Inactive IE error and computer running slow


ubaldo2003

Posts: 35   +0
Good Evening,

My browser has been encountering a problem: I try to open a new window and it closes. Plus my computer has been running super slow.

I believe I have malware.

Please, any advice. Thanks.

Attached please find the Malwarebytes log and HijackThis log.



MALWAREBYTES

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7038

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

7/6/2011 9:52:55 PM
mbam-log-2011-07-06 (21-52-55).txt

Scan type: Quick scan
Objects scanned: 183295
Time elapsed: 5 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


HIJACKTHIS

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:08:04 PM, on 7/6/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\QuickTime\bak\QTTask.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nlssrv32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\All Users\Application Data\Google\Google Toolbar\Update\gtbDB.tmp.exe
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\913QXZB3\ccsetup308[1].exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 213.203.216.114 marketsamurai.com
O1 - Hosts: 204.9.178.11 typepad.com
O1 - Hosts: 74.113.152.32 istockphoto.com
O1 - Hosts: 208.94.0.38 yfrog.com
O1 - Hosts: 63.309.5.102 virustotal.com
O1 - Hosts: 123.125.50.22 126.com
O1 - Hosts: 24.29.138.10 telegraph.co.uk
O1 - Hosts: 174.36.28.11 SlideShare.com
O1 - Hosts: 213.238.60.190 xing.com
O1 - Hosts: 59.106.98.139 seesaa.net
O1 - Hosts: 184.72.253.170 hootsuite.com
O1 - Hosts: 211.151.146.16 soku.com
O1 - Hosts: 74.208.73.101 qvc.com
O1 - Hosts: 67.221.174.30 tagged.com
O1 - Hosts: 72.32.120.222 metacafe.com
O1 - Hosts: 89.105.6.98 bitdefender.com
O1 - Hosts: 204.11.109.133 tribalfusion.com
O1 - Hosts: 207.154.14.31 tripadvisor.com
O1 - Hosts: 216.52.240.133 ustream.tv
O1 - Hosts: 174.36.244.132 linkwithin.com
O1 - Hosts: 80.82.137.230 thefreedictionary.com
O1 - Hosts: 121.67.203.61 scan.novirusthanks.org
O1 - Hosts: 209.172.34.139 imagevenue.com
O1 - Hosts: 91.206.232.220 booking.com
O1 - Hosts: 118.69.251.6 vnexpress.net
O1 - Hosts: 64.34.110.174 plentyoffish.com
O1 - Hosts: 140.211.166.21 drupal.org
O1 - Hosts: 103.67.101.13 trendmicro.com
O1 - Hosts: 208.85.40.80 pandora.com
O1 - Hosts: 194.116.241.57 softonic.com
O1 - Hosts: 208.83.243.15 match.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BHO Project - {70C6E9DE-F30E-4A40-8A6F-9572C2328320} - C:\Program Files\Object\bho_project.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\RunOnce: [Uninstall Adobe Download Manager] "C:\Program Files\NOS\bin\getPlusUninst_Adobe.exe" /Get1noarp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Personal Coach.lnk = ?
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\nlssrv32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 9849 bytes
 
Welcome to TechSpot! Normally I would start off by asking you to complete the steps in our preliminary removal thread, and I will do that. But I can see that your hosts file has been hijacked, so let's start with that first:

Please reopen HijackThis to 'Do a system scan only'. Check each of the following, if present:

O1 - Hosts: 204.9.178.11 typepad.com
O1 - Hosts: 74.113.152.32 istockphoto.com
O1 - Hosts: 208.94.0.38 yfrog.com
O1 - Hosts: 63.309.5.102 virustotal.com
O1 - Hosts: 123.125.50.22 126.com
O1 - Hosts: 24.29.138.10 telegraph.co.uk
O1 - Hosts: 174.36.28.11 SlideShare.com
O1 - Hosts: 213.238.60.190 xing.com
O1 - Hosts: 59.106.98.139 seesaa.net
O1 - Hosts: 184.72.253.170 hootsuite.com
O1 - Hosts: 211.151.146.16 soku.com
O1 - Hosts: 74.208.73.101 qvc.com
O1 - Hosts: 67.221.174.30 tagged.com
O1 - Hosts: 72.32.120.222 metacafe.com
O1 - Hosts: 89.105.6.98 bitdefender.com
O1 - Hosts: 204.11.109.133 tribalfusion.com
O1 - Hosts: 207.154.14.31 tripadvisor.com
O1 - Hosts: 216.52.240.133 ustream.tv
O1 - Hosts: 174.36.244.132 linkwithin.com
O1 - Hosts: 80.82.137.230 thefreedictionary.com
O1 - Hosts: 121.67.203.61 scan.novirusthanks.org
O1 - Hosts: 209.172.34.139 imagevenue.com
O1 - Hosts: 91.206.232.220 booking.com
O1 - Hosts: 118.69.251.6 vnexpress.net
O1 - Hosts: 64.34.110.174 plentyoffish.com
O1 - Hosts: 140.211.166.21 drupal.org
O1 - Hosts: 103.67.101.13 trendmicro.com
O1 - Hosts: 208.85.40.80 pandora.com
O1 - Hosts: 194.116.241.57 softonic.com
O1 - Hosts: 208.83.243.15 match.com
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com


Close all Windows except HijackThis and click on "Fix Checked."
===================================
Open Internet Options through Tools in IE or the Control Panel> select the Security tab> Restricted sites> Sites> type in the following and click on Add after each:
*.doginhispen.com
*.whataboutadog.com


When finished click on Apply> OK.

Reboot and rescan with HijackThis.
=================================================
  • Hold down Control and click on the following link to open ESET Online Scan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on the image link to download the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the ESET Smart Installer icon on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
========================================
Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan. Uninstall directions, if needed:
  • Click START> then RUN
  • Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or from http://www.forospyware.com/sUBs/ComboFix.exe and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue.
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow it
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated and it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.

Note 1: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.
=====================================================
Please include the logs for the HijackThis rescan, the Eset online AV scan and Combofix in your next reply.

My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.
If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
=====================================
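The hosts-file hijack visible in the HijackThis log above, and in the list of O1 entries the helper asks to fix, is a pattern a small script can flag automatically: security-vendor sites such as virustotal.com, bitdefender.com, trendmicro.com and scan.novirusthanks.org are pointed at external addresses so that cleanup tools cannot be reached, and one entry (63.309.5.102) is not even a valid IPv4 address. The following Python is an added example, not part of this thread and not code from HijackThis, ESET or ComboFix. It parses either raw hosts-file lines or HijackThis "O1 - Hosts:" lines and rates each mapping. The SECURITY_DOMAINS set, the severity labels and the SAMPLE input are constructed for the example (several SAMPLE entries are copied from the log above).

```python
"""Flag suspicious hosts-file mappings (raw hosts lines or HijackThis O1 lines)."""
import ipaddress
import re
from typing import NamedTuple, Optional

# Constructed list of remediation/security-vendor domains. A hosts entry that
# steers any of these away from their real address is a "block the cleanup
# tools" technique, so it is rated high regardless of the target address.
SECURITY_DOMAINS = frozenset({
    "virustotal.com", "bitdefender.com", "trendmicro.com",
    "scan.novirusthanks.org", "malwarebytes.org", "eset.com",
})

# Addresses conventionally used by legitimate ad/tracker blocklists.
SINKHOLE_IPS = frozenset({"127.0.0.1", "0.0.0.0", "::1"})

# Prefix of a HijackThis "O1 - Hosts:" line as shown in the logs.
O1_PREFIX = re.compile(r"^O1\s*-\s*Hosts:\s*")


class Finding(NamedTuple):
    ip: str
    host: str
    severity: str  # "high", "medium" or "info"
    reason: str


def _parent_domains(host: str):
    """Yield host and each parent domain: a.b.c.com -> a.b.c.com, b.c.com, c.com."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def classify(ip: str, host: str) -> Optional[Finding]:
    """Rate one ip/host mapping; None means the entry looks benign."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        # e.g. an octet above 255: unresolvable, but still evidence of tampering
        return Finding(ip, host, "medium", "malformed IP address in hosts entry")
    if host.lower() == "localhost" and addr.is_loopback:
        return None
    sec = next((d for d in _parent_domains(host) if d in SECURITY_DOMAINS), None)
    if ip in SINKHOLE_IPS:
        if sec:
            return Finding(ip, host, "high", f"security-vendor domain {sec} sinkholed (blocks remediation)")
        return Finding(ip, host, "info", "sinkholed to local address (blocklist-style entry)")
    if addr.is_private or addr.is_loopback:
        return Finding(ip, host, "info", "mapped to a private/loopback address")
    if sec:
        return Finding(ip, host, "high", f"security-vendor domain {sec} redirected to external address")
    return Finding(ip, host, "medium", "domain redirected to external address")


def parse_line(line: str):
    """Return (ip, [hosts]) for a hosts-file or O1 line, or None for comments/blank lines."""
    line = O1_PREFIX.sub("", line.strip())
    line = line.split("#", 1)[0].strip()  # drop trailing comments
    parts = line.split()
    if len(parts) < 2:
        return None
    return parts[0], parts[1:]


def scan_hosts(text: str):
    """Run classify() over every mapping in the text, preserving file order."""
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, hosts = parsed
        for host in hosts:
            finding = classify(ip, host)
            if finding is not None:
                findings.append(finding)
    return findings


def summary(findings):
    """Count findings per severity, e.g. {'high': 3, 'medium': 2, 'info': 2}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample: a few ordinary hosts entries plus lines taken from the log above.
SAMPLE = """\
# constructed hosts file for the example
127.0.0.1 localhost
0.0.0.0 ads.tracker.invalid
192.168.1.10 printer
127.0.0.1 malwarebytes.org
O1 - Hosts: 63.309.5.102 virustotal.com
O1 - Hosts: 89.105.6.98 bitdefender.com
O1 - Hosts: 204.9.178.11 typepad.com
121.67.203.61 scan.novirusthanks.org
"""

if __name__ == "__main__":
    for f in scan_hosts(SAMPLE):
        print(f"[{f.severity:6}] {f.ip:>15} {f.host:<26} {f.reason}")
    print(summary(scan_hosts(SAMPLE)))
```

On a live system the same function can be fed the contents of %SystemRoot%\system32\drivers\etc\hosts; any "high" finding is worth treating as an indicator of an active infection rather than a stale blocklist, because a machine that cannot reach its AV vendor's update and scanning sites is exactly what a remediation-blocking hijack aims to produce.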
 
Thank you for your assistance,

HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:52:29 PM, on 7/7/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\QuickTime\bak\QTTask.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\nlssrv32.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Personal Coach.lnk = ?
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\nlssrv32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 8119 bytes

ESET ONLINE SCAN

C:\Program Files\QuickTime\QTTask.exe a variant of Win32/Zonebac.AB trojan
C:\Qoobox\Quarantine\C\Program Files\Common Files\AOL\1139033798\EE\AOLHostManager.exe.vir a variant of Win32/Zonebac.AB trojan
C:\Qoobox\Quarantine\C\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe.vir a variant of Win32/Zonebac.AB trojan
C:\Qoobox\Quarantine\C\Program Files\HP\HP Software Update\HPWuSchd2.exe.vir a variant of Win32/Zonebac.AB trojan
C:\Qoobox\Quarantine\C\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\lsass.exe.vir Win32/AutoRun.KP worm
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP3\A0000453.exe a variant of Win32/Zonebac.AB trojan
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP4\A0001087.exe a variant of Win32/Zonebac.AB trojan
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP4\A0001088.exe a variant of Win32/Zonebac.AB trojan
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP4\A0001089.exe a variant of Win32/Zonebac.AB trojan
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP4\A0001091.exe Win32/AutoRun.KP worm
D:\I386\Apps\APP27596\src\CompaqPresario_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application
D:\I386\Apps\APP27596\src\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application


COMBOFIX SCAN

ComboFix 11-07-07.03 - Compaq_Owner 07/07/2011 12:23:39.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.958.564 [GMT -7:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
c:\documents and settings\Compaq_Owner\Application Data\Setup.exe
c:\documents and settings\Compaq_Owner\Local Settings\Temp\IadHide5.dll
c:\documents and settings\Compaq_Owner\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Guest\WINDOWS
c:\program files\Common Files\AOL\1139033798\EE\AOLHostManager.exe
c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
c:\program files\HP\HP Software Update\HPWuSchd2.exe
c:\program files\Object\bho_project.dll
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\lsass.exe
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\ps2.bat
D:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-06-07 to 2011-07-07 )))))))))))))))))))))))))))))))
.
.
2011-07-07 18:38 . 2011-07-07 18:38 -------- d-----w- c:\windows\ServicePackFiles
2011-07-07 18:37 . 2011-07-07 18:37 -------- d-----w- c:\program files\MSXML 4.0
2011-07-07 05:09 . 2011-07-07 05:09 -------- d-----w- c:\program files\CCleaner
2011-07-07 04:48 . 2011-07-07 04:48 388096 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-07 04:48 . 2011-07-07 04:48 -------- d-----w- c:\program files\Trend Micro
2011-07-07 04:48 . 2011-07-07 04:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-07-07 04:44 . 2011-07-07 04:44 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-07-07 04:43 . 2011-07-07 04:43 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-07-07 03:12 . 2011-07-07 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Alien Skin
2011-07-07 03:12 . 2011-07-07 03:12 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Alien Skin
2011-07-07 03:10 . 2011-07-07 03:10 -------- d-----w- c:\program files\Alien Skin
2011-07-07 01:35 . 2011-07-07 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2011-07-07 01:35 . 2011-07-07 01:35 -------- d-----w- c:\program files\AOL Games
2011-07-06 23:43 . 2011-07-07 00:18 -------- d-----w- c:\documents and settings\Compaq_Owner\.frostwire5
2011-07-06 23:41 . 2011-07-06 23:44 -------- d-----w- c:\program files\FrostWire 5
2011-07-06 23:41 . 2011-07-06 23:41 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-07-06 23:41 . 2011-07-06 23:41 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-06 22:55 . 2011-07-06 22:56 -------- d-----w- c:\program files\FrostWire
2011-07-06 22:55 . 2011-07-06 23:00 -------- d-----w- c:\program files\Common Files\FreeCause
2011-07-06 22:54 . 2011-07-07 19:27 -------- d-----w- c:\program files\Object
2011-07-06 19:39 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2011-07-06 19:39 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2011-07-06 19:37 . 2010-05-06 10:41 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2011-07-06 19:37 . 2010-05-06 10:41 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2011-07-06 19:37 . 2010-05-06 10:41 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-07-06 19:37 . 2010-05-06 10:41 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2011-07-06 19:37 . 2010-05-06 10:41 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2011-07-06 19:37 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2011-07-06 19:37 . 2010-05-06 10:41 11076096 ------w- c:\windows\system32\dllcache\ieframe.dll
2011-07-06 04:43 . 2011-07-06 04:43 -------- d-sh--w- c:\documents and settings\Compaq_Owner\IECompatCache
2011-07-06 04:42 . 2011-07-06 04:42 -------- d-sh--w- c:\documents and settings\Compaq_Owner\PrivacIE
2011-07-06 04:42 . 2011-07-06 04:42 -------- d-sh--w- c:\documents and settings\Compaq_Owner\IETldCache
2011-07-06 04:40 . 2011-07-06 04:40 -------- dc-h--w- c:\windows\ie8
2011-07-06 01:59 . 2011-07-06 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Cisco Systems
2011-06-24 02:04 . 2011-06-24 02:04 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Alien Skin
2011-06-24 01:47 . 2009-12-09 21:22 57344 ----a-w- c:\windows\system32\nlssrv32.exe
2011-06-23 22:55 . 2011-07-06 04:29 -------- d-----w- c:\documents and settings\Administrator
2011-06-23 22:32 . 2011-06-23 22:32 1409 ----a-w- c:\windows\QTFont.for
2011-06-23 22:32 . 2011-07-07 03:27 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Corel
2011-06-23 22:31 . 2011-06-23 22:31 88 --sh--r- c:\windows\system32\DB8EA18C15.sys
2011-06-23 22:31 . 2011-07-07 03:32 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
2011-06-23 22:31 . 2011-06-23 22:31 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Corel
2011-06-23 22:31 . 2011-06-23 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2011-06-23 22:27 . 2011-06-23 22:29 -------- d-----w- c:\program files\Common Files\Corel
2011-06-23 21:04 . 2011-06-23 21:04 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2011-06-23 21:04 . 2011-05-29 16:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-23 21:04 . 2011-06-23 21:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-23 21:04 . 2011-07-06 04:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-23 21:04 . 2011-05-29 16:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-23 20:59 . 2011-06-23 22:27 -------- d-----w- c:\program files\Corel
2011-06-23 20:59 . 2011-06-23 20:59 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\InstallShield
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-26 04:08 . 2005-12-21 21:17 3649 ----a-w- c:\windows\viassary-hp.reg
.
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2004-11-03 21:03 . 2004-11-03 21:03 125528 c:\program files\Common Files\AOL\1139033798\EE\bak\AOLHostManager.exe
.
2005-12-21 21:01 . 2005-12-21 21:01 180269 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
.
2005-03-04 16:40 . 2005-03-04 16:40 48752 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe
.
2004-11-03 07:59 . 2004-11-03 07:59 218240 c:\program files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe
.
2007-10-03 03:21 . 2007-10-03 03:21 171448 c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe
.
2005-12-21 21:36 . 2005-09-21 17:41 1605740 c:\program files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe
.
2005-05-12 06:12 . 2005-05-12 06:12 49152 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe
.
2007-06-29 13:24 . 2007-06-29 13:24 286720 c:\program files\QuickTime\bak\QTTask.exe
2007-06-29 13:24 . 2007-10-06 01:05 27660 c:\program files\QuickTime\QTTask.exe
.
2004-08-04 12:00 . 2004-08-04 12:00 15360 c:\windows\system32\bak\ctfmon.exe
2004-08-04 12:00 . 2004-08-04 12:00 15360 c:\windows\system32\ctfmon.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-07-07 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCDrProfiler"="" [N/A]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [N/A]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [N/A]
"QuickTime Task"="c:\program files\QuickTime\bak\QTTask.exe" [2007-06-29 286720]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [N/A]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2004-06-24 729088]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-01 28739]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-28 531272]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-21 27136]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2005-12-21 36903]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-8-1 65588]
Personal Coach.lnk - c:\program files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe [2007-2-13 2392064]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-21 27136]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^Compaq Organize.lnk]
path=c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\Compaq Organize.lnk
backup=c:\windows\pss\Compaq Organize.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
2007-03-16 01:16 454784 ----a-w- c:\program files\Linksys EasyLink Advisor\Linksys EasyLink Advisor\LinksysAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
c:\program files\Common Files\AOL\1139033798\EE\AOLHostManager.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1139033798\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\FrostWire 5\\FrostWire.exe"=
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/23/2011 2:04 PM 366640]
R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\nlssrv32.exe [6/23/2011 6:47 PM 57344]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/23/2011 2:04 PM 22712]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/6/2011 9:43 PM 136176]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-07 04:43]
.
2011-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-07 04:43]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
Trusted Zone: doginhispen.com
Trusted Zone: whataboutadog.com
TCP: DhcpNameServer = 192.168.7.254
DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} - hxxps://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
AddRemove-{3BA95526-6AE0-4B87-A62D-17187EF565FC} - c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-07 12:29
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(568)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2852)
c:\windows\system32\WININET.dll
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\program files\Broderbund\Mavis Beacon Teaches Typing 15\KeyHook.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PSIService.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-07-07 12:32:40 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-07 19:32
.
Pre-Run: 165,869,150,208 bytes free
Post-Run: 166,138,941,440 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - B385114A2190D2B93C4C588AD0E1A214
 
I don't see any antivirus program. The only security program I see is Malwarebytes. Please download, install and update one of the following free antivirus programs:
Avira-AntiVir-Personal-Free-Antivirus
Avast-Free Antivirus
==============================================
Goodness, it's been so long since I've seen this malware, it almost went right over my head! You've had this lingering on your system for quite a while. And you should know that it is most commonly spread with peer-to-peer sharing.

First, I want to advise you that the D:/Autorun.inf deletion in Combofix indicated you may be using an infected flash drive. Are you using a flash drive and is it Drive D? If this is a Yes/Yes, we need to disinfect the flash drive.
You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.

Please disinfect all movable drives
  1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
  3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  4. Wait until it has finished scanning and then exit the program.
  5. Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
=================
Please run this Custom CFScript:

  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open Notepad > click on Format > uncheck 'Word Wrap' > and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
FileLook::
c:\windows\system32\DB8EA18C15.sys
AWF::
c:\program files\Common Files\AOL\1139033798\EE\bak\AOLHostManager.exe
c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
c:\program files\Common Files\Symantec Shared\bak\ccApp.exe
c:\program files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe
c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe
c:\program files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe
c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe
Folder::
c:\documents and settings\All Users\Application Data\Trymedia
c:\program files\FrostWire 5
c:\documents and settings\Compaq_Owner\.frostwire5
c:\program files\FrostWire
c:\program files\Object
c:\program files\Common Files\FreeCause
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FrostWire 5\\FrostWire.exe"=-
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
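As an added example (not the helper's tool and not part of ComboFix), here is a small Python audit that reads the 'Reg Loading Points' section of a ComboFix log, flags the entries that weaken the machine's own defences (Security Center monitoring switched off, Windows Firewall disabled, firewall exceptions, IE Trusted Zone additions) and emits the matching `Registry::` block in CFScript syntax. The log excerpt inside it is constructed to mirror the lines posted in this thread; the function names are mine, and the only rule assumed is the REGEDIT4 convention, used in the CFScript above, that `"name"=-` deletes a value.

```python
"""Audit the 'Reg Loading Points' section of a ComboFix log for self-weakening settings.

Added example, not part of this thread or of ComboFix. Only the REGEDIT4 rule
that "name"=- deletes a value (the syntax the CFScript relies on) is assumed;
everything else is plain parsing of the log's own line formats.
"""
import re

# Constructed excerpt modelled on the registry section of the log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FrostWire 5\\FrostWire.exe"=
.
Trusted Zone: doginhispen.com
Trusted Zone: whataboutadog.com
"""

REG_KEY = re.compile(r'^\[(.+)\]$')            # [HKEY_...\key]
REG_VALUE = re.compile(r'^"([^"]+)"=(.*)$')     # "name"=value
TRUSTED = re.compile(r'^Trusted Zone:\s*(\S+)')  # IE Trusted Zone entry


def parse_log(text):
    """Return ([(key, name, value), ...], [trusted zone hosts]) from a ComboFix-style dump."""
    values, zones = [], []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = REG_KEY.match(line)
        if m:
            key = m.group(1)
            continue
        m = REG_VALUE.match(line)
        if m and key is not None:
            values.append((key, m.group(1), m.group(2).strip()))
            continue
        m = TRUSTED.match(line)
        if m:
            zones.append(m.group(1))
    return values, zones


def audit(text):
    """Summarise settings that weaken the host's own defences."""
    values, zones = parse_log(text)
    report = {"monitoring_disabled": [],   # full keys under security center\Monitoring
              "firewall_enabled": None,    # None if the log carried no EnableFirewall value
              "firewall_exceptions": [],   # (key, escaped program path) pairs to review
              "trusted_zones": zones}
    for key, name, value in values:
        k = key.lower()
        if (r"security center\monitoring" in k and name == "DisableMonitoring"
                and value.startswith("dword:00000001")):
            report["monitoring_disabled"].append(key)
        elif k.endswith(r"firewallpolicy\standardprofile") and name == "EnableFirewall":
            report["firewall_enabled"] = not value.startswith("0")
        elif k.endswith(r"authorizedapplications\list"):
            report["firewall_exceptions"].append((key, name))
    return report


def cfscript_registry_block(report, drop_exceptions=()):
    """Build a CFScript 'Registry::' block; "name"=- deletes that value (REGEDIT4 syntax)."""
    lines = ["Registry::"]
    for key in report["monitoring_disabled"]:
        lines += [f"[{key}]", '"DisableMonitoring"=-']
    wanted = {p.lower() for p in drop_exceptions}
    by_key = {}
    for key, name in report["firewall_exceptions"]:
        # the log stores backslashes doubled, REGEDIT4 style; compare the plain path
        if name.replace("\\\\", "\\").lower() in wanted:
            by_key.setdefault(key, []).append(name)
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines += [f'"{n}"=-' for n in names]
    return "\n".join(lines)


if __name__ == "__main__":
    rep = audit(SAMPLE_LOG)
    for key in rep["monitoring_disabled"]:
        print("Security Center monitoring disabled:", key.rsplit("\\", 1)[-1])
    print("Windows Firewall enabled:", rep["firewall_enabled"])
    for _, path in rep["firewall_exceptions"]:
        print("Firewall exception (review):", path.replace("\\\\", "\\"))
    for host in rep["trusted_zones"]:
        print("IE Trusted Zone entry (review):", host)
    print(cfscript_registry_block(rep, drop_exceptions=[r"c:\Program Files\FrostWire 5\FrostWire.exe"]))
```

The audit only reports the firewall exceptions and Trusted Zone hosts; which of them to remove is a judgement for the person reading the log, so the removal block is driven by the explicit `drop_exceptions` list rather than by a guess.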
 
Well, it seems like it's a really bad infection. This is my sister's computer and she hasn't had internet in a long, long time. I just moved in and I'm trying to make it run a little better, but it was too much for me. lol.


By the way, after my computer was rebooted the HP Product Assistant installation popped up, and I couldn't cancel it because it kept on popping up.

And about the flash drives: I checked the hidden files, and the only hidden folders on them are Spotlight-v-100 and .trashes, on both flash drives.

Attached, find the ComboFix log.

ComboFix 11-07-08.03 - Compaq_Owner 07/08/2011 18:35:53.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.958.533 [GMT -7:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\Trymedia
c:\documents and settings\All Users\Application Data\Trymedia\data\{8662CB1F-323F-DC2A-6A02-C624BCBB7D2B}
c:\documents and settings\All Users\Application Data\Trymedia\data\{8C4FB579-C531-1771-0F53-C9D7C1302799}
c:\documents and settings\All Users\Application Data\Trymedia\data\{CE511630-6E38-03E0-03FA-6571BCF7AB91}
c:\documents and settings\All Users\Application Data\Trymedia\data\{F89A6F8F-F534-FA16-3728-0DED374545D2}
c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
c:\documents and settings\Compaq_Owner\.frostwire5
c:\documents and settings\Compaq_Owner\.frostwire5\azureus.lock
c:\documents and settings\Compaq_Owner\.frostwire5\azureus\.certs
c:\documents and settings\Compaq_Owner\.frostwire5\azureus\.keystore
c:\documents and settings\Compaq_Owner\.frostwire5\azureus\active\2264FC15F0EFFA09D2D7F57C18C78A7CBDB072DC.dat
c:\documents and settings\Compaq_Owner\.frostwire5\azureus\active\2264FC15F0EFFA09D2D7F57C18C78A7CBDB072DC.dat.bak
c:\documents and settings\Compaq_Owner\.frostwire5\azureus\active\2264FC15F0EFFA09D2D7F57C18C78A7CBDB072DC\fmfile15.dat
c:\documents and settings\Compaq_Owner\.frostwire5\azureus\active\cache.dat
c:\documents and settings\Compaq_Owner\.frostwire5\azureus\active\F95ACCDF2178ABEF7FA31776787D8AA099C0955F.dat
c:\documents and settings\Compaq_Owner\.frostwire5\azureus\active\F95ACCDF2178ABEF7FA31776787D8AA099C0955F.dat.bak
c:\documents and settings\Compaq_Owner\.frostwire5\azureus\active\F95ACCDF2178ABEF7FA31776787D8AA099C0955F\fmfile0.dat
c:\documents and settings\Compaq_Owner\.frostwire5\azureus\active\F95ACCDF2178ABEF7FA31776787D8AA099C0955F\fmfile11.dat
c:\documents and settings\Compaq_Owner\.frostwire5\azureus\azureus.config
c:\documents and settings\Compaq_Owner\.frostwire5\azureus\azureus.config.bak
c:\documents and settings\Compaq_Owner\.frostwire5\azureus\azureus.statistics
c:\documents and settings\Compaq_Owner\.frostwire5\azureus\azureus.statistics.bak
c:\documents and settings\Compaq_Owner\.frostwire5\azureus\banips.config
c:\documents and settings\Compaq_Owner\.frostwire5\azureus\banips.config.bak
c:\documents and settings\Compaq_Owner\.frostwire5\azureus\dht\addresses.dat
c:\documents and settings\Compaq_Owner\.frostwire5\azureus\dht\contacts.dat
c:\documents and settings\Compaq_Owner\.frostwire5\azureus\dht\diverse.dat
c:\documents and settings\Compaq_Owner\.frostwire5\azureus\dht\general.dat
c:\documents and settings\Compaq_Owner\.frostwire5\azureus\dht\version.dat
c:\documents and settings\Compaq_Owner\.frostwire5\azureus\downloads.config
c:\documents and settings\Compaq_Owner\.frostwire5\azureus\downloads.config.bak
c:\documents and settings\Compaq_Owner\.frostwire5\azureus\ipfilter.cache
c:\documents and settings\Compaq_Owner\.frostwire5\azureus\logs\debug_1.log
c:\documents and settings\Compaq_Owner\.frostwire5\azureus\net\pm_7018.dat
c:\documents and settings\Compaq_Owner\.frostwire5\azureus\net\pm_default.dat
c:\documents and settings\Compaq_Owner\.frostwire5\azureus\tmp\AZU6922790059681001182.tmp
c:\documents and settings\Compaq_Owner\.frostwire5\azureus\tmp\AZU8990506365801027890.tmp
c:\documents and settings\Compaq_Owner\.frostwire5\frostwire.props
c:\documents and settings\Compaq_Owner\.frostwire5\image_cache\static.frostwire.com\images\overlays\a_lonely_place_for_dying_pt1.jpg
c:\documents and settings\Compaq_Owner\.frostwire5\image_cache\static.frostwire.com\images\overlays\a_lonely_place_for_dying_pt1_overlay.jpg
c:\documents and settings\Compaq_Owner\.frostwire5\image_cache\static.frostwire.com\images\overlays\frostclick_default_overlay.jpg
c:\documents and settings\Compaq_Owner\.frostwire5\image_cache\static.frostwire.com\images\overlays\fw5overlay.jpg
c:\documents and settings\Compaq_Owner\.frostwire5\image_cache\static.frostwire.com\images\overlays\kenton_dunson_overlay.jpg
c:\documents and settings\Compaq_Owner\.frostwire5\image_cache\static.frostwire.com\images\overlays\mouths_cradle_overlay.jpg
c:\documents and settings\Compaq_Owner\.frostwire5\image_cache\static.frostwire.com\images\overlays\sarah_fimm_overlay.jpg
c:\documents and settings\Compaq_Owner\.frostwire5\installation.props
c:\documents and settings\Compaq_Owner\.frostwire5\intent.props
c:\documents and settings\Compaq_Owner\.frostwire5\itunes.props
c:\documents and settings\Compaq_Owner\.frostwire5\itunes_import.js
c:\documents and settings\Compaq_Owner\.frostwire5\questions.props
c:\documents and settings\Compaq_Owner\.frostwire5\seenMessages.dat
c:\documents and settings\Compaq_Owner\.frostwire5\skins.dat
c:\documents and settings\Compaq_Owner\.frostwire5\tables.props
c:\documents and settings\Compaq_Owner\Application Data\Setup.exe
c:\documents and settings\Compaq_Owner\Local Settings\temp\IadHide5.dll
c:\documents and settings\Compaq_Owner\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Guest\WINDOWS
c:\program files\Common Files\AOL\1139033798\EE\AOLHostManager.exe
c:\program files\Common Files\FreeCause
c:\program files\FrostWire 5
c:\program files\FrostWire 5\commons-logging.jar
c:\program files\FrostWire 5\EULA.txt
c:\program files\FrostWire 5\FrostWire.exe
c:\program files\FrostWire 5\FrostWire.ico
c:\program files\FrostWire 5\FrostWire.jar
c:\program files\FrostWire 5\fwplayer.exe
c:\program files\FrostWire 5\gettext-commons.jar
c:\program files\FrostWire 5\GPL3.txt
c:\program files\FrostWire 5\gson-1.4.jar
c:\program files\FrostWire 5\httpclient-4.0.jar
c:\program files\FrostWire 5\httpcore-4.0.1.jar
c:\program files\FrostWire 5\launch.properties
c:\program files\FrostWire 5\lw-azureus.jar
c:\program files\FrostWire 5\lw-collection.jar
c:\program files\FrostWire 5\lw-common.jar
c:\program files\FrostWire 5\lw-io.jar
c:\program files\FrostWire 5\lw-resources.jar
c:\program files\FrostWire 5\lw-setting.jar
c:\program files\FrostWire 5\messages.jar
c:\program files\FrostWire 5\pmf.ico
c:\program files\FrostWire 5\runRelease.bat
c:\program files\FrostWire 5\splash.jar
c:\program files\FrostWire 5\substance.jar
c:\program files\FrostWire 5\SystemUtilities.dll
c:\program files\FrostWire 5\SystemUtilitiesA.dll
c:\program files\FrostWire 5\themes.jar
c:\program files\FrostWire 5\tray.dll
c:\program files\FrostWire 5\trident.jar
c:\program files\FrostWire 5\Uninstall.exe
c:\program files\FrostWire
c:\program files\FrostWire\App\AppInfo\appicon.ico
c:\program files\FrostWire\App\AppInfo\appinfo.ini
c:\program files\FrostWire\App\DefaultData\FrostWire\frostwire.props
c:\program files\FrostWire\App\DefaultData\FrostWire\installation.props
c:\program files\FrostWire\App\DefaultData\settings\FrostWirePortableSettings.ini
c:\program files\FrostWire\App\frostwire\aopalliance.jar
c:\program files\FrostWire\App\frostwire\clink.jar
c:\program files\FrostWire\App\frostwire\commons-codec-1.3.jar
c:\program files\FrostWire\App\frostwire\commons-logging.jar
c:\program files\FrostWire\App\frostwire\daap.jar
c:\program files\FrostWire\App\frostwire\EULA.txt
c:\program files\FrostWire\App\frostwire\forms.jar
c:\program files\FrostWire\App\frostwire\foxtrot.jar
c:\program files\FrostWire\App\frostwire\FrostWire.exe
c:\program files\FrostWire\App\frostwire\FrostWire.ico
c:\program files\FrostWire\App\frostwire\FrostWire.jar
c:\program files\FrostWire\App\frostwire\gettext-commons.jar
c:\program files\FrostWire\App\frostwire\GPL2.txt
c:\program files\FrostWire\App\frostwire\GPL3.txt
c:\program files\FrostWire\App\frostwire\gson-1.4.jar
c:\program files\FrostWire\App\frostwire\guice-1.0.jar
c:\program files\FrostWire\App\frostwire\hashes
c:\program files\FrostWire\App\frostwire\httpclient-4.0-alpha3.jar
c:\program files\FrostWire\App\frostwire\httpclient-4.0.jar
c:\program files\FrostWire\App\frostwire\httpcore-4.0-beta2.jar
c:\program files\FrostWire\App\frostwire\httpcore-4.0.1.jar
c:\program files\FrostWire\App\frostwire\httpcore-nio-4.0-beta2.jar
c:\program files\FrostWire\App\frostwire\httpcore-nio-4.0.1.jar
c:\program files\FrostWire\App\frostwire\httpcore-niossl-4.0-alpha7.jar
c:\program files\FrostWire\App\frostwire\icu4j.jar
c:\program files\FrostWire\App\frostwire\inspection.props
c:\program files\FrostWire\App\frostwire\jaudiotagger.jar
c:\program files\FrostWire\App\frostwire\jcip-annotations.jar
c:\program files\FrostWire\App\frostwire\jcraft.jar
c:\program files\FrostWire\App\frostwire\jdic.dll
c:\program files\FrostWire\App\frostwire\jdic.jar
c:\program files\FrostWire\App\frostwire\jdic_stub.jar
c:\program files\FrostWire\App\frostwire\jflac.jar
c:\program files\FrostWire\App\frostwire\jl.jar
c:\program files\FrostWire\App\frostwire\jmdns.jar
c:\program files\FrostWire\App\frostwire\jogg.jar
c:\program files\FrostWire\App\frostwire\jorbis.jar
c:\program files\FrostWire\App\frostwire\jython.jar
c:\program files\FrostWire\App\frostwire\launch.properties
c:\program files\FrostWire\App\frostwire\log.txt
c:\program files\FrostWire\App\frostwire\log4j.jar
c:\program files\FrostWire\App\frostwire\log4j.properties
c:\program files\FrostWire\App\frostwire\looks.jar
c:\program files\FrostWire\App\frostwire\lw-all.jar
c:\program files\FrostWire\App\frostwire\lw-azureus.jar
c:\program files\FrostWire\App\frostwire\lw-collection.jar
c:\program files\FrostWire\App\frostwire\lw-common.jar
c:\program files\FrostWire\App\frostwire\lw-http.jar
c:\program files\FrostWire\App\frostwire\lw-io.jar
c:\program files\FrostWire\App\frostwire\lw-mojito.jar
c:\program files\FrostWire\App\frostwire\lw-net.jar
c:\program files\FrostWire\App\frostwire\lw-nio.jar
c:\program files\FrostWire\App\frostwire\lw-resources.jar
c:\program files\FrostWire\App\frostwire\lw-rudp.jar
c:\program files\FrostWire\App\frostwire\lw-security.jar
c:\program files\FrostWire\App\frostwire\lw-setting.jar
c:\program files\FrostWire\App\frostwire\lw-statistic.jar
c:\program files\FrostWire\App\frostwire\messages.jar
c:\program files\FrostWire\App\frostwire\mp3spi.jar
c:\program files\FrostWire\App\frostwire\onion-common.jar
c:\program files\FrostWire\App\frostwire\onion-fec.jar
c:\program files\FrostWire\App\frostwire\pmf.ico
c:\program files\FrostWire\App\frostwire\ProgressTabs.jar
c:\program files\FrostWire\App\frostwire\seenMessages.dat
c:\program files\FrostWire\App\frostwire\splash.jar
c:\program files\FrostWire\App\frostwire\SystemUtilities.dll
c:\program files\FrostWire\App\frostwire\SystemUtilitiesA.dll
c:\program files\FrostWire\App\frostwire\themes.jar
c:\program files\FrostWire\App\frostwire\tray.dll
c:\program files\FrostWire\App\frostwire\tritonus.jar
c:\program files\FrostWire\App\frostwire\Uninstall.exe
c:\program files\FrostWire\App\frostwire\vorbisspi.jar
c:\program files\FrostWire\App\readme.txt
c:\program files\FrostWire\Data\settings\FrostWire\.AppSpecialShare\ALIEN_SKIN_EYECANDY_V6.1.1-XForce.torrent
c:\program files\FrostWire\Data\settings\FrostWire\.AppSpecialShare\EyeCandy611109.rar.torrent
c:\program files\FrostWire\Data\settings\FrostWire\.AppSpecialShare\frostwire-4.21.8.windows.exe
c:\program files\FrostWire\Data\settings\FrostWire\.AppSpecialShare\frostwire-4.21.8.windows.exe.torrent
c:\program files\FrostWire\Data\settings\FrostWire\.AppSpecialShare\hostiles.txt.37.zip.torrent
c:\program files\FrostWire\Data\settings\FrostWire\.AppSpecialShare\Tangent.Games.Crystal.Maze.torrent
c:\program files\FrostWire\Data\settings\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
c:\program files\FrostWire\Data\settings\FrostWire\azureus\.lock
c:\program files\FrostWire\Data\settings\FrostWire\azureus\active\0795893ED4082520E89D43D8417237B7AA6B1B9B.dat
c:\program files\FrostWire\Data\settings\FrostWire\azureus\active\0795893ED4082520E89D43D8417237B7AA6B1B9B.dat.bak
c:\program files\FrostWire\Data\settings\FrostWire\azureus\active\4258AAA6DF108DDE1EA3E0BB1712DF1D8560D8D2.dat
c:\program files\FrostWire\Data\settings\FrostWire\azureus\active\4258AAA6DF108DDE1EA3E0BB1712DF1D8560D8D2.dat.bak
c:\program files\FrostWire\Data\settings\FrostWire\azureus\active\5394A1E98B6F9A95826ACC9815187D8304306E04.dat
c:\program files\FrostWire\Data\settings\FrostWire\azureus\active\5394A1E98B6F9A95826ACC9815187D8304306E04.dat.bak
c:\program files\FrostWire\Data\settings\FrostWire\azureus\active\747C9E7929E7F8643417EF0FD6CFE376520927A3.dat
c:\program files\FrostWire\Data\settings\FrostWire\azureus\active\747C9E7929E7F8643417EF0FD6CFE376520927A3.dat.bak
c:\program files\FrostWire\Data\settings\FrostWire\azureus\active\cache.dat
c:\program files\FrostWire\Data\settings\FrostWire\azureus\azureus.config
c:\program files\FrostWire\Data\settings\FrostWire\azureus\azureus.config.bak
c:\program files\FrostWire\Data\settings\FrostWire\azureus\azureus.statistics
c:\program files\FrostWire\Data\settings\FrostWire\azureus\azureus.statistics.bak
c:\program files\FrostWire\Data\settings\FrostWire\azureus\dht\addresses.dat
c:\program files\FrostWire\Data\settings\FrostWire\azureus\dht\contacts.dat
c:\program files\FrostWire\Data\settings\FrostWire\azureus\dht\diverse.dat
c:\program files\FrostWire\Data\settings\FrostWire\azureus\dht\general.dat
c:\program files\FrostWire\Data\settings\FrostWire\azureus\dht\version.dat
c:\program files\FrostWire\Data\settings\FrostWire\azureus\downloads.config
c:\program files\FrostWire\Data\settings\FrostWire\azureus\downloads.config.bak
c:\program files\FrostWire\Data\settings\FrostWire\azureus\ipfilter.cache
c:\program files\FrostWire\Data\settings\FrostWire\azureus\net\pm_7018.dat
c:\program files\FrostWire\Data\settings\FrostWire\azureus\net\pm_default.dat
c:\program files\FrostWire\Data\settings\FrostWire\azureus\torrents\ALIEN_SKIN_EYECANDY_V6.1.1-XForce.torrent
c:\program files\FrostWire\Data\settings\FrostWire\azureus\torrents\EyeCandy611109.rar.torrent
c:\program files\FrostWire\Data\settings\FrostWire\azureus\torrents\frostwire-4.21.8.windows.exe.torrent
c:\program files\FrostWire\Data\settings\FrostWire\azureus\torrents\Tangent.Games.Crystal.Maze.torrent
c:\program files\FrostWire\Data\settings\FrostWire\createtimes.cache
c:\program files\FrostWire\Data\settings\FrostWire\downloads.dat
c:\program files\FrostWire\Data\settings\FrostWire\fileurns.bak
c:\program files\FrostWire\Data\settings\FrostWire\fileurns.cache
c:\program files\FrostWire\Data\settings\FrostWire\frostwire.props
c:\program files\FrostWire\Data\settings\FrostWire\gnutella.net
c:\program files\FrostWire\Data\settings\FrostWire\hostiles.dat
c:\program files\FrostWire\Data\settings\FrostWire\image_cache\static.frostwire.com\images\banners\220x500frostwire_tshirt_blue_pink1.jpg
c:\program files\FrostWire\Data\settings\FrostWire\image_cache\static.frostwire.com\images\banners\220x500frostwire_tshirt_blue_pink2.jpg
c:\program files\FrostWire\Data\settings\FrostWire\installation.props
c:\program files\FrostWire\Data\settings\FrostWire\installer.dat
c:\program files\FrostWire\Data\settings\FrostWire\intent.props
c:\program files\FrostWire\Data\settings\FrostWire\library.dat
c:\program files\FrostWire\Data\settings\FrostWire\mojito.props
c:\program files\FrostWire\Data\settings\FrostWire\overlays.dat
c:\program files\FrostWire\Data\settings\FrostWire\overlays\fw5overlay.jpg
c:\program files\FrostWire\Data\settings\FrostWire\questions.props
c:\program files\FrostWire\Data\settings\FrostWire\responses.cache
c:\program files\FrostWire\Data\settings\FrostWire\seenMessages.dat
c:\program files\FrostWire\Data\settings\FrostWire\spam.dat
c:\program files\FrostWire\Data\settings\FrostWire\tables.props
c:\program files\FrostWire\Data\settings\FrostWire\themes\frostwirePro_theme.fwtp
c:\program files\FrostWire\Data\settings\FrostWire\themes\frostwirePro_theme\theme.txt
c:\program files\FrostWire\Data\settings\FrostWire\themes\frostwirePro_theme\version.txt
c:\program files\FrostWire\Data\settings\FrostWire\version.xml
c:\program files\FrostWire\Data\settings\FrostWirePortableSettings.ini
c:\program files\FrostWire\FrostWire.exe
c:\program files\FrostWire\Other\Help\images\donation_button.png
c:\program files\FrostWire\Other\Help\images\favicon.ico
c:\program files\FrostWire\Other\Help\images\help_background_footer.png
c:\program files\FrostWire\Other\Help\images\help_background_header.png
c:\program files\FrostWire\Other\Help\images\help_logo_top.png
c:\program files\FrostWire\Other\Source\AppSource.txt
c:\program files\FrostWire\Other\Source\frostwire logo.ai
c:\program files\FrostWire\Other\Source\FrostWirePortable.ini
c:\program files\FrostWire\Other\Source\FrostWirePortable.jpg
c:\program files\FrostWire\Other\Source\FrostWirePortable.nsi
c:\program files\FrostWire\Other\Source\License.txt
c:\program files\FrostWire\Other\Source\PortableApps.comInstaller-old.nsi
c:\program files\FrostWire\Other\Source\PortableApps.comInstaller.bmp
c:\program files\FrostWire\Other\Source\PortableApps.comInstaller.nsi
c:\program files\FrostWire\Other\Source\PortableApps.comInstallerLANG_ENGLISH.nsh
c:\program files\FrostWire\Other\Source\ReadINIStrWithDefault.nsh
c:\program files\FrostWire\Other\Source\Readme.txt
c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
c:\program files\HP\HP Software Update\HPWuSchd2.exe
c:\program files\Object
c:\program files\Object\bho_project.dll
c:\program files\Object\ChromeAddon.pem
c:\program files\Object\chromeaddon\._included.js
c:\program files\Object\chromeaddon\background.html
c:\program files\Object\chromeaddon\included.js
c:\program files\Object\chromeaddon\manifest.json
c:\program files\Object\config.ini
c:\program files\Object\facetheme_uninstall.exe
c:\program files\Object\status.txt
c:\program files\Object\status2.txt
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\ps2.bat
c:\windows\vb.ini
D:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-06-09 to 2011-07-09 )))))))))))))))))))))))))))))))
.
.
2011-07-08 23:36 . 2011-07-08 23:36 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-08 23:36 . 2011-07-08 23:36 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2011-07-08 23:36 . 2011-07-08 23:36 -------- d-----w- c:\program files\McAfee Security Scan
2011-07-08 23:35 . 2011-07-08 23:35 -------- d-----w- c:\program files\NOS
2011-07-08 23:18 . 2011-07-08 23:18 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-08 23:16 . 2011-07-08 23:39 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2011-07-07 22:39 . 2011-07-07 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-07-07 19:43 . 2011-07-07 19:43 -------- d-----w- c:\program files\ESET
2011-07-07 18:38 . 2011-07-07 18:38 -------- d-----w- c:\windows\ServicePackFiles
2011-07-07 05:09 . 2011-07-07 05:09 -------- d-----w- c:\program files\CCleaner
2011-07-07 04:48 . 2011-07-07 04:48 388096 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-07 04:48 . 2011-07-07 04:48 -------- d-----w- c:\program files\Trend Micro
2011-07-07 04:48 . 2011-07-07 04:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-07-07 04:44 . 2011-07-07 04:44 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-07-07 04:43 . 2011-07-07 04:43 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-07-07 03:12 . 2011-07-07 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Alien Skin
2011-07-07 03:12 . 2011-07-07 03:12 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Alien Skin
2011-07-07 03:10 . 2011-07-07 03:10 -------- d-----w- c:\program files\Alien Skin
2011-07-07 01:35 . 2011-07-07 01:35 -------- d-----w- c:\program files\AOL Games
2011-07-06 23:41 . 2011-07-06 23:41 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-07-06 23:41 . 2011-07-06 23:41 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-06 04:43 . 2011-07-06 04:43 -------- d-sh--w- c:\documents and settings\Compaq_Owner\IECompatCache
2011-07-06 04:42 . 2011-07-06 04:42 -------- d-sh--w- c:\documents and settings\Compaq_Owner\PrivacIE
2011-07-06 04:42 . 2011-07-06 04:42 -------- d-sh--w- c:\documents and settings\Compaq_Owner\IETldCache
2011-07-06 04:40 . 2011-07-06 04:40 -------- dc-h--w- c:\windows\ie8
2011-07-06 01:59 . 2011-07-06 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Cisco Systems
2011-06-24 02:04 . 2011-06-24 02:04 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Alien Skin
2011-06-24 01:47 . 2009-12-09 21:22 57344 ----a-w- c:\windows\system32\nlssrv32.exe
2011-06-23 22:55 . 2011-07-08 23:18 -------- d-----w- c:\documents and settings\Administrator
2011-06-23 22:32 . 2011-06-23 22:32 1409 ----a-w- c:\windows\QTFont.for
2011-06-23 22:32 . 2011-07-08 23:37 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Corel
2011-06-23 22:31 . 2011-06-23 22:31 88 --sh--r- c:\windows\system32\DB8EA18C15.sys
2011-06-23 22:31 . 2011-07-08 23:29 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
2011-06-23 22:31 . 2011-06-23 22:31 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Corel
2011-06-23 22:31 . 2011-06-23 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2011-06-23 22:27 . 2011-06-23 22:29 -------- d-----w- c:\program files\Common Files\Corel
2011-06-23 21:04 . 2011-06-23 21:04 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2011-06-23 21:04 . 2011-05-29 16:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-23 21:04 . 2011-06-23 21:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-23 21:04 . 2011-07-06 04:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-23 21:04 . 2011-05-29 16:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-23 20:59 . 2011-06-23 22:27 -------- d-----w- c:\program files\Corel
2011-06-23 20:59 . 2011-06-23 20:59 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\InstallShield
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-26 04:08 . 2005-12-21 21:17 3649 ----a-w- c:\windows\viassary-hp.reg
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--- c:\windows\system32\DB8EA18C15.sys ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 88
Created time: 2011-06-23 22:31
Modified time: 2011-06-23 22:31
MD5: AA7A50CB2911196AD76F8F7D24CB39BA
SHA1: DF7CE408FBDBDDCF1F9A3182724539C83731F4DB
.
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-03 03:21 . 2007-10-03 03:21 171448 c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe
.
2007-06-29 13:24 . 2007-06-29 13:24 286720 c:\program files\QuickTime\bak\QTTask.exe
2007-06-29 13:24 . 2007-10-06 01:05 27660 c:\program files\QuickTime\QTTask.exe
.
2004-08-04 12:00 . 2004-08-04 12:00 15360 c:\windows\system32\bak\ctfmon.exe
2004-08-04 12:00 . 2004-08-04 12:00 15360 c:\windows\system32\ctfmon.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-07-07 39408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="realsched.exe -osboot" [X]
"PCDrProfiler"="" [N/A]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [N/A]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [N/A]
"QuickTime Task"="c:\program files\QuickTime\bak\QTTask.exe" [2007-06-29 286720]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2004-06-24 729088]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-01 28739]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-28 531272]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0"="c:\windows\system32\advpack.dll" [2009-03-08 128512]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-21 27136]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2005-12-21 36903]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-8-1 65588]
Personal Coach.lnk - c:\program files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe [2007-2-13 2392064]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-21 27136]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^Compaq Organize.lnk]
path=c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\Compaq Organize.lnk
backup=c:\windows\pss\Compaq Organize.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
2007-03-16 01:16 454784 ----a-w- c:\program files\Linksys EasyLink Advisor\Linksys EasyLink Advisor\LinksysAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
c:\program files\Common Files\AOL\1139033798\EE\AOLHostManager.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1139033798\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/23/2011 2:04 PM 366640]
R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\nlssrv32.exe [6/23/2011 6:47 PM 57344]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/23/2011 2:04 PM 22712]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/6/2011 9:43 PM 136176]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 5:49 AM 227232]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 5:00 AM 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-07 04:43]
.
2011-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-07 04:43]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.7.254
DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} - hxxps://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
AddRemove-facetheme - c:\program files\Object\facetheme_uninstall.exe
AddRemove-FrostWire 5 - c:\program files\FrostWire 5\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-08 18:42
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(568)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2660)
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\program files\Broderbund\Mavis Beacon Teaches Typing 15\KeyHook.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PSIService.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Hp\HP Software Update\HPWUCli.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprbUpdate.exe
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\rbSolnUpdateENU.3.3.0.exe
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IXP000.TMP\rbSolnUpdate.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\MsiExec.exe
.
**************************************************************************
.
Completion time: 2011-07-08 18:45:45 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-09 01:45
ComboFix2.txt 2011-07-07 19:32
.
Pre-Run: 162,806,247,424 bytes free
Post-Run: 162,787,098,624 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 3A81CF9B192DFCC6C4A2F244B4A3CA82
 
Catching a Worm! One of these is a legitimate file and the other is a Worm - we just have to find out which is which:


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :file
    c:\windows\system32\msiexec.exe
    :file
    c:\windows\system32\MsiExec.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
=======================================
I have some additional script for you to run, but want to see the results of above first.

Are you noticing any improvement in the system? A lot of files and other entries have been removed. I will make suggestions to take some processes off of the Startup Menu when we finish.
 
Thank you for all your help, my computer is running a little better but it's still slow and by the way I installed Avira and I just got a message (Malware found) C:\system volume information\....\A0005276.exe

attached please find the LOG you requested.

SYSTEMLOOK

SystemLook 04.09.10 by jpshortstuff
Log created at 19:24 on 10/07/2011 by Compaq_Owner
Administrator - Elevation successful

========== file ==========

c:\windows\system32\msiexec.exe - File found and opened.
MD5: F5F0146580E7023ADB963879840777F8
Created at 12:00 on 04/08/2004
Modified at 21:45 on 04/05/2005
Size: 78848 bytes
Attributes: --a----
FileDescription: Windows® installer
FileVersion: 3.1.4000.1823
ProductVersion: 3.1.4000.1823
OriginalFilename: msiexec.exe
InternalName: msiexec
ProductName: Windows Installer - Unicode
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.

========== file ==========

c:\windows\system32\MsiExec.exe - File found and opened.
MD5: F5F0146580E7023ADB963879840777F8
Created at 12:00 on 04/08/2004
Modified at 21:45 on 04/05/2005
Size: 78848 bytes
Attributes: --a----
FileDescription: Windows® installer
FileVersion: 3.1.4000.1823
ProductVersion: 3.1.4000.1823
OriginalFilename: msiexec.exe
InternalName: msiexec
ProductName: Windows Installer - Unicode
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.

-= EOF =-
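The SystemLook results above are the answer to the two-spellings question posed earlier in the thread. As an added example, not code from the thread or from SystemLook, the following Python parses SystemLook ':file' output, folds the paths the way Win32 does, and compares same-named entries by hash; the third entry (a same-named file outside system32, with an all-zero MD5 and "Unknown" company name) is constructed to show what a genuine look-alike in another directory would produce.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# SystemLook ':file' output as posted in the thread (trimmed to the fields used
# here), plus one constructed third entry, a same-named file outside system32,
# to exercise the other branch; its all-zero MD5 and "Unknown" company are placeholders.
SAMPLE_LOG = """\
========== file ==========

c:\\windows\\system32\\msiexec.exe - File found and opened.
MD5: F5F0146580E7023ADB963879840777F8
Size: 78848 bytes
CompanyName: Microsoft Corporation

========== file ==========

c:\\windows\\system32\\MsiExec.exe - File found and opened.
MD5: F5F0146580E7023ADB963879840777F8
Size: 78848 bytes
CompanyName: Microsoft Corporation

========== file ==========

c:\\windows\\MsiExec.exe - File found and opened.
MD5: 00000000000000000000000000000000
Size: 12345 bytes
CompanyName: Unknown
"""

# "<drive>:\path - <status>." opens an entry; "Key: value" lines belong to it.
ENTRY_RE = re.compile(r"^(?P<path>[A-Za-z]:\\[^\r\n]*?) - (?P<status>.+?)\.?$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z0-9]+): (?P<value>.*)$")


@dataclass
class FileEntry:
    path: str
    status: str
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def md5(self) -> Optional[str]:
        return self.fields.get("MD5", "").upper() or None


def parse_systemlook(text: str) -> List[FileEntry]:
    """Turn a SystemLook ':file' log into FileEntry records."""
    entries: List[FileEntry] = []
    current: Optional[FileEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("=="):
            continue
        m = ENTRY_RE.match(line)
        if m:
            current = FileEntry(m["path"], m["status"])
            entries.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current.fields[m["key"]] = m["value"]
    return entries


def normalise(path: str) -> str:
    # Win32 path lookups are case-insensitive, so spellings differing only in case
    # name one directory entry; os.path.normcase folds case only on Windows itself.
    return path.replace("/", "\\").lower()


def verdict(a: FileEntry, b: FileEntry) -> str:
    same_hash = a.md5 is not None and a.md5 == b.md5
    if normalise(a.path) == normalise(b.path):
        # One file opened twice: the hashes must agree, otherwise the file
        # changed between the two reads.
        return "same-file" if same_hash else "same-path-hash-mismatch"
    if same_hash:
        return "copy-in-other-dir"         # identical bytes, second location
    return "same-name-different-file"      # look-alike name; check the odd one out


def assess(entries: List[FileEntry]) -> List[Tuple[str, Tuple[str, str]]]:
    """Compare every pair of entries that share a (case-folded) file name."""
    by_name: Dict[str, List[FileEntry]] = {}
    for e in entries:
        by_name.setdefault(normalise(e.path).rsplit("\\", 1)[-1], []).append(e)
    findings = []
    for group in by_name.values():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                findings.append((verdict(a, b), (a.path, b.path)))
    return findings


if __name__ == "__main__":
    for v, (p, q) in assess(parse_systemlook(SAMPLE_LOG)):
        print(f"{v:26} {p}  <->  {q}")
```

Identical hashes under one case-folded path mean SystemLook opened the same file twice, which is what the log above shows; a same-named file with a different hash in another directory is the case worth chasing.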
 
(Malware found) C:\system volume information\....\A0005276.exe

Not to worry! This is a restore point. It is not active in the system. Unfortunately, AV programs on systems don't know the difference in location! You might also see an entry in the Qoobox. This is where Combofix puts the quarantined files. Also no longer active, also dropped when Combofix is uninstalled, but also may show in system AV scan.

You know what they say>>> "Location, location, location!"
=====================================================
About the 'Worm': according to System Look, you have 2 valid processes for the Windows Installer running. I am not comfortable with this in view of the type of malware that was on the system. Please do this for me:

Reboot the computer first> then Right click on the Taskbar> Task Manager> Processes tab> see if either or both of these processes are running> note the 2 different spellings:
msiexec.exe
MsiExec.exe


If they are, please note the CPU usage for each and the memory being used for each. Let me know this, taking care to match up the spellings/CPU/Memory figures.
========================================
I'd like you to run the following please:
Download PeperFix and save it to the desktop:
  • Double-click on peperfix.exe to run it. Follow any on-screen prompts, if any are given.
  • Reboot and do the same process again.
===========================================
Then download HijackThis from http://download.bleepingcomputer.com/hijackthis/HijackThis.zip and save it to your desktop.
  • Extract it to a directory on your hard drive called c:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
============================================
You do not need to do this now- best we finish the cleaning first. But it should help the 'slow' problem.
These are starting on boot, then running in the background. Neither needs to start on boot. The program can be accessed anytime through All Programs.

To remove entries from the Startup Menu using the msconfig utility:
  • Click on Start> Run> type in msconfig> enter>
    msconfig_open_xp.gif
  • Click on Selective Startup
  • Choose the Startup tab:
    startup_tab_xp.gif

    All images courtesy NetSquirrel
  • To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
  • Uncheck any processes you do not need to start on boot.
    ◦ HPWUCli.exe
    ◦ All Kodak Easyshare processes, including update
    ◦ LSSrvc.exe
    ◦ iTunes.exe
    ◦ PSIService.exe
  • Click on Apply> OK when finished.
NOTE:
When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.' Remain in Selective Startup to retain those changes.
 
Good Afternoon,

I checked the processes and none of the MsiExec.exe are running.

I ran the PeperFix and no papers were found.

This is the Hijack LOG

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:38:01 PM, on 7/11/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\QuickTime\bak\QTTask.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nlssrv32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe
C:\HiJackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Personal Coach.lnk = ?
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\nlssrv32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 8610 bytes
 
Let's talk about the antivirus programs:

1. First, there was no antivirus program on the system. So I recommend you install either Avira or Avast NOW.
2. Then I see 2011-07-08 23:36 -------- d-----w- c:\program files\McAfee Security Scan in the Combofix log after you ran the first script.
3. Several replies later, approximately, 7/10, you tell me "and by the way i installed avira "
4. Then I see a Service for McAfee with an earlier install date: McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
=========================================
My 'guess' is that McAfee was already on the system but inactive, possibly because the subscription hadn't been renewed.

The bottom line is that you should have only one, functioning, updated antivirus program on the system.

Which will it be? Uninstall what you're not using/keeping. Reboot the computer when through.
==================================================
Edit: Please run this after you get the AV cleared up:
Custom CFScript

  • [1]. Close any open browsers.
  • [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open Notepad > click on Format > uncheck 'Word Wrap' > and copy/paste the text in the code below into it:
Code:
FCopy::
c:\program files\QuickTime\QTTask.exe | c:\program files\QuickTime\bak\QTTask.exe
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
====================
 
OK, I deleted McAfee.

Here's the ComboFix log.

ComboFix 11-07-12.07 - Compaq_Owner 07/12/2011 11:37:46.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.958.492 [GMT -7:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\program files\QuickTime\QTTask.exe --> c:\program files\QuickTime\bak\QTTask.exe
.
((((((((((((((((((((((((( Files Created from 2011-06-12 to 2011-07-12 )))))))))))))))))))))))))))))))
.
.
2011-07-12 02:36 . 2011-07-12 02:36 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2011-07-12 02:33 . 2011-07-12 02:33 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-07-11 19:36 . 2011-07-11 19:37 -------- d-----w- C:\HiJackthis
2011-07-11 06:00 . 2011-07-11 06:00 -------- d-----w- c:\windows\Sun
2011-07-11 02:29 . 2011-07-11 02:29 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Avira
2011-07-09 19:17 . 2011-07-09 19:23 -------- d-----w- c:\windows\system32\CatRoot_bak
2011-07-09 17:23 . 2011-07-09 17:23 -------- d-----w- c:\program files\MSXML 4.0
2011-07-09 02:13 . 2011-07-09 02:14 -------- d-----w- c:\windows\system32\NtmsData
2011-07-09 02:02 . 2011-07-10 22:41 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-07-09 02:02 . 2011-07-10 22:41 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-07-09 02:02 . 2010-06-17 22:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-07-09 02:02 . 2010-06-17 22:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-07-09 02:02 . 2011-07-09 02:02 -------- d-----w- c:\program files\Avira
2011-07-09 02:02 . 2011-07-09 02:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-07-08 23:36 . 2011-07-08 23:36 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-08 23:35 . 2011-07-08 23:35 -------- d-----w- c:\program files\NOS
2011-07-08 23:18 . 2011-07-08 23:18 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-08 23:16 . 2011-07-08 23:39 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2011-07-07 22:39 . 2011-07-07 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-07-07 19:43 . 2011-07-07 19:43 -------- d-----w- c:\program files\ESET
2011-07-07 18:38 . 2011-07-07 18:38 -------- d-----w- c:\windows\ServicePackFiles
2011-07-07 05:09 . 2011-07-07 05:09 -------- d-----w- c:\program files\CCleaner
2011-07-07 04:48 . 2011-07-07 04:48 388096 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-07 04:48 . 2011-07-07 04:48 -------- d-----w- c:\program files\Trend Micro
2011-07-07 04:48 . 2011-07-07 04:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-07-07 04:44 . 2011-07-07 04:44 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-07-07 04:43 . 2011-07-07 04:43 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-07-07 03:12 . 2011-07-07 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Alien Skin
2011-07-07 03:12 . 2011-07-07 03:12 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Alien Skin
2011-07-07 03:10 . 2011-07-07 03:10 -------- d-----w- c:\program files\Alien Skin
2011-07-07 01:35 . 2011-07-07 01:35 -------- d-----w- c:\program files\AOL Games
2011-07-06 23:41 . 2011-07-06 23:41 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-07-06 23:41 . 2011-07-06 23:41 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-06 19:39 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2011-07-06 19:39 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2011-07-06 19:37 . 2010-05-06 10:41 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2011-07-06 19:37 . 2010-05-06 10:41 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2011-07-06 19:37 . 2010-05-06 10:41 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-07-06 19:37 . 2010-05-06 10:41 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2011-07-06 19:37 . 2010-05-06 10:41 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2011-07-06 19:37 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2011-07-06 19:37 . 2010-05-06 10:41 11076096 ------w- c:\windows\system32\dllcache\ieframe.dll
2011-07-06 04:43 . 2011-07-06 04:43 -------- d-sh--w- c:\documents and settings\Compaq_Owner\IECompatCache
2011-07-06 04:42 . 2011-07-06 04:42 -------- d-sh--w- c:\documents and settings\Compaq_Owner\PrivacIE
2011-07-06 04:42 . 2011-07-06 04:42 -------- d-sh--w- c:\documents and settings\Compaq_Owner\IETldCache
2011-07-06 04:40 . 2011-07-06 04:40 -------- dc-h--w- c:\windows\ie8
2011-07-06 01:59 . 2011-07-06 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Cisco Systems
2011-06-24 02:04 . 2011-06-24 02:04 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Alien Skin
2011-06-24 01:47 . 2009-12-09 21:22 57344 ----a-w- c:\windows\system32\nlssrv32.exe
2011-06-23 22:55 . 2011-07-08 23:18 -------- d-----w- c:\documents and settings\Administrator
2011-06-23 22:32 . 2011-06-23 22:32 1409 ----a-w- c:\windows\QTFont.for
2011-06-23 22:32 . 2011-07-12 02:48 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Corel
2011-06-23 22:31 . 2011-06-23 22:31 88 --sh--r- c:\windows\system32\DB8EA18C15.sys
2011-06-23 22:31 . 2011-07-12 02:48 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
2011-06-23 22:31 . 2011-06-23 22:31 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Corel
2011-06-23 22:31 . 2011-06-23 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2011-06-23 22:27 . 2011-06-23 22:29 -------- d-----w- c:\program files\Common Files\Corel
2011-06-23 21:04 . 2011-06-23 21:04 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2011-06-23 21:04 . 2011-05-29 16:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-23 21:04 . 2011-06-23 21:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-23 21:04 . 2011-07-06 04:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-23 21:04 . 2011-05-29 16:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-23 20:59 . 2011-06-23 22:27 -------- d-----w- c:\program files\Corel
2011-06-23 20:59 . 2011-06-23 20:59 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\InstallShield
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-26 04:08 . 2005-12-21 21:17 3649 ----a-w- c:\windows\viassary-hp.reg
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-07-07 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="realsched.exe -osboot" [X]
"QuickTime Task"="c:\program files\QuickTime\bak\QTTask.exe" [2007-10-06 27660]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2004-06-24 729088]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-01 28739]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-28 531272]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-21 27136]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2005-12-21 36903]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-8-1 65588]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-21 27136]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Personal Coach.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Personal Coach.lnk
backup=c:\windows\pss\Personal Coach.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^Compaq Organize.lnk]
path=c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\Compaq Organize.lnk
backup=c:\windows\pss\Compaq Organize.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
2007-03-16 01:16 454784 ----a-w- c:\program files\Linksys EasyLink Advisor\Linksys EasyLink Advisor\LinksysAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1139033798\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/8/2011 7:02 PM 136360]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/23/2011 2:04 PM 366640]
R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\nlssrv32.exe [6/23/2011 6:47 PM 57344]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/23/2011 2:04 PM 22712]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/6/2011 9:43 PM 136176]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 5:00 AM 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-07 04:43]
.
2011-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-07 04:43]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
Trusted Zone: whataboutadog.com
TCP: DhcpNameServer = 192.168.7.254
DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} - hxxps://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-PCDrProfiler - (no file)
HKLM-Run-HPBootOp - c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
HKLM-Run-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
MSConfigStartUp-HostManager - c:\program files\Common Files\AOL\1139033798\EE\AOLHostManager.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-12 11:42
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(564)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3904)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-07-12 11:43:58
ComboFix-quarantined-files.txt 2011-07-12 18:43
ComboFix2.txt 2011-07-12 18:29
ComboFix3.txt 2011-07-09 01:45
ComboFix4.txt 2011-07-07 19:32
.
Pre-Run: 161,730,961,408 bytes free
Post-Run: 161,719,103,488 bytes free
.
- - End Of File - - 0AB8F530476EC017716F3E86278A1EF9
 
Sorry for the delay - been swamped. Okay, let's see if this will rout the rest of the malware out:

Download The Avenger and save to the desktop.
  • Double click on avenger.exe to run
  • Do not change any of the check box options.
  • Copy everything in the codebox below, and paste it into the Input script here window:
Code:
Folders to delete:
c:\windows\system32\CatRoot_bak
Files to delete:
c:\windows\system32\DB8EA18C15.sys
  • Now click the Execute button.
  • Click Yes to the prompt to confirm you want to execute.
  • Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
  • Your PC should reboot, if not, reboot it yourself.
  • A log file from Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
  • Paste the Avenger log in your next post.

.
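As an added example (not part of this thread, and not a feature of ComboFix or The Avenger), a small Python parser for the "Files Created" lines in the ComboFix logs posted above, which surfaces hidden+system files under system32 such as the DB8EA18C15.sys entry the Avenger script targets. The attribute-column positions (d, c, s, h, a, w/r) are inferred from the posted log lines and are an assumption, not ComboFix documentation; the sample lines are copied from the log above.

```python
"""Triage helper for ComboFix 'Files Created' entries.

Added example for this thread, not ComboFix's own code. Flag positions in the
8-character attribute column are an assumption inferred from the posted log
(e.g. '--sh--r-' = system, hidden, read-only; 'd-----w-' = directory).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Layout seen in the posted logs:
#   <created> . <modified> <size or --------> <attrs> <path>
_ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) "
    r"(?P<attrs>[a-z-]{8}) "
    r"(?P<path>.+)$"
)

# Sample input: lines taken verbatim from the ComboFix log in this thread.
SAMPLE_LINES = [
    r"2011-06-23 22:31 . 2011-06-23 22:31 88 --sh--r- c:\windows\system32\DB8EA18C15.sys",
    r"2011-06-23 22:31 . 2011-07-12 02:48 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys",
    r"2011-07-09 02:02 . 2011-07-10 22:41 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys",
    r"2011-07-06 04:42 . 2011-07-06 04:42 -------- d-sh--w- c:\documents and settings\Compaq_Owner\PrivacIE",
    r"2011-07-06 04:40 . 2011-07-06 04:40 -------- dc-h--w- c:\windows\ie8",
]


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None for directories ('--------' in the log)
    attrs: str
    path: str

    # Assumed column positions: 0=d(irectory) 1=c(ompressed) 2=s(ystem)
    # 3=h(idden) 4=a(rchive) 6=w(ritable)/r(ead-only)
    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def is_system(self) -> bool:
        return self.attrs[2] == "s"

    @property
    def is_hidden(self) -> bool:
        return self.attrs[3] == "h"

    @property
    def is_read_only(self) -> bool:
        return self.attrs[6] == "r"


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one 'Files Created' line; return None for headers, dots, etc."""
    m = _ENTRY_RE.match(line.strip())
    if not m:
        return None
    size_field = m.group("size")
    size = None if size_field.startswith("-") else int(size_field)
    return Entry(m.group("created"), m.group("modified"), size,
                 m.group("attrs"), m.group("path"))


def flag_hidden_system_files(lines: List[str],
                             under: str = r"c:\windows\system32") -> List[Entry]:
    """Return non-directory entries under `under` carrying both the hidden
    and system attributes, the combination an analyst reviews first because
    legitimate files rarely need to hide from Explorer inside system32."""
    flagged = []
    prefix = under.lower()
    for line in lines:
        e = parse_entry(line)
        if e is None or e.is_dir:
            continue
        if e.is_hidden and e.is_system and e.path.lower().startswith(prefix):
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in flag_hidden_system_files(SAMPLE_LINES):
        print(f"{e.attrs} {e.size:>6} {e.created}  {e.path}")
```

Flagging is only a starting point: KGyGaAvL.sys-style licensing files also carry these attributes, so each hit still needs to be identified (size, dates, vendor) before anything is removed.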
 
Good Afternoon,

After the computer rebooted, a "no disk" error window popped up:
"exception Processing Message c0000013 Parameters 75b6bf9c 4 75b6bf9c 75b6bf9c"


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Folder "c:\windows\system32\CatRoot_bak" deleted successfully.
File "c:\windows\system32\DB8EA18C15.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
 
Thank you so much,

ComboFix 11-07-15.02 - Compaq_Owner 07/15/2011 16:34:05.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.958.644 [GMT -7:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Compaq_Owner\Local Settings\temp\IadHide5.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-06-15 to 2011-07-15 )))))))))))))))))))))))))))))))
.
.
2011-07-12 02:36 . 2011-07-12 02:36 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2011-07-12 02:33 . 2011-07-12 02:33 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-07-11 19:36 . 2011-07-11 19:37 -------- d-----w- C:\HiJackthis
2011-07-11 06:00 . 2011-07-11 06:00 -------- d-----w- c:\windows\Sun
2011-07-11 02:29 . 2011-07-11 02:29 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Avira
2011-07-09 17:23 . 2011-07-09 17:23 -------- d-----w- c:\program files\MSXML 4.0
2011-07-09 02:13 . 2011-07-13 20:07 -------- d-----w- c:\windows\system32\NtmsData
2011-07-09 02:02 . 2011-07-10 22:41 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-07-09 02:02 . 2011-07-10 22:41 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-07-09 02:02 . 2010-06-17 22:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-07-09 02:02 . 2010-06-17 22:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-07-09 02:02 . 2011-07-09 02:02 -------- d-----w- c:\program files\Avira
2011-07-09 02:02 . 2011-07-09 02:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-07-08 23:36 . 2011-07-08 23:36 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-08 23:35 . 2011-07-08 23:35 -------- d-----w- c:\program files\NOS
2011-07-08 23:18 . 2011-07-08 23:18 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-08 23:16 . 2011-07-08 23:39 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2011-07-07 22:39 . 2011-07-07 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-07-07 19:43 . 2011-07-07 19:43 -------- d-----w- c:\program files\ESET
2011-07-07 18:38 . 2011-07-07 18:38 -------- d-----w- c:\windows\ServicePackFiles
2011-07-07 05:09 . 2011-07-07 05:09 -------- d-----w- c:\program files\CCleaner
2011-07-07 04:48 . 2011-07-07 04:48 388096 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-07 04:48 . 2011-07-07 04:48 -------- d-----w- c:\program files\Trend Micro
2011-07-07 04:48 . 2011-07-07 04:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-07-07 04:44 . 2011-07-07 04:44 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-07-07 04:43 . 2011-07-07 04:43 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-07-07 03:12 . 2011-07-07 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Alien Skin
2011-07-07 03:12 . 2011-07-07 03:12 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Alien Skin
2011-07-07 03:10 . 2011-07-07 03:10 -------- d-----w- c:\program files\Alien Skin
2011-07-07 01:35 . 2011-07-07 01:35 -------- d-----w- c:\program files\AOL Games
2011-07-06 23:41 . 2011-07-06 23:41 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-07-06 23:41 . 2011-07-06 23:41 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-06 19:39 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2011-07-06 19:39 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2011-07-06 19:37 . 2010-05-06 10:41 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2011-07-06 19:37 . 2010-05-06 10:41 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2011-07-06 19:37 . 2010-05-06 10:41 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-07-06 19:37 . 2010-05-06 10:41 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2011-07-06 19:37 . 2010-05-06 10:41 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2011-07-06 19:37 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2011-07-06 19:37 . 2010-05-06 10:41 11076096 ------w- c:\windows\system32\dllcache\ieframe.dll
2011-07-06 04:43 . 2011-07-06 04:43 -------- d-sh--w- c:\documents and settings\Compaq_Owner\IECompatCache
2011-07-06 04:42 . 2011-07-06 04:42 -------- d-sh--w- c:\documents and settings\Compaq_Owner\PrivacIE
2011-07-06 04:42 . 2011-07-06 04:42 -------- d-sh--w- c:\documents and settings\Compaq_Owner\IETldCache
2011-07-06 04:40 . 2011-07-06 04:40 -------- dc-h--w- c:\windows\ie8
2011-07-06 01:59 . 2011-07-06 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Cisco Systems
2011-06-24 02:04 . 2011-06-24 02:04 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Alien Skin
2011-06-24 01:47 . 2009-12-09 21:22 57344 ----a-w- c:\windows\system32\nlssrv32.exe
2011-06-23 22:55 . 2011-07-08 23:18 -------- d-----w- c:\documents and settings\Administrator
2011-06-23 22:32 . 2011-06-23 22:32 1409 ----a-w- c:\windows\QTFont.for
2011-06-23 22:32 . 2011-07-14 21:32 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Corel
2011-06-23 22:31 . 2011-07-14 21:32 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
2011-06-23 22:31 . 2011-06-23 22:31 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Corel
2011-06-23 22:31 . 2011-06-23 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2011-06-23 22:27 . 2011-06-23 22:29 -------- d-----w- c:\program files\Common Files\Corel
2011-06-23 21:04 . 2011-06-23 21:04 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2011-06-23 21:04 . 2011-05-29 16:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-23 21:04 . 2011-06-23 21:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-23 21:04 . 2011-07-06 04:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-23 21:04 . 2011-05-29 16:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-23 20:59 . 2011-06-23 22:27 -------- d-----w- c:\program files\Corel
2011-06-23 20:59 . 2011-06-23 20:59 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\InstallShield
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-26 04:08 . 2005-12-21 21:17 3649 ----a-w- c:\windows\viassary-hp.reg
.
.
((((((((((((((((((((((((((((( SnapShot_2011-07-12_18.25.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-07-15 23:41 . 2011-07-15 23:41 16384 c:\windows\Temp\Perflib_Perfdata_4cc.dat
- 2005-12-21 21:12 . 2010-12-19 02:09 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2005-12-21 21:12 . 2011-07-12 21:12 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2005-12-21 21:12 . 2010-12-19 02:09 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2005-12-21 21:12 . 2011-07-12 21:12 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2005-12-21 21:12 . 2010-12-19 02:09 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2005-12-21 21:12 . 2011-07-12 21:12 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2005-12-21 21:12 . 2011-07-12 21:12 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2005-12-21 21:12 . 2010-12-19 02:09 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2005-12-21 21:12 . 2011-07-12 21:12 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2005-12-21 21:12 . 2010-12-19 02:09 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2005-06-25 05:42 . 2011-07-14 19:34 191384 c:\windows\system32\FNTCACHE.DAT
+ 2005-12-21 21:12 . 2011-07-12 21:12 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2005-12-21 21:12 . 2010-12-19 02:09 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2005-12-21 21:12 . 2010-12-19 02:09 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2005-12-21 21:12 . 2011-07-12 21:12 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2005-12-21 21:12 . 2010-12-19 02:09 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2005-12-21 21:12 . 2011-07-12 21:12 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2005-12-21 21:12 . 2010-12-19 02:09 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2005-12-21 21:12 . 2011-07-12 21:12 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2005-12-21 21:12 . 2010-12-19 02:09 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2005-12-21 21:12 . 2011-07-12 21:12 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2009-05-07 20:50 . 2009-05-07 20:50 295792 c:\windows\Downloaded Program Files\Stproxy.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-07-07 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="realsched.exe -osboot" [X]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2004-06-24 729088]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-01 28739]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-28 531272]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-21 27136]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2005-12-21 36903]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-8-1 65588]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-21 27136]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Personal Coach.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Personal Coach.lnk
backup=c:\windows\pss\Personal Coach.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^Compaq Organize.lnk]
path=c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\Compaq Organize.lnk
backup=c:\windows\pss\Compaq Organize.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
2007-03-16 01:16 454784 ----a-w- c:\program files\Linksys EasyLink Advisor\Linksys EasyLink Advisor\LinksysAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1139033798\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/8/2011 7:02 PM 136360]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/23/2011 2:04 PM 366640]
R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\nlssrv32.exe [6/23/2011 6:47 PM 57344]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/23/2011 2:04 PM 22712]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/6/2011 9:43 PM 136176]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 5:00 AM 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-07 04:43]
.
2011-07-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-07 04:43]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
Trusted Zone: doginhispen.com
Trusted Zone: whataboutadog.com
TCP: DhcpNameServer = 192.168.7.254
DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} - hxxps://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-15 16:42
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(564)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3148)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PSIService.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-07-15 16:45:48 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-15 23:45
ComboFix2.txt 2011-07-12 18:43
ComboFix3.txt 2011-07-12 18:29
ComboFix4.txt 2011-07-09 01:45
ComboFix5.txt 2011-07-15 23:33
.
Pre-Run: 161,526,546,432 bytes free
Post-Run: 161,563,287,552 bytes free
.
- - End Of File - - 64EAFF7B111BF7198C9ADD424A91BC35
 
Well, I was wrong! It's still hiding:
Trusted Zone: doginhispen.com
Trusted Zone: whataboutadog.com


Or one other possibility: you may have a flash drive infection that has reinfected the system. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.

Please disinfect all movable drives
  1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
  3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  4. Wait until it has finished scanning and then exit the program.
  5. Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
=================
Your system is infected with a trojan called Downloader.Agent.awf. It replaces legitimate files that are common on most computers with an infected file. Then, it moves the legitimate files to a bak or backup folder. It appears that there are more files hiding:

Running FindAWF allows us to identify the files that are infected, as well as the backups and then restore the files.

STEP1:
Please download FindAWF to your Desktop.
  • Double-click FindAWF.exe to start the tool.
  • Select "option #1 - Scan for bak folders" by typing 1 and pressing Enter.
  • When the tool has completed, a report will open up in Notepad. Copy & paste the results into your next reply.
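The FindAWF report is useful beyond what the tool restores: its "bak folders found" listing gives the size of each stashed (presumed legitimate) copy, and the "Duplicate files" listing gives every same-named file elsewhere on disk, so the two sections can be joined to see which live copy differs from the original. As an added example that is not part of this thread and not FindAWF's own code, here is a Python parser that does that join over a constructed, abridged report in the same layout as the ones posted here. The function names (`parse_report`, `correlate`, `is_bak_copy`) are assumptions of the example.

```python
import re

# Constructed sample: an abridged FindAWF "option 1" report in the same layout as the ones
# posted in this thread (8.3 short names in the bak section, long paths in the duplicates list).
SAMPLE_REPORT = r"""Find AWF report by noahdfear ©2006
Version 1.40

bak folders found
~~~~~~~~~~~

Directory of C:\PROGRA~1\QUICKT~1\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 05:00 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\121128~1.546\BAK

10/02/2007 08:21 PM 171,448 GoogleToolbarNotifier.exe
1 File(s) 171,448 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
39408 Jul 6 2011 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
171448 Oct 2 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"

end of report
"""

# One "Directory of <path>\BAK" header opens each bak-folder listing.
DIR_RE = re.compile(r"^Directory of (?P<path>.+\\BAK)$", re.IGNORECASE)
# A DIR-style entry inside a listing: date, time, AM/PM, size with thousands separators, name.
ENTRY_RE = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+(?P<size>[\d,]+)\s+(?P<name>\S+)$")
# A line in the duplicates section: size, date, quoted full path.
DUP_RE = re.compile(r'^(?P<size>\d+)\s+(?P<mon>[A-Za-z]{3})\s+(?P<day>\d{1,2})\s+(?P<year>\d{4})\s+"(?P<path>[^"]+)"$')


def parse_report(text):
    """Split a FindAWF report into its two sections.

    Returns (bak_folders, duplicates): bak_folders maps each bak folder (8.3 path as printed)
    to a list of (file name, size) tuples; duplicates is a list of (path, size, date).
    """
    bak_folders, duplicates, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = DIR_RE.match(line)
        if m:
            current = m.group("path")
            bak_folders[current] = []
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            bak_folders[current].append((m.group("name"), int(m.group("size").replace(",", ""))))
            continue
        m = DUP_RE.match(line)
        if m:
            date = f"{m.group('mon')} {m.group('day')} {m.group('year')}"
            duplicates.append((m.group("path"), int(m.group("size")), date))
    return bak_folders, duplicates


def is_bak_copy(path):
    """True when the file's parent directory is itself named 'bak'."""
    parts = path.split("\\")
    return len(parts) >= 2 and parts[-2].lower() == "bak"


def correlate(text):
    """Pair every file stashed in a bak folder with the same-named copies living elsewhere.

    For each bak entry the result records the size of the stashed copy and, for every non-bak
    duplicate, whether its size matches that stashed copy. A mismatch is a prompt to look
    closer, not a verdict: the live copy may simply be a newer version of the same program.
    """
    bak_folders, duplicates = parse_report(text)
    findings = {}
    for folder, entries in bak_folders.items():
        for name, bak_size in entries:
            live = [
                {"path": p, "size": s, "date": d, "size_matches_bak": s == bak_size}
                for p, s, d in duplicates
                if not is_bak_copy(p) and p.split("\\")[-1].lower() == name.lower()
            ]
            findings[name] = {"bak_folder": folder, "bak_size": bak_size, "live_copies": live}
    return findings


if __name__ == "__main__":
    for name, info in correlate(SAMPLE_REPORT).items():
        print(f"{name}: stashed in {info['bak_folder']} ({info['bak_size']} bytes)")
        for copy in info["live_copies"]:
            tag = "same size as bak copy" if copy["size_matches_bak"] else "SIZE DIFFERS from bak copy"
            print(f"    {copy['path']}  {copy['size']} bytes, {copy['date']}: {tag}")
```

On the reports in this thread the script would show ctfmon.exe with a live copy of identical size to the stashed one, and GoogleToolbarNotifier.exe with a live copy of a different size and a 2011 date; the second is exactly the case the docstring warns about, since a toolbar updated in July 2011 is a legitimate reason for the sizes to differ.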
 
Good Afternoon,

I ran the flash drive disinfector, but I checked the drives under the hidden folders and there is no autorun.inf file.


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Sun 07/17/2011
The current time is: 15:21:45.96


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\QUICKT~1\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 05:00 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\121128~1.546\BAK

10/02/2007 08:21 PM 171,448 GoogleToolbarNotifier.exe
1 File(s) 171,448 bytes

Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\QUICKT~1\BAK

10/05/2007 06:05 PM 27,660 QTTask.exe.vir
1 File(s) 27,660 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\ERDNT\cache\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
15360 Apr 13 2008 "C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ctfmon.exe"
39408 Jul 6 2011 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
307376 Jul 6 2011 "C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe"
136176 Jul 6 2011 "C:\Program Files\Google\Update\GoogleUpdate.exe"
182768 Jul 6 2011 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
136176 Jul 16 2011 "C:\Program Files\Google\Update\1.3.21.57\GoogleUpdate.exe"
171448 Oct 2 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"
589464 May 18 2011 "C:\Program Files\Google\Update\Download\{E0D32F70-31E6-4502-B1CB-909314E7E71B}\GoogleUpdateSetup.exe"
141464 Jun 14 2011 "C:\Program Files\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.21.61\GoogleUpdateB4451148.exe"
27660 Oct 5 2007 "C:\Qoobox\Quarantine\C\Program Files\QuickTime\bak\QTTask.exe.vir"


end of report
 
FindAWF:

STEP 2
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    • C:\WINDOWS\system32\bak\ctfmon.exe
      C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe
      C:\Qoobox\Quarantine\C\Program Files\QuickTime\bak\QTTask.exe.vir
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.
  • Press 2 then Enter to restore files from bak folders
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.
 
Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Sun 07/17/2011
The current time is: 19:14:53.12


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\QUICKT~1\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 05:00 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\121128~1.546\BAK

10/02/2007 08:21 PM 171,448 GoogleToolbarNotifier.exe
1 File(s) 171,448 bytes

Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\QUICKT~1\BAK

10/05/2007 06:05 PM 27,660 QTTask.exe.vir
1 File(s) 27,660 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\ERDNT\cache\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
15360 Apr 13 2008 "C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ctfmon.exe"
39408 Jul 6 2011 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
307376 Jul 6 2011 "C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe"
136176 Jul 6 2011 "C:\Program Files\Google\Update\GoogleUpdate.exe"
182768 Jul 6 2011 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
136176 Jul 16 2011 "C:\Program Files\Google\Update\1.3.21.57\GoogleUpdate.exe"
171448 Oct 2 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"
589464 May 18 2011 "C:\Program Files\Google\Update\Download\{E0D32F70-31E6-4502-B1CB-909314E7E71B}\GoogleUpdateSetup.exe"
141464 Jun 14 2011 "C:\Program Files\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.21.61\GoogleUpdateB4451148.exe"
27660 Oct 5 2007 "C:\Qoobox\Quarantine\C\Program Files\QuickTime\bak\QTTask.exe.vir"


end of report
 
STEP 3
  • In FindAWF, select option 3, by pressing 3 and then enter.
  • This will open the text file folders.txt
  • Copy and paste next list in it:
    Code:
    C:\WINDOWS\system32\bak\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe
    C:\Program Files\QuickTime\bak\QTTask.exe.
  • Then close folders.txt and let it save the changes.
  • FindAWF will now remove the bak folders and open a log afterwards.
  • Copy and paste the contents of that log in your next reply.
 
Good Morning,


Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Mon 07/18/2011
The current time is: 10:37:47.51


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\QUICKT~1\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 05:00 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\121128~1.546\BAK

10/02/2007 08:21 PM 171,448 GoogleToolbarNotifier.exe
1 File(s) 171,448 bytes

Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\QUICKT~1\BAK

10/05/2007 06:05 PM 27,660 QTTask.exe.vir
1 File(s) 27,660 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\ERDNT\cache\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
15360 Apr 13 2008 "C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ctfmon.exe"
39408 Jul 6 2011 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
307376 Jul 6 2011 "C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe"
136176 Jul 6 2011 "C:\Program Files\Google\Update\GoogleUpdate.exe"
182768 Jul 6 2011 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
136176 Jul 16 2011 "C:\Program Files\Google\Update\1.3.21.57\GoogleUpdate.exe"
171448 Oct 2 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"
589464 May 18 2011 "C:\Program Files\Google\Update\Download\{E0D32F70-31E6-4502-B1CB-909314E7E71B}\GoogleUpdateSetup.exe"
141464 Jun 14 2011 "C:\Program Files\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.21.61\GoogleUpdateB4451148.exe"
27660 Oct 5 2007 "C:\Qoobox\Quarantine\C\Program Files\QuickTime\bak\QTTask.exe.vir"


end of report
 
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.
  • Press 4, then press Enter.
  • You will receive a warning to reset domain zones.
  • Press 1 then press Enter.
  • If you have manually included sites in the trusted zones, these will need to be re-inserted.
===========================================
Follow with: download HijackThis from http://download.bleepingcomputer.com/hijackthis/HijackThis.zip and save it to your desktop.
  • Extract it to a directory on your hard drive called c:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log will then open in Notepad. Be sure to click on Format > Uncheck Word Wrap when you open Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
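The caution above is the right one: most HijackThis lines are benign, and the work is in deciding which few deserve a second look (an orphaned BHO whose DLL is gone, a Run entry that names a bare executable instead of a full path, an ActiveX download over plain http, a service with no recorded owner, a browser default pointing somewhere unexpected). As an added example, not a tool from this thread and not HijackThis's own logic, here is a Python triage pass over lines in HijackThis log format; all but one are copied (lightly abridged) from the log posted in this thread, and the R1 line is constructed so the browser-default rule has something to fire on. `EXPECTED_DEFAULT_HOSTS`, the rule names and the function names are assumptions of the example.

```python
import re
from urllib.parse import urlparse

# Sample lines in HijackThis log format. All but the R1 line are copied from the log posted in
# this thread; the R1 line is constructed (search.example.invalid is not a real host) so that
# the browser-default rule has something to fire on.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.invalid/?q=
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games - Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
"""

# Assumption: hosts this analyst accepts as browser defaults (Microsoft's and Google's, as seen in the thread).
EXPECTED_DEFAULT_HOSTS = {"go.microsoft.com", "www.google.com"}

SECTION_RE = re.compile(r"^(?P<sect>[RO]\d+)\s+-\s+(?P<rest>.*)$")
# O4 line: "...\Run: [Name] <command>"; the command is either a quoted path or the first token.
RUN_RE = re.compile(r'^[^\[]*\[(?P<name>[^\]]+)\]\s+(?P<cmd>"[^"]+"|\S+)')
# A fully qualified Windows path starts with a drive letter or an environment variable.
QUALIFIED_RE = re.compile(r"^(?:[A-Za-z]:\\|%[^%]+%\\)")


def triage_line(line):
    """Return (rule, detail) when a HijackThis line deserves a second look, else None."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    sect, rest = m.group("sect"), m.group("rest")
    if sect in ("R0", "R1"):
        # Browser defaults are printed as "<registry value> = <url>".
        url = rest.split(" = ", 1)[-1].strip()
        host = urlparse(url).hostname
        if host and host not in EXPECTED_DEFAULT_HOSTS:
            return ("unexpected-browser-default", url)
    elif sect == "O2" and rest.endswith("(file missing)"):
        # A BHO registration whose DLL no longer exists: leftover from an uninstall, or worse.
        return ("orphaned-bho", rest)
    elif sect == "O4":
        mm = RUN_RE.match(rest)
        if mm:
            exe = mm.group("cmd").strip('"')
            if not QUALIFIED_RE.match(exe):
                # A bare file name is resolved via the search path at logon, so what runs
                # depends on what is found first.
                return ("unqualified-run-path", f"{mm.group('name')} -> {exe}")
    elif sect == "O16" and re.search(r"\s-\s+http://", rest):
        # ActiveX control fetched over cleartext http (the trailing " - <url>" part).
        return ("cleartext-activex-download", rest.rsplit(" - ", 1)[-1])
    elif sect == "O23" and "Unknown owner" in rest:
        return ("service-unknown-owner", rest)
    return None


def triage(log_text):
    """Run every line of a HijackThis log through triage_line and collect the hits in order."""
    return [hit for hit in (triage_line(line) for line in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

Every hit is a question, not a removal: the NAV Helper entry is a stale registration from an uninstalled Norton product, and `realsched.exe` is RealPlayer's scheduler. The point of the pass is to shrink a long log to the handful of lines worth explaining before anything is fixed.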
 
Good Afternoon,

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:08:47 PM, on 7/20/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nlssrv32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\nlssrv32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 8129 bytes
 
By George, I think we got it! No trusted site or bak file in view! Other than 'slow', how is the system doing?

I'd be interested to know how much RAM is installed.
 
That's good news :)

The system is fine, but like you said it's slow, and I disabled some programs from the startup menu.

It's 2.9 GHz and 960 MB of RAM.
 