Help! AntiVermins 2.1 infection!


This topic is locked

#1 Metesh (Member, 22 posts)
I have what appears to be an AntiVermins infection. Please help me to remove this... here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 22:03:59, on 24/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\csrss.exe
C:\Program Files\Video ActiveX Object\isamonitor.exe
C:\Program Files\Video ActiveX Object\pmsngr.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe
C:\Program Files\Video ActiveX Object\pmmon.exe
C:\Program Files\AntiVermins\AntiVermins.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.6962\GoogleToolbarNotifier.exe
C:\Program Files\Video ActiveX Object\isamini.exe
C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTAUTrayApp.exe
C:\Program Files\Common Files\Sony Shared\GMR\GMRMan.exe
C:\WINDOWS\inet20126\free.exe
C:\WINDOWS\inet20126\wpcem.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows...sp?Ext=disabled
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1a1ddc19-5893-43ab-a73f-f41a0f34d115} - C:\Program Files\Video ActiveX Object\isaddon.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [CONNECTScheduler] "C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe" /RUN_SCHEDULER
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.6962\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\245636171.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: CONNECTAUTrayApp.lnk = C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTAUTrayApp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe



Many Thanks

#2 Metesh (Topic Starter, Member, 22 posts)
Hi there,

I searched 'AntiVermins' on your forums and downloaded SmitFraudFix and did a cleanup as recommended in several cases. My homepage that used to say Security Centre etc. is now back to normal and I don't get any more of those popups telling me I'm infected with this and that.

A recent AVG scan showed several trojans such as Trojan.Agent and Trojan.LdPinch.bhp and some tracking cookies (log to follow). Could you show me how to get rid of all these once and for all?

Thanks,

Metesh

#3 Metesh (Topic Starter, Member, 22 posts)
Here is the AVG log; obviously there is still some activity present...

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 23:56:10 24/12/2006

+ Scan result:



C:\RECYCLER\S-1-5-21-2291141122-3531658770-1440498216-1007\Dc84.exe -> Downloader.CWS.j : No action taken.
C:\WINDOWS\inet20126\services.exe -> Downloader.CWS.j : No action taken.
C:\Documents and Settings\HP_Owner\Desktop\hijackthis\backups\backup-20061224-215354-305.dll -> Hijacker.Agent.hz : No action taken.
C:\System Volume Information\_restore{80DC5C79-2A86-4CC1-9CD1-1BF7D6883F58}\RP1\A0001066.dll -> Hijacker.Agent.hz : No action taken.
C:\Documents and Settings\HP_Owner\wpcem.exe -> Logger.Agent.pr : No action taken.
C:\System Volume Information\_restore{80DC5C79-2A86-4CC1-9CD1-1BF7D6883F58}\RP1\A0001067.exe -> Logger.Agent.pr : No action taken.
C:\WINDOWS\inet20126\svchost.exe -> Logger.Agent.pr : No action taken.
C:\WINDOWS\inet20126\svchost.exe.bak -> Logger.Agent.pr : No action taken.
C:\WINDOWS\inet20126\wpcem.exe -> Logger.Agent.pr : No action taken.
C:\System Volume Information\_restore{80DC5C79-2A86-4CC1-9CD1-1BF7D6883F58}\RP1\A0001069.exe -> Proxy.Agent.jw : No action taken.
C:\WINDOWS\inet20126\OEM.exe -> Proxy.Agent.jw : No action taken.
C:\WINDOWS\inet20126\OEM.exe.bak -> Proxy.Agent.jw : No action taken.
C:\RECYCLER\S-1-5-21-2291141122-3531658770-1440498216-1007\Dc92\backups\backups.zip/backups/rpcc.dll -> Proxy.Dlena.be : No action taken.
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@enhance[2].txt -> TrackingCookie.Enhance : No action taken.
C:\System Volume Information\_restore{80DC5C79-2A86-4CC1-9CD1-1BF7D6883F58}\RP1\A0001065.exe -> Trojan.Agent.ws : No action taken.
C:\WINDOWS\inet20126\free.exe -> Trojan.Agent.ws : No action taken.
C:\WINDOWS\inet20126\free.exe.bak -> Trojan.Agent.ws : No action taken.
C:\WINDOWS\loader39078000.exe -> Trojan.Agent.zq : No action taken.
[1880] VM_13140000 -> Trojan.Agent.zq : No action taken.
C:\WINDOWS\inet20126\mmx563.exe -> Trojan.Conycspa.i : No action taken.
C:\WINDOWS\inet20126\mmx896.exe -> Trojan.Conycspa.i : No action taken.
C:\WINDOWS\inet20126\mmx905.exe -> Trojan.Conycspa.i : No action taken.
C:\Program Files\AOL 9.0a\download\update.exe -> Trojan.LdPinch.bhp : No action taken.
C:\WINDOWS\csrss.exe -> Trojan.LdPinch.bhp : No action taken.
[1932] C:\WINDOWS\csrss.exe -> Trojan.LdPinch.bhp : No action taken.


::Report end

#4 Metesh (Topic Starter, Member, 22 posts)
A recent HJT log; 245636171.exe is still there, though.

Logfile of HijackThis v1.99.1
Scan saved at 00:19:11, on 25/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.6962\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTAUTrayApp.exe
C:\Program Files\Common Files\Sony Shared\GMR\GMRMan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\HP_Owner\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows...sp?Ext=disabled
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [CONNECTScheduler] "C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe" /RUN_SCHEDULER
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.6962\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\245636171.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: CONNECTAUTrayApp.lnk = C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTAUTrayApp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
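The two HijackThis logs above carry the entries the rest of the thread turns on: a csrss.exe outside system32, processes under C:\WINDOWS\inet20126, a Run key pointing into Temp, an unnamed BHO and an unfamiliar Winlogon Notify DLL. As an added example, not code from the poster or the forum, the Python script below parses lines in this log format and flags those patterns; the sample lines are constructed from the shapes seen in the thread, and the heuristics are deliberately broad (Webroot's WRNotifier trips the "review" rule as well, which is the point: every O20 entry deserves a look).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the shape of the HijackThis logs posted in this thread
# (a few process lines plus O2/O4/O20 entries, paths as they appear there).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\csrss.exe
C:\WINDOWS\inet20126\free.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

O2 - BHO: (no name) - {1a1ddc19-5893-43ab-a73f-f41a0f34d115} - C:\Program Files\Video ActiveX Object\isaddon.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\245636171.exe
O4 - HKLM\..\Run: [CONNECTScheduler] "C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe" /RUN_SCHEDULER
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# Core Windows binaries that legitimately live only in %SystemRoot%\system32.
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM32_PATH = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$")
# A folder directly under WINDOWS whose name mixes letters and digits (e.g. inet20126),
# excluding the real system32 directory.
ODD_WINDOWS_SUBDIR = re.compile(r"\\windows\\(?!system32\\)[a-z]*\d+[a-z\d]*\\")


@dataclass
class Finding:
    kind: str                      # "process", "O2", "O4" or "O20"
    target: str                    # file the entry points at
    severity: str                  # "high" or "review"
    reasons: List[str] = field(default_factory=list)


def extract_target(line: str) -> Optional[Tuple[str, str]]:
    """Return (kind, path) for a process line or an O2/O4/O20 entry, else None."""
    line = line.strip()
    if re.match(r"^[a-z]:\\", line, re.IGNORECASE):
        return "process", line
    m = re.match(r"^(O\d+) - (.*)$", line)
    if not m:
        return None
    kind, body = m.groups()
    if kind == "O4":
        rest = re.search(r"\]\s*(.*)$", body)      # text after the [EntryName] label
        if not rest:
            return None
        target = rest.group(1)
        if target.startswith('"'):                 # quoted path, possibly followed by arguments
            target = target[1:target.find('"', 1)]
        return kind, target
    if kind in ("O2", "O20"):
        return kind, body.rsplit(" - ", 1)[-1]     # the path is the last " - " separated field
    return None


def assess(kind: str, target: str, line: str) -> List[Tuple[str, str]]:
    """Apply the heuristics; returns (severity, reason) pairs, empty if nothing stands out."""
    p = target.lower()
    name = p.rsplit("\\", 1)[-1]
    hits = []
    if name in CORE_BINARIES and not SYSTEM32_PATH.match(p):
        hits.append(("high", f"core system binary name {name} running outside system32"))
    if kind == "O4" and "\\temp\\" in p:
        hits.append(("high", "autorun entry points into a Temp directory"))
    if re.fullmatch(r"\d+\.exe", name):
        hits.append(("high", "executable with a purely numeric name"))
    if ODD_WINDOWS_SUBDIR.search(p):
        hits.append(("high", "runs from a letters+digits folder directly under WINDOWS"))
    if kind == "O2" and "(no name)" in line:
        hits.append(("high", "browser helper object with no name"))
    if kind == "O20":
        hits.append(("review", "Winlogon Notify DLL loads into winlogon.exe; confirm the vendor"))
    return hits


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return one Finding per entry that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        parsed = extract_target(line)
        if parsed is None:
            continue
        kind, target = parsed
        hits = assess(kind, target, line)
        if hits:
            severity = "high" if any(s == "high" for s, _ in hits) else "review"
            findings.append(Finding(kind, target, severity, [r for _, r in hits]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind:7} {f.target}")
        for r in f.reasons:
            print(f"          - {r}")
```

The script only ranks entries for a human to check; it does not touch the registry or the files it names.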

#5 MFDnSC (Banned, 1,137 posts)
Download http://downloads.and...Tools/SDFix.exe and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
· Restart your computer
· After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
· Instead of Windows loading as normal, the Advanced Options Menu should appear;
· Select the first option, to run Windows in Safe Mode, then press Enter.
· Choose your usual account.
· Open the extracted SDFix folder and double click RunThis.bat to start the script.
· Type Y to begin the cleanup process.
· It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
· Press any Key and it will restart the PC.
· When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
· Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
· Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
==================

1. Download this file :

http://download.blee...Bs/combofix.exe
http://www.techsuppo...ls/combofix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#6 Metesh (Topic Starter, Member, 22 posts)
The report.txt:


SDFix: Version 1.52
****************

25/12/2006 - 1:43:00.59

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Stage One - Safe Mode

Checking Services...

Service Name:


File Path:



Starting Registry Repairs...
Killing PID 132 'smss.exe'
Killing PID 224 'winlogon.exe'

Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two - Normal Mode

Checking For Malware:
--------------------

C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\gkjnr.conf
C:\WINDOWS\system32\drivers\etc\hosts.tim
C:\WINDOWS\system32\rpcc.dll

Backing Up and Removing any Files Found...

Alternate Stream Check:

C:\WINDOWS\system32
No streams found.
Final Check:

Remaining Services:
------------------


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\yahoo!\\messenger\\ypager.exe\""="C:\\Program Files\\yahoo!\\messenger\\ypager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\AOL 9.0\\waol.exe"="C:\\Program Files\\AOL 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking for files with Hidden Attributes:

C:\wupdate.dll
C:\WINDOWS\48505F4F7D11766B_ie-hook.dll
C:\23427.exe
C:\36240.exe
C:\5638.exe
C:\91472.exe
C:\Documents and Settings\HP_Owner\Local Settings\Temp\245636171.exe
C:\Program Files\AOL 9.0\aolphx.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\AOL 9.0\RBM.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0a\aolphx.exe
C:\Program Files\AOL 9.0a\aoltray.exe
C:\Program Files\AOL 9.0a\RBM.exe
C:\Program Files\THQ\Dawn Of War\Disk1CheckW40k.EXE
C:\WINDOWS\system32\cdplayer.exe.manifest
C:\WINDOWS\system32\logonui.exe.manifest
C:\hiberfil.sys
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys

FINISHED!



The new HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 01:49:09, on 25/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.6962\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTAUTrayApp.exe
C:\Program Files\Common Files\Sony Shared\GMR\GMRMan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Owner\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows...sp?Ext=disabled
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [CONNECTScheduler] "C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe" /RUN_SCHEDULER
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.6962\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: CONNECTAUTrayApp.lnk = C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTAUTrayApp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


The Combofix log:

HP_Owner - 06-12-25 1:50:14.78 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\HP_Owner\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-11-25 to 2006-12-25 ))))))))))))))))))))))))))))))))))


2006-12-25 01:37 <DIR> d-------- C:\SDFix
2006-12-24 22:33 1,668 --a------ C:\WINDOWS\system32\tmp.reg
2006-12-24 21:55 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2006-12-24 21:55 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-12-24 21:55 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2006-12-24 21:55 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-12-24 21:55 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-12-24 21:55 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-12-24 20:53 20,992 --a------ C:\WINDOWS\system32\cthkpcv.dll
2006-12-23 00:34 12,800 --a------ C:\WINDOWS\ugjl.exe
2006-12-19 23:43 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2006-12-15 18:31 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2006-12-15 18:23 6,097 --a------ C:\WINDOWS\system32\drivers\sonyhcb.sys
2006-12-15 18:23 53,248 --a------ C:\WINDOWS\system32\SONYHCY.DLL
2006-12-15 18:23 38,739 --a------ C:\WINDOWS\system32\drivers\sonyhcc.sys
2006-12-15 18:23 3,654 --a------ C:\WINDOWS\system32\drivers\Sonyhcp.dll
2006-12-15 18:23 299,923 --a------ C:\WINDOWS\system32\drivers\sonyhcs.sys
2006-12-15 18:23 102,220 --a------ C:\WINDOWS\system32\drivers\sonypvs1.sys
2006-12-15 18:23 <DIR> d-------- C:\Drivers
2006-12-13 18:11 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\DivX
2006-12-05 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2006-11-25 12:08 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2006-11-25 11:53 <DIR> d-------- C:\Program Files\THQ


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-24 21:30 81920 --a------ C:\WINDOWS\system32\Packet.dll
2006-12-24 21:30 61440 --a------ C:\WINDOWS\system32\WanPacket.dll
2006-12-24 21:30 53299 --a------ C:\WINDOWS\system32\pthreadVC.dll
2006-12-24 21:30 32512 --a------ C:\WINDOWS\system32\drivers\npf.sys
2006-12-24 21:30 233472 --a------ C:\WINDOWS\system32\wpcap.dll
2006-12-22 00:24 -------- d-------- C:\Program Files\QuickTime
2006-12-19 23:43 -------- d-------- C:\Program Files\MSN Messenger
2006-12-15 18:23 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-12-09 16:12 -------- d-------- C:\Program Files\DivX
2006-12-09 15:03 -------- d---s---- C:\Documents and Settings\HP_Owner\Application Data\Microsoft
2006-12-05 22:26 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\Adobe
2006-12-05 22:25 -------- d-------- C:\Program Files\Common Files\Adobe
2006-12-05 22:25 -------- d-------- C:\Program Files\Adobe
2006-11-29 14:45 -------- d-------- C:\Program Files\Yahoo!
2006-11-25 11:53 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-11-25 11:53 -------- d-------- C:\Program Files\Common Files
2006-11-23 22:39 -------- d-------- C:\Program Files\RegistryFix
2006-11-23 17:05 80 --a------ C:\WINDOWS\gmer_uninstall.cmd
2006-11-22 23:34 -------- d-------- C:\Program Files\Google
2006-11-22 23:00 -------- d-------- C:\Program Files\Max Payne
2006-11-21 18:20 8704 ---h----- C:\91472.exe
2006-11-20 19:05 105 ---h----- C:\23427.exe
2006-11-19 16:26 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\TrojanHunter
2006-11-19 16:23 -------- d-------- C:\Program Files\TrojanHunter 4.6
2006-11-19 16:18 -------- d-------- C:\Program Files\Symantec
2006-11-19 15:02 -------- d-------- C:\Program Files\Webroot
2006-11-19 15:01 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\Webroot
2006-11-18 23:21 16 ---h----- C:\5638.exe
2006-11-17 00:04 14336 ---h----- C:\36240.exe
2006-11-17 00:03 43008 ---h----- C:\wupdate.dll
2006-11-15 21:01 520192 --a------ C:\WINDOWS\system32\DivXsm.exe
2006-11-15 21:01 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-11-15 21:01 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-11-15 21:01 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2006-11-15 20:56 806912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-11-15 20:56 806912 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-11-15 20:56 790528 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-11-15 20:56 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-11-15 20:56 635486 --a------ C:\WINDOWS\system32\DivX.dll
2006-11-15 20:56 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2006-11-15 20:56 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2006-11-15 20:56 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2006-11-15 20:56 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2006-11-15 20:56 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2006-11-15 20:56 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2006-11-15 20:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2006-11-15 20:36 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2006-11-15 20:36 118784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2006-11-13 03:07 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\AdobeUM
2006-11-12 02:49 -------- d-------- C:\Program Files\Windows Media Player
2006-11-12 02:49 -------- d-------- C:\Program Files\Windows Media Connect 2
2006-11-12 02:05 98304 --a------ C:\WINDOWS\system32\wmpband.dll
2006-11-08 20:30 -------- d-------- C:\Program Files\Microsoft Office
2006-11-08 18:49 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-11-05 22:58 -------- d-------- C:\Program Files\ewido anti-malware
2006-11-05 00:57 12528 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2006-11-03 00:42 -------- d-------- C:\Program Files\EasyRecorder
2006-11-03 00:38 -------- d-------- C:\Program Files\Sony
2006-11-03 00:38 -------- d-------- C:\Program Files\CAPCOM
2006-11-03 00:35 -------- d-------- C:\Program Files\Antivirus
2006-11-03 00:17 -------- d-------- C:\Program Files\EA GAMES
2006-11-03 00:15 -------- d-a------ C:\Program Files\PC-Doctor for Windows
2006-11-03 00:15 -------- d-------- C:\Program Files\Messenger
2006-11-03 00:15 -------- d-------- C:\Program Files\LimeWire
2006-11-03 00:15 -------- d-------- C:\Program Files\GameSpy Arcade
2006-11-03 00:15 -------- d-------- C:\Program Files\AOL 9.0a
2006-11-03 00:15 -------- d-------- C:\Program Files\AOL 9.0
2006-11-02 23:47 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-11-02 23:46 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-11-02 23:46 -------- d-------- C:\Program Files\Common Files\Designer
2006-11-02 04:37 -------- d-------- C:\Program Files\Windows NT
2006-11-02 04:37 -------- d-------- C:\Program Files\Outlook Express
2006-11-02 04:37 -------- d-------- C:\Program Files\NetMeeting
2006-11-02 04:37 -------- d-------- C:\Program Files\Movie Maker
2006-11-02 04:37 -------- d-------- C:\Program Files\Internet Explorer
2006-11-02 04:37 -------- d-------- C:\Program Files\Common Files\System
2006-11-02 04:37 -------- d-------- C:\Program Files\Common Files\Services
2006-11-02 00:01 -------- d-------- C:\Program Files\Belkin
2006-11-01 22:57 15781 --a------ C:\WINDOWS\system32\drivers\mdc8021x.sys
2006-11-01 22:57 -------- d-------- C:\Program Files\Microsoft.NET
2006-11-01 22:13 8552 --a------ C:\WINDOWS\system32\drivers\asctrm.sys
2006-11-01 22:03 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\Intervideo
2006-11-01 22:03 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\Apple Computer
2006-11-01 17:09 21568 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2006-11-01 17:09 21056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2006-11-01 17:09 20544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2006-11-01 17:09 128064 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2006-11-01 10:25 -------- d-------- C:\Program Files\KalOnlineEng
2006-10-25 23:29 -------- d-------- C:\Program Files\Grisoft
2006-10-18 22:58 8704 --------- C:\WINDOWS\system32\wdfmgr.exe
2006-10-18 22:58 8704 --------- C:\WINDOWS\system32\uwdf.exe
2006-10-18 22:47 991744 --a------ C:\WINDOWS\system32\drmv2clt.dll
2006-10-18 22:47 937984 --a------ C:\WINDOWS\system32\WMNetMgr.dll
2006-10-18 22:47 767488 --------- C:\WINDOWS\system32\WMVSENCD.dll
2006-10-18 22:47 757248 --a------ C:\WINDOWS\system32\WMADMOD.dll
2006-10-18 22:47 656896 --------- C:\WINDOWS\system32\WMVXENCD.dll
2006-10-18 22:47 63488 --------- C:\WINDOWS\system32\wpdmtpus.dll
2006-10-18 22:47 629760 --------- C:\WINDOWS\system32\wpd_ci.dll
2006-10-18 22:47 603648 --a------ C:\WINDOWS\system32\WMSPDMOD.dll
2006-10-18 22:47 542720 --a------ C:\WINDOWS\system32\blackbox.dll
2006-10-18 22:47 535040 --------- C:\WINDOWS\system32\wmdrmsdk.dll
2006-10-18 22:47 429056 --------- C:\WINDOWS\system32\wmdrmdev.dll
2006-10-18 22:47 414208 --a------ C:\WINDOWS\system32\msscp.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\wmvdmoe2.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\wmvdmod.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\wmsdmoe2.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\wmsdmod.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\MPG4DMOD.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\MP4SDMOD.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\MP43DMOD.dll
2006-10-18 22:47 4096 --------- C:\WINDOWS\system32\WMVADVE.DLL
2006-10-18 22:47 4096 --------- C:\WINDOWS\system32\WMVADVD.dll
2006-10-18 22:47 4096 --------- C:\WINDOWS\system32\wdfapi.dll
2006-10-18 22:47 37376 --a------ C:\WINDOWS\system32\wmdmps.dll
2006-10-18 22:47 35840 --------- C:\WINDOWS\system32\wpdconns.dll
2006-10-18 22:47 356352 --------- C:\WINDOWS\system32\wpdsp.dll
2006-10-18 22:47 348672 --------- C:\WINDOWS\system32\wmdrmnet.dll
2006-10-18 22:47 33792 --a------ C:\WINDOWS\system32\wmdmlog.dll
2006-10-18 22:47 321536 --a------ C:\WINDOWS\system32\mswmdm.dll
2006-10-18 22:47 317440 --------- C:\WINDOWS\system32\MP4SDECD.dll
2006-10-18 22:47 284160 --------- C:\WINDOWS\system32\PortableDeviceApi.dll
2006-10-18 22:47 276992 --------- C:\WINDOWS\system32\audiodev.dll
2006-10-18 22:47 27136 --a------ C:\WINDOWS\system32\mspmsnsv.dll
2006-10-18 22:47 2603008 --------- C:\WINDOWS\system32\WpdShext.dll
2006-10-18 22:47 259072 --------- C:\WINDOWS\system32\MPG4DECD.dll
2006-10-18 22:47 259072 --------- C:\WINDOWS\system32\MP43DECD.dll
2006-10-18 22:47 2450944 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-10-18 22:47 229376 --a------ C:\WINDOWS\system32\cewmdm.dll
2006-10-18 22:47 222208 --a------ C:\WINDOWS\system32\WMASF.dll
2006-10-18 22:47 212992 --------- C:\WINDOWS\system32\MFPLAT.dll
2006-10-18 22:47 211456 --a------ C:\WINDOWS\system32\qasf.dll
2006-10-18 22:47 199168 --------- C:\WINDOWS\system32\PortableDeviceWMDRM.dll
2006-10-18 22:47 179712 --a------ C:\WINDOWS\system32\msnetobj.dll
2006-10-18 22:47 175616 --a------ C:\WINDOWS\system32\mspmsp.dll
2006-10-18 22:47 166912 --------- C:\WINDOWS\system32\PortableDeviceTypes.dll
2006-10-18 22:47 1574912 --------- C:\WINDOWS\system32\WMVENCOD.dll
2006-10-18 22:47 157184 --a------ C:\WINDOWS\system32\wmidx.dll
2006-10-18 22:47 154624 --------- C:\WINDOWS\system32\wpdmtp.dll
2006-10-18 22:47 1543680 --------- C:\WINDOWS\system32\WMVDECOD.dll
2006-10-18 22:47 1382912 --------- C:\WINDOWS\system32\WMVSDECD.dll
2006-10-18 22:47 133632 --------- C:\WINDOWS\system32\WPDShServiceObj.dll
2006-10-18 22:47 1329152 --a------ C:\WINDOWS\system32\WMSPDMOE.dll
2006-10-18 22:47 132096 --------- C:\WINDOWS\system32\PortableDeviceWiaCompat.dll
2006-10-18 22:47 11264 --a------ C:\WINDOWS\system32\LAPRXY.dll
2006-10-18 22:47 1117696 --a------ C:\WINDOWS\system32\WMADMOE.dll
2006-10-18 22:47 101888 --------- C:\WINDOWS\system32\PortableDeviceClassExtension.dll
2006-10-18 21:47 99840 --a------ C:\WINDOWS\system32\wmpshell.dll
2006-10-18 21:47 8231936 --a------ C:\WINDOWS\system32\wmploc.dll
2006-10-18 21:47 7168 --a------ C:\WINDOWS\system32\asferror.dll
2006-10-18 21:47 613376 --------- C:\WINDOWS\system32\wmpmde.dll
2006-10-18 21:47 38400 --------- C:\WINDOWS\system32\wpdshextres.dll
2006-10-18 21:47 314880 --a------ C:\WINDOWS\system32\wmpdxm.dll
2006-10-18 21:47 295936 --------- C:\WINDOWS\system32\wmpeffects.dll
2006-10-18 21:47 242688 --a------ C:\WINDOWS\system32\wmpasf.dll
2006-10-18 21:47 227328 --a------ C:\WINDOWS\system32\wmerror.dll
2006-10-18 21:47 204288 --------- C:\WINDOWS\system32\wmpsrcwp.dll
2006-10-18 21:47 1661440 --------- C:\WINDOWS\system32\wmpencen.dll
2006-10-18 21:47 130048 --------- C:\WINDOWS\system32\wmpps.dll
2006-10-18 21:03 100864 --a------ C:\WINDOWS\system32\logagent.exe
2006-10-18 21:00 249856 --------- C:\WINDOWS\system32\drmupgds.exe
2006-10-18 21:00 17408 --------- C:\WINDOWS\system32\wpdshextautoplay.exe
2006-10-06 21:49 737280 --a------ C:\WINDOWS\iun6002.exe
2006-10-02 15:28 312128 --------- C:\WINDOWS\system32\msdelta.dll
2006-09-28 20:13 95344 --------- C:\WINDOWS\system32\WUDFCoinstaller.dll
2006-09-28 18:56 55808 --------- C:\WINDOWS\system32\WudfSvc.dll
2006-09-28 18:56 316416 --------- C:\WINDOWS\system32\WUDFx.dll
2006-09-28 18:56 165376 --------- C:\WINDOWS\system32\WudfPlatform.dll
2006-09-28 18:56 146432 --------- C:\WINDOWS\system32\WudfHost.exe
2006-09-25 17:58 23856 --a------ C:\WINDOWS\system32\spupdsvc.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"swg"="\"C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.6962\\GoogleToolbarNotifier.exe\""
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"bcmwltry"="bcmwltry.exe"
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"CONNECTScheduler"="\"C:\\Program Files\\Sony\\CONNECTAutoUpdate\\CONNECTScheduler.exe\" /RUN_SCHEDULER"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{b59f3ba4-98da-4b5f-8a2d-7b56fb11140b}"="buprestidae"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Digital Imaging Monitor.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Digital Imaging Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe "
"item"="HP Digital Imaging Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsnMsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask1"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask1.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Schedule"=dword:00000002

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job
C:\WINDOWS\tasks\WebReg 20061216222330.job

Completion time: 06-12-25 1:51:06.06
C:\ComboFix.txt ... 06-12-25 01:51


Thanks!! That dodgy entry in the HJT log seems to be gone!
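What the helper is scanning for by eye in the ComboFix listing above is a handful of entries that stand out from the hundreds of legitimate ones: hidden executables with random numeric names dropped straight into the root of C:\ (C:\91472.exe, C:\23427.exe, C:\5638.exe, C:\36240.exe, C:\wupdate.dll), one of them only 16 bytes long. As an added example, not code from this thread, from the helper, or from ComboFix itself, the following Python script parses lines in the file-listing format ComboFix uses in its "Files Created" and "Find3M Report" sections and flags the entries worth asking about. The sample lines are a constructed subset copied from the log above. Two things are assumptions rather than documented ComboFix behaviour: that the 9-character attribute field marks directories with a `d` and hidden files with an `h` (consistent with every entry on the page), and the "all-digit file name" rule, which is a triage heuristic. The size check rests on a fact about the PE format: a file shorter than the 64-byte IMAGE_DOS_HEADER cannot be a valid executable, whatever its extension.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the "Files Created" and "Find3M Report"
# lines from the ComboFix log above. Both sections share one layout:
# date, time, size (or <DIR> / dashes for directories), a 9-character
# attribute field, and the path.
SAMPLE_LOG = r"""
2006-12-24 22:33 1,668 --a------ C:\WINDOWS\system32\tmp.reg
2006-12-25 01:37 <DIR> d-------- C:\SDFix
2006-12-23 00:34 12,800 --a------ C:\WINDOWS\ugjl.exe
2006-12-22 00:24 -------- d-------- C:\Program Files\QuickTime
2006-12-15 18:23 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-21 18:20 8704 ---h----- C:\91472.exe
2006-11-20 19:05 105 ---h----- C:\23427.exe
2006-11-18 23:21 16 ---h----- C:\5638.exe
2006-11-17 00:04 14336 ---h----- C:\36240.exe
2006-11-17 00:03 43008 ---h----- C:\wupdate.dll
2006-11-15 21:01 520192 --a------ C:\WINDOWS\system32\DivXsm.exe
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|-+|[\d,]+)\s+(?P<attrs>[a-z-]{9})\s+(?P<path>.+?)\s*$"
)

EXEC_EXTENSIONS = (".exe", ".dll", ".sys", ".scr", ".com")
DOS_HEADER_SIZE = 64  # sizeof(IMAGE_DOS_HEADER): no PE file can be smaller
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")  # file directly under X:\


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]  # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        # Assumption: 'd' in the attribute field marks a directory ("d--------")
        return "d" in self.attrs

    @property
    def hidden(self) -> bool:
        # Assumption: 'h' marks the hidden attribute ("---h-----", "d--h-----")
        return "h" in self.attrs

    @property
    def is_executable(self) -> bool:
        return not self.is_dir and self.path.lower().endswith(EXEC_EXTENSIONS)


def parse_listing(text: str) -> List[Entry]:
    """Parse ComboFix file-listing lines; lines in another format are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        raw_size = m.group("size")
        size = int(raw_size.replace(",", "")) if raw_size[0].isdigit() else None
        entries.append(Entry(m.group("date"), m.group("time"), size,
                             m.group("attrs"), m.group("path")))
    return entries


HIDDEN_ROOT = "hidden executable directly in a drive root"
TOO_SMALL = "smaller than a DOS header, cannot be a valid PE"
NUMERIC_NAME = "all-digit file name (heuristic)"


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for the executables a helper would ask about."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        if not e.is_executable:
            continue
        reasons = []
        if e.hidden and DRIVE_ROOT_RE.match(e.path):
            reasons.append(HIDDEN_ROOT)
        if e.size is not None and e.size < DOS_HEADER_SIZE:
            reasons.append(TOO_SMALL)
        stem = e.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if stem.isdigit():
            reasons.append(NUMERIC_NAME)
        if reasons:
            findings[e.path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(parse_listing(SAMPLE_LOG)).items():
        print(f"{path}: {'; '.join(reasons)}")
```

Run against the sample, the script reports the five hidden root-directory files and nothing else; C:\WINDOWS\ugjl.exe, which a helper would also query, passes these three rules, which is the usual limit of attribute-based triage: the rules narrow the list, they do not replace looking up the file.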

#7
MFDnSC

Clean

Turn off restore points, boot, turn them back on – here’s how

http://service1.syma...src=sec_doc_nam

#8
Metesh (Topic Starter)
Many thanks for your help once again! And Merry Christmas! :whistling:

#9
MFDnSC
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
