Search Engine Redirecting Problem

March 15, 2010 at 20:57:15
Specs: Microsoft Windows XP Professional, 2.204 GHz / 958 MB
I am unsure of when this issue began, but no matter which search engine I use, such as Google, Yahoo or Bing, I am redirected to some random website with icons such as a green globe and a red squiggly line. McAfee and Malwarebytes haven't been much help in solving the problem. Thank you for any help; I am sorry for adding another pesky question.




#1
March 15, 2010 at 21:05:33
Run these scans just as requested. If during the cleaning process a reboot is needed by Malwarebytes, you need to re-run Rkill.

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Then, you may need to download these to a CD, external drive, or USB drive and run them on the infected computer, but first try to run them from the infected computer.

Please download Rkill from the following link.

Rkill

Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. This link will help you disable them:

Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)

A black screen will appear and then disappear. Please do not worry, that is normal.

If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the malware when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the malware. So, please try running Rkill until malware is no longer running. You will then be able to proceed with the rest of the guide.

Do not reboot your computer after running rkill as the malware programs will start again.

Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename mbam-setup.exe to tool.exe in the filename box, then click Save.

1. Double Click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy and paste the entire report in your next reply.

Remember: your "Antivirus" and any "realtime Antispyware" (excluding Malwarebytes) must be turned off or disabled before running ComboFix. The clickable link "This Link" in the ComboFix tutorial will help you get them disabled.

Please download ComboFix to the desktop from one of the following links:

ComboFix

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to Combo-Fix in the filename box, then click Save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" .
Note: Do not mouseclick combo-fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.



#2
March 15, 2010 at 22:24:07
exeHelper by Raktor
Build 20091220
Run at 21:34:41 on 03/15/10

Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--



#3
March 15, 2010 at 22:26:06
Malwarebytes' Anti-Malware 1.44
Database version: 3872
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

3/15/2010 9:56:30 PM
mbam-log-2010-03-15 (21-56-30).txt

Scan type: Quick Scan
Objects scanned: 147790
Time elapsed: 8 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



#4
March 15, 2010 at 22:26:53
ComboFix 10-03-15.04 - HP_Administrator 03/15/2010 22:05:58.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.555 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Desktop\combofix.exe.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\numago.vbs
c:\documents and settings\HP_Administrator\Application Data\iniasd.txt
c:\documents and settings\HP_Administrator\Application Data\inst.exe
c:\documents and settings\HP_Administrator\Application Data\ysavy.bat
c:\recycler\S-1-5-21-1409337509-448359793-3408814319-1007
c:\recycler\S-1-5-21-2382170527-1179737543-1896234604-1007
c:\recycler\S-1-5-21-710179315-3862230021-791084368-1007
c:\temp\isgTi19
c:\windows\gyqumitoho.bat
c:\windows\imij.reg
c:\windows\vipaqatozy.dll
D:\Autorun.inf

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2010-02-16 to 2010-03-16 )))))))))))))))))))))))))))))))
.

2010-03-16 03:20 . 2010-03-16 03:20 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-03-16 03:13 . 2010-03-16 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2010-03-16 03:10 . 2009-11-11 18:14 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-03-16 03:10 . 2009-11-11 18:14 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-03-16 03:10 . 2009-11-11 18:14 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-03-16 03:10 . 2009-07-16 19:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-03-16 03:09 . 2010-03-16 03:09 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-03-16 03:09 . 2010-03-16 03:10 -------- d-----w- c:\program files\Common Files\McAfee
2010-03-16 03:09 . 2010-03-16 03:09 -------- d-----w- c:\program files\McAfee.com
2010-03-16 03:09 . 2010-03-16 05:04 -------- d-----w- c:\program files\McAfee
2010-03-16 03:08 . 2010-03-16 03:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-16 03:04 . 2009-11-11 18:14 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-03-16 02:54 . 2010-03-16 03:14 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-03-14 03:31 . 2010-03-14 03:31 -------- d-sh--w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\PrivacIE
2010-03-14 02:57 . 2010-03-14 02:57 -------- d-sh--w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\IETldCache
2010-03-14 01:41 . 2010-03-14 01:41 -------- d-sh--w- c:\documents and settings\NetworkService\UserData
2010-03-08 06:04 . 2010-03-08 06:04 -------- d-----w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Malwarebytes
2010-03-08 06:04 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-08 06:03 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-02 04:59 . 2010-03-16 03:21 664 ----a-w- c:\windows\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-16 03:36 . 2010-03-16 03:36 195584 ----a-w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Sun\Java\Deployment\cache\6.0\5\27706285-758f74da-n\WMINative.dll
2010-03-16 02:09 . 2006-09-02 04:41 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-16 02:09 . 2006-09-02 04:41 -------- d-----w- c:\program files\Symantec
2010-03-16 02:09 . 2006-09-02 04:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-03-16 02:08 . 2006-09-02 04:42 -------- d-----w- c:\program files\Norton Internet Security
2010-03-14 03:36 . 2008-01-11 03:11 -------- d-----w- c:\program files\LimeWire
2010-03-14 01:31 . 2006-09-02 04:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-03-14 00:29 . 2004-08-10 04:00 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-08 06:04 . 2009-11-18 03:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-04 03:22 . 2008-10-24 01:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-01-30 00:39 . 2010-01-30 00:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-30 00:38 . 2010-01-30 00:38 152576 ----a-w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2010-01-26 01:11 . 2010-01-26 01:11 -------- d-----w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\AdobeUM
2010-01-06 01:04 . 2010-01-06 01:04 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-12-31 16:14 . 2004-08-10 04:00 352640 ------w- c:\windows\system32\drivers\srv.sys
2009-12-16 12:58 . 2004-08-10 04:00 343040 ------w- c:\windows\system32\mspaint.exe
2006-01-02 02:13 . 2006-01-02 02:13 14387 ----a-w- c:\program files\Common Files\sonapujev.dl
2006-01-02 02:13 . 2006-01-02 02:13 11128 ----a-w- c:\program files\Common Files\ekavote.db
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-05 04:39 . 2002-09-11 05:26 368706 c:\program files\BroadJump\Client Foundation\bak\CFD.exe

2006-09-02 04:12 . 2006-09-02 04:12 180269 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
2006-09-02 04:12 . 2006-09-02 04:12 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

2008-02-09 04:27 . 2009-10-15 23:53 9157 c:\program files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.csv
2005-08-16 23:35 . 2010-03-16 04:29 1942 c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.csv

2006-02-16 05:34 . 2006-02-16 05:34 249856 c:\program files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe
2006-02-16 05:34 . 2006-02-16 05:34 249856 c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

2005-02-17 13:11 . 2005-02-17 13:11 49152 c:\program files\HP\HP Software Update\bak\HPwuSchd2.exe
2005-02-17 13:11 . 2005-02-17 13:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

2006-04-13 16:05 . 2006-04-13 16:05 90112 c:\program files\HP DigitalMedia Archive\bak\DMAScheduler.exe
2006-04-13 16:05 . 2006-04-13 16:05 90112 c:\program files\HP DigitalMedia Archive\DMAScheduler.exe

2008-01-06 02:38 . 2006-07-22 00:19 129536 c:\program files\Yahoo!\browser\bak\ybrwicon.exe

2008-01-06 02:38 . 2007-08-31 01:43 4670704 c:\program files\Yahoo!\Messenger\bak\YAHOOM~1.EXE

2006-09-02 04:23 . 2004-12-14 09:23 663552 c:\windows\CREATOR\bak\Remind_XP.exe
2006-09-02 04:23 . 2004-12-14 09:23 663552 c:\windows\CREATOR\Remind_XP.exe

2004-08-10 10:04 . 2005-09-30 04:01 67584 c:\windows\ehome\bak\ehtray.exe
2004-08-10 10:04 . 2005-09-30 04:01 67584 c:\windows\ehome\ehtray.exe

2006-09-02 04:23 . 2005-07-23 05:14 237568 c:\windows\SMINST\bak\RECGUARD.EXE
2006-09-02 04:23 . 2005-07-23 05:14 237568 c:\windows\SMINST\Recguard.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-01-03 50528]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"ftutil2"="ftutil2.dll" [2004-06-07 106496]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-14 16239616]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"nwiz"="nwiz.exe" [2006-05-09 1519616]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"PCDrProfiler"="" [N/A]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-30 149280]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-11-2 110592]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-11-2 110592]
SBC Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2008-1-4 217088]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-9-1 36903]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [3/15/2010 8:13 PM 203280]
R3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [9/1/2006 9:04 PM 82048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-01-26 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Hewlett-Packard\SDP\HPSdpApp.exe [2005-09-09 02:23]

2010-03-16 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-03-16 19:22]

2010-03-16 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-03-16 19:22]

2010-03-16 c:\windows\Tasks\User_Feed_Synchronization-{FA08C773-8834-40CD-8254-3A4354F9E40C}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 12:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: trymedia.com
FF - ProfilePath - c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Mozilla\Firefox\Profiles\spr7iec0.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-15 22:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2908)
c:\docume~1\HP_ADM~1.YOU\LOCALS~1\Temp\IadHide5.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\ehome\mcrdsvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\ARPWRMSG.EXE
c:\windows\eHome\ehmsas.exe
c:\program files\SBC Self Support Tool\bin\mpbtn.exe
c:\program files\AIM6\aolsoftware.exe
c:\progra~1\Yahoo!\Messenger\ymsgr_tray.exe
c:\hp\KBD\KBD.EXE
.
**************************************************************************
.
Completion time: 2010-03-15 22:20:41 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-16 05:20

Pre-Run: 188,973,596,672 bytes free
Post-Run: 189,341,929,472 bytes free

- - End Of File - - FAFDA276AE499708A2129A91E241C7B6
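As an added example that is not part of this thread, here is a small Python parser for the ComboFix log format posted above: it switches state on the "(((( ... ))))" section banners, collects the Other Deletions, the disinfected-driver notice, the Files Created entries and the Reg Loading Points values, and lists what a helper reading the log would look at first. The log excerpt embedded in it is a constructed abbreviation of the log in this post, not the full log.

```python
import re
from dataclasses import dataclass, field

# Constructed, abbreviated excerpt modelled on the ComboFix log posted in this thread
# (a few lines per section, banners shortened; not the complete log).
SAMPLE_LOG = r"""
ComboFix 10-03-15.04 - HP_Administrator 03/15/2010 22:05:58.1.2 - x86
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
(((((((((((((((( Other Deletions ))))))))))))))))
.
c:\documents and settings\All Users\Application Data\numago.vbs
c:\windows\vipaqatozy.dll
D:\Autorun.inf
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
(((((((((( Files Created from 2010-02-16 to 2010-03-16 ))))))))))
2010-03-16 03:13 . 2010-03-16 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2010-03-16 03:10 . 2009-11-11 18:14 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
(((((((((((((((( Reg Loading Points ))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-01-03 50528]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
"""

SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")            # (((( Section Name ))))
INFECTED_RE = re.compile(r"^Infected copy of (.+?) was found and disinfected$")
CREATED_RE = re.compile(                                    # created . modified size attrs path
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\S+) (\S+) (.+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")                          # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')                  # "Name"=data


@dataclass
class ComboFixReport:
    av_onaccess_disabled: bool = False
    deletions: list = field(default_factory=list)    # paths ComboFix removed
    disinfected: list = field(default_factory=list)  # system files it found patched/replaced
    created: list = field(default_factory=list)      # (created, modified, size|None, attrs, path)
    reg_values: list = field(default_factory=list)   # (key, value name, data)


def parse_combofix(text):
    """Walk the log once, switching parser state on the '(((( ... ))))' banners."""
    rep = ComboFixReport()
    section, key = "header", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1).lower(), None
            continue
        if section == "header":
            if line.startswith("AV:") and "*On-access scanning disabled*" in line:
                rep.av_onaccess_disabled = True
        elif section == "other deletions":
            m = INFECTED_RE.match(line)
            if m:
                rep.disinfected.append(m.group(1))
            elif not line.startswith("Restored copy from"):
                rep.deletions.append(line)
        elif section.startswith("files created"):
            m = CREATED_RE.match(line)
            if m:
                created, modified, size, attrs, path = m.groups()
                size_b = None if size.startswith("-") else int(size)  # "--------" marks a directory
                rep.created.append((created, modified, size_b, attrs, path))
        elif section == "reg loading points":
            m = KEY_RE.match(line)
            if m:
                key = m.group(1)
            elif key and (m := VALUE_RE.match(line)):
                rep.reg_values.append((key, m.group(1), m.group(2)))
    return rep


def review(rep):
    """What a helper reading the log would look at first, as plain findings."""
    findings = []
    if rep.av_onaccess_disabled:
        findings.append("AV on-access scanning was disabled while the log was taken")
    for path in rep.disinfected:
        # A patched core driver is the strongest indicator in the log and worth a second opinion.
        findings.append(f"infected copy of a system driver was disinfected: {path}")
    for key, name, data in rep.reg_values:
        # Security Center monitoring is often switched off by the AV product itself
        # (McAfee and Symantec entries in this log), so this is a review item, not a verdict.
        if "security center\\monitoring" in key.lower() and name == "DisableMonitoring" and data.endswith("1"):
            product = key.rsplit("\\", 1)[-1]
            findings.append(f"Security Center monitoring disabled for {product}")
    return findings


if __name__ == "__main__":
    for finding in review(parse_combofix(SAMPLE_LOG)):
        print("-", finding)
```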



#5
March 16, 2010 at 17:38:20
Please go to Virus Total and upload the following file for analysis:

c:\program files\Common Files\sonapujev.dl

c:\program files\Common Files\ekavote.db

Use the browse button at the site to find the file. Once you find the file, double-click it and it should appear in the empty space to the left of the browse button, then click "send file". If the file has already been analyzed, click the reanalyze button to have it checked again.

Post the results in your reply.



#6
March 16, 2010 at 20:20:02

File sonapujev.dl received on 2010.03.17 03:13:22 (UTC)
Result: 0/42 (0%)


Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.03.17 -
AhnLab-V3 5.0.0.2 2010.03.16 -
AntiVir 8.2.1.180 2010.03.16 -
Antiy-AVL 2.0.3.7 2010.03.16 -
Authentium 5.2.0.5 2010.03.17 -
Avast 4.8.1351.0 2010.03.16 -
Avast5 5.0.332.0 2010.03.16 -
AVG 9.0.0.787 2010.03.17 -
BitDefender 7.2 2010.03.17 -
CAT-QuickHeal 10.00 2010.03.17 -
ClamAV 0.96.0.0-git 2010.03.17 -
Comodo 4289 2010.03.17 -
DrWeb 5.0.1.12222 2010.03.17 -
eSafe 7.0.17.0 2010.03.16 -
eTrust-Vet 35.2.7365 2010.03.16 -
F-Prot 4.5.1.85 2010.03.17 -
F-Secure 9.0.15370.0 2010.03.17 -
Fortinet 4.0.14.0 2010.03.15 -
GData 19 2010.03.17 -
Ikarus T3.1.1.80.0 2010.03.17 -
Jiangmin 13.0.900 2010.03.16 -
K7AntiVirus 7.10.999 2010.03.16 -
Kaspersky 7.0.0.125 2010.03.17 -
McAfee 5922 2010.03.16 -
McAfee+Artemis 5922 2010.03.16 -
McAfee-GW-Edition 6.8.5 2010.03.16 -
Microsoft 1.5605 2010.03.16 -
NOD32 4950 2010.03.16 -
Norman 6.04.08 2010.03.16 -
nProtect 2009.1.8.0 2010.03.16 -
Panda 10.0.2.6 2010.03.16 -
PCTools 7.0.3.5 2010.03.15 -
Prevx 3.0 2010.03.17 -
Rising 22.39.01.07 2010.03.17 -
Sophos 4.51.0 2010.03.17 -
Sunbelt 5926 2010.03.17 -
Symantec 20091.2.0.41 2010.03.17 -
TheHacker 6.5.2.0.235 2010.03.17 -
TrendMicro 9.120.0.1004 2010.03.16 -
VBA32 3.12.12.2 2010.03.16 -
ViRobot 2010.3.16.2230 2010.03.16 -
VirusBuster 5.0.27.0 2010.03.16 -
Additional information
File size: 14387 bytes
MD5...: 0cba52808f39b6074be430ed94a48fe8
SHA1..: db09361b43f188a8a518a5cc5def9e4eee508f2a
SHA256: 44cfa32672a087fc9441175de0822ddafdf8627c396d23e5a15c32ce4171fe28
ssdeep: 384:VrM31fZQ/5Cf3lkiuz/KhA+Ed+CCjOofN/k7i8:tMFfZOGuz/K++OU1w3
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set -
pdfid.: -
trid..: Unknown!
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned



#7
March 16, 2010 at 20:23:46
File ekavote.db received on 2010.03.17 03:21:10 (UTC)
Result: 0/42 (0%)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.03.17 -
AhnLab-V3 5.0.0.2 2010.03.16 -
AntiVir 8.2.1.180 2010.03.16 -
Antiy-AVL 2.0.3.7 2010.03.16 -
Authentium 5.2.0.5 2010.03.17 -
Avast 4.8.1351.0 2010.03.16 -
Avast5 5.0.332.0 2010.03.16 -
AVG 9.0.0.787 2010.03.17 -
BitDefender 7.2 2010.03.17 -
CAT-QuickHeal 10.00 2010.03.17 -
ClamAV 0.96.0.0-git 2010.03.17 -
Comodo 4289 2010.03.17 -
DrWeb 5.0.1.12222 2010.03.17 -
eSafe 7.0.17.0 2010.03.16 -
eTrust-Vet 35.2.7365 2010.03.16 -
F-Prot 4.5.1.85 2010.03.17 -
F-Secure 9.0.15370.0 2010.03.17 -
Fortinet 4.0.14.0 2010.03.15 -
GData 19 2010.03.17 -
Ikarus T3.1.1.80.0 2010.03.17 -
Jiangmin 13.0.900 2010.03.16 -
K7AntiVirus 7.10.999 2010.03.16 -
Kaspersky 7.0.0.125 2010.03.17 -
McAfee 5922 2010.03.16 -
McAfee+Artemis 5922 2010.03.16 -
McAfee-GW-Edition 6.8.5 2010.03.16 -
Microsoft 1.5605 2010.03.16 -
NOD32 4950 2010.03.16 -
Norman 6.04.08 2010.03.16 -
nProtect 2009.1.8.0 2010.03.16 -
Panda 10.0.2.6 2010.03.16 -
PCTools 7.0.3.5 2010.03.15 -
Prevx 3.0 2010.03.17 -
Rising 22.39.01.07 2010.03.17 -
Sophos 4.51.0 2010.03.17 -
Sunbelt 5926 2010.03.17 -
Symantec 20091.2.0.41 2010.03.17 -
TheHacker 6.5.2.0.235 2010.03.17 -
TrendMicro 9.120.0.1004 2010.03.16 -
VBA32 3.12.12.2 2010.03.16 -
ViRobot 2010.3.16.2230 2010.03.16 -
VirusBuster 5.0.27.0 2010.03.16 -
Additional information
File size: 11128 bytes
MD5...: 6d0212b52f50e6a2ac8ec5a85f74841b
SHA1..: 89a943d6ba25c4c0e4e1129e7a607b6e894624a6
SHA256: ec85d23690a0b9223dd1943a9496c444cf2abc1766f9dfe42340b3d44b33b88f
ssdeep: 192:pfLN/TymS0uFA3Xez/3CUbjbMAyyCFjyC9xba6TwHuqz2VtMrGyo1a:FLBmA+z/H70FX9xOU342VtMSyok
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set -
pdfid.: -
trid..: Unknown!
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned



#8
March 16, 2010 at 20:53:26
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\program files\Common Files\sonapujev.dl
c:\program files\Common Files\ekavote.db

AWF::
c:\program files\BroadJump\Client Foundation\bak\CFD.exe
c:\program files\Yahoo!\browser\bak\ybrwicon.exe
c:\program files\Yahoo!\Messenger\bak\YAHOOM~1.exe

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto start, click "run".

Please post the log that is produced.

Please run the BitDefender online scan from this link:
Bitdefender Online Scanner

Click I Agree to agree to the EULA.
Allow the ActiveX control to install when prompted.
Click Click here to scan to begin the scan.
Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
When the scan is finished, click on Click here to export the scan results.
Save the report to your desktop so you can post it in your next reply.



#9
March 16, 2010 at 21:47:04
ComboFix 10-03-15.04 - HP_Administrator 03/16/2010 21:14:21.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.525 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Desktop\combofix.exe.exe
Command switches used :: c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Desktop\CFScript.txt.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\program files\Common Files\ekavote.db"
"c:\program files\Common Files\sonapujev.dl"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Administrator\Local Settings\Application Data\{9D74F8A2-8723-4AD7-B183-C0E92C318BA3}
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{9D74F8A2-8723-4AD7-B183-C0E92C318BA3}\chrome.manifest
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{9D74F8A2-8723-4AD7-B183-C0E92C318BA3}\chrome\content\_cfg.js
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{9D74F8A2-8723-4AD7-B183-C0E92C318BA3}\chrome\content\overlay.xul
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{9D74F8A2-8723-4AD7-B183-C0E92C318BA3}\install.rdf
c:\program files\Common Files\ekavote.db
c:\program files\Common Files\sonapujev.dl

.
((((((((((((((((((((((((( Files Created from 2010-02-17 to 2010-03-17 )))))))))))))))))))))))))))))))
.

2010-03-16 03:36 . 2010-03-16 03:36 195584 ----a-w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Sun\Java\Deployment\cache\6.0\5\27706285-758f74da-n\WMINative.dll
2010-03-16 03:20 . 2010-03-16 03:20 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-03-16 03:13 . 2010-03-16 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2010-03-16 03:10 . 2009-11-11 18:14 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-03-16 03:10 . 2009-11-11 18:14 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-03-16 03:10 . 2009-11-11 18:14 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-03-16 03:10 . 2009-07-16 19:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-03-16 03:09 . 2010-03-16 03:09 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-03-16 03:09 . 2010-03-16 03:10 -------- d-----w- c:\program files\Common Files\McAfee
2010-03-16 03:09 . 2010-03-16 03:09 -------- d-----w- c:\program files\McAfee.com
2010-03-16 03:09 . 2010-03-16 05:04 -------- d-----w- c:\program files\McAfee
2010-03-16 03:08 . 2010-03-16 03:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-16 03:04 . 2009-11-11 18:14 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-03-16 02:54 . 2010-03-16 03:14 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-03-16 01:13 . 2009-12-21 19:14 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-03-16 01:13 . 2009-12-21 19:14 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-03-16 01:13 . 2009-12-21 19:14 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-03-16 01:13 . 2009-12-21 19:14 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-03-16 01:13 . 2009-12-21 19:14 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-03-16 01:13 . 2009-12-21 19:14 11070464 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-03-14 03:31 . 2010-03-14 03:31 -------- d-sh--w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\PrivacIE
2010-03-14 02:57 . 2010-03-14 02:57 -------- d-sh--w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\IETldCache
2010-03-14 01:41 . 2010-03-14 01:41 -------- d-sh--w- c:\documents and settings\NetworkService\UserData
2010-03-08 06:04 . 2010-03-08 06:04 -------- d-----w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Malwarebytes
2010-03-08 06:04 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-08 06:03 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-02 04:59 . 2010-03-16 03:21 664 ----a-w- c:\windows\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-16 02:09 . 2006-09-02 04:41 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-16 02:09 . 2006-09-02 04:41 -------- d-----w- c:\program files\Symantec
2010-03-16 02:09 . 2006-09-02 04:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-03-16 02:08 . 2006-09-02 04:42 -------- d-----w- c:\program files\Norton Internet Security
2010-03-14 03:36 . 2008-01-11 03:11 -------- d-----w- c:\program files\LimeWire
2010-03-14 01:31 . 2006-09-02 04:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-03-14 00:29 . 2004-08-10 04:00 95360 ------w- c:\windows\system32\drivers\atapi.sys
2010-03-08 06:04 . 2009-11-18 03:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-04 03:22 . 2008-10-24 01:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-01-30 00:39 . 2010-01-30 00:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-30 00:38 . 2010-01-30 00:38 152576 ----a-w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2010-01-26 01:11 . 2010-01-26 01:11 -------- d-----w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\AdobeUM
2010-01-06 01:04 . 2010-01-06 01:04 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-12-31 16:14 . 2004-08-10 04:00 352640 ------w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-10 04:00 916480 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-09-02 04:12 . 2006-09-02 04:12 180269 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
2006-09-02 04:12 . 2006-09-02 04:12 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

2008-02-09 04:27 . 2009-10-15 23:53 9157 c:\program files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.csv
2005-08-16 23:35 . 2010-03-17 03:18 1990 c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.csv

2006-02-16 05:34 . 2006-02-16 05:34 249856 c:\program files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe
2006-02-16 05:34 . 2006-02-16 05:34 249856 c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

2005-02-17 13:11 . 2005-02-17 13:11 49152 c:\program files\HP\HP Software Update\bak\HPwuSchd2.exe
2005-02-17 13:11 . 2005-02-17 13:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

2006-04-13 16:05 . 2006-04-13 16:05 90112 c:\program files\HP DigitalMedia Archive\bak\DMAScheduler.exe
2006-04-13 16:05 . 2006-04-13 16:05 90112 c:\program files\HP DigitalMedia Archive\DMAScheduler.exe

2008-01-06 02:38 . 2007-08-31 01:43 4670704 c:\program files\Yahoo!\Messenger\bak\YAHOOM~1.EXE

2006-09-02 04:23 . 2004-12-14 09:23 663552 c:\windows\CREATOR\bak\Remind_XP.exe
2006-09-02 04:23 . 2004-12-14 09:23 663552 c:\windows\CREATOR\Remind_XP.exe

2004-08-10 10:04 . 2005-09-30 04:01 67584 c:\windows\ehome\bak\ehtray.exe
2004-08-10 10:04 . 2005-09-30 04:01 67584 c:\windows\ehome\ehtray.exe

2006-09-02 04:23 . 2005-07-23 05:14 237568 c:\windows\SMINST\bak\RECGUARD.EXE
2006-09-02 04:23 . 2005-07-23 05:14 237568 c:\windows\SMINST\Recguard.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-01-03 50528]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"ftutil2"="ftutil2.dll" [2004-06-07 106496]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-14 16239616]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"nwiz"="nwiz.exe" [2006-05-09 1519616]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"PCDrProfiler"="" [N/A]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-30 149280]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-11-2 110592]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-11-2 110592]
SBC Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2008-1-4 217088]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-9-1 36903]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [3/15/2010 8:13 PM 203280]
R3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [9/1/2006 9:04 PM 82048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-01-26 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Hewlett-Packard\SDP\HPSdpApp.exe [2005-09-09 02:23]

2010-03-16 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-03-16 19:22]

2010-03-16 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-03-16 19:22]

2010-03-17 c:\windows\Tasks\User_Feed_Synchronization-{FA08C773-8834-40CD-8254-3A4354F9E40C}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 12:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Mozilla\Firefox\Profiles\spr7iec0.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-16 21:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2544)
c:\windows\system32\WININET.dll
c:\docume~1\HP_ADM~1.YOU\LOCALS~1\Temp\IadHide5.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\ehome\mcrdsvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\eHome\ehmsas.exe
c:\windows\ARPWRMSG.EXE
c:\program files\SBC Self Support Tool\bin\mpbtn.exe
c:\program files\AIM6\aolsoftware.exe
c:\progra~1\Yahoo!\Messenger\ymsgr_tray.exe
c:\hp\KBD\KBD.EXE
.
**************************************************************************
.
Completion time: 2010-03-16 21:27:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-17 04:27
ComboFix2.txt 2010-03-16 05:20

Pre-Run: 189,216,403,456 bytes free
Post-Run: 189,189,070,848 bytes free

- - End Of File - - F864FA022F50CFE1960321454113A8D9



#10
March 16, 2010 at 21:47:37
BitDefender QuickScan Beta 32-bit v0.9.9.9
------------------------------------------

Scan date: Tue Mar 16 21:40:27 2010
Machine ID: 381A7E08

No infection found.
---------------------


Processes
---------
<unsigned> 3000 C:\Program Files\DISC\DiscStreamHub.exe
<unsigned> 576 C:\Program Files\DISC\DiscUpdMgr.exe
<unsigned> AcroTray - Adobe Acrobat Distiller help 3660 C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
<unsigned> DISCover Drop & Play System 1460 C:\Program Files\DISC\DISCover.exe
<unsigned> DMAScheduler 2844 C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
<unsigned> Hewlett-Packard Company KBD EXE 3236 C:\HP\KBD\KBD.EXE
<unsigned> hp digital imaging - hp all-in-one seri 2124 C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
<unsigned> hpsysdrv 3268 C:\windows\system\hpsysdrv.exe
<unsigned> LightScribe 560 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
<unsigned> mpbtn.exe 3976 C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
<unsigned> RunnerEXE Application 3856 C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe

<verified> ARPowerMsg Application 2728 C:\WINDOWS\ARPWRMSG.EXE
<verified> Apple Mobile Device Service 1996 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
<verified> ARSVC Application 2016 C:\WINDOWS\arservice.exe
<verified> Bonjour 152 C:\Program Files\Bonjour\mDNSResponder.exe
<verified> Firefox 2768 C:\Program Files\Mozilla Firefox\firefox.exe
<verified> iTunes 3124 C:\Program Files\iPod\bin\iPodService.exe
<verified> iTunes 3900 C:\Program Files\iTunes\iTunesHelper.exe
<verified> Java(TM) Platform SE 6 U16 500 C:\Program Files\Java\jre6\bin\jqs.exe
<verified> Java(TM) Platform SE 6 U16 3016 C:\Program Files\Java\jre6\bin\jusched.exe
<verified> McAfee Integrated Security Platform 1672 C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
<verified> McAfee Personal Firewall 1964 C:\Program Files\McAfee\MPF\MPFSrv.exe
<verified> McAfee Proxy 1728 C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
<verified> McAfee SecurityCenter 2600 C:\Program Files\McAfee.com\Agent\mcagent.exe
<verified> McAfee SecurityCenter 1416 C:\Program Files\McAfee\MSC\mcmscsvc.exe
<verified> McAfee VirusScan API 3020 C:\Program Files\McAfee\VirusScan\mcsysmon.exe
<verified> McSACore.exe 592 C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
<verified> Microsoft® Windows® Operating System 2712 C:\WINDOWS\eHome\ehmsas.exe
<verified> Microsoft® Windows® Operating System 224 C:\WINDOWS\eHome\ehRecvr.exe
<verified> Microsoft® Windows® Operating System 368 C:\WINDOWS\eHome\ehSched.exe
<verified> Microsoft® Windows® Operating System 2516 C:\WINDOWS\ehome\ehtray.exe
<verified> Microsoft® Windows® Operating System 2188 C:\WINDOWS\ehome\mcrdsvc.exe
<verified> Microsoft® Windows® Operating System 2544 C:\WINDOWS\explorer.exe
<verified> Microsoft® Windows® Operating System 3520 C:\WINDOWS\System32\alg.exe
<verified> Microsoft® Windows® Operating System 756 C:\WINDOWS\system32\csrss.exe
<verified> Microsoft® Windows® Operating System 2924 C:\WINDOWS\system32\dllhost.exe
<verified> Microsoft® Windows® Operating System 836 C:\WINDOWS\system32\lsass.exe
<verified> Microsoft® Windows® Operating System 2160 C:\WINDOWS\system32\notepad.exe
<verified> Microsoft® Windows® Operating System 824 C:\WINDOWS\system32\services.exe
<verified> Microsoft® Windows® Operating System 688 C:\WINDOWS\System32\smss.exe
<verified> Microsoft® Windows® Operating System 1564 C:\WINDOWS\system32\spoolsv.exe
<verified> Microsoft® Windows® Operating System 1912 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1368 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1292 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1232 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1172 C:\WINDOWS\System32\svchost.exe
<verified> Microsoft® Windows® Operating System 1124 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1076 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1028 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 3916 C:\WINDOWS\system32\wbem\wmiprvse.exe
<verified> Microsoft® Windows® Operating System 1852 C:\WINDOWS\system32\wdfmgr.exe
<verified> Microsoft® Windows® Operating System 780 C:\WINDOWS\system32\winlogon.exe
<verified> Microsoft® Windows® Operating System 3104 C:\WINDOWS\system32\wuauclt.exe
<verified> NVIDIA Driver Helper Service, Version 8 284 C:\WINDOWS\system32\nvsvc32.exe
<verified> Realtek HD Audio Sound Effect Manager 2680 C:\WINDOWS\RTHDCPL.EXE
<verified> VSCORE.14.0.0.435.x86 1784 C:\Program Files\McAfee\VirusScan\Mcshield.exe
<verified> Yahoo! AutoUpdater 2096 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
<verified> Yahoo! Messenger 2076 C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe


Network activity
----------------
Process firefox.exe (2768) connected on port 80 (HTTP) - *.122.2o7.net
Process firefox.exe (2768) connected on port 80 (HTTP) - a72-247-49-115.deploy.akamaitechnologies.com
Process firefox.exe (2768) connected on port 80 (HTTP) - lax04s01-in-f101.1e100.net

Process svchost.exe (1076) listens on ports: 135 (RPC)
Process McNASvc.exe (1672) listens on ports: 6646
Process DiscStreamHub.exe (3000) listens on ports: 9485


Autoruns and critical files
---------------------------
<unsigned> Application Remind_XP C:\Windows\Creator\Remind_XP.exe
<unsigned> DMAScheduler C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
<unsigned> hp digital imaging - hp all-in-one seri C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
<unsigned> HP Service Delivery Platform C:\Program Files\Hewlett-Packard\SDP\HPSdpApp.exe
<unsigned> HPBootOp C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
<unsigned> nwiz.exe C:\WINDOWS\system32\nwiz.exe
<unsigned> QuickTime C:\Program Files\QuickTime\QTTask.exe
<unsigned> Recguard Application C:\WINDOWS\SMINST\RECGUARD.EXE

<verified> ARPowerMsg Application C:\WINDOWS\ARPWRMSG.EXE
<verified> AOL Service Libraries C:\Program Files\AIM6\aim6.exe
<verified> EasyNetwork C:\PROGRA~1\McAfee\MHN\McENUI.exe
<verified> fasttraktype Dynamic Link Library C:\WINDOWS\system32\ftutil2.dll
<verified> Java(TM) Platform SE 6 U16 C:\Program Files\Java\jre6\bin\jusched.exe
<verified> McAfee QuickClean c:\Program Files\McAfee\MQC\QcConsol.exe
<verified> McAfee SecurityCenter C:\Program Files\McAfee.com\Agent\mcagent.exe
<verified> Microsoft® Windows® Operating System C:\WINDOWS\ehome\ehtray.exe
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\browseui.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\crypt32.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\cryptnet.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\cscdll.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\logonui.exe
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\sclgntfy.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\shell32.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\stobject.dll
<verified> Microsoft® Windows® Operating System c:\windows\system32\userinit.exe
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\wlnotify.dll
<verified> NVIDIA Compatible Windows 2000 Display C:\WINDOWS\system32\NvCpl.dll
<verified> Realtek HD Audio Sound Effect Manager C:\WINDOWS\RTHDCPL.EXE
<verified> Windows® Internet Explorer C:\WINDOWS\system32\msfeedssync.exe
<verified> Windows® Internet Explorer C:\WINDOWS\system32\webcheck.dll
<verified> Yahoo! Messenger C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe


Browser plugins
---------------
<unsigned> Adobe Acrobat C:\Program Files\Internet Explorer\plugins\nppdf32.dll
<unsigned> Bonjour C:\Program Files\Bonjour\mdnsNSP.dll
<unsigned> HP eHelp c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\webhelper.dll
<unsigned> InstallShield Update Service C:\WINDOWS\Downloaded Program Files\dwusplay.dll
<unsigned> InstallShield Update Service C:\WINDOWS\Downloaded Program Files\dwusplay.exe
<unsigned> InstallShield Update Service C:\WINDOWS\Downloaded Program Files\isusweb.dll
<unsigned> Java(TM) Platform SE 6 U16 c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
<unsigned> QuickTime Plug-in 7.6 C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
<unsigned> QuickTime Plug-in 7.6 C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
<unsigned> QuickTime Plug-in 7.6 C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
<unsigned> QuickTime Plug-in 7.6 C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
<unsigned> QuickTime Plug-in 7.6 C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
<unsigned> QuickTime Plug-in 7.6 C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
<unsigned> QuickTime Plug-in 7.6 C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
<unsigned> QuickTime Plug-in 7.6.5 C:\Program Files\Internet Explorer\plugins\npqtplugin.dll
<unsigned> QuickTime Plug-in 7.6.5 C:\Program Files\Internet Explorer\plugins\npqtplugin2.dll
<unsigned> QuickTime Plug-in 7.6.5 C:\Program Files\Internet Explorer\plugins\npqtplugin3.dll
<unsigned> QuickTime Plug-in 7.6.5 C:\Program Files\Internet Explorer\plugins\npqtplugin4.dll
<unsigned> QuickTime Plug-in 7.6.5 C:\Program Files\Internet Explorer\plugins\npqtplugin5.dll
<unsigned> QuickTime Plug-in 7.6.5 C:\Program Files\Internet Explorer\plugins\npqtplugin6.dll
<unsigned> QuickTime Plug-in 7.6.5 C:\Program Files\Internet Explorer\plugins\npqtplugin7.dll
<unsigned> RealJukebox NS Plugin C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll
<unsigned> RealPlayer Version Plugin C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll
<unsigned> RealPlayer(tm) G2 LiveConnect-Enabled P C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll
<unsigned> unagiuninst.exe C:\WINDOWS\Downloaded Program Files\unagiuninst.exe

<verified> AcroIEHelper Library c:\program files\adobe\acrobat 7.0\activex\acroiehelper.dll
<verified> AOL Media Playback Control C:\WINDOWS\Downloaded Program Files\ampAx3.0.84.2.dll
<verified> BitDefender QuickScan C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Mozilla\Firefox\Profiles/spr7iec0.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
<verified> BitDefender QuickScan C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Mozilla\Firefox\Profiles/spr7iec0.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
<verified> getPlusPlus for Adobe 16249 C:\Program Files\Mozilla Firefox\plugins\np_gp.dll
<verified> Java Deployment Toolkit 6.0.160.1 C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
<verified> Java(TM) Platform SE 6 U16 c:\program files\java\jre6\bin\jp2ssv.dll
<verified> mcieplg.dll c:\program files\mcafee\siteadvisor\mcieplg.dll
<verified> Messenger C:\Program Files\Messenger\msmsgs.exe
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\mswsock.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\rsvpsp.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\winrnr.dll
<verified> Mozilla Default Plug-in C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
<verified> Norton AntiVirus c:\program files\norton internet security\norton antivirus\navshext.dll
<verified> npitunes.dll C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
<verified> NPSWF32.dll C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
<verified> VSCORE.14.0.0.435.x86 c:\program files\mcafee\virusscan\scriptsn.dll
<verified> Windows® Internet Explorer C:\WINDOWS\system32\ieframe.dll
<verified> Yahoo Application State Plugin C:\Program Files\Yahoo!\Shared\npYState.dll
<verified> Yahoo! Single Instance for Mail c:\program files\yahoo!\companion\installs\cpn0\ytsingleinstance.dll
<verified> Yahoo! Toolbar c:\program files\yahoo!\companion\installs\cpn0\yt.dll
<verified> YInstHelper Module C:\WINDOWS\Downloaded Program Files\CONFLICT.1\yinsthelper.dll
<verified> YInstHelper Module C:\WINDOWS\Downloaded Program Files\yinsthelper.dll


Scan
----

The following file(s) must be uploaded for server-side scanning:
C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_b7a4f8d6\System.Drawing.dll

Upload started - 1 file(s)
C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_b7a4f8d6\System.Drawing.dll (835584)
Upload speed - 21 KB/s
Upload finished - 1 uploaded, 0 failed

The uploaded file(s) were found clean.

Scan finished - communication took 42 sec
Total traffic - 0.88 MB sent, 3.28 KB recvd
Scanned 1330 files and modules - 243 seconds


#11
March 18, 2010 at 17:57:11
How is the computer operating?

#12
March 18, 2010 at 18:18:19
It is running great. Thank you so much for the help.

#13
March 18, 2010 at 19:49:45
jabuck - I am having the same problem as sick23. I am currently trying to run through the same process as you offered. Malware scan is running now. Do you want me to also post my reports? Is there anything I should do differently?

#14
March 18, 2010 at 19:55:29
exeHelper by Raktor
Build 20091220
Run at 21:52:26 on 03/18/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

#15
March 18, 2010 at 19:58:40
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as XXXXXXX on 03/18/2010 at 22:02:46.


Processes terminated by Rkill or while it was running:


C:\WINDOWS\System32\nvsvc32.exe
C:\Documents and Settings\JANICE\Desktop\rkill.pif


Rkill completed on 03/18/2010 at 22:02:56.


#16
March 18, 2010 at 20:04:10
Malwarebytes' Anti-Malware 1.44
Database version: 3884
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

3/18/2010 11:02:58 PM
mbam-log-2010-03-18 (23-02-58).txt

Scan type: Quick Scan
Objects scanned: 192079
Time elapsed: 49 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\.pox (Rogue.FixTool) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\pofile (Rogue.FixTool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A14A8608-CF1C-4010-A348-7EA220C70305}_is1 (PUP.PerfectOptimizer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Miracle (PUP.PerfectOptimizer) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\7WZJZZCI\ASetup_2014-1[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


#17
March 18, 2010 at 21:25:00
ComboFix 10-03-18.01 - JANICE 03/18/2010 23:40:59.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.761 [GMT -4:00]
Running from: c:\documents and settings\JANICE\Desktop\Combo-Fix.exe
AV: Sunbelt VIPRE *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\Fast Browser Search
c:\program files\Fast Browser Search\FBStoolbar.dll
c:\program files\Fast Browser Search\icons.bmp
c:\program files\Fast Browser Search\IE\1.bat
c:\program files\Fast Browser Search\IE\about.html
c:\program files\Fast Browser Search\IE\affid.dat
c:\program files\Fast Browser Search\IE\basis.xml
c:\program files\Fast Browser Search\IE\BHO.dll
c:\program files\Fast Browser Search\IE\fbsSearchProvider.xml
c:\program files\Fast Browser Search\IE\MTWBtoolbar.html
c:\program files\Fast Browser Search\IE\search.bmp
c:\program files\Fast Browser Search\IE\SearchGuardPlus.ico
c:\program files\Fast Browser Search\IE\SGPU.ico
c:\program files\Fast Browser Search\IE\sgpUpdater.exe
c:\program files\Fast Browser Search\IE\sgpUpdater.xml
c:\program files\Fast Browser Search\IE\SGPUpdaterS.exe
c:\program files\Fast Browser Search\IE\tbhelper.dll
c:\program files\Fast Browser Search\IE\tbs_include_script_003175.js
c:\program files\Fast Browser Search\IE\tbs_include_script_005064.js
c:\program files\Fast Browser Search\IE\tbs_include_script_012817.js
c:\program files\Fast Browser Search\IE\Toolbar Help.htm
c:\program files\Fast Browser Search\IE\uninstall.exe
c:\program files\Fast Browser Search\IE\uninstalSGP.exe
c:\program files\Fast Browser Search\IE\uninstalSGPU.exe
c:\program files\Fast Browser Search\IE\update.exe
c:\program files\Fast Browser Search\IE\version.txt
c:\program files\Fast Browser Search\info.txt
c:\program files\Fast Browser Search\local.xml
c:\program files\Fast Browser Search\logobg.bmp
c:\program files\Search Guard PlusU
c:\program files\Search Guard PlusU\SGPU.ico
c:\program files\Search Guard PlusU\sgpUpdater.exe
c:\program files\Search Guard PlusU\sgpUpdater.xml
c:\program files\Search Guard PlusU\uninstalSGPU.exe
c:\program files\SGPSA

----- BITS: Possible infected sites -----

hxxp://download.microsoft.coj+|Cv+@J:NGD_DQ{ztHG.XY\h5&H
Infected copy of c:\windows\system32\DRIVERS\IdeChnDr.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
original MBR restored successfully !
.
((((((((((((((((((((((((( Files Created from 2010-02-19 to 2010-03-19 )))))))))))))))))))))))))))))))
.

2010-03-19 00:44 . 2010-03-19 00:45 -------- d-----w- c:\windows\system32\NtmsData
2010-03-17 02:02 . 2010-03-17 02:02 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-03-17 02:02 . 2010-03-17 02:02 -------- d-----w- c:\program files\MSECACHE
2010-03-17 00:41 . 2010-03-17 00:41 -------- d-----w- c:\program files\TrendMicro
2010-03-15 22:14 . 2010-03-15 22:14 -------- d-----w- c:\program files\DIFX
2010-03-13 15:45 . 2009-10-23 14:27 3555328 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-09 04:09 . 2010-03-09 04:09 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-09 04:09 . 2010-03-09 04:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-03-08 14:39 . 2010-03-08 14:39 -------- d-----w- c:\windows\Sun
2010-03-08 02:56 . 2010-03-08 02:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Weskysoft
2010-03-08 02:42 . 2010-03-17 00:10 -------- d-----w- c:\program files\Optimizer Tool
2010-03-08 00:40 . 2009-06-29 16:12 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-08 00:40 . 2009-06-29 16:12 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2010-03-07 01:40 . 2004-08-04 07:56 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-03-07 00:42 . 2004-08-04 07:56 11325 ------w- c:\windows\system32\drivers\vchnt5.dll
2010-03-07 00:41 . 2006-05-19 12:59 94720 ----a-w- c:\windows\system32\dllcache\iphlpapi.dll
2010-03-06 22:36 . 2010-03-13 22:59 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-06 20:10 . 2010-03-06 20:10 -------- d-----w- c:\documents and settings\JANICE\Application Data\Malwarebytes
2010-03-06 20:10 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-06 20:10 . 2010-03-19 02:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-06 20:10 . 2010-03-06 20:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-06 20:10 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-06 19:18 . 2010-03-06 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-06 16:36 . 2010-03-06 16:36 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-06 02:18 . 2010-03-06 02:18 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-05 00:27 . 2010-03-05 00:31 73449472 ----a-w- C:\VIPRERescue5746.exe
2010-03-04 23:47 . 2010-03-04 23:47 -------- d-----w- c:\program files\easy gadget
2010-03-04 03:10 . 2010-03-16 21:46 0 ----a-w- c:\windows\Jbuvakuc.bin
2010-03-04 03:10 . 2010-03-17 02:12 120 ----a-w- c:\windows\Pherocohuvilitac.dat
2010-03-04 03:10 . 2010-03-04 03:10 -------- d-----w- c:\documents and settings\JANICE\Local Settings\Application Data\{B4BD0BE9-7A3A-4FB6-BC80-4D614C9262D8}
2010-03-03 22:59 . 2010-03-03 22:59 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2010-03-03 22:59 . 2010-03-03 22:59 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2010-03-03 22:59 . 2010-03-03 22:59 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-03-03 22:59 . 2010-03-03 22:59 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-03-03 15:36 . 2010-03-16 02:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-03 13:58 . 2002-02-06 13:53 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
2010-03-03 13:58 . 2010-03-19 03:15 -------- d-----w- c:\documents and settings\HelpAssistant

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-19 00:05 . 2007-02-24 17:13 -------- d-----w- c:\program files\TaxCut06
2010-03-18 23:07 . 2002-09-01 22:32 92200 ----a-w- c:\documents and settings\JANICE\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-17 02:02 . 2010-03-17 02:02 3584 ----a-r- c:\documents and settings\JANICE\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-03-17 01:07 . 2004-02-14 18:47 -------- d-----w- c:\program files\Design Science
2010-03-17 00:52 . 2007-11-06 23:55 -------- d-----w- c:\documents and settings\JANICE\Application Data\MSNInstaller
2010-03-17 00:41 . 2010-03-17 00:41 388096 ----a-r- c:\documents and settings\JANICE\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-03-10 22:17 . 2002-02-09 02:17 -------- d-----w- c:\documents and settings\JANICE\Application Data\MSN6
2010-03-09 00:59 . 2005-10-25 18:50 57 ----a-w- c:\documents and settings\All Users\Application Data\Brother\BrLog\BrCollectDir\BR_cat.bat
2010-03-09 00:45 . 2005-10-25 18:58 50 ----a-w- c:\windows\system32\BRIDF04A.dat
2010-03-08 03:33 . 2010-03-08 03:33 237568 ----a-w- c:\documents and settings\LocalService\NTUSER.DAT.tmp
2010-03-08 03:33 . 2010-03-08 03:33 237568 ----a-w- c:\documents and settings\NetworkService\NTUSER.DAT.tmp
2010-03-07 01:56 . 2002-02-06 13:48 87018 ----a-w- c:\windows\system32\drivers\IdeChnDr.sys
2010-03-06 19:23 . 2002-02-16 20:00 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-06 19:19 . 2010-03-06 19:19 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-03-06 02:18 . 2010-03-06 02:18 348160 ----a-w- c:\documents and settings\JANICE\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-75714f6a-n\msvcr71.dll
2010-03-06 02:18 . 2010-03-06 02:18 503808 ----a-w- c:\documents and settings\JANICE\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-75714f6a-n\msvcp71.dll
2010-03-06 02:18 . 2010-03-06 02:18 499712 ----a-w- c:\documents and settings\JANICE\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-75714f6a-n\jmc.dll
2010-03-06 02:18 . 2010-03-06 02:18 61440 ----a-w- c:\documents and settings\JANICE\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6950817b-n\decora-sse.dll
2010-03-06 02:18 . 2010-03-06 02:18 12800 ----a-w- c:\documents and settings\JANICE\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6950817b-n\decora-d3d.dll
2010-03-06 01:38 . 2002-02-06 13:46 -------- d-----w- c:\program files\Dell
2010-03-05 00:30 . 2005-08-10 00:09 -------- d-----w- c:\program files\Dell Support
2010-02-14 19:00 . 2010-02-14 18:59 18205512 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026401dupd.exe
2010-02-14 18:58 . 2008-03-07 23:38 -------- d-----w- c:\documents and settings\JANICE\Application Data\TaxCut
2010-02-14 18:57 . 2010-02-14 18:55 -------- d-----w- c:\program files\HRBlock2009
2010-02-14 18:53 . 2008-03-07 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut
2010-02-14 18:52 . 2009-08-15 21:02 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-14 18:51 . 2010-03-17 03:33 38784 ----a-w- c:\documents and settings\Administrator.MOM\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-14 18:51 . 2009-08-15 21:02 38784 ----a-w- c:\documents and settings\JANICE\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-04 22:02 . 2010-01-04 22:02 27984 ----a-w- c:\windows\system32\sbbd.exe
2009-12-31 16:14 . 2010-03-07 00:41 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2002-04-14 14:56 . 2002-04-13 16:26 427 ----a-w- c:\program files\SSLresp.txt
2002-04-13 16:26 . 2002-04-13 16:28 7331 ----a-w- c:\program files\198F6271.taf
2002-03-23 20:16 . 2002-03-23 20:14 8462 ----a-w- c:\program files\measuredImportReport.log
2002-03-23 20:16 . 2002-03-23 20:14 2534 ----a-w- c:\program files\measuredWizard.log
2002-03-22 02:26 . 2002-03-22 02:25 285762 ----a-w- c:\program files\TaxCut_2001_Florida_InstallerB.exe
2002-02-16 20:00 . 2002-02-16 20:00 8981440 ----a-w- c:\program files\ar505enu.exe
2002-01-14 16:13 . 2002-03-22 02:00 128590 ------w- c:\program files\removetc.exe
2001-05-24 17:59 . 2002-03-22 02:00 162304 ------w- c:\program files\rmtc.exe
2002-03-22 02:24 . 2002-03-22 02:24 98304 ----a-w- c:\program files\internet explorer\plugins\IEHelper.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2010-01-04 959824]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SetDefPrt"="c:\program files\Brother\Brmfl04b\BrStDvPt.exe" [2004-05-25 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2001-10-09 200704]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-09-14 50688]
"Ink Monitor"="c:\program files\EPSON\Ink Monitor\InkMonitor.exe" [2001-06-15 254022]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]

c:\documents and settings\JANICE\Start Menu\Programs\Startup\
easy gadget.lnk - c:\program files\easy gadget\easy gadget.exe [2010-3-4 95232]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRealMode"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightLAN 01
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 01
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon Internet Security Suite

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Linksys\\LogViewer\\LogViewer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 sbaphd;sbaphd;c:\windows\SYSTEM32\DRIVERS\sbaphd.sys [1/18/2010 11:11 AM 13360]
R1 sbtis;sbtis;c:\windows\SYSTEM32\DRIVERS\sbtis.sys [11/17/2008 12:32 AM 202928]
R2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [1/4/2010 6:02 PM 1012080]
R2 sbapifs;sbapifs;c:\windows\SYSTEM32\DRIVERS\sbapifs.sys [1/18/2010 11:13 AM 69936]
S3 SBRE;SBRE;c:\windows\SYSTEM32\DRIVERS\SBREDrv.sys [10/13/2009 9:22 AM 95024]
.
Contents of the 'Scheduled Tasks' folder

2009-12-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2010-03-19 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 16:20]

2002-02-09 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-09-14 07:56]

2002-02-09 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-09-14 07:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = 127.0.0.1;<local>;*.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd....
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKCU-Run-OM_Monitor - c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe
HKCU-Run-MoneyAgent - c:\program files\Microsoft Money\System\Money Express.exe
HKLM-Run-Pqevetox - c:\windows\ozenocopolo.dll
Notify-dimsntfy - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-19 00:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\.application\bootstrap]
@DACL=(02 0000)
@="bootstrap.application.1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2960)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\msi.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\Brmfrmps.exe
c:\windows\System32\nvsvc32.exe
c:\program files\Brother\Brmfcmon\BrMfcWnd.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Brother\Brmfcmon\BrMfcmon.exe
.
**************************************************************************
.
Completion time: 2010-03-19 00:10:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-19 04:10

Pre-Run: 10,861,899,776 bytes free
Post-Run: 11,687,002,112 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 36600BBF42FE559935CA6AC042E0961E


#18
March 19, 2010 at 20:48:05
jlayman, Just for the record...
1. You are still infected.
2. Attempting to get help this way is called Hijacking a post.
3. If you want help, you need to start your own thread; we can't work on more than one computer per post, it gets too confusing.
