Malwarebytes Forum > TROJAN.VUNDO.H / TROJAN.AGENT

Full Version: TROJAN.VUNDO.H / TROJAN.AGENT

Malwarebytes Forum > Computer Help > Malware Removal - HijackThis Logs

h2otech1

Nov 25 2008, 05:07 AM

Hello,

I hope this is the right place to post, and MB seems to be well versed and educated, so here is my problem (like others):

Got infected w/ the Vundo & Agent so downloaded MBAM. Got rid of most but there are still 8 lingering bugs I cannot get rid of. Tried many times w/ MBAM, please help and thank you in advance. In looking at other posts, I beleive I need to tell you what OS I have and give you my MBAM log files so I hope this is enough:

MS Window XP
Home Edition
Version 2002
Service Pack 3

Log Files---------------------------------------------------

Malwarebytes' Anti-Malware 1.30
Database version: 1419
Windows 5.1.2600 Service Pack 3

11/24/2008 8:35:05 PM
mbam-log-2008-11-24 (20-35-05).txt

Scan type: Quick Scan
Objects scanned: 57578
Time elapsed: 4 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ce27cd53-6ffd-49c4-a72a-60b139e15e4b} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nfhakpga (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ce27cd53-6ffd-49c4-a72a-60b139e15e4b} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\qsjatud.dll (Trojan.Vundo.H) -> Delete on reboot.

I have tried to reboot immediately afterward, but cannot remove the 8.
Thank you again for any help....

h2otech1

Raid

Nov 25 2008, 05:17 AM

Hi There.

Your running a slightly outdated version of MBAM, please update it and proceed as instructed below:

Important!

All of the following instructions must be run on the affected computer. Logs from a different computer will not help me help you. So, if you need to download all of this and then copy it to CD or memory stick and take it to the other computer, please do so. Either way, it's important. The logs have to be made by the computer with the problem.

I need you to follow the instructions provided here Pre- HJT Post Instructions first.

I also need for you to download this program OTListIt.exe to your desktop.
Close all applications and windows so that you have nothing open and are at your Desktop
Double-click on the OTListIt.exe file to start OTListIt. OK any warning about running OTListIt.
Place a checkmark in the "Scan All Users" checkbox (Leave the 'Use Whitelist' checked' and the 'File Age:' at 30 days)
Click the Run Scan button
NOTE: Please be patient and let the scan run without using the computer
When the scan is complete, a text file (OTListIt.Txt) will open in Notepad (if not, it can be found on your Desktop)
In Notepad, click Edit, Select all then Edit, Copy
Reply to this topic, click in the topic reply window, and press Ctrl+V to paste the log or Righ click paste.
Submit your reply and close the Notepad window with OTList.txt
Also OTListIt's Extras.txt log file will be minimized in the Taskbar (and located on your Desktop) - click on this and maximize the window
In Notepad, click Edit, Select all then Edit, Copy
Reply to this topic again, click in the topic reply window, and press Ctrl+V to paste the extras log or Right click paste.
NOTE: If the files (OTListIt.txt, Extras.txt) do not appear in your taskbar, just open the files in notepad from your desktop.

Please allow me time to analyze your post. If you don't see a reply from me after 24 hours, feel free to PM me.

h2otech1

Nov 25 2008, 07:01 PM

Thanks for the reply!!!!

1) Ran Spybot S&D.
2) Reinstalled MBAM, scanned and the log is found below. I will continue with your instructions and repost the other logs. Thank you!!!!!

Malwarebytes' Anti-Malware 1.30
Database version: 1423
Windows 5.1.2600 Service Pack 3

11/25/2008 10:58:00 AM
mbam-log-2008-11-25 (10-58-00).txt

Scan type: Quick Scan
Objects scanned: 57699
Time elapsed: 6 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ce27cd53-6ffd-49c4-a72a-60b139e15e4b} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nfhakpga (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ce27cd53-6ffd-49c4-a72a-60b139e15e4b} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\qsjatud.dll (Trojan.Vundo.H) -> Delete on reboot.

h2otech1

Nov 25 2008, 08:24 PM

And here is the log from Panda Security:

;*******************************************************************************
********************************************************************************
*
*******************
ANALYSIS: 2008-11-25 12:22:29
PROTECTIONS: 1
MALWARE: 5
SUSPECTS: 5
;*******************************************************************************
********************************************************************************
*
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
================================================================================
=
===================
Norton AntiVirus 16.0.0.125 Yes Yes
;===============================================================================
================================================================================
=
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
================================================================================
=
===================
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Default User\Cookies\system@atdmt[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@ad.yieldmanager[1].txt
02077612 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP4\A0009168.exe
03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\WINDOWS\system32\drivers\qouwge.sys
04156665 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\WINDOWS\system32\clusapim.dll
;===============================================================================
================================================================================
=
===================
SUSPECTS
Sent Location y
;===============================================================================
================================================================================
=
===================
No C:\hp\bin\KillIt.exe y
No C:\hp\recovery\wizard\SWR_Wizard.exe y
No C:\Program Files\Online Services\NetscapeOnline\NSsetup.exe y
No C:\WINDOWS\Installer\167ae975.msi[unk_0100] y
No C:\WINDOWS\system32\bw7nir4b.exe y
;===============================================================================
================================================================================
=
===================
VULNERABILITIES
Id Severity Description y
;===============================================================================
================================================================================
=
===================
;===============================================================================
================================================================================
=
===================

h2otech1

Nov 25 2008, 08:29 PM

And the log file from HiJack:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:35 PM, on 11/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hphmon06.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Browser Mouse\MOffice.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Browser Mouse\MOUSE32A.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\IPSBHO.DLL
O2 - BHO: (no name) - {8C760D34-E6A5-4111-BFE1-4EF0620B8ECA} - C:\WINDOWS\system32\clusapim.dll
O2 - BHO: (no name) - {CE27CD53-6FFD-49C4-A72A-60B139E15E4B} - c:\windows\system32\qsjatud.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [AGRSMMSG] "C:\WINDOWS\AGRSMMSG.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] "C:\WINDOWS\SOUNDMAN.EXE"
O4 - HKLM\..\Run: [AlcWzrd] "C:\WINDOWS\ALCWZRD.EXE"
O4 - HKLM\..\Run: [Alcmtr] "C:\WINDOWS\ALCMTR.EXE"
O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\URGOKQQC\WAS5Scan[1].exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon06] "C:\WINDOWS\system32\hphmon06.exe"
O4 - HKLM\..\Run: [ImInstaller_IncrediMail] "C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe" -startup -product IncrediMail
O4 - HKLM\..\Run: [hpsysdrv] "c:\windows\system\hpsysdrv.exe"
O4 - HKLM\..\Run: [HPHUPD06] "c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] "C:\WINDOWS\system32\HDAudPropShortcut.exe"
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] "C:\Program Files\Browser Mouse\MOffice.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KBD] "C:\HP\KBD\KBD.EXE"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [Verizon Custom Uninstall Tracking] "C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\InstallHelper.exe" /uninstalltrackingvendor=Verizon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] -
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SFP] "C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE" /s
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...e/gpcontrol.cab
O20 - Winlogon Notify: nfhakpga - C:\WINDOWS\SYSTEM32\qsjatud.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 11280 bytes

h2otech1

Nov 25 2008, 08:42 PM

And here is the log file for OTListIt:

OTListIt logfile created on: 11/25/2008 12:40:00 PM - Run
OTListIt by OldTimer - Version 1.0.12.0 Folder = C:\Documents and Settings\HP_Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1015.29 Mb Total Physical Memory | 492.91 Mb Available Physical Memory | 48.55% Memory free
2.39 Gb Paging File | 1.95 Gb Available in Paging File | 81.68% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 179.33 Gb Total Space | 158.95 Gb Free Space | 88.63% Space Free | Partition Type: NTFS
Drive D: | 6.96 Gb Total Space | 1.84 Gb Free Space | 26.41% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-4F1261A8E5
Current User Name: HP_Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2004/11/02 00:59:42 | 00,126,976 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
[2005/03/04 11:01:56 | 00,088,209 | ---- | M] (Agere Systems) -- C:\WINDOWS\AGRSMMSG.exe
[2005/02/25 05:39:16 | 00,180,269 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[2005/04/06 17:57:12 | 00,090,112 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
[2005/04/06 17:53:00 | 02,805,248 | ---- | M] (RealTek Semicoductor Corp.) -- C:\WINDOWS\ALCWZRD.EXE
[2005/04/12 00:10:22 | 00,065,536 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\ALCMTR.EXE
[2007/05/08 16:24:20 | 00,054,840 | ---- | M] (Hewlett-Packard) -- C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
[2004/06/07 03:42:30 | 00,659,456 | ---- | M] (Hewlett-Packard) -- C:\WINDOWS\system32\hphmon06.exe
[1998/05/07 01:04:38 | 00,052,736 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\system\hpsysdrv.exe
[2006/12/07 17:25:19 | 00,958,464 | ---- | M] () -- C:\Program Files\Browser Mouse\MOffice.exe
[2006/10/25 18:58:18 | 00,282,624 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\QuickTime\qttask.exe
[2006/12/07 17:25:18 | 00,356,352 | ---- | M] () -- C:\Program Files\Browser Mouse\mouse32a.exe
[2006/10/30 09:36:36 | 00,256,576 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
[2005/02/02 16:44:24 | 00,061,440 | ---- | M] (Hewlett-Packard Company) -- C:\hp\KBD\kbd.exe
[2007/11/28 19:51:10 | 00,583,048 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
[2008/02/22 03:25:21 | 00,144,784 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
[2008/08/09 15:04:58 | 05,418,864 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
[2007/01/05 14:04:10 | 00,554,616 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
[2008/09/16 12:16:08 | 01,833,296 | RHS- | M] (Safer Networking Limited) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[2004/11/04 19:28:24 | 00,258,048 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
[2004/08/11 01:22:40 | 00,757,760 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
[2004/02/13 13:12:08 | 00,016,423 | ---- | M] () -- C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
[2005/02/25 05:49:52 | 00,045,056 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
[2004/05/24 11:35:52 | 00,322,104 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\drivers\KodakCCS.exe
[2005/07/24 22:35:00 | 00,053,248 | ---- | M] (Hewlett-Packard Company) -- c:\Program Files\Common Files\LightScribe\LSSrvc.exe
[2007/11/28 19:51:10 | 00,583,048 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
[2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
[2008/11/04 20:24:52 | 00,115,560 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
[2008/02/08 12:01:34 | 01,251,720 | ---- | M] () -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
[2008/08/09 13:42:02 | 03,585,384 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
[2006/10/30 09:36:32 | 00,492,608 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
[2008/11/04 20:24:52 | 00,115,560 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
[2008/02/22 03:25:20 | 00,329,104 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
[2008/08/09 13:42:02 | 00,181,608 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\Spy Sweeper\SSU.exe
[2008/11/25 12:33:18 | 00,418,304 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Owner\Desktop\OTListIt.exe

========== (O23) Win32 Services ==========

[2004/07/15 01:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2007/01/05 14:04:10 | 00,554,616 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler [Auto | Running])
[2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
[2006/10/30 09:36:32 | 00,492,608 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
[2004/05/24 11:35:52 | 00,322,104 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\drivers\KodakCCS.exe -- (KodakCCS [Auto | Running])
[2005/07/24 22:35:00 | 00,053,248 | ---- | M] (Hewlett-Packard Company) -- c:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService [Auto | Running])
[2007/01/05 14:04:04 | 02,918,008 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate [On_Demand | Stopped])
File not found -- -- (LiveUpdate Notice Ex [Auto | Stopped])
[2007/11/28 19:51:10 | 00,583,048 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe -- (LiveUpdate Notice Service [Auto | Running])
[2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM [Auto | Running])
[2008/11/04 20:24:52 | 00,115,560 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe -- (Norton AntiVirus [Auto | Running])
[2003/07/28 11:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2007/08/08 23:27:52 | 00,073,728 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12 [Auto | Stopped])
[2008/02/08 12:01:34 | 01,251,720 | ---- | M] () -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC [Auto | Running])
[2008/08/09 13:42:02 | 03,585,384 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe -- (WebrootSpySweeperService [Auto | Running])
[2006/10/18 19:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services ==========

[2005/03/04 11:02:20 | 01,066,278 | ---- | M] (Agere Systems) -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem [On_Demand | Running])
[2008/11/04 20:25:03 | 00,255,536 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\NAV\1001000.021\BHDrvx86.sys -- (BHDrvx86 [System | Running])
[2008/11/20 09:22:32 | 00,362,544 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\NAV\1001000.021\cchpx86.sys -- (ccHP [System | Running])
[2004/05/20 07:21:10 | 00,036,918 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\drivers\DcCam.sys -- (DcCam [System | Running])
[2004/05/20 07:41:54 | 00,061,564 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\drivers\DcFpoint.sys -- (DcFpoint [On_Demand | Stopped])
[2004/06/02 12:19:00 | 00,038,705 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\drivers\DCFS2k.sys -- (DCFS2K [Auto | Running])
[2004/05/20 07:39:42 | 00,008,022 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\drivers\DcLps.sys -- (DcLps [On_Demand | Stopped])
[2004/05/20 07:45:20 | 00,068,950 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\drivers\DcPtp.sys -- (DcPTP [On_Demand | Stopped])
[2008/11/20 09:22:32 | 00,371,248 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl [System | Running])
[2008/11/20 09:22:32 | 00,099,376 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv [On_Demand | Running])
[2004/06/02 12:17:56 | 00,151,985 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\drivers\ExportIt.sys -- (Exportit [System | Stopped])
[2006/09/19 15:44:04 | 00,015,664 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
[2004/03/17 16:10:40 | 00,113,664 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\Hdaudio.sys -- (HdAudAddService [On_Demand | Stopped])
[2008/04/13 08:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus [On_Demand | Running])
[2004/12/14 08:07:44 | 00,051,120 | R--- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZid412.sys -- (HPZid412 [On_Demand | Stopped])
[2004/12/14 08:07:44 | 00,016,496 | R--- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12 [On_Demand | Stopped])
[2004/12/14 08:07:44 | 00,021,744 | R--- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12 [On_Demand | Stopped])
[2004/11/02 01:27:20 | 00,773,565 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm [On_Demand | Running])
[2008/11/20 09:22:32 | 00,274,808 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20081120.006\IDSxpx86.sys -- (IDSxpx86 [System | Stopped])
[2005/04/15 17:05:42 | 02,564,032 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
[2003/09/10 23:36:54 | 00,021,060 | ---- | M] (InterVideo, Inc.) -- C:\WINDOWS\system32\drivers\iviaspi.sys -- (Iviaspi [On_Demand | Running])
[2008/04/13 10:39:48 | 00,014,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\kbdhid.sys -- (kbdhid [System | Stopped])
[2007/09/28 10:30:57 | 00,019,345 | ---- | M] (Motive, Inc.) -- C:\Program Files\Common Files\Motive\MREMPR5.sys -- (MREMPR5 [On_Demand | Stopped])
[2007/09/28 10:30:49 | 00,018,003 | ---- | M] (Motive, Inc.) -- C:\Program Files\Common Files\Motive\MRENDIS5.sys -- (MRENDIS5 [On_Demand | Stopped])
[2008/11/20 01:00:00 | 00,089,104 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081124.023\NAVENG.SYS -- (NAVENG [On_Demand | Running])
[2008/11/20 01:00:00 | 00,876,112 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081124.023\NAVEX15.SYS -- (NAVEX15 [On_Demand | Running])
[2003/09/19 01:47:00 | 00,010,368 | ---- | M] (Padus, Inc.) -- C:\WINDOWS\system32\drivers\pfc.sys -- (Pfc [On_Demand | Running])
[2005/12/12 17:27:00 | 00,019,072 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2 [On_Demand | Running])
[2004/08/03 20:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2005/02/25 05:38:09 | 00,020,576 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\pxhelp20.sys -- (PxHelp20 [Boot | Running])
[2002/10/04 02:04:10 | 00,046,976 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\system32\drivers\R8139n51.sys -- (rtl8139 [On_Demand | Running])
[2007/04/03 12:59:30 | 00,083,208 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\s616bus.sys -- (s616bus [On_Demand | Stopped])
[2007/04/03 12:59:36 | 00,015,112 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\s616mdfl.sys -- (s616mdfl [On_Demand | Stopped])
[2007/04/03 12:59:38 | 00,108,680 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\s616mdm.sys -- (s616mdm [On_Demand | Stopped])
[2007/04/03 12:59:40 | 00,100,360 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\s616mgmt.sys -- (s616mgmt [On_Demand | Stopped])
[2007/04/03 12:59:42 | 00,098,568 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\s616obex.sys -- (s616obex [On_Demand | Stopped])
[2007/04/03 12:59:42 | 00,099,080 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\s616unic.sys -- (s616unic [On_Demand | Stopped])
[2007/11/13 02:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2008/11/04 20:25:03 | 00,306,736 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\NAV\1001000.021\srtsp.sys -- (SRTSP [On_Demand | Running])
[2008/11/04 20:25:03 | 00,043,696 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\NAV\1001000.021\srtspx.sys -- (SRTSPX [System | Running])
[2008/08/09 13:42:12 | 00,029,808 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\WINDOWS\system32\drivers\ssfs0bbc.sys -- (ssfs0bbc [Boot | Running])
[2008/08/09 13:42:14 | 00,023,152 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\WINDOWS\system32\drivers\sshrmd.sys -- (SSHRMD [Boot | Running])
[2008/08/09 13:42:14 | 00,166,512 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\WINDOWS\system32\drivers\ssidrv.sys -- (SSIDRV [Boot | Running])
[2008/01/04 20:34:36 | 00,023,920 | ---- | M] (Webroot Software Inc (www.webroot.com)) -- C:\WINDOWS\system32\drivers\sskbfd.sys -- (SSKBFD [On_Demand | Running])
[2008/11/20 09:22:34 | 00,012,976 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\NAV\1001000.021\symdns.sys -- (SYMDNS [On_Demand | Stopped])
[2008/11/04 20:25:03 | 00,309,296 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\NAV\1001000.021\SymEFA.sys -- (SymEFA [Boot | Running])
[2008/11/20 09:22:44 | 00,124,464 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])
[2008/11/20 09:22:35 | 00,089,904 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\NAV\1001000.021\symfw.sys -- (SYMFW [On_Demand | Stopped])
[2008/11/20 09:22:36 | 00,034,608 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\NAV\1001000.021\symids.sys -- (SYMIDS [On_Demand | Stopped])
[2008/11/20 09:22:36 | 00,035,888 | R--- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIM [On_Demand | Stopped])
[2008/11/20 09:22:36 | 00,035,888 | R--- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIMMP [On_Demand | Running])
[2006/06/14 19:42:59 | 00,010,344 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symlcbrd.sys -- (symlcbrd [Auto | Running])
[2008/11/20 09:22:36 | 00,037,424 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\NAV\1001000.021\symndis.sys -- (SYMNDIS [On_Demand | Stopped])
[2008/11/20 09:22:36 | 00,024,752 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\NAV\1001000.021\symredrv.sys -- (SYMREDRV [On_Demand | Stopped])
[2008/04/13 10:56:49 | 00,012,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usb8023.sys -- (USB_RNDIS_XP [On_Demand | Stopped])
[2004/08/03 20:00:00 | 00,023,424 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\zthhzhwv.sys -- (zthhzhwv [Boot | Running])

========== Internet Explorer ==========

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.microsoft.com/isapi/redir.dll?P...pdate&O1=b1
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions =
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
HKCU\Software\Microsoft\Internet Explorer\SearchURL\CNNSI, = search.sportsillustrated.cnn.com/pages/search.jsp?query=%s
HKCU\Software\Microsoft\Internet Explorer\SearchURL\Dictionary, = dictionary.reference.com/search?q=%s
HKCU\Software\Microsoft\Internet Explorer\SearchURL\Google, = google.com/search?q=%s
HKCU\Software\Microsoft\Internet Explorer\SearchURL\GoogleGroups, = groups-beta.google.com/groups?q=%s
HKCU\Software\Microsoft\Internet Explorer\SearchURL\GoogleImages, = images.google.com/images?hl=en&lr=&q=%s
HKCU\Software\Microsoft\Internet Explorer\SearchURL\GoogleNews, = news.google.com/news?tab=gn&hl=en&ie=UTF-8&q=%s&btnG=Search+News
HKCU\Software\Microsoft\Internet Explorer\SearchURL\KB, = support.microsoft.com/search/default.aspx?query=%s
HKCU\Software\Microsoft\Internet Explorer\SearchURL\KBDLL, = support.microsoft.com/dllhelp/default.aspx?dlltype=file&l=55&alpha=%s&S=1
HKCU\Software\Microsoft\Internet Explorer\SearchURL\Movies, = fandango.com/my_box_office.asp?searchby=2&txtCityZip=%s
HKCU\Software\Microsoft\Internet Explorer\SearchURL\MSN, = search.msn.com/results.asp?q=%s
HKCU\Software\Microsoft\Internet Explorer\SearchURL\Thesaurus, = thesaurus.reference.com/search?q=%s
HKCU\Software\Microsoft\Internet Explorer\SearchURL\Weather, = weather.com/weather/local/%s
HKCU\Software\Microsoft\Internet Explorer\SearchURL\Yahoo, = search.yahoo.com/search?p=%s
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1

HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/

HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/

HKU\S-1-5-21-691311170-1838169275-933237389-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKU\S-1-5-21-691311170-1838169275-933237389-1009\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.microsoft.com/isapi/redir.dll?P...pdate&O1=b1
HKU\S-1-5-21-691311170-1838169275-933237389-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
HKU\S-1-5-21-691311170-1838169275-933237389-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions =
HKU\S-1-5-21-691311170-1838169275-933237389-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
HKU\S-1-5-21-691311170-1838169275-933237389-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
HKU\S-1-5-21-691311170-1838169275-933237389-1009\Software\Microsoft\Internet Explorer\SearchURL\CNNSI, = search.sportsillustrated.cnn.com/pages/search.jsp?query=%s
HKU\S-1-5-21-691311170-1838169275-933237389-1009\Software\Microsoft\Internet Explorer\SearchURL\Dictionary, = dictionary.reference.com/search?q=%s
HKU\S-1-5-21-691311170-1838169275-933237389-1009\Software\Microsoft\Internet Explorer\SearchURL\Google, = google.com/search?q=%s
HKU\S-1-5-21-691311170-1838169275-933237389-1009\Software\Microsoft\Internet Explorer\SearchURL\GoogleGroups, = groups-beta.google.com/groups?q=%s
HKU\S-1-5-21-691311170-1838169275-933237389-1009\Software\Microsoft\Internet Explorer\SearchURL\GoogleImages, = images.google.com/images?hl=en&lr=&q=%s
HKU\S-1-5-21-691311170-1838169275-933237389-1009\Software\Microsoft\Internet Explorer\SearchURL\GoogleNews, = news.google.com/news?tab=gn&hl=en&ie=UTF-8&q=%s&btnG=Search+News
HKU\S-1-5-21-691311170-1838169275-933237389-1009\Software\Microsoft\Internet Explorer\SearchURL\KB, = support.microsoft.com/search/default.aspx?query=%s
HKU\S-1-5-21-691311170-1838169275-933237389-1009\Software\Microsoft\Internet Explorer\SearchURL\KBDLL, = support.microsoft.com/dllhelp/default.aspx?dlltype=file&l=55&alpha=%s&S=1
HKU\S-1-5-21-691311170-1838169275-933237389-1009\Software\Microsoft\Internet Explorer\SearchURL\Movies, = fandango.com/my_box_office.asp?searchby=2&txtCityZip=%s
HKU\S-1-5-21-691311170-1838169275-933237389-1009\Software\Microsoft\Internet Explorer\SearchURL\MSN, = search.msn.com/results.asp?q=%s
HKU\S-1-5-21-691311170-1838169275-933237389-1009\Software\Microsoft\Internet Explorer\SearchURL\Thesaurus, = thesaurus.reference.com/search?q=%s
HKU\S-1-5-21-691311170-1838169275-933237389-1009\Software\Microsoft\Internet Explorer\SearchURL\Weather, = weather.com/weather/local/%s
HKU\S-1-5-21-691311170-1838169275-933237389-1009\Software\Microsoft\Internet Explorer\SearchURL\Yahoo, = search.yahoo.com/search?p=%s
HKU\S-1-5-21-691311170-1838169275-933237389-1009\S-1-5-21-691311170-1838169275-933237389-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
HKU\S-1-5-21-691311170-1838169275-933237389-1009\S-1-5-21-691311170-1838169275-933237389-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1

O1 HOSTS File: (23 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (no name) - {8C760D34-E6A5-4111-BFE1-4EF0620B8ECA} - C:\WINDOWS\system32\clusapim.dll (Alcohol Soft Development Team)
O2 - BHO: () - {CE27CD53-6FFD-49C4-A72A-60B139E15E4B} - c:\WINDOWS\system32\qsjatud.dll ()
O3 - HKLM\..\Toolbar: (no name) - - Reg Error: Key does not exist or could not be opened. File not found
O3 - HKLM\..\Toolbar: (HP view) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll (Hewlett-Packard Company)
O3 - HKCU\..\Toolbar: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKCU\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key does not exist or could not be opened. File not found
O3 - HKCU\..\Toolbar: (no name) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll (Hewlett-Packard Company)
O3 - HKCU\..\Toolbar: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKCU\..\Toolbar: (no name) - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - Reg Error: Key does not exist or could not be opened. File not found
O3 - HKCU\..\Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - Reg Error: Key does not exist or could not be opened. File not found
O3 - HKCU\..\Toolbar: (no name) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll (Hewlett-Packard Company)
O3 - HKCU\..\Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - Reg Error: Key does not exist or could not be opened. File not found
O3 - HKU\.DEFAULT\..\Toolbar: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKU\.DEFAULT\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key does not exist or could not be opened. File not found
O3 - HKU\.DEFAULT\..\Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - Reg Error: Key does not exist or could not be opened. File not found
O3 - HKU\S-1-5-18\..\Toolbar: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKU\S-1-5-18\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key does not exist or could not be opened. File not found
O3 - HKU\S-1-5-18\..\Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - Reg Error: Key does not exist or could not be opened. File not found
O3 - HKU\S-1-5-21-691311170-1838169275-933237389-1009\..\Toolbar: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKU\S-1-5-21-691311170-1838169275-933237389-1009\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key does not exist or could not be opened. File not found
O3 - HKU\S-1-5-21-691311170-1838169275-933237389-1009\..\Toolbar: (no name) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll (Hewlett-Packard Company)
O3 - HKU\S-1-5-21-691311170-1838169275-933237389-1009\..\Toolbar: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKU\S-1-5-21-691311170-1838169275-933237389-1009\..\Toolbar: (no name) - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - Reg Error: Key does not exist or could not be opened. File not found
O3 - HKU\S-1-5-21-691311170-1838169275-933237389-1009\..\Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - Reg Error: Key does not exist or could not be opened. File not found
O3 - HKU\S-1-5-21-691311170-1838169275-933237389-1009\..\Toolbar: (no name) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll (Hewlett-Packard Company)
O3 - HKU\S-1-5-21-691311170-1838169275-933237389-1009\..\Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - Reg Error: Key does not exist or could not be opened. File not found
O4 - HKLM..\Run: [AGRSMMSG] "C:\WINDOWS\AGRSMMSG.exe" (Agere Systems)
O4 - HKLM..\Run: [Alcmtr] "C:\WINDOWS\ALCMTR.EXE" (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AlcWzrd] "C:\WINDOWS\ALCWZRD.EXE" (RealTek Semicoductor Corp.)
O4 - HKLM..\Run: [ccApp] - File not found
O4 - HKLM..\Run: [FLMOFFICE4DMOUSE] "C:\Program Files\Browser Mouse\MOffice.exe" ()
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] "C:\WINDOWS\system32\HDAudPropShortcut.exe" (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe" (Intel Corporation)
O4 - HKLM..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" (Hewlett-Packard)
O4 - HKLM..\Run: [HPHmon06] "C:\WINDOWS\system32\hphmon06.exe" (Hewlett-Packard)
O4 - HKLM..\Run: [HPHUPD06] "c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" (Hewlett-Packard)
O4 - HKLM..\Run: [hpsysdrv] "c:\windows\system\hpsysdrv.exe" (Hewlett-Packard Company)
O4 - HKLM..\Run: [ImInstaller_IncrediMail] "C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe" -startup -product IncrediMail File not found
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Computer, Inc.)
O4 - HKLM..\Run: [KBD] "C:\HP\KBD\KBD.EXE" (Hewlett-Packard Company)
O4 - HKLM..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\URGOKQQC\WAS5Scan[1].exe" File not found
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Computer, Inc.)
O4 - HKLM..\Run: [SoundMan] "C:\WINDOWS\SOUNDMAN.EXE" (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray (Webroot Software, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" (Symantec Corporation)
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc.)
O4 - HKLM..\Run: [Verizon Custom Uninstall Tracking] "C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\InstallHelper.exe" /uninstalltrackingvendor=Verizon File not found
O4 - HKLM..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN File not found
O4 - HKCU..\Run: [SFP] "C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE" /s File not found
O4 - HKCU..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" (Safer Networking Limited)
O4 - HKCU..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1 (AWS Convergence Technologies, Inc.)
O4 - HKU\S-1-5-21-691311170-1838169275-933237389-1009..\Run: [SFP] "C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE" /s File not found
O4 - HKU\S-1-5-21-691311170-1838169275-933237389-1009..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" (Safer Networking Limited)
O4 - HKU\S-1-5-21-691311170-1838169275-933237389-1009..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1 (AWS Convergence Technologies, Inc.)
O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] Narrator.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] Narrator.exe (Microsoft Corporation)
O4 - HKLM..\RunOnceEx: [] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe (Eastman Kodak Company)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe (Hewlett-Packard)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-691311170-1838169275-933237389-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Sites: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Sites: 2 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-691311170-1838169275-933237389-1009\..Trusted Sites: 2 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} http://forms.real.com/real/player/download...ne_Inst_Win.cab (Reg Error: Key does not exist or could not be opened.)
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} https://webdl.symantec.com/activex/symdlmgr.cab (Symantec Download Manager)
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx (Get_ActiveX Control)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} http://download.games.yahoo.com/games/web_...e/gpcontrol.cab (TikGames Online Control)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key does not exist or could not be opened.)
O18 - Protocol\Handler: - ipp - No CLSID value found
O18 - Protocol\Handler: - ipp\0x00000001 - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler: - msdaipp - No CLSID value found
O18 - Protocol\Handler: - msdaipp\0x00000001 - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler: - msdaipp\oledb - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler: - ms-itss - c:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler: - mso-offdap - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler: - mso-offdap11 - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - See sections below for AppInitDlls and Winlogon settings

========== Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
igfxcui: "DllName" = igfxsrvc.dll -- C:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)
nfhakpga: "DllName" = qsjatud.dll -- C:\WINDOWS\system32\qsjatud.dll ()

========== LSA *Authentication Packages* ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages" = msv1_0,OWS\S
>File not found --

========== Safeboot Options ==========

"AlternateShell" = cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT [PATH=%PATH%;C:\PROGRA~1\COMMON~1\MUVEET~1\030625 | ]
[2005/02/25 06:18:25 | 00,000,050 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

AUTOEXEC.BAT []
[2001/07/28 05:07:38 | 00,000,000 | -HS- | M] () -- D:\AUTOEXEC.BAT -- [ FAT32 ]

Autorun.inf [[AUTORUN] | ShellExecute=Info.exe protect.ed 480 480 | ]
[2004/04/30 21:01:14 | 00,000,053 | -HS- | M] () -- D:\Autorun.inf -- [ FAT32 ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{946850c5-1e27-11d9-baf0-806d6172696f}\Shell]
"" = AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{946850c5-1e27-11d9-baf0-806d6172696f}\Shell\AutoRun]
"" = Auto&Play

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{946850c5-1e27-11d9-baf0-806d6172696f}\Shell\AutoRun\command]
"" = D:\setup.exe -- File not found

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\*.tmp files]
[2008/11/25 12:33:18 | 00,418,304 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\HP_Owner\Desktop\OTListIt.exe
[2008/11/25 12:27:37 | 00,001,745 | ---- | C] () -- C:\Documents and Settings\HP_Owner\Desktop\HijackThis.lnk
[2008/11/25 12:27:36 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2008/11/25 11:05:26 | 00,028,544 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[2008/11/25 11:05:01 | 00,000,000 | ---D | C] -- C:\Program Files\Panda Security
[2008/11/25 11:05:00 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2008/11/25 11:00:48 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\qouwge.sys
[2008/11/25 10:07:41 | 00,000,944 | ---- | C] () -- C:\Documents and Settings\HP_Owner\Desktop\Spybot - Search & Destroy.lnk
[2008/11/25 10:07:31 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2008/11/25 10:07:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2008/11/24 20:07:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
[2008/11/24 13:44:11 | 00,917,504 | ---- | C] (Macromedia, Inc.) -- C:\WINDOWS\System32\FLASH.OCX
[2008/11/24 13:01:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner\My Documents\ARCHIVED EMAIL
[2008/11/24 10:14:14 | 00,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2008/11/24 10:14:14 | 00,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2008/11/24 10:01:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner\My Documents\BACKED UP FILES MY DOCUMENTS
[2008/11/23 08:47:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner\Application Data\Malwarebytes
[2008/11/23 08:47:14 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2008/11/23 08:47:14 | 00,000,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2008/11/23 08:47:11 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2008/11/23 08:47:09 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2008/11/23 08:47:09 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2008/11/20 16:32:23 | 00,001,826 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Bejeweled 2 Deluxe.lnk
[2008/11/20 10:47:34 | 00,620,006 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\Cat.DB
[2008/11/20 10:34:56 | 00,198,192 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\symtdi.sys
[2008/11/20 10:34:55 | 00,309,296 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\SymEFA.sys
[2008/11/20 10:34:55 | 00,089,904 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\symfw.sys
[2008/11/20 10:34:55 | 00,040,496 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\symndisv.sys
[2008/11/20 10:34:55 | 00,037,424 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\symndis.sys
[2008/11/20 10:34:55 | 00,034,608 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\symids.sys
[2008/11/20 10:34:55 | 00,024,752 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\symredrv.sys
[2008/11/20 10:34:55 | 00,013,089 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\SymNet.cat
[2008/11/20 10:34:55 | 00,003,373 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\SymEFA.inf
[2008/11/20 10:34:55 | 00,001,611 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\SymNet.inf
[2008/11/20 10:34:54 | 00,306,736 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\srtsp.sys
[2008/11/20 10:34:54 | 00,043,696 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\srtspx.sys
[2008/11/20 10:34:54 | 00,012,976 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\symdns.sys
[2008/11/20 10:34:54 | 00,008,428 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\SymEFA.cat
[2008/11/20 10:34:54 | 00,008,390 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\srtspx.cat
[2008/11/20 10:34:54 | 00,008,386 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\srtsp.cat
[2008/11/20 10:34:54 | 00,001,388 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\srtspx.inf
[2008/11/20 10:34:54 | 00,001,382 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\srtsp.inf
[2008/11/20 10:34:52 | 00,255,536 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\BHDrvx86.sys
[2008/11/20 10:34:52 | 00,008,382 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\BHDrvx86.CAT
[2008/11/20 10:34:52 | 00,000,640 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\BHDrvx86.inf
[2008/11/20 10:33:52 | 00,000,172 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\isolate.ini
[2008/11/20 10:33:52 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NAV\1001000.021
[2008/11/20 09:22:47 | 00,035,888 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SymIM.sys
[2008/11/20 09:22:44 | 00,124,464 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2008/11/20 09:22:44 | 00,060,808 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2008/11/20 09:22:44 | 00,010,635 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2008/11/20 09:22:44 | 00,000,806 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2008/11/20 09:22:37 | 00,002,091 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Norton AntiVirus.lnk
[2008/11/20 09:22:06 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NAV
[2008/11/20 09:22:04 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Sidebar
[2008/11/20 09:21:42 | 00,000,000 | ---D | C] -- C:\Program Files\NortonInstaller
[2008/11/19 14:24:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner\Application Data\Mozilla
[2008/11/19 14:24:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner\Local Settings\Application Data\tdfjfgji
[2008/11/19 14:24:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner\Application Data\tdfjfgji
[2008/11/15 06:29:29 | 00,016,896 | ---- | C] () -- C:\WINDOWS\System32\bw7nir4b.exe
[2008/11/15 06:28:56 | 00,000,434 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2008/11/15 06:28:31 | 00,098,816 | ---- | C] (Alcohol Soft Development Team) -- C:\WINDOWS\System32\clusapim.dll
[2008/11/12 09:19:07 | 00,455,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mrxsmb.sys
[2008/11/12 09:18:56 | 01,106,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msxml3.dll

========== Files - Modified Within 30 Days ==========

[20 C:\WINDOWS\System32\*.tmp files]
[1 C:\WINDOWS\*.tmp files]
[2008/11/25 12:33:18 | 00,418,304 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Owner\Desktop\OTListIt.exe
[2008/11/25 12:27:37 | 00,001,745 | ---- | M] () -- C:\Documents and Settings\HP_Owner\Desktop\HijackThis.lnk
[2008/11/25 11:00:48 | 00,061,440 | ---- | M] () -- C:\WINDOWS\System32\drivers\qouwge.sys
[2008/11/25 10:50:27 | 00,000,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2008/11/25 10:46:18 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2008/11/25 10:44:49 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2008/11/25 10:44:45 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2008/11/25 10:44:44 | 10,646,85568 | -HS- | M] () -- C:\hiberfil.sys
[2008/11/25 10:39:39 | 05,890,576 | -H-- | M] () -- C:\Documents and Settings\HP_Owner\Local Settings\Application Data\IconCache.db
[2008/11/25 10:07:41 | 00,000,944 | ---- | M] () -- C:\Documents and Settings\HP_Owner\Desktop\Spybot - Search & Destroy.lnk
[2008/11/25 09:58:04 | 00,002,497 | ---- | M] () -- C:\Documents and Settings\HP_Owner\Desktop\Microsoft Office Word 2003.lnk
[2008/11/24 20:54:28 | 00,002,521 | ---- | M] () -- C:\Documents and Settings\HP_Owner\Desktop\EMAIL.lnk
[2008/11/24 20:08:14 | 00,445,458 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2008/11/24 20:08:14 | 00,384,596 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2008/11/24 20:08:14 | 00,054,280 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2008/11/24 18:52:54 | 00,000,434 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2008/11/24 13:44:11 | 00,917,504 | ---- | M] (Macromedia, Inc.) -- C:\WINDOWS\System32\FLASH.OCX
[2008/11/24 13:39:44 | 00,000,847 | ---- | M] () -- C:\WINDOWS\win.ini
[2008/11/24 13:00:02 | 00,001,692 | ---- | M] () -- C:\WINDOWS\tasks\wrSpySweeper_L8426DC16FCF345DE92DE2F2DDAB65B37.job
[2008/11/24 10:14:33 | 00,001,755 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2008/11/24 10:14:14 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2008/11/24 10:14:14 | 00,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2008/11/22 09:18:00 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2008/11/21 10:21:40 | 00,122,880 | ---- | M] () -- C:\Documents and Settings\HP_Owner\Desktop\WEEKLY POOL PRINTOUT.doc
[2008/11/20 16:32:23 | 00,001,826 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Bejeweled 2 Deluxe.lnk
[2008/11/20 10:48:56 | 00,002,091 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Norton AntiVirus.lnk
[2008/11/20 10:47:46 | 00,620,006 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\Cat.DB
[2008/11/20 10:33:52 | 00,000,172 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\isolate.ini
[2008/11/20 09:22:44 | 00,124,464 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2008/11/20 09:22:44 | 00,060,808 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2008/11/20 09:22:44 | 00,010,635 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2008/11/20 09:22:44 | 00,000,806 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2008/11/20 09:22:36 | 00,198,192 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\symtdi.sys
[2008/11/20 09:22:36 | 00,040,496 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\symndisv.sys
[2008/11/20 09:22:36 | 00,037,424 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\symndis.sys
[2008/11/20 09:22:36 | 00,035,888 | R--- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SymIM.sys
[2008/11/20 09:22:36 | 00,034,608 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\symids.sys
[2008/11/20 09:22:36 | 00,024,752 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\symredrv.sys
[2008/11/20 09:22:35 | 00,089,904 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\symfw.sys
[2008/11/20 09:22:34 | 00,012,976 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\symdns.sys
[2008/11/19 12:58:27 | 00,001,692 | ---- | M] () -- C:\WINDOWS\tasks\wrSpySweeper_LFD35ABAF75F84190804C495313906639.job
[2008/11/15 06:29:22 | 00,016,896 | ---- | M] () -- C:\WINDOWS\System32\bw7nir4b.exe
[2008/11/13 05:13:29 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2008/11/07 20:40:40 | 00,002,495 | ---- | M] () -- C:\Documents and Settings\HP_Owner\Desktop\Microsoft Office Excel 2003.lnk
[2008/11/04 20:25:03 | 00,309,296 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\SymEFA.sys
[2008/11/04 20:25:03 | 00,306,736 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\srtsp.sys
[2008/11/04 20:25:03 | 00,255,536 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\BHDrvx86.sys
[2008/11/04 20:25:03 | 00,043,696 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1001000.021\srtspx.sys
[2008/11/04 20:24:59 | 00,003,373 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\SymEFA.inf
[2008/11/04 20:24:59 | 00,001,611 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\SymNet.inf
[2008/11/04 20:24:59 | 00,001,388 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\srtspx.inf
[2008/11/04 20:24:59 | 00,001,382 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\srtsp.inf
[2008/11/04 20:24:59 | 00,000,640 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\BHDrvx86.inf
[2008/11/04 20:24:55 | 00,013,089 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\SymNet.cat
[2008/11/04 20:24:55 | 00,008,428 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\SymEFA.cat
[2008/11/04 20:24:55 | 00,008,390 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\srtspx.cat
[2008/11/04 20:24:55 | 00,008,386 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\srtsp.cat
[2008/11/04 20:24:55 | 00,008,382 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1001000.021\BHDrvx86.CAT
[2008/11/03 16:10:25 | 17,318,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe

< End of report >

h2otech1

Nov 25 2008, 08:44 PM

And the OTListIt's Extras Log File: Again, thanks for all of your help, cause I no idea what all this means!!!!!!!!!

OTListIt Extras logfile created on: 11/25/2008 12:40:00 PM - Run
OTListIt by OldTimer - Version 1.0.12.0 Folder = C:\Documents and Settings\HP_Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1015.29 Mb Total Physical Memory | 492.91 Mb Available Physical Memory | 48.55% Memory free
2.39 Gb Paging File | 1.95 Gb Available in Paging File | 81.68% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 179.33 Gb Total Space | 158.95 Gb Free Space | 88.63% Space Free | Partition Type: NTFS
Drive D: | 6.96 Gb Total Space | 1.84 Gb Free Space | 26.41% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-4F1261A8E5
Current User Name: HP_Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2006/10/30 09:36:32 | 15,338,560 | ---- | M] (Apple Computer, Inc.) -- %ProgramFiles%\iTunes\iTunes.exe:*:enabled:iTunes
[2008/04/13 10:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2005/02/25 05:49:52 | 00,045,056 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe:*:Enabled:BackWeb for Pavilion
File not found -- C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
[2004/02/13 13:12:08 | 00,016,423 | ---- | M] () -- C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater
File not found -- C:\Documents and Settings\HP_Owner\My Documents\My PSP Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire
File not found -- C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\NHW8CZ33\incredimail_install[1].exe:*:Enabled:IncrediMail Installer
File not found -- C:\Documents and Settings\HP_Owner\Local Settings\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe:*:Enabled:IncrediMail Installer
[2006/10/30 09:36:32 | 15,338,560 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
[2008/04/13 10:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2008/08/21 12:59:55 | 00,147,456 | ---- | M] (Lime Wire, LLC) -- C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire
[2008/11/15 06:29:22 | 00,016,896 | ---- | M] () -- C:\WINDOWS\system32\bw7nir4b.exe:*:Disabled:bw7nir4b

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}" = Notifier
"{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}" = Symantec KB-DocID:2003093015493306
"{0C66761E-497A-4BE3-AE0D-8EC30FC9A9AA}" = PC-Doctor for Windows
"{0DC86BEC-5CE3-413A-BB61-C40A3D186B24}" = Scan
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{0FF18B53-CA57-40BB-B562-21A27B662005}" = 1600
"{10E98E14-832C-4AF7-A4D1-6A9EF83B282E}" = VCAMCEN
"{14589F05-C658-4594-9429-D437BA688686}" = IntelliMover Data Transfer Demo
"{14BEB6DF-A499-4A38-8E06-E173BCD5C087}" = ScannerCopy
"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD
"{17293791-C82E-476C-9997-9A0FF234A19B}" = HP Product Assistant
"{181821B7-82AA-44DA-9DAF-EF254CCB670A}" = Fax
"{1A103D70-5C9B-4E1A-B306-5106C68F9914}" = Microsoft Plus! Dancer LE
"{1AD5F465-8282-4DAD-B957-E09C0B783D18}" = InstantShare
"{1B680FBA-E317-4E93-AF43-3B59798A4BE0}" = Copy
"{20FBC0A0-3160-4F14-83ED-3A74BB6B8C31}" = TrayApp
"{272EC8BA-5A08-4ea1-A189-684466A06B02}" = cp_dwShrek2Albums1
"{28CFF19D-B92C-4109-A427-F75505E81688}" = cp_dwSharkTaleAlbums1
"{2DBE41DD-2129-4C65-A3D3-5647236A60F3}" = Quicken 2005
"{2E8428AD-6CD2-4031-916A-3CF9BBF2DEC9}" = Unload
"{2FCE4FC5-6930-40E7-A4F1-F862207424EF}" = InterVideo WinDVD Creator
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{342C7C88-D335-4bc2-8CF1-281857629CE2}" = HP PSC & OfficeJet 4.7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36FCD82D-1CED-436d-B33C-874EEC666D68}" = cp_dwSharkTaleCards1
"{36FDBE6E-6684-462B-AE98-9A39A1B200CC}" = HP Product Assistant
"{3762DB2D-71BD-421F-9E55-C74DA7DF4D07}" = CueTour
"{38441BE7-79B0-42B8-8297-833704F949FE}" = HLPIndex
"{391E18CE-7D3B-45E9-A8F0-34E77F14F47A}" = ProductContext
"{3AEF2F6C-F1D3-47CD-BF3B-A327F1FABE58}" = PSPrinters06
"{3CA39B0C-BA85-4D42-AC0F-1FF5F60C3353}" = OTtBPSDK
"{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}" = Google Earth
"{3F5B6210-0903-4DC6-8034-8F488AA3A782}" = Spy Sweeper Core
"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}" = Microsoft Works
"{442BE28B-782B-4DC0-B490-E70A403B1C69}" = Readme
"{446DBFFA-4088-48E3-8932-74316BA4CAE4}" = iTunes
"{469730CC-78DF-4CD3-B286-562D459EA619}" = ESSCAM
"{48C82F7A-F100-4DAB-A310-8E18BF2159E1}" = ESSvpot
"{4C04DF1B-6A39-4299-9DD1-1FA60000266E}" = HP Photosmart Cameras 4.0
"{4F677FC7-7AA8-412B-A957-F13CBE1C7331}" = ESSSONIC
"{50D8FFDD-90CD-4859-841F-AA1961C7767A}" = QuickTime
"{5421155F-B033-49DB-9B33-8F80F233D4D5}" = GdiplusUpgrade
"{55508A44-8225-47AB-9666-1F57A5B5CE2E}" = CP_PLSBusinessFlyers
"{5E8D588F-307C-4250-B622-26969027319A}" = PanoStandAlone
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr
"{644D04A2-C682-4FD5-977D-03B804C4B9C5}" = CreativeProjects
"{646A65DD-23FC-418E-B9F0-E0500FB42CB1}" = PhotoGallery
"{64D5E9DE-7890-4FB0-8865-8B24BE1773F7}" = LightScribe 1.4.42.1
"{655CB07D-C944-40BE-B93F-55957CAC7625}" = AiO_Scan
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Sonic Express Labeler
"{68963635-14A4-48D9-B431-DF3A74D1AAE1}" = Destinations
"{69BD6399-3D8F-45B7-81D9-819361F5101D}" = PCDLNCH
"{6B350CA4-0031-0002-3757-34999AD85AEC}" = InterVideo WinDVD Creator
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{700A6597-3CE6-49C1-AA75-846B24CDA66D}" = BufferChm
"{70DECFBF-9119-4434-B2D3-A3C283D15E45}" = WeatherBug
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{724517BD-1DE1-4986-BFCA-C1DFD379E3BC}" = cp_dwShrek2Cards1
"{725249C3-B94C-4141-8799-0D3BA43D0812}" = CameraDrivers
"{76F8CB2B-6516-4E1E-B6F1-AED4ABDB4B0A}_is1" = Spy Sweeper
"{7AD25C9F-9957-4D1C-95EF-9BCD09F6D31B}" = HPSystemDiagnostics
"{7B98685A-4E21-4A4F-A2D6-DC557042BADA}" = HPIZplus450
"{84CDF5A8-1D57-4B69-BAB6-1F11D8923375}" = SkinsHP1
"{85CFD253-38AE-4DB1-ACB7-F0F4C791990D}" = AiOSoftware
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{87843A41-7808-4F2E-B13F-25C1E67CF2FD}" = ESShelp
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{8BB4B58A-A402-4DE8-8FCD-287E60B88DD8}" = ESSCT
"{8BBF6DFD-0AD9-43A7-9FBD-BF065E3866AF}" = URGE
"{8BC3B99B-A6BE-4A0B-8535-B1B94BA4B1B1}" = DocProc
"{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90510409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Visio Professional 2003
"{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD Player
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!
"{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL
"{9CB2512B-3EC4-43DF-8002-46BDAB5EDD1B}" = QuickProjects
"{9D1CF8B6-17B3-4832-B062-2C2DD0B57B04}" = CCHelp
"{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}" = ESScore
"{9EEBF8D5-8712-4D1D-88F4-4CDC2D270BC3}" = PrintScreen
"{A0AF08BA-3630-4505-BFB2-A41F3837B0D0}" = SFR2
"{A5B3EB8A-4071-42F0-8E8E-7A8342AA8E69}" = ESSvpaht
"{A5B9D22C-755A-4AC6-9904-875E80838BB6}" = CP_AtenaShokunin1Config
"{A6F18A67-B771-4191-8A33-36D2E742D6D9}" = ESSANUP
"{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}" = Photosmart 320,370,7400,8100,8400 Series
"{AADAC983-FDE9-42FA-8FD9-7BB324155593}" = HLPRFO
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK
"{B103C8A7-D1CC-4B1A-BD41-883F652E097D}" = muvee autoProducer 3.5 magicMoments - HPD
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore
"{B911B811-BA3E-46D4-90F8-6F3338359651}" = Director
"{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}" = KSU
"{BD29EBAC-AD7D-4b27-B727-4CC6AC52D36B}" = MarketResearch
"{C354C9B6-A4E0-4BB0-A368-6DC6BCA0E314}" = SFR
"{C3F058C0-A21C-452D-8D99-95B1A45F417D}" = InterVideo DiscLabel
"{CA60320D-6A16-49C8-A34F-84EEF4799567}" = ESSTUTOR
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CB449D5A-7710-47aa-B9F5-352B877C90E6}" = 1600_Help
"{CDFCF124-115F-4976-8BF4-08C89187A146}" = WebReg
"{CE0C8CC5-E396-442B-A50E-D1D374A9E820}" = DocumentViewer
"{D0122362-6333-4DE4-93F6-A5A2F3CC101A}" = HP Organize
"{D0420D64-8D33-4374-A2B2-9225C7925CA6}" = HP Image Zone Plus 4.5.3
"{D15E9DB5-6BEB-4534-901E-80C0A29BAB97}" = ESSAdpt
"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software
"{D42B6F90-1084-4C9B-AF28-958926E6E32E}" = LP_Flash
"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
"{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}" = LiveUpdate Notice (Symantec Corporation)
"{E2EFF20D-30BF-4907-B1FD-B7EBCED798D6}" = HPHDiscovery
"{F2D0C1B1-80FF-46F9-BA61-33B01A07FAFC}" = HLPCCTR
"{F419D20A-7719-4639-8E30-C073A040D878}" = HP Deskjet Preloaded Printer Drivers
"{F4C6CC40-1142-49be-A28C-7BBD36F0B41A}" = 1600Trb
"{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}" = OTtBP
"{FC22D020-3005-4715-8DF9-F3EDE81DEB3D}" = CreativeProjectsTemplates
"{FE57DE70-95DE-4B64-9266-84DA811053DB}" = HP Update
"{FEE5C812-51C7-4A6B-9DC0-4618AC9F6BD4}" = JD2 Tube Bend App.
"Absolute Poker Basic" = Absolute Poker Basic
"ActiveScan 2.0" = Panda ActiveScan 2.0
"Agere Systems Soft Modem" = Agere Systems PCI Soft Modem
"BackWeb-309731 Uninstaller" = Updates from HP
"Bejeweled 2 Deluxe" = Bejeweled 2 Deluxe (remove only)
"Browser Mouse" = Browser Mouse
"Help and Support Additions" = Help and Support Additions
"HijackThis" = HijackThis 2.0.2
"HP Photo & Imaging" = HP Image Zone 4.7
"HPExtendedCapabilities" = HP Extended Capabilities 4.7
"InstallShield_{0C66761E-497A-4BE3-AE0D-8EC30FC9A9AA}" = PC-Doctor for Windows
"InstallShield_{2DBE41DD-2129-4C65-A3D3-5647236A60F3}" = Quicken 2005
"LimeWire" = LimeWire 4.18.6
"LiveUpdate" = LiveUpdate 3.2 (Symantec Corporation)
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NAV" = Norton AntiVirus
"Pdf995" = Pdf995
"PdfEdit995" = PdfEdit995
"Pro Media Director_is1" = Pro Media Director Version 1.1.1.1
"PS2" = PS2
"RadialpointClientGateway_is1" = Verizon Servicepoint 1.5.12
"RealPlayer 6.0" = RealPlayer
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"Sierra Utilities" = Sierra Utilities
"TaxCut Basic 2006" = TaxCut Basic 2006
"TaxCut Standard 2005" = TaxCut Standard 2005
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/16/2008 3:30:29 PM | Computer Name = YOUR-4F1261A8E5 | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module unknown, version 0.0.0.0, fault address 0x0009586f.

Error - 11/19/2008 2:36:56 AM | Computer Name = YOUR-4F1261A8E5 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module ntdll.dll, version 5.1.2600.5512, fault address 0x000100c8.

Error - 11/20/2008 1:21:56 PM | Computer Name = YOUR-4F1261A8E5 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.5512, faulting
module unknown, version 0.0.0.0, fault address 0x0c4f740d.

Error - 11/21/2008 9:42:32 AM | Computer Name = YOUR-4F1261A8E5 | Source = Automatic LiveUpdate Scheduler | ID = 101
Description = Information Level: error Initialization of the COM subsystem failed.
Error code: 0x80080005

Error - 11/23/2008 5:09:11 PM | Computer Name = YOUR-4F1261A8E5 | Source = ESENT | ID = 490
Description = wuauclt (2792) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.chk"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 11/23/2008 5:09:21 PM | Computer Name = YOUR-4F1261A8E5 | Source = ESENT | ID = 490
Description = wuauclt (2792) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 11/23/2008 5:20:41 PM | Computer Name = YOUR-4F1261A8E5 | Source = ESENT | ID = 490
Description = wuauclt (1380) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.chk"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 11/23/2008 5:20:51 PM | Computer Name = YOUR-4F1261A8E5 | Source = ESENT | ID = 490
Description = wuauclt (1380) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 11/24/2008 2:34:55 PM | Computer Name = YOUR-4F1261A8E5 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module unknown, version 0.0.0.0, fault address 0x026823ac.

Error - 11/25/2008 1:13:10 AM | Computer Name = YOUR-4F1261A8E5 | Source = pctsSvc.exe | ID = 0
Description =

[ System Events ]
Error - 11/24/2008 11:53:15 PM | Computer Name = YOUR-4F1261A8E5 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring
the volume.

Error - 11/24/2008 11:53:37 PM | Computer Name = YOUR-4F1261A8E5 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
IDSxpx86

Error - 11/25/2008 12:36:41 AM | Computer Name = YOUR-4F1261A8E5 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring
the volume.

Error - 11/25/2008 12:37:00 AM | Computer Name = YOUR-4F1261A8E5 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
IDSxpx86

Error - 11/25/2008 12:44:05 AM | Computer Name = YOUR-4F1261A8E5 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
IDSxpx86

Error - 11/25/2008 1:16:38 AM | Computer Name = YOUR-4F1261A8E5 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
IDSxpx86

Error - 11/25/2008 1:29:00 AM | Computer Name = YOUR-4F1261A8E5 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
IDSxpx86

Error - 11/25/2008 1:52:09 PM | Computer Name = YOUR-4F1261A8E5 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
IDSxpx86

Error - 11/25/2008 2:41:47 PM | Computer Name = YOUR-4F1261A8E5 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
IDSxpx86

Error - 11/25/2008 2:45:35 PM | Computer Name = YOUR-4F1261A8E5 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
IDSxpx86

< End of report >

Raid

Nov 25 2008, 08:47 PM

Looks like we have a few trojans remaining...

C:\WINDOWS\system32\clusapim.dll
c:\windows\system32\qsjatud.dll

Can you zip both of these please, and send them to uploads.malwarebytes.org

h2otech1

Nov 25 2008, 10:42 PM

I tried to zip the clusapim file but I get an error message of file not found.

I did the same w/ the qsjatud file and it seems like it zipped, but I don't know where to find the folder. Sorry, not real familiar w/ zipping.

I then tried to upload the files using your supplied upload link and got a message that the clusapim was not found.

Don't mean to be a pain in the A$$, but I am not that PC savy.

Thank again, really!!!!!!!!!

Raid

Nov 26 2008, 05:12 AM

That's okay. In this case, lets just have you follow these instructions. I won't worry too much about collecting samples in your case.

Please download and run the Trend Micro Sysclean Package on your computer.
NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.

Trend Micro Damage Cleanup Engine

Make sure you read this document to understand how to use the program. Trend Micro Sysclean Package README 1st
Basically there are 3 parts that need to be downloaded from these links:

Sysclean Package
Virus Pattern Files
Spyware Pattern Files

As an example on 2008-10-17 the files to download are: sysclean.com | lpt605.zip | ssapiptn697.zip
NOTE! These file names are examples and you must visit Trend Micro for the very latest files which may have different names.
Create a brand new folder to copy these files to.
As an example: C:\DCE
Then open each of the zipped archive files and copy their contents to C:\DCE
Copy the file sysclean.com to the new folder C:\DCE as well.
Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.

After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.

This self-extracting archive is a stand-alone fix package that incorporates the Trend Micro VSAPI Malware and Spyware scanning engines as well as the Trend Micro Damage Cleanup Engine and Template.
This tool supports the following features:
o Terminate all detected malware/spyware instances in memory
o Remove malware/spyware registry entries
o Remove malware/spyware entries from system files
o Scan for and delete all detected malware/spyware copies in all local drives

How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista

h2otech1

Nov 26 2008, 05:29 PM

Thanks Raid, I will tackle this later on today. After all the scans and cleaning, everthing seems to running good right now, at least at the level at was last week prior to all of this. Do you think we need to continue? Does every PC need zero viruses / trojans to run effeciently? If one exists that you cannot get rid of, will it propogate others to intrude?

On a side note, I had just renewed norton about 4 weeks ago and it did nothing to catch any of this. Co-workers have suggested not using norton and instead use AVG. I uninstalled norton late yesterday and installed AVG. So, hopefully the risk will be more minimal than before???

Thank again!!!!!!!

Raid

Nov 27 2008, 02:58 AM

QUOTE (h2otech1 @ Nov 26 2008, 12:29 PM)

We have a few more things left to do, to ensure your system is Clean and will hopefully remain that way. PC's shouldn't have any viruses/trojans or other forms of malware on them. At the very least, they steal resources from you. Be it hard disk space for physically storing them, to abusing network/cpu resources.

I've never personally been a fan of Norton. AVG is a decent scanner, but is more prone to false positives than some others; due to it's hueristics engine.

h2otech1

Nov 27 2008, 05:16 AM

Again............................ YOU ROCK!!!!!!!!!!!!!!!

OK, did not get to this today for all seems OK. I will continue hopefully tomorrow morning????? TXgiving and all. I will continue w/ your advice and try to fully eradicate these l'll bastards!!!!!!

If you don't hear from me, its because I'm off to the dezert for the weekend.............

Happy Turkey Day, and again......................... THANK YOU!!!!!!!!!!!!!!!!!!!!!!!!

h2otech1

Dec 2 2008, 10:52 PM

Raid-

Ok, finally got back to dealing with this. Here is the sysclean log file:

/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006-2007, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/

2008-12-02, 11:34:25, Auto-clean mode specified.
2008-12-02, 11:34:26, Initialized Rootkit Driver version 2.2.0.1004.
2008-12-02, 11:34:26, Running scanner "C:\MALWARE CLEANUP\TSC.BIN"...
2008-12-02, 11:35:16, Scanner "C:\MALWARE CLEANUP\TSC.BIN" has finished running.
2008-12-02, 11:35:16, TSC Log:

ÿþD a m a g e C l e a n u p E n g i n e ( D C E ) 6 . 0 ( B u i l d 1 0 6 4 )

W i n d o w s X P ( B u i l d 2 6 0 0 : S e r v i c e P a c k 3 )

S t a r t t i m e : T u e D e c 0 2 2 0 0 8 1 1 : 3 4 : 3 0

L o a d D a m a g e C l e a n u p T e m p l a t e ( D C T ) " C : \ M A L W A R E C L E A N U P \ T M R D C T . p t n " ( v e r s i o n ) [ f a i l ]

L o a d D a m a g e C l e a n u p T e m p l a t e ( D C T ) " C : \ M A L W A R E C L E A N U P \ t s c . p t n " ( v e r s i o n 9 9 3 ) [ s u c c e s s ]

C o m p l e t e t i m e : T u e D e c 0 2 2 0 0 8 1 1 : 3 5 : 1 6

E x e c u t e p a t t e r n c o u n t ( 3 0 3 1 ) , V i r u s f o u n d c o u n t ( 0 ) , V i r u s c l e a n c o u n t ( 0 ) , C l e a n f a i l e d c o u n t ( 0 )

2008-12-02, 11:35:16, Running scanner "C:\MALWARE CLEANUP\VSCANTM.BIN"...
2008-12-02, 12:49:11, Scanner "C:\MALWARE CLEANUP\VSCANTM.BIN" has finished running.
2008-12-02, 12:49:11, VSCANTM Log:

2008-12-02, 12:49:11, Files Detected:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 12/2/2008 11:35:17
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 685 (340188/340188 Patterns) (2008/12/01) (568500)

Command Line: C:\MALWARE CLEANUP\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\MALWARE CLEANUP\lpt$vpn.685

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eZulaHotText.zip [WORM_BAGLE.GEN-1]
93051 files have been read.
93051 files have been checked.
92875 files have been scanned.
328395 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At: 12/2/2008 12:49:11 1 hour 13 minutes 53 seconds (4432.66 seconds) has elapsed.(47.637 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2008-12-02, 12:49:11, Files Clean:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 12/2/2008 11:35:17
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 685 (340188/340188 Patterns) (2008/12/01) (568500)

Command Line: C:\MALWARE CLEANUP\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\MALWARE CLEANUP\lpt$vpn.685

93051 files have been read.
93051 files have been checked.
92875 files have been scanned.
328395 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At: 12/2/2008 12:49:11 1 hour 13 minutes 53 seconds (4432.66 seconds) has elapsed.(47.637 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2008-12-02, 12:49:11, Clean Fail:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 12/2/2008 11:35:17
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 685 (340188/340188 Patterns) (2008/12/01) (568500)

Command Line: C:\MALWARE CLEANUP\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\MALWARE CLEANUP\lpt$vpn.685

93051 files have been read.
93051 files have been checked.
92875 files have been scanned.
328395 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At: 12/2/2008 12:49:11 1 hour 13 minutes 53 seconds (4432.66 seconds) has elapsed.(47.637 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2008-12-02, 12:49:11, Running scanner "C:\MALWARE CLEANUP\VSCANTM.BIN"...
2008-12-02, 13:19:30, Scanner "C:\MALWARE CLEANUP\VSCANTM.BIN" has finished running.
2008-12-02, 13:19:30, VSCANTM Log:

2008-12-02, 13:19:30, Files Detected:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 12/2/2008 12:49:13
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 685 (340188/340188 Patterns) (2008/12/01) (568500)

Command Line: C:\MALWARE CLEANUP\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR D:\*.* /P=C:\MALWARE CLEANUP\lpt$vpn.685

11415 files have been read.
11415 files have been checked.
11415 files have been scanned.
36687 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 12/2/2008 13:19:30 30 minutes 16 seconds (1815.78 seconds) has elapsed.(159.070 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2008-12-02, 13:19:30, Files Clean:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 12/2/2008 12:49:13
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 685 (340188/340188 Patterns) (2008/12/01) (568500)

Command Line: C:\MALWARE CLEANUP\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR D:\*.* /P=C:\MALWARE CLEANUP\lpt$vpn.685

11415 files have been read.
11415 files have been checked.
11415 files have been scanned.
36687 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 12/2/2008 13:19:30 30 minutes 16 seconds (1815.78 seconds) has elapsed.(159.070 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2008-12-02, 13:19:30, Clean Fail:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 12/2/2008 12:49:13
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 685 (340188/340188 Patterns) (2008/12/01) (568500)

Command Line: C:\MALWARE CLEANUP\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR D:\*.* /P=C:\MALWARE CLEANUP\lpt$vpn.685

11415 files have been read.
11415 files have been checked.
11415 files have been scanned.
36687 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 12/2/2008 13:19:30 30 minutes 16 seconds (1815.78 seconds) has elapsed.(159.070 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2008-12-02, 13:19:30, Running SSAPI scanner ""...
2008-12-02, 14:27:06, SSAPI Log:

SSAPI Scanner Version: 1.0.1003
SSAPI Engine Version: 5.2.1032
SSAPI Pattern Version: 7.09
SSAPI Anti-Rootkit Version: 2.2.0.1004

Spyware Scan Started: 12/02/2008 13:19:40

SSAPI requires the system to reboot.
Detected Items:
[CLEAN SUCCESS][Cookie_LivePerson] Internet Explorer Cache\server.iad.liveperson.net,Cookie:hp_owner@server.iad.liveperson.net/hc/19452074,C:\Documents and Settings\HP_Owner\Cookies\hp_owner@19452074[2].txt
[CLEAN SUCCESS][Cookie_InsightExpressAI] Internet Explorer Cache\insightexpressai.com,Cookie:hp_owner@insightexpressai.com/,C:\Documents and Settings\HP_Owner\Cookies\hp_owner@insightexpressai[2].txt
[CLEAN SUCCESS][Cookie_Revsci] Internet Explorer Cache\revsci.net,Cookie:hp_owner@revsci.net/,C:\Documents and Settings\HP_Owner\Cookies\hp_owner@revsci[1].txt
[CLEAN SUCCESS][Adware_BHO_MySearch] SOFTWARE\Classes\CLSID\{014DA6CE-189F-421a-88CD-07CFE51CFF10}\
Detected: 4 items.
Cleaned Success: 4 items.
Clean Failed: 0 items.

Spyware Scan Ended: 12/02/2008 14:27:04
Scan Complete. Time=4049.762451.

Raid

Dec 3 2008, 01:52 AM

How is the computer running now? Are you still having trouble?

Please post a fresh hijackthislog.

h2otech1

Dec 3 2008, 05:36 PM

Raid-

The PC seems to be running at normal now, the same as it was prior to recieving these bugs. Speed is ok, resources are ok. Here is the HiJack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:34:49 AM, on 12/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hphmon06.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Browser Mouse\MOffice.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Browser Mouse\MOUSE32A.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\HP\KBD\KBD.EXE
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\EJ23QHYF\HiJackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {8C760D34-E6A5-4111-BFE1-4EF0620B8ECA} - C:\WINDOWS\system32\clusapim.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {CE27CD53-6FFD-49C4-A72A-60B139E15E4B} - c:\windows\system32\qsjatud.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [AGRSMMSG] "C:\WINDOWS\AGRSMMSG.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] "C:\WINDOWS\SOUNDMAN.EXE"
O4 - HKLM\..\Run: [AlcWzrd] "C:\WINDOWS\ALCWZRD.EXE"
O4 - HKLM\..\Run: [Alcmtr] "C:\WINDOWS\ALCMTR.EXE"
O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\URGOKQQC\WAS5Scan[1].exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon06] "C:\WINDOWS\system32\hphmon06.exe"
O4 - HKLM\..\Run: [ImInstaller_IncrediMail] "C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe" -startup -product IncrediMail
O4 - HKLM\..\Run: [hpsysdrv] "c:\windows\system\hpsysdrv.exe"
O4 - HKLM\..\Run: [HPHUPD06] "c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] "C:\WINDOWS\system32\HDAudPropShortcut.exe"
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] "C:\Program Files\Browser Mouse\MOffice.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KBD] "C:\HP\KBD\KBD.EXE"
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [Verizon Custom Uninstall Tracking] "C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\InstallHelper.exe" /uninstalltrackingvendor=Verizon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] -
O4 - HKLM\..\Run: [AVG8_TRAY] "C:\PROGRA~1\AVG\AVG8\avgtray.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [SFP] "C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE" /s
O4 - HKCU\..\Run: [Weather] "C:\Program Files\AWS\WeatherBug\Weather.exe" 1
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...e/gpcontrol.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: nfhakpga - C:\WINDOWS\SYSTEM32\qsjatud.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10020 bytes

Raid

Dec 4 2008, 12:10 AM

QUOTE (h2otech1 @ Dec 3 2008, 12:36 PM)

Raid-

The PC seems to be running at normal now, the same as it was prior to recieving these bugs. Speed is ok, resources are ok. Here is the HiJack log:

Great. Go ahead and open Hijackthis, select the following:

O2 - BHO: (no name) - {8C760D34-E6A5-4111-BFE1-4EF0620B8ECA} - C:\WINDOWS\system32\clusapim.dll
O2 - BHO: (no name) - {CE27CD53-6FFD-49C4-A72A-60B139E15E4B} - c:\windows\system32\qsjatud.dll
O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\URGOKQQC\WAS5Scan[1].exe"
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: nfhakpga - C:\WINDOWS\SYSTEM32\qsjatud.dll

Hit Fix, restart your PC, post a fresh hijackthislog.

h2otech1

Dec 4 2008, 09:49 PM

Raid, here ya go, the log file from Hijack

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:48:19 PM, on 12/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hphmon06.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Browser Mouse\MOffice.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Browser Mouse\MOUSE32A.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {8C760D34-E6A5-4111-BFE1-4EF0620B8ECA} - C:\WINDOWS\system32\clusapim.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {CE27CD53-6FFD-49C4-A72A-60B139E15E4B} - c:\windows\system32\qsjatud.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [AGRSMMSG] "C:\WINDOWS\AGRSMMSG.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] "C:\WINDOWS\SOUNDMAN.EXE"
O4 - HKLM\..\Run: [AlcWzrd] "C:\WINDOWS\ALCWZRD.EXE"
O4 - HKLM\..\Run: [Alcmtr] "C:\WINDOWS\ALCMTR.EXE"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon06] "C:\WINDOWS\system32\hphmon06.exe"
O4 - HKLM\..\Run: [ImInstaller_IncrediMail] "C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe" -startup -product IncrediMail
O4 - HKLM\..\Run: [hpsysdrv] "c:\windows\system\hpsysdrv.exe"
O4 - HKLM\..\Run: [HPHUPD06] "c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] "C:\WINDOWS\system32\HDAudPropShortcut.exe"
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] "C:\Program Files\Browser Mouse\MOffice.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KBD] "C:\HP\KBD\KBD.EXE"
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [Verizon Custom Uninstall Tracking] "C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\InstallHelper.exe" /uninstalltrackingvendor=Verizon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] -
O4 - HKLM\..\Run: [AVG8_TRAY] "C:\PROGRA~1\AVG\AVG8\avgtray.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [SFP] "C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE" /s
O4 - HKCU\..\Run: [Weather] "C:\Program Files\AWS\WeatherBug\Weather.exe" 1
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...e/gpcontrol.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: nfhakpga - C:\WINDOWS\SYSTEM32\qsjatud.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9744 bytes

Raid

Dec 4 2008, 10:24 PM

Okay. Please update mbam, a new version was released yesterday with goodies specifically designed to handle vundo. Scan again with it and provide it's logfile.

h2otech1

Dec 5 2008, 12:03 AM

Raid-

I updated mbam and ran both the full scan and then again the quick scan. Here are the logs, full first then the quick:

Malwarebytes' Anti-Malware 1.31
Database version: 1460
Windows 5.1.2600 Service Pack 3

12/4/2008 3:42:06 PM
mbam-log-2008-12-04 (15-42-06).txt

Scan type: Full Scan (C:\|)
Objects scanned: 147507
Time elapsed: 44 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ce27cd53-6ffd-49c4-a72a-60b139e15e4b} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nfhakpga (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ce27cd53-6ffd-49c4-a72a-60b139e15e4b} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8c760d34-e6a5-4111-bfe1-4ef0620b8eca} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{8c760d34-e6a5-4111-bfe1-4ef0620b8eca} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8c760d34-e6a5-4111-bfe1-4ef0620b8eca} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\qsjatud.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\clusapim.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\HP_Owner\GoToAssist_chat2way__317_en.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.31
Database version: 1460
Windows 5.1.2600 Service Pack 3

12/4/2008 4:00:55 PM
mbam-log-2008-12-04 (16-00-55).txt

Scan type: Quick Scan
Objects scanned: 70212
Time elapsed: 11 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ce27cd53-6ffd-49c4-a72a-60b139e15e4b} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nfhakpga (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ce27cd53-6ffd-49c4-a72a-60b139e15e4b} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8c760d34-e6a5-4111-bfe1-4ef0620b8eca} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{8c760d34-e6a5-4111-bfe1-4ef0620b8eca} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8c760d34-e6a5-4111-bfe1-4ef0620b8eca} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\qsjatud.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\clusapim.dll (Trojan.Vundo.H) -> Delete on reboot.

Raid

Dec 5 2008, 12:49 AM

Are you rebooting as it's asking?

I really need to know that, because mbam's logs indicate it should be able to finish the files off once you restart. If this is not occuring, I need to know so we can find the installer that's evading us.

Please follow ALL of the following instructions:

CCleaner

CCleaner
Double-click on the downloaded file "ccsetup213.exe" and install the application.
Keep the default installation folder "C:\Program Files\CCleaner"
Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
Click finish when done and close ALL PROGRAMS
Start the CCleaner program.
Click on Registry and Uncheck Registry Integrity so that it does not run
Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
Click back to Cleaner and click on the Run Cleaner button on the bottom right side of the program.
Click OK to any prompts

Please download the following scanning tool. GMER

Open the zip file and copy the file gmer.exe to your Desktop.
Double click on gmer.exe and run it.
It may take a minute to load and become available.
Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.
Once the scan is done click on the SAVE button and browse to your Desktop and save the file as GMER.LOG
Zip up the GMER.LOG file and save it as gmerlog.zip and attach it to your reply post.
DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.
Click OK and quit the GMER program.

Important!

All of the following instructions must be run on the affected computer. Logs from a different computer will not help me help you. So, if you need to download all of this and then copy it to CD or memory stick and take it to the other computer, please do so. Either way, it's important. The logs have to be made by the computer with the problem.

I need you to follow the instructions provided here Pre- HJT Post Instructions first.

I also need for you to download this program OTListIt.exe to your desktop.
Close all applications and windows so that you have nothing open and are at your Desktop
Double-click on the OTListIt.exe file to start OTListIt. OK any warning about running OTListIt.
Place a checkmark in the "Scan All Users" checkbox (Leave the 'Use Whitelist' checked' and the 'File Age:' at 30 days)
Click the Run Scan button
NOTE: Please be patient and let the scan run without using the computer
When the scan is complete, a text file (OTListIt.Txt) will open in Notepad (if not, it can be found on your Desktop)
In Notepad, click Edit, Select all then Edit, Copy
Reply to this topic, click in the topic reply window, and press Ctrl+V to paste the log or Righ click paste.
Submit your reply and close the Notepad window with OTList.txt
Also OTListIt's Extras.txt log file will be minimized in the Taskbar (and located on your Desktop) - click on this and maximize the window
In Notepad, click Edit, Select all then Edit, Copy
Reply to this topic again, click in the topic reply window, and press Ctrl+V to paste the extras log or Right click paste.
NOTE: If the files (OTListIt.txt, Extras.txt) do not appear in your taskbar, just open the files in notepad from your desktop.

Please allow me time to analyze your post. If you don't see a reply from me after 24 hours, feel free to PM me.

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.