TechSpot

IE error and computer running slow

By ubaldo2003
Jul 7, 2011
  1. Good Evening,

    My browser has been encountering a problem: I try to open a new window and it closes. Plus my computer has been running super slow.

    I believe I have malware.

    Please, any advice. Thanks.

    Attached please find the Malwarebytes log and HijackThis log.



    MALWAREBYTES

    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 7038

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 8.0.6001.18702

    7/6/2011 9:52:55 PM
    mbam-log-2011-07-06 (21-52-55).txt

    Scan type: Quick scan
    Objects scanned: 183295
    Time elapsed: 5 minute(s), 59 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    HIJACKTHIS

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 10:08:04 PM, on 7/6/2011
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
    C:\Program Files\QuickTime\bak\QTTask.exe
    C:\Program Files\Microsoft Works\WksSb.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
    C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nlssrv32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\All Users\Application Data\Google\Google Toolbar\Update\gtbDB.tmp.exe
    C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\913QXZB3\ccsetup308[1].exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O1 - Hosts: 213.203.216.114 marketsamurai.com
    O1 - Hosts: 204.9.178.11 typepad.com
    O1 - Hosts: 74.113.152.32 istockphoto.com
    O1 - Hosts: 208.94.0.38 yfrog.com
    O1 - Hosts: 63.309.5.102 virustotal.com
    O1 - Hosts: 123.125.50.22 126.com
    O1 - Hosts: 24.29.138.10 telegraph.co.uk
    O1 - Hosts: 174.36.28.11 SlideShare.com
    O1 - Hosts: 213.238.60.190 xing.com
    O1 - Hosts: 59.106.98.139 seesaa.net
    O1 - Hosts: 184.72.253.170 hootsuite.com
    O1 - Hosts: 211.151.146.16 soku.com
    O1 - Hosts: 74.208.73.101 qvc.com
    O1 - Hosts: 67.221.174.30 tagged.com
    O1 - Hosts: 72.32.120.222 metacafe.com
    O1 - Hosts: 89.105.6.98 bitdefender.com
    O1 - Hosts: 204.11.109.133 tribalfusion.com
    O1 - Hosts: 207.154.14.31 tripadvisor.com
    O1 - Hosts: 216.52.240.133 ustream.tv
    O1 - Hosts: 174.36.244.132 linkwithin.com
    O1 - Hosts: 80.82.137.230 thefreedictionary.com
    O1 - Hosts: 121.67.203.61 scan.novirusthanks.org
    O1 - Hosts: 209.172.34.139 imagevenue.com
    O1 - Hosts: 91.206.232.220 booking.com
    O1 - Hosts: 118.69.251.6 vnexpress.net
    O1 - Hosts: 64.34.110.174 plentyoffish.com
    O1 - Hosts: 140.211.166.21 drupal.org
    O1 - Hosts: 103.67.101.13 trendmicro.com
    O1 - Hosts: 208.85.40.80 pandora.com
    O1 - Hosts: 194.116.241.57 softonic.com
    O1 - Hosts: 208.83.243.15 match.com
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: BHO Project - {70C6E9DE-F30E-4A40-8A6F-9572C2328320} - C:\Program Files\Object\bho_project.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\RunOnce: [Uninstall Adobe Download Manager] "C:\Program Files\NOS\bin\getPlusUninst_Adobe.exe" /Get1noarp
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Personal Coach.lnk = ?
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.doginhispen.com
    O15 - Trusted Zone: *.whataboutadog.com
    O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\nlssrv32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

    --
    End of file - 9849 bytes
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! Normally I would start off by asking you to complete the steps in our preliminary removal thread, and I will do that. But I can see that your hosts have been hijacked, so let's start with that first:

    Please reopen HijackThis to 'do system scan only'. Check each of the following, if present:

    O1 - Hosts: 204.9.178.11 typepad.com
    O1 - Hosts: 74.113.152.32 istockphoto.com
    O1 - Hosts: 208.94.0.38 yfrog.com
    O1 - Hosts: 63.309.5.102 virustotal.com
    O1 - Hosts: 123.125.50.22 126.com
    O1 - Hosts: 24.29.138.10 telegraph.co.uk
    O1 - Hosts: 174.36.28.11 SlideShare.com
    O1 - Hosts: 213.238.60.190 xing.com
    O1 - Hosts: 59.106.98.139 seesaa.net
    O1 - Hosts: 184.72.253.170 hootsuite.com
    O1 - Hosts: 211.151.146.16 soku.com
    O1 - Hosts: 74.208.73.101 qvc.com
    O1 - Hosts: 67.221.174.30 tagged.com
    O1 - Hosts: 72.32.120.222 metacafe.com
    O1 - Hosts: 89.105.6.98 bitdefender.com
    O1 - Hosts: 204.11.109.133 tribalfusion.com
    O1 - Hosts: 207.154.14.31 tripadvisor.com
    O1 - Hosts: 216.52.240.133 ustream.tv
    O1 - Hosts: 174.36.244.132 linkwithin.com
    O1 - Hosts: 80.82.137.230 thefreedictionary.com
    O1 - Hosts: 121.67.203.61 scan.novirusthanks.org
    O1 - Hosts: 209.172.34.139 imagevenue.com
    O1 - Hosts: 91.206.232.220 booking.com
    O1 - Hosts: 118.69.251.6 vnexpress.net
    O1 - Hosts: 64.34.110.174 plentyoffish.com
    O1 - Hosts: 140.211.166.21 drupal.org
    O1 - Hosts: 103.67.101.13 trendmicro.com
    O1 - Hosts: 208.85.40.80 pandora.com
    O1 - Hosts: 194.116.241.57 softonic.com
    O1 - Hosts: 208.83.243.15 match.com
    O15 - Trusted Zone: *.doginhispen.com
    O15 - Trusted Zone: *.whataboutadog.com


    Close all Windows except HijackThis and click on "Fix Checked."
    ===================================
    Open Internet Options through Tools in IE or the Control Panel> select the Security tab> Restricted sites> Sites> type in the following and click on Add after each:
    *.doginhispen.com
    *.whataboutadog.com


    When finished click on Apply> OK.

    Reboot and rescan with HijackThis.
    =================================================
    • Hold down Control and click on the following link to open ESETOnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the download button to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the ESET Smart Installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ========================================
    Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    =====================================================
    Please include the logs for the HijackThis rescan, the Eset online AV scan and Combofix in your next reply.

    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.
    If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
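The hosts-file hijack Bobbye points out above (security-vendor domains such as virustotal.com, bitdefender.com and trendmicro.com mapped to arbitrary public addresses) is something a defender can check for automatically rather than by eye. The following is an added example written for this thread; it is not code from Bobbye, HijackThis or Malwarebytes. It parses either a Windows hosts file or HijackThis "O1 - Hosts:" lines and flags three indicators: a name mapped to a globally routable address (a clean hosts file only contains loopback, unspecified or private addresses), a malformed address, and any entry for a watchlisted security-vendor domain. The two sample inputs are constructed from entries in the log above, and the SECURITY_DOMAINS watchlist is an assumption to adjust for your own environment.

```python
"""Audit a Windows hosts file, or HijackThis 'O1 - Hosts:' lines, for hijack indicators.
Added example for this thread (not Bobbye's, HijackThis' or Malwarebytes' code)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample hosts file: the two normal Windows entries plus a handful of
# the mappings from the HijackThis log above (63.309.5.102 is kept as-is to show
# how a malformed address is reported).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
213.203.216.114 marketsamurai.com
63.309.5.102    virustotal.com
89.105.6.98     bitdefender.com
103.67.101.13   trendmicro.com
208.83.243.15   match.com
"""

# Constructed HijackThis excerpt; lines that are not O1 entries are ignored.
SAMPLE_HJT = """\
O1 - Hosts: 204.9.178.11 typepad.com
O1 - Hosts: 121.67.203.61 scan.novirusthanks.org
O15 - Trusted Zone: *.doginhispen.com
"""

# Assumed watchlist: vendor domains that hijackers redirect so the victim
# cannot reach help. Extend it for your environment.
SECURITY_DOMAINS = {
    "virustotal.com", "bitdefender.com", "trendmicro.com",
    "novirusthanks.org", "malwarebytes.org", "eset.com",
}

HJT_O1 = re.compile(r"^O1 - Hosts:\s*(\S+)\s+(\S+)")


@dataclass
class Finding:
    line: int
    ip: str
    host: str
    reasons: list = field(default_factory=list)


def parse_hosts(text):
    """Return (line_no, ip, hostname) tuples; comments, blanks and aliases are handled."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue  # blank, comment-only, or an address with no name
        for name in parts[1:]:  # one address may carry several aliases
            entries.append((n, parts[0], name))
    return entries


def parse_hjt_o1(text):
    """Return the same tuples from HijackThis 'O1 - Hosts: <ip> <host>' lines."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = HJT_O1.match(raw.strip())
        if m:
            entries.append((n, m.group(1), m.group(2)))
    return entries


def watched_domain(host):
    """True if host is, or is a subdomain of, a watchlisted domain."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in SECURITY_DOMAINS for i in range(len(labels)))


def audit(entries):
    """Flag entries that are malformed, map to a public address, or name a watched domain."""
    findings = []
    for n, ip, host in entries:
        reasons = []
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            reasons.append("malformed-ip")
        else:
            # Loopback (127.x, ::1), unspecified (0.0.0.0) and RFC 1918 addresses are
            # the normal contents of a hosts file; a globally routable address is not.
            if addr.is_global:
                reasons.append("public-ip")
        if watched_domain(host):
            reasons.append("security-domain")
        if reasons:
            findings.append(Finding(n, ip, host, reasons))
    return findings


def main():
    for label, entries in (("hosts file", parse_hosts(SAMPLE_HOSTS)),
                           ("HijackThis", parse_hjt_o1(SAMPLE_HJT))):
        print(f"== {label}")
        for f in audit(entries):
            print(f"line {f.line}: {f.ip:>16} {f.host:<28} {', '.join(f.reasons)}")


if __name__ == "__main__":
    main()
```

On a live machine, read %SystemRoot%\System32\drivers\etc\hosts and pass its contents to parse_hosts; a clean Windows XP hosts file produces no findings. Using is_global rather than "not loopback" is deliberate: ad-blocking hosts files map names to 0.0.0.0 or 127.0.0.1, and LAN entries point at private ranges, so neither triggers a false positive.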
     
  3. ubaldo2003

    ubaldo2003 TS Rookie Topic Starter Posts: 35

    Thank you for your assistance,

    HIJACKTHIS LOG

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 2:52:29 PM, on 7/7/2011
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\QuickTime\bak\QTTask.exe
    C:\Program Files\Microsoft Works\WksSb.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\nlssrv32.exe
    C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Personal Coach.lnk = ?
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.doginhispen.com
    O15 - Trusted Zone: *.whataboutadog.com
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\nlssrv32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

    --
    End of file - 8119 bytes

    ESET ONLINE SCAN

    C:\Program Files\QuickTime\QTTask.exe a variant of Win32/Zonebac.AB trojan
    C:\Qoobox\Quarantine\C\Program Files\Common Files\AOL\1139033798\EE\AOLHostManager.exe.vir a variant of Win32/Zonebac.AB trojan
    C:\Qoobox\Quarantine\C\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe.vir a variant of Win32/Zonebac.AB trojan
    C:\Qoobox\Quarantine\C\Program Files\HP\HP Software Update\HPWuSchd2.exe.vir a variant of Win32/Zonebac.AB trojan
    C:\Qoobox\Quarantine\C\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\lsass.exe.vir Win32/AutoRun.KP worm
    C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP3\A0000453.exe a variant of Win32/Zonebac.AB trojan
    C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP4\A0001087.exe a variant of Win32/Zonebac.AB trojan
    C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP4\A0001088.exe a variant of Win32/Zonebac.AB trojan
    C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP4\A0001089.exe a variant of Win32/Zonebac.AB trojan
    C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP4\A0001091.exe Win32/AutoRun.KP worm
    D:\I386\Apps\APP27596\src\CompaqPresario_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application
    D:\I386\Apps\APP27596\src\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application


    COMBOFIX SCAN

    ComboFix 11-07-07.03 - Compaq_Owner 07/07/2011 12:23:39.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.958.564 [GMT -7:00]
    Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
    c:\documents and settings\Administrator\WINDOWS
    c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
    c:\documents and settings\Compaq_Owner\Application Data\Setup.exe
    c:\documents and settings\Compaq_Owner\Local Settings\Temp\IadHide5.dll
    c:\documents and settings\Compaq_Owner\WINDOWS
    c:\documents and settings\Default User\WINDOWS
    c:\documents and settings\Guest\WINDOWS
    c:\program files\Common Files\AOL\1139033798\EE\AOLHostManager.exe
    c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
    c:\program files\HP\HP Software Update\HPWuSchd2.exe
    c:\program files\Object\bho_project.dll
    c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013
    c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\lsass.exe
    c:\windows\system32\config\systemprofile\WINDOWS
    c:\windows\system32\ps2.bat
    D:\Autorun.inf
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-06-07 to 2011-07-07 )))))))))))))))))))))))))))))))
    .
    .
    2011-07-07 18:38 . 2011-07-07 18:38 -------- d-----w- c:\windows\ServicePackFiles
    2011-07-07 18:37 . 2011-07-07 18:37 -------- d-----w- c:\program files\MSXML 4.0
    2011-07-07 05:09 . 2011-07-07 05:09 -------- d-----w- c:\program files\CCleaner
    2011-07-07 04:48 . 2011-07-07 04:48 388096 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-07-07 04:48 . 2011-07-07 04:48 -------- d-----w- c:\program files\Trend Micro
    2011-07-07 04:48 . 2011-07-07 04:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
    2011-07-07 04:44 . 2011-07-07 04:44 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2011-07-07 04:43 . 2011-07-07 04:43 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
    2011-07-07 03:12 . 2011-07-07 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Alien Skin
    2011-07-07 03:12 . 2011-07-07 03:12 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Alien Skin
    2011-07-07 03:10 . 2011-07-07 03:10 -------- d-----w- c:\program files\Alien Skin
    2011-07-07 01:35 . 2011-07-07 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
    2011-07-07 01:35 . 2011-07-07 01:35 -------- d-----w- c:\program files\AOL Games
    2011-07-06 23:43 . 2011-07-07 00:18 -------- d-----w- c:\documents and settings\Compaq_Owner\.frostwire5
    2011-07-06 23:41 . 2011-07-06 23:44 -------- d-----w- c:\program files\FrostWire 5
    2011-07-06 23:41 . 2011-07-06 23:41 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-07-06 23:41 . 2011-07-06 23:41 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-07-06 22:55 . 2011-07-06 22:56 -------- d-----w- c:\program files\FrostWire
    2011-07-06 22:55 . 2011-07-06 23:00 -------- d-----w- c:\program files\Common Files\FreeCause
    2011-07-06 22:54 . 2011-07-07 19:27 -------- d-----w- c:\program files\Object
    2011-07-06 19:39 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
    2011-07-06 19:39 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\dllcache\bthport.sys
    2011-07-06 19:37 . 2010-05-06 10:41 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
    2011-07-06 19:37 . 2010-05-06 10:41 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
    2011-07-06 19:37 . 2010-05-06 10:41 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
    2011-07-06 19:37 . 2010-05-06 10:41 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
    2011-07-06 19:37 . 2010-05-06 10:41 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
    2011-07-06 19:37 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
    2011-07-06 19:37 . 2010-05-06 10:41 11076096 ------w- c:\windows\system32\dllcache\ieframe.dll
    2011-07-06 04:43 . 2011-07-06 04:43 -------- d-sh--w- c:\documents and settings\Compaq_Owner\IECompatCache
    2011-07-06 04:42 . 2011-07-06 04:42 -------- d-sh--w- c:\documents and settings\Compaq_Owner\PrivacIE
    2011-07-06 04:42 . 2011-07-06 04:42 -------- d-sh--w- c:\documents and settings\Compaq_Owner\IETldCache
    2011-07-06 04:40 . 2011-07-06 04:40 -------- dc-h--w- c:\windows\ie8
    2011-07-06 01:59 . 2011-07-06 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Cisco Systems
    2011-06-24 02:04 . 2011-06-24 02:04 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Alien Skin
    2011-06-24 01:47 . 2009-12-09 21:22 57344 ----a-w- c:\windows\system32\nlssrv32.exe
    2011-06-23 22:55 . 2011-07-06 04:29 -------- d-----w- c:\documents and settings\Administrator
    2011-06-23 22:32 . 2011-06-23 22:32 1409 ----a-w- c:\windows\QTFont.for
    2011-06-23 22:32 . 2011-07-07 03:27 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Corel
    2011-06-23 22:31 . 2011-06-23 22:31 88 --sh--r- c:\windows\system32\DB8EA18C15.sys
    2011-06-23 22:31 . 2011-07-07 03:32 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2011-06-23 22:31 . 2011-06-23 22:31 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Corel
    2011-06-23 22:31 . 2011-06-23 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
    2011-06-23 22:27 . 2011-06-23 22:29 -------- d-----w- c:\program files\Common Files\Corel
    2011-06-23 21:04 . 2011-06-23 21:04 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
    2011-06-23 21:04 . 2011-05-29 16:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-23 21:04 . 2011-06-23 21:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-06-23 21:04 . 2011-07-06 04:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-06-23 21:04 . 2011-05-29 16:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-23 20:59 . 2011-06-23 22:27 -------- d-----w- c:\program files\Corel
    2011-06-23 20:59 . 2011-06-23 20:59 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\InstallShield
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-26 04:08 . 2005-12-21 21:17 3649 ----a-w- c:\windows\viassary-hp.reg
    .
    .
    ((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2004-11-03 21:03 . 2004-11-03 21:03 125528 c:\program files\Common Files\AOL\1139033798\EE\bak\AOLHostManager.exe
    .
    2005-12-21 21:01 . 2005-12-21 21:01 180269 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
    .
    2005-03-04 16:40 . 2005-03-04 16:40 48752 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe
    .
    2004-11-03 07:59 . 2004-11-03 07:59 218240 c:\program files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe
    .
    2007-10-03 03:21 . 2007-10-03 03:21 171448 c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe
    .
    2005-12-21 21:36 . 2005-09-21 17:41 1605740 c:\program files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe
    .
    2005-05-12 06:12 . 2005-05-12 06:12 49152 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe
    .
    2007-06-29 13:24 . 2007-06-29 13:24 286720 c:\program files\QuickTime\bak\QTTask.exe
    2007-06-29 13:24 . 2007-10-06 01:05 27660 c:\program files\QuickTime\QTTask.exe
    .
    2004-08-04 12:00 . 2004-08-04 12:00 15360 c:\windows\system32\bak\ctfmon.exe
    2004-08-04 12:00 . 2004-08-04 12:00 15360 c:\windows\system32\ctfmon.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-07-07 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PCDrProfiler"="" [N/A]
    "HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [N/A]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [N/A]
    "QuickTime Task"="c:\program files\QuickTime\bak\QTTask.exe" [2007-06-29 286720]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [N/A]
    "Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
    "Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2004-06-24 729088]
    "Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-01 28739]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-28 531272]
    .
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-21 27136]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2005-12-21 36903]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-8-1 65588]
    Personal Coach.lnk - c:\program files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe [2007-2-13 2392064]
    .
    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-21 27136]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
    backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^Compaq Organize.lnk]
    path=c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\Compaq Organize.lnk
    backup=c:\windows\pss\Compaq Organize.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
    2007-03-16 01:16 454784 ----a-w- c:\program files\Linksys EasyLink Advisor\Linksys EasyLink Advisor\LinksysAgent.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    c:\program files\Common Files\AOL\1139033798\EE\AOLHostManager.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ccSetMgr"=2 (0x2)
    "ccPwdSvc"=3 (0x3)
    "ccProxy"=2 (0x2)
    "ccEvtMgr"=2 (0x2)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1139033798\\EE\\AOLServiceHost.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\FrostWire 5\\FrostWire.exe"=
    .
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/23/2011 2:04 PM 366640]
    R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\nlssrv32.exe [6/23/2011 6:47 PM 57344]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/23/2011 2:04 PM 22712]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/6/2011 9:43 PM 136176]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-07-07 04:43]
    .
    2011-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-07-07 04:43]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
    Trusted Zone: doginhispen.com
    Trusted Zone: whataboutadog.com
    TCP: DhcpNameServer = 192.168.7.254
    DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} - hxxps://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    AddRemove-{3BA95526-6AE0-4B87-A62D-17187EF565FC} - c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-07-07 12:29
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(568)
    c:\windows\system32\Ati2evxx.dll
    .
    - - - - - - - > 'explorer.exe'(2852)
    c:\windows\system32\WININET.dll
    c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
    c:\windows\system32\ieframe.dll
    c:\program files\Broderbund\Mavis Beacon Teaches Typing 15\KeyHook.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\windows\system32\HPZipm12.exe
    c:\windows\system32\PSIService.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2011-07-07 12:32:40 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-07-07 19:32
    .
    Pre-Run: 165,869,150,208 bytes free
    Post-Run: 166,138,941,440 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - B385114A2190D2B93C4C588AD0E1A214
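The ComboFix log above carries the indicators a malware-removal helper reads before writing a fix script: legitimate executables moved into "bak" folders (the AWF section) with, in the QuickTime case, a much smaller file sitting in the original's location, a Run entry that points at the moved copy, Security Center monitoring for the antivirus and firewall silenced, the Windows firewall turned off, an lsass.exe under a Recycler SID folder, an Autorun.inf on the D: volume, and a DLL loaded into explorer.exe from the Temp directory. The script below is an added example, not part of the thread and not ComboFix code: it walks those sections and flags each indicator. The section names and line layouts it expects are assumptions taken from the log above, and SAMPLE_LOG is a constructed excerpt whose lines are copied from that log.

```python
"""Flag the indicators a malware-removal helper reads out of a ComboFix log.

Added example for this page: not ComboFix code and not part of the thread.
The section names and line layouts are assumptions taken from the posted log;
SAMPLE_LOG is a constructed excerpt whose lines are copied from it.
"""
import re

PAREN_SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")       # ((( Section name )))
DASH_SECTION_RE = re.compile(r"^-{3,}\s*(.+?)\s*-{3,}$")     # --- Section name ---
KEY_RE = re.compile(r"^\[(.+)\]$")                          # [HKLM\...]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')             # "name"=data
AWF_RE = re.compile(r"^\S+ \S+ \. \S+ \S+ (\d+) (.+)$")      # created . modified size path
PROC_RE = re.compile(r"> '([^']+)'\(\d+\)$")                 # > 'explorer.exe'(2852)
RECYCLER_EXE_RE = re.compile(r"^[a-z]:\\recycler\\s-1-5-21-[\d-]+\\[^\\]+\.exe$", re.I)
TEMP_DLL_RE = re.compile(r"\\temp\\[^\\]+\.dll$", re.I)
AUTORUN_RE = re.compile(r"^[d-z]:\\autorun\.inf$", re.I)    # autorun.inf off the system drive

SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\lsass.exe
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-06-29 13:24 . 2007-06-29 13:24 286720 c:\program files\QuickTime\bak\QTTask.exe
2007-06-29 13:24 . 2007-10-06 01:05 27660 c:\program files\QuickTime\QTTask.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\bak\QTTask.exe" [2007-06-29 286720]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2852)
c:\windows\system32\WININET.dll
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
"""


def triage(log_text):
    """Return (kind, detail) findings in log order; AWF pairs are reported last."""
    findings, awf = [], {}
    section = key = proc = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = PAREN_SECTION_RE.match(line) or DASH_SECTION_RE.match(line)
        if m:
            section, key, proc = m.group(1), None, None
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if section == "Other Deletions":
            if RECYCLER_EXE_RE.match(line):      # system-process name under a Recycler SID folder
                findings.append(("recycler_exe", line))
            elif AUTORUN_RE.match(line):         # autorun file on a second or removable volume
                findings.append(("autorun_removable", line))
        elif section == "AWF":
            m = AWF_RE.match(line)
            if m:                                # pair the bak\ original with the live file
                size, path = int(m.group(1)), m.group(2).lower()
                slot = "bak" if "\\bak\\" in path else "live"
                awf.setdefault(path.replace("\\bak\\", "\\"), {})[slot] = size
        elif section == "Reg Loading Points" and key:
            m = VALUE_RE.match(line)
            if not m:
                continue
            name, data, k = m.group(1), m.group(2), key.lower()
            if k.endswith("\\run") and "\\bak\\" in data.lower():
                findings.append(("run_points_to_bak", f"{name} -> {data}"))
            elif ("security center\\monitoring" in k and name == "DisableMonitoring"
                  and data.startswith("dword:") and int(data[6:], 16) != 0):
                findings.append(("security_center_muted", key.rsplit("\\", 1)[-1]))
            elif "firewallpolicy" in k and name == "EnableFirewall" and data.startswith("0"):
                findings.append(("firewall_disabled", key))
        elif section == "DLLs Loaded Under Running Processes":
            m = PROC_RE.search(line)
            if m:
                proc = m.group(1)
            elif proc and TEMP_DLL_RE.search(line):   # module loaded from a Temp directory
                findings.append(("temp_dll_in_process", f"{proc}: {line}"))
    for path, sizes in awf.items():
        if "bak" in sizes:
            live = sizes.get("live")
            tail = f"live copy is {live} bytes" if live is not None else "live copy not listed"
            findings.append(("awf_replaced", f"{path}: original {sizes['bak']} bytes moved to bak\\, {tail}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:22} {detail}")
```

Feed it a full log with triage(open("ComboFix.txt").read()). The AWF pairing is the part worth keeping: a live file far smaller than the copy in bak\ (QTTask.exe, 27660 versus 286720 bytes) is the patched stand-in, and a Run entry that has been redirected into bak\ is how the original keeps starting so the user notices nothing.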
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I don't see any antivirus program. The only security program I see is Malwarebytes. Please download, install and update one of the following free antivirus programs:
    Avira-AntiVir-Personal-Free-Antivirus
    Avast-Free Antivirus
    ==============================================
    Goodness, it's been so long since I've seen this malware, it almost went right over my head! You've had this lingering on your system for quite a while. And you should know that it is most commonly spread with peer-to-peer sharing.

    First, I want to advise you that the D:\Autorun.inf deletion in Combofix indicated you may be using an infected flash drive. Are you using a flash drive and is it Drive D? If this is a Yes/Yes, we need to disinfect the flash drive.
    You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.

    Please disinfect all movable drives
    1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
    3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    4. Wait until it has finished scanning and then exit the program.
    5. Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    =================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open Notepad > click on Format > uncheck 'Word Wrap' > and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    FileLook::
    c:\windows\system32\DB8EA18C15.sys
    AWF::
    c:\program files\Common Files\AOL\1139033798\EE\bak\AOLHostManager.exe
    c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
    c:\program files\Common Files\Symantec Shared\bak\ccApp.exe
    c:\program files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe
    c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe
    c:\program files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe
    c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe
    Folder::
    c:\documents and settings\All Users\Application Data\Trymedia
    c:\program files\FrostWire 5
    c:\documents and settings\Compaq_Owner\.frostwire5
    c:\program files\FrostWire
    c:\program files\Object
    c:\program files\Common Files\FreeCause
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\FrostWire 5\\FrostWire.exe"=-
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it in your next reply.
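What the autorun.inf folder that Flash_Disinfector leaves behind actually does, as an added example that is not the tool's own code and not part of the thread: a folder and a file cannot share a name on FAT, NTFS or a POSIX filesystem, so once a directory called autorun.inf occupies the name, a worm's attempt to drop an autorun.inf file is refused by the filesystem. The attrib call that marks the folder hidden and system is an assumption about how the tool hides it, and a temporary directory stands in for the removable volume.

```python
"""Occupy a volume's autorun.inf name with a folder so a worm cannot drop the file.

Added example for this page: not Flash_Disinfector's code and not part of the
thread.  Marking the folder hidden+system with attrib is an assumption about how
the tool hides it; a temporary directory stands in for the removable volume.
"""
import os
import subprocess
import sys
import tempfile


def protect_volume(root):
    """Create <root>/autorun.inf as a directory and return its path.

    An existing autorun.inf *file* is a candidate infection, so it is renamed
    to autorun.inf.suspect for inspection rather than silently deleted.
    """
    target = os.path.join(root, "autorun.inf")
    if os.path.isfile(target):
        os.replace(target, target + ".suspect")
    os.makedirs(target, exist_ok=True)
    if sys.platform == "win32":       # assumption: hidden, system and read-only like the tool
        subprocess.run(["attrib", "+h", "+s", "+r", target], check=False)
    return target


def worm_write_blocked(root):
    """Simulate a worm dropping autorun.inf; True if the filesystem refuses."""
    try:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write("[autorun]\nopen=lsass.exe\n")     # constructed payload
    except (IsADirectoryError, PermissionError):        # Linux/macOS raise the first, Windows the second
        return True
    return False


def demo():
    """Before/after check on a scratch volume; returns (before, after, moved_aside)."""
    with tempfile.TemporaryDirectory() as vol:
        before = worm_write_blocked(vol)        # False: an unprotected volume takes the file
        target = protect_volume(vol)            # that file is moved aside; the folder takes its name
        after = worm_write_blocked(vol)         # True: the drop now fails
        moved_aside = os.path.isfile(target + ".suspect")
    return before, after, moved_aside


if __name__ == "__main__":
    print(demo())   # (False, True, True)
```

On a real drive call protect_volume(r"D:\") with the volume mounted. The folder only defeats a worm that tries to create the file; one that removes the folder first is not stopped, so treat it as a speed bump next to a clean host, not as a substitute for disinfecting the drive.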
     
  5. ubaldo2003

    ubaldo2003 TS Rookie Topic Starter Posts: 35

    Well, it seems like it's a really bad infection. This is my sister's computer and she hasn't had internet in a long, long time. I just moved in and I'm trying to make it run a little better, but it was too much for me. lol.


    By the way, after my computer was rebooted the HP Product Assistant installation popped up, and I couldn't cancel it because it kept on popping up.

    And about the flash drives: I checked the hidden files and the only hidden folders on them are Spotlight-v-100 and .trashes, on both flash drives.

    Attached, find the ComboFix log.

    ComboFix 11-07-08.03 - Compaq_Owner 07/08/2011 18:35:53.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.958.533 [GMT -7:00]
    Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
    c:\documents and settings\Administrator\WINDOWS
    c:\documents and settings\All Users\Application Data\Trymedia
    c:\documents and settings\All Users\Application Data\Trymedia\data\{8662CB1F-323F-DC2A-6A02-C624BCBB7D2B}
    c:\documents and settings\All Users\Application Data\Trymedia\data\{8C4FB579-C531-1771-0F53-C9D7C1302799}
    c:\documents and settings\All Users\Application Data\Trymedia\data\{CE511630-6E38-03E0-03FA-6571BCF7AB91}
    c:\documents and settings\All Users\Application Data\Trymedia\data\{F89A6F8F-F534-FA16-3728-0DED374545D2}
    c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
    c:\documents and settings\Compaq_Owner\.frostwire5
    c:\documents and settings\Compaq_Owner\.frostwire5\azureus.lock
    c:\documents and settings\Compaq_Owner\.frostwire5\azureus\.certs
    c:\documents and settings\Compaq_Owner\.frostwire5\azureus\.keystore
    c:\documents and settings\Compaq_Owner\.frostwire5\azureus\active\2264FC15F0EFFA09D2D7F57C18C78A7CBDB072DC.dat
    c:\documents and settings\Compaq_Owner\.frostwire5\azureus\active\2264FC15F0EFFA09D2D7F57C18C78A7CBDB072DC.dat.bak
    c:\documents and settings\Compaq_Owner\.frostwire5\azureus\active\2264FC15F0EFFA09D2D7F57C18C78A7CBDB072DC\fmfile15.dat
    c:\documents and settings\Compaq_Owner\.frostwire5\azureus\active\cache.dat
    c:\documents and settings\Compaq_Owner\.frostwire5\azureus\active\F95ACCDF2178ABEF7FA31776787D8AA099C0955F.dat
    c:\documents and settings\Compaq_Owner\.frostwire5\azureus\active\F95ACCDF2178ABEF7FA31776787D8AA099C0955F.dat.bak
    c:\documents and settings\Compaq_Owner\.frostwire5\azureus\active\F95ACCDF2178ABEF7FA31776787D8AA099C0955F\fmfile0.dat
    c:\documents and settings\Compaq_Owner\.frostwire5\azureus\active\F95ACCDF2178ABEF7FA31776787D8AA099C0955F\fmfile11.dat
    c:\documents and settings\Compaq_Owner\.frostwire5\azureus\azureus.config
    c:\documents and settings\Compaq_Owner\.frostwire5\azureus\azureus.config.bak
    c:\documents and settings\Compaq_Owner\.frostwire5\azureus\azureus.statistics
    c:\documents and settings\Compaq_Owner\.frostwire5\azureus\azureus.statistics.bak
    c:\documents and settings\Compaq_Owner\.frostwire5\azureus\banips.config
    c:\documents and settings\Compaq_Owner\.frostwire5\azureus\banips.config.bak
    c:\documents and settings\Compaq_Owner\.frostwire5\azureus\dht\addresses.dat
    c:\documents and settings\Compaq_Owner\.frostwire5\azureus\dht\contacts.dat
    c:\documents and settings\Compaq_Owner\.frostwire5\azureus\dht\diverse.dat
    c:\documents and settings\Compaq_Owner\.frostwire5\azureus\dht\general.dat
    c:\documents and settings\Compaq_Owner\.frostwire5\azureus\dht\version.dat
    c:\documents and settings\Compaq_Owner\.frostwire5\azureus\downloads.config
    c:\documents and settings\Compaq_Owner\.frostwire5\azureus\downloads.config.bak
    c:\documents and settings\Compaq_Owner\.frostwire5\azureus\ipfilter.cache
    c:\documents and settings\Compaq_Owner\.frostwire5\azureus\logs\debug_1.log
    c:\documents and settings\Compaq_Owner\.frostwire5\azureus\net\pm_7018.dat
    c:\documents and settings\Compaq_Owner\.frostwire5\azureus\net\pm_default.dat
    c:\documents and settings\Compaq_Owner\.frostwire5\azureus\tmp\AZU6922790059681001182.tmp
    c:\documents and settings\Compaq_Owner\.frostwire5\azureus\tmp\AZU8990506365801027890.tmp
    c:\documents and settings\Compaq_Owner\.frostwire5\frostwire.props
    c:\documents and settings\Compaq_Owner\.frostwire5\image_cache\static.frostwire.com\images\overlays\a_lonely_place_for_dying_pt1.jpg
    c:\documents and settings\Compaq_Owner\.frostwire5\image_cache\static.frostwire.com\images\overlays\a_lonely_place_for_dying_pt1_overlay.jpg
    c:\documents and settings\Compaq_Owner\.frostwire5\image_cache\static.frostwire.com\images\overlays\frostclick_default_overlay.jpg
    c:\documents and settings\Compaq_Owner\.frostwire5\image_cache\static.frostwire.com\images\overlays\fw5overlay.jpg
    c:\documents and settings\Compaq_Owner\.frostwire5\image_cache\static.frostwire.com\images\overlays\kenton_dunson_overlay.jpg
    c:\documents and settings\Compaq_Owner\.frostwire5\image_cache\static.frostwire.com\images\overlays\mouths_cradle_overlay.jpg
    c:\documents and settings\Compaq_Owner\.frostwire5\image_cache\static.frostwire.com\images\overlays\sarah_fimm_overlay.jpg
    c:\documents and settings\Compaq_Owner\.frostwire5\installation.props
    c:\documents and settings\Compaq_Owner\.frostwire5\intent.props
    c:\documents and settings\Compaq_Owner\.frostwire5\itunes.props
    c:\documents and settings\Compaq_Owner\.frostwire5\itunes_import.js
    c:\documents and settings\Compaq_Owner\.frostwire5\questions.props
    c:\documents and settings\Compaq_Owner\.frostwire5\seenMessages.dat
    c:\documents and settings\Compaq_Owner\.frostwire5\skins.dat
    c:\documents and settings\Compaq_Owner\.frostwire5\tables.props
    c:\documents and settings\Compaq_Owner\Application Data\Setup.exe
    c:\documents and settings\Compaq_Owner\Local Settings\temp\IadHide5.dll
    c:\documents and settings\Compaq_Owner\WINDOWS
    c:\documents and settings\Default User\WINDOWS
    c:\documents and settings\Guest\WINDOWS
    c:\program files\Common Files\AOL\1139033798\EE\AOLHostManager.exe
    c:\program files\Common Files\FreeCause
    c:\program files\FrostWire 5
    c:\program files\FrostWire 5\commons-logging.jar
    c:\program files\FrostWire 5\EULA.txt
    c:\program files\FrostWire 5\FrostWire.exe
    c:\program files\FrostWire 5\FrostWire.ico
    c:\program files\FrostWire 5\FrostWire.jar
    c:\program files\FrostWire 5\fwplayer.exe
    c:\program files\FrostWire 5\gettext-commons.jar
    c:\program files\FrostWire 5\GPL3.txt
    c:\program files\FrostWire 5\gson-1.4.jar
    c:\program files\FrostWire 5\httpclient-4.0.jar
    c:\program files\FrostWire 5\httpcore-4.0.1.jar
    c:\program files\FrostWire 5\launch.properties
    c:\program files\FrostWire 5\lw-azureus.jar
    c:\program files\FrostWire 5\lw-collection.jar
    c:\program files\FrostWire 5\lw-common.jar
    c:\program files\FrostWire 5\lw-io.jar
    c:\program files\FrostWire 5\lw-resources.jar
    c:\program files\FrostWire 5\lw-setting.jar
    c:\program files\FrostWire 5\messages.jar
    c:\program files\FrostWire 5\pmf.ico
    c:\program files\FrostWire 5\runRelease.bat
    c:\program files\FrostWire 5\splash.jar
    c:\program files\FrostWire 5\substance.jar
    c:\program files\FrostWire 5\SystemUtilities.dll
    c:\program files\FrostWire 5\SystemUtilitiesA.dll
    c:\program files\FrostWire 5\themes.jar
    c:\program files\FrostWire 5\tray.dll
    c:\program files\FrostWire 5\trident.jar
    c:\program files\FrostWire 5\Uninstall.exe
    c:\program files\FrostWire
    c:\program files\FrostWire\App\AppInfo\appicon.ico
    c:\program files\FrostWire\App\AppInfo\appinfo.ini
    c:\program files\FrostWire\App\DefaultData\FrostWire\frostwire.props
    c:\program files\FrostWire\App\DefaultData\FrostWire\installation.props
    c:\program files\FrostWire\App\DefaultData\settings\FrostWirePortableSettings.ini
    c:\program files\FrostWire\App\frostwire\aopalliance.jar
    c:\program files\FrostWire\App\frostwire\clink.jar
    c:\program files\FrostWire\App\frostwire\commons-codec-1.3.jar
    c:\program files\FrostWire\App\frostwire\commons-logging.jar
    c:\program files\FrostWire\App\frostwire\daap.jar
    c:\program files\FrostWire\App\frostwire\EULA.txt
    c:\program files\FrostWire\App\frostwire\forms.jar
    c:\program files\FrostWire\App\frostwire\foxtrot.jar
    c:\program files\FrostWire\App\frostwire\FrostWire.exe
    c:\program files\FrostWire\App\frostwire\FrostWire.ico
    c:\program files\FrostWire\App\frostwire\FrostWire.jar
    c:\program files\FrostWire\App\frostwire\gettext-commons.jar
    c:\program files\FrostWire\App\frostwire\GPL2.txt
    c:\program files\FrostWire\App\frostwire\GPL3.txt
    c:\program files\FrostWire\App\frostwire\gson-1.4.jar
    c:\program files\FrostWire\App\frostwire\guice-1.0.jar
    c:\program files\FrostWire\App\frostwire\hashes
    c:\program files\FrostWire\App\frostwire\httpclient-4.0-alpha3.jar
    c:\program files\FrostWire\App\frostwire\httpclient-4.0.jar
    c:\program files\FrostWire\App\frostwire\httpcore-4.0-beta2.jar
    c:\program files\FrostWire\App\frostwire\httpcore-4.0.1.jar
    c:\program files\FrostWire\App\frostwire\httpcore-nio-4.0-beta2.jar
    c:\program files\FrostWire\App\frostwire\httpcore-nio-4.0.1.jar
    c:\program files\FrostWire\App\frostwire\httpcore-niossl-4.0-alpha7.jar
    c:\program files\FrostWire\App\frostwire\icu4j.jar
    c:\program files\FrostWire\App\frostwire\inspection.props
    c:\program files\FrostWire\App\frostwire\jaudiotagger.jar
    c:\program files\FrostWire\App\frostwire\jcip-annotations.jar
    c:\program files\FrostWire\App\frostwire\jcraft.jar
    c:\program files\FrostWire\App\frostwire\jdic.dll
    c:\program files\FrostWire\App\frostwire\jdic.jar
    c:\program files\FrostWire\App\frostwire\jdic_stub.jar
    c:\program files\FrostWire\App\frostwire\jflac.jar
    c:\program files\FrostWire\App\frostwire\jl.jar
    c:\program files\FrostWire\App\frostwire\jmdns.jar
    c:\program files\FrostWire\App\frostwire\jogg.jar
    c:\program files\FrostWire\App\frostwire\jorbis.jar
    c:\program files\FrostWire\App\frostwire\jython.jar
    c:\program files\FrostWire\App\frostwire\launch.properties
    c:\program files\FrostWire\App\frostwire\log.txt
    c:\program files\FrostWire\App\frostwire\log4j.jar
    c:\program files\FrostWire\App\frostwire\log4j.properties
    c:\program files\FrostWire\App\frostwire\looks.jar
    c:\program files\FrostWire\App\frostwire\lw-all.jar
    c:\program files\FrostWire\App\frostwire\lw-azureus.jar
    c:\program files\FrostWire\App\frostwire\lw-collection.jar
    c:\program files\FrostWire\App\frostwire\lw-common.jar
    c:\program files\FrostWire\App\frostwire\lw-http.jar
    c:\program files\FrostWire\App\frostwire\lw-io.jar
    c:\program files\FrostWire\App\frostwire\lw-mojito.jar
    c:\program files\FrostWire\App\frostwire\lw-net.jar
    c:\program files\FrostWire\App\frostwire\lw-nio.jar
    c:\program files\FrostWire\App\frostwire\lw-resources.jar
    c:\program files\FrostWire\App\frostwire\lw-rudp.jar
    c:\program files\FrostWire\App\frostwire\lw-security.jar
    c:\program files\FrostWire\App\frostwire\lw-setting.jar
    c:\program files\FrostWire\App\frostwire\lw-statistic.jar
    c:\program files\FrostWire\App\frostwire\messages.jar
    c:\program files\FrostWire\App\frostwire\mp3spi.jar
    c:\program files\FrostWire\App\frostwire\onion-common.jar
    c:\program files\FrostWire\App\frostwire\onion-fec.jar
    c:\program files\FrostWire\App\frostwire\pmf.ico
    c:\program files\FrostWire\App\frostwire\ProgressTabs.jar
    c:\program files\FrostWire\App\frostwire\seenMessages.dat
    c:\program files\FrostWire\App\frostwire\splash.jar
    c:\program files\FrostWire\App\frostwire\SystemUtilities.dll
    c:\program files\FrostWire\App\frostwire\SystemUtilitiesA.dll
    c:\program files\FrostWire\App\frostwire\themes.jar
    c:\program files\FrostWire\App\frostwire\tray.dll
    c:\program files\FrostWire\App\frostwire\tritonus.jar
    c:\program files\FrostWire\App\frostwire\Uninstall.exe
    c:\program files\FrostWire\App\frostwire\vorbisspi.jar
    c:\program files\FrostWire\App\readme.txt
    c:\program files\FrostWire\Data\settings\FrostWire\.AppSpecialShare\ALIEN_SKIN_EYECANDY_V6.1.1-XForce.torrent
    c:\program files\FrostWire\Data\settings\FrostWire\.AppSpecialShare\EyeCandy611109.rar.torrent
    c:\program files\FrostWire\Data\settings\FrostWire\.AppSpecialShare\frostwire-4.21.8.windows.exe
    c:\program files\FrostWire\Data\settings\FrostWire\.AppSpecialShare\frostwire-4.21.8.windows.exe.torrent
    c:\program files\FrostWire\Data\settings\FrostWire\.AppSpecialShare\hostiles.txt.37.zip.torrent
    c:\program files\FrostWire\Data\settings\FrostWire\.AppSpecialShare\Tangent.Games.Crystal.Maze.torrent
    c:\program files\FrostWire\Data\settings\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
    c:\program files\FrostWire\Data\settings\FrostWire\azureus\.lock
    c:\program files\FrostWire\Data\settings\FrostWire\azureus\active\0795893ED4082520E89D43D8417237B7AA6B1B9B.dat
    c:\program files\FrostWire\Data\settings\FrostWire\azureus\active\0795893ED4082520E89D43D8417237B7AA6B1B9B.dat.bak
    c:\program files\FrostWire\Data\settings\FrostWire\azureus\active\4258AAA6DF108DDE1EA3E0BB1712DF1D8560D8D2.dat
    c:\program files\FrostWire\Data\settings\FrostWire\azureus\active\4258AAA6DF108DDE1EA3E0BB1712DF1D8560D8D2.dat.bak
    c:\program files\FrostWire\Data\settings\FrostWire\azureus\active\5394A1E98B6F9A95826ACC9815187D8304306E04.dat
    c:\program files\FrostWire\Data\settings\FrostWire\azureus\active\5394A1E98B6F9A95826ACC9815187D8304306E04.dat.bak
    c:\program files\FrostWire\Data\settings\FrostWire\azureus\active\747C9E7929E7F8643417EF0FD6CFE376520927A3.dat
    c:\program files\FrostWire\Data\settings\FrostWire\azureus\active\747C9E7929E7F8643417EF0FD6CFE376520927A3.dat.bak
    c:\program files\FrostWire\Data\settings\FrostWire\azureus\active\cache.dat
    c:\program files\FrostWire\Data\settings\FrostWire\azureus\azureus.config
    c:\program files\FrostWire\Data\settings\FrostWire\azureus\azureus.config.bak
    c:\program files\FrostWire\Data\settings\FrostWire\azureus\azureus.statistics
    c:\program files\FrostWire\Data\settings\FrostWire\azureus\azureus.statistics.bak
    c:\program files\FrostWire\Data\settings\FrostWire\azureus\dht\addresses.dat
    c:\program files\FrostWire\Data\settings\FrostWire\azureus\dht\contacts.dat
    c:\program files\FrostWire\Data\settings\FrostWire\azureus\dht\diverse.dat
    c:\program files\FrostWire\Data\settings\FrostWire\azureus\dht\general.dat
    c:\program files\FrostWire\Data\settings\FrostWire\azureus\dht\version.dat
    c:\program files\FrostWire\Data\settings\FrostWire\azureus\downloads.config
    c:\program files\FrostWire\Data\settings\FrostWire\azureus\downloads.config.bak
    c:\program files\FrostWire\Data\settings\FrostWire\azureus\ipfilter.cache
    c:\program files\FrostWire\Data\settings\FrostWire\azureus\net\pm_7018.dat
    c:\program files\FrostWire\Data\settings\FrostWire\azureus\net\pm_default.dat
    c:\program files\FrostWire\Data\settings\FrostWire\azureus\torrents\ALIEN_SKIN_EYECANDY_V6.1.1-XForce.torrent
    c:\program files\FrostWire\Data\settings\FrostWire\azureus\torrents\EyeCandy611109.rar.torrent
    c:\program files\FrostWire\Data\settings\FrostWire\azureus\torrents\frostwire-4.21.8.windows.exe.torrent
    c:\program files\FrostWire\Data\settings\FrostWire\azureus\torrents\Tangent.Games.Crystal.Maze.torrent
    c:\program files\FrostWire\Data\settings\FrostWire\createtimes.cache
    c:\program files\FrostWire\Data\settings\FrostWire\downloads.dat
    c:\program files\FrostWire\Data\settings\FrostWire\fileurns.bak
    c:\program files\FrostWire\Data\settings\FrostWire\fileurns.cache
    c:\program files\FrostWire\Data\settings\FrostWire\frostwire.props
    c:\program files\FrostWire\Data\settings\FrostWire\gnutella.net
    c:\program files\FrostWire\Data\settings\FrostWire\hostiles.dat
    c:\program files\FrostWire\Data\settings\FrostWire\image_cache\static.frostwire.com\images\banners\220x500frostwire_tshirt_blue_pink1.jpg
    c:\program files\FrostWire\Data\settings\FrostWire\image_cache\static.frostwire.com\images\banners\220x500frostwire_tshirt_blue_pink2.jpg
    c:\program files\FrostWire\Data\settings\FrostWire\installation.props
    c:\program files\FrostWire\Data\settings\FrostWire\installer.dat
    c:\program files\FrostWire\Data\settings\FrostWire\intent.props
    c:\program files\FrostWire\Data\settings\FrostWire\library.dat
    c:\program files\FrostWire\Data\settings\FrostWire\mojito.props
    c:\program files\FrostWire\Data\settings\FrostWire\overlays.dat
    c:\program files\FrostWire\Data\settings\FrostWire\overlays\fw5overlay.jpg
    c:\program files\FrostWire\Data\settings\FrostWire\questions.props
    c:\program files\FrostWire\Data\settings\FrostWire\responses.cache
    c:\program files\FrostWire\Data\settings\FrostWire\seenMessages.dat
    c:\program files\FrostWire\Data\settings\FrostWire\spam.dat
    c:\program files\FrostWire\Data\settings\FrostWire\tables.props
    c:\program files\FrostWire\Data\settings\FrostWire\themes\frostwirePro_theme.fwtp
    c:\program files\FrostWire\Data\settings\FrostWire\themes\frostwirePro_theme\theme.txt
    c:\program files\FrostWire\Data\settings\FrostWire\themes\frostwirePro_theme\version.txt
    c:\program files\FrostWire\Data\settings\FrostWire\version.xml
    c:\program files\FrostWire\Data\settings\FrostWirePortableSettings.ini
    c:\program files\FrostWire\FrostWire.exe
    c:\program files\FrostWire\Other\Help\images\donation_button.png
    c:\program files\FrostWire\Other\Help\images\favicon.ico
    c:\program files\FrostWire\Other\Help\images\help_background_footer.png
    c:\program files\FrostWire\Other\Help\images\help_background_header.png
    c:\program files\FrostWire\Other\Help\images\help_logo_top.png
    c:\program files\FrostWire\Other\Source\AppSource.txt
    c:\program files\FrostWire\Other\Source\frostwire logo.ai
    c:\program files\FrostWire\Other\Source\FrostWirePortable.ini
    c:\program files\FrostWire\Other\Source\FrostWirePortable.jpg
    c:\program files\FrostWire\Other\Source\FrostWirePortable.nsi
    c:\program files\FrostWire\Other\Source\License.txt
    c:\program files\FrostWire\Other\Source\PortableApps.comInstaller-old.nsi
    c:\program files\FrostWire\Other\Source\PortableApps.comInstaller.bmp
    c:\program files\FrostWire\Other\Source\PortableApps.comInstaller.nsi
    c:\program files\FrostWire\Other\Source\PortableApps.comInstallerLANG_ENGLISH.nsh
    c:\program files\FrostWire\Other\Source\ReadINIStrWithDefault.nsh
    c:\program files\FrostWire\Other\Source\Readme.txt
    c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
    c:\program files\HP\HP Software Update\HPWuSchd2.exe
    c:\program files\Object
    c:\program files\Object\bho_project.dll
    c:\program files\Object\ChromeAddon.pem
    c:\program files\Object\chromeaddon\._included.js
    c:\program files\Object\chromeaddon\background.html
    c:\program files\Object\chromeaddon\included.js
    c:\program files\Object\chromeaddon\manifest.json
    c:\program files\Object\config.ini
    c:\program files\Object\facetheme_uninstall.exe
    c:\program files\Object\status.txt
    c:\program files\Object\status2.txt
    c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013
    c:\windows\system32\config\systemprofile\WINDOWS
    c:\windows\system32\ps2.bat
    c:\windows\vb.ini
    D:\Autorun.inf
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-06-09 to 2011-07-09 )))))))))))))))))))))))))))))))
    .
    .
    2011-07-08 23:36 . 2011-07-08 23:36 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-07-08 23:36 . 2011-07-08 23:36 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
    2011-07-08 23:36 . 2011-07-08 23:36 -------- d-----w- c:\program files\McAfee Security Scan
    2011-07-08 23:35 . 2011-07-08 23:35 -------- d-----w- c:\program files\NOS
    2011-07-08 23:18 . 2011-07-08 23:18 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-07-08 23:16 . 2011-07-08 23:39 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2011-07-07 22:39 . 2011-07-07 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2011-07-07 19:43 . 2011-07-07 19:43 -------- d-----w- c:\program files\ESET
    2011-07-07 18:38 . 2011-07-07 18:38 -------- d-----w- c:\windows\ServicePackFiles
    2011-07-07 05:09 . 2011-07-07 05:09 -------- d-----w- c:\program files\CCleaner
    2011-07-07 04:48 . 2011-07-07 04:48 388096 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-07-07 04:48 . 2011-07-07 04:48 -------- d-----w- c:\program files\Trend Micro
    2011-07-07 04:48 . 2011-07-07 04:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
    2011-07-07 04:44 . 2011-07-07 04:44 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2011-07-07 04:43 . 2011-07-07 04:43 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
    2011-07-07 03:12 . 2011-07-07 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Alien Skin
    2011-07-07 03:12 . 2011-07-07 03:12 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Alien Skin
    2011-07-07 03:10 . 2011-07-07 03:10 -------- d-----w- c:\program files\Alien Skin
    2011-07-07 01:35 . 2011-07-07 01:35 -------- d-----w- c:\program files\AOL Games
    2011-07-06 23:41 . 2011-07-06 23:41 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-07-06 23:41 . 2011-07-06 23:41 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-07-06 04:43 . 2011-07-06 04:43 -------- d-sh--w- c:\documents and settings\Compaq_Owner\IECompatCache
    2011-07-06 04:42 . 2011-07-06 04:42 -------- d-sh--w- c:\documents and settings\Compaq_Owner\PrivacIE
    2011-07-06 04:42 . 2011-07-06 04:42 -------- d-sh--w- c:\documents and settings\Compaq_Owner\IETldCache
    2011-07-06 04:40 . 2011-07-06 04:40 -------- dc-h--w- c:\windows\ie8
    2011-07-06 01:59 . 2011-07-06 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Cisco Systems
    2011-06-24 02:04 . 2011-06-24 02:04 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Alien Skin
    2011-06-24 01:47 . 2009-12-09 21:22 57344 ----a-w- c:\windows\system32\nlssrv32.exe
    2011-06-23 22:55 . 2011-07-08 23:18 -------- d-----w- c:\documents and settings\Administrator
    2011-06-23 22:32 . 2011-06-23 22:32 1409 ----a-w- c:\windows\QTFont.for
    2011-06-23 22:32 . 2011-07-08 23:37 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Corel
    2011-06-23 22:31 . 2011-06-23 22:31 88 --sh--r- c:\windows\system32\DB8EA18C15.sys
    2011-06-23 22:31 . 2011-07-08 23:29 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2011-06-23 22:31 . 2011-06-23 22:31 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Corel
    2011-06-23 22:31 . 2011-06-23 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
    2011-06-23 22:27 . 2011-06-23 22:29 -------- d-----w- c:\program files\Common Files\Corel
    2011-06-23 21:04 . 2011-06-23 21:04 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
    2011-06-23 21:04 . 2011-05-29 16:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-23 21:04 . 2011-06-23 21:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-06-23 21:04 . 2011-07-06 04:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-06-23 21:04 . 2011-05-29 16:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-23 20:59 . 2011-06-23 22:27 -------- d-----w- c:\program files\Corel
    2011-06-23 20:59 . 2011-06-23 20:59 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\InstallShield
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-26 04:08 . 2005-12-21 21:17 3649 ----a-w- c:\windows\viassary-hp.reg
    .
    .
    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    --- c:\windows\system32\DB8EA18C15.sys ---
    Company: ------
    File Description: ------
    File Version: ------
    Product Name: ------
    Copyright: ------
    Original Filename: ------
    File size: 88
    Created time: 2011-06-23 22:31
    Modified time: 2011-06-23 22:31
    MD5: AA7A50CB2911196AD76F8F7D24CB39BA
    SHA1: DF7CE408FBDBDDCF1F9A3182724539C83731F4DB
    .
    .
    ((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-03 03:21 . 2007-10-03 03:21 171448 c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe
    .
    2007-06-29 13:24 . 2007-06-29 13:24 286720 c:\program files\QuickTime\bak\QTTask.exe
    2007-06-29 13:24 . 2007-10-06 01:05 27660 c:\program files\QuickTime\QTTask.exe
    .
    2004-08-04 12:00 . 2004-08-04 12:00 15360 c:\windows\system32\bak\ctfmon.exe
    2004-08-04 12:00 . 2004-08-04 12:00 15360 c:\windows\system32\ctfmon.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-07-07 39408]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TkBellExe"="realsched.exe -osboot" [X]
    "PCDrProfiler"="" [N/A]
    "HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [N/A]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [N/A]
    "QuickTime Task"="c:\program files\QuickTime\bak\QTTask.exe" [2007-06-29 286720]
    "Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
    "Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2004-06-24 729088]
    "Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-01 28739]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-28 531272]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "wextract_cleanup0"="c:\windows\system32\advpack.dll" [2009-03-08 128512]
    .
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-21 27136]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2005-12-21 36903]
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-8-1 65588]
    Personal Coach.lnk - c:\program files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe [2007-2-13 2392064]
    .
    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-21 27136]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
    backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^Compaq Organize.lnk]
    path=c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\Compaq Organize.lnk
    backup=c:\windows\pss\Compaq Organize.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
    2007-03-16 01:16 454784 ----a-w- c:\program files\Linksys EasyLink Advisor\Linksys EasyLink Advisor\LinksysAgent.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    c:\program files\Common Files\AOL\1139033798\EE\AOLHostManager.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ccSetMgr"=2 (0x2)
    "ccPwdSvc"=3 (0x3)
    "ccProxy"=2 (0x2)
    "ccEvtMgr"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1139033798\\EE\\AOLServiceHost.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    .
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/23/2011 2:04 PM 366640]
    R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\nlssrv32.exe [6/23/2011 6:47 PM 57344]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/23/2011 2:04 PM 22712]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/6/2011 9:43 PM 136176]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 5:49 AM 227232]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 5:00 AM 14336]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-07-07 04:43]
    .
    2011-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-07-07 04:43]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
    TCP: DhcpNameServer = 192.168.7.254
    DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} - hxxps://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    AddRemove-facetheme - c:\program files\Object\facetheme_uninstall.exe
    AddRemove-FrostWire 5 - c:\program files\FrostWire 5\Uninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-07-08 18:42
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(568)
    c:\windows\system32\Ati2evxx.dll
    .
    - - - - - - - > 'explorer.exe'(2660)
    c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
    c:\windows\system32\ieframe.dll
    c:\program files\Broderbund\Mavis Beacon Teaches Typing 15\KeyHook.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\windows\system32\HPZipm12.exe
    c:\windows\system32\PSIService.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Hp\HP Software Update\HPWUCli.exe
    c:\program files\HP\Digital Imaging\Product Assistant\bin\hprbUpdate.exe
    c:\docume~1\COMPAQ~1\LOCALS~1\Temp\rbSolnUpdateENU.3.3.0.exe
    c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IXP000.TMP\rbSolnUpdate.exe
    c:\windows\system32\msiexec.exe
    c:\windows\system32\MsiExec.exe
    .
    **************************************************************************
    .
    Completion time: 2011-07-08 18:45:45 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-07-09 01:45
    ComboFix2.txt 2011-07-07 19:32
    .
    Pre-Run: 162,806,247,424 bytes free
    Post-Run: 162,787,098,624 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - 3A81CF9B192DFCC6C4A2F244B4A3CA82
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Catching a Worm! One of these is a legitimate file and the other is a Worm; we just have to find out which is which:


    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :file
      c:\windows\system32\msiexec.exe
      :file
      c:\windows\system32\MsiExec.exe
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
    =======================================
    I have some additional script for you to run, but want to see the results of above first.

    Are you noticing any improvement in the system? A lot of files and other entries have been removed. I will make suggestions to take some processes off of the Startup Menu when we finish.
     
  7. ubaldo2003

    ubaldo2003 TS Rookie Topic Starter Posts: 35

    Thank you for all your help. My computer is running a little better, but it's still slow. By the way, I installed Avira and I just got a message (Malware found) C:\system volume information\....\A0005276.exe

    attached please find the LOG you requested.

    SYSTEMLOOK

    SystemLook 04.09.10 by jpshortstuff
    Log created at 19:24 on 10/07/2011 by Compaq_Owner
    Administrator - Elevation successful

    ========== file ==========

    c:\windows\system32\msiexec.exe - File found and opened.
    MD5: F5F0146580E7023ADB963879840777F8
    Created at 12:00 on 04/08/2004
    Modified at 21:45 on 04/05/2005
    Size: 78848 bytes
    Attributes: --a----
    FileDescription: Windows® installer
    FileVersion: 3.1.4000.1823
    ProductVersion: 3.1.4000.1823
    OriginalFilename: msiexec.exe
    InternalName: msiexec
    ProductName: Windows Installer - Unicode
    CompanyName: Microsoft Corporation
    LegalCopyright: © Microsoft Corporation. All rights reserved.

    ========== file ==========

    c:\windows\system32\MsiExec.exe - File found and opened.
    MD5: F5F0146580E7023ADB963879840777F8
    Created at 12:00 on 04/08/2004
    Modified at 21:45 on 04/05/2005
    Size: 78848 bytes
    Attributes: --a----
    FileDescription: Windows® installer
    FileVersion: 3.1.4000.1823
    ProductVersion: 3.1.4000.1823
    OriginalFilename: msiexec.exe
    InternalName: msiexec
    ProductName: Windows Installer - Unicode
    CompanyName: Microsoft Corporation
    LegalCopyright: © Microsoft Corporation. All rights reserved.

    -= EOF =-
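    Bobbye's question is whether msiexec.exe and MsiExec.exe are two files, and the SystemLook report above answers it. As an added example (not from the thread or from SystemLook), here is a Python script that parses that report layout and applies the same reasoning a helper does by hand: paths that differ only in case name one file on NTFS, so matching MD5 and size mean one object reported twice, while a same-named file in another directory or with a different hash is what would deserve a closer look. The msiexec values are copied from the posted log; SUSPECT_LOG, its second path and its hash are constructed for illustration.

```python
"""Added example: parse SystemLook ':file' output and decide whether two
differently-capitalized paths are one file or two. Not code from the thread
or from SystemLook; the report layout is assumed to be the one quoted above
("<path> - File found and opened." followed by "Key: value" lines).
"""
import re
from typing import Dict, List

# Constructed sample in SystemLook's layout; msiexec values copied from the thread.
SAMPLE_LOG = r"""SystemLook 04.09.10 by jpshortstuff
Log created at 19:24 on 10/07/2011 by Compaq_Owner
Administrator - Elevation successful

========== file ==========

c:\windows\system32\msiexec.exe - File found and opened.
MD5: F5F0146580E7023ADB963879840777F8
Created at 12:00 on 04/08/2004
Modified at 21:45 on 04/05/2005
Size: 78848 bytes
Attributes: --a----
CompanyName: Microsoft Corporation

========== file ==========

c:\windows\system32\MsiExec.exe - File found and opened.
MD5: F5F0146580E7023ADB963879840777F8
Created at 12:00 on 04/08/2004
Modified at 21:45 on 04/05/2005
Size: 78848 bytes
Attributes: --a----
CompanyName: Microsoft Corporation

-= EOF =-
"""

# Constructed sample of the case the helper was worried about: a second
# "msiexec.exe" in a different directory with a different hash (made-up values).
SUSPECT_LOG = r"""========== file ==========

c:\windows\system32\msiexec.exe - File found and opened.
MD5: F5F0146580E7023ADB963879840777F8
Size: 78848 bytes

========== file ==========

c:\windows\MsiExec.exe - File found and opened.
MD5: 00000000000000000000000000000000
Size: 40960 bytes
"""

HEADER_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) - File (?P<status>found and opened|not found)\.?$"
)


def parse_systemlook(text: str) -> List[Dict[str, str]]:
    """Return one dict per ':file' report, keyed by the field names SystemLook prints."""
    entries: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {"path": m.group("path"), "status": m.group("status")}
            entries.append(current)
            continue
        # Skip banner lines before the first report, separators and the EOF marker.
        if current is None or not line or line.startswith(("=", "-=")):
            continue
        if line.startswith(("Created at ", "Modified at ")):
            key, value = line.split(" at ", 1)  # key becomes "Created"/"Modified"
            current[key] = value
        elif ": " in line:
            key, value = line.split(": ", 1)
            current[key] = value
    return entries


def group_by_folded_path(entries: List[Dict[str, str]]) -> Dict[str, List[Dict[str, str]]]:
    """NTFS is case-insensitive, so paths differing only in case name the same file."""
    groups: Dict[str, List[Dict[str, str]]] = {}
    for entry in entries:
        groups.setdefault(entry["path"].lower(), []).append(entry)
    return groups


def assess(text: str) -> Dict[str, List[str]]:
    """Classify the reports: 'one_file' = same object listed under two spellings
    with identical MD5/size; 'hash_mismatch' = same folded path but differing
    MD5/size (unexpected, worth a second scan); 'distinct_names' = the same
    file name present in more than one directory, the pattern to escalate."""
    groups = group_by_folded_path(parse_systemlook(text))
    result: Dict[str, List[str]] = {"one_file": [], "hash_mismatch": [], "distinct_names": []}
    for folded, reports in groups.items():
        if len(reports) > 1:
            fingerprints = {(r.get("MD5"), r.get("Size")) for r in reports}
            (result["one_file"] if len(fingerprints) == 1 else result["hash_mismatch"]).append(folded)
    by_name: Dict[str, List[str]] = {}
    for folded in groups:
        by_name.setdefault(folded.rsplit("\\", 1)[-1], []).append(folded)
    result["distinct_names"] = [name for name, paths in by_name.items() if len(paths) > 1]
    return result


if __name__ == "__main__":
    print(assess(SAMPLE_LOG))
    print(assess(SUSPECT_LOG))
```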
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Not to worry! This is a restore point. It is not active in the system. Unfortunately, AV programs on systems don't know the difference in location! You might also see an entry in the Qoobox. This is where Combofix puts the quarantined files. Also no longer active, also dropped when Combofix is uninstalled, but also may show in system AV scan.

    You know what they say>>> "Location, location, location!"
    =====================================================
    About the 'Worm': according to System Look, you have 2 valid processes for the Windows Installer running. I am not comfortable with this in view of the type of malware that was on the system. Please do this for me:

    Reboot the computer first> then Right click on the Taskbar> Task Manager> Processes tab> see if either or both of these processes are running> note the 2 different spellings:
    msiexec.exe
    MsiExec.exe


    If they are, please note the CPU usage for each and the memory being used for each. Let me know this, taking care to match up the spellings/CPU/Memory figures.
    ========================================
    I'd like you to run the following please:
    Download PeperFix and save it to the desktop:
    • Double-click on peperfix.exe to run it. Follow any online prompts, if any are given.
    • Reboot and do the same process again.
    ===========================================
    Then download HijackThis and save it to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
    ============================================
    You do not need to do this now- best we finish the cleaning first. But it should help the 'slow' problem.
    These are starting on boot, then running in the background. Neither needs to start on boot. The program can be accessed anytime through All Programs.

    To remove entries from the Startup Menu using the msconfig utility:
    • Click on Start> Run> type in msconfig> enter>
    • Click on Selective Startup
    • Choose the Startup tab:
      All images courtesy NetSquirrel
    • To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
    • Uncheck any processes you do not need to start on boot.
      ◦ HPWUCli.exe
      ◦ All Kodak Easyshare processes, including update
      ◦ LSSrvc.exe
      ◦ iTunes.exe
      ◦ PSIService.exe
    • Click on Apply> OK when finished.
    NOTE:
    When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.' Remain in Selective Startup to retain those changes.
     
  9. ubaldo2003

    ubaldo2003 TS Rookie Topic Starter Posts: 35

    Good Afternoon,

    I checked the processes and none of the MsiExec.exe are running.

    I ran PeperFix and no Peper files were found.

    This is the Hijack LOG

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 12:38:01 PM, on 7/11/2011
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\QuickTime\bak\QTTask.exe
    C:\Program Files\Microsoft Works\WksSb.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
    C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
    C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nlssrv32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HijackThis.exe
    C:\HiJackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
    O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Personal Coach.lnk = ?
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
    O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\nlssrv32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

    --
    End of file - 8610 bytes
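A first pass over a HijackThis log like the one above is usually done by eye; the same checks can be run as code. The block below is an added example, not part of the original thread or of HijackThis itself. The sample lines are constructed in HijackThis 2.0.4 format, modelled on the log above; the list of "unusual" directories and the wording of each finding are my own heuristics, not anything HijackThis reports.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis 2.0.4 format, modelled on the log above
# (a handful of entries, not the full log).
SAMPLE_LOG = "\n".join([
    r'O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)',
    r'O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\QTTask.exe" -atboottime',
    r'O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - Global Startup: McAfee Security Scan Plus.lnk = ?',
    r'O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab',
    r'O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe',
    r'O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe',
])

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
# A Windows path up to the first binary extension (paths in these logs contain spaces).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|sys|cpl)\b', re.IGNORECASE)
# An O4 Run value whose command is a bare file name rather than a full path.
BARE_EXE_RE = re.compile(r'\[[^\]]+\]\s+"?(?P<name>[\w.-]+\.exe)"?', re.IGNORECASE)
# Heuristic (assumption): directories a logon-time program would not normally run from.
UNUSUAL_DIRS = {"temp": "\\temp\\", "bak": "\\bak\\", "application data": "\\application data\\"}


@dataclass
class Finding:
    line: int
    code: str
    reason: str


def triage(log_text: str) -> list:
    """Return the entries of a HijackThis log that deserve a second look."""
    findings = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, body = m["code"], m["body"]
        low = body.lower()
        paths = PATH_RE.findall(body)
        if "(file missing)" in low:
            findings.append(Finding(n, code, "target file missing: stale entry, or a file already removed"))
        if code == "O4":
            bare = BARE_EXE_RE.search(body)
            if bare and not paths:
                findings.append(Finding(n, code, f"bare name {bare['name']!r}: resolved through the search path at logon, so a same-named file earlier in that path runs instead"))
            if body.rstrip().endswith("= ?"):
                findings.append(Finding(n, code, "startup shortcut whose target HijackThis could not resolve"))
        for p in paths:
            for label, fragment in UNUSUAL_DIRS.items():
                if fragment in p.lower():
                    findings.append(Finding(n, code, f"runs from an unusual directory ({label}): {p}"))
        if code == "O16" and "http://" in low:
            findings.append(Finding(n, code, "ActiveX control fetched over plain HTTP: no transport integrity for downloaded code"))
        if code == "O23" and "unknown owner" in low:
            findings.append(Finding(n, code, "service with no vendor string: check the binary's signature and hash"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line:>3} {f.code:<4} {f.reason}")
```

Every hit is a prompt to look at the file (publisher, signature, hash), not a verdict: the QuickTime entry under `\bak\` and the "Unknown owner" licensing service are both legitimate in this thread, and the helper's later CFScript copies QTTask.exe back to its normal location rather than deleting it.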
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Let's talk about the antivirus programs:

    1. First, there was no antivirus program on the system. So I recommended you install either Avira or Avast NOW.
    2. Then I see 2011-07-08 23:36 -------- d-----w- c:\program files\McAfee Security Scan in the Combofix log after you ran the first script.
    3. Several replies later, on approximately 7/10, you tell me "and by the way i installed avira".
    4. Then I see a Service for McAfee with an earlier install date: McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    =========================================
    My 'guess' is that McAfee was already on the system but inactive, possibly because the subscription hadn't been renewed.

    The bottom line is that you should have only one, functioning, updated antivirus program on the system.

    Which will it be? Uninstall what you're not using/keeping. Reboot the computer when through.
    ==================================================
    Edit: Please run this after you get the AV cleared up:
    Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
      [3]. Open Notepad > click on Format > uncheck 'Word Wrap' > and copy/paste the text in the code box below into it:
    Code:
    
    FCopy::
    c:\program files\QuickTime\QTTask.exe | c:\program files\QuickTime\bak\QTTask.exe
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
    ====================
     
  11. ubaldo2003

    ubaldo2003 TS Rookie Topic Starter Posts: 35

    OK, I deleted McAfee.

    Here's the ComboFix log.

    ComboFix 11-07-12.07 - Compaq_Owner 07/12/2011 11:37:46.3.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.958.492 [GMT -7:00]
    Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.exe
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    --------------- FCopy ---------------
    .
    c:\program files\QuickTime\QTTask.exe --> c:\program files\QuickTime\bak\QTTask.exe
    .
    ((((((((((((((((((((((((( Files Created from 2011-06-12 to 2011-07-12 )))))))))))))))))))))))))))))))
    .
    .
    2011-07-12 02:36 . 2011-07-12 02:36 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
    2011-07-12 02:33 . 2011-07-12 02:33 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2011-07-11 19:36 . 2011-07-11 19:37 -------- d-----w- C:\HiJackthis
    2011-07-11 06:00 . 2011-07-11 06:00 -------- d-----w- c:\windows\Sun
    2011-07-11 02:29 . 2011-07-11 02:29 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Avira
    2011-07-09 19:17 . 2011-07-09 19:23 -------- d-----w- c:\windows\system32\CatRoot_bak
    2011-07-09 17:23 . 2011-07-09 17:23 -------- d-----w- c:\program files\MSXML 4.0
    2011-07-09 02:13 . 2011-07-09 02:14 -------- d-----w- c:\windows\system32\NtmsData
    2011-07-09 02:02 . 2011-07-10 22:41 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-07-09 02:02 . 2011-07-10 22:41 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-07-09 02:02 . 2010-06-17 22:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2011-07-09 02:02 . 2010-06-17 22:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2011-07-09 02:02 . 2011-07-09 02:02 -------- d-----w- c:\program files\Avira
    2011-07-09 02:02 . 2011-07-09 02:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-07-08 23:36 . 2011-07-08 23:36 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-07-08 23:35 . 2011-07-08 23:35 -------- d-----w- c:\program files\NOS
    2011-07-08 23:18 . 2011-07-08 23:18 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-07-08 23:16 . 2011-07-08 23:39 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2011-07-07 22:39 . 2011-07-07 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2011-07-07 19:43 . 2011-07-07 19:43 -------- d-----w- c:\program files\ESET
    2011-07-07 18:38 . 2011-07-07 18:38 -------- d-----w- c:\windows\ServicePackFiles
    2011-07-07 05:09 . 2011-07-07 05:09 -------- d-----w- c:\program files\CCleaner
    2011-07-07 04:48 . 2011-07-07 04:48 388096 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-07-07 04:48 . 2011-07-07 04:48 -------- d-----w- c:\program files\Trend Micro
    2011-07-07 04:48 . 2011-07-07 04:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
    2011-07-07 04:44 . 2011-07-07 04:44 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2011-07-07 04:43 . 2011-07-07 04:43 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
    2011-07-07 03:12 . 2011-07-07 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Alien Skin
    2011-07-07 03:12 . 2011-07-07 03:12 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Alien Skin
    2011-07-07 03:10 . 2011-07-07 03:10 -------- d-----w- c:\program files\Alien Skin
    2011-07-07 01:35 . 2011-07-07 01:35 -------- d-----w- c:\program files\AOL Games
    2011-07-06 23:41 . 2011-07-06 23:41 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-07-06 23:41 . 2011-07-06 23:41 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-07-06 19:39 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
    2011-07-06 19:39 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\dllcache\bthport.sys
    2011-07-06 19:37 . 2010-05-06 10:41 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
    2011-07-06 19:37 . 2010-05-06 10:41 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
    2011-07-06 19:37 . 2010-05-06 10:41 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
    2011-07-06 19:37 . 2010-05-06 10:41 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
    2011-07-06 19:37 . 2010-05-06 10:41 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
    2011-07-06 19:37 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
    2011-07-06 19:37 . 2010-05-06 10:41 11076096 ------w- c:\windows\system32\dllcache\ieframe.dll
    2011-07-06 04:43 . 2011-07-06 04:43 -------- d-sh--w- c:\documents and settings\Compaq_Owner\IECompatCache
    2011-07-06 04:42 . 2011-07-06 04:42 -------- d-sh--w- c:\documents and settings\Compaq_Owner\PrivacIE
    2011-07-06 04:42 . 2011-07-06 04:42 -------- d-sh--w- c:\documents and settings\Compaq_Owner\IETldCache
    2011-07-06 04:40 . 2011-07-06 04:40 -------- dc-h--w- c:\windows\ie8
    2011-07-06 01:59 . 2011-07-06 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Cisco Systems
    2011-06-24 02:04 . 2011-06-24 02:04 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Alien Skin
    2011-06-24 01:47 . 2009-12-09 21:22 57344 ----a-w- c:\windows\system32\nlssrv32.exe
    2011-06-23 22:55 . 2011-07-08 23:18 -------- d-----w- c:\documents and settings\Administrator
    2011-06-23 22:32 . 2011-06-23 22:32 1409 ----a-w- c:\windows\QTFont.for
    2011-06-23 22:32 . 2011-07-12 02:48 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Corel
    2011-06-23 22:31 . 2011-06-23 22:31 88 --sh--r- c:\windows\system32\DB8EA18C15.sys
    2011-06-23 22:31 . 2011-07-12 02:48 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2011-06-23 22:31 . 2011-06-23 22:31 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Corel
    2011-06-23 22:31 . 2011-06-23 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
    2011-06-23 22:27 . 2011-06-23 22:29 -------- d-----w- c:\program files\Common Files\Corel
    2011-06-23 21:04 . 2011-06-23 21:04 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
    2011-06-23 21:04 . 2011-05-29 16:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-23 21:04 . 2011-06-23 21:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-06-23 21:04 . 2011-07-06 04:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-06-23 21:04 . 2011-05-29 16:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-23 20:59 . 2011-06-23 22:27 -------- d-----w- c:\program files\Corel
    2011-06-23 20:59 . 2011-06-23 20:59 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\InstallShield
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-26 04:08 . 2005-12-21 21:17 3649 ----a-w- c:\windows\viassary-hp.reg
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-07-07 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TkBellExe"="realsched.exe -osboot" [X]
    "QuickTime Task"="c:\program files\QuickTime\bak\QTTask.exe" [2007-10-06 27660]
    "Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
    "Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2004-06-24 729088]
    "Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-01 28739]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
    "Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-28 531272]
    .
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-21 27136]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2005-12-21 36903]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-8-1 65588]
    .
    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-21 27136]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
    backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Personal Coach.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Personal Coach.lnk
    backup=c:\windows\pss\Personal Coach.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^Compaq Organize.lnk]
    path=c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\Compaq Organize.lnk
    backup=c:\windows\pss\Compaq Organize.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
    2007-03-16 01:16 454784 ----a-w- c:\program files\Linksys EasyLink Advisor\Linksys EasyLink Advisor\LinksysAgent.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ccSetMgr"=2 (0x2)
    "ccPwdSvc"=3 (0x3)
    "ccProxy"=2 (0x2)
    "ccEvtMgr"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1139033798\\EE\\AOLServiceHost.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    .
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/8/2011 7:02 PM 136360]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/23/2011 2:04 PM 366640]
    R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\nlssrv32.exe [6/23/2011 6:47 PM 57344]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/23/2011 2:04 PM 22712]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/6/2011 9:43 PM 136176]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 5:00 AM 14336]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-07-07 04:43]
    .
    2011-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-07-07 04:43]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
    Trusted Zone: whataboutadog.com
    TCP: DhcpNameServer = 192.168.7.254
    DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} - hxxps://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-PCDrProfiler - (no file)
    HKLM-Run-HPBootOp - c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
    HKLM-Run-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
    MSConfigStartUp-HostManager - c:\program files\Common Files\AOL\1139033798\EE\AOLHostManager.exe
    MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-07-12 11:42
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(564)
    c:\windows\system32\Ati2evxx.dll
    .
    - - - - - - - > 'explorer.exe'(3904)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    Completion time: 2011-07-12 11:43:58
    ComboFix-quarantined-files.txt 2011-07-12 18:43
    ComboFix2.txt 2011-07-12 18:29
    ComboFix3.txt 2011-07-09 01:45
    ComboFix4.txt 2011-07-07 19:32
    .
    Pre-Run: 161,730,961,408 bytes free
    Post-Run: 161,719,103,488 bytes free
    .
    - - End Of File - - 0AB8F530476EC017716F3E86278A1EF9
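The "Files Created" section of a ComboFix log packs several useful signals into one line: the creation time, the last-write time, the size and an attribute column. The block below is an added example, not part of the original thread or of ComboFix. The sample lines are constructed in that format, modelled on the log above; the column layout (created . last-written size attributes path) and the meaning of the attribute letters (d=directory, c=compressed, s=system, h=hidden, a=archive, w/r=writable/read-only) are my reading of the log, stated here as assumptions. It also picks up the `"EnableFirewall"= 0` line from the "Reg Loading Points" section, which records that the Windows Firewall is off for the standard profile.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample in ComboFix "Files Created" format, modelled on the log above.
SAMPLE = "\n".join([
    r'2011-07-09 02:02 . 2011-07-10 22:41 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys',
    r'2011-07-06 19:39 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys',
    r'2011-07-06 04:40 . 2011-07-06 04:40 -------- dc-h--w- c:\windows\ie8',
    r'2011-06-23 22:31 . 2011-06-23 22:31 88 --sh--r- c:\windows\system32\DB8EA18C15.sys',
    r'2011-06-23 22:31 . 2011-07-12 02:48 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys',
    r'2011-06-23 21:04 . 2011-06-23 21:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes',
])
# Constructed fragment of the "Reg Loading Points" section.
SAMPLE_REG = "\n".join([
    r'[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]',
    r'"EnableFirewall"= 0 (0x0)',
])

# Column layout as read from the log (assumption): created . last-written size attrs path.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S{8}) (?P<path>.+)$"
)
FIREWALL_RE = re.compile(r'"EnableFirewall"\s*=\s*(\d+)')
TIME_FMT = "%Y-%m-%d %H:%M"


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]      # None where ComboFix prints dashes (directories)
    attrs: str
    path: str

    # Attribute letters by position, as read from the log (assumption):
    # d=directory, c=compressed, s=system, h=hidden, a=archive; w/r = writable/read-only.
    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def system(self) -> bool:
        return self.attrs[2] == "s"

    @property
    def hidden(self) -> bool:
        return self.attrs[3] == "h"

    @property
    def read_only(self) -> bool:
        return self.attrs[6] == "r"


def parse(text: str) -> List[Entry]:
    """Parse the 'Files Created' lines; anything that does not match the layout is skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(datetime.strptime(m["created"], TIME_FMT),
                             datetime.strptime(m["modified"], TIME_FMT),
                             size, m["attrs"], m["path"]))
    return entries


def review_items(entries: List[Entry], mtime_gap_days: int = 30) -> List[Tuple[str, str]]:
    """Entries worth a manual check; a hit is a prompt to hash and look up the file, not a verdict."""
    items = []
    for e in entries:
        if not e.is_dir and e.hidden and e.system and "\\windows\\system32\\" in e.path.lower():
            items.append((e.path, "hidden+system file under system32: licensing components and droppers both use this; verify the hash"))
        gap = (e.created - e.modified).days
        if gap > mtime_gap_days:
            items.append((e.path, f"last-write time predates creation by {gap} days: extracted from an installer/archive, or timestomped"))
    return items


def firewall_disabled(log_text: str) -> bool:
    """True when the log records EnableFirewall = 0 for the profile shown."""
    m = FIREWALL_RE.search(log_text)
    return m is not None and int(m.group(1)) == 0


if __name__ == "__main__":
    for path, why in review_items(parse(SAMPLE)):
        print(f"{path}\n    {why}")
    print("Windows Firewall disabled:", firewall_disabled(SAMPLE_REG))
```

The last-write-before-creation check fires on bthport.sys here, which is the benign case: a Microsoft file whose build timestamp was preserved when the service pack installer copied it in. The same pattern on a file with no known publisher is what makes it worth a closer look.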
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry for the delay; I've been swamped. Okay, let's see if this will rout the rest of the malware out:

    Download The Avenger and save to the desktop.
    • Double click on avenger.exe to run
    • Do not change any of the check box options.
    • Copy everything in the codebox below, and paste it into the Input script here window:
    Code:
    
    Folders to delete:
    c:\windows\system32\CatRoot_bak
    Files to delete:
    c:\windows\system32\DB8EA18C15.sys
    
    
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
    • Paste the Avenger log in your next post.

    .
     
  13. ubaldo2003

    ubaldo2003 TS Rookie Topic Starter Posts: 35

    Good Afternoon,

    After the computer rebooted, a "no disk" error window popped up:
    "exception Processing Message c0000013 Parameters 75b6bf9c 4 75b6bf9c 75b6bf9c"


    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!

    Folder "c:\windows\system32\CatRoot_bak" deleted successfully.
    File "c:\windows\system32\DB8EA18C15.sys" deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Looks like we got it! Please update and run a new scan with Combofix.
     
  15. ubaldo2003

    ubaldo2003 TS Rookie Topic Starter Posts: 35

    Thank you so much,

    ComboFix 11-07-15.02 - Compaq_Owner 07/15/2011 16:34:05.4.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.958.644 [GMT -7:00]
    Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
    c:\documents and settings\Compaq_Owner\Local Settings\temp\IadHide5.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-06-15 to 2011-07-15 )))))))))))))))))))))))))))))))
    .
    .
    2011-07-12 02:36 . 2011-07-12 02:36 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
    2011-07-12 02:33 . 2011-07-12 02:33 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2011-07-11 19:36 . 2011-07-11 19:37 -------- d-----w- C:\HiJackthis
    2011-07-11 06:00 . 2011-07-11 06:00 -------- d-----w- c:\windows\Sun
    2011-07-11 02:29 . 2011-07-11 02:29 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Avira
    2011-07-09 17:23 . 2011-07-09 17:23 -------- d-----w- c:\program files\MSXML 4.0
    2011-07-09 02:13 . 2011-07-13 20:07 -------- d-----w- c:\windows\system32\NtmsData
    2011-07-09 02:02 . 2011-07-10 22:41 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-07-09 02:02 . 2011-07-10 22:41 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-07-09 02:02 . 2010-06-17 22:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2011-07-09 02:02 . 2010-06-17 22:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2011-07-09 02:02 . 2011-07-09 02:02 -------- d-----w- c:\program files\Avira
    2011-07-09 02:02 . 2011-07-09 02:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-07-08 23:36 . 2011-07-08 23:36 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-07-08 23:35 . 2011-07-08 23:35 -------- d-----w- c:\program files\NOS
    2011-07-08 23:18 . 2011-07-08 23:18 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-07-08 23:16 . 2011-07-08 23:39 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2011-07-07 22:39 . 2011-07-07 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2011-07-07 19:43 . 2011-07-07 19:43 -------- d-----w- c:\program files\ESET
    2011-07-07 18:38 . 2011-07-07 18:38 -------- d-----w- c:\windows\ServicePackFiles
    2011-07-07 05:09 . 2011-07-07 05:09 -------- d-----w- c:\program files\CCleaner
    2011-07-07 04:48 . 2011-07-07 04:48 388096 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-07-07 04:48 . 2011-07-07 04:48 -------- d-----w- c:\program files\Trend Micro
    2011-07-07 04:48 . 2011-07-07 04:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
    2011-07-07 04:44 . 2011-07-07 04:44 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2011-07-07 04:43 . 2011-07-07 04:43 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
    2011-07-07 03:12 . 2011-07-07 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Alien Skin
    2011-07-07 03:12 . 2011-07-07 03:12 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Alien Skin
    2011-07-07 03:10 . 2011-07-07 03:10 -------- d-----w- c:\program files\Alien Skin
    2011-07-07 01:35 . 2011-07-07 01:35 -------- d-----w- c:\program files\AOL Games
    2011-07-06 23:41 . 2011-07-06 23:41 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-07-06 23:41 . 2011-07-06 23:41 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-07-06 19:39 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
    2011-07-06 19:39 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\dllcache\bthport.sys
    2011-07-06 19:37 . 2010-05-06 10:41 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
    2011-07-06 19:37 . 2010-05-06 10:41 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
    2011-07-06 19:37 . 2010-05-06 10:41 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
    2011-07-06 19:37 . 2010-05-06 10:41 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
    2011-07-06 19:37 . 2010-05-06 10:41 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
    2011-07-06 19:37 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
    2011-07-06 19:37 . 2010-05-06 10:41 11076096 ------w- c:\windows\system32\dllcache\ieframe.dll
    2011-07-06 04:43 . 2011-07-06 04:43 -------- d-sh--w- c:\documents and settings\Compaq_Owner\IECompatCache
    2011-07-06 04:42 . 2011-07-06 04:42 -------- d-sh--w- c:\documents and settings\Compaq_Owner\PrivacIE
    2011-07-06 04:42 . 2011-07-06 04:42 -------- d-sh--w- c:\documents and settings\Compaq_Owner\IETldCache
    2011-07-06 04:40 . 2011-07-06 04:40 -------- dc-h--w- c:\windows\ie8
    2011-07-06 01:59 . 2011-07-06 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Cisco Systems
    2011-06-24 02:04 . 2011-06-24 02:04 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Alien Skin
    2011-06-24 01:47 . 2009-12-09 21:22 57344 ----a-w- c:\windows\system32\nlssrv32.exe
    2011-06-23 22:55 . 2011-07-08 23:18 -------- d-----w- c:\documents and settings\Administrator
    2011-06-23 22:32 . 2011-06-23 22:32 1409 ----a-w- c:\windows\QTFont.for
    2011-06-23 22:32 . 2011-07-14 21:32 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Corel
    2011-06-23 22:31 . 2011-07-14 21:32 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2011-06-23 22:31 . 2011-06-23 22:31 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Corel
    2011-06-23 22:31 . 2011-06-23 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
    2011-06-23 22:27 . 2011-06-23 22:29 -------- d-----w- c:\program files\Common Files\Corel
    2011-06-23 21:04 . 2011-06-23 21:04 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
    2011-06-23 21:04 . 2011-05-29 16:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-23 21:04 . 2011-06-23 21:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-06-23 21:04 . 2011-07-06 04:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-06-23 21:04 . 2011-05-29 16:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-23 20:59 . 2011-06-23 22:27 -------- d-----w- c:\program files\Corel
    2011-06-23 20:59 . 2011-06-23 20:59 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\InstallShield
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-26 04:08 . 2005-12-21 21:17 3649 ----a-w- c:\windows\viassary-hp.reg
    .
    .
    ((((((((((((((((((((((((((((( SnapShot_2011-07-12_18.25.10 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-07-15 23:41 . 2011-07-15 23:41 16384 c:\windows\Temp\Perflib_Perfdata_4cc.dat
    - 2005-12-21 21:12 . 2010-12-19 02:09 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    + 2005-12-21 21:12 . 2011-07-12 21:12 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    - 2005-12-21 21:12 . 2010-12-19 02:09 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    + 2005-12-21 21:12 . 2011-07-12 21:12 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    - 2005-12-21 21:12 . 2010-12-19 02:09 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    + 2005-12-21 21:12 . 2011-07-12 21:12 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    + 2005-12-21 21:12 . 2011-07-12 21:12 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    - 2005-12-21 21:12 . 2010-12-19 02:09 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    + 2005-12-21 21:12 . 2011-07-12 21:12 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    - 2005-12-21 21:12 . 2010-12-19 02:09 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    + 2005-06-25 05:42 . 2011-07-14 19:34 191384 c:\windows\system32\FNTCACHE.DAT
    + 2005-12-21 21:12 . 2011-07-12 21:12 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    - 2005-12-21 21:12 . 2010-12-19 02:09 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    - 2005-12-21 21:12 . 2010-12-19 02:09 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    + 2005-12-21 21:12 . 2011-07-12 21:12 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    - 2005-12-21 21:12 . 2010-12-19 02:09 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
    + 2005-12-21 21:12 . 2011-07-12 21:12 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
    - 2005-12-21 21:12 . 2010-12-19 02:09 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
    + 2005-12-21 21:12 . 2011-07-12 21:12 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
    - 2005-12-21 21:12 . 2010-12-19 02:09 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
    + 2005-12-21 21:12 . 2011-07-12 21:12 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
    + 2009-05-07 20:50 . 2009-05-07 20:50 295792 c:\windows\Downloaded Program Files\Stproxy.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-07-07 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TkBellExe"="realsched.exe -osboot" [X]
    "Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
    "Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2004-06-24 729088]
    "Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-01 28739]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
    "Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-28 531272]
    .
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-21 27136]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2005-12-21 36903]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-8-1 65588]
    .
    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-21 27136]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
    backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Personal Coach.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Personal Coach.lnk
    backup=c:\windows\pss\Personal Coach.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^Compaq Organize.lnk]
    path=c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\Compaq Organize.lnk
    backup=c:\windows\pss\Compaq Organize.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
    2007-03-16 01:16 454784 ----a-w- c:\program files\Linksys EasyLink Advisor\Linksys EasyLink Advisor\LinksysAgent.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ccSetMgr"=2 (0x2)
    "ccPwdSvc"=3 (0x3)
    "ccProxy"=2 (0x2)
    "ccEvtMgr"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1139033798\\EE\\AOLServiceHost.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    .
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/8/2011 7:02 PM 136360]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/23/2011 2:04 PM 366640]
    R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\nlssrv32.exe [6/23/2011 6:47 PM 57344]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/23/2011 2:04 PM 22712]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/6/2011 9:43 PM 136176]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 5:00 AM 14336]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-07-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-07-07 04:43]
    .
    2011-07-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-07-07 04:43]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
    Trusted Zone: doginhispen.com
    Trusted Zone: whataboutadog.com
    TCP: DhcpNameServer = 192.168.7.254
    DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} - hxxps://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-07-15 16:42
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(564)
    c:\windows\system32\Ati2evxx.dll
    .
    - - - - - - - > 'explorer.exe'(3148)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\program files\Microsoft Office\OFFICE11\msohev.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\windows\system32\HPZipm12.exe
    c:\windows\system32\PSIService.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2011-07-15 16:45:48 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-07-15 23:45
    ComboFix2.txt 2011-07-12 18:43
    ComboFix3.txt 2011-07-12 18:29
    ComboFix4.txt 2011-07-09 01:45
    ComboFix5.txt 2011-07-15 23:33
    .
    Pre-Run: 161,526,546,432 bytes free
    Post-Run: 161,563,287,552 bytes free
    .
    - - End Of File - - 64EAFF7B111BF7198C9ADD424A91BC35
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Well, I was wrong! It's still hiding:
    Trusted Zone: doginhispen.com
    Trusted Zone: whataboutadog.com


    Or one other possibility: You may have a flash drive infection that has reinfected the system. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.

    Please disinfect all movable drives
    1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
    3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    4. Wait until it has finished scanning and then exit the program.
    5. Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    =================
    Your system is infected with a trojan called Downloader.Agent.awf. It replaces legitimate files that are common on most computers with an infected file. Then, it moves the legitimate files to a bak or backup folder. It appears that there are more files, hiding:

    Running FindAWF allows us to identify the files that are infected, as well as the backups and then restore the files.

    STEP1:
    Please download FindAWF to your Desktop.
    • Double-click FindAWF.exe to start the tool.
    • Select "option #1 - Scan for bak folders" by typing 1 and press Enter
    • When the tool has completed, a report will open up in notepad. Copy & paste results into next reply
     
  17. ubaldo2003

    ubaldo2003 TS Rookie Topic Starter Posts: 35

    Good Afternoon,

    I ran the flash drive disinfector, but I checked the drives under the hidden folders and there is no autorun.inf file.


    Find AWF report by noahdfear ©2006
    Version 1.40

    The current date is: Sun 07/17/2011
    The current time is: 15:21:45.96


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\PROGRA~1\QUICKT~1\BAK

    0 File(s) 0 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    08/04/2004 05:00 AM 15,360 ctfmon.exe
    1 File(s) 15,360 bytes

    Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\121128~1.546\BAK

    10/02/2007 08:21 PM 171,448 GoogleToolbarNotifier.exe
    1 File(s) 171,448 bytes

    Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\QUICKT~1\BAK

    10/05/2007 06:05 PM 27,660 QTTask.exe.vir
    1 File(s) 27,660 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
    15360 Aug 4 2004 "C:\WINDOWS\ERDNT\cache\ctfmon.exe"
    15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
    15360 Apr 13 2008 "C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ctfmon.exe"
    39408 Jul 6 2011 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    307376 Jul 6 2011 "C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe"
    136176 Jul 6 2011 "C:\Program Files\Google\Update\GoogleUpdate.exe"
    182768 Jul 6 2011 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
    136176 Jul 16 2011 "C:\Program Files\Google\Update\1.3.21.57\GoogleUpdate.exe"
    171448 Oct 2 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"
    589464 May 18 2011 "C:\Program Files\Google\Update\Download\{E0D32F70-31E6-4502-B1CB-909314E7E71B}\GoogleUpdateSetup.exe"
    141464 Jun 14 2011 "C:\Program Files\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.21.61\GoogleUpdateB4451148.exe"
    27660 Oct 5 2007 "C:\Qoobox\Quarantine\C\Program Files\QuickTime\bak\QTTask.exe.vir"


    end of report
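    As an added example (not FindAWF's code, and not from anyone in this thread), here is a Python re-implementation of the "option 1" check Bobbye describes: walk a tree for folders named bak, pair each backed-up file with the live file beside that folder and with any other same-named copy, and compare size and SHA-256, so a same-size/different-bytes pair stands out from a mere version difference. The tree it scans is constructed in build_sample_tree() to mirror the layout in the report above (system32\bak\ctfmon.exe, the versioned GoogleToolbarNotifier bak folder, the empty QuickTime bak folder); the file contents are made-up bytes, not real executables.

```python
"""Added example: re-implementation of the FindAWF "option 1" check.

Downloader.Agent.awf, as described in this thread, swaps a legitimate
executable for an infected copy and parks the original in a sibling
folder named "bak". This walks a tree, finds every "bak" directory and
pairs each backed-up file with its live counterpart, comparing size and
SHA-256. The sample tree is constructed below; nothing here is FindAWF's code.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Optional


@dataclass
class BakFinding:
    bak_file: Path                 # backed-up (presumed legitimate) original
    live_file: Optional[Path]      # same name in the bak folder's parent, if present
    same_size: Optional[bool]      # None when there is no live counterpart
    same_hash: Optional[bool]
    other_copies: List[Path] = field(default_factory=list)  # same name elsewhere


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def index_by_name(root: Path) -> Dict[str, List[Path]]:
    """Lower-cased file name -> every path with that name (Windows names are case-insensitive)."""
    idx: Dict[str, List[Path]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            idx.setdefault(name.lower(), []).append(Path(dirpath) / name)
    return idx


def scan_bak_folders(root: Path) -> List[BakFinding]:
    """Equivalent of FindAWF option 1: list bak folder contents and their duplicates."""
    idx = index_by_name(root)
    findings: List[BakFinding] = []
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        if d.name.lower() != "bak":
            continue
        for name in files:
            bak, live = d / name, d.parent / name
            if live.is_file():
                same_size = bak.stat().st_size == live.stat().st_size
                same_hash = sha256_of(bak) == sha256_of(live)
            else:
                live, same_size, same_hash = None, None, None
            others = [p for p in idx.get(name.lower(), []) if p not in (bak, live)]
            findings.append(BakFinding(bak, live, same_size, same_hash, others))
    return sorted(findings, key=lambda f: str(f.bak_file))


def verdict(f: BakFinding) -> str:
    """Triage hint. A size difference alone is weak evidence: it may just be a newer build."""
    if f.live_file is None:
        return "no live file beside bak folder; check other_copies"
    if f.same_hash:
        return "live file identical to backup"
    if f.same_size:
        return "same size, different bytes: live file was replaced"
    return "live file differs from backup: verify publisher signature"


def _write(path: Path, data: bytes) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def build_sample_tree() -> Path:
    """Constructed layout mirroring the bak folders in the FindAWF report above."""
    root = Path(tempfile.mkdtemp(prefix="awf_demo_"))
    legit = b"legitimate ctfmon.exe image (constructed sample)"
    # Same length as the original, different bytes: the swap the trojan performs.
    swapped = b"dropper posing as ctfmon.exe (constructed)".ljust(len(legit), b"\0")
    _write(root / "WINDOWS/system32/bak/ctfmon.exe", legit)
    _write(root / "WINDOWS/system32/ctfmon.exe", swapped)
    _write(root / "WINDOWS/ERDNT/cache/ctfmon.exe", legit)  # untouched duplicate
    (root / "Program Files/QuickTime/bak").mkdir(parents=True)  # 0 File(s), as in the report
    gtn = root / "Program Files/Google/GoogleToolbarNotifier"
    _write(gtn / "1.2.1128.5462/bak/GoogleToolbarNotifier.exe", b"old notifier (constructed)")
    _write(gtn / "GoogleToolbarNotifier.exe", b"newer notifier build, different size (constructed)")
    return root


if __name__ == "__main__":
    for f in scan_bak_folders(build_sample_tree()):
        print(f"{f.bak_file}\n  live: {f.live_file}\n  {verdict(f)}")
        for p in f.other_copies:
            print(f"  also: {p}")
```

    Note that the notifier's bak folder sits one level below the live file, so the parent-directory pairing misses it and only the name index catches the copy; a real triage should check the publisher signature before trusting a size difference either way.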
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    FindAWF:

    STEP 2
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to "Press any key to continue".
    • You will be presented with a Menu.
    • Press 2 then Enter to restore files from bak folders
    • Press any key to continue.
    • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of files to be restored.
    • Right click below this line and select Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
    • The program will proceed to move the legit files and will perform another scan for .bak folder
    • It may take a few minutes to complete so be patient.
    • When it is complete, it will open a text file in notepad called AWF.txt.
    • Please copy and paste the contents of the AWF.txt file in your next reply.
     
  19. ubaldo2003

    ubaldo2003 TS Rookie Topic Starter Posts: 35

    Find AWF report by noahdfear ©2006
    Version 1.40
    Option 2 run successfully

    The current date is: Sun 07/17/2011
    The current time is: 19:14:53.12


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\PROGRA~1\QUICKT~1\BAK

    0 File(s) 0 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    08/04/2004 05:00 AM 15,360 ctfmon.exe
    1 File(s) 15,360 bytes

    Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\121128~1.546\BAK

    10/02/2007 08:21 PM 171,448 GoogleToolbarNotifier.exe
    1 File(s) 171,448 bytes

    Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\QUICKT~1\BAK

    10/05/2007 06:05 PM 27,660 QTTask.exe.vir
    1 File(s) 27,660 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
    15360 Aug 4 2004 "C:\WINDOWS\ERDNT\cache\ctfmon.exe"
    15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
    15360 Apr 13 2008 "C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ctfmon.exe"
    39408 Jul 6 2011 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    307376 Jul 6 2011 "C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe"
    136176 Jul 6 2011 "C:\Program Files\Google\Update\GoogleUpdate.exe"
    182768 Jul 6 2011 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
    136176 Jul 16 2011 "C:\Program Files\Google\Update\1.3.21.57\GoogleUpdate.exe"
    171448 Oct 2 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"
    589464 May 18 2011 "C:\Program Files\Google\Update\Download\{E0D32F70-31E6-4502-B1CB-909314E7E71B}\GoogleUpdateSetup.exe"
    141464 Jun 14 2011 "C:\Program Files\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.21.61\GoogleUpdateB4451148.exe"
    27660 Oct 5 2007 "C:\Qoobox\Quarantine\C\Program Files\QuickTime\bak\QTTask.exe.vir"


    end of report
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    STEP 3
    • In FindAWF, select option 3, by pressing 3 and then enter.
    • This will open the text file folders.txt
    • Copy and paste next list in it:
      Code:
      C:\WINDOWS\system32\bak\ctfmon.exe
      C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe
      C:\Program Files\QuickTime\bak\QTTask.exe.
      
      
    • Then close folders.txt and let it save the changes.
    • FindAWF will now remove the bak folders and open a log afterwards.
    • Copy and paste the contents of that log in your next reply
     
  21. ubaldo2003

    ubaldo2003 TS Rookie Topic Starter Posts: 35

    Good Morning,


    Find AWF report by noahdfear ©2006
    Version 1.40
    Option 3 run successfully

    The current date is: Mon 07/18/2011
    The current time is: 10:37:47.51


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\PROGRA~1\QUICKT~1\BAK

    0 File(s) 0 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    08/04/2004 05:00 AM 15,360 ctfmon.exe
    1 File(s) 15,360 bytes

    Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\121128~1.546\BAK

    10/02/2007 08:21 PM 171,448 GoogleToolbarNotifier.exe
    1 File(s) 171,448 bytes

    Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\QUICKT~1\BAK

    10/05/2007 06:05 PM 27,660 QTTask.exe.vir
    1 File(s) 27,660 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
    15360 Aug 4 2004 "C:\WINDOWS\ERDNT\cache\ctfmon.exe"
    15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
    15360 Apr 13 2008 "C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ctfmon.exe"
    39408 Jul 6 2011 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    307376 Jul 6 2011 "C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe"
    136176 Jul 6 2011 "C:\Program Files\Google\Update\GoogleUpdate.exe"
    182768 Jul 6 2011 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
    136176 Jul 16 2011 "C:\Program Files\Google\Update\1.3.21.57\GoogleUpdate.exe"
    171448 Oct 2 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"
    589464 May 18 2011 "C:\Program Files\Google\Update\Download\{E0D32F70-31E6-4502-B1CB-909314E7E71B}\GoogleUpdateSetup.exe"
    141464 Jun 14 2011 "C:\Program Files\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.21.61\GoogleUpdateB4451148.exe"
    27660 Oct 5 2007 "C:\Qoobox\Quarantine\C\Program Files\QuickTime\bak\QTTask.exe.vir"


    end of report
     
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to "Press any key to continue".
    • You will be presented with a Menu.
    • Press 4, then press Enter.
    • You will receive a warning to reset domain zones
    • Press 1 then press Enter.
    • If you have manually included sites in the trusted zones, these will need to be re-inserted.
    ===========================================
    Follow with Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
     
  23. ubaldo2003

    ubaldo2003 TS Rookie Topic Starter Posts: 35

    Good Afternoon,

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 1:08:47 PM, on 7/20/2011
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nlssrv32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Microsoft Works\WksSb.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
    O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\nlssrv32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

    --
    End of file - 8129 bytes
     
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    By George, I think we got it! No trusted site or bak file in view! Other than 'slow', how is the system doing?

    I'd be interested to know how much RAM is installed.
     
  25. ubaldo2003

    ubaldo2003 TS Rookie Topic Starter Posts: 35

    That's good news :)

    The system is fine, but like you said it's slow, and I disabled some programs from the startup menu.

    It's 2.9 GHz and 960 MB of RAM.
     
Topic Status:
Not open for further replies.
