TROJAN.VUNDO.H / TROJAN.AGENT


Hello,

I hope this is the right place to post, and MB seems to be well versed and educated, so here is my problem (like others):

Got infected w/ the Vundo & Agent so downloaded MBAM. Got rid of most but there are still 8 lingering bugs I cannot get rid of. Tried many times w/ MBAM, please help and thank you in advance. In looking at other posts, I believe I need to tell you what OS I have and give you my MBAM log files so I hope this is enough:

MS Window XP

Home Edition

Version 2002

Service Pack 3

Log Files---------------------------------------------------

Malwarebytes' Anti-Malware 1.30

Database version: 1419

Windows 5.1.2600 Service Pack 3

11/24/2008 8:35:05 PM

mbam-log-2008-11-24 (20-35-05).txt

Scan type: Quick Scan

Objects scanned: 57578

Time elapsed: 4 minute(s), 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 4

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ce27cd53-6ffd-49c4-a72a-60b139e15e4b} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nfhakpga (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{ce27cd53-6ffd-49c4-a72a-60b139e15e4b} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\qsjatud.dll (Trojan.Vundo.H) -> Delete on reboot.

I have tried to reboot immediately afterward, but cannot remove the 8.

Thank you again for any help....

h2otech1


Hi There.

You're running a slightly outdated version of MBAM, please update it and proceed as instructed below:

Important!

All of the following instructions must be run on the affected computer. Logs from a different computer will not help me help you. So, if you need to download all of this and then copy it to CD or memory stick and take it to the other computer, please do so. Either way, it's important. The logs have to be made by the computer with the problem.
I need you to follow the instructions provided here first.
I also need for you to download this program (http://oldtimer.geekstogo.com/OTListIt.exe) to your desktop.
  • Close all applications and windows so that you have nothing open and are at your Desktop

  • Double-click on the OTListIt.exe file to start OTListIt. OK any warning about running OTListIt.

  • Place a checkmark in the "Scan All Users" checkbox (Leave the 'Use Whitelist' checked and the 'File Age:' at 30 days)

  • Click the Run Scan button

  • NOTE: Please be patient and let the scan run without using the computer

  • When the scan is complete, a text file (OTListIt.Txt) will open in Notepad (if not, it can be found on your Desktop)

  • In Notepad, click Edit, Select all then Edit, Copy

  • Reply to this topic, click in the topic reply window, and press Ctrl+V to paste the log or Right click paste.

  • Submit your reply and close the Notepad window with OTList.txt

  • Also OTListIt's Extras.txt log file will be minimized in the Taskbar (and located on your Desktop) - click on this and maximize the window

  • In Notepad, click Edit, Select all then Edit, Copy

  • Reply to this topic again, click in the topic reply window, and press Ctrl+V to paste the extras log or Right click paste.

  • NOTE: If the files (OTListIt.txt, Extras.txt) do not appear in your taskbar, just open the files in notepad from your desktop.


Please allow me time to analyze your post. If you don't see a reply from me after 24 hours, feel free to PM me.

Thanks for the reply!!!!

1) Ran Spybot S&D.

2) Reinstalled MBAM, scanned and the log is found below. I will continue with your instructions and repost the other logs. Thank you!!!!!

Malwarebytes' Anti-Malware 1.30

Database version: 1423

Windows 5.1.2600 Service Pack 3

11/25/2008 10:58:00 AM

mbam-log-2008-11-25 (10-58-00).txt

Scan type: Quick Scan

Objects scanned: 57699

Time elapsed: 6 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 4

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ce27cd53-6ffd-49c4-a72a-60b139e15e4b} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nfhakpga (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{ce27cd53-6ffd-49c4-a72a-60b139e15e4b} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\qsjatud.dll (Trojan.Vundo.H) -> Delete on reboot.


And here is the log from Panda Security:

;*******************************************************************************

ANALYSIS: 2008-11-25 12:22:29

PROTECTIONS: 1

MALWARE: 5

SUSPECTS: 5

;*******************************************************************************

PROTECTIONS

Description Version Active Updated

;===============================================================================

Norton AntiVirus 16.0.0.125 Yes Yes

;===============================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Default User\Cookies\system@atdmt[2].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@ad.yieldmanager[1].txt

02077612 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP4\A0009168.exe

03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\WINDOWS\system32\drivers\qouwge.sys

04156665 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\WINDOWS\system32\clusapim.dll

;===============================================================================

SUSPECTS

Sent Location y

;===============================================================================

No C:\hp\bin\KillIt.exe y

No C:\hp\recovery\wizard\SWR_Wizard.exe y

No C:\Program Files\Online Services\NetscapeOnline\NSsetup.exe y

No C:\WINDOWS\Installer\167ae975.msi[unk_0100] y

No C:\WINDOWS\system32\bw7nir4b.exe y

;===============================================================================

VULNERABILITIES

Id Severity Description y

;===============================================================================

;===============================================================================


And the log file from HiJack:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:28:35 PM, on 11/25/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\ALCWZRD.EXE

C:\WINDOWS\ALCMTR.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\hphmon06.exe

C:\windows\system\hpsysdrv.exe

C:\Program Files\Browser Mouse\MOffice.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Browser Mouse\MOUSE32A.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe

C:\WINDOWS\system32\drivers\KodakCCS.exe

c:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe

C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Webroot\Spy Sweeper\SSU.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\IPSBHO.DLL

O2 - BHO: (no name) - {8C760D34-E6A5-4111-BFE1-4EF0620B8ECA} - C:\WINDOWS\system32\clusapim.dll

O2 - BHO: (no name) - {CE27CD53-6FFD-49C4-A72A-60B139E15E4B} - c:\windows\system32\qsjatud.dll

O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll

O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"

O4 - HKLM\..\Run: [AGRSMMSG] "C:\WINDOWS\AGRSMMSG.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [soundMan] "C:\WINDOWS\SOUNDMAN.EXE"

O4 - HKLM\..\Run: [AlcWzrd] "C:\WINDOWS\ALCWZRD.EXE"

O4 - HKLM\..\Run: [Alcmtr] "C:\WINDOWS\ALCMTR.EXE"

O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\URGOKQQC\WAS5Scan[1].exe"

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [HPHmon06] "C:\WINDOWS\system32\hphmon06.exe"

O4 - HKLM\..\Run: [imInstaller_IncrediMail] "C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe" -startup -product IncrediMail

O4 - HKLM\..\Run: [hpsysdrv] "c:\windows\system\hpsysdrv.exe"

O4 - HKLM\..\Run: [HPHUPD06] "c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe"

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] "C:\WINDOWS\system32\HDAudPropShortcut.exe"

O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] "C:\Program Files\Browser Mouse\MOffice.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [KBD] "C:\HP\KBD\KBD.EXE"

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN

O4 - HKLM\..\Run: [Verizon Custom Uninstall Tracking] "C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\InstallHelper.exe" /uninstalltrackingvendor=Verizon

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [ccApp] -

O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sFP] "C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE" /s

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O4 - HKCU\..\Run: [spybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...e/gpcontrol.cab

O20 - Winlogon Notify: nfhakpga - C:\WINDOWS\SYSTEM32\qsjatud.dll

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--

End of file - 11280 bytes


And here is the log file for OTListIt:

OTListIt logfile created on: 11/25/2008 12:40:00 PM - Run

OTListIt by OldTimer - Version 1.0.12.0 Folder = C:\Documents and Settings\HP_Owner\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.5512)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1015.29 Mb Total Physical Memory | 492.91 Mb Available Physical Memory | 48.55% Memory free

2.39 Gb Paging File | 1.95 Gb Available in Paging File | 81.68% Paging File free

Paging file location(s): C:\pagefile.sys 1524 3048;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 179.33 Gb Total Space | 158.95 Gb Free Space | 88.63% Space Free | Partition Type: NTFS

Drive D: | 6.96 Gb Total Space | 1.84 Gb Free Space | 26.41% Space Free | Partition Type: FAT32

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: YOUR-4F1261A8E5

Current User Name: HP_Owner

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Whitelist: On

File Age = 30 Days

========== Processes ==========

[2004/11/02 00:59:42 | 00,126,976 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe

[2005/03/04 11:01:56 | 00,088,209 | ---- | M] (Agere Systems) -- C:\WINDOWS\AGRSMMSG.exe

[2005/02/25 05:39:16 | 00,180,269 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[2005/04/06 17:57:12 | 00,090,112 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE

[2005/04/06 17:53:00 | 02,805,248 | ---- | M] (RealTek Semicoductor Corp.) -- C:\WINDOWS\ALCWZRD.EXE

[2005/04/12 00:10:22 | 00,065,536 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\ALCMTR.EXE

[2007/05/08 16:24:20 | 00,054,840 | ---- | M] (Hewlett-Packard) -- C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[2004/06/07 03:42:30 | 00,659,456 | ---- | M] (Hewlett-Packard) -- C:\WINDOWS\system32\hphmon06.exe

[1998/05/07 01:04:38 | 00,052,736 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\system\hpsysdrv.exe

[2006/12/07 17:25:19 | 00,958,464 | ---- | M] () -- C:\Program Files\Browser Mouse\MOffice.exe

[2006/10/25 18:58:18 | 00,282,624 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\QuickTime\qttask.exe

[2006/12/07 17:25:18 | 00,356,352 | ---- | M] () -- C:\Program Files\Browser Mouse\mouse32a.exe

[2006/10/30 09:36:36 | 00,256,576 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe

[2005/02/02 16:44:24 | 00,061,440 | ---- | M] (Hewlett-Packard Company) -- C:\hp\KBD\kbd.exe

[2007/11/28 19:51:10 | 00,583,048 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

[2008/02/22 03:25:21 | 00,144,784 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[2008/08/09 15:04:58 | 05,418,864 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

[2007/01/05 14:04:10 | 00,554,616 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

[2008/09/16 12:16:08 | 01,833,296 | RHS- | M] (Safer Networking Limited) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[2004/11/04 19:28:24 | 00,258,048 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

[2004/08/11 01:22:40 | 00,757,760 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

[2004/02/13 13:12:08 | 00,016,423 | ---- | M] () -- C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

[2005/02/25 05:49:52 | 00,045,056 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe

[2004/05/24 11:35:52 | 00,322,104 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\drivers\KodakCCS.exe

[2005/07/24 22:35:00 | 00,053,248 | ---- | M] (Hewlett-Packard Company) -- c:\Program Files\Common Files\LightScribe\LSSrvc.exe

[2007/11/28 19:51:10 | 00,583,048 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

[2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

[2008/11/04 20:24:52 | 00,115,560 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe

[2008/02/08 12:01:34 | 01,251,720 | ---- | M] () -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

[2008/08/09 13:42:02 | 03,585,384 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

[2006/10/30 09:36:32 | 00,492,608 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\iPod\bin\iPodService.exe

[2008/11/04 20:24:52 | 00,115,560 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe

[2008/02/22 03:25:20 | 00,329,104 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe

[2008/08/09 13:42:02 | 00,181,608 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\Spy Sweeper\SSU.exe

[2008/11/25 12:33:18 | 00,418,304 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Owner\Desktop\OTListIt.exe

========== (O23) Win32 Services ==========

[2004/07/15 01:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])

[2007/01/05 14:04:10 | 00,554,616 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler [Auto | Running])

[2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])

[2006/10/30 09:36:32 | 00,492,608 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])

[2004/05/24 11:35:52 | 00,322,104 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\drivers\KodakCCS.exe -- (KodakCCS [Auto | Running])

[2005/07/24 22:35:00 | 00,053,248 | ---- | M] (Hewlett-Packard Company) -- c:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService [Auto | Running])

[2007/01/05 14:04:04 | 02,918,008 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate [On_Demand | Stopped])

File not found -- -- (LiveUpdate Notice Ex [Auto | Stopped])

[2007/11/28 19:51:10 | 00,583,048 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe -- (LiveUpdate Notice Service [Auto | Running])

[2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM [Auto | Running])

[2008/11/04 20:24:52 | 00,115,560 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe -- (Norton AntiVirus [Auto | Running])

[2003/07/28 11:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])

[2007/08/08 23:27:52 | 00,073,728 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12 [Auto | Stopped])

[2008/02/08 12:01:34 | 01,251,720 | ---- | M] () -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC [Auto | Running])

[2008/08/09 13:42:02 | 03,585,384 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe -- (WebrootSpySweeperService [Auto | Running])

[2006/10/18 19:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services ==========

[2005/03/04 11:02:20 | 01,066,278 | ---- | M] (Agere Systems) -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem [On_Demand | Running])

[2008/11/04 20:25:03 | 00,255,536 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\NAV\1001000.021\BHDrvx86.sys -- (BHDrvx86 [system | Running])

[2008/11/20 09:22:32 | 00,362,544 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\NAV\1001000.021\cchpx86.sys -- (ccHP [system | Running])

[2004/05/20 07:21:10 | 00,036,918 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\drivers\DcCam.sys -- (DcCam [system | Running])

[2004/05/20 07:41:54 | 00,061,564 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\drivers\DcFpoint.sys -- (DcFpoint [On_Demand | Stopped])

[2004/06/02 12:19:00 | 00,038,705 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\drivers\DCFS2k.sys -- (DCFS2K [Auto | Running])

[2004/05/20 07:39:42 | 00,008,022 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\drivers\DcLps.sys -- (DcLps [On_Demand | Stopped])

[2004/05/20 07:45:20 | 00,068,950 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\drivers\DcPtp.sys -- (DcPTP [On_Demand | Stopped])

[2008/11/20 09:22:32 | 00,371,248 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl [system | Running])

[2008/11/20 09:22:32 | 00,099,376 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv [On_Demand | Running])

[2004/06/02 12:17:56 | 00,151,985 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\drivers\ExportIt.sys -- (Exportit [system | Stopped])

[2006/09/19 15:44:04 | 00,015,664 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])

[2004/03/17 16:10:40 | 00,113,664 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\Hdaudio.sys -- (HdAudAddService [On_Demand | Stopped])

[2008/04/13 08:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus [On_Demand | Running])

[2004/12/14 08:07:44 | 00,051,120 | R--- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZid412.sys -- (HPZid412 [On_Demand | Stopped])

[2004/12/14 08:07:44 | 00,016,496 | R--- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12 [On_Demand | Stopped])

[2004/12/14 08:07:44 | 00,021,744 | R--- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12 [On_Demand | Stopped])

[2004/11/02 01:27:20 | 00,773,565 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm [On_Demand | Running])

[2008/11/20 09:22:32 | 00,274,808 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20081120.006\IDSxpx86.sys -- (IDSxpx86 [system | Stopped])

[2005/04/15 17:05:42 | 02,564,032 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])

[2003/09/10 23:36:54 | 00,021,060 | ---- | M] (InterVideo, Inc.) -- C:\WINDOWS\system32\drivers\iviaspi.sys -- (Iviaspi [On_Demand | Running])

[2008/04/13 10:39:48 | 00,014,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\kbdhid.sys -- (kbdhid [system | Stopped])

[2007/09/28 10:30:57 | 00,019,345 | ---- | M] (Motive, Inc.) -- C:\Program Files\Common Files\Motive\MREMPR5.sys -- (MREMPR5 [On_Demand | Stopped])

[2007/09/28 10:30:49 | 00,018,003 | ---- | M] (Motive, Inc.) -- C:\Program Files\Common Files\Motive\MRENDIS5.sys -- (MRENDIS5 [On_Demand | Stopped])

[2008/11/20 01:00:00 | 00,089,104 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081124.023\NAVENG.SYS -- (NAVENG [On_Demand | Running])

[2008/11/20 01:00:00 | 00,876,112 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081124.023\NAVEX15.SYS -- (NAVEX15 [On_Demand | Running])

[2003/09/19 01:47:00 | 00,010,368 | ---- | M] (Padus, Inc.) -- C:\WINDOWS\system32\drivers\pfc.sys -- (Pfc [On_Demand | Running])

[2005/12/12 17:27:00 | 00,019,072 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2 [On_Demand | Running])

[2004/08/03 20:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])

[2005/02/25 05:38:09 | 00,020,576 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\pxhelp20.sys -- (PxHelp20 [boot | Running])

[2002/10/04 02:04:10 | 00,046,976 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\system32\drivers\R8139n51.sys -- (rtl8139 [On_Demand | Running])

[2007/04/03 12:59:30 | 00,083,208 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\s616bus.sys -- (s616bus [On_Demand | Stopped])

[2007/04/03 12:59:36 | 00,015,112 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\s616mdfl.sys -- (s616mdfl [On_Demand | Stopped])

[2007/04/03 12:59:38 | 00,108,680 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\s616mdm.sys -- (s616mdm [On_Demand | Stopped])

[2007/04/03 12:59:40 | 00,100,360 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\s616mgmt.sys -- (s616mgmt [On_Demand | Stopped])

[2007/04/03 12:59:42 | 00,098,568 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\s616obex.sys -- (s616obex [On_Demand | Stopped])

[2007/04/03 12:59:42 | 00,099,080 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\s616unic.sys -- (s616unic [On_Demand | Stopped])

[2007/11/13 02:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])

[2008/11/04 20:25:03 | 00,306,736 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\NAV\1001000.021\srtsp.sys -- (SRTSP [On_Demand | Running])

[2008/11/04 20:25:03 | 00,043,696 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\NAV\1001000.021\srtspx.sys -- (SRTSPX [system | Running])

[2008/08/09 13:42:12 | 00,029,808 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\WINDOWS\system32\drivers\ssfs0bbc.sys -- (ssfs0bbc [boot | Running])

[2008/08/09 13:42:14 | 00,023,152 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\WINDOWS\system32\drivers\sshrmd.sys -- (SSHRMD [boot | Running])

[2008/08/09 13:42:14 | 00,166,512 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\WINDOWS\system32\drivers\ssidrv.sys -- (SSIDRV [boot | Running])

[2008/01/04 20:34:36 | 00,023,920 | ---- | M] (Webroot Software Inc (www.webroot.com)) -- C:\WINDOWS\system32\drivers\sskbfd.sys -- (SSKBFD [On_Demand | Running])

[2008/11/20 09:22:34 | 00,012,976 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\NAV\1001000.021\symdns.sys -- (SYMDNS [On_Demand | Stopped])

[2008/11/04 20:25:03 | 00,309,296 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\NAV\1001000.021\SymEFA.sys -- (SymEFA [boot | Running])

[2008/11/20 09:22:44 | 00,124,464 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])

[2008/11/20 09:22:35 | 00,089,904 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\NAV\1001000.021\symfw.sys -- (SYMFW [On_Demand | Stopped])

[2008/11/20 09:22:36 | 00,034,608 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\NAV\1001000.021\symids.sys -- (SYMIDS [On_Demand | Stopped])

[2008/11/20 09:22:36 | 00,035,888 | R--- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIM [On_Demand | Stopped])

[2008/11/20 09:22:36 | 00,035,888 | R--- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIMMP [On_Demand | Running])

[2006/06/14 19:42:59 | 00,010,344 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symlcbrd.sys -- (symlcbrd [Auto | Running])

[2008/11/20 09:22:36 | 00,037,424 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\NAV\1001000.021\symndis.sys -- (SYMNDIS [On_Demand | Stopped])

[2008/11/20 09:22:36 | 00,024,752 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\NAV\1001000.021\symredrv.sys -- (SYMREDRV [On_Demand | Stopped])

[2008/04/13 10:56:49 | 00,012,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usb8023.sys -- (USB_RNDIS_XP [On_Demand | Stopped])

[2004/08/03 20:00:00 | 00,023,424 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\zthhzhwv.sys -- (zthhzhwv [boot | Running])

========== Internet Explorer ==========

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.microsoft.com/isapi/redir.dll?P...pdate&O1=b1

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions =

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

HKCU\Software\Microsoft\Internet Explorer\SearchURL\CNNSI, = search.sportsillustrated.cnn.com/pages/search.jsp?query=%s

HKCU\Software\Microsoft\Internet Explorer\SearchURL\Dictionary, = dictionary.reference.com/search?q=%s

HKCU\Software\Microsoft\Internet Explorer\SearchURL\Google, = google.com/search?q=%s

HKCU\Software\Microsoft\Internet Explorer\SearchURL\GoogleGroups, = groups-beta.google.com/groups?q=%s

HKCU\Software\Microsoft\Internet Explorer\SearchURL\GoogleImages, = images.google.com/images?hl=en&lr=&q=%s

HKCU\Software\Microsoft\Internet Explorer\SearchURL\GoogleNews, = news.google.com/news?tab=gn&hl=en&ie=UTF-8&q=%s&btnG=Search+News

HKCU\Software\Microsoft\Internet Explorer\SearchURL\KB, = support.microsoft.com/search/default.aspx?query=%s

HKCU\Software\Microsoft\Internet Explorer\SearchURL\KBDLL, = support.microsoft.com/dllhelp/default.aspx?dlltype=file&l=55&alpha=%s&S=1

HKCU\Software\Microsoft\Internet Explorer\SearchURL\Movies, = fandango.com/my_box_office.asp?searchby=2&txtCityZip=%s

HKCU\Software\Microsoft\Internet Explorer\SearchURL\MSN, = search.msn.com/results.asp?q=%s

HKCU\Software\Microsoft\Internet Explorer\SearchURL\Thesaurus, = thesaurus.reference.com/search?q=%s

HKCU\Software\Microsoft\Internet Explorer\SearchURL\Weather, = weather.com/weather/local/%s

HKCU\Software\Microsoft\Internet Explorer\SearchURL\Yahoo, = search.yahoo.com/search?p=%s

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1

HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/

HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/

HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/

HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/

HKU\S-1-5-21-691311170-1838169275-933237389-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

HKU\S-1-5-21-691311170-1838169275-933237389-1009\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.microsoft.com/isapi/redir.dll?P...pdate&O1=b1

HKU\S-1-5-21-691311170-1838169275-933237389-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

HKU\S-1-5-21-691311170-1838169275-933237389-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions =

HKU\S-1-5-21-691311170-1838169275-933237389-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

HKU\S-1-5-21-691311170-1838169275-933237389-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

HKU\S-1-5-21-691311170-1838169275-933237389-1009\Software\Microsoft\Internet Explorer\SearchURL\CNNSI, = search.sportsillustrated.cnn.com/pages/search.jsp?query=%s

HKU\S-1-5-21-691311170-1838169275-933237389-1009\Software\Microsoft\Internet Explorer\SearchURL\Dictionary, = dictionary.reference.com/search?q=%s

HKU\S-1-5-21-691311170-1838169275-933237389-1009\Software\Microsoft\Internet Explorer\SearchURL\Google, = google.com/search?q=%s

HKU\S-1-5-21-691311170-1838169275-933237389-1009\Software\Microsoft\Internet Explorer\SearchURL\GoogleGroups, = groups-beta.google.com/groups?q=%s

HKU\S-1-5-21-691311170-1838169275-933237389-1009\Software\Microsoft\Internet Explorer\SearchURL\GoogleImages, = images.google.com/images?hl=en&lr=&q=%s

HKU\S-1-5-21-691311170-1838169275-933237389-1009\Software\Microsoft\Internet Explorer\SearchURL\GoogleNews, = news.google.com/news?tab=gn&hl=en&ie=UTF-8&q=%s&btnG=Search+News

HKU\S-1-5-21-691311170-1838169275-933237389-1009\Software\Microsoft\Internet Explorer\SearchURL\KB, = support.microsoft.com/search/default.aspx?query=%s

HKU\S-1-5-21-691311170-1838169275-933237389-1009\Software\Microsoft\Internet Explorer\SearchURL\KBDLL, = support.microsoft.com/dllhelp/default.aspx?dlltype=file&l=55&alpha=%s&S=1

HKU\S-1-5-21-691311170-1838169275-933237389-1009\Software\Microsoft\Internet Explorer\SearchURL\Movies, = fandango.com/my_box_office.asp?searchby=2&txtCityZip=%s

HKU\S-1-5-21-691311170-1838169275-933237389-1009\Software\Microsoft\Internet Explorer\SearchURL\MSN, = search.msn.com/results.asp?q=%s

HKU\S-1-5-21-691311170-1838169275-933237389-1009\Software\Microsoft\Internet Explorer\SearchURL\Thesaurus, = thesaurus.reference.com/search?q=%s

HKU\S-1-5-21-691311170-1838169275-933237389-1009\Software\Microsoft\Internet Explorer\SearchURL\Weather, = weather.com/weather/local/%s

HKU\S-1-5-21-691311170-1838169275-933237389-1009\Software\Microsoft\Internet Explorer\SearchURL\Yahoo, = search.yahoo.com/search?p=%s

HKU\S-1-5-21-691311170-1838169275-933237389-1009\S-1-5-21-691311170-1838169275-933237389-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\S-1-5-21-691311170-1838169275-933237389-1009\S-1-5-21-691311170-1838169275-933237389-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1

O1 HOSTS File: (23 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\IPSBHO.dll (Symantec Corporation)

O2 - BHO: (no name) - {8C760D34-E6A5-4111-BFE1-4EF0620B8ECA} - C:\WINDOWS\system32\clusapim.dll (Alcohol Soft Development Team)

O2 - BHO: () - {CE27CD53-6FFD-49C4-A72A-60B139E15E4B} - c:\WINDOWS\system32\qsjatud.dll ()

O3 - HKLM\..\Toolbar: (no name) - - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKLM\..\Toolbar: (HP view) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll (Hewlett-Packard Company)

O3 - HKCU\..\Toolbar: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O3 - HKCU\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKCU\..\Toolbar: (no name) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll (Hewlett-Packard Company)

O3 - HKCU\..\Toolbar: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O3 - HKCU\..\Toolbar: (no name) - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKCU\..\Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKCU\..\Toolbar: (no name) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll (Hewlett-Packard Company)

O3 - HKCU\..\Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKU\.DEFAULT\..\Toolbar: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O3 - HKU\.DEFAULT\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKU\.DEFAULT\..\Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKU\S-1-5-18\..\Toolbar: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O3 - HKU\S-1-5-18\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKU\S-1-5-18\..\Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKU\S-1-5-21-691311170-1838169275-933237389-1009\..\Toolbar: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O3 - HKU\S-1-5-21-691311170-1838169275-933237389-1009\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKU\S-1-5-21-691311170-1838169275-933237389-1009\..\Toolbar: (no name) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll (Hewlett-Packard Company)

O3 - HKU\S-1-5-21-691311170-1838169275-933237389-1009\..\Toolbar: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O3 - HKU\S-1-5-21-691311170-1838169275-933237389-1009\..\Toolbar: (no name) - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKU\S-1-5-21-691311170-1838169275-933237389-1009\..\Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKU\S-1-5-21-691311170-1838169275-933237389-1009\..\Toolbar: (no name) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll (Hewlett-Packard Company)

O3 - HKU\S-1-5-21-691311170-1838169275-933237389-1009\..\Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - Reg Error: Key does not exist or could not be opened. File not found

O4 - HKLM..\Run: [AGRSMMSG] "C:\WINDOWS\AGRSMMSG.exe" (Agere Systems)

O4 - HKLM..\Run: [Alcmtr] "C:\WINDOWS\ALCMTR.EXE" (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [AlcWzrd] "C:\WINDOWS\ALCWZRD.EXE" (RealTek Semicoductor Corp.)

O4 - HKLM..\Run: [ccApp] - File not found

O4 - HKLM..\Run: [FLMOFFICE4DMOUSE] "C:\Program Files\Browser Mouse\MOffice.exe" ()

O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] "C:\WINDOWS\system32\HDAudPropShortcut.exe" (Windows ® Server 2003 DDK provider)

O4 - HKLM..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe" (Intel Corporation)

O4 - HKLM..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" (Hewlett-Packard)

O4 - HKLM..\Run: [HPHmon06] "C:\WINDOWS\system32\hphmon06.exe" (Hewlett-Packard)

O4 - HKLM..\Run: [HPHUPD06] "c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" (Hewlett-Packard)

O4 - HKLM..\Run: [hpsysdrv] "c:\windows\system\hpsysdrv.exe" (Hewlett-Packard Company)

O4 - HKLM..\Run: [imInstaller_IncrediMail] "C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe" -startup -product IncrediMail File not found

O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Computer, Inc.)

O4 - HKLM..\Run: [KBD] "C:\HP\KBD\KBD.EXE" (Hewlett-Packard Company)

O4 - HKLM..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\URGOKQQC\WAS5Scan[1].exe" File not found

O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Computer, Inc.)

O4 - HKLM..\Run: [soundMan] "C:\WINDOWS\SOUNDMAN.EXE" (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray (Webroot Software, Inc.)

O4 - HKLM..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" (Sun Microsystems, Inc.)

O4 - HKLM..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" (Symantec Corporation)

O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc.)

O4 - HKLM..\Run: [Verizon Custom Uninstall Tracking] "C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\InstallHelper.exe" /uninstalltrackingvendor=Verizon File not found

O4 - HKLM..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN File not found

O4 - HKCU..\Run: [sFP] "C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE" /s File not found

O4 - HKCU..\Run: [spybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" (Safer Networking Limited)

O4 - HKCU..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1 (AWS Convergence Technologies, Inc.)

O4 - HKU\S-1-5-21-691311170-1838169275-933237389-1009..\Run: [sFP] "C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE" /s File not found

O4 - HKU\S-1-5-21-691311170-1838169275-933237389-1009..\Run: [spybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" (Safer Networking Limited)

O4 - HKU\S-1-5-21-691311170-1838169275-933237389-1009..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1 (AWS Convergence Technologies, Inc.)

O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] Narrator.exe (Microsoft Corporation)

O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] Narrator.exe (Microsoft Corporation)

O4 - HKLM..\RunOnceEx: [] File not found

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe (Eastman Kodak Company)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe ()

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe (Hewlett-Packard)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-691311170-1838169275-933237389-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)

O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O15 - HKLM\..Trusted Sites: 1 domain(s) and sub-domain(s) not assigned to a zone.

O15 - HKCU\..Trusted Sites: 2 domain(s) and sub-domain(s) not assigned to a zone.

O15 - HKU\S-1-5-21-691311170-1838169275-933237389-1009\..Trusted Sites: 2 domain(s) and sub-domain(s) not assigned to a zone.

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} http://forms.real.com/real/player/download...ne_Inst_Win.cab (Reg Error: Key does not exist or could not be opened.)

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} https://webdl.symantec.com/activex/symdlmgr.cab (Symantec Download Manager)

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx (Get_ActiveX Control)

O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.4.2_03)

O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)

O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)

O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)

O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} http://download.games.yahoo.com/games/web_...e/gpcontrol.cab (TikGames Online Control)

O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key does not exist or could not be opened.)

O18 - Protocol\Handler: - ipp - No CLSID value found

O18 - Protocol\Handler: - ipp\0x00000001 - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler: - msdaipp - No CLSID value found

O18 - Protocol\Handler: - msdaipp\0x00000001 - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler: - msdaipp\oledb - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler: - ms-itss - c:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)

O18 - Protocol\Handler: - mso-offdap - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)

O18 - Protocol\Handler: - mso-offdap11 - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)

O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)

O20 - See sections below for AppInitDlls and Winlogon settings

========== Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]

igfxcui: "DllName" = igfxsrvc.dll -- C:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)

nfhakpga: "DllName" = qsjatud.dll -- C:\WINDOWS\system32\qsjatud.dll ()

========== LSA *Authentication Packages* ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]

"Authentication Packages" = msv1_0,OWS\S

>File not found --

========== Safeboot Options ==========

"AlternateShell" = cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]

"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT [PATH=%PATH%;C:\PROGRA~1\COMMON~1\MUVEET~1\030625 | ]

[2005/02/25 06:18:25 | 00,000,050 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

AUTOEXEC.BAT []

[2001/07/28 05:07:38 | 00,000,000 | -HS- | M] () -- D:\AUTOEXEC.BAT -- [ FAT32 ]

Autorun.inf [[AUTORUN] | ShellExecute=Info.exe protect.ed 480 480 | ]

[2004/04/30 21:01:14 | 00,000,053 | -HS- | M] () -- D:\Autorun.inf -- [ FAT32 ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{946850c5-1e27-11d9-baf0-806d6172696f}\Shell]

"" = AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{946850c5-1e27-11d9-baf0-806d6172696f}\Shell\AutoRun]

"" = Auto&Play

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{946850c5-1e27-11d9-baf0-806d6172696f}\Shell\AutoRun\command]

"" = D:\setup.exe -- File not found

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\*.tmp files]

[2008/11/25 12:33:18 | 00,418,304 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\HP_Owner\Desktop\OTListIt.exe

[2008/11/25 12:27:37 | 00,001,745 | ---- | C] () -- C:\Documents and Settings\HP_Owner\Desktop\HijackThis.lnk

[2008/11/25 12:27:36 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro

[2008/11/25 11:05:26 | 00,028,544 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys

[2008/11/25 11:05:01 | 00,000,000 | ---D | C] -- C:\Program Files\Panda Security

[2008/11/25 11:05:00 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood

[2008/11/25 11:00:48 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\qouwge.sys

[2008/11/25 10:07:41 | 00,000,944 | ---- | C] () -- C:\Documents and Settings\HP_Owner\Desktop\Spybot - Search & Destroy.lnk

[2008/11/25 10:07:31 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy

[2008/11/25 10:07:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

[2008/11/24 20:07:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP

@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

[2008/11/24 13:44:11 | 00,917,504 | ---- | C] (Macromedia, Inc.) -- C:\WINDOWS\System32\FLASH.OCX

[2008/11/24 13:01:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner\My Documents\ARCHIVED EMAIL

[2008/11/24 10:14:14 | 00,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn

[2008/11/24 10:14:14 | 00,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for

[2008/11/24 10:01:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner\My Documents\BACKED UP FILES MY DOCUMENTS

[2008/11/23 08:47:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner\Application Data\Malwarebytes

[2008/11/23 08:47:14 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2008/11/23 08:47:14 | 00,000,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2008/11/23 08:47:11 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2008/11/23 08:47:09 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2008/11/23 08:47:09 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2008/11/20 16:32:23 | 00,001,826 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Bejeweled 2 Deluxe.lnk

[2008/11/20 10:47:34 | 00,620,006 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\Cat.DB

[2008/11/20 10:34:56 | 00,198,192 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\symtdi.sys

[2008/11/20 10:34:55 | 00,309,296 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\SymEFA.sys

[2008/11/20 10:34:55 | 00,089,904 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\symfw.sys

[2008/11/20 10:34:55 | 00,040,496 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\symndisv.sys

[2008/11/20 10:34:55 | 00,037,424 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\symndis.sys

[2008/11/20 10:34:55 | 00,034,608 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\symids.sys

[2008/11/20 10:34:55 | 00,024,752 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\symredrv.sys

[2008/11/20 10:34:55 | 00,013,089 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\SymNet.cat

[2008/11/20 10:34:55 | 00,003,373 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\SymEFA.inf

[2008/11/20 10:34:55 | 00,001,611 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\SymNet.inf

[2008/11/20 10:34:54 | 00,306,736 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\srtsp.sys

[2008/11/20 10:34:54 | 00,043,696 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\srtspx.sys

[2008/11/20 10:34:54 | 00,012,976 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\symdns.sys

[2008/11/20 10:34:54 | 00,008,428 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\SymEFA.cat

[2008/11/20 10:34:54 | 00,008,390 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\srtspx.cat

[2008/11/20 10:34:54 | 00,008,386 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\srtsp.cat

[2008/11/20 10:34:54 | 00,001,388 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\srtspx.inf

[2008/11/20 10:34:54 | 00,001,382 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\srtsp.inf

[2008/11/20 10:34:52 | 00,255,536 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\BHDrvx86.sys

[2008/11/20 10:34:52 | 00,008,382 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\BHDrvx86.CAT

[2008/11/20 10:34:52 | 00,000,640 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\BHDrvx86.inf

[2008/11/20 10:33:52 | 00,000,172 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\isolate.ini

[2008/11/20 10:33:52 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NAV\1001000.021

[2008/11/20 09:22:47 | 00,035,888 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SymIM.sys

[2008/11/20 09:22:44 | 00,124,464 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS

[2008/11/20 09:22:44 | 00,060,808 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL

[2008/11/20 09:22:44 | 00,010,635 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT

[2008/11/20 09:22:44 | 00,000,806 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF

[2008/11/20 09:22:37 | 00,002,091 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Norton AntiVirus.lnk

[2008/11/20 09:22:06 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NAV

[2008/11/20 09:22:04 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Sidebar

[2008/11/20 09:21:42 | 00,000,000 | ---D | C] -- C:\Program Files\NortonInstaller

[2008/11/19 14:24:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner\Application Data\Mozilla

[2008/11/19 14:24:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner\Local Settings\Application Data\tdfjfgji

[2008/11/19 14:24:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner\Application Data\tdfjfgji

[2008/11/15 06:29:29 | 00,016,896 | ---- | C] () -- C:\WINDOWS\System32\bw7nir4b.exe

[2008/11/15 06:28:56 | 00,000,434 | ---- | C] () -- C:\WINDOWS\tasks\At1.job

[2008/11/15 06:28:31 | 00,098,816 | ---- | C] (Alcohol Soft Development Team) -- C:\WINDOWS\System32\clusapim.dll

[2008/11/12 09:19:07 | 00,455,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mrxsmb.sys

[2008/11/12 09:18:56 | 01,106,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msxml3.dll

========== Files - Modified Within 30 Days ==========

[20 C:\WINDOWS\System32\*.tmp files]

[1 C:\WINDOWS\*.tmp files]

[2008/11/25 12:33:18 | 00,418,304 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Owner\Desktop\OTListIt.exe

[2008/11/25 12:27:37 | 00,001,745 | ---- | M] () -- C:\Documents and Settings\HP_Owner\Desktop\HijackThis.lnk

[2008/11/25 11:00:48 | 00,061,440 | ---- | M] () -- C:\WINDOWS\System32\drivers\qouwge.sys

[2008/11/25 10:50:27 | 00,000,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2008/11/25 10:46:18 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2008/11/25 10:44:49 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2008/11/25 10:44:45 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2008/11/25 10:44:44 | 10,646,85568 | -HS- | M] () -- C:\hiberfil.sys

[2008/11/25 10:39:39 | 05,890,576 | -H-- | M] () -- C:\Documents and Settings\HP_Owner\Local Settings\Application Data\IconCache.db

[2008/11/25 10:07:41 | 00,000,944 | ---- | M] () -- C:\Documents and Settings\HP_Owner\Desktop\Spybot - Search & Destroy.lnk

[2008/11/25 09:58:04 | 00,002,497 | ---- | M] () -- C:\Documents and Settings\HP_Owner\Desktop\Microsoft Office Word 2003.lnk

[2008/11/24 20:54:28 | 00,002,521 | ---- | M] () -- C:\Documents and Settings\HP_Owner\Desktop\EMAIL.lnk

[2008/11/24 20:08:14 | 00,445,458 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2008/11/24 20:08:14 | 00,384,596 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2008/11/24 20:08:14 | 00,054,280 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2008/11/24 18:52:54 | 00,000,434 | ---- | M] () -- C:\WINDOWS\tasks\At1.job

[2008/11/24 13:44:11 | 00,917,504 | ---- | M] (Macromedia, Inc.) -- C:\WINDOWS\System32\FLASH.OCX

[2008/11/24 13:39:44 | 00,000,847 | ---- | M] () -- C:\WINDOWS\win.ini

[2008/11/24 13:00:02 | 00,001,692 | ---- | M] () -- C:\WINDOWS\tasks\wrSpySweeper_L8426DC16FCF345DE92DE2F2DDAB65B37.job

[2008/11/24 10:14:33 | 00,001,755 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

[2008/11/24 10:14:14 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn

[2008/11/24 10:14:14 | 00,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for

[2008/11/22 09:18:00 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk

[2008/11/21 10:21:40 | 00,122,880 | ---- | M] () -- C:\Documents and Settings\HP_Owner\Desktop\WEEKLY POOL PRINTOUT.doc

[2008/11/20 16:32:23 | 00,001,826 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Bejeweled 2 Deluxe.lnk

[2008/11/20 10:48:56 | 00,002,091 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Norton AntiVirus.lnk

[2008/11/20 10:47:46 | 00,620,006 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\Cat.DB

[2008/11/20 10:33:52 | 00,000,172 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\isolate.ini

[2008/11/20 09:22:44 | 00,124,464 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS

[2008/11/20 09:22:44 | 00,060,808 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL

[2008/11/20 09:22:44 | 00,010,635 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT

[2008/11/20 09:22:44 | 00,000,806 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF

[2008/11/20 09:22:36 | 00,198,192 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\symtdi.sys

[2008/11/20 09:22:36 | 00,040,496 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\symndisv.sys

[2008/11/20 09:22:36 | 00,037,424 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\symndis.sys

[2008/11/20 09:22:36 | 00,035,888 | R--- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SymIM.sys

[2008/11/20 09:22:36 | 00,034,608 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\symids.sys

[2008/11/20 09:22:36 | 00,024,752 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\symredrv.sys

[2008/11/20 09:22:35 | 00,089,904 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\symfw.sys

[2008/11/20 09:22:34 | 00,012,976 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\symdns.sys

[2008/11/19 12:58:27 | 00,001,692 | ---- | M] () -- C:\WINDOWS\tasks\wrSpySweeper_LFD35ABAF75F84190804C495313906639.job

[2008/11/15 06:29:22 | 00,016,896 | ---- | M] () -- C:\WINDOWS\System32\bw7nir4b.exe

[2008/11/13 05:13:29 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2008/11/07 20:40:40 | 00,002,495 | ---- | M] () -- C:\Documents and Settings\HP_Owner\Desktop\Microsoft Office Excel 2003.lnk

[2008/11/04 20:25:03 | 00,309,296 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\SymEFA.sys

[2008/11/04 20:25:03 | 00,306,736 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\srtsp.sys

[2008/11/04 20:25:03 | 00,255,536 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\BHDrvx86.sys

[2008/11/04 20:25:03 | 00,043,696 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\srtspx.sys

[2008/11/04 20:24:59 | 00,003,373 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\SymEFA.inf

[2008/11/04 20:24:59 | 00,001,611 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\SymNet.inf

[2008/11/04 20:24:59 | 00,001,388 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\srtspx.inf

[2008/11/04 20:24:59 | 00,001,382 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\srtsp.inf

[2008/11/04 20:24:59 | 00,000,640 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\BHDrvx86.inf

[2008/11/04 20:24:55 | 00,013,089 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\SymNet.cat

[2008/11/04 20:24:55 | 00,008,428 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\SymEFA.cat

[2008/11/04 20:24:55 | 00,008,390 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\srtspx.cat

[2008/11/04 20:24:55 | 00,008,386 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\srtsp.cat

[2008/11/04 20:24:55 | 00,008,382 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\BHDrvx86.CAT

[2008/11/03 16:10:25 | 17,318,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe

< End of report >


And the OTListIt's Extras Log File: Again, thanks for all of your help, cause I have no idea what all this means!!!!!!!!!

OTListIt Extras logfile created on: 11/25/2008 12:40:00 PM - Run

OTListIt by OldTimer - Version 1.0.12.0 Folder = C:\Documents and Settings\HP_Owner\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.5512)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1015.29 Mb Total Physical Memory | 492.91 Mb Available Physical Memory | 48.55% Memory free

2.39 Gb Paging File | 1.95 Gb Available in Paging File | 81.68% Paging File free

Paging file location(s): C:\pagefile.sys 1524 3048;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 179.33 Gb Total Space | 158.95 Gb Free Space | 88.63% Space Free | Partition Type: NTFS

Drive D: | 6.96 Gb Total Space | 1.84 Gb Free Space | 26.41% Space Free | Partition Type: FAT32

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: YOUR-4F1261A8E5

Current User Name: HP_Owner

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Whitelist: On

File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 1

"FirewallDisableNotify" = 1

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[2006/10/30 09:36:32 | 15,338,560 | ---- | M] (Apple Computer, Inc.) -- %ProgramFiles%\iTunes\iTunes.exe:*:enabled:iTunes

[2008/04/13 10:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

[2005/02/25 05:49:52 | 00,045,056 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe:*:Enabled:BackWeb for Pavilion

File not found -- C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

[2004/02/13 13:12:08 | 00,016,423 | ---- | M] () -- C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater

File not found -- C:\Documents and Settings\HP_Owner\My Documents\My PSP Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire

File not found -- C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\NHW8CZ33\incredimail_install[1].exe:*:Enabled:IncrediMail Installer

File not found -- C:\Documents and Settings\HP_Owner\Local Settings\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe:*:Enabled:IncrediMail Installer

[2006/10/30 09:36:32 | 15,338,560 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes

[2008/04/13 10:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[2008/08/21 12:59:55 | 00,147,456 | ---- | M] (Lime Wire, LLC) -- C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire

[2008/11/15 06:29:22 | 00,016,896 | ---- | M] () -- C:\WINDOWS\system32\bw7nir4b.exe:*:Disabled:bw7nir4b

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}" = Notifier

"{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}" = Symantec KB-DocID:2003093015493306

"{0C66761E-497A-4BE3-AE0D-8EC30FC9A9AA}" = PC-Doctor for Windows

"{0DC86BEC-5CE3-413A-BB61-C40A3D186B24}" = Scan

"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE

"{0FF18B53-CA57-40BB-B562-21A27B662005}" = 1600

"{10E98E14-832C-4AF7-A4D1-6A9EF83B282E}" = VCAMCEN

"{14589F05-C658-4594-9429-D437BA688686}" = IntelliMover Data Transfer Demo

"{14BEB6DF-A499-4A38-8E06-E173BCD5C087}" = ScannerCopy

"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD

"{17293791-C82E-476C-9997-9A0FF234A19B}" = HP Product Assistant

"{181821B7-82AA-44DA-9DAF-EF254CCB670A}" = Fax

"{1A103D70-5C9B-4E1A-B306-5106C68F9914}" = Microsoft Plus! Dancer LE

"{1AD5F465-8282-4DAD-B957-E09C0B783D18}" = InstantShare

"{1B680FBA-E317-4E93-AF43-3B59798A4BE0}" = Copy

"{20FBC0A0-3160-4F14-83ED-3A74BB6B8C31}" = TrayApp

"{272EC8BA-5A08-4ea1-A189-684466A06B02}" = cp_dwShrek2Albums1

"{28CFF19D-B92C-4109-A427-F75505E81688}" = cp_dwSharkTaleAlbums1

"{2DBE41DD-2129-4C65-A3D3-5647236A60F3}" = Quicken 2005

"{2E8428AD-6CD2-4031-916A-3CF9BBF2DEC9}" = Unload

"{2FCE4FC5-6930-40E7-A4F1-F862207424EF}" = InterVideo WinDVD Creator

"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6

"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java 6 Update 3

"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java 6 Update 5

"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java 6 Update 7

"{342C7C88-D335-4bc2-8CF1-281857629CE2}" = HP PSC & OfficeJet 4.7

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{36FCD82D-1CED-436d-B33C-874EEC666D68}" = cp_dwSharkTaleCards1

"{36FDBE6E-6684-462B-AE98-9A39A1B200CC}" = HP Product Assistant

"{3762DB2D-71BD-421F-9E55-C74DA7DF4D07}" = CueTour

"{38441BE7-79B0-42B8-8297-833704F949FE}" = HLPIndex

"{391E18CE-7D3B-45E9-A8F0-34E77F14F47A}" = ProductContext

"{3AEF2F6C-F1D3-47CD-BF3B-A327F1FABE58}" = PSPrinters06

"{3CA39B0C-BA85-4D42-AC0F-1FF5F60C3353}" = OTtBPSDK

"{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}" = Google Earth

"{3F5B6210-0903-4DC6-8034-8F488AA3A782}" = Spy Sweeper Core

"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}" = Microsoft Works

"{442BE28B-782B-4DC0-B490-E70A403B1C69}" = Readme

"{446DBFFA-4088-48E3-8932-74316BA4CAE4}" = iTunes

"{469730CC-78DF-4CD3-B286-562D459EA619}" = ESSCAM

"{48C82F7A-F100-4DAB-A310-8E18BF2159E1}" = ESSvpot

"{4C04DF1B-6A39-4299-9DD1-1FA60000266E}" = HP Photosmart Cameras 4.0

"{4F677FC7-7AA8-412B-A957-F13CBE1C7331}" = ESSSONIC

"{50D8FFDD-90CD-4859-841F-AA1961C7767A}" = QuickTime

"{5421155F-B033-49DB-9B33-8F80F233D4D5}" = GdiplusUpgrade

"{55508A44-8225-47AB-9666-1F57A5B5CE2E}" = CP_PLSBusinessFlyers

"{5E8D588F-307C-4250-B622-26969027319A}" = PanoStandAlone

"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0

"{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr

"{644D04A2-C682-4FD5-977D-03B804C4B9C5}" = CreativeProjects

"{646A65DD-23FC-418E-B9F0-E0500FB42CB1}" = PhotoGallery

"{64D5E9DE-7890-4FB0-8865-8B24BE1773F7}" = LightScribe 1.4.42.1

"{655CB07D-C944-40BE-B93F-55957CAC7625}" = AiO_Scan

"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Sonic Express Labeler

"{68963635-14A4-48D9-B431-DF3A74D1AAE1}" = Destinations

"{69BD6399-3D8F-45B7-81D9-819361F5101D}" = PCDLNCH

"{6B350CA4-0031-0002-3757-34999AD85AEC}" = InterVideo WinDVD Creator

"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer

"{700A6597-3CE6-49C1-AA75-846B24CDA66D}" = BufferChm

"{70DECFBF-9119-4434-B2D3-A3C283D15E45}" = WeatherBug

"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03

"{724517BD-1DE1-4986-BFCA-C1DFD379E3BC}" = cp_dwShrek2Cards1

"{725249C3-B94C-4141-8799-0D3BA43D0812}" = CameraDrivers

"{76F8CB2B-6516-4E1E-B6F1-AED4ABDB4B0A}_is1" = Spy Sweeper

"{7AD25C9F-9957-4D1C-95EF-9BCD09F6D31B}" = HPSystemDiagnostics

"{7B98685A-4E21-4A4F-A2D6-DC557042BADA}" = HPIZplus450

"{84CDF5A8-1D57-4B69-BAB6-1F11D8923375}" = SkinsHP1

"{85CFD253-38AE-4DB1-ACB7-F0F4C791990D}" = AiOSoftware

"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder

"{87843A41-7808-4F2E-B13F-25C1E67CF2FD}" = ESShelp

"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver

"{8BB4B58A-A402-4DE8-8FCD-287E60B88DD8}" = ESSCT

"{8BBF6DFD-0AD9-43A7-9FBD-BF065E3866AF}" = URGE

"{8BC3B99B-A6BE-4A0B-8535-B1B94BA4B1B1}" = DocProc

"{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini

"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003

"{90510409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Visio Professional 2003

"{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui

"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD Player

"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!

"{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL

"{9CB2512B-3EC4-43DF-8002-46BDAB5EDD1B}" = QuickProjects

"{9D1CF8B6-17B3-4832-B062-2C2DD0B57B04}" = CCHelp

"{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}" = ESScore

"{9EEBF8D5-8712-4D1D-88F4-4CDC2D270BC3}" = PrintScreen

"{A0AF08BA-3630-4505-BFB2-A41F3837B0D0}" = SFR2

"{A5B3EB8A-4071-42F0-8E8E-7A8342AA8E69}" = ESSvpaht

"{A5B9D22C-755A-4AC6-9904-875E80838BB6}" = CP_AtenaShokunin1Config

"{A6F18A67-B771-4191-8A33-36D2E742D6D9}" = ESSANUP

"{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}" = Photosmart 320,370,7400,8100,8400 Series

"{AADAC983-FDE9-42FA-8FD9-7BB324155593}" = HLPRFO

"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0

"{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK

"{B103C8A7-D1CC-4B1A-BD41-883F652E097D}" = muvee autoProducer 3.5 magicMoments - HPD

"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy

"{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore

"{B911B811-BA3E-46D4-90F8-6F3338359651}" = Director

"{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}" = KSU

"{BD29EBAC-AD7D-4b27-B727-4CC6AC52D36B}" = MarketResearch

"{C354C9B6-A4E0-4BB0-A368-6DC6BCA0E314}" = SFR

"{C3F058C0-A21C-452D-8D99-95B1A45F417D}" = InterVideo DiscLabel

"{CA60320D-6A16-49C8-A34F-84EEF4799567}" = ESSTUTOR

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CB449D5A-7710-47aa-B9F5-352B877C90E6}" = 1600_Help

"{CDFCF124-115F-4976-8BF4-08C89187A146}" = WebReg

"{CE0C8CC5-E396-442B-A50E-D1D374A9E820}" = DocumentViewer

"{D0122362-6333-4DE4-93F6-A5A2F3CC101A}" = HP Organize

"{D0420D64-8D33-4374-A2B2-9225C7925CA6}" = HP Image Zone Plus 4.5.3

"{D15E9DB5-6BEB-4534-901E-80C0A29BAB97}" = ESSAdpt

"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software

"{D42B6F90-1084-4C9B-AF28-958926E6E32E}" = LP_Flash

"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp

"{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}" = LiveUpdate Notice (Symantec Corporation)

"{E2EFF20D-30BF-4907-B1FD-B7EBCED798D6}" = HPHDiscovery

"{F2D0C1B1-80FF-46F9-BA61-33B01A07FAFC}" = HLPCCTR

"{F419D20A-7719-4639-8E30-C073A040D878}" = HP Deskjet Preloaded Printer Drivers

"{F4C6CC40-1142-49be-A28C-7BBD36F0B41A}" = 1600Trb

"{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}" = OTtBP

"{FC22D020-3005-4715-8DF9-F3EDE81DEB3D}" = CreativeProjectsTemplates

"{FE57DE70-95DE-4B64-9266-84DA811053DB}" = HP Update

"{FEE5C812-51C7-4A6B-9DC0-4618AC9F6BD4}" = JD2 Tube Bend App.

"Absolute Poker Basic" = Absolute Poker Basic

"ActiveScan 2.0" = Panda ActiveScan 2.0

"Agere Systems Soft Modem" = Agere Systems PCI Soft Modem

"BackWeb-309731 Uninstaller" = Updates from HP

"Bejeweled 2 Deluxe" = Bejeweled 2 Deluxe (remove only)

"Browser Mouse" = Browser Mouse

"Help and Support Additions" = Help and Support Additions

"HijackThis" = HijackThis 2.0.2

"HP Photo & Imaging" = HP Image Zone 4.7

"HPExtendedCapabilities" = HP Extended Capabilities 4.7

"InstallShield_{0C66761E-497A-4BE3-AE0D-8EC30FC9A9AA}" = PC-Doctor for Windows

"InstallShield_{2DBE41DD-2129-4C65-A3D3-5647236A60F3}" = Quicken 2005

"LimeWire" = LimeWire 4.18.6

"LiveUpdate" = LiveUpdate 3.2 (Symantec Corporation)

"Macromedia Shockwave Player" = Macromedia Shockwave Player

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP

"NAV" = Norton AntiVirus

"Pdf995" = Pdf995

"PdfEdit995" = PdfEdit995

"Pro Media Director_is1" = Pro Media Director Version 1.1.1.1

"PS2" = PS2

"RadialpointClientGateway_is1" = Verizon Servicepoint 1.5.12

"RealPlayer 6.0" = RealPlayer

"ShockwaveFlash" = Adobe Flash Player 9 ActiveX

"Sierra Utilities" = Sierra Utilities

"TaxCut Basic 2006" = TaxCut Basic 2006

"TaxCut Standard 2005" = TaxCut Standard 2005

"WIC" = Windows Imaging Component

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 11

"Windows XP Service Pack" = Windows XP Service Pack 3

"WMFDist11" = Windows Media Format 11 runtime

"wmp11" = Windows Media Player 11

"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 11/16/2008 3:30:29 PM | Computer Name = YOUR-4F1261A8E5 | Source = Application Error | ID = 1000

Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting

module unknown, version 0.0.0.0, fault address 0x0009586f.

Error - 11/19/2008 2:36:56 AM | Computer Name = YOUR-4F1261A8E5 | Source = Application Error | ID = 1000

Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting

module ntdll.dll, version 5.1.2600.5512, fault address 0x000100c8.

Error - 11/20/2008 1:21:56 PM | Computer Name = YOUR-4F1261A8E5 | Source = Application Error | ID = 1000

Description = Faulting application iexplore.exe, version 6.0.2900.5512, faulting

module unknown, version 0.0.0.0, fault address 0x0c4f740d.

Error - 11/21/2008 9:42:32 AM | Computer Name = YOUR-4F1261A8E5 | Source = Automatic LiveUpdate Scheduler | ID = 101

Description = Information Level: error Initialization of the COM subsystem failed.

Error code: 0x80080005

Error - 11/23/2008 5:09:11 PM | Computer Name = YOUR-4F1261A8E5 | Source = ESENT | ID = 490

Description = wuauclt (2792) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.chk"

for read / write access failed with system error 32 (0x00000020): "The process

cannot access the file because it is being used by another process. ". The open

file operation will fail with error -1032 (0xfffffbf8).

Error - 11/23/2008 5:09:21 PM | Computer Name = YOUR-4F1261A8E5 | Source = ESENT | ID = 490

Description = wuauclt (2792) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"

for read / write access failed with system error 32 (0x00000020): "The process

cannot access the file because it is being used by another process. ". The open

file operation will fail with error -1032 (0xfffffbf8).

Error - 11/23/2008 5:20:41 PM | Computer Name = YOUR-4F1261A8E5 | Source = ESENT | ID = 490

Description = wuauclt (1380) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.chk"

for read / write access failed with system error 32 (0x00000020): "The process

cannot access the file because it is being used by another process. ". The open

file operation will fail with error -1032 (0xfffffbf8).

Error - 11/23/2008 5:20:51 PM | Computer Name = YOUR-4F1261A8E5 | Source = ESENT | ID = 490

Description = wuauclt (1380) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"

for read / write access failed with system error 32 (0x00000020): "The process

cannot access the file because it is being used by another process. ". The open

file operation will fail with error -1032 (0xfffffbf8).

Error - 11/24/2008 2:34:55 PM | Computer Name = YOUR-4F1261A8E5 | Source = Application Error | ID = 1000

Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting

module unknown, version 0.0.0.0, fault address 0x026823ac.

Error - 11/25/2008 1:13:10 AM | Computer Name = YOUR-4F1261A8E5 | Source = pctsSvc.exe | ID = 0

Description =

[ System Events ]

Error - 11/24/2008 11:53:15 PM | Computer Name = YOUR-4F1261A8E5 | Source = sr | ID = 1

Description = The System Restore filter encountered the unexpected error '0xC0000001'

while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring

the volume.

Error - 11/24/2008 11:53:37 PM | Computer Name = YOUR-4F1261A8E5 | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

IDSxpx86

Error - 11/25/2008 12:36:41 AM | Computer Name = YOUR-4F1261A8E5 | Source = sr | ID = 1

Description = The System Restore filter encountered the unexpected error '0xC0000001'

while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring

the volume.

Error - 11/25/2008 12:37:00 AM | Computer Name = YOUR-4F1261A8E5 | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

IDSxpx86

Error - 11/25/2008 12:44:05 AM | Computer Name = YOUR-4F1261A8E5 | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

IDSxpx86

Error - 11/25/2008 1:16:38 AM | Computer Name = YOUR-4F1261A8E5 | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

IDSxpx86

Error - 11/25/2008 1:29:00 AM | Computer Name = YOUR-4F1261A8E5 | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

IDSxpx86

Error - 11/25/2008 1:52:09 PM | Computer Name = YOUR-4F1261A8E5 | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

IDSxpx86

Error - 11/25/2008 2:41:47 PM | Computer Name = YOUR-4F1261A8E5 | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

IDSxpx86

Error - 11/25/2008 2:45:35 PM | Computer Name = YOUR-4F1261A8E5 | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

IDSxpx86

< End of report >


I tried to zip the clusapim file but I get an error message of file not found.

I did the same w/ the qsjatud file and it seems like it zipped, but I don't know where to find the folder. Sorry, not real familiar w/ zipping.

I then tried to upload the files using your supplied upload link and got a message that the clusapim was not found.

Don't mean to be a pain in the A$$, but I am not that PC savvy.

Thanks again, really!!!!!!!!!


That's okay. In this case, let's just have you follow these instructions. I won't worry too much about collecting samples in your case.

Please download and run the Trend Micro Sysclean Package on your computer.

NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.

  • Trend Micro Damage Cleanup Engine


Make sure you read this document to understand how to use the program.

Basically there are 3 parts that need to be downloaded from these links:


  • As an example on 2008-10-17 the files to download are: sysclean.com | lpt605.zip | ssapiptn697.zip

  • NOTE! These file names are examples and you must visit Trend Micro for the very latest files which may have different names.

  • Create a brand new folder to copy these files to.

  • As an example: C:\DCE

  • Then open each of the zipped archive files and copy their contents to C:\DCE

  • Copy the file sysclean.com to the new folder C:\DCE as well.

  • Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.

    After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.

  • This self-extracting archive is a stand-alone fix package that incorporates the Trend Micro VSAPI Malware and Spyware scanning engines as well as the Trend Micro Damage Cleanup Engine and Template.

    This tool supports the following features:

    o Terminate all detected malware/spyware instances in memory

    o Remove malware/spyware registry entries

    o Remove malware/spyware entries from system files

    o Scan for and delete all detected malware/spyware copies in all local drives

http://windowshelp.microsoft.com/windows/en-us/help/7050d809-c761-43d4-aae7-587550cd341a1033.mspx

Thanks Raid, I will tackle this later on today. After all the scans and cleaning, everything seems to be running good right now, at least at the level it was last week prior to all of this. Do you think we need to continue? Does every PC need zero viruses / trojans to run efficiently? If one exists that you cannot get rid of, will it propagate others to intrude?

On a side note, I had just renewed norton about 4 weeks ago and it did nothing to catch any of this. Co-workers have suggested not using norton and instead use AVG. I uninstalled norton late yesterday and installed AVG. So, hopefully the risk will be more minimal than before???

Thank again!!!!!!!

We have a few more things left to do, to ensure your system is Clean and will hopefully remain that way. PCs shouldn't have any viruses/trojans or other forms of malware on them. At the very least, they steal resources from you. Be it hard disk space for physically storing them, to abusing network/cpu resources.

I've never personally been a fan of Norton. AVG is a decent scanner, but is more prone to false positives than some others, due to its heuristics engine.


Again............................ YOU ROCK!!!!!!!!!!!!!!!

OK, did not get to this today for all seems OK. I will continue hopefully tomorrow morning????? TXgiving and all. I will continue w/ your advice and try to fully eradicate these l'll bastards!!!!!!

If you don't hear from me, it's because I'm off to the dezert for the weekend.............

Happy Turkey Day, and again......................... THANK YOU!!!!!!!!!!!!!!!!!!!!!!!!


Raid-

Ok, finally got back to dealing with this. Here is the sysclean log file:

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2006-2007, Trend Micro, Inc. |

| http://www.antivirus.com |

\--------------------------------------------------------------/

2008-12-02, 11:34:25, Auto-clean mode specified.

2008-12-02, 11:34:26, Initialized Rootkit Driver version 2.2.0.1004.

2008-12-02, 11:34:26, Running scanner "C:\MALWARE CLEANUP\TSC.BIN"...

2008-12-02, 11:35:16, Scanner "C:\MALWARE CLEANUP\TSC.BIN" has finished running.

2008-12-02, 11:35:16, TSC Log:


Raid-

The PC seems to be running at normal now, the same as it was prior to receiving these bugs. Speed is ok, resources are ok. Here is the HiJack log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:34:49 AM, on 12/3/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\ALCWZRD.EXE

C:\WINDOWS\ALCMTR.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\hphmon06.exe

C:\windows\system\hpsysdrv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Browser Mouse\MOffice.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Browser Mouse\MOUSE32A.EXE

C:\WINDOWS\system32\drivers\KodakCCS.exe

C:\HP\KBD\KBD.EXE

c:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AWS\WeatherBug\Weather.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Webroot\Spy Sweeper\SSU.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\AVG\AVG8\aAvgApi.exe

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\EJ23QHYF\HiJackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: (no name) - {8C760D34-E6A5-4111-BFE1-4EF0620B8ECA} - C:\WINDOWS\system32\clusapim.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O2 - BHO: (no name) - {CE27CD53-6FFD-49C4-A72A-60B139E15E4B} - c:\windows\system32\qsjatud.dll

O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"

O4 - HKLM\..\Run: [AGRSMMSG] "C:\WINDOWS\AGRSMMSG.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [soundMan] "C:\WINDOWS\SOUNDMAN.EXE"

O4 - HKLM\..\Run: [AlcWzrd] "C:\WINDOWS\ALCWZRD.EXE"

O4 - HKLM\..\Run: [Alcmtr] "C:\WINDOWS\ALCMTR.EXE"

O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\URGOKQQC\WAS5Scan[1].exe"

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [HPHmon06] "C:\WINDOWS\system32\hphmon06.exe"

O4 - HKLM\..\Run: [imInstaller_IncrediMail] "C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe" -startup -product IncrediMail

O4 - HKLM\..\Run: [hpsysdrv] "c:\windows\system\hpsysdrv.exe"

O4 - HKLM\..\Run: [HPHUPD06] "c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe"

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] "C:\WINDOWS\system32\HDAudPropShortcut.exe"

O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] "C:\Program Files\Browser Mouse\MOffice.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [KBD] "C:\HP\KBD\KBD.EXE"

O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN

O4 - HKLM\..\Run: [Verizon Custom Uninstall Tracking] "C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\InstallHelper.exe" /uninstalltrackingvendor=Verizon

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [ccApp] -

O4 - HKLM\..\Run: [AVG8_TRAY] "C:\PROGRA~1\AVG\AVG8\avgtray.exe"

O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"

O4 - HKCU\..\Run: [sFP] "C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE" /s

O4 - HKCU\..\Run: [Weather] "C:\Program Files\AWS\WeatherBug\Weather.exe" 1

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...e/gpcontrol.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: avgrsstx.dll

O20 - Winlogon Notify: nfhakpga - C:\WINDOWS\SYSTEM32\qsjatud.dll

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--

End of file - 10020 bytes

Great. Go ahead and open Hijackthis, select the following:

O2 - BHO: (no name) - {8C760D34-E6A5-4111-BFE1-4EF0620B8ECA} - C:\WINDOWS\system32\clusapim.dll

O2 - BHO: (no name) - {CE27CD53-6FFD-49C4-A72A-60B139E15E4B} - c:\windows\system32\qsjatud.dll

O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\URGOKQQC\WAS5Scan[1].exe"

O20 - AppInit_DLLs: avgrsstx.dll

O20 - Winlogon Notify: nfhakpga - C:\WINDOWS\SYSTEM32\qsjatud.dll

Hit Fix, restart your PC, post a fresh hijackthislog.


Raid, here ya go, the log file from Hijack

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:48:19 PM, on 12/4/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\ALCWZRD.EXE

C:\WINDOWS\ALCMTR.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\hphmon06.exe

C:\windows\system\hpsysdrv.exe

C:\Program Files\Browser Mouse\MOffice.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Browser Mouse\MOUSE32A.EXE

C:\HP\KBD\KBD.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AWS\WeatherBug\Weather.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\drivers\KodakCCS.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

c:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Webroot\Spy Sweeper\SSU.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: (no name) - {8C760D34-E6A5-4111-BFE1-4EF0620B8ECA} - C:\WINDOWS\system32\clusapim.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O2 - BHO: (no name) - {CE27CD53-6FFD-49C4-A72A-60B139E15E4B} - c:\windows\system32\qsjatud.dll

O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"

O4 - HKLM\..\Run: [AGRSMMSG] "C:\WINDOWS\AGRSMMSG.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [soundMan] "C:\WINDOWS\SOUNDMAN.EXE"

O4 - HKLM\..\Run: [AlcWzrd] "C:\WINDOWS\ALCWZRD.EXE"

O4 - HKLM\..\Run: [Alcmtr] "C:\WINDOWS\ALCMTR.EXE"

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [HPHmon06] "C:\WINDOWS\system32\hphmon06.exe"

O4 - HKLM\..\Run: [imInstaller_IncrediMail] "C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe" -startup -product IncrediMail

O4 - HKLM\..\Run: [hpsysdrv] "c:\windows\system\hpsysdrv.exe"

O4 - HKLM\..\Run: [HPHUPD06] "c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe"

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] "C:\WINDOWS\system32\HDAudPropShortcut.exe"

O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] "C:\Program Files\Browser Mouse\MOffice.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [KBD] "C:\HP\KBD\KBD.EXE"

O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN

O4 - HKLM\..\Run: [Verizon Custom Uninstall Tracking] "C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\InstallHelper.exe" /uninstalltrackingvendor=Verizon

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [ccApp] -

O4 - HKLM\..\Run: [AVG8_TRAY] "C:\PROGRA~1\AVG\AVG8\avgtray.exe"

O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"

O4 - HKCU\..\Run: [sFP] "C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE" /s

O4 - HKCU\..\Run: [Weather] "C:\Program Files\AWS\WeatherBug\Weather.exe" 1

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...e/gpcontrol.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: nfhakpga - C:\WINDOWS\SYSTEM32\qsjatud.dll

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--

End of file - 9744 bytes

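
An added example, not part of the original posts: a Python sketch that checks which of the HijackThis entries selected for Fix on 12/3 are still present in the 12/4 log, and which file each surviving entry loads. The log lines are excerpts copied from the two logs above; the function names are this example's own.

```python
import ntpath
import re
from collections import defaultdict

# HijackThis entry lines start with a section code (R0-R3, F0-F3, N1-N4,
# O1-O24) followed by " - "; header and process-list lines do not match.
ENTRY_RE = re.compile(r"^(?P<section>[ROFN]\d{1,2}) - (?P<body>.+)$")

# The five entries the helper asked to select and Fix (copied from the thread).
SELECTED = r"""
O2 - BHO: (no name) - {8C760D34-E6A5-4111-BFE1-4EF0620B8ECA} - C:\WINDOWS\system32\clusapim.dll
O2 - BHO: (no name) - {CE27CD53-6FFD-49C4-A72A-60B139E15E4B} - c:\windows\system32\qsjatud.dll
O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\URGOKQQC\WAS5Scan[1].exe"
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: nfhakpga - C:\WINDOWS\SYSTEM32\qsjatud.dll
"""

# Excerpt of the log saved on 12/4/2008, after the Fix and restart.
AFTER_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:48:19 PM, on 12/4/2008
Running processes:
C:\WINDOWS\system32\winlogon.exe
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {8C760D34-E6A5-4111-BFE1-4EF0620B8ECA} - C:\WINDOWS\system32\clusapim.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {CE27CD53-6FFD-49C4-A72A-60B139E15E4B} - c:\windows\system32\qsjatud.dll
O4 - HKLM\..\Run: [Alcmtr] "C:\WINDOWS\ALCMTR.EXE"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: nfhakpga - C:\WINDOWS\SYSTEM32\qsjatud.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""


def normalise(body):
    """Lower-case and collapse whitespace so cosmetic differences don't matter."""
    return " ".join(body.lower().split())


def parse_entries(log_text):
    """Return {(section, normalised body): (section, original body)}."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            key = (m["section"], normalise(m["body"]))
            entries[key] = (m["section"], m["body"])
    return entries


def check_fix(selected_text, after_text):
    """Split the selected entries into those still present and those gone."""
    after = parse_entries(after_text)
    persisted, removed = [], []
    for key, entry in parse_entries(selected_text).items():
        (persisted if key in after else removed).append(entry)
    return persisted, removed


def loaded_file(body):
    """File name at the end of an entry ('... - C:\\path\\file.dll')."""
    tail = body.rsplit(" - ", 1)[-1].strip().strip('"')
    return ntpath.basename(tail).lower()


def group_by_file(entries):
    """Map each referenced file to the sections that still load it."""
    groups = defaultdict(list)
    for section, body in entries:
        groups[loaded_file(body)].append(section)
    return dict(groups)


if __name__ == "__main__":
    persisted, removed = check_fix(SELECTED, AFTER_LOG)
    for section, body in removed:
        print("gone     ", section, "-", body)
    for section, body in persisted:
        print("PERSISTS ", section, "-", body)
    for name, sections in group_by_file(persisted).items():
        print(name, "is still referenced from", ", ".join(sections))
```

On these excerpts the Run entry and the AppInit_DLLs line are gone, while both BHOs and the Winlogon Notify entry remain, all pointing at clusapim.dll or qsjatud.dll, the same two files the MBAM logs list as "Delete on reboot".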

Raid-

I updated mbam and ran both the full scan and then again the quick scan. Here are the logs, full first then the quick:

Malwarebytes' Anti-Malware 1.31

Database version: 1460

Windows 5.1.2600 Service Pack 3

12/4/2008 3:42:06 PM

mbam-log-2008-12-04 (15-42-06).txt

Scan type: Full Scan (C:\|)

Objects scanned: 147507

Time elapsed: 44 minute(s), 46 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 6

Registry Values Infected: 4

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ce27cd53-6ffd-49c4-a72a-60b139e15e4b} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nfhakpga (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{ce27cd53-6ffd-49c4-a72a-60b139e15e4b} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8c760d34-e6a5-4111-bfe1-4ef0620b8eca} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{8c760d34-e6a5-4111-bfe1-4ef0620b8eca} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8c760d34-e6a5-4111-bfe1-4ef0620b8eca} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\qsjatud.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\clusapim.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\Documents and Settings\HP_Owner\GoToAssist_chat2way__317_en.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.31

Database version: 1460

Windows 5.1.2600 Service Pack 3

12/4/2008 4:00:55 PM

mbam-log-2008-12-04 (16-00-55).txt

Scan type: Quick Scan

Objects scanned: 70212

Time elapsed: 11 minute(s), 12 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 6

Registry Values Infected: 4

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ce27cd53-6ffd-49c4-a72a-60b139e15e4b} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nfhakpga (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{ce27cd53-6ffd-49c4-a72a-60b139e15e4b} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8c760d34-e6a5-4111-bfe1-4ef0620b8eca} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{8c760d34-e6a5-4111-bfe1-4ef0620b8eca} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8c760d34-e6a5-4111-bfe1-4ef0620b8eca} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\qsjatud.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\clusapim.dll (Trojan.Vundo.H) -> Delete on reboot.


Are you rebooting as it's asking?

I really need to know that, because mbam's logs indicate it should be able to finish the files off once you restart. If this is not occurring, I need to know so we can find the installer that's evading us.

Please follow ALL of the following instructions:

  • Download and install CCleaner

  • Double-click on the downloaded file "ccsetup213.exe" and install the application.

  • Keep the default installation folder "C:\Program Files\CCleaner"

  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"

  • Click finish when done and close ALL PROGRAMS

  • Start the CCleaner program.

  • Click on Registry and Uncheck Registry Integrity so that it does not run

  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"

  • Click back to Cleaner and click on the Run Cleaner button on the bottom right side of the program.

  • Click OK to any prompts


Please download the following scanning tool. GMER

  • Open the zip file and copy the file gmer.exe to your Desktop.
  • Double click on gmer.exe and run it.
  • It may take a minute to load and become available.
  • Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.
  • Once the scan is done click on the SAVE button and browse to your Desktop and save the file as GMER.LOG
  • Zip up the GMER.LOG file and save it as gmerlog.zip and attach it to your reply post.
  • DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.
  • Click OK and quit the GMER program.

Important!

All of the following instructions must be run on the affected computer. Logs from a different computer will not help me help you. So, if you need to download all of this and then copy it to CD or memory stick and take it to the other computer, please do so. Either way, it's important. The logs have to be made by the computer with the problem.
I need you to follow the instructions provided here first.
I also need for you to download this program http://oldtimer.geekstogo.com/OTListIt.exe to your desktop.
  • Close all applications and windows so that you have nothing open and are at your Desktop

  • Double-click on the OTListIt.exe file to start OTListIt. OK any warning about running OTListIt.

  • Place a checkmark in the "Scan All Users" checkbox (Leave the 'Use Whitelist' checked and the 'File Age:' at 30 days)

  • Click the Run Scan button

  • NOTE: Please be patient and let the scan run without using the computer

  • When the scan is complete, a text file (OTListIt.Txt) will open in Notepad (if not, it can be found on your Desktop)

  • In Notepad, click Edit, Select all then Edit, Copy

  • Reply to this topic, click in the topic reply window, and press Ctrl+V to paste the log or Right click paste.

  • Submit your reply and close the Notepad window with OTList.txt

  • Also OTListIt's Extras.txt log file will be minimized in the Taskbar (and located on your Desktop) - click on this and maximize the window

  • In Notepad, click Edit, Select all then Edit, Copy

  • Reply to this topic again, click in the topic reply window, and press Ctrl+V to paste the extras log or Right click paste.

  • NOTE: If the files (OTListIt.txt, Extras.txt) do not appear in your taskbar, just open the files in notepad from your desktop.


Please allow me time to analyze your post. If you don't see a reply from me after 24 hours, feel free to PM me.