEngine.RadioEngineObj.1

Reg HKLM\SOFTWARE\Classes\CLSID\{5A1A4A1F-3466-CD6F-A443-FF5E420A7557}\TypeLib@ {0C5D39A3-460B-11D4-ADE1-0050DACD3DB9}

Reg HKLM\SOFTWARE\Classes\CLSID\{5A1A4A1F-3466-CD6F-A443-FF5E420A7557}\VersionIndependentProgID@ MMRadioEngine.RadioEngineObj

Reg HKLM\SOFTWARE\Classes\CLSID\{5CA477D1-1E14-16B2-2605-3950024911C6}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}

Reg HKLM\SOFTWARE\Classes\CLSID\{5CA477D1-1E14-16B2-2605-3950024911C6}\InProcServer32@ C:\WINDOWS\System32\wshom.ocx

Reg HKLM\SOFTWARE\Classes\CLSID\{5CA477D1-1E14-16B2-2605-3950024911C6}\InProcServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{5CA477D1-1E14-16B2-2605-3950024911C6}\ProgID@ WScript.Network.1

Reg HKLM\SOFTWARE\Classes\CLSID\{5CA477D1-1E14-16B2-2605-3950024911C6}\TypeLib@ {F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}

Reg HKLM\SOFTWARE\Classes\CLSID\{5CA477D1-1E14-16B2-2605-3950024911C6}\VersionIndependentProgID@ WScript.Network

Reg HKLM\SOFTWARE\Classes\CLSID\{5D089152-8CE4-5472-CD9A-40C48337E28A}\ShellFolder@Attributes 114

Reg HKLM\SOFTWARE\Classes\CLSID\{69ADA834-9CB5-8EE9-1265-38883729A7A2}\InprocServer32@ %ProgramFiles%\Outlook Express\oeimport.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{69ADA834-9CB5-8EE9-1265-38883729A7A2}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{6B30EBC6-92C2-8F00-10CC-96A2713E8079}\InProcServer32@ dpvoice.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{6B30EBC6-92C2-8F00-10CC-96A2713E8079}\InProcServer32@ThreadingModel Both

Reg HKLM\SOFTWARE\Classes\CLSID\{6B30EBC6-92C2-8F00-10CC-96A2713E8079}\ProgID@ DirectPlayVoice.Test.1

Reg HKLM\SOFTWARE\Classes\CLSID\{6B30EBC6-92C2-8F00-10CC-96A2713E8079}\VersionIndependentProgID@ DirectPlayVoice.Test

Reg HKLM\SOFTWARE\Classes\CLSID\{7068F753-86F0-CAA4-2F34-A44A63EC61C9}\Implemented Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29}

Reg HKLM\SOFTWARE\Classes\CLSID\{7068F753-86F0-CAA4-2F34-A44A63EC61C9}\Implemented Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29}@

Reg HKLM\SOFTWARE\Classes\CLSID\{7068F753-86F0-CAA4-2F34-A44A63EC61C9}\InprocServer32@ mscoree.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{7068F753-86F0-CAA4-2F34-A44A63EC61C9}\InprocServer32@ThreadingModel Both

Reg HKLM\SOFTWARE\Classes\CLSID\{7068F753-86F0-CAA4-2F34-A44A63EC61C9}\InprocServer32@Class System.Runtime.Remoting.Proxies.ProxyAttribute

Reg HKLM\SOFTWARE\Classes\CLSID\{7068F753-86F0-CAA4-2F34-A44A63EC61C9}\InprocServer32@Assembly mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

Reg HKLM\SOFTWARE\Classes\CLSID\{7068F753-86F0-CAA4-2F34-A44A63EC61C9}\InprocServer32@RuntimeVersion v1.1.4322

Reg HKLM\SOFTWARE\Classes\CLSID\{7068F753-86F0-CAA4-2F34-A44A63EC61C9}\InprocServer32\1.0.5000.0

Reg HKLM\SOFTWARE\Classes\CLSID\{7068F753-86F0-CAA4-2F34-A44A63EC61C9}\InprocServer32\1.0.5000.0@Class System.Runtime.Remoting.Proxies.ProxyAttribute

Reg HKLM\SOFTWARE\Classes\CLSID\{7068F753-86F0-CAA4-2F34-A44A63EC61C9}\InprocServer32\1.0.5000.0@Assembly mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

Reg HKLM\SOFTWARE\Classes\CLSID\{7068F753-86F0-CAA4-2F34-A44A63EC61C9}\InprocServer32\1.0.5000.0@RuntimeVersion v1.1.4322

Reg HKLM\SOFTWARE\Classes\CLSID\{7068F753-86F0-CAA4-2F34-A44A63EC61C9}\ProgId@ System.Runtime.Remoting.Proxies.ProxyAttribute

Reg HKLM\SOFTWARE\Classes\CLSID\{7BBA5882-DB4F-47F1-2264-2198A23006C0}\AuxUserType@ Clip

Reg HKLM\SOFTWARE\Classes\CLSID\{7BBA5882-DB4F-47F1-2264-2198A23006C0}\AuxUserType\2

Reg HKLM\SOFTWARE\Classes\CLSID\{7BBA5882-DB4F-47F1-2264-2198A23006C0}\AuxUserType\2@ Clip

Reg HKLM\SOFTWARE\Classes\CLSID\{7BBA5882-DB4F-47F1-2264-2198A23006C0}\AuxUserType\3

Reg HKLM\SOFTWARE\Classes\CLSID\{7BBA5882-DB4F-47F1-2264-2198A23006C0}\AuxUserType\3@ Clip Gallery

Reg HKLM\SOFTWARE\Classes\CLSID\{7BBA5882-DB4F-47F1-2264-2198A23006C0}\DefaultIcon@ C:\PROGRA~1\COMMON~1\MICROS~1\Artgalry\artgalrY.exe,1

Reg HKLM\SOFTWARE\Classes\CLSID\{7BBA5882-DB4F-47F1-2264-2198A23006C0}\InprocHandler32@ ole32.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{7BBA5882-DB4F-47F1-2264-2198A23006C0}\InprocServer32@

Reg HKLM\SOFTWARE\Classes\CLSID\{7BBA5882-DB4F-47F1-2264-2198A23006C0}\Insertable@

Reg HKLM\SOFTWARE\Classes\CLSID\{7BBA5882-DB4F-47F1-2264-2198A23006C0}\LocalServer32@ C:\PROGRA~1\COMMON~1\MICROS~1\Artgalry\artgalrY.exe

Reg HKLM\SOFTWARE\Classes\CLSID\{7BBA5882-DB4F-47F1-2264-2198A23006C0}\LocalServer32@LocalServer32 10!!!gxsf(Ng]qF`H{LsClipGalleryFiles>jYR4knDlf(2D6__kM!0Q?

Reg HKLM\SOFTWARE\Classes\CLSID\{7BBA5882-DB4F-47F1-2264-2198A23006C0}\MiscStatus@ 512

Reg HKLM\SOFTWARE\Classes\CLSID\{7BBA5882-DB4F-47F1-2264-2198A23006C0}\ProgID@ MS_ClipArt_Gallery.5

Reg HKLM\SOFTWARE\Classes\CLSID\{7BBA5882-DB4F-47F1-2264-2198A23006C0}\Verb@

Reg HKLM\SOFTWARE\Classes\CLSID\{7BBA5882-DB4F-47F1-2264-2198A23006C0}\Verb\0

Reg HKLM\SOFTWARE\Classes\CLSID\{7BBA5882-DB4F-47F1-2264-2198A23006C0}\Verb\0@ &Replace,0,2

Reg HKLM\SOFTWARE\Classes\CLSID\{7BBA5882-DB4F-47F1-2264-2198A23006C0}\VersionIndependentProgID@ MS_ClipArt_Gallery

Reg HKLM\SOFTWARE\Classes\CLSID\{806D8188-10B6-89D5-FB7C-3EC3580C1DD4}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{806D8188-10B6-89D5-FB7C-3EC3580C1DD4}\InprocServer32@ C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVLUCBK.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{806D8188-10B6-89D5-FB7C-3EC3580C1DD4}\ProgID@ LiveUpdate.luNavCallBack.1

Reg HKLM\SOFTWARE\Classes\CLSID\{806D8188-10B6-89D5-FB7C-3EC3580C1DD4}\VersionIndependentProgID@ LiveUpdate.luNavCallBack

Reg HKLM\SOFTWARE\Classes\CLSID\{8473CFA3-17F8-A0DB-7FFF-44784AFAF9FE}\Implemented Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29}

Reg HKLM\SOFTWARE\Classes\CLSID\{8473CFA3-17F8-A0DB-7FFF-44784AFAF9FE}\Implemented Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29}@

Reg HKLM\SOFTWARE\Classes\CLSID\{8473CFA3-17F8-A0DB-7FFF-44784AFAF9FE}\InprocServer32@ mscoree.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{8473CFA3-17F8-A0DB-7FFF-44784AFAF9FE}\InprocServer32@ThreadingModel Both

Reg HKLM\SOFTWARE\Classes\CLSID\{8473CFA3-17F8-A0DB-7FFF-44784AFAF9FE}\InprocServer32@Class Microsoft.JScript.JSAuthor

Reg HKLM\SOFTWARE\Classes\CLSID\{8473CFA3-17F8-A0DB-7FFF-44784AFAF9FE}\InprocServer32@Assembly Microsoft.JScript, Version=7.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a

Reg HKLM\SOFTWARE\Classes\CLSID\{8473CFA3-17F8-A0DB-7FFF-44784AFAF9FE}\InprocServer32@RuntimeVersion v1.1.4322

Reg HKLM\SOFTWARE\Classes\CLSID\{8473CFA3-17F8-A0DB-7FFF-44784AFAF9FE}\InprocServer32\7.0.5000.0

Reg HKLM\SOFTWARE\Classes\CLSID\{8473CFA3-17F8-A0DB-7FFF-44784AFAF9FE}\InprocServer32\7.0.5000.0@Class Microsoft.JScript.JSAuthor

Reg HKLM\SOFTWARE\Classes\CLSID\{8473CFA3-17F8-A0DB-7FFF-44784AFAF9FE}\InprocServer32\7.0.5000.0@Assembly Microsoft.JScript, Version=7.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a

Reg HKLM\SOFTWARE\Classes\CLSID\{8473CFA3-17F8-A0DB-7FFF-44784AFAF9FE}\InprocServer32\7.0.5000.0@RuntimeVersion v1.1.4322

Reg HKLM\SOFTWARE\Classes\CLSID\{8473CFA3-17F8-A0DB-7FFF-44784AFAF9FE}\ProgId@ Microsoft.JScript.JSAuthor

Reg HKLM\SOFTWARE\Classes\CLSID\{8742D82B-F165-76CC-FA0F-9ED6AFA6D482}\InprocServer32@ C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqimgr.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{8742D82B-F165-76CC-FA0F-9ED6AFA6D482}\InprocServer32@InprocServer32 Rh]S]2l%(?l~`k4dPHT+CreativeProjects>V?N-uf7x~?19C_P+aQ^B?JS+qg~3aA?X$KEQ{w?_-GalleryFramework>V?N-uf7x~?19C_P+aQ^B?

Reg HKLM\SOFTWARE\Classes\CLSID\{8742D82B-F165-76CC-FA0F-9ED6AFA6D482}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{8742D82B-F165-76CC-FA0F-9ED6AFA6D482}\ProgID@ ImageManager.ImageMgr.1

Reg HKLM\SOFTWARE\Classes\CLSID\{8742D82B-F165-76CC-FA0F-9ED6AFA6D482}\TypeLib@ {8782862A-52D2-4716-BD46-1D1E0DCB62F3}

Reg HKLM\SOFTWARE\Classes\CLSID\{8742D82B-F165-76CC-FA0F-9ED6AFA6D482}\VersionIndependentProgID@ ImageManager.ImageMgr

Reg HKLM\SOFTWARE\Classes\CLSID\{8C9DE8F6-531D-DE55-1757-04854AFB348C}\InprocServer32@ C:\WINDOWS\System32\wmvadvd.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{8C9DE8F6-531D-DE55-1757-04854AFB348C}\InprocServer32@ThreadingModel Both

Reg HKLM\SOFTWARE\Classes\CLSID\{8CD83E60-946D-C604-0BB1-C8A0A8356DDD}\Ole1Class@ Package

Reg HKLM\SOFTWARE\Classes\CLSID\{8CD83E60-946D-C604-0BB1-C8A0A8356DDD}\ProgID@ Package

Reg HKLM\SOFTWARE\Classes\CLSID\{942D82A5-DA03-640B-5E19-3CBD62700780}\InprocServer32@ %ProgramFiles%\Outlook Express\oeimport.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{942D82A5-DA03-640B-5E19-3CBD62700780}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{96221559-5328-0735-5782-A49F687771FA}\InProcServer32@ C:\WINDOWS\System32\urlmon.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{96221559-5328-0735-5782-A49F687771FA}\InProcServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{96387558-4A4A-C5ED-42AE-A37C590677E6}\InProcServer32@ shell32.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{96387558-4A4A-C5ED-42AE-A37C590677E6}\InProcServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{96387558-4A4A-C5ED-42AE-A37C590677E6}\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}

Reg HKLM\SOFTWARE\Classes\CLSID\{96387558-4A4A-C5ED-42AE-A37C590677E6}\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}@ {00021401-0000-0000-C000-000000000046}

Reg HKLM\SOFTWARE\Classes\CLSID\{96387558-4A4A-C5ED-42AE-A37C590677E6}\PersistentHandler@ {00021401-0000-0000-C000-000000000046}

Reg HKLM\SOFTWARE\Classes\CLSID\{96387558-4A4A-C5ED-42AE-A37C590677E6}\ProgID@ lnkfile

Reg HKLM\SOFTWARE\Classes\CLSID\{96387558-4A4A-C5ED-42AE-A37C590677E6}\shellex\MayChangeDefaultMenu

Reg HKLM\SOFTWARE\Classes\CLSID\{97BFF69F-6B37-B21D-271B-1C691B57AAE7}\Implemented Categories\{F2BB56D1-DB07-11D1-AA6B-006097DB9539}

Reg HKLM\SOFTWARE\Classes\CLSID\{97BFF69F-6B37-B21D-271B-1C691B57AAE7}\InprocServer32@ C:\PROGRA~1\MICROS~2\Office\MSOWC.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{97BFF69F-6B37-B21D-271B-1C691B57AAE7}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{97BFF69F-6B37-B21D-271B-1C691B57AAE7}\MiscStatus@ 0

Reg HKLM\SOFTWARE\Classes\CLSID\{97BFF69F-6B37-B21D-271B-1C691B57AAE7}\MiscStatus\1

Reg HKLM\SOFTWARE\Classes\CLSID\{97BFF69F-6B37-B21D-271B-1C691B57AAE7}\MiscStatus\1@ 131473

Reg HKLM\SOFTWARE\Classes\CLSID\{97BFF69F-6B37-B21D-271B-1C691B57AAE7}\ProgID@ OWC.PivotTable.9

Reg HKLM\SOFTWARE\Classes\CLSID\{97BFF69F-6B37-B21D-271B-1C691B57AAE7}\ToolboxBitmap32@ C:\PROGRA~1\MICROS~2\Office\MSOWC.DLL, 1010

Reg HKLM\SOFTWARE\Classes\CLSID\{97BFF69F-6B37-B21D-271B-1C691B57AAE7}\TypeLib@ {0002E540-0000-0000-C000-000000000046}

Reg HKLM\SOFTWARE\Classes\CLSID\{97BFF69F-6B37-B21D-271B-1C691B57AAE7}\Version@ 1.0

Reg HKLM\SOFTWARE\Classes\CLSID\{97BFF69F-6B37-B21D-271B-1C691B57AAE7}\VersionIndependentProgID@ OWC.PivotTable

Reg HKLM\SOFTWARE\Classes\CLSID\{99ABF834-28BA-1905-404D-473A6F82B52F}\MiscStatus@ 512

Reg HKLM\SOFTWARE\Classes\CLSID\{99ABF834-28BA-1905-404D-473A6F82B52F}\Ole1Class@ Note-It

Reg HKLM\SOFTWARE\Classes\CLSID\{99ABF834-28BA-1905-404D-473A6F82B52F}\ProgID@ Note-It

Reg HKLM\SOFTWARE\Classes\CLSID\{9AED5D30-9D2E-D167-C810-42EC6B3814C2}\Implemented Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29}

Reg HKLM\SOFTWARE\Classes\CLSID\{9AED5D30-9D2E-D167-C810-42EC6B3814C2}\Implemented Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29}@

Reg HKLM\SOFTWARE\Classes\CLSID\{9AED5D30-9D2E-D167-C810-42EC6B3814C2}\InprocServer32@ C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscormmc.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{9AED5D30-9D2E-D167-C810-42EC6B3814C2}\InprocServer32@ThreadingModel Both

Reg HKLM\SOFTWARE\Classes\CLSID\{9AED5D30-9D2E-D167-C810-42EC6B3814C2}\InprocServer32@Class Microsoft.CLRAdmin.CCommandHistory

Reg HKLM\SOFTWARE\Classes\CLSID\{9AED5D30-9D2E-D167-C810-42EC6B3814C2}\InprocServer32@Assembly mscorcfg, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a

Reg HKLM\SOFTWARE\Classes\CLSID\{9AED5D30-9D2E-D167-C810-42EC6B3814C2}\InprocServer32@RuntimeVersion v1.1.4322

Reg HKLM\SOFTWARE\Classes\CLSID\{9AED5D30-9D2E-D167-C810-42EC6B3814C2}\InprocServer32\1.0.5000.0

Reg HKLM\SOFTWARE\Classes\CLSID\{9AED5D30-9D2E-D167-C810-42EC6B3814C2}\InprocServer32\1.0.5000.0@Class Microsoft.CLRAdmin.CCommandHistory

Reg HKLM\SOFTWARE\Classes\CLSID\{9AED5D30-9D2E-D167-C810-42EC6B3814C2}\InprocServer32\1.0.5000.0@Assembly mscorcfg, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a

Reg HKLM\SOFTWARE\Classes\CLSID\{9AED5D30-9D2E-D167-C810-42EC6B3814C2}\InprocServer32\1.0.5000.0@RuntimeVersion v1.1.4322

Reg HKLM\SOFTWARE\Classes\CLSID\{9AED5D30-9D2E-D167-C810-42EC6B3814C2}\ProgId@ Microsoft.CLRAdmin.CCommandHistory

Reg HKLM\SOFTWARE\Classes\CLSID\{A04522E5-8205-FF06-51DC-66F5B88D62BA}\InprocServer32@ C:\Program Files\Common Files\Microsoft Shared\DAO\dao360.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{A04522E5-8205-FF06-51DC-66F5B88D62BA}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{A04522E5-8205-FF06-51DC-66F5B88D62BA}\ProgID@ DAO.Relation.36

Reg HKLM\SOFTWARE\Classes\CLSID\{A3276B48-53CE-0999-D7C7-E343217A8D0C}\InProcServer32@ %SystemRoot%\system32\SHELL32.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{A3276B48-53CE-0999-D7C7-E343217A8D0C}\InProcServer32@ThreadingModel Free

Reg HKLM\SOFTWARE\Classes\CLSID\{B9A286B5-B92D-D63C-14B5-3825F6D657F0}\InprocServer32@ C:\Program Files\Common Files\System\ado\msado15.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{B9A286B5-B92D-D63C-14B5-3825F6D657F0}\InprocServer32@ThreadingModel Both

Reg HKLM\SOFTWARE\Classes\CLSID\{B9A286B5-B92D-D63C-14B5-3825F6D657F0}\ProgID@ ADODB.Command.2.7

Reg HKLM\SOFTWARE\Classes\CLSID\{B9A286B5-B92D-D63C-14B5-3825F6D657F0}\VersionIndependentProgID@ ADODB.Command

Reg HKLM\SOFTWARE\Classes\CLSID\{DA07BE83-B97B-BA2D-4FC8-30F1027AA7BE}\CLSID@ Standard Font

Reg HKLM\SOFTWARE\Classes\CLSID\{DA07BE83-B97B-BA2D-4FC8-30F1027AA7BE}\InprocServer32@ oleaut32.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{DA07BE83-B97B-BA2D-4FC8-30F1027AA7BE}\InprocServer32@ThreadingModel Both

Reg HKLM\SOFTWARE\Classes\CLSID\{DA07BE83-B97B-BA2D-4FC8-30F1027AA7BE}\InprocServer32@InprocServer32 @Gem2BdaJ?ES60)4^LTy>M5KDYSUnf(HA*L[xeX)y?HMaD8.R.E@h%^}&Ow}MS>M5KDYSUnf(HA*L[xeX)y?'wFBCL'aJA^v~hSk`-f-WordPerfect11>M5KDYSUnf(HA*L[xeX)y?jEQLu3YJb?]i)6&6ifvJMSRedist>M5KDYSUnf(HA*L[xeX)y?

Reg HKLM\SOFTWARE\Classes\CLSID\{DA07BE83-B97B-BA2D-4FC8-30F1027AA7BE}\ProgID@ StdFont

Reg HKLM\SOFTWARE\Classes\CLSID\{E553DAF6-FCA6-C8B7-70AE-3045F402CE4A}\InprocServer32@ C:\Program Files\Common Files\Microsoft Shared\DAO\DAO350.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{E553DAF6-FCA6-C8B7-70AE-3045F402CE4A}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{E553DAF6-FCA6-C8B7-70AE-3045F402CE4A}\ProgID@ DAO.QueryDef.35

Reg HKLM\SOFTWARE\Classes\CLSID\{EF41EF0C-281B-B63D-581F-B46DFA63498D}\InprocServer32@ C:\PROGRA~1\MICROS~2\Office\OUTLAS9.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{F2629F5A-D854-9380-83B2-7EA341879FAD}\InprocServer32@ C:\WINDOWS\system32\catsrvut.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{F2629F5A-D854-9380-83B2-7EA341879FAD}\InprocServer32@ThreadingModel Both

Reg HKLM\SOFTWARE\Classes\CLSID\{F2629F5A-D854-9380-83B2-7EA341879FAD}\ProgID@ AppExport.AppExport.1

Reg HKLM\SOFTWARE\Classes\CLSID\{F2629F5A-D854-9380-83B2-7EA341879FAD}\VersionIndependentProgID@ AppExport.AppExport

Reg HKLM\SOFTWARE\Classes\CLSID\{F49A1416-F382-CDFB-ED83-10138E9A8684}\AutoConvertTo@ {64818D11-4F9B-11CF-86EA-00AA00B929E8}

Reg HKLM\SOFTWARE\Classes\CLSID\{F49A1416-F382-CDFB-ED83-10138E9A8684}\Insertable@

Reg HKLM\SOFTWARE\Classes\CLSID\{F49A1416-F382-CDFB-ED83-10138E9A8684}\ProgID@ PowerPoint.Slide.4

Reg HKLM\SOFTWARE\Classes\CLSID\{F49A1416-F382-CDFB-ED83-10138E9A8684}\TreatAs@ {64818D11-4F9B-11CF-86EA-00AA00B929E8}

Reg HKLM\SOFTWARE\Classes\CLSID\{F5F197F4-92C8-E0D4-50F4-A8EEC0CCAA0C}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{F5F197F4-92C8-E0D4-50F4-A8EEC0CCAA0C}\InprocServer32@ C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVOpts.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{F5F197F4-92C8-E0D4-50F4-A8EEC0CCAA0C}\ProgID@ Symantec.Norton.Antivirus.Exclusion.1

Reg HKLM\SOFTWARE\Classes\CLSID\{F5F197F4-92C8-E0D4-50F4-A8EEC0CCAA0C}\TypeLib@ {D323F395-AA30-4DF9-A379-2F3F4819AB00}

Reg HKLM\SOFTWARE\Classes\CLSID\{F5F197F4-92C8-E0D4-50F4-A8EEC0CCAA0C}\VersionIndependentProgID@ Symantec.Norton.Antivirus.Exclusion

Reg HKLM\SOFTWARE\Classes\CLSID\{FB409A84-95E0-21B9-3E97-466E0AE1532D}\InprocServer32@ C:\Program Files\Common Files\System\ado\msado15.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{FB409A84-95E0-21B9-3E97-466E0AE1532D}\InprocServer32@ThreadingModel Both

Reg HKLM\SOFTWARE\Classes\CLSID\{FB409A84-95E0-21B9-3E97-466E0AE1532D}\ProgID@ ADODB.Command.2.7

Reg HKLM\SOFTWARE\Classes\CLSID\{FB409A84-95E0-21B9-3E97-466E0AE1532D}\VersionIndependentProgID@ ADODB.Command

Reg HKLM\SOFTWARE\Classes\CLSID\{FBD44B43-52CF-EDF3-2A14-9785820AB493}\InprocServer32@ C:\WINDOWS\system32\cewmdm.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{FBD44B43-52CF-EDF3-2A14-9785820AB493}\InprocServer32@ThreadingModel Free

Reg HKLM\SOFTWARE\Classes\CLSID\{FBD44B43-52CF-EDF3-2A14-9785820AB493}\ProgID@ WMDMCESP.WMDMCESP.1

Reg HKLM\SOFTWARE\Classes\CLSID\{FBD44B43-52CF-EDF3-2A14-9785820AB493}\VersionIndependentProgID@ WMDMCESP.WMDMCESP

Reg HKLM\SOFTWARE\Classes\CLSID\{FFBDEE52-ACBB-BF9B-8EA8-3563F6258696}\InprocServer32@ C:\WINDOWS\System32\nvcpl.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{FFBDEE52-ACBB-BF9B-8EA8-3563F6258696}\InprocServer32@ThreadingModel Apartment

---- EOF - GMER 1.0.15 ----

Previous scans:

Malwarebytes' Anti-Malware 1.37

Database version: 2265

Windows 5.1.2600 Service Pack 3

6/12/2009 7:59:26 AM

mbam-log-2009-06-12 (07-59-26).txt

Scan type: Full Scan (C:\|)

Objects scanned: 259333

Time elapsed: 50 minute(s), 42 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\winlogin.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.37

Database version: 2271

Windows 5.1.2600 Service Pack 3

6/12/2009 11:21:42 PM

mbam-log-2009-06-12 (23-21-42).txt

Scan type: Full Scan (C:\|)

Objects scanned: 250045

Time elapsed: 50 minute(s), 52 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\all users\application data\13724534\13724534.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\93734526\93734526.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.37

Database version: 2271

Windows 5.1.2600 Service Pack 3

6/13/2009 8:18:20 PM

mbam-log-2009-06-13 (20-18-20).txt

Scan type: Quick Scan

Objects scanned: 128852

Time elapsed: 16 minute(s), 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Avira AntiVir Personal

Report file date: Saturday, June 13, 2009 10:17

Scanning for 1464231 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 3) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : HOMEBASE

Version information:

BUILD.DAT : 9.0.0.403 17961 Bytes 6/3/2009 17:05:00

AVSCAN.EXE : 9.0.3.6 466689 Bytes 6/13/2009 17:03:08

AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 18:58:24

LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 19:35:49

LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 18:58:52

ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 20:30:36

ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 04:33:26

ANTIVIR2.VDF : 7.1.4.87 2982912 Bytes 6/12/2009 17:03:06

ANTIVIR3.VDF : 7.1.4.88 2048 Bytes 6/12/2009 17:03:06

Engineversion : 8.2.0.187

AEVDF.DLL : 8.1.1.1 106868 Bytes 6/13/2009 17:03:07

AESCRIPT.DLL : 8.1.2.6 409978 Bytes 6/13/2009 17:03:07

AESCN.DLL : 8.1.2.3 127347 Bytes 6/13/2009 17:03:07

AERDL.DLL : 8.1.1.3 438645 Bytes 10/30/2008 02:24:41

AEPACK.DLL : 8.1.3.18 401783 Bytes 6/13/2009 17:03:07

AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/27/2009 04:01:56

AEHEUR.DLL : 8.1.0.131 1786232 Bytes 6/13/2009 17:03:07

AEHELP.DLL : 8.1.3.6 205174 Bytes 6/13/2009 17:03:07

AEGEN.DLL : 8.1.1.45 348532 Bytes 6/13/2009 17:03:07

AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 22:32:40

AECORE.DLL : 8.1.6.12 180599 Bytes 6/13/2009 17:03:07

AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 22:32:40

AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 16:47:59

AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 18:32:15

AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 22:34:28

AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 18:32:09

AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 23:05:41

AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 18:37:08

SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 23:03:49

SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 16:21:33

NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 18:32:10

RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 6/13/2009 17:03:06

RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 18:19:48

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:, D:,

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Deviating risk categories...........: +APPL,+SPR,

Start of the scan: Saturday, June 13, 2009 10:17

Starting search for hidden objects.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETswrrjcbr\main

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETswrrjcbr\modules

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETswrrjcbr\start

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETswrrjcbr\type

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETswrrjcbr\group

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETswrrjcbr\imagepath

[INFO] The registry entry is invisible.

'8402' objects were checked, '6' hidden objects were found.

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'taskmgr.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'OPXPApp.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'avira_antivir_personal_en.exe' - '1' Module(s) have been scanned

Scan process 'iPodService.exe' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'msmsgs.exe' - '1' Module(s) have been scanned

Scan process 'McciTrayApp.exe' - '1' Module(s) have been scanned

Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned

Scan process 'realsched.exe' - '1' Module(s) have been scanned

Scan process 'hphmon05.exe' - '1' Module(s) have been scanned

Scan process 'kbd.exe' - '1' Module(s) have been scanned

Scan process 'HpqCmon.exe' - '1' Module(s) have been scanned

Scan process 'hpsysdrv.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'ViewMgr.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'SpySweeper.exe' - '1' Module(s) have been scanned

Scan process 'ViewpointService.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'hpzipm12.exe' - '1' Module(s) have been scanned

Scan process 'omniServ.exe' - '1' Module(s) have been scanned

Scan process 'McciCMService.exe' - '1' Module(s) have been scanned

Scan process 'dvpapi.exe' - '1' Module(s) have been scanned

Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned

Scan process 'bgsvcgen.exe' - '1' Module(s) have been scanned

Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

43 processes with 43 modules were scanned

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Master boot sector HD1

[INFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Boot sector 'D:\'

[INFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '68' files ).

Starting the file scan:

Begin scan in 'C:\' <HP_PAVILION>

C:\pagefile.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyBar.zip

[DETECTION] Contains suspicious code GEN/PwdZIP

C:\Documents and Settings\Mom\Local Settings\Temporary Internet Files\Content.IE5\PT8I6PXZ\index[1].htm

[DETECTION] Contains recognition pattern of the HTML/FakeAlert.njh HTML script virus

C:\Documents and Settings\Mom\Local Settings\Temporary Internet Files\Content.IE5\V1TDVQEX\bigpornotube_com[1].htm

[DETECTION] Contains HEUR/HTML.Malware suspicious code

C:\hp\bin\KillIt.exe

[DETECTION] Contains recognition pattern of the APPL/KillApp.A application

C:\hp\bin\KillWind.exe

[DETECTION] Contains recognition pattern of the APPL/KillApplicat.A application

C:\hp\bin\Terminator.exe

[DETECTION] Contains recognition pattern of the APPL/KillApplicat.A application

C:\Program Files\Oberon Media\Marble Blast\MarbleBlast.exe

[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan

C:\Program Files\Opera7\Plugins\npwthost.dll

[DETECTION] Contains recognition pattern of the SPR/WildTangent.B.1 program

Begin scan in 'D:\' <HP_RECOVERY>

Beginning disinfection:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyBar.zip

[DETECTION] Contains suspicious code GEN/PwdZIP

[NOTE] The detection was classified as suspicious.

[NOTE] The file was moved to '4a8b30d9.qua'!

C:\Documents and Settings\Mom\Local Settings\Temporary Internet Files\Content.IE5\PT8I6PXZ\index[1].htm

[DETECTION] Contains recognition pattern of the HTML/FakeAlert.njh HTML script virus

[NOTE] The file was moved to '4a9830cf.qua'!

C:\Documents and Settings\Mom\Local Settings\Temporary Internet Files\Content.IE5\V1TDVQEX\bigpornotube_com[1].htm

[DETECTION] Contains HEUR/HTML.Malware suspicious code

[NOTE] The detection was classified as suspicious.

[NOTE] The file was moved to '4a9b30ca.qua'!

C:\hp\bin\KillIt.exe

[DETECTION] Contains recognition pattern of the APPL/KillApp.A application

[NOTE] The file was moved to '4aa030ca.qua'!

C:\hp\bin\KillWind.exe

[DETECTION] Contains recognition pattern of the APPL/KillApplicat.A application

[NOTE] The file was moved to '58bd282b.qua'!

C:\hp\bin\Terminator.exe

[DETECTION] Contains recognition pattern of the APPL/KillApplicat.A application

[NOTE] The file was moved to '4aa630c6.qua'!

C:\Program Files\Oberon Media\Marble Blast\MarbleBlast.exe

[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan

[NOTE] The file was moved to '4aa630c3.qua'!

C:\Program Files\Opera7\Plugins\npwthost.dll

[DETECTION] Contains recognition pattern of the SPR/WildTangent.B.1 program

[NOTE] The file was moved to '4aab30d2.qua'!

End of the scan: Saturday, June 13, 2009 16:04

Used time: 1:46:07 Hour(s)

The scan has been done completely.

12718 Scanned directories

573449 Files were scanned

6 Viruses and/or unwanted programs were found

2 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

8 Files were moved to quarantine

0 Files were renamed

1 Files cannot be scanned

573440 Files not concerned

20539 Archives were scanned

1 Warnings

9 Notes

8402 Objects were scanned with rootkit scan

6 Hidden objects were found

:)


Hi

I've copied the partial report from gmer. As an afterthought, I am also copying the results of the scans that I had completed prior to contacting this forum. Maybe this will help in discerning the problems. Should I proceed to do the ROOTREPEAL scan? I will wait for your response. Thanks again!

No need to run RootRepeal. The Gmer log is a complete log, so I know what I'm dealing with now. You have a newish Rootkit on board:

Service C:\WINDOWS\system32\drivers\SKYNETxdqqoqom.sys (*** hidden *** ) [SYSTEM] SKYNETswrrjcbr <-- ROOTKIT !!!

Next steps should take care of it.

ComboFix

Download ComboFix from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links):

Link 1

Link 2

Link 3

**IMPORTANT !!! Save ComboFix.exe to your Desktop**

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Double click on ComboFix.exe & follow the prompts
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

Query_RC.gif

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

ComboFix SHOULD NOT be used unless requested by a forum helper

To post in next reply:

ComboFix log

Update on how the computer is running


Here you go. Computer is behaving very well. THANK YOU. Please advise if all clear.

ComboFix 09-06-15.05 - Owner 06/15/2009 19:31.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.19 [GMT -7:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Spy Sweeper with AntiVirus *On-access scanning disabled* (Updated) {B3891867-7230-459B-9987-E7CCFA7A7D1D}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\drivers\SKYNETxdqqoqom.sys

c:\windows\system32\SKYNETliltabdr.dll

c:\windows\system32\SKYNETrnygsifv.dat

c:\windows\system32\SKYNETtuhdpjwr.dll

c:\windows\system32\SKYNETvxbqmwwb.dat

c:\windows\IE4 Error Log.txt

c:\windows\system32\drivers\SKYNETxdqqoqom.sys

c:\windows\system32\iAlmcoin.dll

c:\windows\system32\SKYNETliltabdr.dll

c:\windows\system32\SKYNETrnygsifv.dat

c:\windows\system32\SKYNETtuhdpjwr.dll

c:\windows\system32\SKYNETvxbqmwwb.dat

c:\windows\system32\uuDgPqss.ini

D:\Autorun.inf

D:\Desktop.ini

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_SKYNETswrrjcbr

-------\Legacy_CLBDRIVER

((((((((((((((((((((((((( Files Created from 2009-05-16 to 2009-06-16 )))))))))))))))))))))))))))))))

.

2009-06-16 00:45 . 2009-06-16 00:46 984 ----a-w- c:\documents and settings\Owner\Application Data\Motive\Acme\plugin\maps\mmap.bat

2009-06-16 00:45 . 2009-06-16 00:46 413696 ----a-w- c:\documents and settings\Owner\Application Data\Motive\Acme\plugin\maps\resources\deusr\bin\motkt.dll

2009-06-16 00:45 . 2009-06-16 00:46 311296 ----a-w- c:\documents and settings\Owner\Application Data\Motive\Acme\plugin\maps\resources\deusr\bin\motivede.dll

2009-06-14 06:06 . 2009-06-14 06:06 -------- d-----w- c:\program files\ERUNT

2009-06-13 16:47 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-06-13 16:47 . 2009-03-24 23:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-06-13 16:47 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-06-13 16:47 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-06-13 16:47 . 2009-06-13 16:47 -------- d-----w- c:\program files\Avira

2009-06-13 16:47 . 2009-06-13 16:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-06-13 01:40 . 2009-06-13 01:40 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Webroot

2009-06-12 22:04 . 2009-06-13 06:21 -------- d-----w- c:\documents and settings\All Users\Application Data\93734526

2009-06-12 22:04 . 2009-06-13 06:21 -------- d-----w- c:\documents and settings\All Users\Application Data\13724534

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-06-13 06:59 . 2009-02-10 04:07 -------- d-----w- c:\program files\Common Files\Scanner

2009-06-05 06:02 . 2008-06-01 07:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-06-05 06:02 . 2008-06-15 03:49 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-05-29 07:54 . 2008-10-11 06:11 -------- d-----w- c:\program files\Moyea

2009-05-26 20:20 . 2008-08-27 16:57 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-05-26 20:19 . 2008-06-01 07:04 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-05-07 15:32 . 2006-07-15 16:08 345600 ----a-w- c:\windows\system32\localspl.dll

2009-04-29 04:56 . 2006-06-23 18:33 827392 ----a-w- c:\windows\system32\wininet.dll

2009-04-29 04:55 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-04-27 03:22 . 2009-02-10 04:04 -------- d-----w- c:\program files\Verizon

2009-04-19 16:49 . 2003-08-23 14:12 53568 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-04-17 12:26 . 2006-07-15 16:08 1847168 ----a-w- c:\windows\system32\win32k.sys

2009-04-15 14:51 . 2006-07-15 16:08 585216 ----a-w- c:\windows\system32\rpcrt4.dll

2005-08-01 04:25 . 2005-08-01 04:25 1691 ----a-w- c:\program files\ImageMixer VCD DVD2 for OLYMPUS 2.0.lnk

2004-03-27 23:26 . 2004-02-03 02:23 56 --sha-r- c:\windows\system32\96F0810076.sys

2008-05-26 00:03 . 2008-05-26 00:03 1417782 --sha-w- c:\windows\system32\ajkrtcao.tmp

2008-05-31 20:19 . 2008-05-31 20:19 1504336 --sha-w- c:\windows\system32\ycpqelpo.tmp

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VirtualExpanderFile.1]

@="{E4000AC4-5E5F-4956-807A-C5854405D64F}"

[HKEY_CLASSES_ROOT\CLSID\{E4000AC4-5E5F-4956-807A-C5854405D64F}]

2006-04-23 00:20 73728 ----a-w- c:\windows\system32\VirtualExpander\VEShellExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe" [2002-10-07 90112]

"HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-23 49152]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2009-01-30 1553920]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

mod_sm.lnk.disabled [2003-3-3 641]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk.disabled [2004-11-23 1736]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]

2003-02-21 10:50 40960 ----a-w- c:\program files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tyF73.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk

backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk

backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SideACT!.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SideACT!.lnk

backup=c:\windows\pss\SideACT!.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk

backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk

backup=c:\windows\pss\spamsubtract.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^VirtualExpander.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\VirtualExpander.lnk

backup=c:\windows\pss\VirtualExpander.lnkStartup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"ctfmon.exe"=c:\windows\system32\ctfmon.exe

"Evidence Eliminator"=c:\program files\Evidence Eliminator\ee.exe /m

"IEUpdate"=c:\windows\system32\ahuit.exe

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

"NVIEW"=rundll32.exe nview.dll,nViewLoadHook

"BackupNotify"="c:\program files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"UserFaultCheck"=%systemroot%\system32\dumprep 0 -u

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

"NvCplDaemon"=RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup

"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k

"IEUpdate"=c:\windows\system32\ahuit.exe

"IgfxTray"=c:\windows\system32\igfxtray.exe

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe"

"78d2b5e2"=rundll32.exe "c:\windows\system32\cujeewdj.dll",b

"BM7be1867e"=Rundll32.exe "c:\windows\system32\oruqqdea.dll",s

"HotKeysCmds"=c:\windows\system32\hkcmd.exe

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe"

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe"

"NSWosCheck"="c:\program files\Norton SystemWorks" Basic Edition\osCheck.exe

"osCheck"="c:\program files\Norton Internet Security\osCheck.exe"

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe"

"93734526"=c:\documents and settings\All Users\Application Data\93734526\93734526.exe

"13724534"=c:\documents and settings\All Users\Application Data\13724534\13724534.exe

"KBD"=c:\hp\KBD\KBD.EXE

"HPHmon05"=c:\windows\System32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\AIM\\aim.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/13/2009 9:47 AM 108289]

R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [4/27/2006 8:56 PM 3744]

R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [4/27/2006 8:56 PM 3904]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/16/2007 10:22 PM 24652]

S0 tyF73;tyF73;c:\windows\system32\Drivers\tyF73.sys --> c:\windows\system32\Drivers\tyF73.sys [?]

S2 mrtRate;mrtRate; [x]

.

Contents of the 'Scheduled Tasks' folder

2009-06-02 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 20:34]

2009-06-04 c:\windows\Tasks\wrSpySweeper_L56BE5A51941B4B4380CA04DA49F74016.job

- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-05-29 03:56]

2009-06-04 c:\windows\Tasks\wrSpySweeper_L56BE5A51941B4B4380CA04DA49F74016.job

- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-05-29 03:56]

2009-05-27 c:\windows\Tasks\wrSpySweeper_LC480A12D1CFB4B78B14DA6D5915F96D8.job

- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-05-29 03:56]

2009-05-27 c:\windows\Tasks\wrSpySweeper_LC480A12D1CFB4B78B14DA6D5915F96D8.job

- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-05-29 03:56]

2009-06-13 c:\windows\Tasks\wrSpySweeper_LD3C05A2BEF2C41BBB1E724849A929432.job

- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-05-29 03:56]

2009-06-13 c:\windows\Tasks\wrSpySweeper_LD3C05A2BEF2C41BBB1E724849A929432.job

- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-05-29 03:56]

.

- - - - ORPHANS REMOVED - - - -

BHO-{6E2ACE37-CF69-4DF0-AD17-C07A90DFB7F7} - (no file)

BHO-{D404CB63-461C-4797-8E18-F10BC5D6D824} - (no file)

Notify-rqRHaWQi - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://calbanktrust.com

uDefault_Search_URL = about:blank

mStart Page = hxxp://us9.hpwis.com/

mSearch Bar = hxxp://srch-us9.hpwis.com/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = localhost

IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html

IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

IE: &Viewpoint Search - c:\program files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML

IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html

IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html

Trusted Zone: alliedinsurance.com\www

Trusted Zone: frontbridge.com\spam

Trusted Zone: frontbridge.com\webmail

Trusted Zone: microsoft.com\*.update

Trusted Zone: windowsupdate.com\download

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab

DPF: vzTCPConfig - hxxps://www.verizon.net/WhatsNext/CheckMyPc/vzTCPConfig.CAB

DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - hxxp://supportcenter.adelphia.net/sdccommon/download/tgctlins.cab

DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} - hxxp://www.imgag.com/cp/install/AxCtp.cab

DPF: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D} - hxxp://free.aol.com/tryaolfree/cdt175/aolcdt175.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-06-15 19:58

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-326441947-1957948835-3910647482-1003\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)

c:\program files\Softex\OmniPass\opxpgina.dll

c:\windows\system32\WRLogonNTF.dll

- - - - - - - > 'explorer.exe'(240)

c:\windows\system32\VirtualExpander\VEShellExt.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\windows\system32\bgsvcgen.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\program files\Softex\OmniPass\omniServ.exe

c:\windows\system32\hpzipm12.exe

c:\program files\Webroot\Spy Sweeper\SpySweeper.exe

c:\program files\Softex\OmniPass\OPXPApp.exe

c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

c:\program files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-06-16 20:08 - machine was rebooted

ComboFix-quarantined-files.txt 2009-06-16 03:08

Pre-Run: 47,578,062,848 bytes free

Post-Run: 48,131,715,072 bytes free

269 --- E O F --- 2009-06-11 10:38

:)


Hi

ComboFix is showing that your Avira Antivir is out of date. Have you had problems updating it or just not bothered?

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

CFScript

Close any open browsers.

Open notepad and copy/paste the text in the code box below into it:

http://www.malwarebytes.org/forums/index.php?showtopic=17497
Collect::
c:\windows\system32\96F0810076.sys
c:\windows\system32\ajkrtcao.tmp
c:\windows\system32\ycpqelpo.tmp
c:\windows\system32\ahuit.exe
c:\windows\system32\cujeewdj.dll
c:\windows\system32\oruqqdea.dll
c:\documents and settings\All Users\Application Data\93734526\93734526.exe
c:\documents and settings\All Users\Application Data\13724534\13724534.exe
c:\windows\system32\Drivers\tyF73.sys
Driver::
tyF73
mrtRate
Folder::
c:\documents and settings\All Users\Application Data\93734526
c:\documents and settings\All Users\Application Data\13724534
Registry::
[-HKLM\SYSTEM\CurrentControlSet\Services\SKYNETswrrjcbr]
[-HKLM\SYSTEM\ControlSet004\Services\SKYNETswrrjcbr]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tyF73.sys]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"IEUpdate"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"UserFaultCheck"=-
"KernelFaultCheck"=-
"IEUpdate"=-
"78d2b5e2"=-
"BM7be1867e"=-
"93734526"=-
"13724534"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
DDS::
uDefault_Search_URL = about:blank
Trusted Zone: alliedinsurance.com\www
Trusted Zone: frontbridge.com\spam
Trusted Zone: frontbridge.com\webmail
Trusted Zone: microsoft.com\*.update
Trusted Zone: windowsupdate.com\download
DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} - hxxp://www.imgag.com/cp/install/AxCtp.cab

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

ComboFix SHOULD NOT be used unless requested by a forum helper

Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, & also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 14.

  • Download the latest version of Java Runtime Environment (JRE) 6 Here
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 14. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the Download button to the right
  • Select the Windows platform from the dropdown menu
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh
  • Click on the link to download Windows Offline Installation & save the file to your desktop
  • Close any programs you may have running - especially your web browser
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs & remove all older versions of Java
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java 6) in the name
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version
  • Reboot your computer once all Java components are removed
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel

Kaspersky Online Scan

Do an online scan with Kaspersky Online Scanner

  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
  • Please post this log in your next reply

To post in next reply:

ComboFix log

Kaspersky Scan log

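The helper's CFScript above was built by reading the Run-key entries in the ComboFix log and picking out the ones that do not belong. As an added example (not ComboFix's, Malwarebytes' or this thread's own code), the Python script below parses entries in the "Reg Loading Points" format the logs use, flags the patterns the helper singled out, and drafts the Registry:: stanza of a CFScript from the result. The sample log is a constructed subset of the lines in this thread; the heuristics (eight-character hex value names, a numeric folder under Application Data, rundll32 loading an eight-letter DLL from system32) are illustrative assumptions an analyst would tune, not any product's detection logic. IEUpdate is passed in by hand because nothing in its name or path looks abnormal on its own; it was chosen in the thread from the collected ahuit.exe.

```python
"""Triage ComboFix 'Reg Loading Points' Run entries and draft a CFScript Registry:: stanza.

Added example for this thread, not ComboFix, Malwarebytes or forum code. The
heuristics are illustrative assumptions, not a product's detection logic.
"""
import re
from collections import OrderedDict

# Constructed sample: a subset of the Run-key lines from the ComboFix logs in this thread.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"IEUpdate"=c:\windows\system32\ahuit.exe
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"UserFaultCheck"=%systemroot%\system32\dumprep 0 -u
"78d2b5e2"=rundll32.exe "c:\windows\system32\cujeewdj.dll",b
"BM7be1867e"=Rundll32.exe "c:\windows\system32\oruqqdea.dll",s
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe"
"93734526"=c:\documents and settings\All Users\Application Data\93734526\93734526.exe
"13724534"=c:\documents and settings\All Users\Application Data\13724534\13724534.exe
"KBD"=c:\hp\KBD\KBD.EXE
'''

KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...\run]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')              # "name"=command line
PATH_RE = re.compile(r'((?:[a-z]:|%[^%]+%)\\[^"]*?\.(?:exe|dll|sys))', re.I)

# Heuristics (assumptions for illustration): the patterns the thread's helper removed.
HEX_NAME_RE = re.compile(r"^(?:BM)?[0-9a-f]{8}$", re.I)
NUMERIC_APPDATA_RE = re.compile(r"\\application data\\\d+\\", re.I)
RUNDLL_RANDOM_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?[a-z]:\\windows\\system32\\[a-z]{8}\.dll', re.I)


def _target_path(command):
    """Pull the launched file out of a Run-value command line (first path-like token)."""
    m = PATH_RE.search(command)
    if m:
        return m.group(1)
    return command.strip().strip('"').split(" ")[0]


def parse_run_entries(text):
    """Return one dict per value under each [key] header: key, name, command, target."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, command = m.group(1), m.group(2)
            entries.append({"key": key, "name": name, "command": command,
                            "target": _target_path(command)})
    return entries


def suspicion_reasons(entry, analyst_names=frozenset()):
    """List why an entry looks suspicious; an empty list means nothing tripped."""
    reasons = []
    if HEX_NAME_RE.match(entry["name"]):
        reasons.append("value name is an eight-character hex string")
    if NUMERIC_APPDATA_RE.search(entry["target"]):
        reasons.append("target sits in a numeric folder under Application Data")
    if RUNDLL_RANDOM_RE.match(entry["command"]):
        reasons.append("rundll32 loads an eight-letter DLL from system32")
    if entry["name"] in analyst_names:
        reasons.append("selected by analyst")
    return reasons


def triage(entries, analyst_names=frozenset()):
    """Keep only entries with at least one reason, attaching the reasons."""
    flagged = []
    for entry in entries:
        reasons = suspicion_reasons(entry, analyst_names)
        if reasons:
            flagged.append(dict(entry, reasons=reasons))
    return flagged


def draft_registry_stanza(flagged):
    """Build the CFScript Registry:: stanza: each key header, then "name"=- per value to delete."""
    by_key = OrderedDict()
    for entry in flagged:
        by_key.setdefault(entry["key"], []).append(entry["name"])
    lines = ["Registry::"]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for name in names)
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(parse_run_entries(SAMPLE_LOG), analyst_names={"IEUpdate"})
    for entry in found:
        print(f'{entry["name"]:<12} {entry["target"]}')
        print("    " + "; ".join(entry["reasons"]))
    print()
    print(draft_registry_stanza(found))
```

Run against a full log rather than the sample, the script only drafts the stanza; an analyst still has to confirm each hit (the hex-name rule would also catch a legitimately odd vendor name) and add the File::, Folder:: and Driver:: sections by hand, as the helper did.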

I have attached the new combo fix log. I updated java per your instructions. When I try to download the Kaspersky scanner I get an error message about the Java applet failing to load and there is no action for a dl. It suggests to go online but where? In regards to Avira, when I downloaded this a few days ago it did an online update. I did a manual download and it fully updated now.

ComboFix 09-06-15.07 - Owner 06/16/2009 7:20.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.99 [GMT -7:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Spy Sweeper with AntiVirus *On-access scanning disabled* (Updated) {B3891867-7230-459B-9987-E7CCFA7A7D1D}

file zipped: c:\windows\system32\96F0810076.sys

file zipped: c:\windows\system32\ajkrtcao.tmp

file zipped: c:\windows\system32\ycpqelpo.tmp

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\13724534

c:\documents and settings\All Users\Application Data\93734526

c:\documents and settings\All Users\Application Data\13724534\13724534.glu

c:\documents and settings\All Users\Application Data\13724534\pc13724534cnf

c:\documents and settings\All Users\Application Data\13724534\pc13724534ins

c:\windows\system32\96F0810076.sys

c:\windows\system32\ajkrtcao.tmp

c:\windows\system32\ycpqelpo.tmp

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_MRTRATE

-------\Service_mrtRate

-------\Service_tyF73

((((((((((((((((((((((((( Files Created from 2009-05-16 to 2009-06-16 )))))))))))))))))))))))))))))))

.

2009-06-16 00:45 . 2009-06-16 00:46 984 ----a-w- c:\documents and settings\Owner\Application Data\Motive\Acme\plugin\maps\mmap.bat

2009-06-16 00:45 . 2009-06-16 00:46 413696 ----a-w- c:\documents and settings\Owner\Application Data\Motive\Acme\plugin\maps\resources\deusr\bin\motkt.dll

2009-06-16 00:45 . 2009-06-16 00:46 311296 ----a-w- c:\documents and settings\Owner\Application Data\Motive\Acme\plugin\maps\resources\deusr\bin\motivede.dll

2009-06-14 06:06 . 2009-06-14 06:06 -------- d-----w- c:\program files\ERUNT

2009-06-13 16:47 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-06-13 16:47 . 2009-03-24 23:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-06-13 16:47 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-06-13 16:47 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-06-13 16:47 . 2009-06-13 16:47 -------- d-----w- c:\program files\Avira

2009-06-13 16:47 . 2009-06-13 16:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-06-13 01:40 . 2009-06-13 01:40 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Webroot

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-06-13 06:59 . 2009-02-10 04:07 -------- d-----w- c:\program files\Common Files\Scanner

2009-06-05 06:02 . 2008-06-01 07:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-06-05 06:02 . 2008-06-15 03:49 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-05-29 07:54 . 2008-10-11 06:11 -------- d-----w- c:\program files\Moyea

2009-05-26 20:20 . 2008-08-27 16:57 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-05-26 20:19 . 2008-06-01 07:04 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-05-07 15:32 . 2006-07-15 16:08 345600 ----a-w- c:\windows\system32\localspl.dll

2009-04-29 04:56 . 2006-06-23 18:33 827392 ----a-w- c:\windows\system32\wininet.dll

2009-04-29 04:55 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-04-27 03:22 . 2009-02-10 04:04 -------- d-----w- c:\program files\Verizon

2009-04-19 16:49 . 2003-08-23 14:12 53568 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-04-17 12:26 . 2006-07-15 16:08 1847168 ----a-w- c:\windows\system32\win32k.sys

2009-04-15 14:51 . 2006-07-15 16:08 585216 ----a-w- c:\windows\system32\rpcrt4.dll

2005-08-01 04:25 . 2005-08-01 04:25 1691 ----a-w- c:\program files\ImageMixer VCD DVD2 for OLYMPUS 2.0.lnk

.

((((((((((((((((((((((((((((( SnapShot@2009-06-16_02.59.19 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-06-16 14:17 . 2009-06-16 14:17 389120 c:\windows\system32\CF26347.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VirtualExpanderFile.1]

@="{E4000AC4-5E5F-4956-807A-C5854405D64F}"

[HKEY_CLASSES_ROOT\CLSID\{E4000AC4-5E5F-4956-807A-C5854405D64F}]

2006-04-23 00:20 73728 ----a-w- c:\windows\system32\VirtualExpander\VEShellExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe" [2002-10-07 90112]

"HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-23 49152]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2009-01-30 1553920]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

mod_sm.lnk.disabled [2003-3-3 641]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk.disabled [2004-11-23 1736]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]

2003-02-21 10:50 40960 ----a-w- c:\program files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRHaWQi]

[BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk

backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk

backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SideACT!.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SideACT!.lnk

backup=c:\windows\pss\SideACT!.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk

backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk

backup=c:\windows\pss\spamsubtract.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^VirtualExpander.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\VirtualExpander.lnk

backup=c:\windows\pss\VirtualExpander.lnkStartup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"ctfmon.exe"=c:\windows\system32\ctfmon.exe

"Evidence Eliminator"=c:\program files\Evidence Eliminator\ee.exe /m

"IEUpdate"=c:\windows\system32\ahuit.exe

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

"NVIEW"=rundll32.exe nview.dll,nViewLoadHook

"BackupNotify"="c:\program files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"UserFaultCheck"=%systemroot%\system32\dumprep 0 -u

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

"NvCplDaemon"=RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup

"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k

"IEUpdate"=c:\windows\system32\ahuit.exe

"IgfxTray"=c:\windows\system32\igfxtray.exe

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe"

"78d2b5e2"=rundll32.exe "c:\windows\system32\cujeewdj.dll",b

"BM7be1867e"=Rundll32.exe "c:\windows\system32\oruqqdea.dll",s

"HotKeysCmds"=c:\windows\system32\hkcmd.exe

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe"

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe"

"NSWosCheck"="c:\program files\Norton SystemWorks" Basic Edition\osCheck.exe

"osCheck"="c:\program files\Norton Internet Security\osCheck.exe"

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe"

"93734526"=c:\documents and settings\All Users\Application Data\93734526\93734526.exe

"13724534"=c:\documents and settings\All Users\Application Data\13724534\13724534.exe

"KBD"=c:\hp\KBD\KBD.EXE

"HPHmon05"=c:\windows\System32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\AIM\\aim.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/13/2009 9:47 AM 108289]

R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [4/27/2006 8:56 PM 3744]

R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [4/27/2006 8:56 PM 3904]

.

Contents of the 'Scheduled Tasks' folder

2009-06-02 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 20:34]

.

- - - - ORPHANS REMOVED - - - -

BHO-{6E2ACE37-CF69-4DF0-AD17-C07A90DFB7F7} - (no file)

BHO-{D404CB63-461C-4797-8E18-F10BC5D6D824} - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://calbanktrust.com

mStart Page = hxxp://us9.hpwis.com/

mSearch Bar = hxxp://srch-us9.hpwis.com/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = localhost

IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html

IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

IE: &Viewpoint Search - c:\program files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML

IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html

IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab

DPF: vzTCPConfig - hxxps://www.verizon.net/WhatsNext/CheckMyPc/vzTCPConfig.CAB

DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - hxxp://supportcenter.adelphia.net/sdccommon/download/tgctlins.cab

DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} - hxxp://www.imgag.com/cp/install/AxCtp.cab

DPF: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D} - hxxp://free.aol.com/tryaolfree/cdt175/aolcdt175.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-06-16 07:33

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-326441947-1957948835-3910647482-1003\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)

c:\program files\Softex\OmniPass\opxpgina.dll

c:\windows\system32\WRLogonNTF.dll

- - - - - - - > 'explorer.exe'(5504)

c:\windows\system32\VirtualExpander\VEShellExt.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\windows\system32\bgsvcgen.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\program files\Softex\OmniPass\omniServ.exe

c:\windows\system32\hpzipm12.exe

c:\program files\Viewpoint\Common\ViewpointService.exe

c:\program files\Webroot\Spy Sweeper\SpySweeper.exe

c:\program files\Softex\OmniPass\OPXPApp.exe

c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

c:\windows\system32\CF26347.exe

c:\program files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe

c:\windows\system32\taskmgr.exe

.

**************************************************************************

.

Completion time: 2009-06-16 7:43 - machine was rebooted

ComboFix-quarantined-files.txt 2009-06-16 14:43

ComboFix2.txt 2009-06-16 03:08

Pre-Run: 48,110,297,088 bytes free

Post-Run: 48,100,691,968 bytes free

245 --- E O F --- 2009-06-11 10:38

Please advise as to how to get the Kaspersky downloaded. THX again..


Hi

In regards to Avira, when I downloaded this a few days ago it did an online update. I did a manual download and it fully updated now.
Good Stuff

CFScript

Close any open browsers.

Open notepad and copy/paste the text in the code box below into it:

KillAll::
File::
c:\windows\system32\CF26347.exe
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRHaWQi]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"IEUpdate"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"UserFaultCheck"=-
"KernelFaultCheck"=-
"IEUpdate"=-
"78d2b5e2"=-
"BM7be1867e"=-
"93734526"=-
"13724534"=-
DDS::
DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} - hxxp://www.imgag.com/cp/install/AxCtp.cab

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

ComboFix SHOULD NOT be used unless requested by a forum helper

Try this online scan if you're having problems with Kaspersky Online Scan:

ESET Online Scanner:

Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic

To post in next reply:

ComboFix log

ESET Online Scan log

Update on how the computer is running


Here you go. Eset worked, but took a while. I did not remove any of the files from Eset. Computer is working better...

ComboFix 09-06-16.01 - Owner 06/16/2009 17:15.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.113 [GMT -7:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Spy Sweeper with AntiVirus *On-access scanning disabled* (Updated) {B3891867-7230-459B-9987-E7CCFA7A7D1D}

FILE ::

"c:\windows\system32\CF26347.exe"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\CF26347.exe

.

((((((((((((((((((((((((( Files Created from 2009-05-17 to 2009-06-17 )))))))))))))))))))))))))))))))

.

2009-06-16 15:13 . 2009-06-16 15:13 410984 ----a-w- c:\windows\system32\deploytk.dll

2009-06-16 00:45 . 2009-06-16 00:46 984 ----a-w- c:\documents and settings\Owner\Application Data\Motive\Acme\plugin\maps\mmap.bat

2009-06-16 00:45 . 2009-06-16 00:46 413696 ----a-w- c:\documents and settings\Owner\Application Data\Motive\Acme\plugin\maps\resources\deusr\bin\motkt.dll

2009-06-16 00:45 . 2009-06-16 00:46 311296 ----a-w- c:\documents and settings\Owner\Application Data\Motive\Acme\plugin\maps\resources\deusr\bin\motivede.dll

2009-06-14 06:06 . 2009-06-14 06:06 -------- d-----w- c:\program files\ERUNT

2009-06-13 16:47 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-06-13 16:47 . 2009-03-24 23:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-06-13 16:47 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-06-13 16:47 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-06-13 16:47 . 2009-06-13 16:47 -------- d-----w- c:\program files\Avira

2009-06-13 16:47 . 2009-06-13 16:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-06-13 01:40 . 2009-06-13 01:40 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Webroot

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-06-16 15:13 . 2004-01-31 07:44 -------- d-----w- c:\program files\Java

2009-06-13 06:59 . 2009-02-10 04:07 -------- d-----w- c:\program files\Common Files\Scanner

2009-06-05 06:02 . 2008-06-01 07:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-06-05 06:02 . 2008-06-15 03:49 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-05-29 07:54 . 2008-10-11 06:11 -------- d-----w- c:\program files\Moyea

2009-05-26 20:20 . 2008-08-27 16:57 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-05-26 20:19 . 2008-06-01 07:04 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-05-07 15:32 . 2006-07-15 16:08 345600 ----a-w- c:\windows\system32\localspl.dll

2009-04-29 04:56 . 2006-06-23 18:33 827392 ----a-w- c:\windows\system32\wininet.dll

2009-04-29 04:55 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-04-27 03:22 . 2009-02-10 04:04 -------- d-----w- c:\program files\Verizon

2009-04-19 16:49 . 2003-08-23 14:12 53568 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-04-17 12:26 . 2006-07-15 16:08 1847168 ----a-w- c:\windows\system32\win32k.sys

2009-04-15 14:51 . 2006-07-15 16:08 585216 ----a-w- c:\windows\system32\rpcrt4.dll

2005-08-01 04:25 . 2005-08-01 04:25 1691 ----a-w- c:\program files\ImageMixer VCD DVD2 for OLYMPUS 2.0.lnk

.

((((((((((((((((((((((((((((( SnapShot@2009-06-16_02.59.19 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-06-17 00:26 . 2009-06-17 00:26 16384 c:\windows\temp\Perflib_Perfdata_6e0.dat

- 2003-08-23 12:55 . 2009-06-16 00:13 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2003-08-23 12:55 . 2009-06-16 18:31 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2003-08-23 12:55 . 2009-06-16 00:13 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2003-08-23 12:55 . 2009-06-16 18:31 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-06-16 15:13 . 2009-06-16 15:13 148888 c:\windows\system32\javaws.exe

+ 2009-06-16 15:13 . 2009-06-16 15:13 144792 c:\windows\system32\javaw.exe

+ 2009-06-16 15:13 . 2009-06-16 15:13 144792 c:\windows\system32\java.exe

+ 2009-06-17 00:13 . 2009-06-17 00:13 389120 c:\windows\system32\CF11993.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VirtualExpanderFile.1]

@="{E4000AC4-5E5F-4956-807A-C5854405D64F}"

[HKEY_CLASSES_ROOT\CLSID\{E4000AC4-5E5F-4956-807A-C5854405D64F}]

2006-04-23 00:20 73728 ----a-w- c:\windows\system32\VirtualExpander\VEShellExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe" [2002-10-07 90112]

"HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-23 49152]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2009-01-30 1553920]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-16 148888]

"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

mod_sm.lnk.disabled [2003-3-3 641]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk.disabled [2004-11-23 1736]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]

2003-02-21 10:50 40960 ----a-w- c:\program files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tyF73.sys]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk

backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk

backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SideACT!.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SideACT!.lnk

backup=c:\windows\pss\SideACT!.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk

backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk

backup=c:\windows\pss\spamsubtract.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^VirtualExpander.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\VirtualExpander.lnk

backup=c:\windows\pss\VirtualExpander.lnkStartup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"ctfmon.exe"=c:\windows\system32\ctfmon.exe

"Evidence Eliminator"=c:\program files\Evidence Eliminator\ee.exe /m

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

"NVIEW"=rundll32.exe nview.dll,nViewLoadHook

"BackupNotify"="c:\program files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

"NvCplDaemon"=RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup

"IgfxTray"=c:\windows\system32\igfxtray.exe

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe"

"HotKeysCmds"=c:\windows\system32\hkcmd.exe

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe"

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe"

"NSWosCheck"="c:\program files\Norton SystemWorks" Basic Edition\osCheck.exe

"osCheck"="c:\program files\Norton Internet Security\osCheck.exe"

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe"

"KBD"=c:\hp\KBD\KBD.EXE

"HPHmon05"=c:\windows\System32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\AIM\\aim.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [4/27/2006 8:56 PM 3744]

R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [4/27/2006 8:56 PM 3904]

.

Contents of the 'Scheduled Tasks' folder

2009-06-02 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 20:34]

.

- - - - ORPHANS REMOVED - - - -

BHO-{6E2ACE37-CF69-4DF0-AD17-C07A90DFB7F7} - (no file)

BHO-{D404CB63-461C-4797-8E18-F10BC5D6D824} - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://calbanktrust.com

mStart Page = hxxp://us9.hpwis.com/

mSearch Bar = hxxp://srch-us9.hpwis.com/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = localhost

IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html

IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

IE: &Viewpoint Search - c:\program files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML

IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html

IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab

DPF: vzTCPConfig - hxxps://www.verizon.net/WhatsNext/CheckMyPc/vzTCPConfig.CAB

DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - hxxp://supportcenter.adelphia.net/sdccommon/download/tgctlins.cab

DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} - hxxp://www.imgag.com/cp/install/AxCtp.cab

DPF: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D} - hxxp://free.aol.com/tryaolfree/cdt175/aolcdt175.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-06-16 17:27

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-326441947-1957948835-3910647482-1003\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)

c:\program files\Softex\OmniPass\opxpgina.dll

c:\windows\system32\WRLogonNTF.dll

- - - - - - - > 'explorer.exe'(2764)

c:\windows\system32\VirtualExpander\VEShellExt.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\sched.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\windows\system32\bgsvcgen.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\program files\Softex\OmniPass\omniServ.exe

c:\windows\system32\hpzipm12.exe

c:\program files\Viewpoint\Common\ViewpointService.exe

c:\program files\Webroot\Spy Sweeper\SpySweeper.exe

c:\program files\Softex\OmniPass\OPXPApp.exe

c:\windows\system32\CF11993.exe

c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

c:\windows\system32\wscntfy.exe

c:\program files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\taskmgr.exe

.

**************************************************************************

.

Completion time: 2009-06-17 17:44 - machine was rebooted

ComboFix-quarantined-files.txt 2009-06-17 00:44

ComboFix2.txt 2009-06-16 14:43

ComboFix3.txt 2009-06-16 03:08

Pre-Run: 48,226,770,944 bytes free

Post-Run: 48,296,103,936 bytes free

240 --- E O F --- 2009-06-11 10:38

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=6

# iexplore.exe=7.00.6000.16850 (vista_gdr.090423-0018)

# OnlineScanner.ocx=1.0.0.5863

# api_version=3.0.2

# EOSSerial=2aabe6b737edab43a35e39d82a09fccd

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2009-06-17 03:05:27

# local_time=2009-06-16 08:05:27 (-0800, Pacific Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1797 37 100 100 308462187500

# scanned=124236

# found=8

# cleaned=0

# scan_time=7640

C:\Documents and Settings\Mom\Local Settings\Application Data\Identities\{079470BD-0D1E-4703-9CBB-F232AE85514B}\Microsoft\Outlook Express\Inbox.dbx multiple threats 00000000000000000000000000000000

C:\Documents and Settings\Owner\Application Data\Opera\Opera8\mail\store\account2\2007-02.mbs Win32/Nuwar.gen worm 00000000000000000000000000000000

C:\Documents and Settings\Owner\My Documents\XPMedic_Setup.zip probably unknown NewHeur_PE virus 00000000000000000000000000000000

C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application 00000000000000000000000000000000

C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe probably a variant of Win32/Agent trojan 00000000000000000000000000000000

C:\Qoobox\Quarantine\[4]-Submit_2009-06-16_07.19.34.zip Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000

C:\Qoobox\Quarantine\C\WINDOWS\system32\uuDgPqss.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP99\A0019311.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000

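The ESET log above reports found=8 and cleaned=0 because "Remove found threats" was deliberately left unticked. As an added example (not part of this thread and not ESET's own code), the script below parses such a log and sorts each finding into the three buckets a helper reads it by: items already sitting in ComboFix's Qoobox quarantine or in an old System Restore point, whole mailbox files (.dbx/.mbs) where only the infected messages need removing, and live files that still need action. The line format is inferred from the posted log; the rule used to split the path from the threat description (it starts at "Win32/", "probably " or "multiple threats") and the disposition policy are assumptions, and the embedded log is a constructed copy of the one posted.

```python
"""Parse an ESET Online Scanner log and triage its findings (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: a copy of the ESET log posted in this thread.
SAMPLE_LOG = r"""
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# end=finished
# remove_checked=false
# archives_checked=true
# scanned=124236
# found=8
# cleaned=0
C:\Documents and Settings\Mom\Local Settings\Application Data\Identities\{079470BD-0D1E-4703-9CBB-F232AE85514B}\Microsoft\Outlook Express\Inbox.dbx multiple threats 00000000000000000000000000000000
C:\Documents and Settings\Owner\Application Data\Opera\Opera8\mail\store\account2\2007-02.mbs Win32/Nuwar.gen worm 00000000000000000000000000000000
C:\Documents and Settings\Owner\My Documents\XPMedic_Setup.zip probably unknown NewHeur_PE virus 00000000000000000000000000000000
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application 00000000000000000000000000000000
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe probably a variant of Win32/Agent trojan 00000000000000000000000000000000
C:\Qoobox\Quarantine\[4]-Submit_2009-06-16_07.19.34.zip Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\uuDgPqss.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP99\A0019311.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
"""

HEADER_RE = re.compile(r"^# (?P<key>[^=]+)=(?P<value>.*)$")
# Assumption: the threat description begins at one of these markers, and the
# line ends with a 32-hex-digit digest. Paths may contain spaces, so the path
# group is non-greedy and stops at the first marker.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<threat>(?:Win32/|probably |multiple threats).*?) "
    r"(?P<digest>[0-9A-Fa-f]{32})$"
)

# Assumed triage policy (not ESET's): these locations hold no running code.
CONTAINED_PREFIXES = (r"c:\qoobox\quarantine", r"c:\system volume information\_restore")
# Outlook Express and Opera mailbox containers seen in the posted log.
MAIL_STORE_EXT = (".dbx", ".mbs")


@dataclass
class Detection:
    path: str
    threat: str
    digest: str
    disposition: str  # "contained", "mail-store" or "live"


def classify(path: str) -> str:
    """Map a detected path to the action it implies for the operator."""
    low = path.lower()
    if low.startswith(CONTAINED_PREFIXES):
        # Already quarantined by ComboFix or frozen in a restore point; purge
        # so later scans stop reporting it, but nothing is executing from here.
        return "contained"
    if low.endswith(MAIL_STORE_EXT):
        # Whole mailbox file: delete the infected messages, not the store.
        return "mail-store"
    return "live"


def parse_detection(line: str):
    """Return a Detection for one result line, or None if it is not one."""
    m = DETECTION_RE.match(line.strip())
    if not m:
        return None
    return Detection(m["path"], m["threat"], m["digest"], classify(m["path"]))


def parse_log(text: str):
    """Split the log into its '# key=value' header and its detection lines."""
    header, detections = {}, []
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            header[h["key"]] = h["value"]
            continue
        d = parse_detection(line)
        if d:
            detections.append(d)
    return header, detections


def summarize(text: str) -> dict:
    """Counts a helper wants at a glance, plus a header/detection consistency check."""
    header, detections = parse_log(text)
    by_disposition = {}
    for d in detections:
        by_disposition[d.disposition] = by_disposition.get(d.disposition, 0) + 1
    return {
        "found": int(header.get("found", 0)),
        "cleaned": int(header.get("cleaned", 0)),
        "remove_checked": header.get("remove_checked") == "true",
        "parsed": len(detections),
        "by_disposition": by_disposition,
    }


if __name__ == "__main__":
    for d in parse_log(SAMPLE_LOG)[1]:
        print(f"{d.disposition:10} {d.threat:40} {d.path}")
    print(summarize(SAMPLE_LOG))
```

On the posted log this yields three live files, two mail stores and three contained items, and "parsed" equals the header's "found", which is the first thing to check before acting on a log that may have been truncated when pasted.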

Hi

Looks like you have infected emails in Outlook Express & Opera8. Unfortunately the Eset scan doesn't show what emails are infected. My suggestion would be to delete all email keeping only what is important.

OTM

Download OTM by OldTimer Here & save it to your desktop.

  • Double click on OTM.exe to run it
  • Copy & paste the contents of the Code box below into Paste Instructions for Items to be Moved

Note: Do not type it out to minimize the risk of typo error

:Processes
c:\windows\system32\CF11993.exe
:Files
c:\windows\system32\CF11993.exe
C:\Program Files\AIM\Sysfiles\WxBug.EXE
:Reg
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tyF73.sys]
:Commands
[Purity]
[EmptyTemp]
[Reboot]
  • Click on MoveIt!
  • When done, click on Exit

Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Choose Yes.

A log will be produced at C:\_OTM\MovedFiles\date_time.log, where date_time are numbers. Post this log in your next reply.

How's everything running?


Hi

I deleted the email that was unimportant. I noticed Opera files in my logs. I deleted via Add/remove programs all Opera from my computer over a year ago. Do some files still hang around?

Here is the log

========== PROCESSES ==========

Unable to kill process: c:\windows\system32\CF11993.exe

========== FILES ==========

c:\windows\system32\CF11993.exe moved successfully.

C:\Program Files\AIM\Sysfiles\WxBug.EXE moved successfully.

========== REGISTRY ==========

Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tyF73.sys\\ deleted successfully.

========== COMMANDS ==========

User's Temp folder emptied.

User's Internet Explorer cache folder emptied.

File delete failed. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

User's Temporary Internet Files folder emptied.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.

Local Service Temp folder emptied.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

Local Service Temporary Internet Files folder emptied.

Network Service Temp folder emptied.

File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

Network Service Temporary Internet Files folder emptied.

File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_6e0.dat scheduled to be deleted on reboot.

Windows Temp folder emptied.

Java cache emptied.

Temp folders emptied.

OTM by OldTimer - Version 2.1.0.1 log created on 06172009_075525

Files moved on Reboot...

File C:\WINDOWS\temp\Perflib_Perfdata_6e0.dat not found!

Registry entries deleted on Reboot...

Computer is working fine..


I wanted to thank you for all of your help and donating your valuable time. My computer seems to be working well and I will download some of the programs you recommended. I do have SPYBOT which has a hosts file, I just do not know if the other programs will cause a conflict with it. :)


Hi

If you're happy with Spybot's Host File then stick with it. Mine were only recommendations... up to you whether you'd like to use them or not.

Good to hear your pc is doing well... Good Luck & Safe Surfing :)
