viruses and dns changers i can't remove

viruses and dns changers i can't remove

Postby golferdude » Sat May 09, 2009 3:39 pm

Viruses and DNS changers I can't remove. This is my first post, please help. I have attached the hijack file.
Last edited by golferdude on Sun May 10, 2009 2:47 am, edited 1 time in total.
golferdude
 
Posts: 15
Joined: Sat May 09, 2009 3:20 pm

Re: viruses and dns changers i can't remove

Postby golferdude » Sat May 09, 2009 4:33 pm

Sorry, let me try to attach again. My problem is 6 or 8 DNS changers and 2 or 3 BHO root viruses.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:37 AM, on 5/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\reader_s.exe
C:\windows\ld08.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\windows\pp06.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\JOHN\LOCALS~1\Temp\lmvn3i.exe
C:\DOCUME~1\JOHN\LOCALS~1\Temp\lmvn3i.exe
C:\Documents and Settings\JOHN\reader_s.exe
C:\WINDOWS\system32\SYS32DLL.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Adobe Media Player\Adobe Media Player.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\DOCUME~1\JOHN\LOCALS~1\Temp\lmvn3i.exe
C:\DOCUME~1\JOHN\LOCALS~1\Temp\lmvn3i.exe
C:\DOCUME~1\JOHN\LOCALS~1\Temp\lmvn3i.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\SYS32DLL.exe
C:\Program Files\Avira\AntiVir Desktop\avscan.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/ ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.anywebcam.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld08.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [pp] C:\windows\pp06.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [] C:\DOCUME~1\JOHN\LOCALS~1\Temp\lmvn3i.exe
O4 - HKCU\..\Run: [uidenhiufgsduiazghs] C:\DOCUME~1\JOHN\LOCALS~1\Temp\lmvn3i.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\JOHN\reader_s.exe
O4 - HKCU\..\Run: [SYS32DLL] SYS32DLL
O4 - S-1-5-18 Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe (User 'Default user')
O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\towamusi.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Avira AntiVir Scheduler (antivirschedulerservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service (lavasoft ad-aware service) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 8148 bytes
golferdude
 
Posts: 15
Joined: Sat May 09, 2009 3:20 pm

Re: viruses and dns changers i can't remove

Postby patrik » Sun May 10, 2009 2:51 pm

Hello golferdude, welcome to the Myantispyware forum.

Run HijackThis. Click the "Do a system scan only" button.
Now select the following entries by placing a tick in the left-hand check box, if still present:
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld08.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp06.exe
O4 - HKCU\..\Run: [uidenhiufgsduiazghs] C:\DOCUME~1\JOHN\LOCALS~1\Temp\lmvn3i.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\JOHN\reader_s.exe
O4 - HKCU\..\Run: [SYS32DLL] SYS32DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\towamusi.dll

Once you have selected all entries, close all running programs then click once on the "fix checked" button.
Reboot your computer.

Download and install Malwarebytes Anti-Malware (MBAM).
Run it and perform a Quick Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad (save the log to your desktop) and you may be prompted to restart.

Download RSIT by random/random from here and save it to your desktop.
* Double click on RSIT.exe to run RSIT.
* Click Continue at the disclaimer screen.
* Once it has finished, two logs will open.
Post back with the MBAM log + both RSIT logs. Post each log in a separate post.
patrik
Site Admin
 
Posts: 8425
Joined: Sun Jan 08, 2006 1:11 pm
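The entries patrik picked out above share a few traits that a reviewer can check mechanically: executables launched from a Temp directory, loose executables dropped in the Windows root or the user profile root, a Run value that is a bare name with no path, an empty item name, the same item name registered twice with different targets, and anything at all in AppInit_DLLs. The following triage script is an added example (not a tool from this forum or from HijackThis); it parses the O4 and O20 lines of an HijackThis log and applies those heuristics to a constructed sample built from the lines posted in this thread. The heuristics and flag wording are the example's own assumptions, not a HijackThis feature.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: O4/O20/O23 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld08.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp06.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [] C:\DOCUME~1\JOHN\LOCALS~1\Temp\lmvn3i.exe
O4 - HKCU\..\Run: [uidenhiufgsduiazghs] C:\DOCUME~1\JOHN\LOCALS~1\Temp\lmvn3i.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\JOHN\reader_s.exe
O4 - HKCU\..\Run: [SYS32DLL] SYS32DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\towamusi.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# HijackThis line formats handled here (other sections are ignored).
O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$')
O20_RE = re.compile(r'^O20 - AppInit_DLLs: (.*)$')
EXE_RE = re.compile(r'^(.*?\.(?:exe|dll|com|scr))(?:\s|$)', re.IGNORECASE)


def target_path(command: str) -> str:
    """Pull the executable path out of a Run value (quoted or unquoted, with or without arguments)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)
    return m.group(1) if m else command


def path_flags(path: str) -> List[str]:
    """Location-based heuristics (assumed for this example) for a single autostart target."""
    p = path.lower()
    flags = []
    if '\\' not in p:
        flags.append('bare name without a path')
    if '\\temp\\' in p:
        flags.append('runs from a Temp directory')
    if re.match(r'^c:\\windows\\[^\\]+\.exe$', p):
        flags.append('loose executable in the Windows root')
    if re.match(r'^c:\\documents and settings\\[^\\]+\\[^\\]+\.exe$', p):
        flags.append('executable in a user profile root')
    return flags


def triage(log: str) -> List[Tuple[str, List[str]]]:
    """Return (log line, reasons) for every O4/O20 entry that trips at least one heuristic."""
    entries = []  # (line, hive, item name, target path)
    for line in log.splitlines():
        line = line.rstrip()
        m = O4_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            entries.append((line, hive, name, target_path(cmd)))
            continue
        m = O20_RE.match(line)
        if m:
            entries.append((line, 'AppInit', None, m.group(1).strip()))

    # Collect every distinct target registered under each item name (across HKLM and HKCU).
    by_name: Dict[str, set] = {}
    for _, _, name, path in entries:
        if name:
            by_name.setdefault(name.lower(), set()).add(path.lower())

    flagged = []
    for line, hive, name, path in entries:
        flags = []
        if hive == 'AppInit':
            flags.append('AppInit_DLLs loads this DLL into every process that uses user32')
        else:
            if name == '':
                flags.append('empty item name')
            flags.extend(path_flags(path))
            if name and len(by_name[name.lower()]) > 1:
                flags.append('same item name registered twice with different targets')
        if flags:
            flagged.append((line, flags))
    return flagged


if __name__ == '__main__':
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print('    -', r)
```

On the sample above the script flags eight entries: patrik's seven plus the empty-named duplicate of the Temp-directory file, while the vendor entries (Synaptics, Avira) pass untouched.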

Re: viruses and dns changers i can't remove

Postby golferdude » Sun May 10, 2009 8:40 pm

Here is the Malware log.

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 2

5/10/2009 3:33:27 PM
mbam-log-2009-05-10 (15-33-26).txt

Scan type: Quick Scan
Objects scanned: 64306
Time elapsed: 2 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
golferdude
 
Posts: 15
Joined: Sat May 09, 2009 3:20 pm

Re: viruses and dns changers i can't remove

Postby golferdude » Sun May 10, 2009 8:42 pm

Here is the RSIT log.

Logfile of random's system information tool 1.06 (written by random/random)
Run by JOHN at 2009-05-10 15:34:53
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 63 GB (83%) free of 75 GB
Total RAM: 1022 MB (49% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:34:55 PM, on 5/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe Media Player\Adobe Media Player.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\JOHN\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\JOHN.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/ ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.anywebcam.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - S-1-5-18 Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe (User 'Default user')
O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 5782 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478d38-c3f9-4efb-9b51-7695eca05670}]
&Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2008-05-15 817936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2008-05-15 817936]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-04 208952]
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2005-06-19 729178]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-12-01 344064]
"Cpqset"=C:\Program Files\HPQ\Default Settings\cpqset.exe [2005-08-01 233534]
"HP Software Update"=C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [2005-02-17 49152]
"eabconfg.cpl"=C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe [2005-12-22 405504]
""= []
"hpWirelessAssistant"=C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe [2005-12-13 507904]
"ControlCenter2.0"=C:\Program Files\Brother\ControlCenter2\brctrcen.exe [2005-07-22 933888]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]
"QPService"=C:\Program Files\HP\QuickPlay\QPService.exe [2005-12-12 94208]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-10-13 1694208]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

C:\Documents and Settings\JOHN\Start Menu\Programs\Startup
Adobe Media Player.lnk - C:\Program Files\Adobe Media Player\Adobe Media Player.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2005-12-01 47104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2004-08-04 239616]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
C:\WINDOWS\system32\towamusi.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableProfileQuota"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2009-05-10 15:34:53 ----D---- C:\rsit
2009-05-10 14:46:29 ----A---- C:\WINDOWS\st_1242009663.exe
2009-05-10 14:46:29 ----A---- C:\WINDOWS\st_1242008859.exe
2009-05-10 14:05:12 ----D---- C:\Program Files\anywebcam
2009-05-10 13:43:11 ----D---- C:\Documents and Settings\JOHN\Application Data\Mozilla
2009-05-10 13:42:55 ----D---- C:\Program Files\Mozilla Firefox
2009-05-10 13:26:35 ----A---- C:\WINDOWS\st_1242012221.exe
2009-05-10 13:26:33 ----A---- C:\WINDOWS\st_1241989527.exe
2009-05-10 10:52:37 ----D---- C:\WINDOWS\system32\199638
2009-05-10 10:34:31 ----A---- C:\WINDOWS\st_1241975444.exe
2009-05-10 10:34:30 ----A---- C:\WINDOWS\st_1242000188.exe
2009-05-10 09:11:35 ----A---- C:\log2.txt
2009-05-10 09:11:35 ----A---- C:\log1.txt
2009-05-10 09:05:23 ----D---- C:\Documents and Settings\JOHN\Application Data\True Sword
2009-05-10 09:00:18 ----D---- C:\Program Files\True Sword 5
2009-05-09 17:49:57 ----A---- C:\WINDOWS\system32\SYS32DLL.exe
2009-05-09 17:49:53 ----D---- C:\WINDOWS\system32\796525
2009-05-09 17:41:36 ----D---- C:\Documents and Settings\All Users\Application Data\Gtek
2009-05-09 17:41:34 ----D---- C:\Documents and Settings\JOHN\Application Data\GTek
2009-05-09 17:41:07 ----A---- C:\WINDOWS\st_1241934067.exe
2009-05-09 17:41:06 ----A---- C:\WINDOWS\st_1241941271.exe
2009-05-09 16:16:29 ----A---- C:\WINDOWS\system32\junk.exe
2009-05-09 15:53:09 ----A---- C:\WINDOWS\st_1241916822.exe
2009-05-09 15:53:08 ----A---- C:\WINDOWS\st_1241920649.exe
2009-05-09 13:24:56 ----A---- C:\WINDOWS\st_1241905486.exe
2009-05-09 13:24:55 ----A---- C:\WINDOWS\st_1241898879.exe
2009-05-09 10:14:11 ----D---- C:\Program Files\Trend Micro
2009-05-09 09:26:42 ----A---- C:\WINDOWS\system32\bxx.txt
2009-05-09 09:26:41 ----A---- C:\WINDOWS\system32\sdd.txt
2009-05-09 09:26:41 ----A---- C:\WINDOWS\system32\r24.txt
2009-05-09 09:26:41 ----A---- C:\WINDOWS\system32\p1.txt
2009-05-09 09:26:41 ----A---- C:\WINDOWS\system32\dz1.txt
2009-05-09 09:25:33 ----A---- C:\WINDOWS\system32\lxserv4.dll
2009-05-08 20:18:26 ----D---- C:\Program Files\Pokie Magic Games
2009-05-08 20:15:44 ----D---- C:\Documents and Settings\JOHN\Application Data\GetRightToGo
2009-05-08 19:50:54 ----A---- C:\WINDOWS\st_1241846298.exe
2009-05-08 19:50:53 ----A---- C:\WINDOWS\st_1241852299.exe
2009-05-08 17:20:01 ----A---- C:\WINDOWS\ntbtlog.txt
2009-05-08 17:06:29 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-05-08 16:41:02 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-05-08 16:13:25 ----D---- C:\Documents and Settings\JOHN\Application Data\Yahoo!
2009-05-08 16:13:25 ----D---- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2009-05-08 16:10:56 ----D---- C:\Program Files\Yahoo!
2009-05-08 15:32:31 ----D---- C:\Program Files\SmartPopupBlocker
2009-05-08 10:56:09 ----A---- C:\WINDOWS\st_1241830580.exe
2009-05-08 10:56:08 ----A---- C:\WINDOWS\st_1241811257.exe
2009-05-08 09:07:41 ----H---- C:\WINDOWS\pp06.exe
2009-05-08 08:59:21 ----D---- C:\Documents and Settings\All Users\Application Data\CyberLink
2009-05-07 17:56:08 ----A---- C:\ywko.exe
2009-05-07 17:55:36 ----A---- C:\prylxoqb.exe
2009-05-07 17:50:00 ----H---- C:\WINDOWS\ld08.exe
2009-05-07 17:49:51 ----A---- C:\WINDOWS\system32\reader_s.exe
2009-05-07 17:48:13 ----A---- C:\utomb.exe
2009-05-05 22:07:17 ----D---- C:\Documents and Settings\All Users\Application Data\Slapdash Games
2009-05-03 22:36:07 ----SH---- C:\WINDOWS\system32\ilitomuy.ini
2009-05-03 07:06:44 ----SH---- C:\WINDOWS\system32\utagehud.ini
2009-05-02 18:26:23 ----SH---- C:\WINDOWS\system32\unitison.ini
2009-04-23 20:43:54 ----D---- C:\Program Files\10 Days Under The Sea
2009-04-23 20:40:04 ----D---- C:\Program Files\Haunted Hotel
2009-04-21 19:51:11 ----D---- C:\Program Files\Fishing Craze
2009-04-19 18:01:17 ----A---- C:\WINDOWS\TaxACT05.ini
2009-04-19 18:01:12 ----D---- C:\Program Files\2nd Story Software
2009-04-13 20:30:31 ----A---- C:\WINDOWS\system32\javaws.exe
2009-04-13 20:30:31 ----A---- C:\WINDOWS\system32\javaw.exe
2009-04-13 20:30:31 ----A---- C:\WINDOWS\system32\java.exe
2009-04-13 19:48:08 ----D---- C:\WINDOWS\system32\Adobe
2009-04-13 17:43:46 ----D---- C:\Documents and Settings\JOHN\Application Data\JewelMatch2
2009-04-13 17:42:56 ----D---- C:\Program Files\Jewel Match 2
2009-04-13 17:38:51 ----D---- C:\Program Files\Lost Secrets - Bermuda Triangle

======List of files/folders modified in the last 1 months======

2009-05-10 15:33:40 ----D---- C:\WINDOWS\Temp
2009-05-10 15:00:28 ----D---- C:\WINDOWS
2009-05-10 14:54:19 ----ASH---- C:\hpqp.ini
2009-05-10 14:54:18 ----A---- C:\XP_TV.ini
2009-05-10 14:53:17 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-05-10 14:05:12 ----D---- C:\Program Files
2009-05-10 13:31:53 ----D---- C:\WINDOWS\system32\CatRoot2
2009-05-10 13:24:11 ----HD---- C:\WINDOWS\inf
2009-05-10 11:01:05 ----D---- C:\WINDOWS\system32\drivers
2009-05-10 10:52:37 ----D---- C:\WINDOWS\system32
2009-05-10 09:27:27 ----SHD---- C:\WINDOWS\Installer
2009-05-10 09:27:27 ----HD---- C:\Config.Msi
2009-05-09 21:12:57 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-05-09 17:47:59 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-05-09 17:45:52 ----D---- C:\WINDOWS\system32\Restore
2009-05-09 12:18:50 ----SD---- C:\Documents and Settings\JOHN\Application Data\Microsoft
2009-05-09 09:41:52 ----D---- C:\Documents and Settings
2009-05-09 09:25:34 ----D---- C:\WINDOWS\system32\wbem
2009-05-08 17:09:34 ----SD---- C:\WINDOWS\Tasks
2009-05-08 09:57:14 ----D---- C:\WINDOWS\WinSxS
2009-05-08 09:08:45 ----D---- C:\WINDOWS\system32\CatRoot
2009-05-08 09:03:13 ----D---- C:\SYSTEM.SAV
2009-05-08 09:01:43 ----D---- C:\Program Files\Quicken
2009-05-08 09:01:32 ----A---- C:\WINDOWS\QUICKEN.INI
2009-05-08 08:59:20 ----RSD---- C:\WINDOWS\Fonts
2009-05-08 08:58:17 ----HD---- C:\Program Files\InstallShield Installation Information
2009-05-08 08:57:12 ----D---- C:\WINDOWS\Help
2009-05-08 08:55:30 ----D---- C:\WINDOWS\Registration
2009-05-08 08:55:09 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-05-08 08:39:57 ----D---- C:\hp
2009-05-08 08:39:56 ----AD---- C:\WINDOWS\system32\pcintro
2009-05-08 08:34:38 ----D---- C:\Program Files\HPQ
2009-05-08 08:33:46 ----D---- C:\Program Files\music_now
2009-05-08 08:33:02 ----D---- C:\Program Files\HP Rhapsody
2009-05-08 07:23:08 ----D---- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2009-05-07 17:56:03 ----D---- C:\WINDOWS\Prefetch
2009-05-07 17:55:15 ----SHD---- C:\RECYCLER
2009-05-07 17:48:46 ----A---- C:\WINDOWS\system32\user32.DLL
2009-05-07 17:47:59 ----A---- C:\WINDOWS\setuplog.txt
2009-05-04 19:35:12 ----ASH---- C:\WINDOWS\system32\lawalipe.dll
2009-05-03 07:06:43 ----ASH---- C:\WINDOWS\system32\narayufo.dll
2009-05-02 18:26:12 ----ASH---- C:\WINDOWS\system32\vazozaso.exe
2009-04-13 20:30:28 ----D---- C:\Program Files\Java
2009-04-13 20:10:51 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-04-13 20:05:30 ----D---- C:\swsetup
2009-04-13 20:02:48 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-04-13 19:49:14 ----D---- C:\Documents and Settings\JOHN\Application Data\Adobe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2005-03-09 36352]
R1 eabfiltr;EABFiltr; \??\C:\WINDOWS\system32\drivers\EABFiltr.sys []
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2004-08-03 8832]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-16 13059]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2005-12-01 1412608]
R3 BCM43XX;Broadcom 802.11 Network Adapter Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2005-11-28 424320]
R3 CAMCAUD;Conexant AMC Audio; C:\WINDOWS\system32\drivers\camc6aud.sys [2005-08-02 38016]
R3 CAMCHALA;CAMCHALA; C:\WINDOWS\system32\drivers\camc6hal.sys [2005-08-02 349312]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-03 14080]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2004-08-04 9600]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2005-08-22 1035008]
R3 HSFHWATI;HSFHWATI; C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-08-22 231424]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
R3 RTL8023xp;Realtek 10/100/1000 NIC Family all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2005-09-30 78720]
R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2004-08-04 67584]
R3 StillCam;Still Serial Digital Camera Driver; C:\WINDOWS\system32\DRIVERS\serscan.sys [2001-08-17 6784]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2005-06-19 190400]
R3 tifm21;tifm21; C:\WINDOWS\system32\drivers\tifm21.sys [2005-09-20 162432]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-04 17024]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2005-08-22 718464]
S1 b8c0eff6;b8c0eff6; C:\WINDOWS\System32\drivers\b8c0eff6.sys []
S2 MCSTRM;MCSTRM; C:\WINDOWS\system32\drivers\MCSTRM.sys []
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-04 60800]
S3 eabusb;eabusb; \??\C:\WINDOWS\system32\drivers\eabusb.sys []
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-04 61824]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 slabbus;CP2101 USB Composite Device driver (WDM); C:\WINDOWS\system32\DRIVERS\slabbus.sys [2004-03-25 52384]
S3 slabser;CP2101 USB to UART Bridge Controller Drivers; C:\WINDOWS\system32\DRIVERS\slabser.sys [2004-03-25 84512]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2005-12-01 393216]
R2 Brother XP spl Service;BrSplService; C:\WINDOWS\system32\brsvc01a.exe [2002-04-11 57344]
R2 hpqwmiex;hpqwmiex; C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe [2005-12-22 98304]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-09 152984]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2005-11-15 73728]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]

-----------------EOF-----------------

Re: viruses and dns changers i can't remove

Postby golferdude » Sun May 10, 2009 11:11 pm

I finally could download malware update and it found 43 items. I deleted all of them. None of them were DNS changers. What can I run to protect me from media player items I might download? Here is RSIT now.

Logfile of random's system information tool 1.06 (written by random/random)
Run by JOHN at 2009-05-10 18:07:35
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 63 GB (83%) free of 75 GB
Total RAM: 1022 MB (52% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:07:36 PM, on 5/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe Media Player\Adobe Media Player.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\JOHN\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\JOHN.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/ ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.anywebcam.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - S-1-5-18 Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe (User 'Default user')
O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 5584 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478d38-c3f9-4efb-9b51-7695eca05670}]
&Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2008-05-15 817936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2008-05-15 817936]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-04 208952]
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2005-06-19 729178]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-12-01 344064]
"Cpqset"=C:\Program Files\HPQ\Default Settings\cpqset.exe [2005-08-01 233534]
"HP Software Update"=C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [2005-02-17 49152]
"eabconfg.cpl"=C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe [2005-12-22 405504]
""= []
"hpWirelessAssistant"=C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe [2005-12-13 507904]
"ControlCenter2.0"=C:\Program Files\Brother\ControlCenter2\brctrcen.exe [2005-07-22 933888]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]
"QPService"=C:\Program Files\HP\QuickPlay\QPService.exe [2005-12-12 94208]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-10-13 1694208]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

C:\Documents and Settings\JOHN\Start Menu\Programs\Startup
Adobe Media Player.lnk - C:\Program Files\Adobe Media Player\Adobe Media Player.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2005-12-01 47104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2004-08-04 239616]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
C:\WINDOWS\system32\towamusi.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableProfileQuota"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2009-05-10 15:34:53 ----D---- C:\rsit
2009-05-10 14:05:12 ----D---- C:\Program Files\anywebcam
2009-05-10 13:43:11 ----D---- C:\Documents and Settings\JOHN\Application Data\Mozilla
2009-05-10 13:42:55 ----D---- C:\Program Files\Mozilla Firefox
2009-05-10 10:52:37 ----D---- C:\WINDOWS\system32\199638
2009-05-10 09:11:35 ----A---- C:\log2.txt
2009-05-10 09:11:35 ----A---- C:\log1.txt
2009-05-10 09:05:23 ----D---- C:\Documents and Settings\JOHN\Application Data\True Sword
2009-05-10 09:00:18 ----D---- C:\Program Files\True Sword 5
2009-05-09 17:41:36 ----D---- C:\Documents and Settings\All Users\Application Data\Gtek
2009-05-09 17:41:34 ----D---- C:\Documents and Settings\JOHN\Application Data\GTek
2009-05-09 10:14:11 ----D---- C:\Program Files\Trend Micro
2009-05-09 09:26:42 ----A---- C:\WINDOWS\system32\bxx.txt
2009-05-09 09:26:41 ----A---- C:\WINDOWS\system32\sdd.txt
2009-05-09 09:26:41 ----A---- C:\WINDOWS\system32\r24.txt
2009-05-09 09:26:41 ----A---- C:\WINDOWS\system32\p1.txt
2009-05-09 09:26:41 ----A---- C:\WINDOWS\system32\dz1.txt
2009-05-09 09:25:33 ----A---- C:\WINDOWS\system32\lxserv4.dll
2009-05-08 20:18:26 ----D---- C:\Program Files\Pokie Magic Games
2009-05-08 20:15:44 ----D---- C:\Documents and Settings\JOHN\Application Data\GetRightToGo
2009-05-08 17:20:01 ----A---- C:\WINDOWS\ntbtlog.txt
2009-05-08 17:06:29 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-05-08 16:41:02 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-05-08 16:13:25 ----D---- C:\Documents and Settings\JOHN\Application Data\Yahoo!
2009-05-08 16:13:25 ----D---- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2009-05-08 16:10:56 ----D---- C:\Program Files\Yahoo!
2009-05-08 15:32:31 ----D---- C:\Program Files\SmartPopupBlocker
2009-05-08 08:59:21 ----D---- C:\Documents and Settings\All Users\Application Data\CyberLink
2009-05-05 22:07:17 ----D---- C:\Documents and Settings\All Users\Application Data\Slapdash Games
2009-05-03 22:36:07 ----SH---- C:\WINDOWS\system32\ilitomuy.ini
2009-05-03 07:06:44 ----SH---- C:\WINDOWS\system32\utagehud.ini
2009-05-02 18:26:23 ----SH---- C:\WINDOWS\system32\unitison.ini
2009-04-23 20:43:54 ----D---- C:\Program Files\10 Days Under The Sea
2009-04-23 20:40:04 ----D---- C:\Program Files\Haunted Hotel
2009-04-21 19:51:11 ----D---- C:\Program Files\Fishing Craze
2009-04-19 18:01:17 ----A---- C:\WINDOWS\TaxACT05.ini
2009-04-19 18:01:12 ----D---- C:\Program Files\2nd Story Software
2009-04-13 20:30:31 ----A---- C:\WINDOWS\system32\javaws.exe
2009-04-13 20:30:31 ----A---- C:\WINDOWS\system32\javaw.exe
2009-04-13 20:30:31 ----A---- C:\WINDOWS\system32\java.exe
2009-04-13 19:48:08 ----D---- C:\WINDOWS\system32\Adobe
2009-04-13 17:43:46 ----D---- C:\Documents and Settings\JOHN\Application Data\JewelMatch2
2009-04-13 17:42:56 ----D---- C:\Program Files\Jewel Match 2
2009-04-13 17:38:51 ----D---- C:\Program Files\Lost Secrets - Bermuda Triangle

======List of files/folders modified in the last 1 months======

2009-05-10 17:38:37 ----D---- C:\WINDOWS\Temp
2009-05-10 17:38:30 ----D---- C:\WINDOWS
2009-05-10 17:38:30 ----ASH---- C:\hpqp.ini
2009-05-10 17:38:30 ----A---- C:\XP_TV.ini
2009-05-10 17:37:55 ----D---- C:\WINDOWS\system32\drivers
2009-05-10 17:37:13 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-05-10 17:36:22 ----D---- C:\WINDOWS\system32
2009-05-10 17:31:37 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-05-10 14:05:12 ----D---- C:\Program Files
2009-05-10 13:31:53 ----D---- C:\WINDOWS\system32\CatRoot2
2009-05-10 13:24:11 ----HD---- C:\WINDOWS\inf
2009-05-10 09:27:27 ----SHD---- C:\WINDOWS\Installer
2009-05-10 09:27:27 ----HD---- C:\Config.Msi
2009-05-09 21:12:57 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-05-09 17:47:59 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-05-09 17:45:52 ----D---- C:\WINDOWS\system32\Restore
2009-05-09 12:18:50 ----SD---- C:\Documents and Settings\JOHN\Application Data\Microsoft
2009-05-09 09:41:52 ----D---- C:\Documents and Settings
2009-05-09 09:25:34 ----D---- C:\WINDOWS\system32\wbem
2009-05-08 17:09:34 ----SD---- C:\WINDOWS\Tasks
2009-05-08 09:57:14 ----D---- C:\WINDOWS\WinSxS
2009-05-08 09:08:45 ----D---- C:\WINDOWS\system32\CatRoot
2009-05-08 09:03:13 ----D---- C:\SYSTEM.SAV
2009-05-08 09:01:43 ----D---- C:\Program Files\Quicken
2009-05-08 09:01:32 ----A---- C:\WINDOWS\QUICKEN.INI
2009-05-08 08:59:20 ----RSD---- C:\WINDOWS\Fonts
2009-05-08 08:58:17 ----HD---- C:\Program Files\InstallShield Installation Information
2009-05-08 08:57:12 ----D---- C:\WINDOWS\Help
2009-05-08 08:55:30 ----D---- C:\WINDOWS\Registration
2009-05-08 08:55:09 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-05-08 08:39:57 ----D---- C:\hp
2009-05-08 08:39:56 ----AD---- C:\WINDOWS\system32\pcintro
2009-05-08 08:34:38 ----D---- C:\Program Files\HPQ
2009-05-08 08:33:46 ----D---- C:\Program Files\music_now
2009-05-08 08:33:02 ----D---- C:\Program Files\HP Rhapsody
2009-05-08 07:23:08 ----D---- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2009-05-07 17:56:03 ----D---- C:\WINDOWS\Prefetch
2009-05-07 17:55:15 ----SHD---- C:\RECYCLER
2009-05-07 17:48:46 ----A---- C:\WINDOWS\system32\user32.DLL
2009-05-07 17:47:59 ----A---- C:\WINDOWS\setuplog.txt
2009-05-04 19:35:12 ----ASH---- C:\WINDOWS\system32\lawalipe.dll
2009-05-03 07:06:43 ----ASH---- C:\WINDOWS\system32\narayufo.dll
2009-05-02 18:26:12 ----ASH---- C:\WINDOWS\system32\vazozaso.exe
2009-04-13 20:30:28 ----D---- C:\Program Files\Java
2009-04-13 20:10:51 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-04-13 20:05:30 ----D---- C:\swsetup
2009-04-13 20:02:48 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-04-13 19:49:14 ----D---- C:\Documents and Settings\JOHN\Application Data\Adobe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2005-03-09 36352]
R1 eabfiltr;EABFiltr; \??\C:\WINDOWS\system32\drivers\EABFiltr.sys []
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2004-08-03 8832]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-16 13059]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2005-12-01 1412608]
R3 BCM43XX;Broadcom 802.11 Network Adapter Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2005-11-28 424320]
R3 CAMCAUD;Conexant AMC Audio; C:\WINDOWS\system32\drivers\camc6aud.sys [2005-08-02 38016]
R3 CAMCHALA;CAMCHALA; C:\WINDOWS\system32\drivers\camc6hal.sys [2005-08-02 349312]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-03 14080]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2004-08-04 9600]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2005-08-22 1035008]
R3 HSFHWATI;HSFHWATI; C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-08-22 231424]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
R3 RTL8023xp;Realtek 10/100/1000 NIC Family all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2005-09-30 78720]
R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2004-08-04 67584]
R3 StillCam;Still Serial Digital Camera Driver; C:\WINDOWS\system32\DRIVERS\serscan.sys [2001-08-17 6784]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2005-06-19 190400]
R3 tifm21;tifm21; C:\WINDOWS\system32\drivers\tifm21.sys [2005-09-20 162432]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-04 17024]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2005-08-22 718464]
S1 b8c0eff6;b8c0eff6; C:\WINDOWS\System32\drivers\b8c0eff6.sys []
S2 MCSTRM;MCSTRM; C:\WINDOWS\system32\drivers\MCSTRM.sys []
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-04 60800]
S3 eabusb;eabusb; \??\C:\WINDOWS\system32\drivers\eabusb.sys []
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-04 61824]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 slabbus;CP2101 USB Composite Device driver (WDM); C:\WINDOWS\system32\DRIVERS\slabbus.sys [2004-03-25 52384]
S3 slabser;CP2101 USB to UART Bridge Controller Drivers; C:\WINDOWS\system32\DRIVERS\slabser.sys [2004-03-25 84512]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2005-12-01 393216]
R2 Brother XP spl Service;BrSplService; C:\WINDOWS\system32\brsvc01a.exe [2002-04-11 57344]
R2 hpqwmiex;hpqwmiex; C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe [2005-12-22 98304]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-09 152984]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2005-11-15 73728]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]

-----------------EOF-----------------

Re: viruses and dns changers i can't remove

Postby patrik » Mon May 11, 2009 2:13 pm

Run HijackThis. Click the "Do a system scan only" button.
Now select the following entries by placing a tick in the left-hand check box, if still present:
Code:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171

Once you have selected all entries, close all running programs then click once on the "fix checked" button.
Reboot your computer.

Please download OTmoveIt3 by OldTimer from here.
Run OTmoveIt3, copy, then paste the following text in the "Paste Instructions for Items to be Moved" window (under the yellow bar):
Code:
:Processes
explorer.exe

:reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00

:Commands
[emptytemp]
[start explorer]
[Reboot]

Click the red Moveit! button. When the tool is finished, it will produce a report for you. If you are asked to reboot the machine, choose Yes. After Windows restarts, it opens the log generated by OTmoveIt3 so you can see the results. If it does not open automatically, click Start -> Run, type notepad and press Enter. Click File -> Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present.


Please scan your computer with Kaspersky Online Scanner. Save a scan report to your desktop.

Make a fresh RSIT log.

Post back with the OTMoveIt log + Kaspersky online scanner report + RSIT log (only log.txt).
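Two things in the instructions above are worth being able to check by hand rather than on trust: the hex(7) value in the OTMoveIt :reg block, and why that key needs resetting at all. hex(7) is the .reg encoding of a REG_MULTI_SZ (UTF-16LE, NUL-separated strings, double NUL at the end), and the bytes given decode to the single string scecli, the Windows XP default LSA notification package. The earlier RSIT dump listed a second package, C:\WINDOWS\system32\towamusi.dll, which LSASS would load at boot and on every password change; the proxy entry http=localhost:7171 and the S+H-attributed random-name files in system32 are the other indicators the helper is working from. The script below is an added example, not a tool from this thread or from the OTMoveIt/RSIT authors: it decodes and re-encodes the hex(7) form and runs those three checks over sample lines copied from the logs posted above. The function names, the SAMPLE_LOG constant and the attribute-parsing regex are this example's own assumptions about RSIT's text layout. Note that resetting the registry value only removes the load point; the DLL on disk still has to be moved or deleted, which is what the :Commands and scanner steps are for.

```python
"""Added example (not part of the forum thread): decode/encode the hex(7)
REG_MULTI_SZ form used in the OTMoveIt :reg block, and flag three indicators
in RSIT/HijackThis-style log lines. SAMPLE_LOG is constructed from lines
copied out of the thread's own logs."""
import re
from typing import Dict, List


def decode_hex7(value: str) -> List[str]:
    """Decode a .reg 'hex(7):73,00,...' byte list (REG_MULTI_SZ) into its strings.
    Storage is UTF-16LE, each string NUL-terminated, then one extra NUL."""
    body = value.split(":", 1)[1]
    raw = bytes(int(b, 16) for b in body.split(",") if b.strip())
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def encode_hex7(strings: List[str]) -> str:
    """Inverse of decode_hex7: build the hex(7): form for a .reg / :reg block."""
    raw = "".join(s + "\x00" for s in strings).encode("utf-16-le") + b"\x00\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


LSA_KEY = r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]"
DEFAULT_LSA_NOTIFY = {"scecli"}  # the only package a stock XP install has


def lsa_notify_extras(lines: List[str]) -> List[str]:
    """Notification packages beyond the default. RSIT prints the value line
    and then one extra package per line until the section's blank line."""
    found: List[str] = []
    in_section = False
    for line in lines:
        s = line.strip()
        if s == LSA_KEY:
            in_section = True
            continue
        if not in_section:
            continue
        if not s:
            break
        if s.lower().startswith('"notification packages"='):
            found.append(s.split("=", 1)[1])
        else:
            found.append(s)
    return [p for p in found if p.lower() not in DEFAULT_LSA_NOTIFY]


PROXY_RE = re.compile(r"ProxyServer\s*=\s*(\S+)", re.IGNORECASE)
LOCAL_HOSTS = ("localhost", "127.0.0.1")


def local_proxies(lines: List[str]) -> List[str]:
    """HijackThis R1 ProxyServer values that point back at the machine itself:
    a loopback proxy lets a local process sit in the browser's traffic path."""
    hits: List[str] = []
    for line in lines:
        m = PROXY_RE.search(line)
        if m:
            value = m.group(1)
            host = value.split("=")[-1].split(":")[0]
            if host.lower() in LOCAL_HOSTS:
                hits.append(value)
    return hits


# "2009-05-03 22:36:07 ----SH---- C:\path" -> attribute letters and path
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} -+([A-Z]+)-+ (.+)$")
SYS32 = "c:\\windows\\system32\\"


def hidden_system32_files(lines: List[str]) -> List[str]:
    """Files (not directories) directly under system32 carrying both the
    S(ystem) and H(idden) attributes, the pattern the RSIT lists above show."""
    hits: List[str] = []
    for line in lines:
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        attrs, path = m.groups()
        if "D" in attrs or not path.lower().startswith(SYS32):
            continue
        if "\\" in path[len(SYS32):]:  # nested path, not a bare system32 file
            continue
        if "S" in attrs and "H" in attrs:
            hits.append(path)
    return hits


def audit(lines: List[str]) -> Dict[str, List[str]]:
    return {
        "lsa_extras": lsa_notify_extras(lines),
        "local_proxies": local_proxies(lines),
        "hidden_system32": hidden_system32_files(lines),
    }


# Constructed sample: lines copied from the RSIT/HijackThis logs in this thread.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
C:\WINDOWS\system32\towamusi.dll

2009-05-03 22:36:07 ----SH---- C:\WINDOWS\system32\ilitomuy.ini
2009-05-10 17:38:30 ----ASH---- C:\hpqp.ini
2009-05-04 19:35:12 ----ASH---- C:\WINDOWS\system32\lawalipe.dll
2009-05-02 18:26:12 ----ASH---- C:\WINDOWS\system32\vazozaso.exe
2009-05-09 17:47:59 ----RSHDC---- C:\WINDOWS\system32\dllcache
""".splitlines()

if __name__ == "__main__":
    print(decode_hex7("hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00"))
    print(encode_hex7(["scecli"]))
    for name, hits in audit(SAMPLE_LOG).items():
        print(name, hits)
```

Running it shows the hex(7) bytes round-trip to ['scecli'], and the audit reports towamusi.dll as the extra LSA package, the localhost:7171 proxy, and the three S+H files in system32 while ignoring C:\hpqp.ini (outside system32) and the dllcache directory.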

Re: viruses and dns changers i can't remove

Postby golferdude » Tue May 12, 2009 1:32 am

Here is Kaspersky; it looks like it found 2. And RSIT.

KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, May 11, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, May 12, 2009 01:44:18
Records in database: 2164954
Scan settings
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area: My Computer
C:\
D:\
Scan statistics
Files scanned: 75367
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 01:03:42

File name / Threat name / Threats count
C:\WINDOWS\system32\lxserv4.dll / Infected: Trojan-Downloader.Win32.BHO.lzs / 1
C:\WINDOWS\system32\wbem\grpconv.exe / Infected: Trojan.Win32.Inject.yrx / 1
The selected area was scanned.


Logfile of random's system information tool 1.06 (written by random/random)
Run by JOHN at 2009-05-11 20:27:47
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 62 GB (83%) free of 75 GB
Total RAM: 1022 MB (45% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:27:53 PM, on 5/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\Program Files\Adobe Media Player\Adobe Media Player.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\JOHN\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\JOHN.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/ ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.anywebcam.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - S-1-5-18 Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe (User 'Default user')
O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 6113 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478d38-c3f9-4efb-9b51-7695eca05670}]
&Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2008-05-15 817936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2008-05-15 817936]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-04 208952]
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2005-06-19 729178]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-12-01 344064]
"Cpqset"=C:\Program Files\HPQ\Default Settings\cpqset.exe [2005-08-01 233534]
"HP Software Update"=C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [2005-02-17 49152]
"eabconfg.cpl"=C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe [2005-12-22 405504]
""= []
"hpWirelessAssistant"=C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe [2005-12-13 507904]
"ControlCenter2.0"=C:\Program Files\Brother\ControlCenter2\brctrcen.exe [2005-07-22 933888]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]
"QPService"=C:\Program Files\HP\QuickPlay\QPService.exe [2005-12-12 94208]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-10-13 1694208]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

C:\Documents and Settings\JOHN\Start Menu\Programs\Startup
Adobe Media Player.lnk - C:\Program Files\Adobe Media Player\Adobe Media Player.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2005-12-01 47104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2004-08-04 239616]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableProfileQuota"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2009-05-11 18:50:41 ----D---- C:\_OTMoveIt
2009-05-11 18:46:57 ----D---- C:\Avenger
2009-05-11 18:46:57 ----A---- C:\avenger.txt
2009-05-10 20:31:58 ----D---- C:\Program Files\Microsoft Silverlight
2009-05-10 20:00:08 ----D---- C:\WINDOWS\system32\CatRoot_bak
2009-05-10 18:28:04 ----D---- C:\Program Files\Avira
2009-05-10 18:28:04 ----D---- C:\Documents and Settings\All Users\Application Data\Avira
2009-05-10 15:34:53 ----D---- C:\rsit
2009-05-10 14:05:12 ----D---- C:\Program Files\anywebcam
2009-05-10 13:43:11 ----D---- C:\Documents and Settings\JOHN\Application Data\Mozilla
2009-05-10 13:42:55 ----D---- C:\Program Files\Mozilla Firefox
2009-05-10 10:52:37 ----D---- C:\WINDOWS\system32\199638
2009-05-10 09:11:35 ----A---- C:\log2.txt
2009-05-10 09:11:35 ----A---- C:\log1.txt
2009-05-10 09:05:23 ----D---- C:\Documents and Settings\JOHN\Application Data\True Sword
2009-05-10 09:00:18 ----D---- C:\Program Files\True Sword 5
2009-05-09 17:41:36 ----D---- C:\Documents and Settings\All Users\Application Data\Gtek
2009-05-09 17:41:34 ----D---- C:\Documents and Settings\JOHN\Application Data\GTek
2009-05-09 10:14:11 ----D---- C:\Program Files\Trend Micro
2009-05-09 09:26:42 ----A---- C:\WINDOWS\system32\bxx.txt
2009-05-09 09:26:41 ----A---- C:\WINDOWS\system32\sdd.txt
2009-05-09 09:26:41 ----A---- C:\WINDOWS\system32\r24.txt
2009-05-09 09:26:41 ----A---- C:\WINDOWS\system32\p1.txt
2009-05-09 09:26:41 ----A---- C:\WINDOWS\system32\dz1.txt
2009-05-09 09:25:33 ----A---- C:\WINDOWS\system32\lxserv4.dll
2009-05-08 20:18:26 ----D---- C:\Program Files\Pokie Magic Games
2009-05-08 20:15:44 ----D---- C:\Documents and Settings\JOHN\Application Data\GetRightToGo
2009-05-08 17:20:01 ----A---- C:\WINDOWS\ntbtlog.txt
2009-05-08 17:06:29 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-05-08 16:41:02 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-05-08 16:13:25 ----D---- C:\Documents and Settings\JOHN\Application Data\Yahoo!
2009-05-08 16:13:25 ----D---- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2009-05-08 16:10:56 ----D---- C:\Program Files\Yahoo!
2009-05-08 15:32:31 ----D---- C:\Program Files\SmartPopupBlocker
2009-05-08 08:59:21 ----D---- C:\Documents and Settings\All Users\Application Data\CyberLink
2009-05-05 22:07:17 ----D---- C:\Documents and Settings\All Users\Application Data\Slapdash Games
2009-05-03 22:36:07 ----SH---- C:\WINDOWS\system32\ilitomuy.ini
2009-05-03 07:06:44 ----SH---- C:\WINDOWS\system32\utagehud.ini
2009-05-02 18:26:23 ----SH---- C:\WINDOWS\system32\unitison.ini
2009-04-23 20:43:54 ----D---- C:\Program Files\10 Days Under The Sea
2009-04-23 20:40:04 ----D---- C:\Program Files\Haunted Hotel
2009-04-21 19:51:11 ----D---- C:\Program Files\Fishing Craze
2009-04-19 18:01:17 ----A---- C:\WINDOWS\TaxACT05.ini
2009-04-19 18:01:12 ----D---- C:\Program Files\2nd Story Software
2009-04-13 20:30:31 ----A---- C:\WINDOWS\system32\javaws.exe
2009-04-13 20:30:31 ----A---- C:\WINDOWS\system32\javaw.exe
2009-04-13 20:30:31 ----A---- C:\WINDOWS\system32\java.exe
2009-04-13 19:48:08 ----D---- C:\WINDOWS\system32\Adobe
2009-04-13 17:43:46 ----D---- C:\Documents and Settings\JOHN\Application Data\JewelMatch2
2009-04-13 17:42:56 ----D---- C:\Program Files\Jewel Match 2
2009-04-13 17:38:51 ----D---- C:\Program Files\Lost Secrets - Bermuda Triangle

======List of files/folders modified in the last 1 months======

2009-05-11 20:04:36 ----D---- C:\WINDOWS\Temp
2009-05-11 18:53:16 ----D---- C:\WINDOWS
2009-05-11 18:53:16 ----ASH---- C:\hpqp.ini
2009-05-11 18:53:13 ----A---- C:\XP_TV.ini
2009-05-11 18:52:39 ----D---- C:\WINDOWS\system32\CatRoot2
2009-05-11 18:51:27 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-05-11 18:46:57 ----D---- C:\WINDOWS\system32\drivers
2009-05-10 20:34:37 ----SHD---- C:\WINDOWS\Installer
2009-05-10 20:34:37 ----HD---- C:\Config.Msi
2009-05-10 20:31:58 ----D---- C:\Program Files
2009-05-10 20:12:00 ----D---- C:\WINDOWS\system32\CatRoot
2009-05-10 20:11:57 ----HD---- C:\WINDOWS\inf
2009-05-10 20:00:08 ----D---- C:\WINDOWS\system32
2009-05-10 20:00:08 ----D---- C:\WINDOWS\Debug
2009-05-10 19:11:12 ----D---- C:\WINDOWS\system32\wbem
2009-05-10 18:24:41 ----D---- C:\WINDOWS\WinSxS
2009-05-10 17:31:37 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-05-09 21:12:57 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-05-09 17:47:59 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-05-09 17:45:52 ----D---- C:\WINDOWS\system32\Restore
2009-05-09 12:18:50 ----SD---- C:\Documents and Settings\JOHN\Application Data\Microsoft
2009-05-09 09:41:52 ----D---- C:\Documents and Settings
2009-05-08 17:09:34 ----SD---- C:\WINDOWS\Tasks
2009-05-08 09:03:13 ----D---- C:\SYSTEM.SAV
2009-05-08 09:01:43 ----D---- C:\Program Files\Quicken
2009-05-08 09:01:32 ----A---- C:\WINDOWS\QUICKEN.INI
2009-05-08 08:59:20 ----RSD---- C:\WINDOWS\Fonts
2009-05-08 08:58:17 ----HD---- C:\Program Files\InstallShield Installation Information
2009-05-08 08:57:12 ----D---- C:\WINDOWS\Help
2009-05-08 08:55:30 ----D---- C:\WINDOWS\Registration
2009-05-08 08:55:09 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-05-08 08:39:57 ----D---- C:\hp
2009-05-08 08:39:56 ----AD---- C:\WINDOWS\system32\pcintro
2009-05-08 08:34:38 ----D---- C:\Program Files\HPQ
2009-05-08 08:33:46 ----D---- C:\Program Files\music_now
2009-05-08 08:33:02 ----D---- C:\Program Files\HP Rhapsody
2009-05-08 07:23:08 ----D---- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2009-05-07 17:56:03 ----D---- C:\WINDOWS\Prefetch
2009-05-07 17:55:15 ----SHD---- C:\RECYCLER
2009-05-07 17:48:46 ----A---- C:\WINDOWS\system32\user32.DLL
2009-05-07 17:47:59 ----A---- C:\WINDOWS\setuplog.txt
2009-04-13 20:30:28 ----D---- C:\Program Files\Java
2009-04-13 20:10:51 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-04-13 20:05:30 ----D---- C:\swsetup
2009-04-13 20:02:48 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-04-13 19:49:14 ----D---- C:\Documents and Settings\JOHN\Application Data\Adobe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2005-03-09 36352]
R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 eabfiltr;EABFiltr; \??\C:\WINDOWS\system32\drivers\EABFiltr.sys []
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-02-13 28376]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2004-08-03 8832]
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2009-03-24 55640]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-16 13059]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2005-12-01 1412608]
R3 BCM43XX;Broadcom 802.11 Network Adapter Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2005-11-28 424320]
R3 CAMCAUD;Conexant AMC Audio; C:\WINDOWS\system32\drivers\camc6aud.sys [2005-08-02 38016]
R3 CAMCHALA;CAMCHALA; C:\WINDOWS\system32\drivers\camc6hal.sys [2005-08-02 349312]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-03 14080]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2004-08-04 9600]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2005-08-22 1035008]
R3 HSFHWATI;HSFHWATI; C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-08-22 231424]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
R3 RTL8023xp;Realtek 10/100/1000 NIC Family all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2005-09-30 78720]
R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2004-08-04 67584]
R3 StillCam;Still Serial Digital Camera Driver; C:\WINDOWS\system32\DRIVERS\serscan.sys [2001-08-17 6784]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2005-06-19 190400]
R3 tifm21;tifm21; C:\WINDOWS\system32\drivers\tifm21.sys [2005-09-20 162432]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-04 17024]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2005-08-22 718464]
S1 b8c0eff6;b8c0eff6; C:\WINDOWS\System32\drivers\b8c0eff6.sys []
S2 MCSTRM;MCSTRM; C:\WINDOWS\system32\drivers\MCSTRM.sys []
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-04 60800]
S3 eabusb;eabusb; \??\C:\WINDOWS\system32\drivers\eabusb.sys []
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-04 61824]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 slabbus;CP2101 USB Composite Device driver (WDM); C:\WINDOWS\system32\DRIVERS\slabbus.sys [2004-03-25 52384]
S3 slabser;CP2101 USB to UART Bridge Controller Drivers; C:\WINDOWS\system32\DRIVERS\slabser.sys [2004-03-25 84512]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-04-01 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-03-02 185089]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2005-12-01 393216]
R2 Brother XP spl Service;BrSplService; C:\WINDOWS\system32\brsvc01a.exe [2002-04-11 57344]
R2 hpqwmiex;hpqwmiex; C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe [2005-12-22 98304]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-09 152984]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2005-11-15 73728]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]

-----------------EOF-----------------
golferdude
 
Posts: 15
Joined: Sat May 09, 2009 3:20 pm

Re: viruses and dns changers i can't remove

Postby golferdude » Tue May 12, 2009 1:45 am

Sorry, forgot the OldTimer.

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\"Notification Packages"|hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00 /E : value set successfully!
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\JOHN\LOCALS~1\Temp\hsperfdata_JOHN\3904 scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\JOHN\LOCALS~1\Temp\etilqs_44sjlYDvEUNy21jKRCmE scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\JOHN\LOCALS~1\Temp\~DF9B13.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\JOHN\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_e8.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\~DFCB8F.tmp scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\JOHN\Local Settings\Application Data\Mozilla\Firefox\Profiles\jk4nd7ey.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\JOHN\Local Settings\Application Data\Mozilla\Firefox\Profiles\jk4nd7ey.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\JOHN\Local Settings\Application Data\Mozilla\Firefox\Profiles\jk4nd7ey.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\JOHN\Local Settings\Application Data\Mozilla\Firefox\Profiles\jk4nd7ey.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\JOHN\Local Settings\Application Data\Mozilla\Firefox\Profiles\jk4nd7ey.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05112009_203814

Files moved on Reboot...
File C:\DOCUME~1\JOHN\LOCALS~1\Temp\hsperfdata_JOHN\3904 not found!
File C:\DOCUME~1\JOHN\LOCALS~1\Temp\etilqs_44sjlYDvEUNy21jKRCmE not found!
File C:\DOCUME~1\JOHN\LOCALS~1\Temp\~DF9B13.tmp not found!
File C:\WINDOWS\temp\Perflib_Perfdata_e8.dat not found!
C:\WINDOWS\temp\~DFCB8F.tmp moved successfully.
C:\Documents and Settings\JOHN\Local Settings\Application Data\Mozilla\Firefox\Profiles\jk4nd7ey.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\JOHN\Local Settings\Application Data\Mozilla\Firefox\Profiles\jk4nd7ey.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\JOHN\Local Settings\Application Data\Mozilla\Firefox\Profiles\jk4nd7ey.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\JOHN\Local Settings\Application Data\Mozilla\Firefox\Profiles\jk4nd7ey.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\JOHN\Local Settings\Application Data\Mozilla\Firefox\Profiles\jk4nd7ey.default\urlclassifier3.sqlite moved successfully.
golferdude
 
Posts: 15
Joined: Sat May 09, 2009 3:20 pm

Re: viruses and dns changers i can't remove

Postby patrik » Tue May 12, 2009 2:08 pm

Run OTMoveIt3, copy, then paste the following text into the "Paste Instructions for Items to be Moved" window (under the yellow bar):
Code:
:Processes
explorer.exe

:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"%Windir%\explorer.exe"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"RunGrpConv"=-

:files
C:\WINDOWS\system32\lxserv4.dll
C:\WINDOWS\system32\wbem\grpconv.exe
C:\WINDOWS\system32\bxx.txt
C:\WINDOWS\system32\sdd.txt
C:\WINDOWS\system32\r24.txt
C:\WINDOWS\system32\p1.txt
C:\WINDOWS\system32\dz1.txt

:Commands
[emptytemp]
[start explorer]
[Reboot]

Click the red Moveit! button. When the tool is finished, it will produce a report for you. If you are asked to reboot the machine, choose Yes. Afterwards, Windows restarts and opens the log generated by OTMoveIt3 so you can see the results. If it does not automatically open, click Start -> Run, type notepad and press Enter. Click File -> Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present.

Make a fresh RSIT log and Kaspersky online scan report.

Post back with OTMoveIt log + RSIT log + Kaspersky online scan report.
patrik
Site Admin
 
Posts: 8425
Joined: Sun Jan 08, 2006 1:11 pm
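As an added example (this editor's own code, not part of the thread, of RSIT or of OTMoveIt), a small Python parser for the RSIT "files/folders created" section that flags the kinds of system32 entries the helper singled out, plus a check that compares the paths in an OTMoveIt :files list against a later RSIT log to confirm whether the cleanup actually removed them. The sample lines are copied from the logs posted in this thread; the flagging heuristics are assumptions, not RSIT rules.

```python
"""Triage helper for the RSIT log format used in this thread.

Added example by the editor; it is not part of the thread, of RSIT or of
OTMoveIt.  It parses the "files/folders created" lines, flags the kinds of
system32 entries the helper singled out, and checks a later log to see
whether the items named in an OTMoveIt :files section are really gone.
The heuristics are this editor's assumptions, not RSIT rules.
"""
import re
from dataclasses import dataclass

# Layout of one RSIT line: "2009-05-09 09:26:42 ----A---- C:\WINDOWS\system32\bxx.txt"
RSIT_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"-{4}(?P<attrs>[A-Z]*)-{4} (?P<path>.+)$"
)
SYSTEM32 = r"c:\windows\system32"


@dataclass(frozen=True)
class Entry:
    ts: str
    attrs: str   # RSIT attribute letters, e.g. "D", "A", "SH", "RSHDC"
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_created(lines):
    """Return an Entry for every line that matches the RSIT layout; skip the rest."""
    entries = []
    for line in lines:
        m = RSIT_LINE.match(line.strip())
        if m:
            entries.append(Entry(m["ts"], m["attrs"], m["path"]))
    return entries


def _directly_in_system32(path):
    """True when the item sits in system32 itself, not in a subfolder of it."""
    return path.lower().rpartition("\\")[0] == SYSTEM32


def flag_suspicious(entries):
    """(entry, reason) pairs for items in system32 that deserve a second look."""
    flagged = []
    for e in entries:
        if not _directly_in_system32(e.path):
            continue
        name = e.name.lower()
        if e.is_dir and name.isdigit():
            flagged.append((e, "all-digit folder created in system32"))
        elif not e.is_dir and name.endswith(".txt"):
            flagged.append((e, "plain-text file dropped in system32"))
        elif not e.is_dir and name.endswith(".ini") and {"S", "H"} <= set(e.attrs):
            flagged.append((e, "hidden+system .ini dropped in system32"))
    return flagged


def still_listed(targets, later_entries):
    """Paths from an OTMoveIt :files list that a later RSIT log still shows."""
    seen = {e.path.lower() for e in later_entries}
    return [t for t in targets if t.lower() in seen]


# Constructed subset of the "created" section from the first RSIT log above.
LOG_BEFORE_CLEANUP = r"""
======List of files/folders created in the last 1 months======

2009-05-11 18:50:41 ----D---- C:\_OTMoveIt
2009-05-10 10:52:37 ----D---- C:\WINDOWS\system32\199638
2009-05-09 09:26:42 ----A---- C:\WINDOWS\system32\bxx.txt
2009-05-09 09:26:41 ----A---- C:\WINDOWS\system32\sdd.txt
2009-05-09 09:26:41 ----A---- C:\WINDOWS\system32\r24.txt
2009-05-09 09:26:41 ----A---- C:\WINDOWS\system32\p1.txt
2009-05-09 09:26:41 ----A---- C:\WINDOWS\system32\dz1.txt
2009-05-09 09:25:33 ----A---- C:\WINDOWS\system32\lxserv4.dll
2009-05-08 17:06:29 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-05-03 22:36:07 ----SH---- C:\WINDOWS\system32\ilitomuy.ini
2009-05-03 07:06:44 ----SH---- C:\WINDOWS\system32\utagehud.ini
2009-05-02 18:26:23 ----SH---- C:\WINDOWS\system32\unitison.ini
2009-04-13 20:30:31 ----A---- C:\WINDOWS\system32\javaws.exe
2009-04-13 19:48:08 ----D---- C:\WINDOWS\system32\Adobe
""".splitlines()

# Constructed subset of the "created" section from the fresh RSIT log posted later.
LOG_AFTER_CLEANUP = r"""
2009-05-10 10:52:37 ----D---- C:\WINDOWS\system32\199638
2009-05-09 09:26:42 ----A---- C:\WINDOWS\system32\bxx.txt
2009-05-09 09:26:41 ----A---- C:\WINDOWS\system32\sdd.txt
2009-05-09 09:26:41 ----A---- C:\WINDOWS\system32\r24.txt
2009-05-09 09:26:41 ----A---- C:\WINDOWS\system32\p1.txt
2009-05-09 09:26:41 ----A---- C:\WINDOWS\system32\dz1.txt
2009-05-09 09:25:33 ----A---- C:\WINDOWS\system32\lxserv4.dll
""".splitlines()

# The :files section of the OTMoveIt script given in the post above.
OTMOVEIT_TARGETS = [
    r"C:\WINDOWS\system32\lxserv4.dll",
    r"C:\WINDOWS\system32\wbem\grpconv.exe",
    r"C:\WINDOWS\system32\bxx.txt",
    r"C:\WINDOWS\system32\sdd.txt",
    r"C:\WINDOWS\system32\r24.txt",
    r"C:\WINDOWS\system32\p1.txt",
    r"C:\WINDOWS\system32\dz1.txt",
]

if __name__ == "__main__":
    for e, why in flag_suspicious(parse_created(LOG_BEFORE_CLEANUP)):
        print(f"{e.ts}  {e.attrs:5}  {e.path}  <- {why}")
    print("still present after cleanup:",
          still_listed(OTMOVEIT_TARGETS, parse_created(LOG_AFTER_CLEANUP)))
```

Note that grpconv.exe never appears in the "created" section because it lives in the wbem subfolder, so its removal has to be confirmed another way (a fresh log or an explicit file check), and lxserv4.dll is caught only by the cross-check, not by the heuristics.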

Re: viruses and dns changers i can't remove

Postby golferdude » Tue May 12, 2009 10:39 pm

OldTimer gets locked up after the explorer.exe process kill.
golferdude
 
Posts: 15
Joined: Sat May 09, 2009 3:20 pm

Re: viruses and dns changers i can't remove

Postby patrik » Wed May 13, 2009 3:05 pm

OK.
Anyway, post here a fresh RSIT log.
patrik
Site Admin
 
Posts: 8425
Joined: Sun Jan 08, 2006 1:11 pm

Re: viruses and dns changers i can't remove

Postby golferdude » Wed May 13, 2009 10:47 pm

Here it is, thanks.

Logfile of random's system information tool 1.06 (written by random/random)
Run by JOHN at 2009-05-13 17:46:47
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 62 GB (83%) free of 75 GB
Total RAM: 1022 MB (39% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:46:58 PM, on 5/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe Media Player\Adobe Media Player.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\JOHN\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\JOHN.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/ ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.anywebcam.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - S-1-5-18 Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe (User 'Default user')
O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 6149 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478d38-c3f9-4efb-9b51-7695eca05670}]
&Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2008-05-15 817936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2008-05-15 817936]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-04 208952]
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2005-06-19 729178]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-12-01 344064]
"Cpqset"=C:\Program Files\HPQ\Default Settings\cpqset.exe [2005-08-01 233534]
"HP Software Update"=C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [2005-02-17 49152]
"eabconfg.cpl"=C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe [2005-12-22 405504]
""= []
"hpWirelessAssistant"=C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe [2005-12-13 507904]
"ControlCenter2.0"=C:\Program Files\Brother\ControlCenter2\brctrcen.exe [2005-07-22 933888]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]
"QPService"=C:\Program Files\HP\QuickPlay\QPService.exe [2005-12-12 94208]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-10-13 1694208]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

C:\Documents and Settings\JOHN\Start Menu\Programs\Startup
Adobe Media Player.lnk - C:\Program Files\Adobe Media Player\Adobe Media Player.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2005-12-01 47104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2004-08-04 239616]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableProfileQuota"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2009-05-11 18:50:41 ----D---- C:\_OTMoveIt
2009-05-11 18:46:57 ----D---- C:\Avenger
2009-05-11 18:46:57 ----A---- C:\avenger.txt
2009-05-10 20:31:58 ----D---- C:\Program Files\Microsoft Silverlight
2009-05-10 20:00:08 ----D---- C:\WINDOWS\system32\CatRoot_bak
2009-05-10 18:28:04 ----D---- C:\Program Files\Avira
2009-05-10 18:28:04 ----D---- C:\Documents and Settings\All Users\Application Data\Avira
2009-05-10 15:34:53 ----D---- C:\rsit
2009-05-10 14:05:12 ----D---- C:\Program Files\anywebcam
2009-05-10 13:43:11 ----D---- C:\Documents and Settings\JOHN\Application Data\Mozilla
2009-05-10 13:42:55 ----D---- C:\Program Files\Mozilla Firefox
2009-05-10 10:52:37 ----D---- C:\WINDOWS\system32\199638
2009-05-10 09:11:35 ----A---- C:\log2.txt
2009-05-10 09:11:35 ----A---- C:\log1.txt
2009-05-10 09:05:23 ----D---- C:\Documents and Settings\JOHN\Application Data\True Sword
2009-05-10 09:00:18 ----D---- C:\Program Files\True Sword 5
2009-05-09 17:41:36 ----D---- C:\Documents and Settings\All Users\Application Data\Gtek
2009-05-09 17:41:34 ----D---- C:\Documents and Settings\JOHN\Application Data\GTek
2009-05-09 10:14:11 ----D---- C:\Program Files\Trend Micro
2009-05-09 09:26:42 ----A---- C:\WINDOWS\system32\bxx.txt
2009-05-09 09:26:41 ----A---- C:\WINDOWS\system32\sdd.txt
2009-05-09 09:26:41 ----A---- C:\WINDOWS\system32\r24.txt
2009-05-09 09:26:41 ----A---- C:\WINDOWS\system32\p1.txt
2009-05-09 09:26:41 ----A---- C:\WINDOWS\system32\dz1.txt
2009-05-09 09:25:33 ----A---- C:\WINDOWS\system32\lxserv4.dll
2009-05-08 20:18:26 ----D---- C:\Program Files\Pokie Magic Games
2009-05-08 20:15:44 ----D---- C:\Documents and Settings\JOHN\Application Data\GetRightToGo
2009-05-08 17:20:01 ----A---- C:\WINDOWS\ntbtlog.txt
2009-05-08 17:06:29 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-05-08 16:41:02 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-05-08 16:13:25 ----D---- C:\Documents and Settings\JOHN\Application Data\Yahoo!
2009-05-08 16:13:25 ----D---- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2009-05-08 16:10:56 ----D---- C:\Program Files\Yahoo!
2009-05-08 15:32:31 ----D---- C:\Program Files\SmartPopupBlocker
2009-05-08 08:59:21 ----D---- C:\Documents and Settings\All Users\Application Data\CyberLink
2009-05-05 22:07:17 ----D---- C:\Documents and Settings\All Users\Application Data\Slapdash Games
2009-05-03 22:36:07 ----SH---- C:\WINDOWS\system32\ilitomuy.ini
2009-05-03 07:06:44 ----SH---- C:\WINDOWS\system32\utagehud.ini
2009-05-02 18:26:23 ----SH---- C:\WINDOWS\system32\unitison.ini
2009-04-23 20:43:54 ----D---- C:\Program Files\10 Days Under The Sea
2009-04-23 20:40:04 ----D---- C:\Program Files\Haunted Hotel
2009-04-21 19:51:11 ----D---- C:\Program Files\Fishing Craze
2009-04-19 18:01:17 ----A---- C:\WINDOWS\TaxACT05.ini
2009-04-19 18:01:12 ----D---- C:\Program Files\2nd Story Software

======List of files/folders modified in the last 1 months======

2009-05-13 17:46:56 ----D---- C:\WINDOWS\Prefetch
2009-05-13 17:46:11 ----D---- C:\WINDOWS\Temp
2009-05-13 17:45:54 ----ASH---- C:\hpqp.ini
2009-05-12 17:54:07 ----D---- C:\WINDOWS\system32\CatRoot2
2009-05-12 17:53:54 ----D---- C:\WINDOWS
2009-05-12 17:53:54 ----A---- C:\XP_TV.ini
2009-05-12 17:05:03 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-05-11 20:49:17 ----D---- C:\WINDOWS\system32\wbem
2009-05-11 18:46:57 ----D---- C:\WINDOWS\system32\drivers
2009-05-10 20:34:37 ----SHD---- C:\WINDOWS\Installer
2009-05-10 20:34:37 ----HD---- C:\Config.Msi
2009-05-10 20:31:58 ----D---- C:\Program Files
2009-05-10 20:12:00 ----D---- C:\WINDOWS\system32\CatRoot
2009-05-10 20:11:57 ----HD---- C:\WINDOWS\inf
2009-05-10 20:00:08 ----D---- C:\WINDOWS\system32
2009-05-10 20:00:08 ----D---- C:\WINDOWS\Debug
2009-05-10 18:24:41 ----D---- C:\WINDOWS\WinSxS
2009-05-10 17:31:37 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-05-09 21:12:57 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-05-09 17:47:59 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-05-09 17:45:52 ----D---- C:\WINDOWS\system32\Restore
2009-05-09 12:18:50 ----SD---- C:\Documents and Settings\JOHN\Application Data\Microsoft
2009-05-09 09:41:52 ----D---- C:\Documents and Settings
2009-05-08 17:09:34 ----SD---- C:\WINDOWS\Tasks
2009-05-08 09:03:13 ----D---- C:\SYSTEM.SAV
2009-05-08 09:01:43 ----D---- C:\Program Files\Quicken
2009-05-08 09:01:32 ----A---- C:\WINDOWS\QUICKEN.INI
2009-05-08 08:59:20 ----RSD---- C:\WINDOWS\Fonts
2009-05-08 08:58:17 ----HD---- C:\Program Files\InstallShield Installation Information
2009-05-08 08:57:12 ----D---- C:\WINDOWS\Help
2009-05-08 08:55:30 ----D---- C:\WINDOWS\Registration
2009-05-08 08:55:09 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-05-08 08:39:57 ----D---- C:\hp
2009-05-08 08:39:56 ----AD---- C:\WINDOWS\system32\pcintro
2009-05-08 08:34:38 ----D---- C:\Program Files\HPQ
2009-05-08 08:33:46 ----D---- C:\Program Files\music_now
2009-05-08 08:33:02 ----D---- C:\Program Files\HP Rhapsody
2009-05-08 07:23:08 ----D---- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2009-05-07 17:55:15 ----SHD---- C:\RECYCLER
2009-05-07 17:48:46 ----A---- C:\WINDOWS\system32\user32.DLL
2009-05-07 17:47:59 ----A---- C:\WINDOWS\setuplog.txt

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2005-03-09 36352]
R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 eabfiltr;EABFiltr; \??\C:\WINDOWS\system32\drivers\EABFiltr.sys []
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-02-13 28376]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2004-08-03 8832]
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2009-03-24 55640]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-16 13059]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2005-12-01 1412608]
R3 BCM43XX;Broadcom 802.11 Network Adapter Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2005-11-28 424320]
R3 CAMCAUD;Conexant AMC Audio; C:\WINDOWS\system32\drivers\camc6aud.sys [2005-08-02 38016]
R3 CAMCHALA;CAMCHALA; C:\WINDOWS\system32\drivers\camc6hal.sys [2005-08-02 349312]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-03 14080]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2004-08-04 9600]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2005-08-22 1035008]
R3 HSFHWATI;HSFHWATI; C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-08-22 231424]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
R3 RTL8023xp;Realtek 10/100/1000 NIC Family all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2005-09-30 78720]
R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2004-08-04 67584]
R3 StillCam;Still Serial Digital Camera Driver; C:\WINDOWS\system32\DRIVERS\serscan.sys [2001-08-17 6784]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2005-06-19 190400]
R3 tifm21;tifm21; C:\WINDOWS\system32\drivers\tifm21.sys [2005-09-20 162432]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-04 17024]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2005-08-22 718464]
S1 b8c0eff6;b8c0eff6; C:\WINDOWS\System32\drivers\b8c0eff6.sys []
S2 MCSTRM;MCSTRM; C:\WINDOWS\system32\drivers\MCSTRM.sys []
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-04 60800]
S3 eabusb;eabusb; \??\C:\WINDOWS\system32\drivers\eabusb.sys []
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-04 61824]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 slabbus;CP2101 USB Composite Device driver (WDM); C:\WINDOWS\system32\DRIVERS\slabbus.sys [2004-03-25 52384]
S3 slabser;CP2101 USB to UART Bridge Controller Drivers; C:\WINDOWS\system32\DRIVERS\slabser.sys [2004-03-25 84512]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-04-01 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-03-02 185089]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2005-12-01 393216]
R2 Brother XP spl Service;BrSplService; C:\WINDOWS\system32\brsvc01a.exe [2002-04-11 57344]
R2 hpqwmiex;hpqwmiex; C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe [2005-12-22 98304]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-09 152984]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2005-11-15 73728]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]

-----------------EOF-----------------
golferdude
 
Posts: 15
Joined: Sat May 09, 2009 3:20 pm

Re: viruses and dns changers i can't remove

Postby patrik » Thu May 14, 2009 12:58 pm

If you have previously downloaded ComboFix, please delete that version now.
Download Combofix from here. Close any open browsers. Double click on combofix.exe and follow the prompts.

Post back with combofix log.
patrik
Site Admin
 
Posts: 8425
Joined: Sun Jan 08, 2006 1:11 pm

Re: viruses and dns changers i can't remove

Postby golferdude » Thu May 14, 2009 10:30 pm

Here it is. My computer would not boot up unless I chose the last good configuration.

ComboFix 09-05-14.03 - JOHN 05/14/2009 17:20.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.480 [GMT -5:00]
Running from: c:\documents and settings\JOHN\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\JOHN\Application Data\wiaserva.log
c:\windows\system32\dz1.txt
c:\windows\system32\ilitomuy.ini
c:\windows\system32\p1.txt
c:\windows\system32\r24.txt
c:\windows\system32\sdd.txt
c:\windows\system32\uninstall.exe
c:\windows\system32\unitison.ini
c:\windows\system32\utagehud.ini

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - The cat ate it :)

.
((((((((((((((((((((((((( Files Created from 2009-04-14 to 2009-05-14 )))))))))))))))))))))))))))))))
.

2009-05-11 23:50 . 2009-05-11 23:50 -------- d-----w C:\_OTMoveIt
2009-05-11 01:31 . 2009-05-11 01:31 -------- d-----w c:\program files\Microsoft Silverlight
2009-05-11 01:00 . 2009-05-11 01:12 -------- d-----w c:\windows\system32\CatRoot_bak
2009-05-10 23:28 . 2009-05-10 23:28 -------- d-----w c:\program files\Avira
2009-05-10 23:28 . 2009-05-10 23:28 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-05-10 20:34 . 2009-05-10 20:34 -------- d-----w C:\rsit
2009-05-10 19:05 . 2009-05-10 19:05 -------- d-----w c:\program files\anywebcam
2009-05-10 18:43 . 2009-05-10 18:43 0 ----a-w c:\windows\nsreg.dat
2009-05-10 18:43 . 2009-05-10 18:43 -------- d-----w c:\documents and settings\JOHN\Local Settings\Application Data\Mozilla
2009-05-10 15:52 . 2009-05-10 20:12 -------- d-----w c:\windows\system32\199638
2009-05-10 14:05 . 2009-05-10 14:05 -------- d-----w c:\documents and settings\JOHN\Application Data\True Sword
2009-05-10 14:00 . 2009-05-10 14:33 -------- d-----w c:\program files\True Sword 5
2009-05-09 22:41 . 2009-05-09 22:41 -------- d-----w c:\documents and settings\All Users\Application Data\Gtek
2009-05-09 22:41 . 2009-05-09 22:41 -------- d-----w c:\documents and settings\JOHN\Application Data\GTek
2009-05-09 15:22 . 2009-05-09 15:22 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2009-05-09 15:14 . 2009-05-09 15:14 -------- d-----w c:\program files\Trend Micro
2009-05-09 14:42 . 2009-05-09 14:42 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-09 01:18 . 2009-05-09 01:18 -------- d-----w c:\program files\Pokie Magic Games
2009-05-09 01:15 . 2009-05-09 01:18 -------- d-----w c:\documents and settings\JOHN\Application Data\GetRightToGo
2009-05-08 22:06 . 2009-05-10 14:27 -------- dc----w c:\windows\system32\DRVSTORE
2009-05-08 21:41 . 2009-05-10 14:27 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-05-08 21:16 . 2009-05-08 21:16 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-05-08 21:13 . 2009-05-08 21:13 -------- d-----w c:\documents and settings\JOHN\Application Data\Yahoo!
2009-05-08 21:13 . 2009-05-08 21:13 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-05-08 21:10 . 2009-05-08 21:11 -------- d-----w c:\program files\Yahoo!
2009-05-08 20:32 . 2009-05-08 21:12 -------- d-----w c:\program files\SmartPopupBlocker
2009-05-08 14:58 . 2009-03-24 21:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-08 13:59 . 2009-05-08 13:59 -------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2009-05-06 03:07 . 2009-05-06 03:07 -------- d-----w c:\documents and settings\All Users\Application Data\Slapdash Games
2009-05-06 03:07 . 2009-05-06 03:07 -------- d-----w c:\documents and settings\JOHN\Local Settings\Application Data\Slapdash Games
2009-04-24 01:43 . 2009-05-08 00:10 -------- d-----w c:\program files\10 Days Under The Sea
2009-04-24 01:40 . 2009-04-24 02:31 -------- d-----w c:\program files\Haunted Hotel
2009-04-22 01:08 . 2009-04-22 01:08 4096 ----a-w c:\windows\d3dx.dat
2009-04-22 00:51 . 2009-04-22 00:52 -------- d-----w c:\program files\Fishing Craze
2009-04-19 23:01 . 2009-04-19 23:01 -------- d-----w c:\program files\2nd Story Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-14 22:21 . 2004-08-04 20:00 577024 ----a-w c:\windows\system32\user32.dll
2009-05-14 22:17 . 2004-08-04 20:00 182912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-05-12 01:41 . 2009-01-17 15:59 51520 ----a-w c:\documents and settings\JOHN\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-10 22:31 . 2009-01-18 16:34 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-08 14:01 . 2009-01-17 16:28 -------- d-----w c:\program files\Quicken
2009-05-08 13:58 . 2009-01-17 15:53 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-08 13:46 . 2009-01-17 16:10 87222 ----a-w c:\windows\hpqins69.dat
2009-05-08 13:39 . 2009-01-17 16:05 1618 --sha-r c:\windows\system32\drivers\103C_HP_NTBK_Pavilion dv8000 (ET831UA#ABA)_YN_0Pavi_QCND6120SD6_EU_46_I309B_SHP_V49.38_BF.33_T060224_WXH2_L409_M1023_J80_7AMD_8Turion 64 Technology ML-32_91.79_#090117_N10EC8139_(ET831UA#ABA)_XMOBILE_CN10_Z10024378.MRK
2009-05-08 13:34 . 2009-01-17 16:01 -------- d-----w c:\program files\HPQ
2009-05-08 13:33 . 2009-01-17 16:00 -------- d-----w c:\program files\music_now
2009-05-08 13:33 . 2009-01-17 15:55 -------- d-----w c:\program files\HP Rhapsody
2009-04-14 01:30 . 2009-01-17 16:32 -------- d-----w c:\program files\Java
2009-04-13 22:43 . 2009-04-13 22:42 -------- d-----w c:\program files\Jewel Match 2
2009-04-13 22:39 . 2009-04-13 22:38 -------- d-----w c:\program files\Lost Secrets - Bermuda Triangle
2009-04-06 20:32 . 2009-01-18 16:35 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2009-01-18 16:35 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-29 23:07 . 2009-03-23 06:06 -------- d-----w c:\program files\Hidden Expedition - Everest
2009-03-29 03:43 . 2009-02-17 02:03 -------- d-----w c:\program files\Phantom EFX
2009-03-29 01:05 . 2009-03-23 05:17 -------- d-----w c:\program files\Hidden Expedition - Amazon
2009-03-28 16:33 . 2009-03-23 05:19 -------- d-----w c:\program files\Hidden Expedition - Titanic
2009-03-23 06:00 . 2009-03-23 05:59 -------- d-----w c:\program files\Yard Sale Hidden Treasures - Sunnyville
2009-03-23 05:06 . 2009-03-23 05:06 -------- d-----w c:\program files\bfgclient
2009-03-22 05:01 . 2009-01-17 16:48 -------- d-----w c:\program files\F-Secure Internet Security
2009-03-20 11:28 . 2009-02-07 14:36 -------- d-----w c:\program files\SG2
2009-03-18 01:23 . 2009-03-18 01:23 -------- d-----w c:\program files\AVG
2009-03-09 10:19 . 2009-01-17 17:06 410984 ----a-w c:\windows\system32\deploytk.dll
.
Infected c:\windows\system32\user32.dll hex repaired


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-02 344064]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-22 405504]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-07-23 933888]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\documents and settings\JOHN\Start Menu\Programs\Startup\
Adobe Media Player.lnk - c:\config.msi\9d23f.rbf [2009-5-13 261120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2009-1-18 802816]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableProfileQuota"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/10/2009 6:28 PM 108289]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [1/17/2009 10:56 AM 231424]
S0 zsqlskf;zsqlskf;c:\windows\system32\drivers\qcoe.sys --> c:\windows\system32\drivers\qcoe.sys [?]
S1 b8c0eff6;b8c0eff6;c:\windows\system32\drivers\b8c0eff6.sys --> c:\windows\system32\drivers\b8c0eff6.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.anywebcam.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
FF - ProfilePath - c:\documents and settings\JOHN\Application Data\Mozilla\Firefox\Profiles\jk4nd7ey.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.anywebcam.com/home
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-14 17:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????9?1?7?1??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3960)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\brss01a.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\HPQ\shared\HpqToaster.exe
.
**************************************************************************
.
Completion time: 2009-05-14 17:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-14 22:28

Pre-Run: 65,313,005,568 bytes free
Post-Run: 65,448,452,096 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

179
golferdude
 
Posts: 15
Joined: Sat May 09, 2009 3:20 pm
