
Thanks in advance. Malwarebytes says "Quarantined and deleted successfully". However, after a reboot it is back.

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6146

Windows 6.0.6002 Service Pack 2

Internet Explorer 7.0.6002.18005

3/23/2011 7:04:29 PM

mbam-log-2011-03-23 (19-04-29).txt

Scan type: Quick scan

Objects scanned: 182065

Time elapsed: 14 minute(s), 11 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Users\hood\AppData\Roaming\microsoft\Windows\start menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.

After I reboot, the file scandisk.lnk is still there. Please help!!


I updated the database from 6146 to 6151. Did a quick scan, see log. After reboot I checked the location "c:\Users\hood\AppData\Roaming\microsoft\Windows\start menu\Programs\Startup\scandisk.lnk" and the file is there.

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6151

Windows 6.0.6002 Service Pack 2

Internet Explorer 7.0.6002.18005

3/24/2011 7:08:43 AM

mbam-log-2011-03-24 (07-08-43).txt

Scan type: Quick scan

Objects scanned: 182583

Time elapsed: 13 minute(s), 24 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Users\hood\AppData\Roaming\microsoft\Windows\start menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> Delete on reboot.


File already submitted: The file sent has already been analysed by VirusTotal in the past. This is some basic info regarding the sample itself and its last analysis:

MD5: 6d4d5610d8802b097bde17986a5dd0d1

Date first seen: 2011-03-25 08:13:50 (UTC)

Date last seen: 2011-03-28 16:07:03 (UTC)

Detection ratio: 18/43

What do you wish to do?

Reanalyse View last report

I clicked on view last report. Here is the report.

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.

File name: 6d4d5610d8802b097bde17986a5dd0d1

Submission date: 2011-03-28 16:07:03 (UTC)

Current status: finished

Result: 18 /43 (41.9%)

VT Community

not reviewed

Safety score: -

Antivirus Version Last Update Result

AhnLab-V3 2011.03.26.00 2011.03.25 Trojan/Win32.Scar

AntiVir 7.11.5.79 2011.03.25 TR/PWS.Sinowal.Gen

Antiy-AVL 2.0.3.7 2011.03.26 -

Avast 4.8.1351.0 2011.03.26 Win32:Agent-AMUF

Avast5 5.0.677.0 2011.03.26 Win32:Agent-AMUF

AVG 10.0.0.1190 2011.03.26 SHeur3.BSNT

BitDefender 7.2 2011.03.26 Trojan.Generic.5704903

CAT-QuickHeal 11.00 None.. -

ClamAV 0.96.4.0 2011.03.26 -

Commtouch 5.2.11.5 2011.03.24 -

Comodo 8111 2011.03.26 -

DrWeb 5.0.2.03300 2011.03.26 Trojan.MulDrop2.9196

Emsisoft 5.1.0.4 2011.03.26 Backdoor.Win32.Sinowal!IK

eSafe 7.0.17.0 2011.03.24 -

eTrust-Vet 36.1.8236 2011.03.25 -

F-Prot 4.6.2.117 2011.03.26 -

F-Secure 9.0.16440.0 2011.03.23 -

Fortinet 4.2.254.0 2011.03.26 -

GData 21 2011.03.26 Trojan.Generic.5704903

Ikarus T3.1.1.97.0 2011.03.26 Backdoor.Win32.Sinowal

Jiangmin 13.0.900 2011.03.26 -

K7AntiVirus 9.94.4219 2011.03.26 -

Kaspersky 7.0.0.125 2011.03.26 Trojan.Win32.Scar.dtnb

McAfee 5.400.0.1158 2011.03.26 Artemis!6D4D5610D880

McAfee-GW-Edition 2010.1C 2011.03.26 Artemis!6D4D5610D880

Microsoft 1.6702 2011.03.26 -

NOD32 5987 2011.03.26 -

Norman 6.07.03 2011.03.26 -

nProtect 2011-02-10.01 2011.02.15 -

Panda 10.0.3.5 2011.03.26 Trj/CI.A

PCTools 7.0.3.5 2011.03.26 Trojan.Anserin

Prevx 3.0 2011.03.28 -

Rising 23.50.05.05 2011.03.26 -

Sophos 4.64.0 2011.03.26 Mal/Behav-204

SUPERAntiSpyware 4.40.0.1006 2011.03.26 -

Symantec 20101.3.0.103 2011.03.26 Trojan.Anserin

TheHacker 6.7.0.1.157 2011.03.26 -

TrendMicro 9.200.0.1012 2011.03.26 -

TrendMicro-HouseCall 9.200.0.1012 2011.03.26 -

VBA32 3.12.14.3 2011.03.25 -

VIPRE 8825 2011.03.26 Trojan.Anserin

ViRobot 2011.3.26.4378 2011.03.26 -

VirusBuster 13.6.270.0 2011.03.25 -

Additional information

MD5 : 6d4d5610d8802b097bde17986a5dd0d1

SHA1 : d4584d4c06aac48ab0965f526721aa895d90ede1

SHA256: db8b13d4718e4d95626ac323c627c99aede87bdee7e9aed8d371064462269670


Here you are....

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.

File name: scanxdisknq16.dll

Submission date: 2011-03-28 20:10:13 (UTC)

Current status: queued (#1) queued (#1) analysing finished

Result: 17/ 42 (40.5%)

VT Community

not reviewed

Safety score: -

Antivirus Version Last Update Result

AhnLab-V3 2011.03.26.00 2011.03.25 Trojan/Win32.Scar

AntiVir 7.11.5.79 2011.03.25 TR/PWS.Sinowal.Gen

Antiy-AVL 2.0.3.7 2011.03.26 -

Avast 4.8.1351.0 2011.03.26 Win32:Agent-AMUF

Avast5 5.0.677.0 2011.03.26 Win32:Agent-AMUF

AVG 10.0.0.1190 2011.03.26 SHeur3.BSNT

BitDefender 7.2 2011.03.26 Trojan.Generic.5704903

CAT-QuickHeal 11.00 None.. -

ClamAV 0.96.4.0 2011.03.26 -

Commtouch 5.2.11.5 2011.03.24 -

Comodo 8111 2011.03.26 -

DrWeb 5.0.2.03300 2011.03.26 Trojan.MulDrop2.9196

Emsisoft 5.1.0.4 2011.03.26 Backdoor.Win32.Sinowal!IK

eSafe 7.0.17.0 2011.03.24 -

eTrust-Vet 36.1.8236 2011.03.25 -

F-Prot 4.6.2.117 2011.03.26 -

F-Secure 9.0.16440.0 2011.03.23 -

Fortinet 4.2.254.0 2011.03.26 -

GData 21 2011.03.26 Trojan.Generic.5704903

Ikarus T3.1.1.97.0 2011.03.26 Backdoor.Win32.Sinowal

Jiangmin 13.0.900 2011.03.26 -

K7AntiVirus 9.94.4219 2011.03.26 -

Kaspersky 7.0.0.125 2011.03.26 Trojan.Win32.Scar.dtnb

McAfee 5.400.0.1158 2011.03.26 Artemis!6D4D5610D880

McAfee-GW-Edition 2010.1C 2011.03.26 Artemis!6D4D5610D880

Microsoft 1.6702 2011.03.26 -

NOD32 5987 2011.03.26 -

Norman 6.07.03 2011.03.26 -

nProtect 2011-02-10.01 2011.02.15 -

Panda 10.0.3.5 2011.03.26 Trj/CI.A

PCTools 7.0.3.5 2011.03.26 Trojan.Anserin

Prevx 3.0 2011.03.28 -

Rising 23.50.05.05 2011.03.26 -

Sophos 4.64.0 2011.03.26 Mal/Behav-204

SUPERAntiSpyware 4.40.0.1006 2011.03.26 -

TheHacker 6.7.0.1.157 2011.03.26 -

TrendMicro 9.200.0.1012 2011.03.26 -

TrendMicro-HouseCall 9.200.0.1012 2011.03.26 -

VBA32 3.12.14.3 2011.03.25 -

VIPRE 8825 2011.03.26 Trojan.Anserin

ViRobot 2011.3.26.4378 2011.03.26 -

VirusBuster 13.6.270.0 2011.03.25 -

Additional information

MD5 : 6d4d5610d8802b097bde17986a5dd0d1

SHA1 : d4584d4c06aac48ab0965f526721aa895d90ede1

SHA256: db8b13d4718e4d95626ac323c627c99aede87bdee7e9aed8d371064462269670


  • Staff

Hi,

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post DDS.txt directly into your reply.

After that, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


.

DDS (Ver_11-03-05.01) - NTFSx86

Run by hood at 16:46:20.94 on Mon 03/28/2011

Internet Explorer: 7.0.6002.18005

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\rundll32.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Windows\system32\mfevtps.exe

C:\PROGRA~1\MYFUNC~2\bar\1.bin\c8barsvc.exe

C:\Program Files\McAfee\Common Framework\naPrdMgr.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\Program Files\RemotelyAnywhere\RemotelyAnywhere.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\DRIVERS\xaudio.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\WUDFHost.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe

C:\Windows\system32\taskeng.exe

c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\hp\support\hpsysdrv.exe

C:\Program Files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe

C:\Program Files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe

C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe

C:\Program Files\Nova Development\Greeting Card Factory Deluxe 7.0\ReminderApp.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Hewlett-Packard\Media\DVD\DVDAgent.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Microsoft Money\System\mnyexpr.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

C:\Program Files\PictureMover\Bin\PictureMover.exe

C:\Windows\ehome\ehmsas.exe

C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Hewlett-Packard\KBD\kbd.exe

C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe

C:\Program Files\Common Files\Java\Java Update\jucheck.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\Program Files\HP\Digital Imaging\bin\hpqdirec.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Program Files\RemotelyAnywhere\RemotelyAnywhere.exe

C:\Users\hood\Desktop\dds.scr

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k hpdevmgmt

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\System32\svchost.exe -k HPZ12

.

============== Pseudo HJT Report ===============

.

uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=bestbuy&pf=cndt

uSearch Bar = hxxp://www.inbox.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=70001

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=bestbuy&pf=cndt

mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=bestbuy&pf=cndt

mSearchAssistant = hxxp://www.inbox.com/search/ie.aspx?tb_id=70001

mCustomizeSearch = hxxp://dnl.inbox.com/support/sa_customize.aspx?TbId=70001

uURLSearchHooks: N/A: {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\inbox\toolbar\ctbr.dll

uURLSearchHooks: ToolbarURLSearchHook Class: {ca3eb689-8f09-4026-aa10-b9534c691ce0} - c:\program files\bing toolbar\tbhelper.dll

uURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyn1.dll

uURLSearchHooks: N/A: {55b8f6ed-2800-4f27-974a-80ef13a91083} - c:\program files\myfuncardsbarie\bar\1.bin\c8SrcAs.dll

mURLSearchHooks: Free TV Bar Toolbar: {a0729639-d831-46c9-811b-9b0aa79fb45a} - c:\program files\free_tv_bar\tbFree.dll

mURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyn1.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: : {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\inbox\toolbar\ctbr.dll

BHO: Toolbar BHO: {664a876f-a887-4016-abb7-423f1129d6ca} - c:\progra~1\myfunc~2\bar\1.bin\c8bar.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyn1.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Free TV Bar Toolbar: {a0729639-d831-46c9-811b-9b0aa79fb45a} - c:\program files\free_tv_bar\tbFree.dll

BHO: Search Assistant BHO: {a53d3e99-2d75-4752-a2b4-b2c727d7df8c} - c:\program files\myfuncardsbarie\bar\1.bin\c8SrcAs.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll

BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\6.3.2380.0\npwinext.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Search Assistant: {f0626a63-410b-45e2-99a1-3f2475b2d695} - c:\program files\sgpsa\BHO.dll

BHO: TBSB05974 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\bing toolbar\tbcore3.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn2\YTSingleInstance.dll

BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll

TB: Free TV Bar Toolbar: {a0729639-d831-46c9-811b-9b0aa79fb45a} - c:\program files\free_tv_bar\tbFree.dll

TB: Bing Toolbar: {0c8413c1-fad1-446c-8584-be50576f863e} - c:\program files\bing toolbar\tbcore3.dll

TB: &Inbox.com Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\inbox\toolbar\ctbr.dll

TB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyn1.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: MyFunCards: {4b3b7746-935c-48e9-95cd-a855419cdef0} - c:\program files\myfuncardsbarie\bar\1.bin\c8bar.dll

TB: @c:\program files\msn toolbar\platform\6.3.2380.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\6.3.2380.0\npwinext.dll

TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"

uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [HPADVISOR] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe view=DOCKVIEW

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

uRun: [NvCplDaemonTool] rundll32.exe c:\users\hood\lload88.dll,_IWMPEvents

mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe

mRun: [KBD] c:\program files\hewlett-packard\kbd\KbdStub.EXE

mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe

mRun: [updateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"

mRun: [updatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"

mRun: [updatePSTShortCut] "c:\program files\cyberlink\cyberlink dvd suite deluxe\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\cyberlink dvd suite deluxe" updatewithcreateonce "software\cyberlink\PowerStarter"

mRun: [TSMAgent] "c:\program files\hewlett-packard\touchsmart\media\TSMAgent.exe"

mRun: [CLMLServer for HP TouchSmart] "c:\program files\hewlett-packard\touchsmart\media\kernel\clml\CLMLSvc.exe"

mRun: [smartMenu] %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey

mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE

mRun: [intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup

mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe

mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume

mRun: [ReminderApp] c:\program files\nova development\greeting card factory deluxe 7.0\ReminderApp.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [DVDAgent] "c:\program files\hewlett-packard\media\dvd\DVDAgent.exe"

mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe

mRun: [AddressBookReminderApp] c:\program files\creative home\hallmark card studio 2011 deluxe\ReminderApp.exe

mRun: [NvCplDaemonTool] rundll32.exe c:\windows\system32\lload88.dll,_IWMPEvents

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html

IE: Inbox Search - tbr:iemenu

IE: {CDAFD956-97BE-443D-8EF7-F4F094EB5766} - c:\program files\inbox\ssaver\CSSaver.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

Trusted Zone: plaxo.com\www

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxp://hood-pc:5000/activex/RACtrl.cab

Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\inbox\toolbar\ctbr.dll

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll

.

============= SERVICES / DRIVERS ===============

.

R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86

R? fssfltr;fssfltr

R? fsssvc;Windows Live Family Safety Service

R? gupdate;Google Update Service (gupdate)

R? mferkdet;McAfee Inc. mferkdet

R? Norton Internet Security;Norton Internet Security

R? PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver

R? Stereo Service;NVIDIA Stereoscopic 3D Driver Service

R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0

S? FontCache;Windows Font Cache Service

S? McAfeeEngineService;McAfee Engine Service

S? McAfeeFramework;McAfee Framework Service

S? McShield;McAfee McShield

S? McTaskManager;McAfee Task Manager

S? mfeavfk;McAfee Inc. mfeavfk

S? mfebopk;McAfee Inc. mfebopk

S? mfehidk;McAfee Inc. mfehidk

S? mfevtp;McAfee Validation Trust Protection Service

S? MyFunCardsbarIEService;MyFunCards Service

S? RAInfo;RemotelyAnywhere Kernel Information Provider

S? ramirr;ramirr

.

=============== Created Last 30 ================

.

2011-03-25 07:03:38 6792528 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{3e2052a6-92a5-4a84-b988-490c3e88f678}\mpengine.dll

2011-03-23 23:01:00 -------- d-----w- c:\users\hood\appdata\roaming\Malwarebytes

2011-03-23 23:00:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-03-23 23:00:10 -------- d-----w- c:\progra~2\Malwarebytes

2011-03-23 23:00:07 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-03-23 23:00:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-03-23 22:42:54 7734240 ----a-w- C:\mbam-setup.exe

2011-03-23 22:37:36 66896 ----a-w- C:\mbam-clean.exe

2011-03-22 22:47:37 -------- d-----w- C:\Malwarebytes

2011-03-22 22:37:40 -------- d-----w- c:\windows\pss

2011-03-22 20:58:38 797696 ----a-w- c:\windows\system32\FntCache.dll

2011-03-22 20:58:38 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll

2011-03-22 20:58:38 1068544 ----a-w- c:\windows\system32\DWrite.dll

2011-03-22 00:52:50 7734208 ----a-w- C:\mbam-setup-1.50.1.1100(2).exe

2011-03-22 00:44:28 269741 ----a-w- C:\mbam-setup-1.50.1.1100.exe

2011-03-09 17:02:51 429056 ----a-w- c:\windows\system32\EncDec.dll

2011-03-09 17:02:51 322560 ----a-w- c:\windows\system32\sbe.dll

2011-03-09 17:02:51 177664 ----a-w- c:\windows\system32\mpg2splt.ax

2011-03-09 17:02:51 153088 ----a-w- c:\windows\system32\sbeio.dll

2011-03-09 17:02:49 2067968 ----a-w- c:\windows\system32\mstscax.dll

2011-03-09 17:02:48 677888 ----a-w- c:\windows\system32\mstsc.exe

.

==================== Find3M ====================

.

2011-02-02 23:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll

2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll

2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll

2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll

2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll

2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll

2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv

2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll

2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll

2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll

2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll

2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll

2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll

2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll

2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe

2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll

2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll

2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll

2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll

2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll

2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll

2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll

2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll

2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll

2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll

2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:57:01 2039808 ----a-w- c:\windows\system32\win32k.sys

2009-04-11 06:28:20 606208 --sha-w- c:\windows\system32\lload88.dll

2009-04-11 06:28:20 606208 --sha-w- c:\windows\system32\config\systemprofile\lload88.dll

.

============= FINISH: 16:53:26.27 ===============

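The DDS log above shows what the Malwarebytes log alone could not: besides the Startup shortcut, two Run entries (one under uRun/HKCU, one under mRun/HKLM, both named NvCplDaemonTool) start rundll32.exe with lload88.dll at every logon, and the Find3M section lists that DLL in system32 with the hidden and system attributes set (--sha-w-). Removing only the scandisk.lnk shortcut leaves those autostart entries untouched, which is the kind of thing a helper looks for when a quarantined item keeps returning. The Python script below is an added example, not part of this thread and not code from the DDS or Malwarebytes tools; it scans DDS-style uRun/mRun lines and dated file lines for exactly that pattern. The SAMPLE_LOG lines are copied from the DDS log posted above (with one benign NvCpl entry kept as a contrast); the Finding class, the severity labels and the thresholds are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Matches DDS "Pseudo HJT Report" autostart lines: uRun (HKCU) and mRun (HKLM).
RUN_RE = re.compile(r"^(?P<hive>[um])Run:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$", re.I)
# Matches DDS dated file lines ("Created Last 30" / "Find3M"), e.g.
# "2009-04-11 06:28:20 606208 --sha-w- c:\windows\system32\lload88.dll"
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$", re.I
)
# Extracts the DLL path from a "rundll32.exe <dll>,<export>" command, quoted or not.
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+\"?(?P<dll>[^,\"]+?)\"?\s*,", re.I)

# Lines copied from the DDS log in this thread (Pseudo HJT Report and Find3M sections).
SAMPLE_LOG = r"""
uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [NvCplDaemonTool] rundll32.exe c:\users\hood\lload88.dll,_IWMPEvents
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvCplDaemonTool] rundll32.exe c:\windows\system32\lload88.dll,_IWMPEvents
2010-12-31 13:57:01 2039808 ----a-w- c:\windows\system32\win32k.sys
2009-04-11 06:28:20 606208 --sha-w- c:\windows\system32\lload88.dll
2009-04-11 06:28:20 606208 --sha-w- c:\windows\system32\config\systemprofile\lload88.dll
"""


@dataclass
class Finding:
    severity: str   # "high" or "medium" (labels chosen for this example)
    path: str       # normalised (lower-case) DLL path, or bare file name for cross-entry findings
    reason: str


def norm(path: str) -> str:
    """Lower-case and strip quotes so paths from different log sections compare equal."""
    return path.strip().strip('"').lower()


def analyze(log_text: str) -> List[Finding]:
    """Flag rundll32-based Run entries that load DLLs from user profiles, DLLs that
    carry hidden+system attributes, and one DLL name registered from several places."""
    run_dlls: Dict[str, List[Tuple[str, str]]] = {}   # dll path -> [(hive, entry name)]
    hidden_system: Set[str] = set()                   # paths with both 's' and 'h' attributes

    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            d = RUNDLL_RE.search(m.group("cmd"))
            if d:
                run_dlls.setdefault(norm(d.group("dll")), []).append(
                    (m.group("hive").lower(), m.group("name"))
                )
            continue
        f = FILE_RE.match(line)
        if f:
            attrs = f.group("attrs").lower()
            if "s" in attrs and "h" in attrs:
                hidden_system.add(norm(f.group("path")))

    findings: List[Finding] = []
    by_basename: Dict[str, List[str]] = {}
    for dll, entries in run_dlls.items():
        by_basename.setdefault(dll.rsplit("\\", 1)[-1], []).append(dll)
        hives = "+".join(sorted({h for h, _ in entries}))
        if dll in hidden_system:
            findings.append(Finding("high", dll,
                f"rundll32 Run entry ({hives}) loads a DLL with hidden+system attributes"))
        elif "\\users\\" in dll:
            findings.append(Finding("high", dll,
                f"rundll32 Run entry ({hives}) loads a DLL from a user profile directory"))

    # The same DLL name registered from more than one location is itself worth a look.
    for base, paths in by_basename.items():
        if len(paths) > 1:
            findings.append(Finding("medium", base,
                f"same DLL name registered by {len(paths)} Run entries from different "
                "locations: " + ", ".join(sorted(paths))))
    return findings


if __name__ == "__main__":
    for fnd in analyze(SAMPLE_LOG):
        print(f"[{fnd.severity}] {fnd.path}: {fnd.reason}")
```

Run against the sample it reports three findings: the user-profile copy of lload88.dll, the hidden+system copy in system32, and the fact that one DLL name is registered from two locations. A benign rundll32 entry such as NvCpl.dll from system32 produces nothing, which is the point of keeping it in the sample.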

Here are the ComboFix.txt, a new DDS.txt and attach.txt.

ComboFix 11-03-28.01 - hood 03/28/2011 17:13:42.1.2 - x86

Running from: c:\users\hood\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files\Bing Toolbar\tbHElper.dll

c:\program files\Fast Browser Search

c:\program files\Fast Browser Search\IE\1.bat

c:\program files\Fast Browser Search\IE\about.html

c:\program files\Fast Browser Search\IE\affid.dat

c:\program files\Fast Browser Search\IE\basis.xml

c:\program files\Fast Browser Search\IE\BHO.dll

c:\program files\Fast Browser Search\IE\ClearRecycleBin.exe

c:\program files\Fast Browser Search\IE\error.html

c:\program files\Fast Browser Search\IE\fbsProtection.xml

c:\program files\Fast Browser Search\IE\FbsSearchProvider.xml

c:\program files\Fast Browser Search\IE\FbsSearchProviderIE8.exe

c:\program files\Fast Browser Search\IE\icons.bmp

c:\program files\Fast Browser Search\IE\info.txt

c:\program files\Fast Browser Search\IE\local.xml

c:\program files\Fast Browser Search\IE\MTWBtoolbar.html

c:\program files\Fast Browser Search\IE\search.bmp

c:\program files\Fast Browser Search\IE\SearchGuardPlus.ico

c:\program files\Fast Browser Search\IE\SGPU.ico

c:\program files\Fast Browser Search\IE\sgpUpdater.exe

c:\program files\Fast Browser Search\IE\sgpUpdater.xml

c:\program files\Fast Browser Search\IE\SGPUpdaterS.exe

c:\program files\Fast Browser Search\IE\tbhelper.dll

c:\program files\Fast Browser Search\IE\tbs_include_script_003175.js

c:\program files\Fast Browser Search\IE\tbs_include_script_005064.js

c:\program files\Fast Browser Search\IE\tbs_include_script_012817.js

c:\program files\Fast Browser Search\IE\Toolbar Help.htm

c:\program files\Fast Browser Search\IE\uninstalSGP.exe

c:\program files\Fast Browser Search\IE\uninstalSGPU.exe

c:\program files\Fast Browser Search\IE\version.txt

c:\program files\Search Guard Plus

c:\program files\Search Guard Plus\fbsProtection.xml

c:\program files\Search Guard Plus\fbsProtectionI.xml

c:\program files\Search Guard Plus\fbsSearchProvider.xml

c:\program files\Search Guard Plus\FbsSearchProviderIE8.exe

c:\program files\Search Guard Plus\SearchGuardPlus.ico

c:\program files\Search Guard Plus\uninstalSGP.exe

c:\program files\Search Guard PlusU

c:\program files\Search Guard PlusU\SGPU.ico

c:\program files\Search Guard PlusU\sgpUpdater.exe

c:\program files\Search Guard PlusU\sgpUpdater.xml

c:\program files\Search Guard PlusU\sgpUpdaters.exe

c:\program files\Search Guard PlusU\Tmp\removesgp.exe

c:\program files\Search Guard PlusU\Tmp\removesgp0.exe

c:\program files\Search Guard PlusU\uninstalSGPU.exe

c:\program files\SGPSA

c:\program files\SGPSA\BHO.dll

c:\programdata\ntuser.dat

c:\users\david\lload88.dll

c:\users\hood\AppData\Local\Microsoft\Windows\Temporary Internet Files\pse_350_enu.exe

c:\users\hood\AppData\Roaming\.#

c:\users\hood\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scandisk.lnk

c:\users\hood\lload88.dll

c:\users\Public\RemoveSGP.exe

c:\users\Public\RemoveSGP0.exe

c:\windows\Imgtask.exe

c:\windows\system32\config\systemprofile\lload88.dll

c:\windows\system32\H

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_Net Driver HPZ12

.

.

((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-28 )))))))))))))))))))))))))))))))

.

.

2011-03-28 22:30 . 2011-03-28 22:30 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-03-28 22:30 . 2011-03-28 22:30 -------- d-----w- c:\users\david\AppData\Local\temp

2011-03-25 07:03 . 2011-03-15 04:05 6792528 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3E2052A6-92A5-4A84-B988-490C3E88F678}\mpengine.dll

2011-03-24 20:34 . 2011-03-24 20:35 -------- d-----w- c:\users\david\AppData\Local\Google

2011-03-24 17:56 . 2011-03-24 17:56 -------- d-----w- c:\users\david\AppData\Roaming\Malwarebytes

2011-03-24 13:48 . 2011-03-24 13:48 -------- d-----w- c:\users\david\AppData\Roaming\HPAppData

2011-03-24 13:47 . 2011-03-24 13:47 -------- d-----w- c:\users\david\AppData\Roaming\Yahoo!

2011-03-24 13:12 . 2011-03-24 13:12 -------- d-----w- c:\users\david\AppData\Local\ArcSoft

2011-03-24 13:12 . 2011-03-24 13:12 -------- d-----w- c:\users\david\AppData\Roaming\Smilebox

2011-03-24 13:12 . 2011-03-24 14:15 -------- d-----w- c:\users\david\AppData\Roaming\ArcSoft

2011-03-23 23:01 . 2011-03-23 23:01 -------- d-----w- c:\users\hood\AppData\Roaming\Malwarebytes

2011-03-23 23:00 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-03-23 23:00 . 2011-03-23 23:00 -------- d-----w- c:\programdata\Malwarebytes

2011-03-23 23:00 . 2011-03-23 23:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-03-23 23:00 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-03-23 22:42 . 2011-03-23 22:42 7734240 ----a-w- C:\mbam-setup.exe

2011-03-23 22:37 . 2011-03-23 22:36 66896 ----a-w- C:\mbam-clean.exe

2011-03-22 22:47 . 2011-03-22 22:47 -------- d-----w- C:\Malwarebytes

2011-03-22 20:58 . 2011-02-22 14:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll

2011-03-22 20:58 . 2011-02-22 13:33 1068544 ----a-w- c:\windows\system32\DWrite.dll

2011-03-22 20:58 . 2011-02-22 13:33 797696 ----a-w- c:\windows\system32\FntCache.dll

2011-03-22 00:52 . 2011-03-22 00:48 7734208 ----a-w- C:\mbam-setup-1.50.1.1100(2).exe

2011-03-22 00:44 . 2011-03-22 00:44 269741 ----a-w- C:\mbam-setup-1.50.1.1100.exe

2011-03-09 17:02 . 2010-12-29 18:28 322560 ----a-w- c:\windows\system32\sbe.dll

2011-03-09 17:02 . 2010-12-29 18:28 153088 ----a-w- c:\windows\system32\sbeio.dll

2011-03-09 17:02 . 2010-12-29 18:28 429056 ----a-w- c:\windows\system32\EncDec.dll

2011-03-09 17:02 . 2010-12-29 18:26 177664 ----a-w- c:\windows\system32\mpg2splt.ax

2011-03-09 17:02 . 2010-12-17 15:45 2067968 ----a-w- c:\windows\system32\mstscax.dll

2011-03-09 17:02 . 2010-12-17 13:54 677888 ----a-w- c:\windows\system32\mstsc.exe

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-12 21:55 . 2010-06-24 16:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

2011-02-02 23:11 . 2009-10-03 11:27 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-01-20 16:37 . 2011-02-09 00:34 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys

2011-01-20 16:08 . 2011-02-09 00:34 478720 ----a-w- c:\windows\system32\dxgi.dll

2011-01-20 16:08 . 2011-02-09 00:34 219648 ----a-w- c:\windows\system32\d3d10_1core.dll

2011-01-20 16:08 . 2011-02-09 00:34 160768 ----a-w- c:\windows\system32\d3d10_1.dll

2011-01-20 16:08 . 2011-02-09 00:34 1029120 ----a-w- c:\windows\system32\d3d10.dll

2011-01-20 16:08 . 2011-02-09 00:34 189952 ----a-w- c:\windows\system32\d3d10core.dll

2011-01-20 16:07 . 2011-02-09 00:34 37376 ----a-w- c:\windows\system32\cdd.dll

2011-01-20 16:07 . 2011-02-09 00:34 258048 ----a-w- c:\windows\system32\winspool.drv

2011-01-20 16:07 . 2011-02-09 00:34 586240 ----a-w- c:\windows\system32\stobject.dll

2011-01-20 16:06 . 2011-02-09 00:34 2873344 ----a-w- c:\windows\system32\mf.dll

2011-01-20 16:06 . 2011-02-09 00:34 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll

2011-01-20 16:04 . 2011-02-09 00:34 209920 ----a-w- c:\windows\system32\mfplat.dll

2011-01-20 16:04 . 2011-02-09 00:34 98816 ----a-w- c:\windows\system32\mfps.dll

2011-01-20 14:28 . 2011-02-09 00:34 1554432 ----a-w- c:\windows\system32\xpsservices.dll

2011-01-20 14:27 . 2011-02-09 00:34 876032 ----a-w- c:\windows\system32\XpsPrint.dll

2011-01-20 14:26 . 2011-02-09 00:34 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe

2011-01-20 14:25 . 2011-02-09 00:34 847360 ----a-w- c:\windows\system32\OpcServices.dll

2011-01-20 14:24 . 2011-02-09 00:34 135680 ----a-w- c:\windows\system32\XpsRasterService.dll

2011-01-20 14:15 . 2011-02-09 00:34 979456 ----a-w- c:\windows\system32\MFH264Dec.dll

2011-01-20 14:14 . 2011-02-09 00:34 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll

2011-01-20 14:14 . 2011-02-09 00:34 261632 ----a-w- c:\windows\system32\mfreadwrite.dll

2011-01-20 14:14 . 2011-02-09 00:34 302592 ----a-w- c:\windows\system32\mfmp4src.dll

2011-01-20 14:12 . 2011-02-09 00:34 1172480 ----a-w- c:\windows\system32\d3d10warp.dll

2011-01-20 14:11 . 2011-02-09 00:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll

2011-01-20 13:47 . 2011-02-09 00:34 683008 ----a-w- c:\windows\system32\d2d1.dll

2011-01-08 08:47 . 2011-02-08 22:47 34304 ----a-w- c:\windows\system32\atmlib.dll

2011-01-08 06:28 . 2011-02-08 22:47 292352 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:57 . 2011-02-08 22:53 2039808 ----a-w- c:\windows\system32\win32k.sys

2009-04-11 06:28 606208 --sha-w- c:\windows\System32\lload88.dll

2009-04-11 06:28 606208 --sha-w- c:\windows\System32\config\systemprofile\lload88.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyn1.dll" [2010-12-02 2735200]

"{55b8f6ed-2800-4f27-974a-80ef13a91083}"= "c:\program files\MyFunCardsbarIE\bar\1.bin\c8SrcAs.dll" [2010-12-08 53248]

.

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

.

[HKEY_CLASSES_ROOT\clsid\{55b8f6ed-2800-4f27-974a-80ef13a91083}]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{664a876f-a887-4016-abb7-423f1129d6ca}]

2010-12-08 22:52 675840 ----a-w- c:\progra~1\MYFUNC~2\bar\1.bin\c8bar.dll

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

2010-12-02 13:12 2735200 ----a-w- c:\program files\Zynga\tbZyn1.dll

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a0729639-d831-46c9-811b-9b0aa79fb45a}]

2009-12-31 17:53 2349080 ----a-w- c:\program files\Free_TV_Bar\tbFree.dll

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a53d3e99-2d75-4752-a2b4-b2c727d7df8c}]

2010-12-08 22:52 53248 ----a-w- c:\program files\MyFunCardsbarIE\bar\1.bin\c8SrcAs.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{a0729639-d831-46c9-811b-9b0aa79fb45a}"= "c:\program files\Free_TV_Bar\tbFree.dll" [2009-12-31 2349080]

"{0C8413C1-FAD1-446C-8584-BE50576F863E}"= "c:\program files\Bing Toolbar\tbcore3.dll" [2009-11-10 2767360]

"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyn1.dll" [2010-12-02 2735200]

"{4b3b7746-935c-48e9-95cd-a855419cdef0}"= "c:\program files\MyFunCardsbarIE\bar\1.bin\c8bar.dll" [2010-12-08 675840]

.

[HKEY_CLASSES_ROOT\clsid\{a0729639-d831-46c9-811b-9b0aa79fb45a}]

.

[HKEY_CLASSES_ROOT\clsid\{0c8413c1-fad1-446c-8584-be50576f863e}]

[HKEY_CLASSES_ROOT\TBSB05974.TBSB05974.3]

[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]

[HKEY_CLASSES_ROOT\TBSB05974.TBSB05974]

.

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

.

[HKEY_CLASSES_ROOT\clsid\{4b3b7746-935c-48e9-95cd-a855419cdef0}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{A0729639-D831-46C9-811B-9B0AA79FB45A}"= "c:\program files\Free_TV_Bar\tbFree.dll" [2009-12-31 2349080]

"{0C8413C1-FAD1-446C-8584-BE50576F863E}"= "c:\program files\Bing Toolbar\tbcore3.dll" [2009-11-10 2767360]

"{7B13EC3E-999A-4B70-B9CB-2617B8323822}"= "c:\program files\Zynga\tbZyn1.dll" [2010-12-02 2735200]

"{4B3B7746-935C-48E9-95CD-A855419CDEF0}"= "c:\program files\MyFunCardsbarIE\bar\1.bin\c8bar.dll" [2010-12-08 675840]

.

[HKEY_CLASSES_ROOT\clsid\{a0729639-d831-46c9-811b-9b0aa79fb45a}]

.

[HKEY_CLASSES_ROOT\clsid\{0c8413c1-fad1-446c-8584-be50576f863e}]

[HKEY_CLASSES_ROOT\TBSB05974.TBSB05974.3]

[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]

[HKEY_CLASSES_ROOT\TBSB05974.TBSB05974]

.

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

.

[HKEY_CLASSES_ROOT\clsid\{4b3b7746-935c-48e9-95cd-a855419cdef0}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]

"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-09-23 4240760]

"HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2010-06-30 1689144]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-05-16 39408]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-03 15028104]

"NvCplDaemonTool"="c:\users\hood\lload88.dll" [2009-04-11 606208]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]

"KBD"="c:\program files\Hewlett-Packard\KBD\KbdStub.EXE" [2008-07-21 12288]

"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]

"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]

"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]

"UpdatePSTShortCut"="c:\program files\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2008-09-11 210216]

"TSMAgent"="c:\program files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2008-10-18 1152296]

"CLMLServer for HP TouchSmart"="c:\program files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2008-10-18 189736]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]

"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]

"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]

"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]

"ReminderApp"="c:\program files\Nova Development\Greeting Card Factory Deluxe 7.0\ReminderApp.exe" [2007-12-18 185664]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-23 13539872]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-23 92704]

"DVDAgent"="c:\program files\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2009-09-09 1148200]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-10-17 162304]

"NvCplDaemonTool"="c:\windows\system32\lload88.dll" [2009-04-11 606208]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Event Planner Reminder 2009.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Event Planner Reminder 2009.lnk

backup=c:\windows\pss\Event Planner Reminder 2009.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Event Planner Reminder 2010.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Event Planner Reminder 2010.lnk

backup=c:\windows\pss\Event Planner Reminder 2010.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Event Planner Reminder.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Event Planner Reminder.lnk

backup=c:\windows\pss\Event Planner Reminder.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-09-21 04:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]

2003-06-18 17:00 200704 ----a-w- c:\program files\Microsoft Money\System\mnyexpr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyFunCardsbarIE Browser Plugin Loader]

2010-12-08 22:52 20480 ----a-w- c:\progra~1\MYFUNC~2\bar\1.bin\c8brmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemonTool]

2009-04-11 06:28 606208 --sha-w- c:\windows\System32\lload88.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-09-05 06:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-53473447-3286257181-559794806-1000]

"EnableNotificationsRef"=dword:00000001

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-16 135664]

R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [x]

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]

R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2008-09-29 64432]

R3 PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [2008-09-10 20640]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

S2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [2008-09-29 19456]

S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2008-09-29 67904]

S2 MyFunCardsbarIEService;MyFunCards Service;c:\progra~1\MYFUNC~2\bar\1.bin\c8barsvc.exe [2010-12-08 28766]

S2 RAInfo;RemotelyAnywhere Kernel Information Provider;c:\program files\RemotelyAnywhere\RaInfo.sys [2005-04-18 11136]

S3 ramirr;ramirr;c:\windows\system32\DRIVERS\ramirr.sys [2005-04-18 7424]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

Contents of the 'Scheduled Tasks' folder

.

2011-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-16 15:16]

.

2011-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-16 15:16]

.

2011-03-22 c:\windows\Tasks\HPCeeScheduleForhood.job

- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2008-11-10 19:12]

.

2011-03-10 c:\windows\Tasks\PCDRScheduledMaintenance.job

- c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2008-09-10 14:43]

.

2011-03-28 c:\windows\Tasks\User_Feed_Synchronization-{8AAC0136-4894-459F-B2BE-1C3B89C1DC88}.job

- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]

.

.

------- Supplementary Scan -------

.

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=bestbuy&pf=cndt

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html

IE: Inbox Search - tbr:iemenu

IE: {{CDAFD956-97BE-443D-8EF7-F4F094EB5766} - c:\program files\Inbox\SSaver\CSSaver.exe

Trusted Zone: plaxo.com\www

Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll

Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Inbox\Toolbar\ctbr.dll

.

- - - - ORPHANS REMOVED - - - -

.

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

HKLM-Run-SmartMenu - %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe

HKLM-Run-AddressBookReminderApp - c:\program files\Creative Home\Hallmark Card Studio 2011 Deluxe\ReminderApp.exe

MSConfigStartUp-ImgTask - c:\windows\Imgtask.exe

MSConfigStartUp-SmileboxTray - c:\users\david\AppData\Roaming\Smilebox\SmileboxTray.exe

AddRemove-sp43113 - c:\hp\Softpaq\sp43113\sp43113.exe

AddRemove-sp44626 - c:\hp\Softpaq\sp44626\sp44626.exe

.

.

.

**************************************************************************

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files:

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton Internet Security]

"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCD5SRVC{BD6912E3-AC9D80E8-05040000}]

"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(3752)

c:\windows\system32\lload88.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvvsvc.exe

c:\windows\system32\rundll32.exe

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\McAfee\Common Framework\FrameworkService.exe

c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe

c:\program files\McAfee\Common Framework\naPrdMgr.exe

c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

c:\program files\RemotelyAnywhere\RemotelyAnywhere.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\windows\system32\DRIVERS\xaudio.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe

c:\program files\McAfee\VirusScan Enterprise\mfeann.exe

c:\windows\system32\WUDFHost.exe

c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe

c:\program files\Windows Media Player\wmplayer.exe

c:\windows\System32\rundll32.exe

c:\windows\System32\rundll32.exe

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

c:\windows\ehome\ehmsas.exe

c:\program files\McAfee\Common Framework\McTray.exe

c:\program files\HP\Digital Imaging\bin\hpqtra08.exe

c:\program files\PictureMover\Bin\PictureMover.exe

c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe

c:\program files\Common Files\Java\Java Update\jucheck.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

c:\program files\Hewlett-Packard\KBD\kbd.exe

c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

c:\program files\HP\Digital Imaging\bin\hpqbam08.exe

c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe

.

**************************************************************************

.

Completion time: 2011-03-28 18:07:35 - machine was rebooted

ComboFix-quarantined-files.txt 2011-03-28 23:06

.

Pre-Run: 197,863,985,152 bytes free

Post-Run: 199,331,950,592 bytes free

.

- - End Of File - - 524C65982D5D8A3CFA6B272C2ED2E907

__________________________________________________________________________

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by hood at 18:49:13.65 on Mon 03/28/2011

Internet Explorer: 7.0.6002.18005

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\rundll32.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Windows\system32\mfevtps.exe

C:\PROGRA~1\MYFUNC~2\bar\1.bin\c8barsvc.exe

C:\Program Files\McAfee\Common Framework\naPrdMgr.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\Program Files\RemotelyAnywhere\RemotelyAnywhere.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\DRIVERS\xaudio.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\hp\support\hpsysdrv.exe

C:\Program Files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe

C:\Program Files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe

C:\Program Files\Nova Development\Greeting Card Factory Deluxe 7.0\ReminderApp.exe

C:\Program Files\Hewlett-Packard\Media\DVD\DVDAgent.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Microsoft Money\System\mnyexpr.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\PictureMover\Bin\PictureMover.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Windows\system32\SearchProtocolHost.exe

c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe

C:\Program Files\Hewlett-Packard\KBD\kbd.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

C:\Program Files\RemotelyAnywhere\RemotelyAnywhere.exe

C:\Program Files\Common Files\Java\Java Update\jucheck.exe

C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe

C:\Users\hood\Desktop\dds.scr

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\WerCon.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k hpdevmgmt

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

.

============== Pseudo HJT Report ===============

.

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=bestbuy&pf=cndt

uURLSearchHooks: N/A: {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\inbox\toolbar\ctbr.dll

uURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyn1.dll

uURLSearchHooks: N/A: {55b8f6ed-2800-4f27-974a-80ef13a91083} - c:\program files\myfuncardsbarie\bar\1.bin\c8SrcAs.dll

mURLSearchHooks: Free TV Bar Toolbar: {a0729639-d831-46c9-811b-9b0aa79fb45a} - c:\program files\free_tv_bar\tbFree.dll

mURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyn1.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: : {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\inbox\toolbar\ctbr.dll

BHO: Toolbar BHO: {664a876f-a887-4016-abb7-423f1129d6ca} - c:\progra~1\myfunc~2\bar\1.bin\c8bar.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyn1.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Free TV Bar Toolbar: {a0729639-d831-46c9-811b-9b0aa79fb45a} - c:\program files\free_tv_bar\tbFree.dll

BHO: Search Assistant BHO: {a53d3e99-2d75-4752-a2b4-b2c727d7df8c} - c:\program files\myfuncardsbarie\bar\1.bin\c8SrcAs.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll

BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\6.3.2380.0\npwinext.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: TBSB05974 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\bing toolbar\tbcore3.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn2\YTSingleInstance.dll

BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll

TB: Free TV Bar Toolbar: {a0729639-d831-46c9-811b-9b0aa79fb45a} - c:\program files\free_tv_bar\tbFree.dll

TB: Bing Toolbar: {0c8413c1-fad1-446c-8584-be50576f863e} - c:\program files\bing toolbar\tbcore3.dll

TB: &Inbox.com Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\inbox\toolbar\ctbr.dll

TB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyn1.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: MyFunCards: {4b3b7746-935c-48e9-95cd-a855419cdef0} - c:\program files\myfuncardsbarie\bar\1.bin\c8bar.dll

TB: @c:\program files\msn toolbar\platform\6.3.2380.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\6.3.2380.0\npwinext.dll

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"

uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [HPADVISOR] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe view=DOCKVIEW

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

uRun: [NvCplDaemonTool] rundll32.exe c:\users\hood\lload88.dll,_IWMPEvents

mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe

mRun: [KBD] c:\program files\hewlett-packard\kbd\KbdStub.EXE

mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe

mRun: [updateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"

mRun: [updatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"

mRun: [updatePSTShortCut] "c:\program files\cyberlink\cyberlink dvd suite deluxe\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\cyberlink dvd suite deluxe" updatewithcreateonce "software\cyberlink\PowerStarter"

mRun: [TSMAgent] "c:\program files\hewlett-packard\touchsmart\media\TSMAgent.exe"

mRun: [CLMLServer for HP TouchSmart] "c:\program files\hewlett-packard\touchsmart\media\kernel\clml\CLMLSvc.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey

mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE

mRun: [intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup

mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe

mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume

mRun: [ReminderApp] c:\program files\nova development\greeting card factory deluxe 7.0\ReminderApp.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [DVDAgent] "c:\program files\hewlett-packard\media\dvd\DVDAgent.exe"

mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe

mRun: [NvCplDaemonTool] rundll32.exe c:\windows\system32\lload88.dll,_IWMPEvents

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html

IE: Inbox Search - tbr:iemenu

IE: {CDAFD956-97BE-443D-8EF7-F4F094EB5766} - c:\program files\inbox\ssaver\CSSaver.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

Trusted Zone: plaxo.com\www

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxp://hood-pc:5000/activex/RACtrl.cab

Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\inbox\toolbar\ctbr.dll

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll

.

============= SERVICES / DRIVERS ===============

.

7 McShield;McAfee McShield PAUSED

R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86

R? fssfltr;fssfltr

R? fsssvc;Windows Live Family Safety Service

R? gupdate;Google Update Service (gupdate)

R? mferkdet;McAfee Inc. mferkdet

R? Norton Internet Security;Norton Internet Security

R? PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver

R? Stereo Service;NVIDIA Stereoscopic 3D Driver Service

R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0

S? FontCache;Windows Font Cache Service

S? McAfeeEngineService;McAfee Engine Service

S? McAfeeFramework;McAfee Framework Service

S? McTaskManager;McAfee Task Manager

S? mfeavfk;McAfee Inc. mfeavfk

S? mfebopk;McAfee Inc. mfebopk

S? mfehidk;McAfee Inc. mfehidk

S? mfevtp;McAfee Validation Trust Protection Service

S? MyFunCardsbarIEService;MyFunCards Service

S? RAInfo;RemotelyAnywhere Kernel Information Provider

S? ramirr;ramirr

.

=============== Created Last 30 ================

.

2011-03-28 22:35:58 -------- d-sh--w- C:\$RECYCLE.BIN

2011-03-28 22:07:50 89088 ----a-w- c:\windows\MBR.exe

2011-03-28 22:07:50 256512 ----a-w- c:\windows\PEV.exe

2011-03-28 22:07:49 98816 ----a-w- c:\windows\sed.exe

2011-03-28 22:07:49 161792 ----a-w- c:\windows\SWREG.exe

2011-03-28 22:07:42 -------- d-----w- C:\ComboFix

2011-03-25 07:03:38 6792528 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{3e2052a6-92a5-4a84-b988-490c3e88f678}\mpengine.dll

2011-03-23 23:01:00 -------- d-----w- c:\users\hood\appdata\roaming\Malwarebytes

2011-03-23 23:00:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-03-23 23:00:10 -------- d-----w- c:\progra~2\Malwarebytes

2011-03-23 23:00:07 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-03-23 23:00:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-03-23 22:42:54 7734240 ----a-w- C:\mbam-setup.exe

2011-03-23 22:37:36 66896 ----a-w- C:\mbam-clean.exe

2011-03-22 22:47:37 -------- d-----w- C:\Malwarebytes

2011-03-22 22:37:40 -------- d-----w- c:\windows\pss

2011-03-22 20:58:38 797696 ----a-w- c:\windows\system32\FntCache.dll

2011-03-22 20:58:38 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll

2011-03-22 20:58:38 1068544 ----a-w- c:\windows\system32\DWrite.dll

2011-03-22 00:52:50 7734208 ----a-w- C:\mbam-setup-1.50.1.1100(2).exe

2011-03-22 00:44:28 269741 ----a-w- C:\mbam-setup-1.50.1.1100.exe

2011-03-09 17:02:51 429056 ----a-w- c:\windows\system32\EncDec.dll

2011-03-09 17:02:51 322560 ----a-w- c:\windows\system32\sbe.dll

2011-03-09 17:02:51 177664 ----a-w- c:\windows\system32\mpg2splt.ax

2011-03-09 17:02:51 153088 ----a-w- c:\windows\system32\sbeio.dll

2011-03-09 17:02:49 2067968 ----a-w- c:\windows\system32\mstscax.dll

2011-03-09 17:02:48 677888 ----a-w- c:\windows\system32\mstsc.exe

.

==================== Find3M ====================

.

2011-02-02 23:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll

2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll

2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll

2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll

2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll

2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll

2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv

2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll

2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll

2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll

2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll

2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll

2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll

2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll

2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe

2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll

2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll

2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll

2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll

2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll

2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll

2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll

2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll

2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll

2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll

2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:57:01 2039808 ----a-w- c:\windows\system32\win32k.sys

2009-04-11 06:28:20 606208 --sha-w- c:\windows\system32\lload88.dll

2009-04-11 06:28:20 606208 --sha-w- c:\windows\system32\config\systemprofile\lload88.dll

.

============= FINISH: 18:55:51.80 ===============

Attach.zip


  • Staff

Hi,

The following software is of questionable repute, is often installed in a dubious manner, and I highly recommend uninstalling it from Add or Remove Programs:

Inbox.com 3D Marine & Tropical Aquarium Screensaver

Inbox.com Toolbar

Free_TV_Bar Toolbar

Yahoo! Toolbar

Zynga Toolbar

Please zip up the following folder and attach it in your reply so I can submit it to our developers:

C:\Users\hood\AppData\Roaming\microsoft\Windows\START MENU\Programs\Startup

Next, please delete your copy of ComboFix, download the latest version from here (http://forums.malwarebytes.org/index.php?showtopic=78853), and save it to your Desktop. Do not run it yet.

Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

Collect::
C:\Users\hood\AppData\Roaming\microsoft\Windows\START MENU\Programs\Startup\scanxdisknq16.dll
c:\Users\hood\AppData\Roaming\microsoft\Windows\start menu\Programs\Startup\scandisk.lnk

Save this as CFScript.txt

CFScriptB-4.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.


I removed these programs:

Inbox.com 3D Marine & Tropical Aquarium Screensaver

Inbox.com Toolbar

Free_TV_Bar Toolbar

Yahoo! Toolbar

Zynga Toolbar

Below is the ComboFix.txt and attached is the startup folder.

ComboFix 11-03-29.06 - hood 03/30/2011 15:43:07.2.2 - x86

Running from: c:\users\hood\Desktop\ComboFix.exe

Command switches used :: c:\users\hood\Desktop\CFScript.txt

* Resident AV is active

.

.

file zipped: c:\users\hood\AppData\Roaming\microsoft\Windows\start menu\Programs\Startup\scandisk.lnk

file zipped: c:\users\hood\AppData\Roaming\microsoft\Windows\START MENU\Programs\Startup\scanxdisknq16.dll

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\david\lload88.dll

c:\users\hood\AppData\Roaming\microsoft\Windows\start menu\Programs\Startup\scandisk.lnk

c:\users\hood\AppData\Roaming\microsoft\Windows\START MENU\Programs\Startup\scanxdisknq16.dll

c:\users\hood\lload88.dll

c:\windows\system32\config\systemprofile\lload88.dll

.

.

((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-30 )))))))))))))))))))))))))))))))

.

.

2011-03-30 20:59 . 2011-03-30 20:59 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp

2011-03-30 20:59 . 2011-03-30 20:59 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-03-30 20:59 . 2011-03-30 20:59 -------- d-----w- c:\users\david\AppData\Local\temp

2011-03-29 23:50 . 2011-03-29 23:50 388096 ----a-r- c:\users\david\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-03-29 23:50 . 2011-03-29 23:50 -------- d-----w- c:\program files\Trend Micro

2011-03-29 08:03 . 2011-03-15 04:05 6792528 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E9A7C9CF-5DC9-4241-B56C-190CD68677D8}\mpengine.dll

2011-03-24 20:34 . 2011-03-24 20:35 -------- d-----w- c:\users\david\AppData\Local\Google

2011-03-24 17:56 . 2011-03-24 17:56 -------- d-----w- c:\users\david\AppData\Roaming\Malwarebytes

2011-03-24 13:48 . 2011-03-24 13:48 -------- d-----w- c:\users\david\AppData\Roaming\HPAppData

2011-03-24 13:47 . 2011-03-24 13:47 -------- d-----w- c:\users\david\AppData\Roaming\Yahoo!

2011-03-24 13:12 . 2011-03-24 13:12 -------- d-----w- c:\users\david\AppData\Local\ArcSoft

2011-03-24 13:12 . 2011-03-24 13:12 -------- d-----w- c:\users\david\AppData\Roaming\Smilebox

2011-03-24 13:12 . 2011-03-24 14:15 -------- d-----w- c:\users\david\AppData\Roaming\ArcSoft

2011-03-23 23:01 . 2011-03-23 23:01 -------- d-----w- c:\users\hood\AppData\Roaming\Malwarebytes

2011-03-23 23:00 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-03-23 23:00 . 2011-03-23 23:00 -------- d-----w- c:\programdata\Malwarebytes

2011-03-23 23:00 . 2011-03-23 23:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-03-23 23:00 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-03-23 22:42 . 2011-03-23 22:42 7734240 ----a-w- C:\mbam-setup.exe

2011-03-23 22:37 . 2011-03-23 22:36 66896 ----a-w- C:\mbam-clean.exe

2011-03-22 22:47 . 2011-03-22 22:47 -------- d-----w- C:\Malwarebytes

2011-03-22 20:58 . 2011-02-22 14:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll

2011-03-22 20:58 . 2011-02-22 13:33 1068544 ----a-w- c:\windows\system32\DWrite.dll

2011-03-22 20:58 . 2011-02-22 13:33 797696 ----a-w- c:\windows\system32\FntCache.dll

2011-03-22 00:52 . 2011-03-22 00:48 7734208 ----a-w- C:\mbam-setup-1.50.1.1100(2).exe

2011-03-22 00:44 . 2011-03-22 00:44 269741 ----a-w- C:\mbam-setup-1.50.1.1100.exe

2011-03-09 17:02 . 2010-12-29 18:28 322560 ----a-w- c:\windows\system32\sbe.dll

2011-03-09 17:02 . 2010-12-29 18:28 153088 ----a-w- c:\windows\system32\sbeio.dll

2011-03-09 17:02 . 2010-12-29 18:28 429056 ----a-w- c:\windows\system32\EncDec.dll

2011-03-09 17:02 . 2010-12-29 18:26 177664 ----a-w- c:\windows\system32\mpg2splt.ax

2011-03-09 17:02 . 2010-12-17 15:45 2067968 ----a-w- c:\windows\system32\mstscax.dll

2011-03-09 17:02 . 2010-12-17 13:54 677888 ----a-w- c:\windows\system32\mstsc.exe

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-12 21:55 . 2010-06-24 16:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

2011-02-02 23:11 . 2009-10-03 11:27 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-01-20 16:37 . 2011-02-09 00:34 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys

2011-01-20 16:08 . 2011-02-09 00:34 478720 ----a-w- c:\windows\system32\dxgi.dll

2011-01-20 16:08 . 2011-02-09 00:34 219648 ----a-w- c:\windows\system32\d3d10_1core.dll

2011-01-20 16:08 . 2011-02-09 00:34 160768 ----a-w- c:\windows\system32\d3d10_1.dll

2011-01-20 16:08 . 2011-02-09 00:34 1029120 ----a-w- c:\windows\system32\d3d10.dll

2011-01-20 16:08 . 2011-02-09 00:34 189952 ----a-w- c:\windows\system32\d3d10core.dll

2011-01-20 16:07 . 2011-02-09 00:34 37376 ----a-w- c:\windows\system32\cdd.dll

2011-01-20 16:07 . 2011-02-09 00:34 258048 ----a-w- c:\windows\system32\winspool.drv

2011-01-20 16:07 . 2011-02-09 00:34 586240 ----a-w- c:\windows\system32\stobject.dll

2011-01-20 16:06 . 2011-02-09 00:34 2873344 ----a-w- c:\windows\system32\mf.dll

2011-01-20 16:06 . 2011-02-09 00:34 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll

2011-01-20 16:04 . 2011-02-09 00:34 209920 ----a-w- c:\windows\system32\mfplat.dll

2011-01-20 16:04 . 2011-02-09 00:34 98816 ----a-w- c:\windows\system32\mfps.dll

2011-01-20 14:28 . 2011-02-09 00:34 1554432 ----a-w- c:\windows\system32\xpsservices.dll

2011-01-20 14:27 . 2011-02-09 00:34 876032 ----a-w- c:\windows\system32\XpsPrint.dll

2011-01-20 14:26 . 2011-02-09 00:34 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe

2011-01-20 14:25 . 2011-02-09 00:34 847360 ----a-w- c:\windows\system32\OpcServices.dll

2011-01-20 14:24 . 2011-02-09 00:34 135680 ----a-w- c:\windows\system32\XpsRasterService.dll

2011-01-20 14:15 . 2011-02-09 00:34 979456 ----a-w- c:\windows\system32\MFH264Dec.dll

2011-01-20 14:14 . 2011-02-09 00:34 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll

2011-01-20 14:14 . 2011-02-09 00:34 261632 ----a-w- c:\windows\system32\mfreadwrite.dll

2011-01-20 14:14 . 2011-02-09 00:34 302592 ----a-w- c:\windows\system32\mfmp4src.dll

2011-01-20 14:12 . 2011-02-09 00:34 1172480 ----a-w- c:\windows\system32\d3d10warp.dll

2011-01-20 14:11 . 2011-02-09 00:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll

2011-01-20 13:47 . 2011-02-09 00:34 683008 ----a-w- c:\windows\system32\d2d1.dll

2011-01-08 08:47 . 2011-02-08 22:47 34304 ----a-w- c:\windows\system32\atmlib.dll

2011-01-08 06:28 . 2011-02-08 22:47 292352 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:57 . 2011-02-08 22:53 2039808 ----a-w- c:\windows\system32\win32k.sys

2009-04-11 06:28 606208 --sha-w- c:\windows\System32\lload88.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{55b8f6ed-2800-4f27-974a-80ef13a91083}"= "c:\program files\MyFunCardsbarIE\bar\1.bin\c8SrcAs.dll" [2010-12-08 53248]

.

[HKEY_CLASSES_ROOT\clsid\{55b8f6ed-2800-4f27-974a-80ef13a91083}]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{664a876f-a887-4016-abb7-423f1129d6ca}]

2010-12-08 22:52 675840 ----a-w- c:\progra~1\MYFUNC~2\bar\1.bin\c8bar.dll

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a53d3e99-2d75-4752-a2b4-b2c727d7df8c}]

2010-12-08 22:52 53248 ----a-w- c:\program files\MyFunCardsbarIE\bar\1.bin\c8SrcAs.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{0C8413C1-FAD1-446C-8584-BE50576F863E}"= "c:\program files\Bing Toolbar\tbcore3.dll" [2009-11-10 2767360]

"{4b3b7746-935c-48e9-95cd-a855419cdef0}"= "c:\program files\MyFunCardsbarIE\bar\1.bin\c8bar.dll" [2010-12-08 675840]

.

[HKEY_CLASSES_ROOT\clsid\{0c8413c1-fad1-446c-8584-be50576f863e}]

[HKEY_CLASSES_ROOT\TBSB05974.TBSB05974.3]

[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]

[HKEY_CLASSES_ROOT\TBSB05974.TBSB05974]

.

[HKEY_CLASSES_ROOT\clsid\{4b3b7746-935c-48e9-95cd-a855419cdef0}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{0C8413C1-FAD1-446C-8584-BE50576F863E}"= "c:\program files\Bing Toolbar\tbcore3.dll" [2009-11-10 2767360]

"{4B3B7746-935C-48E9-95CD-A855419CDEF0}"= "c:\program files\MyFunCardsbarIE\bar\1.bin\c8bar.dll" [2010-12-08 675840]

.

[HKEY_CLASSES_ROOT\clsid\{0c8413c1-fad1-446c-8584-be50576f863e}]

[HKEY_CLASSES_ROOT\TBSB05974.TBSB05974.3]

[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]

[HKEY_CLASSES_ROOT\TBSB05974.TBSB05974]

.

[HKEY_CLASSES_ROOT\clsid\{4b3b7746-935c-48e9-95cd-a855419cdef0}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]

"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-09-23 4240760]

"HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2010-06-30 1689144]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-03 15028104]

"NvCplDaemonTool"="c:\users\hood\lload88.dll" [2009-04-11 606208]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]

"KBD"="c:\program files\Hewlett-Packard\KBD\KbdStub.EXE" [2008-07-21 12288]

"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]

"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]

"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]

"UpdatePSTShortCut"="c:\program files\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2008-09-11 210216]

"TSMAgent"="c:\program files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2008-10-18 1152296]

"CLMLServer for HP TouchSmart"="c:\program files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2008-10-18 189736]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]

"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]

"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]

"ReminderApp"="c:\program files\Nova Development\Greeting Card Factory Deluxe 7.0\ReminderApp.exe" [2007-12-18 185664]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-23 13539872]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-23 92704]

"DVDAgent"="c:\program files\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2009-09-09 1148200]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-10-17 162304]

"NvCplDaemonTool"="c:\windows\system32\lload88.dll" [2009-04-11 606208]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

PictureMover.lnk - c:\program files\PictureMover\Bin\PictureMover.exe [2008-9-8 430080]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Event Planner Reminder 2009.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Event Planner Reminder 2009.lnk

backup=c:\windows\pss\Event Planner Reminder 2009.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Event Planner Reminder 2010.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Event Planner Reminder 2010.lnk

backup=c:\windows\pss\Event Planner Reminder 2010.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Event Planner Reminder.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Event Planner Reminder.lnk

backup=c:\windows\pss\Event Planner Reminder.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-09-21 04:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]

2003-06-18 17:00 200704 ----a-w- c:\program files\Microsoft Money\System\mnyexpr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyFunCardsbarIE Browser Plugin Loader]

2010-12-08 22:52 20480 ----a-w- c:\progra~1\MYFUNC~2\bar\1.bin\c8brmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemonTool]

2009-04-11 06:28 606208 --sha-w- c:\windows\System32\lload88.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-09-05 06:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-53473447-3286257181-559794806-1000]

"EnableNotificationsRef"=dword:00000001

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-16 135664]

R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [x]

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]

R3 CFcatchme;CFcatchme;c:\users\hood\AppData\Local\Temp\CFcatchme.sys [x]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-12-20 38224]

R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2008-09-29 64432]

R3 PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [2008-09-10 20640]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

S2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [2008-09-29 19456]

S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2008-09-29 67904]

S2 MyFunCardsbarIEService;MyFunCards Service;c:\progra~1\MYFUNC~2\bar\1.bin\c8barsvc.exe [2010-12-08 28766]

S2 RAInfo;RemotelyAnywhere Kernel Information Provider;c:\program files\RemotelyAnywhere\RaInfo.sys [2005-04-18 11136]

S3 ramirr;ramirr;c:\windows\system32\DRIVERS\ramirr.sys [2005-04-18 7424]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

Contents of the 'Scheduled Tasks' folder

.

2011-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-16 15:16]

.

2011-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-16 15:16]

.

2011-03-22 c:\windows\Tasks\HPCeeScheduleForhood.job

- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2008-11-10 19:12]

.

2011-03-10 c:\windows\Tasks\PCDRScheduledMaintenance.job

- c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2008-09-10 14:43]

.

2011-03-30 c:\windows\Tasks\User_Feed_Synchronization-{8AAC0136-4894-459F-B2BE-1C3B89C1DC88}.job

- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]

.

.

------- Supplementary Scan -------

.

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=bestbuy&pf=cndt

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html

Trusted Zone: plaxo.com\www

Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-03-30 17:29

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton Internet Security]

"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCD5SRVC{BD6912E3-AC9D80E8-05040000}]

"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(5020)

c:\program files\RemotelyAnywhere\rahook.000.dll

c:\windows\system32\lload88.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvvsvc.exe

c:\windows\system32\rundll32.exe

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\McAfee\Common Framework\FrameworkService.exe

c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe

c:\program files\McAfee\Common Framework\naPrdMgr.exe

c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

c:\program files\RemotelyAnywhere\RemotelyAnywhere.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\windows\system32\DRIVERS\xaudio.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe

c:\windows\system32\WUDFHost.exe

c:\program files\McAfee\VirusScan Enterprise\mfeann.exe

c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe

c:\program files\RemotelyAnywhere\RemotelyAnywhere.exe

c:\windows\System32\rundll32.exe

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

c:\program files\McAfee\Common Framework\McTray.exe

c:\windows\ehome\ehmsas.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

c:\program files\HP\Digital Imaging\bin\hpqbam08.exe

c:\program files\Common Files\Java\Java Update\jucheck.exe

c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe

c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

c:\program files\Skype\Plugin Manager\skypePM.exe

.

**************************************************************************

.

Completion time: 2011-03-30 17:58:32 - machine was rebooted

ComboFix-quarantined-files.txt 2011-03-30 22:58

ComboFix2.txt 2011-03-28 23:07

.

Pre-Run: 245,449,867,264 bytes free

Post-Run: 245,521,514,496 bytes free

.

- - End Of File - - 9C9B59AD1223F1ADE6F38DD08D54A62E


Startup.zip


  • Staff

Hi,

One more toolbar that I missed before:

MyFunCards

Please go to VirusTotal, and upload the following file for analysis:

c:\windows\system32\DRIVERS\ramirr.sys

c:\windows\System32\lload88.dll

Post the results in your reply.

Zip up c:\windows\System32\lload88.dll please and attach it to your reply.

Then run DDS again and post DDS.txt please. :)


I removed MyFunCards. Attached are the zip files of lload88.dll and attach.txt from DDS. Below are the results from VirusTotal and the DDS.txt.

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.

File name:

ramirr.sys

Submission date:

2011-03-31 22:55:50 (UTC)

Current status: finished

Result:

1/ 41 (2.4%)

VT Community

not reviewed

Safety score: -


Antivirus Version Last Update Result

AhnLab-V3 2011.04.01.00 2011.03.31 -

AntiVir 7.11.5.151 2011.03.31 -

Antiy-AVL 2.0.3.7 2011.03.31 -

Avast 4.8.1351.0 2011.03.31 -

Avast5 5.0.677.0 2011.03.31 -

AVG 10.0.0.1190 2011.03.31 -

BitDefender 7.2 2011.03.31 -

CAT-QuickHeal 11.00 2011.03.31 -

ClamAV 0.97.0.0 2011.03.31 -

Commtouch 5.2.11.5 2011.03.24 -

Comodo 8176 2011.03.31 -

DrWeb 5.0.2.03300 2011.03.31 -

eSafe 7.0.17.0 2011.03.31 -

eTrust-Vet 36.1.8246 2011.03.31 -

F-Prot 4.6.2.117 2011.03.31 -

F-Secure 9.0.16440.0 2011.03.23 -

Fortinet 4.2.254.0 2011.03.31 -

GData 22 2011.03.31 -

Ikarus T3.1.1.103.0 2011.03.31 -

Jiangmin 13.0.900 2011.03.31 -

K7AntiVirus 9.96.4264 2011.03.31 -

McAfee 5.400.0.1158 2011.04.01 -

McAfee-GW-Edition 2010.1C 2011.03.31 -

Microsoft 1.6702 2011.04.01 RemoteAccess:Win32/RemotelyAnywhere

NOD32 6004 2011.03.31 -

Norman 6.07.03 2011.03.31 -

nProtect 2011-02-10.01 2011.02.15 -

Panda 10.0.3.5 2011.03.31 -

PCTools 7.0.3.5 2011.03.30 -

Prevx 3.0 2011.04.01 -

Rising 23.51.03.06 2011.03.31 -

Sophos 4.64.0 2011.03.31 -

SUPERAntiSpyware 4.40.0.1006 2011.04.01 -

Symantec 20101.3.2.89 2011.03.31 -

TheHacker 6.7.0.1.162 2011.03.31 -

TrendMicro 9.200.0.1012 2011.03.31 -

TrendMicro-HouseCall 9.200.0.1012 2011.03.31 -

VBA32 3.12.14.3 2011.03.31 -

VIPRE 8881 2011.04.01 -

ViRobot 2011.3.31.4386 2011.03.31 -

VirusBuster 13.6.280.0 2011.03.31 -

Additional information


MD5 : 23b80d2720d49ac7cdefd768a5beeaaa

SHA1 : 5abcbe2d28cae2cd746930ec174509131d7c95a5

SHA256: 6781bf86016cd76c2dfaf9661f8940724747df0bb77b82935c5bd6adb9990024

_________________________________________________________________________________

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.

File name:

lload88.dll

Submission date:

2011-03-31 22:57:52 (UTC)

Current status: finished

Result:

20/ 41 (48.8%)

VT Community

not reviewed

Safety score: -


Antivirus Version Last Update Result

AhnLab-V3 2011.04.01.00 2011.03.31 Trojan/Win32.Scar

AntiVir 7.11.5.151 2011.03.31 TR/PWS.Sinowal.Gen

Antiy-AVL 2.0.3.7 2011.03.31 Trojan/Win32.Scar.gen

Avast 4.8.1351.0 2011.03.31 Win32:Agent-AMUF

Avast5 5.0.677.0 2011.03.31 Win32:Agent-AMUF

AVG 10.0.0.1190 2011.03.31 SHeur3.BSNT

BitDefender 7.2 2011.03.31 Trojan.Generic.5704903

CAT-QuickHeal 11.00 2011.03.31 -

ClamAV 0.97.0.0 2011.03.31 -

Commtouch 5.2.11.5 2011.03.24 -

Comodo 8176 2011.03.31 -

DrWeb 5.0.2.03300 2011.03.31 Trojan.MulDrop2.9196

eSafe 7.0.17.0 2011.03.31 -

eTrust-Vet 36.1.8246 2011.03.31 -

F-Prot 4.6.2.117 2011.03.31 -

F-Secure 9.0.16440.0 2011.03.23 -

Fortinet 4.2.254.0 2011.03.31 -

GData 22 2011.03.31 Trojan.Generic.5704903

Ikarus T3.1.1.103.0 2011.03.31 Backdoor.Win32.Sinowal

Jiangmin 13.0.900 2011.03.31 -

K7AntiVirus 9.96.4264 2011.03.31 Riskware

McAfee 5.400.0.1158 2011.04.01 Attach.zip

McAfee-GW-Edition 2010.1C 2011.03.31 Artemis!6D4D5610D880

Microsoft 1.6702 2011.04.01 -

NOD32 6004 2011.03.31 -

Norman 6.07.03 2011.03.31 W32/Suspicious_Gen2.JUGCU

nProtect 2011-02-10.01 2011.02.15 -

Panda 10.0.3.5 2011.03.31 Trj/CI.A

PCTools 7.0.3.5 2011.03.30 Trojan.Anserin

Prevx 3.0 2011.04.01 -

Rising 23.51.03.06 2011.03.31 -

Sophos 4.64.0 2011.03.31 Mal/Behav-204

SUPERAntiSpyware 4.40.0.1006 2011.04.01 -

Symantec 20101.3.2.89 2011.03.31 Trojan.Anserin

TheHacker 6.7.0.1.162 2011.03.31 Trojan/Scar.dtnb

TrendMicro 9.200.0.1012 2011.03.31 -

TrendMicro-HouseCall 9.200.0.1012 2011.03.31 -

VBA32 3.12.14.3 2011.03.31 -

VIPRE 8881 2011.04.01 Trojan.Anserin

ViRobot 2011.3.31.4386 2011.03.31 -

VirusBuster 13.6.280.0 2011.03.31 -

Additional information


MD5 : 6d4d5610d8802b097bde17986a5dd0d1

SHA1 : d4584d4c06aac48ab0965f526721aa895d90ede1

SHA256: db8b13d4718e4d95626ac323c627c99aede87bdee7e9aed8d371064462269670

__________________________________________________________________________________

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by hood at 18:22:01.26 on Thu 03/31/2011

Internet Explorer: 7.0.6002.18005

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\rundll32.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Windows\system32\mfevtps.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\Program Files\McAfee\Common Framework\naPrdMgr.exe

C:\Program Files\RemotelyAnywhere\RemotelyAnywhere.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\DRIVERS\xaudio.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\hp\support\hpsysdrv.exe

C:\Program Files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe

C:\Program Files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Hewlett-Packard\Media\DVD\DVDAgent.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Microsoft Money\System\mnyexpr.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\PictureMover\Bin\PictureMover.exe

C:\Windows\system32\rundll32.exe

C:\Windows\ehome\ehmsas.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Program Files\Hewlett-Packard\KBD\kbd.exe

c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe

C:\Program Files\Common Files\Java\Java Update\jucheck.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Windows\system32\wuauclt.exe

C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe

C:\Program Files\RemotelyAnywhere\RemotelyAnywhere.exe

C:\Users\hood\Desktop\dds.scr

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\msfeedssync.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k hpdevmgmt

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

.

============== Pseudo HJT Report ===============

.

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=bestbuy&pf=cndt

uURLSearchHooks: H - No File

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: TBSB05974 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\bing toolbar\tbcore3.dll

BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

TB: Bing Toolbar: {0c8413c1-fad1-446c-8584-be50576f863e} - c:\program files\bing toolbar\tbcore3.dll

TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"

uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

uRun: [NvCplDaemonTool] rundll32.exe c:\users\hood\lload88.dll,_IWMPEvents

mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe

mRun: [KBD] c:\program files\hewlett-packard\kbd\KbdStub.EXE

mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe

mRun: [updateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"

mRun: [updatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"

mRun: [updatePSTShortCut] "c:\program files\cyberlink\cyberlink dvd suite deluxe\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\cyberlink dvd suite deluxe" updatewithcreateonce "software\cyberlink\PowerStarter"

mRun: [TSMAgent] "c:\program files\hewlett-packard\touchsmart\media\TSMAgent.exe"

mRun: [CLMLServer for HP TouchSmart] "c:\program files\hewlett-packard\touchsmart\media\kernel\clml\CLMLSvc.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey

mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE

mRun: [intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup

mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [DVDAgent] "c:\program files\hewlett-packard\media\dvd\DVDAgent.exe"

mRun: [NvCplDaemonTool] rundll32.exe c:\windows\system32\lload88.dll,_IWMPEvents

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

Trusted Zone: plaxo.com\www

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxp://hood-pc:5000/activex/RACtrl.cab

Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll

.

============= SERVICES / DRIVERS ===============

.

R? CFcatchme;CFcatchme

R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86

R? fssfltr;fssfltr

R? fsssvc;Windows Live Family Safety Service

R? gupdate;Google Update Service (gupdate)

R? mferkdet;McAfee Inc. mferkdet

R? Norton Internet Security;Norton Internet Security

R? PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver

R? Stereo Service;NVIDIA Stereoscopic 3D Driver Service

R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0

S? FontCache;Windows Font Cache Service

S? McAfeeEngineService;McAfee Engine Service

S? McAfeeFramework;McAfee Framework Service

S? McShield;McAfee McShield

S? McTaskManager;McAfee Task Manager

S? mfeavfk;McAfee Inc. mfeavfk

S? mfebopk;McAfee Inc. mfebopk

S? mfehidk;McAfee Inc. mfehidk

S? mfevtp;McAfee Validation Trust Protection Service

S? RAInfo;RemotelyAnywhere Kernel Information Provider

S? ramirr;ramirr

.

=============== Created Last 30 ================

.

2011-03-31 23:14:11 -------- d-----w- c:\users\hood\appdata\local\{E0A570FE-D755-432C-BB6D-09D976927275}

2011-03-31 22:55:06 675840 ----a-w- c:\program files\Uninstall MyFunCards.dll

2011-03-30 23:38:30 -------- d-----w- c:\progra~2\SecTaskMan

2011-03-30 22:28:12 -------- d-----w- C:\$RECYCLE.BIN

2011-03-29 23:50:07 -------- d-----w- c:\program files\Trend Micro

2011-03-29 08:03:18 6792528 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{e9a7c9cf-5dc9-4241-b56c-190cd68677d8}\mpengine.dll

2011-03-28 22:07:50 89088 ----a-w- c:\windows\MBR.exe

2011-03-28 22:07:50 256512 ----a-w- c:\windows\PEV.exe

2011-03-28 22:07:49 98816 ----a-w- c:\windows\sed.exe

2011-03-28 22:07:49 161792 ----a-w- c:\windows\SWREG.exe

2011-03-23 23:01:00 -------- d-----w- c:\users\hood\appdata\roaming\Malwarebytes

2011-03-23 23:00:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-03-23 23:00:10 -------- d-----w- c:\progra~2\Malwarebytes

2011-03-23 23:00:07 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-03-23 23:00:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-03-23 22:42:54 7734240 ----a-w- C:\mbam-setup.exe

2011-03-23 22:37:36 66896 ----a-w- C:\mbam-clean.exe

2011-03-22 22:47:37 -------- d-----w- C:\Malwarebytes

2011-03-22 22:37:40 -------- d-----w- c:\windows\pss

2011-03-22 20:58:38 797696 ----a-w- c:\windows\system32\FntCache.dll

2011-03-22 20:58:38 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll

2011-03-22 20:58:38 1068544 ----a-w- c:\windows\system32\DWrite.dll

2011-03-22 00:52:50 7734208 ----a-w- C:\mbam-setup-1.50.1.1100(2).exe

2011-03-22 00:44:28 269741 ----a-w- C:\mbam-setup-1.50.1.1100.exe

2011-03-09 17:02:51 429056 ----a-w- c:\windows\system32\EncDec.dll

2011-03-09 17:02:51 322560 ----a-w- c:\windows\system32\sbe.dll

2011-03-09 17:02:51 177664 ----a-w- c:\windows\system32\mpg2splt.ax

2011-03-09 17:02:51 153088 ----a-w- c:\windows\system32\sbeio.dll

2011-03-09 17:02:49 2067968 ----a-w- c:\windows\system32\mstscax.dll

2011-03-09 17:02:48 677888 ----a-w- c:\windows\system32\mstsc.exe

.

==================== Find3M ====================

.

2011-02-02 23:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll

2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll

2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll

2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll

2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll

2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll

2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv

2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll

2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll

2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll

2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll

2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll

2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll

2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll

2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe

2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll

2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll

2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll

2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll

2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll

2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll

2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll

2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll

2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll

2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll

2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll

2009-04-11 06:28:20 606208 --sha-w- c:\windows\system32\lload88.dll

2009-04-11 06:28:20 606208 --sha-w- c:\windows\system32\config\systemprofile\lload88.dll

.

============= FINISH: 18:30:28.58 ===============

lload88.zip


  • Staff

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

http://forums.malwarebytes.org/index.php?showtopic=78853
Collect::
c:\windows\System32\lload88.dll

Save this as CFScript.txt

(image: CFScriptB-4.gif)

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.


ComboFix 11-04-01.01 - hood 04/01/2011 18:11:57.3.2 - x86

Running from: c:\users\hood\Desktop\ComboFix.exe

Command switches used :: c:\users\hood\Desktop\CFScript.txt

* Resident AV is active

.

.

file zipped: c:\windows\System32\lload88.dll

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\hood\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scandisk.lnk

c:\users\hood\lload88.dll

c:\windows\system32\config\systemprofile\lload88.dll

c:\windows\System32\lload88.dll

.

.

((((((((((((((((((((((((( Files Created from 2011-03-01 to 2011-04-01 )))))))))))))))))))))))))))))))

.

.

2011-04-01 23:21 . 2011-04-01 23:21 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp

2011-04-01 23:21 . 2011-04-01 23:21 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-04-01 23:21 . 2011-04-01 23:21 -------- d-----w- c:\users\david\AppData\Local\temp

2011-04-01 06:06 . 2011-03-15 04:05 6792528 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CC844733-950A-4245-ADB4-46B29E9EBE48}\mpengine.dll

2011-03-31 23:14 . 2011-03-31 23:15 -------- d-----w- c:\users\hood\AppData\Local\{E0A570FE-D755-432C-BB6D-09D976927275}

2011-03-30 23:38 . 2011-03-31 12:32 -------- d-----w- c:\programdata\SecTaskMan

2011-03-29 23:50 . 2011-03-29 23:50 388096 ----a-r- c:\users\david\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-03-29 23:50 . 2011-03-29 23:50 -------- d-----w- c:\program files\Trend Micro

2011-03-24 20:34 . 2011-03-24 20:35 -------- d-----w- c:\users\david\AppData\Local\Google

2011-03-24 17:56 . 2011-03-24 17:56 -------- d-----w- c:\users\david\AppData\Roaming\Malwarebytes

2011-03-24 13:48 . 2011-03-24 13:48 -------- d-----w- c:\users\david\AppData\Roaming\HPAppData

2011-03-24 13:47 . 2011-03-24 13:47 -------- d-----w- c:\users\david\AppData\Roaming\Yahoo!

2011-03-24 13:12 . 2011-03-24 13:12 -------- d-----w- c:\users\david\AppData\Local\ArcSoft

2011-03-24 13:12 . 2011-03-24 13:12 -------- d-----w- c:\users\david\AppData\Roaming\Smilebox

2011-03-24 13:12 . 2011-03-24 14:15 -------- d-----w- c:\users\david\AppData\Roaming\ArcSoft

2011-03-23 23:01 . 2011-03-23 23:01 -------- d-----w- c:\users\hood\AppData\Roaming\Malwarebytes

2011-03-23 23:00 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-03-23 23:00 . 2011-03-23 23:00 -------- d-----w- c:\programdata\Malwarebytes

2011-03-23 23:00 . 2011-03-23 23:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-03-23 23:00 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-03-23 22:42 . 2011-03-23 22:42 7734240 ----a-w- C:\mbam-setup.exe

2011-03-23 22:37 . 2011-03-23 22:36 66896 ----a-w- C:\mbam-clean.exe

2011-03-22 22:47 . 2011-03-22 22:47 -------- d-----w- C:\Malwarebytes

2011-03-22 20:58 . 2011-02-22 14:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll

2011-03-22 20:58 . 2011-02-22 13:33 1068544 ----a-w- c:\windows\system32\DWrite.dll

2011-03-22 20:58 . 2011-02-22 13:33 797696 ----a-w- c:\windows\system32\FntCache.dll

2011-03-22 00:52 . 2011-03-22 00:48 7734208 ----a-w- C:\mbam-setup-1.50.1.1100(2).exe

2011-03-22 00:44 . 2011-03-22 00:44 269741 ----a-w- C:\mbam-setup-1.50.1.1100.exe

2011-03-09 17:02 . 2010-12-29 18:28 322560 ----a-w- c:\windows\system32\sbe.dll

2011-03-09 17:02 . 2010-12-29 18:28 153088 ----a-w- c:\windows\system32\sbeio.dll

2011-03-09 17:02 . 2010-12-29 18:28 429056 ----a-w- c:\windows\system32\EncDec.dll

2011-03-09 17:02 . 2010-12-29 18:26 177664 ----a-w- c:\windows\system32\mpg2splt.ax

2011-03-09 17:02 . 2010-12-17 15:45 2067968 ----a-w- c:\windows\system32\mstscax.dll

2011-03-09 17:02 . 2010-12-17 13:54 677888 ----a-w- c:\windows\system32\mstsc.exe

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-12 21:55 . 2010-06-24 16:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

2011-02-02 23:11 . 2009-10-03 11:27 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-01-20 16:37 . 2011-02-09 00:34 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys

2011-01-20 16:08 . 2011-02-09 00:34 478720 ----a-w- c:\windows\system32\dxgi.dll

2011-01-20 16:08 . 2011-02-09 00:34 219648 ----a-w- c:\windows\system32\d3d10_1core.dll

2011-01-20 16:08 . 2011-02-09 00:34 160768 ----a-w- c:\windows\system32\d3d10_1.dll

2011-01-20 16:08 . 2011-02-09 00:34 1029120 ----a-w- c:\windows\system32\d3d10.dll

2011-01-20 16:08 . 2011-02-09 00:34 189952 ----a-w- c:\windows\system32\d3d10core.dll

2011-01-20 16:07 . 2011-02-09 00:34 37376 ----a-w- c:\windows\system32\cdd.dll

2011-01-20 16:07 . 2011-02-09 00:34 258048 ----a-w- c:\windows\system32\winspool.drv

2011-01-20 16:07 . 2011-02-09 00:34 586240 ----a-w- c:\windows\system32\stobject.dll

2011-01-20 16:06 . 2011-02-09 00:34 2873344 ----a-w- c:\windows\system32\mf.dll

2011-01-20 16:06 . 2011-02-09 00:34 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll

2011-01-20 16:04 . 2011-02-09 00:34 209920 ----a-w- c:\windows\system32\mfplat.dll

2011-01-20 16:04 . 2011-02-09 00:34 98816 ----a-w- c:\windows\system32\mfps.dll

2011-01-20 14:28 . 2011-02-09 00:34 1554432 ----a-w- c:\windows\system32\xpsservices.dll

2011-01-20 14:27 . 2011-02-09 00:34 876032 ----a-w- c:\windows\system32\XpsPrint.dll

2011-01-20 14:26 . 2011-02-09 00:34 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe

2011-01-20 14:25 . 2011-02-09 00:34 847360 ----a-w- c:\windows\system32\OpcServices.dll

2011-01-20 14:24 . 2011-02-09 00:34 135680 ----a-w- c:\windows\system32\XpsRasterService.dll

2011-01-20 14:15 . 2011-02-09 00:34 979456 ----a-w- c:\windows\system32\MFH264Dec.dll

2011-01-20 14:14 . 2011-02-09 00:34 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll

2011-01-20 14:14 . 2011-02-09 00:34 261632 ----a-w- c:\windows\system32\mfreadwrite.dll

2011-01-20 14:14 . 2011-02-09 00:34 302592 ----a-w- c:\windows\system32\mfmp4src.dll

2011-01-20 14:12 . 2011-02-09 00:34 1172480 ----a-w- c:\windows\system32\d3d10warp.dll

2011-01-20 14:11 . 2011-02-09 00:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll

2011-01-20 13:47 . 2011-02-09 00:34 683008 ----a-w- c:\windows\system32\d2d1.dll

2011-01-08 08:47 . 2011-02-08 22:47 34304 ----a-w- c:\windows\system32\atmlib.dll

2011-01-08 06:28 . 2011-02-08 22:47 292352 ----a-w- c:\windows\system32\atmfd.dll

2009-04-11 06:28 606208 --sha-w- c:\windows\System32\lload88.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{0C8413C1-FAD1-446C-8584-BE50576F863E}"= "c:\program files\Bing Toolbar\tbcore3.dll" [2009-11-10 2767360]

.

[HKEY_CLASSES_ROOT\clsid\{0c8413c1-fad1-446c-8584-be50576f863e}]

[HKEY_CLASSES_ROOT\TBSB05974.TBSB05974.3]

[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]

[HKEY_CLASSES_ROOT\TBSB05974.TBSB05974]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{0C8413C1-FAD1-446C-8584-BE50576F863E}"= "c:\program files\Bing Toolbar\tbcore3.dll" [2009-11-10 2767360]

.

[HKEY_CLASSES_ROOT\clsid\{0c8413c1-fad1-446c-8584-be50576f863e}]

[HKEY_CLASSES_ROOT\TBSB05974.TBSB05974.3]

[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]

[HKEY_CLASSES_ROOT\TBSB05974.TBSB05974]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]

"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-10 4240760]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-03 15028104]

"NvCplDaemonTool"="c:\users\hood\lload88.dll" [2009-04-11 606208]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]

"KBD"="c:\program files\Hewlett-Packard\KBD\KbdStub.EXE" [2008-07-21 12288]

"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]

"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]

"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]

"UpdatePSTShortCut"="c:\program files\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2008-09-11 210216]

"TSMAgent"="c:\program files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2008-10-18 1152296]

"CLMLServer for HP TouchSmart"="c:\program files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2008-10-18 189736]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]

"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]

"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-23 13539872]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-23 92704]

"DVDAgent"="c:\program files\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2009-09-09 1148200]

"NvCplDaemonTool"="c:\windows\system32\lload88.dll" [2009-04-11 606208]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

PictureMover.lnk - c:\program files\PictureMover\Bin\PictureMover.exe [2008-9-8 430080]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Event Planner Reminder 2009.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Event Planner Reminder 2009.lnk

backup=c:\windows\pss\Event Planner Reminder 2009.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Event Planner Reminder 2010.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Event Planner Reminder 2010.lnk

backup=c:\windows\pss\Event Planner Reminder 2010.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Event Planner Reminder.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Event Planner Reminder.lnk

backup=c:\windows\pss\Event Planner Reminder.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-09-21 04:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPADVISOR]

2010-06-30 05:14 1689144 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]

2003-06-18 17:00 200704 ----a-w- c:\program files\Microsoft Money\System\mnyexpr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemonTool]

2009-04-11 06:28 606208 --sha-w- c:\windows\System32\lload88.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-09-05 06:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-53473447-3286257181-559794806-1000]

"EnableNotificationsRef"=dword:00000001

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-16 135664]

R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [x]

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]

R3 CFcatchme;CFcatchme;c:\users\hood\AppData\Local\Temp\CFcatchme.sys [x]

R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2008-09-29 64432]

R3 PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [2008-09-10 20640]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

S2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [2008-09-29 19456]

S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2008-09-29 67904]

S2 RAInfo;RemotelyAnywhere Kernel Information Provider;c:\program files\RemotelyAnywhere\RaInfo.sys [2005-04-18 11136]

S3 ramirr;ramirr;c:\windows\system32\DRIVERS\ramirr.sys [2005-04-18 7424]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

Contents of the 'Scheduled Tasks' folder

.

2011-04-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-16 15:16]

.

2011-04-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-16 15:16]

.

2011-03-22 c:\windows\Tasks\HPCeeScheduleForhood.job

- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2008-11-10 19:12]

.

2011-03-10 c:\windows\Tasks\PCDRScheduledMaintenance.job

- c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2008-09-10 14:43]

.

2011-04-01 c:\windows\Tasks\User_Feed_Synchronization-{8AAC0136-4894-459F-B2BE-1C3B89C1DC88}.job

- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]

.

.

------- Supplementary Scan -------

.

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=bestbuy&pf=cndt

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html

Trusted Zone: plaxo.com\www

Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll

.

- - - - ORPHANS REMOVED - - - -

.

MSConfigStartUp-MyFunCardsbarIE Browser Plugin Loader - c:\progra~1\MYFUNC~2\bar\1.bin\c8brmon.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-04-01 18:28

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton Internet Security]

"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCD5SRVC{BD6912E3-AC9D80E8-05040000}]

"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(4592)

c:\windows\system32\lload88.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvvsvc.exe

c:\windows\system32\rundll32.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\McAfee\Common Framework\FrameworkService.exe

c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe

c:\program files\McAfee\Common Framework\naPrdMgr.exe

c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

c:\program files\RemotelyAnywhere\RemotelyAnywhere.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\windows\system32\DRIVERS\xaudio.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\windows\system32\WUDFHost.exe

c:\program files\McAfee\VirusScan Enterprise\mfeann.exe

c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe

c:\windows\System32\rundll32.exe

c:\windows\System32\rundll32.exe

c:\windows\ehome\ehmsas.exe

c:\program files\McAfee\Common Framework\McTray.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

c:\program files\HP\Digital Imaging\bin\hpqbam08.exe

c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe

c:\program files\Common Files\Java\Java Update\jucheck.exe

c:\windows\servicing\TrustedInstaller.exe

c:\program files\RemotelyAnywhere\RemotelyAnywhere.exe

.

**************************************************************************

.

Completion time: 2011-04-01 18:53:10 - machine was rebooted

ComboFix-quarantined-files.txt 2011-04-01 23:53

ComboFix2.txt 2011-03-30 22:59

ComboFix3.txt 2011-03-28 23:07

.

Pre-Run: 254,783,401,984 bytes free

Post-Run: 254,651,518,976 bytes free

.

- - End Of File - - BE565DF79F6EAEDDEE94CE0AF872836B

Upload was successful

