
Can't get rid of trojan.vundo.h



I have my infected computer offline with logs to post and am using another computer to make this post. Is there a way to safely transfer my logs from the infected computer to this computer to post them, or is it better to post directly from the infected computer? I'm new at this and I'm not sure of what's the best way to do this if I have a second computer available. I'm sorry if this is a stupid question. If it's best to post directly from the infected computer, I will do as instructed. Thank you for your help.


Hello humblyyours

Welcome to Malwarebytes.

=====================

You can burn the files to a CD to minimize transferring an infection from the infected computer to your working one.

What logs do you have?

Hello kahdah,

Thank you for your reply and I will do as instructed. Please close my earlier post, time stamped Feb 24 2010, 05:09 PM. I was concerned the post confused a number of issues, but I didn't know how to recall it. I added the post to which you responded, because it more simply addressed my initial question about how to best post logs. Sorry for the confusion.

I have the following logs listed in your posting instructions: MBAM, defogger_disable, and DDS (2). Please note that I also have HJT logs. I have not been able to obtain a GMER log because the computer keeps crashing ("The system has recovered from serious error"). The GMER scan runs for over 8-9 hours before crashing (about 160GB on system drive c:). The CPU runs at 100% because Norton 360 (ccSvcHst.exe) takes up 90% (task manager takes 0-1%). Norton 360 notes that it is blocking Trojan.Vundo, but removal failed. I don't touch the computer while the scan is running, except to shake the mouse to wake up the monitor to check on status. Should I stop Norton 360 to run GMER scan? I'm running another scan now with Norton 360 on.

For your information, I provided the following information in my earlier post (please note that I put DeFogger, DDS and GMER on infected computer via CD).

"I have a Windows XP computer with a problem I have not been able to permanently remove. I keep Norton 360 and Microsoft Update up to date. Norton 360 reports Trojan.Vundo is removed or blocked, but it keeps coming back. In summary, I did the following to try to remove the trojan permanently.


Hello kahdah,

The GMER scan crashed again. Should I try again with Norton 360 disabled?

Here is my MBAM log.

*******

Malwarebytes' Anti-Malware 1.44

Database version: 3782

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

2/26/2010 12:43:12 PM

mbam-log-2010-02-26 (12-43-12).txt

Scan type: Quick Scan

Objects scanned: 141258

Time elapsed: 12 minute(s), 15 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 6

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\ljgsqkp.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ca8748e5-e981-4e07-8c68-e2405b4c31b9} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vlpwyjhy (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{ca8748e5-e981-4e07-8c68-e2405b4c31b9} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yrxbbisg (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ca8748e5-e981-4e07-8c68-e2405b4c31b9} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{ca8748e5-e981-4e07-8c68-e2405b4c31b9} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\ljgsqkp.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\gvegpjh.dll (Trojan.Vundo.H) -> Delete on reboot.

******

Here is my DDS log.

*******

DDS (Ver_09-12-01.01) - NTFSx86

Run by HP_Administrator at 13:49:14.35 on Thu 02/25/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2363 [GMT -8:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Java\jre6\bin\jqs.exe

c:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\NDAS\System\ndassvc.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

C:\WINDOWS\ehome\mcrdsvc.exe

C:\Program Files\Windows Media Player\WMPNetwk.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe

C:\WINDOWS\ehome\ehtray.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\hphmon06.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe

C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe

C:\Program Files\Common Files\Hewlett-Packard\HP Device Communication Services\Appinterfaces\HPDeviceService.exe

C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

C:\Program Files\Common Files\Hewlett-Packard\HP Device Communication Services\AppInterfaces\HPDeviceHost.exe

C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\ALCWZRD.EXE

C:\WINDOWS\ALCMTR.EXE

C:\Program Files\Hewlett-Packard\HP Easy Printer Care\HPPRun.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe

C:\Program Files\NDAS\System\ndasmgmt.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\SpywareBlaster\spywareblaster.exe

C:\Program Files\SpywareBlaster\spywareblaster.exe

C:\WINDOWS\system32\rundll32.exe

C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop

uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop

uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop

uInternet Connection Wizard,ShellNext = iexplore

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

mWinlogon: Userinit=c:\windows\system32\userinit.exe

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.0.0.135\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.0.0.135\IPSBHO.DLL

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll

BHO: : {ca8748e5-e981-4e07-8c68-e2405b4c31b9} - c:\windows\system32\ljgsqkp.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.0.0.135\coIEPlg.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [TivoTransfer] "c:\program files\common files\tivo shared\transfer\TivoTransfer.exe" /auto:TivoTransfer /registry /service

uRun: [TivoServer] "c:\program files\tivo\desktop\TiVoServer.exe" /registry /service

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe

mRun: [HPHmon06] c:\windows\system32\hphmon06.exe

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [iTunesHelper] c:\program files\itunes\iTunesHelper.exe

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [AGRSMMSG] AGRSMMSG.exe

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"

mRun: [KBD] c:\hp\kbd\KBD.EXE

mRun: [RoxioDragToDisc] "c:\program files\roxio\easy media creator 8\drag to disc\DrgToDsc.exe"

mRun: [<NO NAME>]

mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\sharedcom8\RoxWatchTray.exe"

mRun: [KnexStarter] c:\program files\common files\hewlett-packard\hp device communication services\appinterfaces\HPDeviceService.exe

mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimage\TrueImageMonitor.exe

mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"

mRun: [soundMan] SOUNDMAN.EXE

mRun: [AlcWzrd] ALCWZRD.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [RunTasktray] "c:\program files\hewlett-packard\hp easy printer care\hpprun.exe" --regkeypath=software\hewlett-packard\hp easy printer care\HPPRun --valuename=InstallTTM

mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [ccApp] -

StartupFolder: c:\documents and settings\hp_administrator\start menu\programs\startup\PowerReg Scheduler.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ndasde~1.lnk - c:\program files\ndas\system\ndasmgmt.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\spywar~2.lnk - c:\program files\spywareblaster\spywareblaster.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\309731\program\Updates from HP.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: amgentourofcalifornia.com

Trusted Zone: aol.com

Trusted Zone: circuitcity.com

Trusted Zone: cmtsj.org

Trusted Zone: forbes.com

Trusted Zone: hp.com

Trusted Zone: microsoft.com

Trusted Zone: nbcolympics.com

Trusted Zone: netscape.com

Trusted Zone: sonic.com

Trusted Zone: symantec.com

Trusted Zone: hp.com

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab

DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} - hxxp://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=48835

DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/LSSupCtl.cab

DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} - hxxp://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab

DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} - hxxps://support.microsoft.com/OAS/ActiveX/odc.cab

DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB

DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab

DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} - hxxp://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab

DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105337377093

DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181779992140

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab

DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} - hxxp://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab

DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} - hxxp://www.imgag.com/cp/install/AxCtp2.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxp://www.symantec.com/techsupp/asa/SymAData.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E7D2588A-7FB5-47DC-8830-832605661009} - hxxp://liveca04.rightnowtech.com/7020-b369h/rnl/java/RntX.cab

DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326

TCP: {1CAA8A56-CB26-44E8-B457-58A5E3B2C9AC} = 192.168.1.1

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Handler: HPDCS - {ba135f49-a12c-4e26-a2c4-6ea945999072} - c:\program files\common files\hewlett-packard\hp device communication services\app\hpdcsapp.dll

Handler: hppfile - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - c:\program files\hewlett-packard\hp easy printer care\HPPCtrls.dll

Handler: hppsam - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - c:\program files\hewlett-packard\hp easy printer care\HPPCtrls.dll

Handler: hppzip - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - c:\program files\hewlett-packard\hp easy printer care\HPPCtrls.dll

Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.0.0.135\CoIEPlg.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: igfxcui - igfxsrvc.dll

Notify: vlpwyjhy - ljgsqkp.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

Hosts: 127.0.0.1 www.spywareinfo.com

Hosts: 192.168.1.102 HP000D9D0E3A76

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\95zwpo9c.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll

FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll

FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 adxzmpfc;adxzmpfc;c:\windows\system32\drivers\adxzmpfc.sys [2004-11-26 23424]

R0 lfsfilt;Lean File Sharing;c:\windows\system32\drivers\lfsfilt.sys [2007-1-3 140160]

R0 lpx;LPX Protocol;c:\windows\system32\drivers\lpx.sys [2006-3-20 44288]

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-7-18 28544]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0300000.087\SymEFA.sys [2010-2-21 310320]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0300000.087\BHDrvx86.sys [2010-2-21 258608]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0300000.087\cchpx86.sys [2010-2-21 482352]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R2 N360;Norton 360;c:\program files\norton 360\engine\3.0.0.135\ccSvcHst.exe [2010-2-22 115560]

R2 TivoBeacon2;TiVo Beacon;c:\program files\common files\tivo shared\beacon\TiVoBeacon.exe [2005-8-4 848896]

R2 yrxbbisg;CD-ROM Helper;c:\windows\system32\svchost.exe -k netsvcs [2004-11-26 14336]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-23 102448]

R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100223.033\NAVENG.SYS [2010-2-23 84912]

R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100223.033\NAVEX15.SYS [2010-2-23 1324720]

R3 ndasbus;NDAS Bus Driver;c:\windows\system32\drivers\ndasbus.sys [2006-3-20 59136]

S1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100218.001\IDSXpx86.sys [2010-2-23 329592]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-23 135664]

S3 ndasscsi;NDAS SCSI Miniport Driver;c:\windows\system32\drivers\ndasscsi.sys [2006-3-20 115584]

=============== Created Last 30 ================

2010-02-25 21:07:10 0 ----a-w- c:\documents and settings\hp_administrator\defogger_reenable

2010-02-24 07:06:43 0 d-sh--w- c:\documents and settings\hp_administrator\IECompatCache

2010-02-24 04:02:59 39102 ----a-w- c:\windows\system32\unknown_mini_3A31F086919C4C48BB8956E198560057.7z

2010-02-23 23:32:08 0 d-----w- c:\program files\Trend Micro

2010-02-23 20:18:23 0 d-----w- c:\docume~1\hp_adm~1\applic~1\Malwarebytes

2010-02-23 20:18:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-23 20:18:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-02-23 20:18:10 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-23 20:18:10 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-22 21:55:27 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys

2010-02-22 21:55:21 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2010-02-22 21:55:21 7386 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2010-02-22 21:55:21 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2010-02-22 21:55:21 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2010-02-22 21:54:52 0 d-----w- c:\program files\Norton 360

2010-02-22 21:51:50 0 d-----w- c:\program files\NortonInstaller

2010-02-22 19:41:17 0 d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)

2010-02-22 19:41:17 0 d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)

2010-02-22 19:41:17 0 d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)

2010-02-22 19:41:16 0 d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)

2010-02-22 10:01:24 48971 ----a-w- c:\windows\system32\unknown_mini_80E929BBD4BB45E79E675DB4B76E7753.7z

2010-02-22 08:51:26 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-02-22 08:51:26 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2010-02-22 08:50:35 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

2010-02-22 08:48:30 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll

2010-02-22 08:48:29 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll

2010-02-22 08:45:32 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

2010-02-22 08:43:37 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

2010-02-22 08:43:34 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx

2010-02-21 23:42:42 0 d-----w- c:\docume~1\alluse~1\applic~1\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}

2010-02-21 23:42:19 0 d-----w- c:\program files\Symantec

2010-02-21 23:41:05 0 d-----w- c:\windows\system32\drivers\N360

2010-02-21 23:22:29 0 d-----w- c:\docume~1\alluse~1\applic~1\PCSettings

2010-02-21 23:22:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton

2010-02-21 23:20:14 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller

==================== Find3M ====================

2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll

2009-12-18 01:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-08 19:26:15 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43:51 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe

2005-08-29 21:59:31 251 ----a-w- c:\program files\wt3d.ini

2005-09-03 03:06:12 0 --sha-w- c:\windows\sminst\HPCD.sys

2009-05-24 16:20:08 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

2008-09-15 03:44:29 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091420080915\index.dat

============= FINISH: 13:50:54.28 ===============

Here is my defogger_disable log.

********

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 13:07 on 25/02/2010 (HP_Administrator)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

********

I'm sorry, but I couldn't zip the attach.txt file. I got a "cannot create output file" error.

The old bad files found by Norton 360 were {0135BF2C-3EBD-49AB-827F-AD085F6FAD49}, c:\windows\system32\rxaghdss.dll.

Please let me know what you would like me to do next. Sorry if I have missed anything.

Thank you again for your help.

Attach.txt

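The helper's next step with the two logs above is to cross-check them: MBAM marked several Trojan.Vundo.H artifacts "Delete on reboot", and the DDS report shows where the same file, CLSID, Winlogon Notify name and service are registered. The script below is an added example (not code from this thread, Malwarebytes or DDS) that does this correlation over constructed excerpts of the two logs posted above; note that the DDS log was taken on 02/25 and the MBAM log on 02/26, so a hit means "present when DDS ran", not "survived the reboot".

```python
import re

# Constructed excerpt of the MBAM log posted in this thread (trimmed to the
# detection lines; the real log has more sections).
MBAM_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\system32\ljgsqkp.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ca8748e5-e981-4e07-8c68-e2405b4c31b9} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vlpwyjhy (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yrxbbisg (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\gvegpjh.dll (Trojan.Vundo.H) -> Delete on reboot.
"""

# Constructed excerpt of the DDS "Pseudo HJT Report" and services section
# posted in this thread, with two benign lines kept for contrast.
DDS_REPORT = r"""
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.0.0.135\coIEPlg.dll
BHO: : {ca8748e5-e981-4e07-8c68-e2405b4c31b9} - c:\windows\system32\ljgsqkp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: vlpwyjhy - ljgsqkp.dll
R2 N360;Norton 360;c:\program files\norton 360\engine\3.0.0.135\ccSvcHst.exe [2010-2-22 115560]
R2 yrxbbisg;CD-ROM Helper;c:\windows\system32\svchost.exe -k netsvcs [2004-11-26 14336]
"""

# One MBAM detection line: "<path> (<family>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
# A DDS BHO entry with an empty display name: "BHO: : {clsid} - <dll>"
NAMELESS_BHO_RE = re.compile(r"^BHO: : \{[0-9a-fA-F-]+\} - (?P<dll>.+)$")


def parse_mbam(text):
    """Return one dict per MBAM detection line.

    'token' is the last path component (a file name, a CLSID or a
    registry key name), which is what the DDS report will show if the
    artifact is still registered.  'pending' marks items MBAM could not
    remove immediately ("Delete on reboot").
    """
    detections = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue  # section headers and "(No malicious items detected)"
        item = m.group("item")
        detections.append({
            "item": item,
            "token": item.rsplit("\\", 1)[-1].lower(),
            "family": m.group("family"),
            "action": m.group("action"),
            "pending": m.group("action").lower().startswith("delete on reboot"),
        })
    return detections


def correlate(detections, dds_text):
    """Map each detection token to the DDS lines that mention it."""
    lines = [ln.strip() for ln in dds_text.splitlines() if ln.strip()]
    return {d["token"]: [ln for ln in lines if d["token"] in ln.lower()]
            for d in detections}


def nameless_bhos(dds_text):
    """DLLs loaded by BHO entries that DDS could not name.

    A legitimate BHO normally has a display name registered under its
    CLSID; a blank name plus a DLL in system32 is worth a closer look.
    """
    return [m.group("dll") for ln in dds_text.splitlines()
            for m in [NAMELESS_BHO_RE.match(ln.strip())] if m]


def triage(mbam_text, dds_text):
    """Join both logs: which MBAM hits does the DDS report also show?"""
    detections = parse_mbam(mbam_text)
    hits = correlate(detections, dds_text)
    return [{"token": d["token"], "action": d["action"],
             "pending": d["pending"], "hits": hits[d["token"]]}
            for d in detections]


if __name__ == "__main__":
    for row in triage(MBAM_LOG, DDS_REPORT):
        state = "PENDING" if row["pending"] else "removed"
        print(f"{row['token']:<40} {state:<8} seen in DDS: {len(row['hits'])}")
        for ln in row["hits"]:
            print("    ", ln)
    print("Nameless BHOs:", nameless_bhos(DDS_REPORT))
```

Run against the full logs, the same functions show that the nameless BHO, the Winlogon Notify entry and the "CD-ROM Helper" service all point back at the one DLL MBAM could only schedule for deletion.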

During this leave the computer online so it can install the Recovery Console.

After Combofix completes you can keep the computer online to post the logs.

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Hello kahdah,

Thank you for your post. Here is my ComboFix.txt as you requested.

*********

ComboFix 10-02-27.04 - HP_Administrator 02/27/2010 12:47:36.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2363 [GMT -8:00]

Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe

AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll

c:\documents and settings\HP_Administrator\Local Settings\Temp\IadHide5.dll

c:\recycler\NPROTECT

c:\recycler\S-1-5-21-453580023-1531494662-276917186-500

c:\windows\system32\drivers\adxzmpfc.sys

c:\windows\system32\drivers\fjjumtvm.sys

c:\windows\system32\gvegpjh.dll

c:\windows\system32\inf

c:\windows\system32\inf\hpqps2kb.inf

c:\windows\system32\ljgsqkp.dll

c:\windows\system32\ps2.bat

c:\windows\system32\rxaghdss.dll

c:\windows\system32\SIntf16.dll

c:\windows\system32\Vbshell.tlb

c:\windows\Tasks\At1.job

D:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ADXZMPFC

-------\Legacy_YRXBBISG

-------\Service_adxzmpfc

-------\Service_yrxbbisg

((((((((((((((((((((((((( Files Created from 2010-01-27 to 2010-02-27 )))))))))))))))))))))))))))))))

.

2010-02-24 07:06 . 2010-02-24 07:06 -------- d-sh--w- c:\documents and settings\HP_Administrator\IECompatCache

2010-02-23 23:55 . 2010-02-23 23:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2010-02-23 23:50 . 2010-02-23 23:50 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2010-02-23 23:32 . 2010-02-23 23:32 -------- d-----w- c:\program files\Trend Micro

2010-02-23 22:28 . 2010-02-23 22:41 -------- d-----w- c:\documents and settings\TEMP

2010-02-23 20:18 . 2010-02-23 20:18 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes

2010-02-23 20:18 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-23 20:18 . 2010-02-23 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-02-23 20:18 . 2010-02-23 20:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-23 20:18 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-22 21:55 . 2010-02-22 21:55 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys

2010-02-22 21:55 . 2010-02-22 21:55 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2010-02-22 21:55 . 2010-02-22 21:55 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2010-02-22 21:54 . 2010-02-22 21:55 -------- d-----w- c:\program files\Norton 360

2010-02-22 21:51 . 2010-02-22 21:51 -------- d-----w- c:\program files\NortonInstaller

2010-02-22 19:41 . 2010-02-22 19:41 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)

2010-02-22 19:41 . 2010-02-22 19:41 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)

2010-02-22 19:41 . 2010-02-22 19:41 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)

2010-02-22 19:41 . 2010-02-22 19:41 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)

2010-02-22 08:51 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2010-02-22 08:51 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-02-22 08:50 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

2010-02-22 08:48 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll

2010-02-22 08:48 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll

2010-02-22 08:45 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

2010-02-22 08:43 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

2010-02-21 23:42 . 2010-02-22 21:55 -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}

2010-02-21 23:42 . 2010-02-21 23:42 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Downloaded Installations

2010-02-21 23:42 . 2010-02-22 21:55 -------- d-----w- c:\program files\Symantec

2010-02-21 23:41 . 2010-02-24 04:02 -------- d-----w- c:\windows\system32\drivers\N360

2010-02-21 23:22 . 2010-02-21 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings

2010-02-21 23:22 . 2010-02-21 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2010-02-21 23:20 . 2010-02-22 10:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-27 21:00 . 2008-09-15 00:53 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-02-27 20:20 . 2008-09-15 00:48 -------- d-----w- c:\program files\SpywareBlaster

2010-02-24 00:14 . 2004-11-05 10:30 -------- d-----w- c:\program files\Common Files\Java

2010-02-24 00:14 . 2010-02-24 00:14 503808 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6e15262a-n\msvcp71.dll

2010-02-24 00:14 . 2010-02-24 00:14 499712 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6e15262a-n\jmc.dll

2010-02-24 00:14 . 2010-02-24 00:14 348160 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6e15262a-n\msvcr71.dll

2010-02-24 00:14 . 2010-02-24 00:14 61440 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-52529918-n\decora-sse.dll

2010-02-24 00:14 . 2010-02-24 00:14 12800 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-52529918-n\decora-d3d.dll

2010-02-24 00:14 . 2004-11-05 10:30 -------- d-----w- c:\program files\Java

2010-02-23 23:50 . 2008-03-12 22:30 -------- d-----w- c:\program files\Google

2010-02-23 09:00 . 2010-02-27 20:22 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100227.007\NAVENG.SYS

2010-02-23 09:00 . 2010-02-27 20:22 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100227.007\EECTRL.SYS

2010-02-23 09:00 . 2010-02-27 20:22 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100227.007\CCERASER.DLL

2010-02-23 09:00 . 2010-02-27 20:22 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100227.007\ECMSVR32.DLL

2010-02-23 09:00 . 2010-02-27 20:22 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100227.007\NAVENG32.DLL

2010-02-23 09:00 . 2010-02-27 20:22 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100227.007\NAVEX32A.DLL

2010-02-23 09:00 . 2010-02-27 20:22 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100227.007\NAVEX15.SYS

2010-02-23 09:00 . 2010-02-27 20:22 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100227.007\ERASER.SYS

2010-02-22 21:58 . 2004-11-06 06:02 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-02-22 21:55 . 2010-02-22 21:55 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2010-02-22 21:55 . 2010-02-22 21:55 7386 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2010-02-22 21:55 . 2010-02-22 21:55 1290592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll

2010-02-22 21:55 . 2010-02-22 21:55 136840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll

2010-02-22 21:55 . 2010-02-27 20:56 165240 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll

2010-02-22 21:55 . 2010-02-22 21:56 554352 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll

2010-02-22 21:55 . 2010-02-22 21:55 796016 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll

2010-02-22 21:54 . 2008-09-14 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2010-02-22 19:58 . 2005-01-10 05:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-02-22 19:46 . 2005-07-19 21:31 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-02-22 09:41 . 2008-07-23 22:05 -------- d-----w- c:\program files\Windows Desktop Search

2010-02-21 23:32 . 2008-07-14 23:56 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Symantec

2010-02-11 04:19 . 2010-02-27 20:22 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\Scxpx86.dll

2010-02-11 04:19 . 2010-02-27 20:22 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSxpx86.dll

2010-02-11 04:19 . 2010-02-27 20:22 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSviA64.sys

2010-02-11 04:19 . 2010-02-27 20:22 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSvix86.sys

2010-02-11 04:19 . 2010-02-27 20:22 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSXpx86.sys

2010-02-11 04:19 . 2010-02-23 23:36 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll

2010-02-11 04:19 . 2010-02-23 23:36 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSxpx86.dll

2010-02-11 04:19 . 2010-02-23 23:36 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvix86.sys

2010-02-11 04:19 . 2010-02-23 23:36 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSXpx86.sys

2010-02-11 04:19 . 2010-02-23 23:36 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSviA64.sys

2009-12-31 16:50 . 2004-11-26 08:59 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-21 19:14 . 2004-11-26 09:00 916480 ----a-w- c:\windows\system32\wininet.dll

2009-12-18 01:14 . 2009-01-26 22:27 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-12-16 18:43 . 2004-11-26 08:58 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08 . 2004-11-26 08:55 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-08 19:26 . 2004-11-26 08:58 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43 . 2004-08-04 05:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe

2009-12-04 18:22 . 2004-11-26 08:57 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2005-08-29 21:59 . 2005-08-29 21:59 251 ----a-w- c:\program files\wt3d.ini

2009-04-01 05:47 . 2008-09-14 18:40 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll

2005-09-03 03:06 . 2005-09-03 03:06 0 --sha-w- c:\windows\SMINST\HPCD.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"TivoTransfer"="c:\program files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe" [2005-08-04 1123328]

"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2005-08-04 1860608]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-08 68856]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RunTasktray"="c:\program files\Hewlett-Packard\HP Easy Printer Care\HPPRun.exe --regkeypath=Software\Hewlett-Packard\HP Easy Printer Care\HPPRun --valuename=InstallTTM" [X]

"ccApp"="-" [X]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-21 155648]

"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-08 49152]

"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-08 659456]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-11-05 180269]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-06-05 286720]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]

"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 88209]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-10 344064]

"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 253952]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-11-05 98304]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]

"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]

"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe" [2005-10-21 1687552]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2005-10-21 163840]

"KnexStarter"="c:\program files\Common Files\Hewlett-Packard\HP Device Communication Services\Appinterfaces\HPDeviceService.exe" [2008-08-29 159744]

"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2006-03-04 988654]

"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-03-04 118784]

"SoundMan"="SOUNDMAN.EXE" [2005-09-21 86016]

"AlcWzrd"="ALCWZRD.EXE" [2005-09-21 2807808]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\

PowerReg Scheduler.exe [2008-12-24 256000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

NDAS Device Management.lnk - c:\program files\NDAS\System\ndasmgmt.exe [2006-3-20 220160]

spywareblaster.exe.lnk - c:\program files\SpywareBlaster\spywareblaster.exe [2009-4-26 1340944]

SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

Updates from HP.lnk - c:\program files\Updates from HP\309731\Program\Updates from HP.exe [2004-11-5 45056]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"Alcmtr"=ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Hewlett-Packard\\HP Easy Printer Care\\HPPRun.exe"=

"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=

"c:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"=

R0 lfsfilt;Lean File Sharing;c:\windows\system32\drivers\lfsfilt.sys [1/3/2007 11:14 PM 140160]

R0 lpx;LPX Protocol;c:\windows\system32\drivers\lpx.sys [3/20/2006 4:39 PM 44288]

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [7/18/2008 8:24 PM 28544]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0300000.087\SymEFA.sys [2/21/2010 3:42 PM 310320]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0300000.087\BHDrvx86.sys [2/21/2010 3:42 PM 258608]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0300000.087\cchpx86.sys [2/21/2010 3:42 PM 482352]

R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe [2/22/2010 1:55 PM 115560]

R2 TivoBeacon2;TiVo Beacon;c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [8/4/2005 5:11 AM 848896]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/23/2010 1:00 AM 102448]

R3 ndasbus;NDAS Bus Driver;c:\windows\system32\drivers\ndasbus.sys [3/20/2006 4:39 PM 59136]

S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSXpx86.sys [2/27/2010 12:22 PM 329592]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/23/2010 3:50 PM 135664]

S3 ndasscsi;NDAS SCSI Miniport Driver;c:\windows\system32\drivers\ndasscsi.sys [3/20/2006 4:39 PM 115584]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ADXZMPFC

*Deregistered* - adxzmpfc

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

2005-04-10 c:\windows\Tasks\Easy Internet Sign-up.job

- c:\program files\Easy Internet signup\HPSdpApp.exe [2004-08-13 16:50]

2010-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-23 23:50]

2010-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-23 23:50]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop

uInternet Connection Wizard,ShellNext = iexplore

IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

Trusted Zone: amgentourofcalifornia.com

Trusted Zone: aol.com

Trusted Zone: circuitcity.com

Trusted Zone: cmtsj.org

Trusted Zone: forbes.com

Trusted Zone: hp.com

Trusted Zone: microsoft.com

Trusted Zone: nbcolympics.com

Trusted Zone: netscape.com

Trusted Zone: sonic.com

Trusted Zone: symantec.com

Trusted Zone: hp.com

TCP: {1CAA8A56-CB26-44E8-B457-58A5E3B2C9AC} = 192.168.1.1

Handler: HPDCS - {ba135f49-a12c-4e26-a2c4-6ea945999072} - c:\program files\Common Files\Hewlett-Packard\HP Device Communication Services\APP\hpdcsapp.dll

Handler: hppfile - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - c:\program files\Hewlett-Packard\HP Easy Printer Care\HPPCtrls.dll

Handler: hppsam - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - c:\program files\Hewlett-Packard\HP Easy Printer Care\HPPCtrls.dll

Handler: hppzip - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - c:\program files\Hewlett-Packard\HP Easy Printer Care\HPPCtrls.dll

FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\95zwpo9c.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll

FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll

FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-02-27 12:57

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]

"ImagePath"="\"c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.0.0.135\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccEvtMgr]

"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]

"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]

"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMTDI]

"ImagePath"="-"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1813034691-3816922137-1525111315-1008\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1400)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3020)

c:\windows\system32\WININET.dll

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\progra~1\WINDOW~3\wmpband.dll

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Roxio\Easy Media Creator 8\Drag to Disc\Shellex.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Acronis\Schedule2\schedul2.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\NDAS\System\ndassvc.exe

c:\windows\ehome\mcrdsvc.exe

c:\program files\Windows Media Player\WMPNetwk.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\wscntfy.exe

c:\windows\eHome\ehmsas.exe

c:\windows\AGRSMMSG.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

c:\program files\Common Files\Hewlett-Packard\HP Device Communication Services\AppInterfaces\HPDeviceHost.exe

c:\windows\SOUNDMAN.EXE

c:\windows\ALCWZRD.EXE

c:\program files\Hewlett-Packard\HP Easy Printer Care\HPPRun.exe

c:\program files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe

.

**************************************************************************

.

Completion time: 2010-02-27 13:07:04 - machine was rebooted

ComboFix-quarantined-files.txt 2010-02-27 21:07

Pre-Run: 77,559,365,632 bytes free

Post-Run: 77,693,104,128 bytes free

- - End Of File - - 17F52112729F4357D2A52E3311D418ED

*********

I noted that ComboFix identified and tried to remove the three bad .dll files that Norton 360 and MBAM had previously identified.

How did my defogger_disable log look?

Should I try to run GMER again, with or without Norton 360 turned off?

Should I enable my antivirus and antispyware applications now, e.g., Norton 360, SpywareBlaster, SpywareGuard?

Please note that before I downloaded ComboFix and disabled my Norton 360, I got a liveupdate error that "Not all of the updates were successful." Should I try to update Norton 360 after ComboFix was run?

Please note that when I put the infected computer online, dumprep.exe took 100% of CPU for several minutes, before I could open IE and download ComboFix.

Please note that ComboFix didn't install Recovery Console; I imagine it is already installed.

Should I run MBAM or Norton 360 scans?

Please note that I'm posting from my second computer because I pulled the ethernet cable from my infected computer once ComboFix was done, as I have left all antivirus and antispyware applications disabled until I get further instructions.

Thank you again for all your help; it is greatly appreciated.

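Here is a small Python triage pass over a ComboFix log of the kind posted above, added as an illustration; it is not a tool from this thread, from Malwarebytes or from ComboFix. The excerpt it scans is constructed from lines in the posted log, and the random-name, Temp-directory and registry heuristics are my own assumptions that produce review items, not verdicts.

```python
import re

# Constructed excerpt of the ComboFix log posted above (a few lines per section).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\drivers\adxzmpfc.sys
c:\windows\system32\gvegpjh.dll
c:\windows\system32\inf\hpqps2kb.inf
c:\windows\system32\ljgsqkp.dll
c:\windows\system32\rxaghdss.dll
c:\windows\Tasks\At1.job
D:\Autorun.inf
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3020)
c:\windows\system32\WININET.dll
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
"""

SECTION_RE = re.compile(r"^(?:\({3,}|-{3,})\s*(.+?)\s*(?:\){3,}|-{3,})$")
PROCESS_RE = re.compile(r"^(?:- )+> '([^']+)'\(\d+\)$")
FILE_RE = re.compile(r"^[a-z]:\\.+\.(?:dll|sys|exe|inf|bat|job)$", re.IGNORECASE)
SYSTEM32_RE = re.compile(r"\\windows\\system32\\(?:drivers\\)?[^\\]+$", re.IGNORECASE)
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
ROOT_AUTORUN_RE = re.compile(r"^[a-z]:\\autorun\.inf$", re.IGNORECASE)
VOWELS = set("aeiou")


def split_sections(text: str) -> dict:
    """Group non-empty log lines under the ((( ... ))) or --- ... --- header above them."""
    sections, current = {}, "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":  # ComboFix pads sections with lone dots
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections


def looks_random(stem: str) -> bool:
    """Vundo-style name: 7-8 lowercase letters with at most two vowels (gvegpjh, rxaghdss).
    Heuristic only (assumption): legitimate names such as wininet fail the vowel test."""
    return (7 <= len(stem) <= 8 and stem.isalpha() and stem.islower()
            and sum(c in VOWELS for c in stem) <= 2)


def check_path(section: str, line: str, process: str = "") -> list:
    """File-path heuristics for one log line; returns zero or more review items."""
    found = []
    if not FILE_RE.match(line):
        return found
    name = line.rsplit("\\", 1)[-1]
    stem = name.rsplit(".", 1)[0]
    item = f"{process}: {name}" if process else name
    if SYSTEM32_RE.search(line) and looks_random(stem):
        found.append({"section": section, "reason": "random-name-in-system32", "item": item})
    if TEMP_RE.search(line):  # binaries run from Temp, like IadHide5.dll inside explorer.exe
        found.append({"section": section, "reason": "in-temp-directory", "item": item})
    if ROOT_AUTORUN_RE.match(line):  # autorun.inf at a drive root is a removable-media vector
        found.append({"section": section, "reason": "autorun-at-drive-root", "item": item})
    return found


def triage(text: str) -> list:
    """Return the entries a helper would review first; items are leads, not verdicts."""
    sections = split_sections(text)
    findings = []
    for line in sections.get("Other Deletions", []):
        findings += check_path("Other Deletions", line)
    process = ""
    for line in sections.get("DLLs Loaded Under Running Processes", []):
        owner = PROCESS_RE.match(line)
        if owner:
            process = owner.group(1)
            continue
        findings += check_path("DLLs Loaded Under Running Processes", line, process)
    for line in sections.get("Reg Loading Points", []):
        key, _, value = line.partition("=")
        key, value = key.strip().strip('"').lower(), value.strip().lower()
        # A third-party suite such as Norton also sets DisableMonitoring, so both of
        # these mean "confirm who turned it off", not proof of tampering.
        if key == "disablemonitoring" and value == "dword:00000001":
            findings.append({"section": "Reg Loading Points",
                             "reason": "security-center-monitoring-off", "item": line})
        if key == "enablefirewall" and value.startswith("0"):
            findings.append({"section": "Reg Loading Points",
                             "reason": "firewall-off", "item": line})
    return findings
```

Running `triage(SAMPLE_LOG)` lists the three random-named DLLs and the driver from the "Other Deletions" section, the Temp-directory DLL both there and inside explorer.exe, the Autorun.inf at the D: root, and the two registry values, while leaving hpqps2kb.inf and WININET.dll alone.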

No need to run Norton right now.

You can put it back online to do the following:

Update/Run Malwarebytes

Please update/run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

=====

* Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Check the next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic



Hello kahdah,

Thank you again for your help and reply. I updated and ran MBAM. It found nothing, even though I'm still infected. I can't set Norton 360 to scan incoming and outgoing email messages permanently. Every time I set Norton to scan such messages, the scan is automatically turned off within 1-2 seconds and I receive a warning. I also still can't successfully update Norton 360 via LiveUpdate. Here is my MBAM log as requested.

*********

Malwarebytes' Anti-Malware 1.44

Database version: 3805

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

2/27/2010 9:09:40 PM

mbam-log-2010-02-27 (21-09-40).txt

Scan type: Quick Scan

Objects scanned: 140051

Time elapsed: 11 minute(s), 55 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

********

I ran ESET and it discovered and removed 2 entries. Here is the log as requested.

********

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=694ab91c3f4f954f9326b7917a33fd1c

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-02-28 07:01:25

# local_time=2010-02-27 11:01:25 (-0800, Pacific Standard Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 284635 284635 0 0

# compatibility_mode=3589 16777189 100 100 281721 16437481 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=183904

# found=2

# cleaned=2

# scan_time=5122

C:\Downloads\AgeOfCastles_Setup-dm[1].exe Win32/Adware.Trymedia application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\ActiveScan\pskavs.dll probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

************

Please note that I turned off Norton 360 auto-protect antivirus during the ESET scan because I was warned by ESET that such AV software may affect the performance and quality of the scan.

What next? Should I try to run GMER without Norton 360 turned on?

Did my defogger_disable log look okay?

Thank you again for all your help.


Norton appears to be missing a few components, so you may have to reinstall it to get the full functionality back.

========================

1. Please open Notepad

  • Click Start, then Run
  • Type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\PowerReg Scheduler.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScriptB-4.gif

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

  • Combofix.txt

=============

Hello kahdah,

Thank you again for your quick reply. Attached is the ComboFix log you requested.

******

ComboFix 10-02-27.04 - HP_Administrator 02/28/2010 9:46.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2452 [GMT -8:00]

Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt

AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

FILE ::

"c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\PowerReg Scheduler.exe"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\PowerReg Scheduler.exe

.

((((((((((((((((((((((((( Files Created from 2010-01-28 to 2010-02-28 )))))))))))))))))))))))))))))))

.

2010-02-28 17:25 . 2010-02-28 17:25 177024 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\95zwpo9c.default\FlashGot.exe

2010-02-28 17:01 . 2010-02-22 21:55 165240 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll

2010-02-28 05:30 . 2010-02-28 05:30 -------- d-----w- c:\program files\ESET

2010-02-28 04:55 . 2010-02-28 04:55 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Temp

2010-02-28 04:49 . 2010-02-23 09:00 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100227.025\NAVENG.SYS

2010-02-28 04:49 . 2010-02-23 09:00 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100227.025\EECTRL.SYS

2010-02-28 04:49 . 2010-02-23 09:00 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100227.025\CCERASER.DLL

2010-02-28 04:49 . 2010-02-23 09:00 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100227.025\ECMSVR32.DLL

2010-02-28 04:49 . 2010-02-23 09:00 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100227.025\NAVENG32.DLL

2010-02-28 04:49 . 2010-02-23 09:00 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100227.025\NAVEX32A.DLL

2010-02-28 04:49 . 2010-02-23 09:00 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100227.025\NAVEX15.SYS

2010-02-28 04:49 . 2010-02-23 09:00 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100227.025\ERASER.SYS

2010-02-27 20:22 . 2010-02-11 04:19 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\Scxpx86.dll

2010-02-27 20:22 . 2010-02-11 04:19 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSxpx86.dll

2010-02-27 20:22 . 2010-02-11 04:19 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSviA64.sys

2010-02-27 20:22 . 2010-02-11 04:19 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSvix86.sys

2010-02-27 20:22 . 2010-02-11 04:19 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSXpx86.sys

2010-02-24 07:06 . 2010-02-24 07:06 -------- d-sh--w- c:\documents and settings\HP_Administrator\IECompatCache

2010-02-24 00:14 . 2010-02-24 00:14 503808 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6e15262a-n\msvcp71.dll

2010-02-24 00:14 . 2010-02-24 00:14 499712 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6e15262a-n\jmc.dll

2010-02-24 00:14 . 2010-02-24 00:14 348160 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6e15262a-n\msvcr71.dll

2010-02-24 00:14 . 2010-02-24 00:14 61440 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-52529918-n\decora-sse.dll

2010-02-24 00:14 . 2010-02-24 00:14 12800 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-52529918-n\decora-d3d.dll

2010-02-23 23:55 . 2010-02-23 23:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2010-02-23 23:50 . 2010-02-23 23:50 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2010-02-23 23:36 . 2010-02-11 04:19 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll

2010-02-23 23:36 . 2010-02-11 04:19 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSxpx86.dll

2010-02-23 23:36 . 2010-02-11 04:19 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvix86.sys

2010-02-23 23:36 . 2010-02-11 04:19 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSXpx86.sys

2010-02-23 23:36 . 2010-02-11 04:19 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSviA64.sys

2010-02-23 23:32 . 2010-02-23 23:32 -------- d-----w- c:\program files\Trend Micro

2010-02-23 22:28 . 2010-02-23 22:41 -------- d-----w- c:\documents and settings\TEMP

2010-02-23 20:18 . 2010-02-23 20:18 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes

2010-02-23 20:18 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-23 20:18 . 2010-02-23 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-02-23 20:18 . 2010-02-23 20:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-23 20:18 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-22 21:56 . 2010-02-22 21:55 554352 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll

2010-02-22 21:55 . 2010-02-22 21:55 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys

2010-02-22 21:55 . 2010-02-22 21:55 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2010-02-22 21:55 . 2010-02-22 21:55 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2010-02-22 21:55 . 2010-02-22 21:55 1290592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll

2010-02-22 21:55 . 2010-02-22 21:55 136840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll

2010-02-22 21:55 . 2010-02-22 21:55 796016 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll

2010-02-22 21:54 . 2010-02-22 21:55 -------- d-----w- c:\program files\Norton 360

2010-02-22 21:51 . 2010-02-22 21:51 -------- d-----w- c:\program files\NortonInstaller

2010-02-22 19:41 . 2010-02-22 19:41 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)

2010-02-22 19:41 . 2010-02-22 19:41 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)

2010-02-22 19:41 . 2010-02-22 19:41 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)

2010-02-22 19:41 . 2010-02-22 19:41 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)

2010-02-22 08:51 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2010-02-22 08:51 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-02-22 08:50 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

2010-02-22 08:48 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll

2010-02-22 08:48 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll

2010-02-22 08:45 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

2010-02-22 08:43 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

2010-02-21 23:42 . 2010-02-22 21:55 -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}

2010-02-21 23:42 . 2010-02-21 23:42 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Downloaded Installations

2010-02-21 23:42 . 2010-02-22 21:55 -------- d-----w- c:\program files\Symantec

2010-02-21 23:41 . 2010-02-24 04:02 -------- d-----w- c:\windows\system32\drivers\N360

2010-02-21 23:22 . 2010-02-21 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings

2010-02-21 23:22 . 2010-02-21 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2010-02-21 23:20 . 2010-02-22 10:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-28 17:22 . 2008-09-15 00:53 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-02-28 17:22 . 2008-09-15 00:48 -------- d-----w- c:\program files\SpywareBlaster

2010-02-24 00:14 . 2004-11-05 10:30 -------- d-----w- c:\program files\Common Files\Java

2010-02-24 00:14 . 2004-11-05 10:30 -------- d-----w- c:\program files\Java

2010-02-23 23:50 . 2008-03-12 22:30 -------- d-----w- c:\program files\Google

2010-02-22 21:58 . 2004-11-06 06:02 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-02-22 21:55 . 2010-02-22 21:55 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2010-02-22 21:55 . 2010-02-22 21:55 7386 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2010-02-22 21:54 . 2008-09-14 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2010-02-22 19:58 . 2005-01-10 05:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-02-22 19:46 . 2005-07-19 21:31 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-02-22 09:41 . 2008-07-23 22:05 -------- d-----w- c:\program files\Windows Desktop Search

2010-02-21 23:32 . 2008-07-14 23:56 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Symantec

2009-12-31 16:50 . 2004-11-26 08:59 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-21 19:14 . 2004-11-26 09:00 916480 ------w- c:\windows\system32\wininet.dll

2009-12-18 01:14 . 2009-01-26 22:27 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-12-16 18:43 . 2004-11-26 08:58 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08 . 2004-11-26 08:55 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-08 19:26 . 2004-11-26 08:58 2145280 ------w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43 . 2004-08-04 05:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe

2009-12-04 18:22 . 2004-11-26 08:57 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2005-08-29 21:59 . 2005-08-29 21:59 251 ----a-w- c:\program files\wt3d.ini

2009-04-01 05:47 . 2008-09-14 18:40 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll

2005-09-03 03:06 . 2005-09-03 03:06 0 --sha-w- c:\windows\SMINST\HPCD.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"TivoTransfer"="c:\program files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe" [2005-08-04 1123328]

"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2005-08-04 1860608]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-08 68856]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RunTasktray"="c:\program files\Hewlett-Packard\HP Easy Printer Care\HPPRun.exe --regkeypath=Software\Hewlett-Packard\HP Easy Printer Care\HPPRun --valuename=InstallTTM" [X]

"ccApp"="-" [X]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-21 155648]

"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-08 49152]

"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-08 659456]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-11-05 180269]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-06-05 286720]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]

"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 88209]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-10 344064]

"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 253952]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-11-05 98304]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]

"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]

"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe" [2005-10-21 1687552]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2005-10-21 163840]

"KnexStarter"="c:\program files\Common Files\Hewlett-Packard\HP Device Communication Services\Appinterfaces\HPDeviceService.exe" [2008-08-29 159744]

"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2006-03-04 988654]

"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-03-04 118784]

"SoundMan"="SOUNDMAN.EXE" [2005-09-21 86016]

"AlcWzrd"="ALCWZRD.EXE" [2005-09-21 2807808]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

NDAS Device Management.lnk - c:\program files\NDAS\System\ndasmgmt.exe [2006-3-20 220160]

spywareblaster.exe.lnk - c:\program files\SpywareBlaster\spywareblaster.exe [2009-4-26 1340944]

SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

Updates from HP.lnk - c:\program files\Updates from HP\309731\Program\Updates from HP.exe [2004-11-5 45056]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"Alcmtr"=ALCMTR.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Hewlett-Packard\\HP Easy Printer Care\\HPPRun.exe"=

"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=

"c:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"=

R0 lfsfilt;Lean File Sharing;c:\windows\system32\drivers\lfsfilt.sys [1/3/2007 11:14 PM 140160]

R0 lpx;LPX Protocol;c:\windows\system32\drivers\lpx.sys [3/20/2006 4:39 PM 44288]

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [7/18/2008 8:24 PM 28544]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0300000.087\SymEFA.sys [2/21/2010 3:42 PM 310320]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0300000.087\BHDrvx86.sys [2/21/2010 3:42 PM 258608]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0300000.087\cchpx86.sys [2/21/2010 3:42 PM 482352]

R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe [2/22/2010 1:55 PM 115560]

R2 TivoBeacon2;TiVo Beacon;c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [8/4/2005 5:11 AM 848896]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/23/2010 1:00 AM 102448]

R3 ndasbus;NDAS Bus Driver;c:\windows\system32\drivers\ndasbus.sys [3/20/2006 4:39 PM 59136]

S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSXpx86.sys [2/27/2010 12:22 PM 329592]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/23/2010 3:50 PM 135664]

S3 ndasscsi;NDAS SCSI Miniport Driver;c:\windows\system32\drivers\ndasscsi.sys [3/20/2006 4:39 PM 115584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

2005-04-10 c:\windows\Tasks\Easy Internet Sign-up.job

- c:\program files\Easy Internet signup\HPSdpApp.exe [2004-08-13 16:50]

2010-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-23 23:50]

2010-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-23 23:50]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop

uInternet Connection Wizard,ShellNext = iexplore

IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

Trusted Zone: amgentourofcalifornia.com

Trusted Zone: aol.com

Trusted Zone: circuitcity.com

Trusted Zone: cmtsj.org

Trusted Zone: forbes.com

Trusted Zone: hp.com

Trusted Zone: microsoft.com

Trusted Zone: nbcolympics.com

Trusted Zone: netscape.com

Trusted Zone: sonic.com

Trusted Zone: symantec.com

Trusted Zone: hp.com

TCP: {1CAA8A56-CB26-44E8-B457-58A5E3B2C9AC} = 192.168.1.1

Handler: HPDCS - {ba135f49-a12c-4e26-a2c4-6ea945999072} - c:\program files\Common Files\Hewlett-Packard\HP Device Communication Services\APP\hpdcsapp.dll

Handler: hppfile - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - c:\program files\Hewlett-Packard\HP Easy Printer Care\HPPCtrls.dll

Handler: hppsam - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - c:\program files\Hewlett-Packard\HP Easy Printer Care\HPPCtrls.dll

Handler: hppzip - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - c:\program files\Hewlett-Packard\HP Easy Printer Care\HPPCtrls.dll

FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\95zwpo9c.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll

FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll

FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-02-28 09:52

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]

"ImagePath"="\"c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.0.0.135\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccEvtMgr]

"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]

"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]

"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMTDI]

"ImagePath"="-"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1813034691-3816922137-1525111315-1008\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1428)

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2010-02-28 09:55:50

ComboFix-quarantined-files.txt 2010-02-28 17:55

ComboFix2.txt 2010-02-27 21:07

Pre-Run: 77,391,372,288 bytes free

Post-Run: 77,350,567,936 bytes free

- - End Of File - - 0CDA623BE200E08B645A98F5CCAAD4D9

*******

Please note that I have not reinstalled Norton 360 yet. Would it be best to do this after the infection is gone or should I try to do this now?

Also, please note that when I started Firefox the add-ons page came up and I accidentally updated them. Now Firefox will not open. It's listed as running in Task Manager and the task bar, but it won't open on the screen. Hopefully it will work when I restart the computer. If it doesn't, should I remove and reinstall the program? I ended up using IE to make this post.

Lastly, the typing is very delayed in making this post. Is this temporary or is this the sign of a continuing infection?

Thank you for your help. And I'm sorry for the Firefox error on my part. I'll be more deliberate and careful in the future.


I don't see any signs of infection now in your log.

Try to reboot and see if Firefox opens correctly.

If it does not then yes reinstall it.

Is typing delayed only in IE, or in other browsers as well?

At this point, use your computer like normal and reinstall what you need to get it back to normal.

Then let me know how things are running after that.

Typing was only delayed in IE, but I couldn't get Firefox to open properly. Typing was fine in Notepad, but I didn't test in browsers other than IE.

I will try to reboot to see if Firefox opens correctly, and I will reinstall Norton 360 to see if that fixes the liveupdate and email scan issues.

I'll report back.

Thank you for your help!


Ok no problem.

Hello kahdah,

I was able to reinstall Firefox and Norton 360. Both seem to be working. I was surprised that Norton 360 found and quarantined Suspicious.Cloud (ljgsqkp.dll), as I thought that DLL had been removed by our earlier work.

Thank you for all your help. I will report in if I have any more unusual activity.

I ran a complete scan in SUPERAntiSpyware. The scan found the following Trojan.Agent/Gen-Nullo(short).

C:\SYSTEM VOLUME INFORMATION\_RESTORE{6F354F18-CACC-49BA-8A22-3DF3CA9BD55B}\RP6\A0000921.DLL

C:\SYSTEM VOLUME INFORMATION\_RESTORE{6F354F18-CACC-49BA-8A22-3DF3CA9BD55B}\RP6\A0000922.DLL

The entries appear to be in System Restore. SAS says they can be safely quarantined so they are not accidentally restored.

Otherwise, all scans are clean.

Thanks again for your help.

I will report if there is any more unusual activity.


ok

I was surprised that Norton 360 found and quarantined Suspicious.Cloud (ljgsqkp.dll)
If it was in a location called qoobox then it only detected what we have removed; qoobox is Combofix's quarantine folder.

Anyway, use it for a day or 2 and get back to me; then we will wrap it up.

Hello kahdah,

Good call. I looked back at my notes and the bad DLL file was in the qoobox.

The scans are only finding tracking cookies at this point.

Do you know if it is safe to run SpywareGuard 2.2 real-time protection at the same time as Norton 360? I understand it is generally not a good idea to run competing real-time scanners.

Is it okay to clean up the old restore points using Start, Accessories, System Tools, Disk Cleanup?

Is it okay to clean up my registry using Norton 360? I wouldn't want to use it if it wasn't safe as there is no built-in restore/reverse function. Is my registry likely a mess after all this?

Anything in my logs that you thought I should clean up or delete because it is vulnerable or unnecessary as a resource hog?

Should I use DeFogger to turn CD emulation back on?

Is it safe to put the network storage back online and scan it from the cleaned computer?

Why did the trojan keep coming back and why doesn't it anymore; how was it finally killed?

Would you advise against online banking or online purchases on the cleaned computer?

Anything else I should do before we close this case?

Thank you again for all your help.


Do you know if it is safe to run SpywareGuard 2.2 real-time protection at the same time as Norton 360? I understand it is generally not a good idea to run competing real-time scanners.
It is really not needed with what you have running.
Is it okay to clean up the old restore points using Start, Accessories, System Tools, Disk Cleanup?
Not yet; we will do that in a minute.
Is it okay to clean up my registry using Norton 360? I wouldn't want to use it if it wasn't safe as there is no built-in restore/reverse function. Is my registry likely a mess after all this?
This is not advisable; it can render the computer unbootable if something were to go wrong.
Anything in my logs that you thought I should clean up or delete because it is vulnerable or unnecessary as a resource hog?
No, nothing that I see.
Should I use DeFogger to turn CD emulation back on?
Yes.
Is it safe to put the network storage back online and scan it from the cleaned computer?
Yes.
Why did the trojan keep coming back and why doesn't it anymore; how was it finally killed?
Removing it all in one swoop is really the only way to remove it.

If a file is left, the infection will respawn.

Would you advise against online banking or online purchases on the cleaned computer?
No, you may use it like normal now.
Anything else I should do before we close this case?
Yes, see the following instructions.

You are welcome :D

=======Cleanup=======

  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

===============Update Java===============

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 18...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.

======================Clear out infected System Restore points======================

Then we need to reset your System Restore points.

The link below shows how to do this.

How to Turn On and Turn Off System Restore in Windows XP

http://support.microsoft.com/kb/310405/en-us

If you are using Vista then see this link: http://www.bleepingcomputer.com/tutorials/...143.html#manual

Delete\uninstall anything else that we have used that is leftover.

=====================================

After that you're all set.

The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections please read the Prevention article by Miekiemoes.

If your computer is slow Is a tutorial on what you can do if your computer is slow.

File sharing program dangers Reasons to stay away from File sharing programs, for ex: BitTorrent, Limewire, Kazaa, emule, Utorrent, etc...
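The "remove all older versions of Java" step above is done by hand through Add/Remove Programs. As an added PowerShell example (not part of this thread, and not a tool from Malwarebytes, Sun or anyone named here), the script below reads the same Add/Remove Programs registry entries and flags every Java runtime older than the release the post names, Java 6 Update 18, so you can see what the removal step has to cover before running the new installer. The registry paths are the standard uninstall keys; the DisplayName pattern it matches ("Java(TM) 6 Update 18", "J2SE Runtime Environment 5.0 Update 22") is an assumption about how the Sun/Oracle installers of that era register themselves, and entries named differently simply fall through unmatched.

```powershell
# Added example, not part of the thread: list the Java runtimes registered in
# Add/Remove Programs and flag each one older than the release the post names
# (Java 6 Update 18). Read-only: it removes nothing.
# Assumption: Sun/Oracle JRE entries use DisplayName text such as
# "Java(TM) 6 Update 18" or "J2SE Runtime Environment 5.0 Update 22".

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'  # 32-bit JRE on 64-bit Windows
)
$currentMajor  = 6    # baseline from the post: Java 6 Update 18
$currentUpdate = 18

function Get-JavaRuntimes {
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in (Get-ChildItem $root)) {
            $entry = Get-ItemProperty -Path $key.PSPath
            # Skip anything that is not a recognisable Sun/Oracle JRE entry.
            if ($entry.DisplayName -notmatch '^(?:Java\(TM\)|J2SE Runtime Environment|Java) (\d+)(?:\.0)? Update (\d+)') { continue }
            $major  = [int]$matches[1]
            $update = [int]$matches[2]
            # Older major version, or same major with a lower update number, is stale.
            $stale = ($major -lt $currentMajor) -or (($major -eq $currentMajor) -and ($update -lt $currentUpdate))
            New-Object PSObject -Property @{
                Name            = $entry.DisplayName
                Major           = $major
                Update          = $update
                Stale           = $stale
                UninstallString = $entry.UninstallString   # what Add/Remove Programs runs for this entry
            }
        }
    }
}

$runtimes = @(Get-JavaRuntimes)
if ($runtimes.Count -eq 0) {
    Write-Host 'No Java runtime entries found in Add/Remove Programs.'
} else {
    $runtimes | Sort-Object Major, Update | Format-Table Name, Major, Update, Stale -AutoSize
    $staleOnes = @($runtimes | Where-Object { $_.Stale })
    Write-Host ("{0} stale Java version(s) to remove before installing the current one." -f $staleOnes.Count)
}
```

Run it before and after the Add/Remove Programs pass: the second run should report zero stale entries, which confirms the removal was complete rather than trusting the Java.com page, which (as the thread notes) is happy to leave old versions installed.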

Hello kahdah,

Thank you so much for your help. I'm not near the cleaned computer now, but later I will do as you instruct and report the results.

With respect to Java, I thought I had 6.18 on the computer. Or are you saying I should remove all the old versions even though Java.com says I can leave them on in case I have any old applications that need them? I want to make sure I understand the instructions before I remove the old versions.

Do you see any remnants of file sharing programs that still need to be removed? Years ago, a "friend" of my teenage son put limewire on the computer. I quickly discovered it, removed it and told my son he was not to put any software on the computer or allow anyone else to do so. Was the removal incomplete? Is there something I should do to complete the removal and make my machine more secure? Or was your comment a general one?

Thank you again for all your help. I'll report back on the final steps.

Peace


With respect to Java, I thought I had 6.18 on the computer. Or are you saying I should remove all the old versions even though Java.com says I can leave them on in case I have any old applications that need them? I want to make sure I understand the instructions before I remove the old versions.
Yes, you do have update 18; I overlooked it going back through the log. But if Java says that, then that is very bad, as those old versions get exploited by malware all of the time. You should remove the old versions for sure.

If an older version is needed they still offer downloads for those versions if needed for an application.

Or was your comment a general one?
Just a general comment to warn against the usage of them.

Hello kahdah,

Thank you again for your help and replies.

Even after reinstalling Norton 360, I'm still having problems with it. On occasion, it will not start up at system start up, I can't start LiveUpdate and I can't start the program. I am able to run One Click Support, which tells me that auto-protect is turned off and tells me to turn it on, but I can't start any of the above to turn it on. I have been able to reboot and, upon reboot, Norton 360 will start up. I have run MBAM, SAS, HijackThis, Norton 360 and seen nothing unusual; in HijackThis log, I did see "O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll," but bleepingcomputer.com says this is okay.

Does this suggest I still have something on my system, or is this a known bug in Norton 360, i.e., sometimes the system needs to be rebooted to start it up?

Otherwise, the system seems to be working normally.

Thanks again for your help.


I forgot one other thing, when I clicked on the miekiemoes articles (links "Prevention article" and "If your computer is slow"), the Norton 360 toolbar warned me the site was infected with trojan horse FixO.exe. I'm guessing the same software can be used for good (repair) or bad (infect), but I didn't take the chance to read the articles. Better safe than sorry given my lack of knowledge and understanding.


I apologize for the separate replies to your last message, but I noticed something that concerned me about file sharing.

In reviewing the properties for my C:/ and D:/ drives on the cleaned computer, I noted these drives were being shared as C$ and D$. When I tried to turn on the "Do not share this folder" button for the C:/ drive, I got the following dialogue box message: "This share was created for administrative purposes only. The share will reappear when the Server service is stopped and restarted or the computer is rebooted. Are you sure you wish to stop sharing C$?" (For the D:/ drive, I got the same message with a D$ for C$.)

Did the infection turn on file sharing for the entirety of my hard drives? I obviously don't want to share my entire hard drives. How do I turn this off so it doesn't get turned back on. Or does this need to be on for some administrative Microsoft reason I don't understand?

Please note that years ago I ran the Home Network wizard in Windows to put my home network computers into a workgroup.

Since the infection, please note that I have turned off "Simple File Sharing" in my Folder Options on the home networked computers. Based upon my reading at the Microsoft Web site, this appears to turn off file sharing, unless I actively turn it on for specific folders. Please note that the Shared Documents and My Documents folders are set to "Do not share this folder." Does this work at all if the root is shared as C$? I'm not aware of any other folders that are shared, administratively or otherwise.

Should I uninstall "File and Printer Sharing for Microsoft Networks" for my LAN Local Area Connection? I did this for a computer on my home network running Windows XP Home Edition, as I understand XP Home always has Simple File Sharing enabled.

After the repeated problems caused by immature children using computers on my network, I'm not sure the convenience of file sharing is a good idea.

What would you recommend with respect to the file (and printer) sharing settings to improve the security of the computers on my home network, particularly given the nasty trojan you helped me with? I'm concerned I may have made a real mess of my home network and file sharing configurations.

Thank you for your help and advice.


ok.

For the first problem with norton 360.

This will be a pain to do but it is worth a shot.

Uninstall Norton 360 once more via add\remove programs.

Then go here: ftp://ftp.symantec.com/public/english_us_...emoval_Tool.exe

Save that file to your desktop and double click on it to run it.

Follow the prompts to remove all Norton remnants.

Then once that is done reboot the machine and then do a search for anything that says Symantec or Norton in the name.

Delete it once it is found.

Reboot once more then install it again from scratch.

This should give it a clean slate to start with and hopefully function correctly.

============================

I forgot one other thing, when I clicked on the miekiemoes articles (links "Prevention article" and "If your computer is slow"), the Norton 360 toolbar warned me the site was infected with trojan horse FixO.exe. I'm guessing the same software can be used for good (repair) or bad (infect), but I didn't take the chance to read the articles. Better safe than sorry given my lack of knowledge and understanding.

It says that because there may be a download on the page of a program miekiemoes made or hosts there that is used for good but gets detected as bad; it is a false positive for sure.

Antivirus vendors detect some of the tools we use as threats because of the way they are written.

But if you get tech support from them, most will ask you to run the tools we use, namely combofix.

Yet they still detect certain files combofix uses as a threat and do not remove them.

Anyway long story short it is a false positive.

===============================

For the drive shares they are admin shares by default.

You can do one of 2 things: you can remove the shares from showing, or you can disable file sharing so they are not shown either.

Let me know what you would like to do.

I will help you either way.

For security purposes you can password protect your shares and your computer if you have any shares that you wanted or disable file and printer sharing.
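The C$ and D$ shares the poster found are the default administrative shares the reply describes, and the dialog text quoted earlier ("The share will reappear when the Server service is stopped and restarted") is why deleting them by hand does not stick. As an added PowerShell example (not part of this thread and not a Malwarebytes or Microsoft tool), the script below lists the hidden administrative shares the computer currently offers and shows the LanmanServer setting that decides whether the drive shares are re-created at service start; with -Disable it sets that value to 0 and restarts the service. The WMI class Win32_Share and the AutoShareWks / AutoShareServer values are standard Windows items; that AutoShareWks governs workstation editions (XP, Vista, 7) and AutoShareServer governs server editions, and that neither affects IPC$, is stated here as the assumption the script works from.

```powershell
# Added example, not part of the thread: audit the hidden administrative shares
# (C$, D$, ADMIN$, IPC$) and show the Server-service setting that controls whether
# the drive shares come back after a reboot. Report-only unless run with -Disable.
# Assumptions: AutoShareWks applies to workstation editions, AutoShareServer to
# server editions; IPC$ is unaffected by either value.
param([switch]$Disable)

$lanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-AdminShares {
    # Administrative shares carry the high bit in Win32_Share.Type (value >= 2147483648).
    foreach ($share in (Get-WmiObject -Class Win32_Share | Where-Object { $_.Type -ge 2147483648 })) {
        $kind = switch ($share.Type) {
            2147483648 { 'Disk' }
            2147483649 { 'PrintQueue' }
            2147483650 { 'Device' }
            2147483651 { 'IPC' }
            default    { 'Other' }
        }
        New-Object PSObject -Property @{ Name = $share.Name; Path = $share.Path; Kind = $kind }
    }
}

function Get-AutoShareSetting {
    # A missing value means "enabled" (the default); 0 means the Server service stops re-creating the shares.
    $props = Get-ItemProperty -Path $lanmanParams
    foreach ($name in 'AutoShareWks', 'AutoShareServer') {
        $value = $props.$name
        New-Object PSObject -Property @{
            Name   = $name
            Value  = $(if ($value -eq $null) { '(not set)' } else { $value })
            Effect = $(if ($value -eq 0) { 'drive and ADMIN$ shares not re-created' } else { 'shares re-created at service start' })
        }
    }
}

Write-Host 'Administrative shares currently offered by this computer:'
Get-AdminShares | Format-Table Name, Kind, Path -AutoSize
Write-Host 'Automatic share creation setting:'
Get-AutoShareSetting | Format-Table Name, Value, Effect -AutoSize

if ($Disable) {
    # Turn off automatic creation, then restart the Server service so the change takes effect.
    # Remote administration tools and some backup agents rely on ADMIN$ or C$ and will stop working.
    foreach ($name in 'AutoShareWks', 'AutoShareServer') {
        Set-ItemProperty -Path $lanmanParams -Name $name -Value 0 -Type DWord
    }
    Restart-Service -Name LanmanServer -Force
    Write-Host 'Automatic administrative shares disabled; re-run without -Disable to confirm.'
}
```

Run it first without -Disable from an administrator prompt to see the current state; after -Disable, the second run should no longer list C$, D$ or ADMIN$, while IPC$ stays. This is the "remove the shares from showing" option in the reply; the other option, unbinding File and Printer Sharing from the network connection, removes the Server-side listening altogether and is the stronger choice for a home workgroup that does not need remote administration.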

Hello kahdah,

Thanks for your replies. To keep any malware from spreading on my network, I would like to disable file and printer sharing, unless you think this is a stupid idea. What is the best way to do this? Turn off Simple File Sharing, uninstall File and Printer Sharing for Microsoft Networks, all the above, something else? On the home network, I run wintel machines with the following OS: Windows XP Home Edition, Windows XP Media Center Edition, and Windows 7 Home Premium (64 bit).

Thanks again.
