
Malwarebytes

Trojan and Rootkit and Stupid Teenagers


12 replies to this topic

#1
virus_hater

    New Member

  • Members
  • 7 posts
I'm close to beating this thing but I need help. Here are the logs.
--------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.36
Database version: 1971
Windows 5.1.2600 Service Pack 2

4/13/2009 11:00:22 PM
mbam-log-2009-04-13 (23-00-11).txt

Scan type: Quick Scan
Objects scanned: 78059
Time elapsed: 6 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7e543082-2ca5-4097-a49f-864ce0783278} (Trojan.BHO.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{7e543082-2ca5-4097-a49f-864ce0783278} (Trojan.BHO.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7e543082-2ca5-4097-a49f-864ce0783278} (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\atmf.dll (Trojan.BHO.H) -> No action taken.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\aqfehdap.dat (Rootkit.Agent) -> No action taken.
-----------------------------------------------------------------------------------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:02:56, on 4/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdnserv.exe
C:\WINDOWS\system32\lxdncoms.exe
C:\Program Files\Common Files\AntiVirus\SBAMSvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lexmark 2600 Series\lxdnmon.exe
C:\Program Files\Lexmark 2600 Series\ezprint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 217.20.175.74 www.review.2009softwarereviews.com
O1 - Hosts: 217.20.175.74 review.2009softwarereviews.com
O1 - Hosts: 217.20.175.74 a1.review.zdnet.com
O1 - Hosts: 217.20.175.74 www.reviews.toptenreviews.com
O1 - Hosts: 217.20.175.74 reviews.toptenreviews.com
O1 - Hosts: 217.20.175.74 www.reviews.pcadvisor.c.uk
O1 - Hosts: 217.20.175.74 reviews.pcadvisor.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.pcmag.com
O1 - Hosts: 217.20.175.74 reviews.pcmag.com
O1 - Hosts: 217.20.175.74 www.reviews.pcpro.co.uk
O1 - Hosts: 217.20.175.74 reviews.pcpro.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.reevoo.com
O1 - Hosts: 217.20.175.74 reviews.reevoo.com
O1 - Hosts: 217.20.175.74 www.reviews.riverstreams.co.uk
O1 - Hosts: 217.20.175.74 reviews.riverstreams.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.techradar.com
O1 - Hosts: 217.20.175.74 reviews.techradar.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E543082-2CA5-4097-A49F-864CE0783278} - C:\WINDOWS\system32\atmf.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [lxdnmon.exe] "C:\Program Files\Lexmark 2600 Series\lxdnmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2600 Series\ezprint.exe"
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: AutorunsDisabled (User 'SYSTEM')
O4 - .DEFAULT Startup: AutorunsDisabled (User 'Default user')
O4 - Startup: AutorunsDisabled
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.clarkcolo...larkActivia.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin....nderControl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1184808453317
O16 - DPF: {85BA505F-FD01-4A91-836C-F7D502E89C9A} (Image Uploader Control) - http://www.evite.com...geUploader4.cab
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://65.15.86.158/...in/h263ctrl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - http://entimg.msn.co...snmusax4616.cab
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O23 - Service: Fix-It Task Manager - Avanquest North America, Inc. - C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxdnCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdnserv.exe
O23 - Service: lxdn_device - - C:\WINDOWS\system32\lxdncoms.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sunbelt VIPRE Antivirus Service (SBAMSvc) - Sunbelt Software - C:\Program Files\Common Files\AntiVirus\SBAMSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 10751 bytes

#2
miekiemoes

    Forum Deity

  • Administrators
  • 7,155 posts
  • Gender:Female
  • Location:Belgium
Hi,

From your log I can see that no action was taken, so please rescan and remove what MBAM found. But before you do, please update first (Update tab > Check for Updates).
After reboot, rescan with HijackThis and post a new log in your next reply.
Mieke Verburgh
Director of Research


#3
virus_hater

    New Member

  • Members
  • 7 posts

miekiemoes, on Apr 14 2009, 04:07 PM, said:

Hi,

From your log I can see that no action was taken, so please rescan and remove what MBAM found. But before you do, please update first (Update tab > Check for Updates).
After reboot, rescan with HijackThis and post a new log in your next reply.
-----------------------------------------------------------------
Updated. New MBAM log:

Malwarebytes' Anti-Malware 1.36
Database version: 1983
Windows 5.1.2600 Service Pack 2

4/14/2009 07:26:48 PM
mbam-log-2009-04-14 (19-26-48).txt

Scan type: Quick Scan
Objects scanned: 79284
Time elapsed: 9 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7e543082-2ca5-4097-a49f-864ce0783278} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{7e543082-2ca5-4097-a49f-864ce0783278} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7e543082-2ca5-4097-a49f-864ce0783278} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\atmf.dll (Trojan.BHO.H) -> Delete on reboot.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\aqfehdap.dat (Rootkit.Agent) -> Delete on reboot.


------- new HJT log after reboot

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:30:13, on 4/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Lexmark 2600 Series\lxdnmon.exe
C:\Program Files\Lexmark 2600 Series\ezprint.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\eHome\ehRec.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdnserv.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\WINDOWS\system32\lxdncoms.exe
C:\Program Files\Common Files\AntiVirus\SBAMSvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 217.20.175.74 www.review.2009softwarereviews.com
O1 - Hosts: 217.20.175.74 review.2009softwarereviews.com
O1 - Hosts: 217.20.175.74 a1.review.zdnet.com
O1 - Hosts: 217.20.175.74 www.reviews.toptenreviews.com
O1 - Hosts: 217.20.175.74 reviews.toptenreviews.com
O1 - Hosts: 217.20.175.74 www.reviews.pcadvisor.c.uk
O1 - Hosts: 217.20.175.74 reviews.pcadvisor.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.pcmag.com
O1 - Hosts: 217.20.175.74 reviews.pcmag.com
O1 - Hosts: 217.20.175.74 www.reviews.pcpro.co.uk
O1 - Hosts: 217.20.175.74 reviews.pcpro.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.reevoo.com
O1 - Hosts: 217.20.175.74 reviews.reevoo.com
O1 - Hosts: 217.20.175.74 www.reviews.riverstreams.co.uk
O1 - Hosts: 217.20.175.74 reviews.riverstreams.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.techradar.com
O1 - Hosts: 217.20.175.74 reviews.techradar.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E543082-2CA5-4097-A49F-864CE0783278} - C:\WINDOWS\system32\atmf.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [lxdnmon.exe] "C:\Program Files\Lexmark 2600 Series\lxdnmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2600 Series\ezprint.exe"
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: AutorunsDisabled (User 'SYSTEM')
O4 - .DEFAULT Startup: AutorunsDisabled (User 'Default user')
O4 - Startup: AutorunsDisabled
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.clarkcolo...larkActivia.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin....nderControl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1184808453317
O16 - DPF: {85BA505F-FD01-4A91-836C-F7D502E89C9A} (Image Uploader Control) - http://www.evite.com...geUploader4.cab
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://65.15.86.158/...in/h263ctrl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - http://entimg.msn.co...snmusax4616.cab
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O23 - Service: Fix-It Task Manager - Avanquest North America, Inc. - C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxdnCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdnserv.exe
O23 - Service: lxdn_device - - C:\WINDOWS\system32\lxdncoms.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sunbelt VIPRE Antivirus Service (SBAMSvc) - Sunbelt Software - C:\Program Files\Common Files\AntiVirus\SBAMSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 10401 bytes

#4
miekiemoes

    Forum Deity

  • Administrators
  • 7,155 posts
  • Gender:Female
  • Location:Belgium
Hi,

Open HijackThis and check the following entries in it:

O1 - Hosts: 217.20.175.74 www.review.2009softwarereviews.com
O1 - Hosts: 217.20.175.74 review.2009softwarereviews.com
O1 - Hosts: 217.20.175.74 a1.review.zdnet.com
O1 - Hosts: 217.20.175.74 www.reviews.toptenreviews.com
O1 - Hosts: 217.20.175.74 reviews.toptenreviews.com
O1 - Hosts: 217.20.175.74 www.reviews.pcadvisor.c.uk
O1 - Hosts: 217.20.175.74 reviews.pcadvisor.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.pcmag.com
O1 - Hosts: 217.20.175.74 reviews.pcmag.com
O1 - Hosts: 217.20.175.74 www.reviews.pcpro.co.uk
O1 - Hosts: 217.20.175.74 reviews.pcpro.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.reevoo.com
O1 - Hosts: 217.20.175.74 reviews.reevoo.com
O1 - Hosts: 217.20.175.74 www.reviews.riverstreams.co.uk
O1 - Hosts: 217.20.175.74 reviews.riverstreams.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.techradar.com
O1 - Hosts: 217.20.175.74 reviews.techradar.com
O2 - BHO: (no name) - {7E543082-2CA5-4097-A49F-864CE0783278} - C:\WINDOWS\system32\atmf.dll

Click the "Fix checked" button below. Don't worry if an entry won't get fixed.
Then, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your antivirus/antispyware/firewall software before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
Mieke Verburgh
Director of Research

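The O1 lines listed above are hosts-file redirects: many unrelated review sites have been pointed at one outside address, so the browser never reaches the real sites. As an added example (not from the thread, and not HijackThis or Malwarebytes code), this small Python check parses raw hosts-file lines or HijackThis O1 lines and flags exactly that pattern; the sample input is constructed from a subset of the O1 entries above plus benign entries, and the domain-suffix handling is a deliberate simplification rather than the real public suffix list.

```python
"""Detect hosts-file hijacks of the kind HijackThis reports as "O1 - Hosts" lines.

The rule: a non-loopback address that several *unrelated* registrable domains
resolve to is almost never legitimate. Loopback/0.0.0.0 sinks (ad blocking) and
one intranet address serving many names of a single domain are left alone.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a subset of the O1 lines from the log above, plus benign
# entries a hosts file may legitimately contain (localhost, an intranet override).
SAMPLE_LOG = """\
O1 - Hosts: 217.20.175.74 www.review.2009softwarereviews.com
O1 - Hosts: 217.20.175.74 review.2009softwarereviews.com
O1 - Hosts: 217.20.175.74 a1.review.zdnet.com
O1 - Hosts: 217.20.175.74 www.reviews.toptenreviews.com
O1 - Hosts: 217.20.175.74 reviews.pcmag.com
O1 - Hosts: 217.20.175.74 reviews.pcpro.co.uk
O1 - Hosts: 217.20.175.74 reviews.reevoo.com
O1 - Hosts: 217.20.175.74 reviews.techradar.com
# Copyright (c) 1993-1999 Microsoft Corp.  (raw hosts-file comment, constructed)
127.0.0.1       localhost
10.0.0.5        wiki.corp.example git.corp.example   # constructed intranet override
"""

_O1_PREFIX = re.compile(r"^O1 - Hosts:\s*")

# Second-level labels under which the registrable name needs three labels
# (e.g. pcpro.co.uk). A deliberate simplification of the public suffix list.
_SECOND_LEVEL = {"co", "ac", "org", "net", "com", "gov"}


def parse_hosts_lines(text):
    """Return (ip, hostname) pairs from raw hosts lines or HijackThis O1 lines."""
    pairs = []
    for raw in text.splitlines():
        # Drop the HijackThis prefix, then anything after a '#' comment marker.
        line = _O1_PREFIX.sub("", raw).split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an address: malformed entry, skip it
        for host in fields[1:]:  # one hosts line may map several names
            pairs.append((ip, host.lower()))
    return pairs


def registrable_domain(host):
    """Approximate the registrable domain: two labels, or three under co.uk-style suffixes."""
    labels = host.rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in _SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def find_hijacks(text, min_domains=3):
    """Return {ip: sorted hostnames} for every non-loopback address that collects
    at least `min_domains` distinct registrable domains."""
    by_ip = defaultdict(set)
    for ip, host in parse_hosts_lines(text):
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue  # 127.0.0.1 / 0.0.0.0 sinks are the normal blocking use
        by_ip[ip].add(host)
    flagged = {}
    for ip, hosts in by_ip.items():
        domains = {registrable_domain(h) for h in hosts}
        if len(domains) >= min_domains:
            flagged[ip] = sorted(hosts)
    return flagged


if __name__ == "__main__":
    for ip, hosts in find_hijacks(SAMPLE_LOG).items():
        ndom = len({registrable_domain(h) for h in hosts})
        print(f"{ip} receives {len(hosts)} names across {ndom} unrelated domains:")
        for h in hosts:
            print("   ", h)
```

Run against a live machine by reading `C:\WINDOWS\system32\drivers\etc\hosts` into `find_hijacks`; the same address collecting review or security-vendor sites is the signature to look for.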

#5
virus_hater

    New Member

  • Members
  • 7 posts
Here's my ComboFix log. The only weird thing that happened was that some fax program was trying to load during the reboot (this has been going on for 2 or 3 days).

********************************************************************************
********************
ComboFix 09-04-15.08 - HP_Administrator 04/15/2009 20:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1479 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: Avanquest Fix-It *On-access scanning disabled* (Updated)
AV: CyberDefender Internet Security *On-access scanning enabled* (Updated)
AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\020000005bdddece573C.manifest
c:\documents and settings\Administrator\Application Data\020000005bdddece573O.manifest
c:\documents and settings\Administrator\Application Data\020000005bdddece573P.manifest
c:\documents and settings\Administrator\Application Data\020000005bdddece573S.manifest
c:\documents and settings\HP_Administrator\Application Data\020000005bdddece573C.manifest
c:\documents and settings\HP_Administrator\Application Data\020000005bdddece573O.manifest
c:\documents and settings\HP_Administrator\Application Data\020000005bdddece573P.manifest
c:\documents and settings\HP_Administrator\Application Data\020000005bdddece573S.manifest
c:\windows\GnuHashes.ini
c:\windows\system32\_005021_.tmp.dll
c:\windows\system32\_005022_.tmp.dll
c:\windows\system32\_005023_.tmp.dll
c:\windows\system32\_005024_.tmp.dll
c:\windows\system32\_005025_.tmp.dll
c:\windows\system32\_005026_.tmp.dll
c:\windows\system32\_005027_.tmp.dll
c:\windows\system32\_005029_.tmp.dll
c:\windows\system32\_005032_.tmp.dll
c:\windows\system32\_005033_.tmp.dll
c:\windows\system32\_005034_.tmp.dll
c:\windows\system32\_005035_.tmp.dll
c:\windows\system32\_005039_.tmp.dll
c:\windows\system32\_005040_.tmp.dll
c:\windows\system32\_005042_.tmp.dll
c:\windows\system32\_005045_.tmp.dll
c:\windows\system32\_005048_.tmp.dll
c:\windows\system32\_005050_.tmp.dll
c:\windows\system32\_005051_.tmp.dll
c:\windows\system32\_005054_.tmp.dll
c:\windows\system32\_005055_.tmp.dll
c:\windows\system32\_005056_.tmp.dll
c:\windows\system32\_005057_.tmp.dll
c:\windows\system32\_005058_.tmp.dll
c:\windows\system32\_005063_.tmp.dll
c:\windows\system32\_005065_.tmp.dll
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\AIhPYccf.ini
c:\windows\system32\AIhPYccf.ini2
c:\windows\system32\dumphive.exe
c:\windows\system32\GroupPolicy000.dat
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\jihgQqru.ini
c:\windows\system32\jihgQqru.ini2
c:\windows\system32\ltwluktw.ini
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\vjweplhb.ini
c:\windows\system32\WS2Fix.exe
C:\xcrashdump.dat
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-03-16 to 2009-04-16 )))))))))))))))))))))))))))))))
.

2009-04-14 03:02 . 2009-04-14 03:02 -------- d-----w c:\program files\Trend Micro
2009-04-14 02:33 . 2009-04-14 02:49 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-04-14 02:33 . 2009-04-14 02:33 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\Yahoo!
2009-04-14 02:33 . 2009-04-14 02:33 -------- d-----w c:\program files\Yahoo!
2009-04-14 02:33 . 2009-04-14 02:33 -------- d-----w c:\program files\CCleaner
2009-04-14 02:17 . 2009-04-14 02:17 -------- d-----w c:\documents and settings\LocalService\Application Data\Avanquest
2009-04-14 02:09 . 2009-04-14 02:09 93736 ----a-w c:\windows\system32\atmf.zip
2009-04-14 02:08 . 2009-04-14 02:08 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-14 02:02 . 2009-04-14 02:02 -------- d-----w c:\documents and settings\Administrator\Application Data\Avanquest
2009-04-13 23:27 . 2009-04-13 23:29 -------- d-----w C:\!KillBox
2009-04-13 23:24 . 2009-04-13 23:24 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\Desktopicon
2009-04-13 23:23 . 2009-04-13 23:32 -------- d-----w c:\program files\Unlocker
2009-04-13 23:05 . 2009-04-13 23:05 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-13 23:05 . 2009-04-13 23:05 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-13 23:05 . 2009-04-13 23:05 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2009-04-13 00:29 . 2008-07-18 05:26 68912 ----a-w c:\windows\system32\drivers\sbapifs.sys
2009-04-13 00:29 . 2008-07-18 05:26 13360 ----a-w c:\windows\system32\drivers\sbaphd.sys
2009-04-13 00:23 . 2009-04-13 00:23 -------- d-----w c:\program files\Avanquest update
2009-04-13 00:23 . 2009-04-13 00:23 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\InstallShield
2009-04-11 18:13 . 2009-04-11 18:13 -------- d-----w C:\VundoFix Backups
2009-04-11 17:23 . 2009-04-13 00:23 -------- d-----w c:\documents and settings\All Users\Application Data\BVRP Software
2009-04-11 17:21 . 2009-04-11 17:21 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\{797F5EE7-3D5A-40CE-A4B4-EDC1687FEFE9}
2009-04-11 16:14 . 2009-04-11 16:14 -------- d-----w c:\program files\Sun
2009-04-11 16:14 . 2009-04-11 16:14 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-04-10 15:49 . 2004-08-10 12:00 97792 ----a-w c:\windows\system32\atmf.dll
2009-04-09 15:30 . 2009-04-13 04:03 0 ----a-w c:\windows\Rkobisabam.bin
2009-04-09 15:30 . 2009-04-13 03:12 408 ----a-w c:\windows\Jzogiq.dat
2009-04-09 13:19 . 2009-04-09 15:30 -------- d-----w c:\documents and settings\HP_Administrator\Local Settings\Application Data\{842D2C26-3AB0-474D-A576-3B096374AC04}
2009-04-08 06:01 . 2009-04-08 06:01 615 ----a-w c:\windows\system32\UWs4gZqHPH3StRI.vbs
2009-03-21 07:15 . 2009-04-11 16:14 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-21 07:02 . 2009-03-21 07:02 206 ----a-w c:\windows\system32\MRT.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-16 00:33 . 2008-12-14 04:08 12331 ----a-w C:\CDAVFSuser.log
2009-04-16 00:31 . 2008-05-04 17:50 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-15 10:41 . 2008-05-04 17:50 -------- d-----w c:\program files\Spyware Doctor
2009-04-14 02:27 . 2009-04-11 18:13 1421 ----a-w C:\VundoFix.txt
2009-04-13 23:18 . 2008-12-15 01:51 5303 ----a-w C:\rapport.txt
2009-04-13 04:28 . 2008-12-15 02:05 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-13 01:58 . 2007-01-27 15:33 -------- d-----w c:\program files\LimeWire
2009-04-13 01:58 . 2008-12-15 00:50 -------- d-----w c:\program files\WebEx
2009-04-13 00:23 . 2005-05-17 00:31 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-13 00:23 . 2008-12-14 19:05 -------- d-----w c:\program files\Common Files\AntiVirus
2009-04-13 00:21 . 2008-12-14 19:02 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-11 23:29 . 2008-07-10 19:14 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\FrostWire
2009-04-11 22:54 . 2004-08-10 18:00 250032 --sha-r C:\ntldr
2009-04-11 16:14 . 2005-05-16 23:56 -------- d-----w c:\program files\Java
2009-04-11 15:39 . 2008-06-10 19:39 -------- d-----w c:\program files\LightWork Design
2009-04-08 07:06 . 2008-05-29 00:10 -------- d-----w c:\program files\Incomplete
2009-04-07 23:47 . 2005-10-12 01:50 -------- d-----w c:\program files\Microsoft Money 2005
2009-04-06 19:32 . 2008-12-15 02:05 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2008-12-15 02:05 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-04 20:40 . 2008-04-13 17:47 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\TaxCut
2009-04-04 20:35 . 2008-04-13 17:43 -------- d-----w c:\documents and settings\All Users\Application Data\TaxCut
2009-03-07 20:01 . 2005-09-25 12:31 9974 ----a-w c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2009-03-02 22:06 . 2005-09-24 04:39 79656 ----a-w c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-09 10:19 . 2009-04-11 22:35 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 10:19 . 2009-04-11 22:35 1846272 ----a-w c:\windows\system32\dllcache\win32k.sys
2009-01-17 02:35 . 2004-08-10 11:00 3594752 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-03-09 20:47 . 2008-03-09 20:47 16 -c-ha-w c:\program files\Common Files\mxfilerelatedcache.mxc2
2008-03-09 20:47 . 2008-03-09 20:47 16 -c-ha-w c:\program files\mxfilerelatedcache.mxc2
2007-04-20 01:25 . 2007-04-20 01:25 722176 -c--a-w c:\documents and settings\HP_Administrator\gotomypc_428.exe
2006-07-21 17:57 . 2006-07-21 17:57 563712 -c--a-w c:\documents and settings\HP_Administrator\gotomypc_370.exe
2006-03-23 02:00 . 2006-03-23 01:59 3167744 -c--a-w c:\documents and settings\HP_Administrator\gosetup.exe
2006-03-22 23:59 . 2006-03-22 23:59 563712 -c--a-w c:\documents and settings\HP_Administrator\370_gotomypc.exe
2005-11-29 23:34 . 2005-11-29 23:34 251 -c--a-w c:\program files\wt3d.ini
2005-09-24 04:28 . 2006-09-10 01:40 139 ----a-w c:\documents and settings\HP_Administrator\Local Settings\Application Data\fusioncache.dat
2005-05-17 00:27 . 2005-05-17 00:27 136 -c--a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
.

------- Sigcheck -------

[7] 2005-05-25 19:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[7] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[7] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[7] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2004-08-10 04:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB893066$\tcpip.sys
[7] 2005-05-25 19:04 359808 88763A98A4C26C409741B4AA162720C9 c:\windows\$NtUninstallKB913446$\tcpip.sys
[7] 2004-08-10 12:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2007-09-07 20:33 359808 BA57942C0029B0878AFBA052A3E33689 c:\windows\$NtUninstallKB941644$\tcpip.sys
[-] 2008-01-10 12:24 360064 34A663E7F74AE8B2C992C2513343477E c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
[-] 2008-07-09 15:10 360320 1AB9333EC47BC064050A2BF554AE5A95 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E543082-2CA5-4097-A49F-864CE0783278}]
2004-08-10 12:00 97792 ----a-w c:\windows\system32\atmf.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"lxdnmon.exe"="c:\program files\Lexmark 2600 Series\lxdnmon.exe" [2007-12-17 660136]
"EzPrint"="c:\program files\Lexmark 2600 Series\ezprint.exe" [2007-12-17 107176]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-04-13 14156800]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\AutorunsDisabled
powerreg scheduler v3.exe [2005-9-24 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-5 258048]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
backup=c:\windows\pss\SpySubtract.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2007-11-16 02:51 166304 -c--a-w c:\program files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SBAMSvc"=2 (0x2)
"ZuneNetworkSvc"=3 (0x3)
"SymAppCore"=2 (0x2)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"Fix-It Task Manager"=2 (0x2)
"FirebirdServerMAGIXInstance"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"LightScribeService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\WINDOWS\\system32\\lxdncoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdntime.exe"=
"c:\\Program Files\\Lexmark 2600 Series\\lxdnmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnjswx.exe"=
"c:\\Program Files\\Lexmark 2600 Series\\lxdnlscn.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnwbgw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgalry.exe"=
"c:\\Program Files\\CyberDefender\\AntiSpyware\\cdas98.exe"=

R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-06-13 356920]
R3 UPnPService;UPnPService;c:\program files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [2006-12-14 544768]
R4 CDAVFS;CDAVFS;c:\windows\system32\DRIVERS\CDAVFS.sys [2008-12-14 67424]
R4 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-04-17 109616]
R4 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 1527900]
R4 rngjt;rngjt; [x]
R4 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-05-28 8944]
R4 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-05-28 7408]
R4 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-05-28 55024]
R4 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2007-11-06 87848]
R4 winghz;winghz; [x]
S0 djnguxci;djnguxci;c:\windows\system32\drivers\djnguxci.sys [2004-08-10 23424]
S1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2008-07-18 13360]
S2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe [2007-12-05 594600]
S2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdnserv.exe [2007-12-05 98984]
S2 SBAMSvc;Sunbelt VIPRE Antivirus Service;c:\program files\Common Files\AntiVirus\SBAMSvc.exe [2008-08-05 849192]
S2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2008-07-18 68912]
S3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [2005-04-12 85248]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
.
Contents of the 'Scheduled Tasks' folder

2006-09-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 22:13]

2009-04-11 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-02-18 16:00]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
Notify-AutorunsDisabled - c:\program files\SUPERAntiSpyware\SASWINLO.dll efcCrOif.dll c:\windows\system32\__c004E750.dat c:\windows\system32\__c00CFC80.dat c:\windows\system32\__c00FC832.dat
Notify-dimsntfy - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = <local>
DPF: {85BA505F-FD01-4A91-836C-F7D502E89C9A} - hxxp://www.evite.com/html/imageUpload/ImageUploader4.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-15 20:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,6a,c3,37,35,3f,
a5,1f,c2,c8,28,51,af,b0,29,a3,98,a7,6d,60,5e,a6,14,93,9f,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,c3,5a,69,fa,c8,
a9,e7,6f,71,3b,04,66,8b,46,0d,96,f1,ac,c7,e3,dd,60,e0,fc,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,91,92,5c,12,d4,
a9,bb,82,25,da,ec,7e,55,20,c9,26,a2,07,ea,56,d4,25,78,3f,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,cb,83,5e,08,9b,
19,b3,08,3e,1e,9e,e0,57,5a,93,61,10,22,63,f6,fa,f4,36,d7,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,5f,9d,72,09,2e,
e7,a8,89,cd,44,cd,b9,a6,33,6c,cd,c7,8b,45,31,88,e0,33,92,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,fe,f3,e5,81,69,
70,88,b6,b0,18,ed,a7,3f,8d,37,a4,e0,27,37,34,87,ef,90,ed,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,82,64,26,9c,60,
56,e4,59,31,77,e1,ba,b1,f8,68,02,80,fb,03,99,82,f0,9b,8f,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,74,c5,ef,b4,96,
78,ba,dc,83,6c,56,8b,a0,85,96,ab,8e,52,c9,31,d3,2a,0a,af,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,98,f5,12,e1,50,
d5,ed,35,51,fa,6e,91,28,9e,14,cc,ea,3b,38,30,1a,9f,97,74,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,7e,8b,f5,d5,a9,
15,da,c5,b1,cd,45,5a,a8,c4,f8,b9,b5,0e,f3,9e,cc,fc,fc,e7,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:f8,31,0f,a9,5f,a0,ec,fb,7b,c6,3f,ec,d9,
4b,cf,f5,e3,0e,66,d5,eb,bc,2f,6b,64,db,84,30,28,9c,7b,54,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,3b,73,76,28,0c,
f7,23,89,fa,ea,66,7f,d4,3b,6b,70,d4,76,33,e7,0a,e5,cf,8e,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2312)
c:\progra~1\AVANQU~1\Fix-It\WinHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\progra~1\AVANQU~1\Fix-It\mxtask.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\spool\drivers\w32x86\3\lxdnserv.exe
c:\progra~1\AVANQU~1\Fix-It\mxtask.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\wscntfy.exe
c:\hp\KBD\KBD.exe
c:\windows\ALCMTR.EXE
.
**************************************************************************
.
Completion time: 2009-04-16 20:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-16 00:50

Pre-Run: 181,147,049,984 bytes free
Post-Run: 181,076,897,792 bytes free

504 --- E O F --- 2009-04-14 12:02

#6
virus_hater

    New Member

  • Members
  • Pip
  • 7 posts
FYI -- still infected; here's an MBAM log from after ComboFix.
Malwarebytes' Anti-Malware 1.36
Database version: 1983
Windows 5.1.2600 Service Pack 2

4/15/2009 9:01:55 PM
mbam-log-2009-04-15 (21-01-55).txt

Scan type: Quick Scan
Objects scanned: 77282
Time elapsed: 3 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7e543082-2ca5-4097-a49f-864ce0783278} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{7e543082-2ca5-4097-a49f-864ce0783278} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7e543082-2ca5-4097-a49f-864ce0783278} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\atmf.dll (Trojan.BHO.H) -> Delete on reboot.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\aqfehdap.dat (Rootkit.Agent) -> Delete on reboot.


and HJT log:
*************************************************************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:11:18 PM, on 4/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Lexmark 2600 Series\lxdnmon.exe
C:\Program Files\Lexmark 2600 Series\ezprint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdnserv.exe
C:\WINDOWS\system32\lxdncoms.exe
C:\Program Files\Common Files\AntiVirus\SBAMSvc.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msiexec.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\wuauclt.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E543082-2CA5-4097-A49F-864CE0783278} - C:\WINDOWS\system32\atmf.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [lxdnmon.exe] "C:\Program Files\Lexmark 2600 Series\lxdnmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2600 Series\ezprint.exe"
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: AutorunsDisabled (User 'SYSTEM')
O4 - .DEFAULT Startup: AutorunsDisabled (User 'Default user')
O4 - Startup: AutorunsDisabled
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.clarkcolo...larkActivia.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin....nderControl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1184808453317
O16 - DPF: {85BA505F-FD01-4A91-836C-F7D502E89C9A} (Image Uploader Control) - http://www.evite.com...geUploader4.cab
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://65.15.86.158/...in/h263ctrl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - http://entimg.msn.co...snmusax4616.cab
O23 - Service: Fix-It Task Manager - Avanquest North America, Inc. - C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxdnCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdnserv.exe
O23 - Service: lxdn_device - - C:\WINDOWS\system32\lxdncoms.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sunbelt VIPRE Antivirus Service (SBAMSvc) - Sunbelt Software - C:\Program Files\Common Files\AntiVirus\SBAMSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 9047 bytes

#7
miekiemoes (Forum Deity, Administrators, 7,155 posts, Gender: Female, Location: Belgium)
Hi,

I know you would still be infected. That's why I needed the logs first, so we can deal with it all at once.
First of all I need some samples, so go to this page.
Enter the URL of this thread in the first field.
Where it says "browse to the file that you want to submit", click the Browse button next to it and browse to the next file:

C:\Qoobox\quarantine\C\windows\system32\_004920_.tmp.dll.vir

Select it and click OK.
Then click the Send File button below.

Do the same for the following one:

C:\Qoobox\quarantine\C\windows\system32\_004921_.tmp.dll.vir

This is because I want to compare whether they are exactly the same, so I can add detection.

Then, open Notepad (don't use any other text editor than Notepad or the script will fail).
Copy/paste the text in the quotebox below into notepad:

Quote

File::
c:\windows\system32\drivers\djnguxci.sys
c:\windows\system32\atmf.dll
c:\windows\Rkobisabam.bin
c:\windows\Jzogiq.dat
c:\windows\system32\UWs4gZqHPH3StRI.vbs
Driver::
djnguxci
rngjt
winghz
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E543082-2CA5-4097-A49F-864CE0783278}]

Save this as a text file named CFScript.

Then drag the CFScript onto ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript being dragged onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

Also,

AV: Avanquest Fix-It *On-access scanning disabled* (Updated)
AV: CyberDefender Internet Security *On-access scanning enabled* (Updated)
AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *disabled*

I notice from your log that there's more than one antivirus installed. As a matter of fact, 3!
Never install more than one antivirus and firewall! Rather than giving you extra protection, it will seriously decrease their reliability!
The reason for this is that if both products have their automatic (real-time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.
Also, because more than one antivirus and firewall installed are not compatible with each other, it can cause system performance problems and a serious system slowdown.

So you have to make a decision here: keep the antivirus you prefer and uninstall the others. I don't know which one you purchased, but if you didn't purchase any of them, then I suggest you uninstall all 3 of them and replace them with a free antivirus. For example, Avira Antivirus is a great free antivirus.
Then reboot after uninstalling.

Quote

the only weird thing that happened was some Fax program was trying to load during the reboot (this has been going on for 2 or 3 days)
According to your logs, it's also supposed to do that because it's set as a service. Please verify whether it's lxdnserv.exe causing this. If not, then what process is doing this? You also have many HP references set up to start with Windows. In any case, that's no priority now; let's deal with malware first.
Mieke Verburgh
Director of Research

Posted Image

Follow us: Twitter, Become a fan: Facebook

#8
virus_hater (New Member, Members, 7 posts)
a. 2 files uploaded as requested
b. new ComboFix log here
c. I will get it down to just one AV program soon -- maybe now while I wait for your reply


************************************************************
ComboFix 09-04-17.01 - HP_Administrator 04/16/2009 20:33.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1419 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: Avanquest Fix-It *On-access scanning disabled* (Updated)
AV: CyberDefender Internet Security *On-access scanning enabled* (Updated)
AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *disabled*
* Created a new restore point

FILE ::
c:\windows\Jzogiq.dat
c:\windows\Rkobisabam.bin
c:\windows\system32\atmf.dll
c:\windows\system32\drivers\djnguxci.sys
c:\windows\system32\UWs4gZqHPH3StRI.vbs
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Jzogiq.dat
c:\windows\Rkobisabam.bin
c:\windows\system32\atmf.dll
c:\windows\system32\drivers\djnguxci.sys
c:\windows\system32\UWs4gZqHPH3StRI.vbs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DJNGUXCI
-------\Service_djnguxci
-------\Service_rngjt
-------\Service_winghz


((((((((((((((((((((((((( Files Created from 2009-03-17 to 2009-04-17 )))))))))))))))))))))))))))))))
.

2009-04-14 03:02 . 2009-04-14 03:02 -------- d-----w c:\program files\Trend Micro
2009-04-14 02:33 . 2009-04-14 02:49 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-04-14 02:33 . 2009-04-14 02:33 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\Yahoo!
2009-04-14 02:33 . 2009-04-14 02:33 -------- d-----w c:\program files\Yahoo!
2009-04-14 02:33 . 2009-04-14 02:33 -------- d-----w c:\program files\CCleaner
2009-04-14 02:17 . 2009-04-14 02:17 -------- d-----w c:\documents and settings\LocalService\Application Data\Avanquest
2009-04-14 02:09 . 2009-04-14 02:09 93736 ----a-w c:\windows\system32\atmf.zip
2009-04-14 02:08 . 2009-04-14 02:08 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-14 02:02 . 2009-04-14 02:02 -------- d-----w c:\documents and settings\Administrator\Application Data\Avanquest
2009-04-13 23:27 . 2009-04-13 23:29 -------- d-----w C:\!KillBox
2009-04-13 23:24 . 2009-04-13 23:24 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\Desktopicon
2009-04-13 23:23 . 2009-04-13 23:32 -------- d-----w c:\program files\Unlocker
2009-04-13 23:05 . 2009-04-13 23:05 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-13 23:05 . 2009-04-13 23:05 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-13 23:05 . 2009-04-13 23:05 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2009-04-13 00:29 . 2008-07-18 05:26 68912 ----a-w c:\windows\system32\drivers\sbapifs.sys
2009-04-13 00:29 . 2008-07-18 05:26 13360 ----a-w c:\windows\system32\drivers\sbaphd.sys
2009-04-13 00:23 . 2009-04-13 00:23 -------- d-----w c:\program files\Avanquest update
2009-04-13 00:23 . 2009-04-13 00:23 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\InstallShield
2009-04-11 18:13 . 2009-04-11 18:13 -------- d-----w C:\VundoFix Backups
2009-04-11 17:23 . 2009-04-13 00:23 -------- d-----w c:\documents and settings\All Users\Application Data\BVRP Software
2009-04-11 17:21 . 2009-04-11 17:21 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\{797F5EE7-3D5A-40CE-A4B4-EDC1687FEFE9}
2009-04-11 16:14 . 2009-04-11 16:14 -------- d-----w c:\program files\Sun
2009-04-11 16:14 . 2009-04-11 16:14 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-04-09 13:19 . 2009-04-09 15:30 -------- d-----w c:\documents and settings\HP_Administrator\Local Settings\Application Data\{842D2C26-3AB0-474D-A576-3B096374AC04}
2009-03-21 07:15 . 2009-04-11 16:14 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-21 07:02 . 2009-03-21 07:02 206 ----a-w c:\windows\system32\MRT.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-17 00:41 . 2008-05-04 17:50 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-17 00:33 . 2004-08-10 12:00 23424 ----a-w c:\windows\system32\drivers\axjcgezh.sys
2009-04-17 00:29 . 2008-12-14 04:08 13516 ----a-w C:\CDAVFSuser.log
2009-04-17 00:26 . 2008-12-14 04:08 13505 ----a-w C:\CDAVFSuserBackup.log
2009-04-16 11:03 . 2008-05-04 17:50 -------- d-----w c:\program files\Spyware Doctor
2009-04-16 01:18 . 2005-09-24 04:39 79656 ----a-w c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-14 02:27 . 2009-04-11 18:13 1421 ----a-w C:\VundoFix.txt
2009-04-13 23:18 . 2008-12-15 01:51 5303 ----a-w C:\rapport.txt
2009-04-13 04:28 . 2008-12-15 02:05 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-13 01:58 . 2007-01-27 15:33 -------- d-----w c:\program files\LimeWire
2009-04-13 01:58 . 2008-12-15 00:50 -------- d-----w c:\program files\WebEx
2009-04-13 00:23 . 2005-05-17 00:31 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-13 00:23 . 2008-12-14 19:05 -------- d-----w c:\program files\Common Files\AntiVirus
2009-04-13 00:21 . 2008-12-14 19:02 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-11 23:29 . 2008-07-10 19:14 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\FrostWire
2009-04-11 22:54 . 2004-08-10 18:00 250032 --sha-r C:\ntldr
2009-04-11 16:14 . 2005-05-16 23:56 -------- d-----w c:\program files\Java
2009-04-11 15:39 . 2008-06-10 19:39 -------- d-----w c:\program files\LightWork Design
2009-04-08 07:06 . 2008-05-29 00:10 -------- d-----w c:\program files\Incomplete
2009-04-07 23:47 . 2005-10-12 01:50 -------- d-----w c:\program files\Microsoft Money 2005
2009-04-06 19:32 . 2008-12-15 02:05 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2008-12-15 02:05 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-04 20:40 . 2008-04-13 17:47 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\TaxCut
2009-04-04 20:35 . 2008-04-13 17:43 -------- d-----w c:\documents and settings\All Users\Application Data\TaxCut
2009-03-07 20:01 . 2005-09-25 12:31 9974 ----a-w c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2009-02-09 10:19 . 2009-04-11 22:35 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 10:19 . 2009-04-11 22:35 1846272 ----a-w c:\windows\system32\dllcache\win32k.sys
2009-01-17 02:35 . 2004-08-10 11:00 3594752 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-03-09 20:47 . 2008-03-09 20:47 16 -c-ha-w c:\program files\Common Files\mxfilerelatedcache.mxc2
2008-03-09 20:47 . 2008-03-09 20:47 16 -c-ha-w c:\program files\mxfilerelatedcache.mxc2
2007-04-20 01:25 . 2007-04-20 01:25 722176 -c--a-w c:\documents and settings\HP_Administrator\gotomypc_428.exe
2006-07-21 17:57 . 2006-07-21 17:57 563712 -c--a-w c:\documents and settings\HP_Administrator\gotomypc_370.exe
2006-03-23 02:00 . 2006-03-23 01:59 3167744 -c--a-w c:\documents and settings\HP_Administrator\gosetup.exe
2006-03-22 23:59 . 2006-03-22 23:59 563712 -c--a-w c:\documents and settings\HP_Administrator\370_gotomypc.exe
2005-11-29 23:34 . 2005-11-29 23:34 251 -c--a-w c:\program files\wt3d.ini
2005-09-24 04:28 . 2006-09-10 01:40 139 ----a-w c:\documents and settings\HP_Administrator\Local Settings\Application Data\fusioncache.dat
2005-05-17 00:27 . 2005-05-17 00:27 136 -c--a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
.

------- Sigcheck -------

[7] 2005-05-25 19:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[7] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[7] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[7] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2004-08-10 04:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB893066$\tcpip.sys
[7] 2005-05-25 19:04 359808 88763A98A4C26C409741B4AA162720C9 c:\windows\$NtUninstallKB913446$\tcpip.sys
[7] 2004-08-10 12:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2007-09-07 20:33 359808 BA57942C0029B0878AFBA052A3E33689 c:\windows\$NtUninstallKB941644$\tcpip.sys
[-] 2008-01-10 12:24 360064 34A663E7F74AE8B2C992C2513343477E c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
[-] 2008-07-09 15:10 360320 1AB9333EC47BC064050A2BF554AE5A95 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-04-16_00.46.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-17 00:40 . 2009-04-17 00:40 16384 c:\windows\Temp\Perflib_Perfdata_444.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"lxdnmon.exe"="c:\program files\Lexmark 2600 Series\lxdnmon.exe" [2007-12-17 660136]
"EzPrint"="c:\program files\Lexmark 2600 Series\ezprint.exe" [2007-12-17 107176]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-04-13 14156800]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\AutorunsDisabled
powerreg scheduler v3.exe [2005-9-24 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-5 258048]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
backup=c:\windows\pss\SpySubtract.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2007-11-16 02:51 166304 -c--a-w c:\program files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SBAMSvc"=2 (0x2)
"ZuneNetworkSvc"=3 (0x3)
"SymAppCore"=2 (0x2)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"Fix-It Task Manager"=2 (0x2)
"FirebirdServerMAGIXInstance"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"LightScribeService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\WINDOWS\\system32\\lxdncoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdntime.exe"=
"c:\\Program Files\\Lexmark 2600 Series\\lxdnmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnjswx.exe"=
"c:\\Program Files\\Lexmark 2600 Series\\lxdnlscn.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnwbgw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgalry.exe"=
"c:\\Program Files\\CyberDefender\\AntiSpyware\\cdas98.exe"=

R4 CDAVFS;CDAVFS;c:\windows\system32\DRIVERS\CDAVFS.sys [2008-12-14 67424]
S3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [2005-04-12 85248]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - DJNGUXCI
*Deregistered* - mchInjDrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
.
Contents of the 'Scheduled Tasks' folder

2006-09-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 22:13]

2009-04-11 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-02-18 16:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = <local>
DPF: {85BA505F-FD01-4A91-836C-F7D502E89C9A} - hxxp://www.evite.com/html/imageUpload/ImageUploader4.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-16 20:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,6a,c3,37,35,3f,
a5,1f,c2,c8,28,51,af,b0,29,a3,98,a7,6d,60,5e,a6,14,93,9f,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,c3,5a,69,fa,c8,
a9,e7,6f,71,3b,04,66,8b,46,0d,96,f1,ac,c7,e3,dd,60,e0,fc,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,91,92,5c,12,d4,
a9,bb,82,25,da,ec,7e,55,20,c9,26,a2,07,ea,56,d4,25,78,3f,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,cb,83,5e,08,9b,
19,b3,08,3e,1e,9e,e0,57,5a,93,61,10,22,63,f6,fa,f4,36,d7,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,5f,9d,72,09,2e,
e7,a8,89,cd,44,cd,b9,a6,33,6c,cd,c7,8b,45,31,88,e0,33,92,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,fe,f3,e5,81,69,
70,88,b6,b0,18,ed,a7,3f,8d,37,a4,e0,27,37,34,87,ef,90,ed,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,82,64,26,9c,60,
56,e4,59,31,77,e1,ba,b1,f8,68,02,80,fb,03,99,82,f0,9b,8f,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,74,c5,ef,b4,96,
78,ba,dc,83,6c,56,8b,a0,85,96,ab,8e,52,c9,31,d3,2a,0a,af,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,98,f5,12,e1,50,
d5,ed,35,51,fa,6e,91,28,9e,14,cc,ea,3b,38,30,1a,9f,97,74,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,7e,8b,f5,d5,a9,
15,da,c5,b1,cd,45,5a,a8,c4,f8,b9,b5,0e,f3,9e,cc,fc,fc,e7,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:f8,31,0f,a9,5f,a0,ec,fb,7b,c6,3f,ec,d9,
4b,cf,f5,e3,0e,66,d5,eb,bc,2f,6b,64,db,84,30,28,9c,7b,54,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,3b,73,76,28,0c,
f7,23,89,fa,ea,66,7f,d4,3b,6b,70,d4,76,33,e7,0a,e5,cf,8e,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(904)
c:\progra~1\AVANQU~1\Fix-It\WinHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\progra~1\AVANQU~1\Fix-It\mxtask.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\spool\drivers\w32x86\3\lxdnserv.exe
c:\progra~1\AVANQU~1\Fix-It\mxtask.exe
c:\windows\system32\lxdncoms.exe
c:\program files\Common Files\AntiVirus\SBAMSvc.exe
c:\program files\Spyware Doctor\pctsAuxs.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\msiexec.exe
c:\hp\KBD\KBD.exe
c:\windows\ALCMTR.EXE
c:\windows\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
.
**************************************************************************
.
Completion time: 2009-04-17 20:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-17 00:46
ComboFix2.txt 2009-04-16 00:50

Pre-Run: 180,839,608,320 bytes free
Post-Run: 180,878,499,840 bytes free

321 --- E O F --- 2009-04-14 12:02
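The conditions miekiemoes raises in #7 (three antivirus products, two of them with on-access scanning disabled, the Norton firewall off) are all readable from the ComboFix header, and the "Reg Loading Points" section of the log above additionally records Security Center monitoring switched off, the Windows Firewall standard profile disabled, and the applications granted firewall exceptions. The Python triage helper below is an added example, not code from this thread or from ComboFix: it parses a constructed excerpt assembled from lines of the log above and lists the protection-weakening conditions a helper would want to raise with the user. The line formats it expects are assumed from this log alone, not from any ComboFix documentation.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Product:
    kind: str                  # "AV" or "FW"
    name: str
    status: str                # text between the asterisks
    freshness: Optional[str]   # "Updated" / "Outdated" (AV lines only)


@dataclass
class Triage:
    products: List[Product] = field(default_factory=list)
    security_center_monitoring_disabled: bool = False
    windows_firewall_disabled: bool = False
    firewall_authorized_apps: List[str] = field(default_factory=list)

    def findings(self) -> List[str]:
        """Human-readable list of protection-weakening conditions."""
        out: List[str] = []
        avs = [p for p in self.products if p.kind == "AV"]
        if len(avs) > 1:
            out.append(f"{len(avs)} antivirus products installed: "
                       + ", ".join(p.name for p in avs))
        for p in self.products:
            if "disabled" in p.status.lower():
                out.append(f"{p.kind} {p.name}: {p.status}")
            if p.freshness == "Outdated":
                out.append(f"{p.kind} {p.name}: signatures outdated")
        if self.security_center_monitoring_disabled:
            out.append("Security Center monitoring disabled (DisableMonitoring=1)")
        if self.windows_firewall_disabled:
            out.append("Windows Firewall standard profile disabled (EnableFirewall=0)")
        for app in self.firewall_authorized_apps:
            out.append(f"Firewall exception: {app}")
        return out


# Constructed excerpt: AV/FW status lines and "Reg Loading Points" entries
# copied from the ComboFix log in this thread (assumed formats, see lead-in).
SAMPLE_LOG = r"""
AV: Avanquest Fix-It *On-access scanning disabled* (Updated)
AV: CyberDefender Internet Security *On-access scanning enabled* (Updated)
AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *disabled*
* Created a new restore point

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"""

# "AV: <name> *<status>* (<freshness>)" / "FW: <name> *<status>*"
PRODUCT_RE = re.compile(r'^(AV|FW):\s+(.+?)\s+\*(.+?)\*(?:\s+\((\w+)\))?\s*$')
KEY_RE = re.compile(r'^\[(.+)\]\s*$')           # "[HKLM\...]" section header
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*?)\s*$')  # "name"=value (value may be empty)


def parse_combofix(text: str) -> Triage:
    t = Triage()
    current_key = ""
    for line in text.splitlines():
        m = PRODUCT_RE.match(line)
        if m:
            kind, name, status, fresh = m.groups()
            t.products.append(Product(kind, name, status, fresh))
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()  # registry keys are case-insensitive
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if current_key.endswith(r"security center\monitoring") and name == "DisableMonitoring":
            t.security_center_monitoring_disabled = value.lower() == "dword:00000001"
        elif current_key.endswith(r"firewallpolicy\standardprofile") and name == "EnableFirewall":
            t.windows_firewall_disabled = value.split()[0] == "0"   # printed as "0 (0x0)"
        elif current_key.endswith(r"authorizedapplications\list"):
            t.firewall_authorized_apps.append(name.replace("\\\\", "\\"))  # un-escape path
    return t


if __name__ == "__main__":
    for f in parse_combofix(SAMPLE_LOG).findings():
        print("-", f)
```

Run against the excerpt it reports the three AV products, the two with on-access scanning disabled, the outdated Norton signatures, the disabled Norton firewall, the disabled Security Center monitoring, the disabled Windows Firewall profile and the LimeWire firewall exception; feeding it a full ComboFix.txt instead of SAMPLE_LOG gives the same summary for that log.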

#9
miekiemoes (Forum Deity, Administrators, 7,155 posts, Gender: Female, Location: Belgium)
Hi,

This looks OK again. Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /
Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

#10
virus_hater (New Member, Members, 7 posts)

miekiemoes, on Apr 17 2009, 09:45 AM, said:

Hi,

This looks OK again. Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /
Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

-- I have uninstalled ComboFix but am left with a few issues

-- after performing the last set of instructions MBAM showed all clear, so I uninstalled all other AV programs and installed my Avira

--- Avira found 33 items, mostly q-tined ComboFix stuff, and put them in its own q-tine folder

--- also ran CCleaner (and maybe I shouldn't have done any of this)

since then my Microsoft Outlook Express v6.0 will not open, I keep getting the following

"Visual C++ Runtime Library runtime error
The application has requested the runtime to terminate in an unusual way. Please contact the application's support team for more information."


I switched over to make Microsoft Outlook my email program, which sort of worked but was very unstable and kept crashing (maybe a previous unresolved problem anyway, because that's why I was using the Express version; it's quite possible I have Outlook 2000 installed on top of Outlook 2003)

however, I need to resolve either that or the new Outlook Express problem -- I have had similar troubles with email programs right after major virus infections and that's probably why I have so many (ill-installed) email programs...

However, the rest of the system is running quite well...

#11
virus_hater (New Member, Members, 7 posts)

virus_hater, on Apr 18 2009, 12:24 AM, said:

-- I have uninstalled ComboFix but am left with a few issues

-- after performing the last set of instructions MBAM showed all clear, so I uninstalled all other AV programs and installed my Avira

--- Avira found 33 items, mostly q-tined ComboFix stuff, and put them in its own q-tine folder

--- also ran CCleaner (and maybe I shouldn't have done any of this)

since then my Microsoft Outlook Express v6.0 will not open, I keep getting the following

"Visual C++ Runtime Library runtime error
The application has requested the runtime to terminate in an unusual way. Please contact the application's support team for more information."


I switched over to make Microsoft Outlook my email program, which sort of worked but was very unstable and kept crashing (maybe a previous unresolved problem anyway, because that's why I was using the Express version; it's quite possible I have Outlook 2000 installed on top of Outlook 2003)

however, I need to resolve either that or the new Outlook Express problem -- I have had similar troubles with email programs right after major virus infections and that's probably why I have so many (ill-installed) email programs...

However, the rest of the system is running quite well...


*** uninstalled Outlook Express from Windows Components in Add/Remove Programs
*** rebooted -- reinstalled it and it opens and works fine, though I prefer regular Outlook but..... this computer is now in great shape!!!!!!!! I think we're done here??

#12
miekiemoes (Forum Deity, Administrators, 7,155 posts, Gender: Female, Location: Belgium)
Hi,

Quote

--- also ran CCleaner (and maybe I shouldn't have done any of this)

since then my Microsoft Outlook Express v6.0 will not open, I keep getting the following

"Visual C++ Runtime Library runtime error
The application has requested the runtime to terminate in an unusual way. Please contact the application's support team for more information."
Yes, this may happen if you use certain cleaners, especially the registry cleaning option... and I guess that's what you have done here.
In any case, good to hear that you solved it. :D


Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: make sure your programs are up to date, because older versions may contain security leaks. To find out which programs need to be updated, please run the Secunia Software Inspector scan.

Happy Surfing again!

#13
miekiemoes (Forum Deity, Administrators, 7,155 posts, Gender: Female, Location: Belgium)
Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.