Internet Security 2010 Infection
Page 1 of 2
gmjackson44 (Novice) - OS: Windows XP
Hello,
My laptop has been infected by Internet Security 2010. I have gotten control of the computer back by turning Task Manager back on and killing the processes used by the infection. I have installed the two Java downloads and the new Adobe, and run Windows Update. Here is my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:53:33 PM, on 1/9/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Smc.exe
C:\Program Files\Symantec AntiVirus\SNAC.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\PROGRA~1\HPAVAD~1\avChgSvc.exe
C:\Program Files\CrashPlan\CrashPlanService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\cvsnt\cvsservice.exe
C:\Program Files\cvsnt\cvslock.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\AccelerometerSt.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\DOCUME~1\smigrego\LOCALS~1\Temp\e5x54dg.exe
C:\DOCUME~1\smigrego\LOCALS~1\Temp\win.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\CrashPlan\CrashPlanTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Xpress Mail\Professional Editon\XpressMailDesktopClient.exe
C:\Program Files\AIM6\aolsoftware.exe
c:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NOS\bin\getPlusPlus_Adobe.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.portal.hp.com/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://athp.hp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://athp.hp.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Hewlett-Packard
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autocache.hp.com
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O1 - Hosts: Copyright (c) 1993-1999 Microsoft Corp.
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P35 "EPSON Stylus CX4800 Series (Copy 1)" /O6 "USB001" /M "Stylus CX4800"
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [TaskMon] C:\WINDOWS\system32\ali.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickPassword] C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [IDA] c:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [COEMsgDisplay] c:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\WINDOWS\system32\AccelerometerSt.exe
O4 - HKLM\..\Run: [AT&T Communication Manager] "C:\Program Files\AT&T\Communication Manager\ATTCM.exe" -a
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [GetITIcon] C:\Program Files\Hewlett-Packard\GetITIcon\GetITShell.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKLM\..\Run: [GetIT] C:\Program Files\Hewlett-Packard\GetIT\GetIT.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - HKCU\..\Run: [LREC75DND7] C:\DOCUME~1\smigrego\LOCALS~1\Temp\c.exe
O4 - HKCU\..\Run: [ygua8e7yhuiesfha876yfauy8fe] C:\DOCUME~1\smigrego\LOCALS~1\Temp\e5x54dg.exe
O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\smigrego\LOCALS~1\Temp\win.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: CrashPlan Tray.lnk = C:\Program Files\CrashPlan\CrashPlanTray.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: WinZip Quick Pick.lnk = ?
O4 - Global Startup: Xpress Mail Professional Edition.lnk = C:\Program Files\Xpress Mail\Professional Editon\XpressMailDesktopClient.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: Fix Common Internet Explorer Problems - {E270AB82-96D5-45DB-ABE3-0BC038B92334} - C:\Program Files\Hewlett-Packard\IEToolBar\HP IE Fix.exe
O9 - Extra 'Tools' menuitem: Fix Common Internet Explorer Problems - {E270AB82-96D5-45DB-ABE3-0BC038B92334} - C:\Program Files\Hewlett-Packard\IEToolBar\HP IE Fix.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O14 - IERESET.INF: START_PAGE_URL=http://athp.hp.com
O15 - Trusted Zone: http://ie.config.asia.compaq.com
O15 - Trusted Zone: http://ie.config.eur.compaq.com
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com
O15 - Trusted Zone: http://ie.config.jp.compaq.com
O15 - Trusted Zone: http://*.compaq.com
O15 - Trusted Zone: *.cpqcorp.net
O15 - Trusted Zone: http://*.dcu.org
O15 - Trusted Zone: http://ie.config.ecom.dec.com
O15 - Trusted Zone: http://*.dec.com
O15 - Trusted Zone: http://*.hpe-learning.com
O15 - Trusted Zone: *.hpqcorp.net
O15 - Trusted Zone: *.hpshopping.com
O15 - Trusted Zone: http://ie.config.tandem.com
O15 - Trusted Zone: http://*.tandem.com
O15 - Trusted Zone: http://ie.config.asia.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.eur.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.jp.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.ecom.dec.com (HKLM)
O15 - Trusted Zone: http://ie.config.tandem.com (HKLM)
O16 - DPF: {00000033-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms33 Class) - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall33.cab
O16 - DPF: {00000035-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms35 Class) - https://na.webaccess.hp.com/vRoom_Cab/,DanaInfo=www.rooms.hp.com,SSL+WebHPVCInstall35.cab
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPITWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169809900876
O16 - DPF: {857ABA85-8AB2-4C9E-8FAA-D2A963739859} (HPPKI Control) - https://digitalbadge.external.hp.com/hp/HPPKI.cab
O16 - DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} (Loader Class v3) - http://10.64.176.27:8080/qcbin/Spider90.ocx
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} (DDRevision Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://na.webaccess.hp.com/client/T26L10NSP49EP30/webex/,DanaInfo=initiate.webex.com,SSL+ieatgpc.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://na.webaccess.hp.com/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\Software\..\Telephony: DomainName = americas.hpqcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = AMERICAS.cpqcorp.net,AMERICAS.hpqcorp.net,hpqcorp.net,cpqcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = AMERICAS.cpqcorp.net,AMERICAS.hpqcorp.net,hpqcorp.net,cpqcorp.net
O20 - AppInit_DLLs: C:\WINDOWS\system32\kbdsock.dll, ,visegobu.dll
O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivIdentity - C:\Program Files\Common Files\ActivCard\acautoreg.exe
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - SmithMicro Inc. - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
O23 - Service: HP-AV Change Monitor Service (AvChgSvc) - Unknown owner - C:\PROGRA~1\HPAVAD~1\avChgSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CrashPlan Backup Service (CrashPlanService) - Code 42 Software - C:\Program Files\CrashPlan\CrashPlanService.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CVSNT (CVS) - GNU - C:\Program Files\cvsnt\cvsservice.exe
O23 - Service: CVSNT Locking Service (CVSLock) - Unknown owner - C:\Program Files\cvsnt\cvslock.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lan Discover Agent (magaService) - Unknown owner - C:\Program Files\Sygate\SSA\maga\maga.exe (file missing)
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
O23 - Service: HP OVCM Notify Daemon (radexecd) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe
O23 - Service: HP OVCM Scheduler Daemon (radsched) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe
O23 - Service: HP OVCM MSI Redirector (Radstgms) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 18226 bytes
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CrashPlan Backup Service (CrashPlanService) - Code 42 Software - C:\Program Files\CrashPlan\CrashPlanService.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CVSNT (CVS) - GNU - C:\Program Files\cvsnt\cvsservice.exe
O23 - Service: CVSNT Locking Service (CVSLock) - Unknown owner - C:\Program Files\cvsnt\cvslock.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lan Discover Agent (magaService) - Unknown owner - C:\Program Files\Sygate\SSA\maga\maga.exe (file missing)
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
O23 - Service: HP OVCM Notify Daemon (radexecd) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe
O23 - Service: HP OVCM Scheduler Daemon (radsched) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe
O23 - Service: HP OVCM MSI Redirector (Radstgms) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 18226 bytes
- BelahzurSite Admin
-
OS : 7 Home Premium x64
Posts : 34948
Rubies : 218223
Likes : 18
Hello.
Please download the LSPfix from here: LSPFix
Unzip it to the Desktop (Important!!) and run it. Check the box that says "I know what I'm doing", then select each instance of "helper32.dll" in the left-hand panel and click the ">>" button to move it to the right-hand panel. Then click Finish to allow LSPfix to rebuild the LSP chain.
- Open HijackThis
- Choose "Do a system scan only"
- Check the boxes in front of these lines:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O1 - Hosts: Copyright (c) 1993-1999 Microsoft Corp.
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKCU\..\Run: [LREC75DND7] C:\DOCUME~1\smigrego\LOCALS~1\Temp\c.exe
O4 - HKCU\..\Run: [ygua8e7yhuiesfha876yfauy8fe] C:\DOCUME~1\smigrego\LOCALS~1\Temp\e5x54dg.exe
O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\smigrego\LOCALS~1\Temp\win.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\kbdsock.dll, ,visegobu.dll
- Press "Fix Checked"
- Close Hijack This.
Please download and run this tool.
Download Malwarebytes' Anti-Malware from Here
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.
Post the contents of the MBAM Log.
Site Admin / Security Administrator
[Prework] - Please PM me if I fail to respond within 24hrs.
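As an added example (not code from this thread, from HijackThis or from Malwarebytes), here is a small Python triage script that applies the same checks the fix list above relies on to a HijackThis log: a UserInit value pointing anywhere other than userinit.exe, Run entries launched from a Temp folder or named after a core Windows binary, unknown Winsock LSP modules, and a populated AppInit_DLLs. The sample lines are constructed from the log quoted in this thread; the list of imitated system-binary names and the severity labels are my own assumptions.

```python
"""Triage a HijackThis log for the persistence points fixed in this thread.

Added example, not part of the original thread or of HijackThis itself.
Flags:
  F2  UserInit pointing anywhere but the stock userinit.exe
  O4  Run entries launched from a Temp folder, or whose executable name
      imitates a Windows system binary (smss32.exe, winlogon32.exe ...)
  O10 unknown Winsock LSP modules (what LSPfix is used to remove)
  O20 any non-empty AppInit_DLLs value (loaded into every GUI process)
"""
import re

# Assumption: names rogue-AV droppers commonly imitate. A Run entry named
# like one of these is always suspect, since the real binaries are started
# by the kernel or winlogon, never from a Run key.
SYSTEM_BINARIES = {"smss", "winlogon", "csrss", "lsass", "svchost",
                   "services", "explorer"}
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"

LINE_RE = re.compile(r"^(?P<tag>F\d|O\d+) - (?P<body>.*)$")
# Matches e.g.  HKCU\..\Run: [LREC75DND7] C:\DOCUME~1\...\Temp\c.exe
O4_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<path>.*)$")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def looks_like_system_binary(path):
    """smss32.exe -> stem 'smss32' -> digits stripped -> 'smss' (imitation)."""
    stem = _basename(path).rsplit(".", 1)[0]
    return stem.rstrip("0123456789") in SYSTEM_BINARIES


def triage_line(line):
    """Return (severity, reason) for one log line, or None if nothing to flag."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tag, body = m.group("tag"), m.group("body")
    if tag == "F2" and body.startswith("REG:system.ini: UserInit="):
        # HJT prints the stock value with a trailing comma; normalise it.
        value = body.split("=", 1)[1].strip().rstrip(",").lower()
        if value != STOCK_USERINIT:
            return ("high", f"UserInit hijacked: {value}")
    elif tag == "O4":
        m4 = O4_RE.match(body)
        if m4:
            name, path = m4.group("name"), m4.group("path")
            if "\\temp\\" in path.lower():
                return ("high", f"Run entry [{name}] launches from a Temp folder: {path}")
            if looks_like_system_binary(path):
                return ("high", f"Run entry [{name}] imitates a system binary: {path}")
    elif tag == "O10" and body.startswith("Unknown file in Winsock LSP:"):
        return ("medium", "unknown LSP module: " + body.split(":", 1)[1].strip())
    elif tag == "O20" and body.startswith("AppInit_DLLs:"):
        dlls = [d.strip() for d in body.split(":", 1)[1].split(",") if d.strip()]
        if dlls:
            return ("high", "AppInit_DLLs loads into every GUI process: " + ", ".join(dlls))
    return None


def triage_log(text):
    """Map each flagged line to its (severity, reason); repeated lines collapse."""
    findings = {}
    for line in text.splitlines():
        hit = triage_line(line)
        if hit:
            findings[line.strip()] = hit
    return findings


# Constructed sample: lines taken from the log quoted in this thread plus
# one benign O4 and one benign O23 entry.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKCU\..\Run: [LREC75DND7] C:\DOCUME~1\smigrego\LOCALS~1\Temp\c.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\kbdsock.dll, ,visegobu.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""

if __name__ == "__main__":
    for _line, (severity, reason) in triage_log(SAMPLE_LOG).items():
        print(f"[{severity}] {reason}")
```

Run against the sample it reports five findings: the hijacked UserInit, the two malicious Run entries, the helper32.dll LSP module (once, despite two log lines) and the AppInit_DLLs value; the Google and Java entries are left alone.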


- gmjackson44Novice
-
OS : Windows XP
Posts : 11
Rubies : 3182
Likes : 0
Thanks Belahzur.
Here are the contents of the Malwarebytes log:
Malwarebytes' Anti-Malware 1.44
Database version: 3531
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512
1/9/2010 10:00:16 PM
mbam-log-2010-01-09 (22-00-16).txt
Scan type: Quick Scan
Objects scanned: 128730
Time elapsed: 10 minute(s), 25 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 23
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\helper32.dll (Trojan.FakeAlert) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\LREC75DND7 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\E8WECRKKMV (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\helper32.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\winlogon32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dtvcpsgd7.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gokeduzo.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kisebuyu.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mimovone.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\xcpcyo.sys (Rootkit.Agent) -> Delete on reboot.
C:\Documents and Settings\smigrego\Local Settings\Temp\1171621846.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\smigrego\Local Settings\Temp\install.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\smigrego\Local Settings\Temp\3241309302.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\smigrego\Local Settings\Temp\3339550688.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\smigrego\Local Settings\Temp\3555614376.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\smigrego\Local Settings\Temp\373457092.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\smigrego\Local Settings\Temp\debug.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\smigrego\Local Settings\Temp\us7qmn8.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\smigrego\Local Settings\Temp\2013845718.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\smigrego\Local Settings\Temp\802493982.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\smigrego\Local Settings\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\smigrego\Local Settings\Temp\dfgdgdfgrgdgfdrdfs.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\IS15.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
- BelahzurSite Admin
-
OS : 7 Home Premium x64
Posts : 34948
Rubies : 218223
Likes : 18
Hello.
- Download combofix from here
Link 1
Link 2
1. If you are using Firefox, make sure that your download settings are as follows:
* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".
2. During the download, rename Combofix to Combo-Fix as follows:
3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
- We need to disable your local AV (Anti-virus) before running Combofix.
- See HERE for how to disable your AV.
- Double click on ComboFix.exe.
- Follow the prompts. NOTE:
- ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
It's strongly recommended to have the Recovery Console installed before doing any malware removal.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
- The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
- Allow ComboFix to download the Recovery Console.
- Accept the End-User License Agreement.
- The Recovery Console will be installed.
- You will then get this next prompt that asks if you want to continue the malware scan; select "Yes".
- Allow combofix to run
- Post C:\combofix.txt back here.
Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.
- gmjackson44Novice
-
OS : Windows XP
Posts : 11
Rubies : 3182
Likes : 0
ComboFix 10-01-04.01 - smigrego 01/10/2010 14:57:55.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1329 [GMT -5:00]
Running from: c:\documents and settings\smigrego\Desktop\Combo-Fix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Symantec Endpoint Protection *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\data
c:\data\dl_equipment.txt
c:\data\view.txt
c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
c:\documents and settings\smigrego\Desktop\Internet Security 2010.lnk
c:\windows\Install.txt
c:\windows\system32\15690.exe
c:\windows\system32\16598.exe
c:\windows\system32\17712.exe
c:\windows\system32\18467.exe
c:\windows\system32\20230.exe
c:\windows\system32\21987.exe
c:\windows\system32\2253.exe
c:\windows\system32\2303.exe
c:\windows\system32\2310.exe
c:\windows\system32\2324.exe
c:\windows\system32\26465.exe
c:\windows\system32\26851.exe
c:\windows\system32\26928.exe
c:\windows\system32\28194.exe
c:\windows\system32\28817.exe
c:\windows\system32\3046.exe
c:\windows\system32\31020.exe
c:\windows\system32\31548.exe
c:\windows\system32\4291.exe
c:\windows\system32\4786.exe
c:\windows\system32\4796.exe
c:\windows\system32\5316.exe
c:\windows\system32\6334.exe
c:\windows\system32\684.exe
c:\windows\system32\7244.exe
c:\windows\system32\8094.exe
c:\windows\system32\Install.txt
c:\windows\Tasks\emijydrv.job
c:\windows\system32\DRIVERS\iaStor.sys . . . is infected!!
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_IAS
-------\Legacy_SSHNAS
-------\Legacy_WINSTS
((((((((((((((((((((((((( Files Created from 2009-12-10 to 2010-01-10 )))))))))))))))))))))))))))))))
.
2010-01-10 20:05 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2010-01-10 20:05 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-01-09 23:51 . 2010-01-09 23:51 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-01-09 23:49 . 2010-01-09 23:49 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-09 23:49 . 2010-01-09 23:49 -------- d-----w- c:\documents and settings\Default User\Application Data\Juniper Networks
2010-01-09 23:14 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-09 07:05 . 2010-01-09 23:51 -------- d-----w- c:\documents and settings\smigrego\Local Settings\Application Data\nos
2010-01-09 07:05 . 2010-01-10 03:06 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-09 06:30 . 2010-01-09 06:29 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-09 04:26 . 2010-01-09 04:29 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-01-08 16:04 . 2010-01-08 16:04 -------- d-----w- c:\program files\GetITFixes
2010-01-08 07:27 . 2010-01-08 07:27 -------- d-----w- c:\program files\Trend Micro
2010-01-07 23:50 . 2010-01-07 23:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-01-06 23:17 . 2010-01-06 23:17 -------- d-----w- C:\spoolerlogs
2010-01-06 23:09 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-06 23:09 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 21:30 . 2010-01-06 21:30 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-01-06 19:24 . 2010-01-06 19:31 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2010-01-06 05:54 . 2010-01-07 09:12 -------- d-sh--w- c:\documents and settings\smigrego\.COMMgr
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-10 17:17 . 2007-04-20 16:13 268800 ------w- c:\windows\system32\drivers\iaStor.sys
2010-01-10 02:48 . 2009-10-24 04:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-10 02:48 . 2010-01-10 02:48 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-09 23:51 . 2008-05-20 14:38 -------- d-----w- c:\documents and settings\smigrego\Application Data\HPAppData
2010-01-09 23:50 . 2007-01-26 16:11 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-09 23:49 . 2008-03-26 16:31 -------- d-----w- c:\program files\Google
2010-01-09 23:49 . 2010-01-09 07:05 1975408 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\GoogleToolbarInstaller_en32_signed.exe
2010-01-09 23:43 . 2010-01-09 23:43 29696 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{5DBB7712-F0C4-5028-736C-558679203AAF}-smss32.exe
2010-01-09 19:28 . 2010-01-09 19:28 29696 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{4715E641-2F82-EE93-C6FB-A28AFB7F6C48}-smss32.exe
2010-01-09 07:33 . 2010-01-09 07:33 29696 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{0558C1F9-03CF-5CF1-3226-B91C4313EC58}-smss32.exe
2010-01-09 07:05 . 2010-01-09 07:05 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-01-09 06:32 . 2007-01-26 15:59 -------- d-----w- c:\program files\Java
2010-01-09 06:15 . 2010-01-09 06:15 29696 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{149A5678-9634-D037-22DF-271AE35E02CA}-smss32.exe
2010-01-09 03:41 . 2010-01-09 03:41 29696 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{F7B05C94-7867-5DF4-D1F6-F9B949207D17}-smss32.exe
2010-01-09 00:06 . 2010-01-09 00:06 29696 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{C00D58E0-3D64-B5D2-7757-2A3D25AA578C}-smss32.exe
2010-01-08 21:04 . 2010-01-08 21:04 29696 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{7E9B6BE1-6B19-24E1-0534-C23D5EE9FE84}-smss32.exe
2010-01-08 19:23 . 2010-01-08 19:23 29696 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{FCBF0855-D5A2-8050-A245-FC4CAE94655A}-smss32.exe
2010-01-08 18:35 . 2007-01-26 16:18 -------- d-----w- c:\program files\symantec antivirus
2010-01-08 17:35 . 2010-01-08 17:35 24580 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{831B347A-E14F-AFAB-A60C-39652E985A7E}-notepad.exe
2010-01-08 08:10 . 2010-01-08 08:10 29696 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{DEC5F7AE-B8FD-D748-F66E-BE720FCF392D}-smss32.exe
2010-01-08 04:34 . 2007-01-26 14:51 -------- d-----w- c:\program files\Hewlett-Packard
2009-12-10 05:07 . 2008-03-25 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-02 15:25 . 2009-04-07 14:25 -------- d-----w- c:\program files\CrashPlan
2009-11-21 15:51 . 1980-01-01 00:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-20 11:08 . 2010-01-09 23:51 38784 ----a-w- c:\documents and settings\smigrego\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-20 11:08 . 2010-01-09 23:50 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-29 05:38 . 1980-01-01 00:00 667136 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 1980-01-01 00:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 1980-01-01 00:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-03 23:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 1980-01-01 00:00 270336 ----a-w- c:\windows\system32\oakley.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2009-04-17 95536]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX4800 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [2005-02-02 98304]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2006-03-31 184320]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-16 794713]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"QuickPassword"="c:\program files\ActivCard\ActivCard Gold\agquickp.exe" [2007-06-26 225280]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-05-08 131072]
"IDA"="c:\program files\Hewlett-Packard\PC COE\IDA.EXE" [2008-08-12 176128]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 454656]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"COEMsgDisplay"="c:\program files\Hewlett-Packard\PC COE\COEMsgDisplay.exe" [2007-04-12 26624]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-07-08 115560]
"AGRSMMSG"="AGRSMMSG.exe" [2006-01-30 88203]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.exe" [2006-01-17 53248]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2008-12-01 33280]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2006-01-14 172032]
"GetITIcon"="c:\program files\Hewlett-Packard\GetITIcon\GetITShell.exe" [2009-05-05 864256]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2009-04-17 54576]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]
"GetIT"="c:\program files\Hewlett-Packard\GetIT\GetIT.exe" [2007-12-04 286720]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-09 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2009-8-11 1459392]
CrashPlan Tray.lnk - c:\program files\CrashPlan\CrashPlanTray.exe [2009-11-6 217088]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2008-3-24 184320]
WinZip Quick Pick.lnk - c:\windows\Installer\{9FDF923E-DB53-41E4-8CE6-8DEB8301C12E}\Icon_WZQKPICK.EXE [2008-3-24 65536]
Xpress Mail Professional Edition.lnk - c:\program files\Xpress Mail\Professional Editon\XpressMailDesktopClient.exe [2009-7-1 3082352]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
"DisableNT4Policy"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 1 (0x1)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 setuid
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^smigrego^Start Menu^Programs^Startup^HP.OutlookUtility.TaskbarNotifier.lnk]
path=c:\documents and settings\smigrego\Start Menu\Programs\Startup\HP.OutlookUtility.TaskbarNotifier.lnk
backup=c:\windows\pss\HP.OutlookUtility.TaskbarNotifier.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\radexecd.exe"=
"c:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\RadUIShell.exe"=
"c:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\radtray.exe"=
"c:\\Program Files\\symantec antivirus\\Smc.exe"=
"c:\\Program Files\\symantec antivirus\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\CrashPlan\\CrashPlanService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Hewlett-Packard\\PC COE\\coetl32.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\hpswp_clipbook.exe"=
"c:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"=
R1 NEOFLTR_610_13733;Juniper Networks TDI Filter Driver (NEOFLTR_610_13733);c:\windows\system32\drivers\NEOFLTR_610_13733.sys [11/26/2008 9:56 PM 64160]
R2 acautoreg;ActivCard Gold Autoregister;c:\program files\Common Files\ActivCard\acautoreg.exe [6/26/2007 5:06 PM 53248]
R2 Accoca;ActivCard Gold service;c:\program files\Common Files\ActivCard\accoca.exe [5/12/2004 5:51 PM 143360]
R2 AvChgSvc;HP-AV Change Monitor Service;c:\progra~1\HPAVAD~1\avChgSvc.exe [10/17/2008 4:24 PM 238080]
R2 CrashPlanService;CrashPlan Backup Service;c:\program files\CrashPlan\CrashPlanService.exe [2/2/2009 9:10 PM 150016]
R2 CVS;CVSNT;c:\program files\cvsnt\cvsservice.exe [8/19/2004 3:39 AM 35328]
R2 radexecd;HP OVCM Notify Daemon;c:\program files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe [2/20/2007 1:59 PM 270510]
R2 radsched;HP OVCM Scheduler Daemon;c:\program files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe [3/22/2007 5:19 PM 172205]
R2 Radstgms;HP OVCM MSI Redirector;c:\program files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe [3/20/2007 12:03 PM 315570]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/25/2008 1:18 PM 24652]
R3 akbus;ActivCard Virtual Reader Enumerator;c:\windows\system32\drivers\akbus.sys [1/26/2007 11:05 AM 13619]
R3 akpcsc;ActivCard Virtual PC/SC Device Driver;c:\windows\system32\drivers\akpcsc.sys [1/26/2007 11:05 AM 9493]
R3 aksbus;ActivIdentity Virtual Reader Enumerator;c:\windows\system32\drivers\aksbus.sys [4/6/2007 11:46 AM 13647]
R3 akspcsc;ActivIdentity Virtual PC/SC Device Driver;c:\windows\system32\drivers\akspcsc.sys [6/28/2007 8:19 PM 10161]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/16/2009 11:52 AM 102448]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [4/10/2007 1:17 PM 88192]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [4/10/2007 1:17 PM 36608]
R3 RadiaMsi;RadiaMsi;c:\windows\system32\drivers\radiamsi.sys [8/3/2007 9:31 AM 23424]
R3 WSUSBDMAN;VMware VDM Virtual Client USB Manager;c:\windows\system32\drivers\WSUSBDMAN.sys [1/19/2008 12:43 AM 19840]
S0 cisndo;cisndo;c:\windows\system32\drivers\rxlso.sys --> c:\windows\system32\drivers\rxlso.sys [?]
S0 xcpcyo;xcpcyo; [x]
S1 ahonxsvs;ahonxsvs;\??\c:\windows\system32\drivers\ahonxsvs.sys --> c:\windows\system32\drivers\ahonxsvs.sys [?]
S1 bccsykjh;bccsykjh;\??\c:\windows\system32\drivers\bccsykjh.sys --> c:\windows\system32\drivers\bccsykjh.sys [?]
S1 cgsjtvse;cgsjtvse;\??\c:\windows\system32\drivers\cgsjtvse.sys --> c:\windows\system32\drivers\cgsjtvse.sys [?]
S1 cmpwodfd;cmpwodfd;\??\c:\windows\system32\drivers\cmpwodfd.sys --> c:\windows\system32\drivers\cmpwodfd.sys [?]
S1 cvetctjx;cvetctjx;\??\c:\windows\system32\drivers\cvetctjx.sys --> c:\windows\system32\drivers\cvetctjx.sys [?]
S1 cyffsfbr;cyffsfbr;\??\c:\windows\system32\drivers\cyffsfbr.sys --> c:\windows\system32\drivers\cyffsfbr.sys [?]
S1 elkcnahb;elkcnahb;\??\c:\windows\system32\drivers\elkcnahb.sys --> c:\windows\system32\drivers\elkcnahb.sys [?]
S1 enipttla;enipttla;\??\c:\windows\system32\drivers\enipttla.sys --> c:\windows\system32\drivers\enipttla.sys [?]
S1 eurdnxjr;eurdnxjr;\??\c:\windows\system32\drivers\eurdnxjr.sys --> c:\windows\system32\drivers\eurdnxjr.sys [?]
S1 fxgsanni;fxgsanni;\??\c:\windows\system32\drivers\fxgsanni.sys --> c:\windows\system32\drivers\fxgsanni.sys [?]
S1 grcqgdwc;grcqgdwc;\??\c:\windows\system32\drivers\grcqgdwc.sys --> c:\windows\system32\drivers\grcqgdwc.sys [?]
S1 gvaclqww;gvaclqww;\??\c:\windows\system32\drivers\gvaclqww.sys --> c:\windows\system32\drivers\gvaclqww.sys [?]
S1 hicrzubn;hicrzubn;\??\c:\windows\system32\drivers\hicrzubn.sys --> c:\windows\system32\drivers\hicrzubn.sys [?]
S1 hkdzxxfg;hkdzxxfg;\??\c:\windows\system32\drivers\hkdzxxfg.sys --> c:\windows\system32\drivers\hkdzxxfg.sys [?]
S1 hnsjkkni;hnsjkkni;\??\c:\windows\system32\drivers\hnsjkkni.sys --> c:\windows\system32\drivers\hnsjkkni.sys [?]
S1 ibrxfqoh;ibrxfqoh;\??\c:\windows\system32\drivers\ibrxfqoh.sys --> c:\windows\system32\drivers\ibrxfqoh.sys [?]
S1 jdqhzybe;jdqhzybe;\??\c:\windows\system32\drivers\jdqhzybe.sys --> c:\windows\system32\drivers\jdqhzybe.sys [?]
S1 jqnoydld;jqnoydld;\??\c:\windows\system32\drivers\jqnoydld.sys --> c:\windows\system32\drivers\jqnoydld.sys [?]
S1 jvwisrdd;jvwisrdd;\??\c:\windows\system32\drivers\jvwisrdd.sys --> c:\windows\system32\drivers\jvwisrdd.sys [?]
S1 kajxnpsl;kajxnpsl;\??\c:\windows\system32\drivers\kajxnpsl.sys --> c:\windows\system32\drivers\kajxnpsl.sys [?]
S1 kixjvkbz;kixjvkbz;\??\c:\windows\system32\drivers\kixjvkbz.sys --> c:\windows\system32\drivers\kixjvkbz.sys [?]
S1 lkjxuyis;lkjxuyis;\??\c:\windows\system32\drivers\lkjxuyis.sys --> c:\windows\system32\drivers\lkjxuyis.sys [?]
S1 llutzada;llutzada;\??\c:\windows\system32\drivers\llutzada.sys --> c:\windows\system32\drivers\llutzada.sys [?]
S1 mexzkeqy;mexzkeqy;\??\c:\windows\system32\drivers\mexzkeqy.sys --> c:\windows\system32\drivers\mexzkeqy.sys [?]
S1 mxyltugm;mxyltugm;\??\c:\windows\system32\drivers\mxyltugm.sys --> c:\windows\system32\drivers\mxyltugm.sys [?]
S1 pgfcbbmo;pgfcbbmo;\??\c:\windows\system32\drivers\pgfcbbmo.sys --> c:\windows\system32\drivers\pgfcbbmo.sys [?]
S1 pqcsnwaw;pqcsnwaw;\??\c:\windows\system32\drivers\pqcsnwaw.sys --> c:\windows\system32\drivers\pqcsnwaw.sys [?]
S1 prxrthzn;prxrthzn;\??\c:\windows\system32\drivers\prxrthzn.sys --> c:\windows\system32\drivers\prxrthzn.sys [?]
S1 puojxdro;puojxdro;\??\c:\windows\system32\drivers\puojxdro.sys --> c:\windows\system32\drivers\puojxdro.sys [?]
S1 qwmmazyp;qwmmazyp;\??\c:\windows\system32\drivers\qwmmazyp.sys --> c:\windows\system32\drivers\qwmmazyp.sys [?]
S1 rkzfeuof;rkzfeuof;\??\c:\windows\system32\drivers\rkzfeuof.sys --> c:\windows\system32\drivers\rkzfeuof.sys [?]
S1 rojhwzlg;rojhwzlg;\??\c:\windows\system32\drivers\rojhwzlg.sys --> c:\windows\system32\drivers\rojhwzlg.sys [?]
S1 sdbhtaia;sdbhtaia;\??\c:\windows\system32\drivers\sdbhtaia.sys --> c:\windows\system32\drivers\sdbhtaia.sys [?]
S1 szvvgpkk;szvvgpkk;\??\c:\windows\system32\drivers\szvvgpkk.sys --> c:\windows\system32\drivers\szvvgpkk.sys [?]
S1 tmushnuh;tmushnuh;\??\c:\windows\system32\drivers\tmushnuh.sys --> c:\windows\system32\drivers\tmushnuh.sys [?]
S1 vdiwhfbm;vdiwhfbm;\??\c:\windows\system32\drivers\vdiwhfbm.sys --> c:\windows\system32\drivers\vdiwhfbm.sys [?]
S1 vglekhpj;vglekhpj;\??\c:\windows\system32\drivers\vglekhpj.sys --> c:\windows\system32\drivers\vglekhpj.sys [?]
S1 wckltgey;wckltgey;\??\c:\windows\system32\drivers\wckltgey.sys --> c:\windows\system32\drivers\wckltgey.sys [?]
S1 wfeyshfo;wfeyshfo;\??\c:\windows\system32\drivers\wfeyshfo.sys --> c:\windows\system32\drivers\wfeyshfo.sys [?]
S1 xekyvppv;xekyvppv;\??\c:\windows\system32\drivers\xekyvppv.sys --> c:\windows\system32\drivers\xekyvppv.sys [?]
S1 xluzfwyb;xluzfwyb;\??\c:\windows\system32\drivers\xluzfwyb.sys --> c:\windows\system32\drivers\xluzfwyb.sys [?]
S1 ypxmhujq;ypxmhujq;\??\c:\windows\system32\drivers\ypxmhujq.sys --> c:\windows\system32\drivers\ypxmhujq.sys [?]
S3 AKSIM;ActivKey Sim;c:\windows\system32\drivers\aksim.sys [6/28/2007 8:18 PM 27008]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [11/20/2008 9:07 PM 113152]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/8/2008 12:45 PM 23888]
S3 magaService;Lan Discover Agent;c:\program files\Sygate\SSA\maga\maga.exe --> c:\program files\Sygate\SSA\maga\maga.exe [?]
S3 ndisdrv;ndisdrv;\??\c:\windows\system32\ndisdrv.sys --> c:\windows\system32\ndisdrv.sys [?]
S3 SmartUSB;SmartReader-USB;c:\windows\system32\drivers\SmartUSB.sys [1/26/2007 11:05 AM 17024]
S3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\drivers\swnc8u80.sys [8/20/2008 1:35 PM 168192]
S3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\drivers\swumx80.sys [8/20/2008 1:36 PM 142976]
--- Other Services/Drivers In Memory ---
*Deregistered* - uphcleanhlp
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{922E8525-AC7E-4294-ACAA-43712D4423C0}]
2007-04-06 18:36 188416 ----a-w- c:\program files\Common Files\Hewlett-Packard\ActSet\HpActSet.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9AC2D554-AC12-4F1F-AAB9-E6363ADE5381}]
2007-04-06 18:36 188416 ----a-w- c:\program files\Common Files\Hewlett-Packard\ActSet\HpActSet.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B7B3E9B3-FB14-4927-894B-E9124509AF5A}]
2008-04-14 00:12 78848 ----a-w- c:\windows\system32\msiexec.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C99D666B-62E4-461B-A346-9375D55AB9BC}]
2007-04-06 18:36 188416 ----a-w- c:\program files\Common Files\Hewlett-Packard\ActSet\HpActSet.exe
.
Contents of the 'Scheduled Tasks' folder
2010-01-10 c:\windows\Tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}000.job
- c:\progra~1\HEWLET~1\PCCOE~1\Aimsi.dll [2009-03-27 21:35]
2010-01-10 c:\windows\Tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}001.job
- c:\progra~1\HEWLET~1\PCCOE~1\Aimsi.dll [2009-03-27 21:35]
2010-01-10 c:\windows\Tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}000.job
- c:\progra~1\HEWLET~1\PCCOE~1\clinvsi.dll [2008-09-07 22:06]
2010-01-10 c:\windows\Tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}001.job
- c:\program files\Hewlett-Packard\PC COE\coetl32.exe [2007-06-24 05:27]
2010-01-10 c:\windows\Tasks\IDA{DDC3038B-D87C-4DE6-AD88-05C6E3962FA0}000.job
- c:\progra~1\HEWLET~1\PCCOE~1\SWConnSI.dll [2008-07-01 21:27]
2010-01-10 c:\windows\Tasks\IDA{E1B2A4DD-AE06-4B97-9B55-8E8F1348E7FB}000.job
- c:\progra~1\HEWLET~1\PCCOE~1\critupsi.dll [2008-09-07 21:13]
2010-01-10 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 22:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://athp.hp.com/
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{E270AB82-96D5-45DB-ABE3-0BC038B92334} - c:\program files\Hewlett-Packard\IEToolBar\HP IE Fix.exe
Trusted Zone: compaq.com
Trusted Zone: compaq.com\ie.config.asia
Trusted Zone: compaq.com\ie.config.eur
Trusted Zone: compaq.com\ie.config.im.hou
Trusted Zone: compaq.com\ie.config.jp
Trusted Zone: cpqcorp.net
Trusted Zone: dcu.org
Trusted Zone: dec.com
Trusted Zone: dec.com\ie.config.ecom
Trusted Zone: hp.com
Trusted Zone: hpe-learning.com
Trusted Zone: hpqcorp.net
Trusted Zone: hpshopping.com
Trusted Zone: tandem.com
Trusted Zone: tandem.com\ie.config
Trusted Zone: compaq.com\ie.config.asia
Trusted Zone: compaq.com\ie.config.eur
Trusted Zone: compaq.com\ie.config.im.hou
Trusted Zone: compaq.com\ie.config.jp
Trusted Zone: dec.com\ie.config.ecom
Trusted Zone: tandem.com\ie.config
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} - hxxp://10.64.176.27:8080/qcbin/Spider90.ocx
.
- - - - ORPHANS REMOVED - - - -
Notify-NavLogon - (no file)
SafeBoot-Symantec Antvirus
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-10 15:09
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1804)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(1860)
c:\windows\system32\setuid.dll
- - - - - - - > 'explorer.exe'(5484)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Symantec AntiVirus\Smc.exe
c:\program files\Symantec AntiVirus\SNAC.EXE
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\cvsnt\cvslock.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\System32\vssvc.exe
c:\program files\Symantec AntiVirus\SmcGui.exe
c:\windows\AGRSMMSG.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
c:\program files\WinZip\WZQKPICK.EXE
c:\program files\Xpress Mail\Professional Editon\Connection.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2010-01-10 15:17:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-10 20:17
Pre-Run: 12,736,950,272 bytes free
Post-Run: 13,386,260,480 bytes free
- - End Of File - - 9C585E014BD09A47EA26E261F59BE9A6
S1 cmpwodfd;cmpwodfd;\??\c:\windows\system32\drivers\cmpwodfd.sys --> c:\windows\system32\drivers\cmpwodfd.sys [?]
S1 cvetctjx;cvetctjx;\??\c:\windows\system32\drivers\cvetctjx.sys --> c:\windows\system32\drivers\cvetctjx.sys [?]
S1 cyffsfbr;cyffsfbr;\??\c:\windows\system32\drivers\cyffsfbr.sys --> c:\windows\system32\drivers\cyffsfbr.sys [?]
S1 elkcnahb;elkcnahb;\??\c:\windows\system32\drivers\elkcnahb.sys --> c:\windows\system32\drivers\elkcnahb.sys [?]
S1 enipttla;enipttla;\??\c:\windows\system32\drivers\enipttla.sys --> c:\windows\system32\drivers\enipttla.sys [?]
S1 eurdnxjr;eurdnxjr;\??\c:\windows\system32\drivers\eurdnxjr.sys --> c:\windows\system32\drivers\eurdnxjr.sys [?]
S1 fxgsanni;fxgsanni;\??\c:\windows\system32\drivers\fxgsanni.sys --> c:\windows\system32\drivers\fxgsanni.sys [?]
S1 grcqgdwc;grcqgdwc;\??\c:\windows\system32\drivers\grcqgdwc.sys --> c:\windows\system32\drivers\grcqgdwc.sys [?]
S1 gvaclqww;gvaclqww;\??\c:\windows\system32\drivers\gvaclqww.sys --> c:\windows\system32\drivers\gvaclqww.sys [?]
S1 hicrzubn;hicrzubn;\??\c:\windows\system32\drivers\hicrzubn.sys --> c:\windows\system32\drivers\hicrzubn.sys [?]
S1 hkdzxxfg;hkdzxxfg;\??\c:\windows\system32\drivers\hkdzxxfg.sys --> c:\windows\system32\drivers\hkdzxxfg.sys [?]
S1 hnsjkkni;hnsjkkni;\??\c:\windows\system32\drivers\hnsjkkni.sys --> c:\windows\system32\drivers\hnsjkkni.sys [?]
S1 ibrxfqoh;ibrxfqoh;\??\c:\windows\system32\drivers\ibrxfqoh.sys --> c:\windows\system32\drivers\ibrxfqoh.sys [?]
S1 jdqhzybe;jdqhzybe;\??\c:\windows\system32\drivers\jdqhzybe.sys --> c:\windows\system32\drivers\jdqhzybe.sys [?]
S1 jqnoydld;jqnoydld;\??\c:\windows\system32\drivers\jqnoydld.sys --> c:\windows\system32\drivers\jqnoydld.sys [?]
S1 jvwisrdd;jvwisrdd;\??\c:\windows\system32\drivers\jvwisrdd.sys --> c:\windows\system32\drivers\jvwisrdd.sys [?]
S1 kajxnpsl;kajxnpsl;\??\c:\windows\system32\drivers\kajxnpsl.sys --> c:\windows\system32\drivers\kajxnpsl.sys [?]
S1 kixjvkbz;kixjvkbz;\??\c:\windows\system32\drivers\kixjvkbz.sys --> c:\windows\system32\drivers\kixjvkbz.sys [?]
S1 lkjxuyis;lkjxuyis;\??\c:\windows\system32\drivers\lkjxuyis.sys --> c:\windows\system32\drivers\lkjxuyis.sys [?]
S1 llutzada;llutzada;\??\c:\windows\system32\drivers\llutzada.sys --> c:\windows\system32\drivers\llutzada.sys [?]
S1 mexzkeqy;mexzkeqy;\??\c:\windows\system32\drivers\mexzkeqy.sys --> c:\windows\system32\drivers\mexzkeqy.sys [?]
S1 mxyltugm;mxyltugm;\??\c:\windows\system32\drivers\mxyltugm.sys --> c:\windows\system32\drivers\mxyltugm.sys [?]
S1 pgfcbbmo;pgfcbbmo;\??\c:\windows\system32\drivers\pgfcbbmo.sys --> c:\windows\system32\drivers\pgfcbbmo.sys [?]
S1 pqcsnwaw;pqcsnwaw;\??\c:\windows\system32\drivers\pqcsnwaw.sys --> c:\windows\system32\drivers\pqcsnwaw.sys [?]
S1 prxrthzn;prxrthzn;\??\c:\windows\system32\drivers\prxrthzn.sys --> c:\windows\system32\drivers\prxrthzn.sys [?]
S1 puojxdro;puojxdro;\??\c:\windows\system32\drivers\puojxdro.sys --> c:\windows\system32\drivers\puojxdro.sys [?]
S1 qwmmazyp;qwmmazyp;\??\c:\windows\system32\drivers\qwmmazyp.sys --> c:\windows\system32\drivers\qwmmazyp.sys [?]
S1 rkzfeuof;rkzfeuof;\??\c:\windows\system32\drivers\rkzfeuof.sys --> c:\windows\system32\drivers\rkzfeuof.sys [?]
S1 rojhwzlg;rojhwzlg;\??\c:\windows\system32\drivers\rojhwzlg.sys --> c:\windows\system32\drivers\rojhwzlg.sys [?]
S1 sdbhtaia;sdbhtaia;\??\c:\windows\system32\drivers\sdbhtaia.sys --> c:\windows\system32\drivers\sdbhtaia.sys [?]
S1 szvvgpkk;szvvgpkk;\??\c:\windows\system32\drivers\szvvgpkk.sys --> c:\windows\system32\drivers\szvvgpkk.sys [?]
S1 tmushnuh;tmushnuh;\??\c:\windows\system32\drivers\tmushnuh.sys --> c:\windows\system32\drivers\tmushnuh.sys [?]
S1 vdiwhfbm;vdiwhfbm;\??\c:\windows\system32\drivers\vdiwhfbm.sys --> c:\windows\system32\drivers\vdiwhfbm.sys [?]
S1 vglekhpj;vglekhpj;\??\c:\windows\system32\drivers\vglekhpj.sys --> c:\windows\system32\drivers\vglekhpj.sys [?]
S1 wckltgey;wckltgey;\??\c:\windows\system32\drivers\wckltgey.sys --> c:\windows\system32\drivers\wckltgey.sys [?]
S1 wfeyshfo;wfeyshfo;\??\c:\windows\system32\drivers\wfeyshfo.sys --> c:\windows\system32\drivers\wfeyshfo.sys [?]
S1 xekyvppv;xekyvppv;\??\c:\windows\system32\drivers\xekyvppv.sys --> c:\windows\system32\drivers\xekyvppv.sys [?]
S1 xluzfwyb;xluzfwyb;\??\c:\windows\system32\drivers\xluzfwyb.sys --> c:\windows\system32\drivers\xluzfwyb.sys [?]
S1 ypxmhujq;ypxmhujq;\??\c:\windows\system32\drivers\ypxmhujq.sys --> c:\windows\system32\drivers\ypxmhujq.sys [?]
S3 AKSIM;ActivKey Sim;c:\windows\system32\drivers\aksim.sys [6/28/2007 8:18 PM 27008]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [11/20/2008 9:07 PM 113152]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/8/2008 12:45 PM 23888]
S3 magaService;Lan Discover Agent;c:\program files\Sygate\SSA\maga\maga.exe --> c:\program files\Sygate\SSA\maga\maga.exe [?]
S3 ndisdrv;ndisdrv;\??\c:\windows\system32\ndisdrv.sys --> c:\windows\system32\ndisdrv.sys [?]
S3 SmartUSB;SmartReader-USB;c:\windows\system32\drivers\SmartUSB.sys [1/26/2007 11:05 AM 17024]
S3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\drivers\swnc8u80.sys [8/20/2008 1:35 PM 168192]
S3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\drivers\swumx80.sys [8/20/2008 1:36 PM 142976]
--- Other Services/Drivers In Memory ---
*Deregistered* - uphcleanhlp
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{922E8525-AC7E-4294-ACAA-43712D4423C0}]
2007-04-06 18:36 188416 ----a-w- c:\program files\Common Files\Hewlett-Packard\ActSet\HpActSet.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9AC2D554-AC12-4F1F-AAB9-E6363ADE5381}]
2007-04-06 18:36 188416 ----a-w- c:\program files\Common Files\Hewlett-Packard\ActSet\HpActSet.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B7B3E9B3-FB14-4927-894B-E9124509AF5A}]
2008-04-14 00:12 78848 ----a-w- c:\windows\system32\msiexec.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C99D666B-62E4-461B-A346-9375D55AB9BC}]
2007-04-06 18:36 188416 ----a-w- c:\program files\Common Files\Hewlett-Packard\ActSet\HpActSet.exe
.
Contents of the 'Scheduled Tasks' folder
2010-01-10 c:\windows\Tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}000.job
- c:\progra~1\HEWLET~1\PCCOE~1\Aimsi.dll [2009-03-27 21:35]
2010-01-10 c:\windows\Tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}001.job
- c:\progra~1\HEWLET~1\PCCOE~1\Aimsi.dll [2009-03-27 21:35]
2010-01-10 c:\windows\Tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}000.job
- c:\progra~1\HEWLET~1\PCCOE~1\clinvsi.dll [2008-09-07 22:06]
2010-01-10 c:\windows\Tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}001.job
- c:\program files\Hewlett-Packard\PC COE\coetl32.exe [2007-06-24 05:27]
2010-01-10 c:\windows\Tasks\IDA{DDC3038B-D87C-4DE6-AD88-05C6E3962FA0}000.job
- c:\progra~1\HEWLET~1\PCCOE~1\SWConnSI.dll [2008-07-01 21:27]
2010-01-10 c:\windows\Tasks\IDA{E1B2A4DD-AE06-4B97-9B55-8E8F1348E7FB}000.job
- c:\progra~1\HEWLET~1\PCCOE~1\critupsi.dll [2008-09-07 21:13]
2010-01-10 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 22:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://athp.hp.com/
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{E270AB82-96D5-45DB-ABE3-0BC038B92334} - c:\program files\Hewlett-Packard\IEToolBar\HP IE Fix.exe
Trusted Zone: compaq.com
Trusted Zone: compaq.com\ie.config.asia
Trusted Zone: compaq.com\ie.config.eur
Trusted Zone: compaq.com\ie.config.im.hou
Trusted Zone: compaq.com\ie.config.jp
Trusted Zone: cpqcorp.net
Trusted Zone: dcu.org
Trusted Zone: dec.com
Trusted Zone: dec.com\ie.config.ecom
Trusted Zone: hp.com
Trusted Zone: hpe-learning.com
Trusted Zone: hpqcorp.net
Trusted Zone: hpshopping.com
Trusted Zone: tandem.com
Trusted Zone: tandem.com\ie.config
Trusted Zone: compaq.com\ie.config.asia
Trusted Zone: compaq.com\ie.config.eur
Trusted Zone: compaq.com\ie.config.im.hou
Trusted Zone: compaq.com\ie.config.jp
Trusted Zone: dec.com\ie.config.ecom
Trusted Zone: tandem.com\ie.config
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} - hxxp://10.64.176.27:8080/qcbin/Spider90.ocx
.
- - - - ORPHANS REMOVED - - - -
Notify-NavLogon - (no file)
SafeBoot-Symantec Antvirus
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-10 15:09
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1804)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(1860)
c:\windows\system32\setuid.dll
- - - - - - - > 'explorer.exe'(5484)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Symantec AntiVirus\Smc.exe
c:\program files\Symantec AntiVirus\SNAC.EXE
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\cvsnt\cvslock.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\System32\vssvc.exe
c:\program files\Symantec AntiVirus\SmcGui.exe
c:\windows\AGRSMMSG.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
c:\program files\WinZip\WZQKPICK.EXE
c:\program files\Xpress Mail\Professional Editon\Connection.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2010-01-10 15:17:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-10 20:17
Pre-Run: 12,736,950,272 bytes free
Post-Run: 13,386,260,480 bytes free
- - End Of File - - 9C585E014BD09A47EA26E261F59BE9A6
- BelahzurSite Admin
-
OS : 7 Home Premium x64
Posts : 34948
Rubies : 218223
Likes : 18
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
- Double-click SystemLook.exe to run it.
- Copy the content of the following codebox into the main textfield:
- Code:
:filefind
iastor.sys
- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Site Admin / Security Administrator
[Prework] - Please PM me if I fail to respond within 24hrs.


- gmjackson44Novice
-
OS : Windows XP
Posts : 11
Rubies : 3182
Likes : 0
SystemLook v1.0 by jpshortstuff (10.01.10)
Log created at 16:08 on 10/01/2010 by smigrego (Administrator - Elevation successful)
========== filefind ==========
Searching for "iastor.sys"
C:\hp\drivers\hdd\IASTOR.SYS --a--- 268800 bytes [18:17 10/04/2007] [20:31 02/10/2006] DC3B6AD2EAA99C53B82E6FBCA3630138
C:\WINDOWS\system32\drivers\iaStor.sys ------ 268800 bytes [16:13 20/04/2007] [17:17 10/01/2010] 9D1F5A94922B51F256995D8D09A2B215
-=End Of File=-
- BelahzurSite Admin
-
OS : 7 Home Premium x64
Posts : 34948
Rubies : 218223
Likes : 18
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Open notepad and copy/paste the text in the quotebox below into it:
FCopy::
C:\hp\drivers\hdd\IASTOR.SYS | C:\WINDOWS\system32\drivers\iaStor.sys
Driver::
cisndo
xcpcyo
ahonxsvs
bccsykjh
cgsjtvse
cmpwodfd
cvetctjx
cyffsfbr
elkcnahb
enipttla
eurdnxjr
fxgsanni
grcqgdwc
gvaclqww
hicrzubn
hkdzxxfg
hnsjkkni
ibrxfqoh
jdqhzybe
jqnoydld
jvwisrdd
kajxnpsl
kixjvkbz
lkjxuyis
llutzada
mexzkeqy
mxyltugm
pgfcbbmo
pqcsnwaw
prxrthzn
puojxdro
qwmmazyp
rkzfeuof
rojhwzlg
sdbhtaia
szvvgpkk
tmushnuh
vdiwhfbm
vglekhpj
wckltgey
wfeyshfo
xekyvppv
xluzfwyb
ypxmhujq
ndisdrv
- Save this as CFScript.txt, in the same location as ComboFix.exe
- Referring to the picture above, drag CFScript into ComboFix.exe
- When finished, it shall produce a log for you at C:\ComboFix.txt
- Please post the contents of the log in your next reply.
Site Admin / Security Administrator
[Prework] - Please PM me if I fail to respond within 24hrs.
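Added example, not a tool from this thread or from ComboFix/SystemLook: a small Python triage script that applies the reasoning behind the two replies above (the SystemLook filefind check and the CFScript that follows it) to constructed copies of the log lines. It flags the service entries with short randomized names and no backing file, and checks whether the installed iaStor.sys has the same size but a different hash from HP's vendor copy. The heuristics and function names are my own assumptions.

```python
"""Triage helper for the ComboFix and SystemLook logs in this thread
(added example; the heuristics below are assumptions, not ComboFix logic)."""
import re

# Constructed sample in the shape of the ComboFix "Drivers/Services" listing
# above (a handful of lines; the real log had some forty S1 entries).
COMBOFIX_SERVICES = r"""
R1 NEOFLTR_610_13733;Juniper Networks TDI Filter Driver (NEOFLTR_610_13733);c:\windows\system32\drivers\NEOFLTR_610_13733.sys [11/26/2008 9:56 PM 64160]
R2 CVS;CVSNT;c:\program files\cvsnt\cvsservice.exe [8/19/2004 3:39 AM 35328]
S0 cisndo;cisndo;c:\windows\system32\drivers\rxlso.sys --> c:\windows\system32\drivers\rxlso.sys [?]
S0 xcpcyo;xcpcyo; [x]
S1 ahonxsvs;ahonxsvs;\??\c:\windows\system32\drivers\ahonxsvs.sys --> c:\windows\system32\drivers\ahonxsvs.sys [?]
S1 bccsykjh;bccsykjh;\??\c:\windows\system32\drivers\bccsykjh.sys --> c:\windows\system32\drivers\bccsykjh.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/8/2008 12:45 PM 23888]
S3 magaService;Lan Discover Agent;c:\program files\Sygate\SSA\maga\maga.exe --> c:\program files\Sygate\SSA\maga\maga.exe [?]
S3 ndisdrv;ndisdrv;\??\c:\windows\system32\ndisdrv.sys --> c:\windows\system32\ndisdrv.sys [?]
"""

# Constructed sample in the shape of the SystemLook ":filefind" output above.
SYSTEMLOOK_FILEFIND = r"""
Searching for "iastor.sys"
C:\hp\drivers\hdd\IASTOR.SYS --a--- 268800 bytes [18:17 10/04/2007] [20:31 02/10/2006] DC3B6AD2EAA99C53B82E6FBCA3630138
C:\WINDOWS\system32\drivers\iaStor.sys ------ 268800 bytes [16:13 20/04/2007] [17:17 10/01/2010] 9D1F5A94922B51F256995D8D09A2B215
"""

# ComboFix service line: "<start type> <name>;<display name>;<image path> [<info>]"
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# Six to eight lowercase letters, nothing else: the naming pattern shared by
# every entry the CFScript above removes (a heuristic, not a ComboFix rule).
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,8}$")


def suspicious_drivers(log_text):
    """Return, in log order, the names of service entries whose binary
    ComboFix could not resolve ([?] or [x]) and whose name is a short
    random-looking lowercase string that doubles as its own display name."""
    found = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        name, display, rest = m.group("name"), m.group("display"), m.group("rest")
        missing = rest.rstrip().endswith(("[?]", "[x]"))
        if missing and name == display and RANDOM_NAME_RE.match(name):
            found.append(name)
    return found


def cfscript_driver_block(names):
    """Render the names as a ComboFix 'Driver::' directive, as in the post above."""
    return "Driver::\n" + "\n".join(names) + "\n"


# SystemLook filefind line: "<path> <attrs> <size> bytes [<ts>] [<ts>] <MD5>"
FILEFIND_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes "
    r"\[(?P<ts1>[^\]]+)\] \[(?P<ts2>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$")


def filefind_entries(log_text):
    """Parse SystemLook ':filefind' result lines into dicts."""
    entries = []
    for line in log_text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            entries.append(d)
    return entries


def compare_copies(entries):
    """Pair the vendor copy (under C:/hp/drivers) with the installed copy
    (under system32/drivers) and report how they differ."""
    ref = next(e for e in entries if "\\hp\\drivers\\" in e["path"].lower())
    live = next(e for e in entries if "\\system32\\drivers\\" in e["path"].lower())
    same_size = ref["size"] == live["size"]
    same_hash = ref["md5"] == live["md5"]
    return {
        "same_size": same_size,
        "same_hash": same_hash,
        # Identical byte count with a different digest points to an in-place
        # patch of the driver rather than a newer build, which is why the
        # CFScript restores it from the vendor copy with FCopy::.
        "patched_in_place": same_size and not same_hash,
    }


if __name__ == "__main__":
    print(cfscript_driver_block(suspicious_drivers(COMBOFIX_SERVICES)))
    print(compare_copies(filefind_entries(SYSTEMLOOK_FILEFIND)))
```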


- gmjackson44Novice
-
OS : Windows XP
Posts : 11
Rubies : 3182
Likes : 0
ComboFix 10-01-04.01 - smigrego 01/10/2010 16:41:37.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1239 [GMT -5:00]
Running from: c:\documents and settings\smigrego\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\smigrego\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Symantec Endpoint Protection *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--------------- FCopy ---------------
c:\hp\drivers\hdd\IASTOR.SYS --> c:\windows\system32\drivers\iaStor.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NDISDRV
-------\Legacy_XCPCYO
-------\Service_ahonxsvs
-------\Service_bccsykjh
-------\Service_cgsjtvse
-------\Service_cisndo
-------\Service_cmpwodfd
-------\Service_cvetctjx
-------\Service_cyffsfbr
-------\Service_elkcnahb
-------\Service_enipttla
-------\Service_eurdnxjr
-------\Service_fxgsanni
-------\Service_grcqgdwc
-------\Service_gvaclqww
-------\Service_hicrzubn
-------\Service_hkdzxxfg
-------\Service_hnsjkkni
-------\Service_ibrxfqoh
-------\Service_jdqhzybe
-------\Service_jqnoydld
-------\Service_jvwisrdd
-------\Service_kajxnpsl
-------\Service_kixjvkbz
-------\Service_lkjxuyis
-------\Service_llutzada
-------\Service_mexzkeqy
-------\Service_mxyltugm
-------\Service_ndisdrv
-------\Service_pgfcbbmo
-------\Service_pqcsnwaw
-------\Service_prxrthzn
-------\Service_puojxdro
-------\Service_qwmmazyp
-------\Service_rkzfeuof
-------\Service_rojhwzlg
-------\Service_sdbhtaia
-------\Service_szvvgpkk
-------\Service_tmushnuh
-------\Service_vdiwhfbm
-------\Service_vglekhpj
-------\Service_wckltgey
-------\Service_wfeyshfo
-------\Service_xcpcyo
-------\Service_xekyvppv
-------\Service_xluzfwyb
-------\Service_ypxmhujq
((((((((((((((((((((((((( Files Created from 2009-12-10 to 2010-01-10 )))))))))))))))))))))))))))))))
.
2010-01-10 21:39 . 2010-01-10 21:40 -------- d-----w- C:\32788R22FWJFW
2010-01-10 20:05 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2010-01-10 20:05 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-01-10 19:49 . 2010-01-10 20:17 -------- d-----w- C:\Combo-Fix
2010-01-09 23:51 . 2010-01-09 23:51 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-01-09 23:49 . 2010-01-09 23:49 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-09 23:49 . 2010-01-09 23:49 -------- d-----w- c:\documents and settings\Default User\Application Data\Juniper Networks
2010-01-09 23:14 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-09 07:05 . 2010-01-09 23:51 -------- d-----w- c:\documents and settings\smigrego\Local Settings\Application Data\nos
2010-01-09 07:05 . 2010-01-10 03:06 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-09 06:30 . 2010-01-09 06:29 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-09 04:26 . 2010-01-09 04:29 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-01-08 16:04 . 2010-01-08 16:04 -------- d-----w- c:\program files\GetITFixes
2010-01-08 07:27 . 2010-01-08 07:27 -------- d-----w- c:\program files\Trend Micro
2010-01-07 23:50 . 2010-01-07 23:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-01-06 23:17 . 2010-01-06 23:17 -------- d-----w- C:\spoolerlogs
2010-01-06 23:09 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-06 23:09 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 21:30 . 2010-01-06 21:30 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-01-06 19:24 . 2010-01-06 19:31 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2010-01-06 05:54 . 2010-01-07 09:12 -------- d-sh--w- c:\documents and settings\smigrego\.COMMgr
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-10 02:48 . 2009-10-24 04:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-10 02:48 . 2010-01-10 02:48 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-09 23:51 . 2008-05-20 14:38 -------- d-----w- c:\documents and settings\smigrego\Application Data\HPAppData
2010-01-09 23:50 . 2007-01-26 16:11 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-09 23:49 . 2008-03-26 16:31 -------- d-----w- c:\program files\Google
2010-01-09 23:49 . 2010-01-09 07:05 1975408 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\GoogleToolbarInstaller_en32_signed.exe
2010-01-09 23:43 . 2010-01-09 23:43 29696 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{5DBB7712-F0C4-5028-736C-558679203AAF}-smss32.exe
2010-01-09 19:28 . 2010-01-09 19:28 29696 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{4715E641-2F82-EE93-C6FB-A28AFB7F6C48}-smss32.exe
2010-01-09 07:33 . 2010-01-09 07:33 29696 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{0558C1F9-03CF-5CF1-3226-B91C4313EC58}-smss32.exe
2010-01-09 07:05 . 2010-01-09 07:05 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-01-09 06:32 . 2007-01-26 15:59 -------- d-----w- c:\program files\Java
2010-01-09 06:15 . 2010-01-09 06:15 29696 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{149A5678-9634-D037-22DF-271AE35E02CA}-smss32.exe
2010-01-09 03:41 . 2010-01-09 03:41 29696 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{F7B05C94-7867-5DF4-D1F6-F9B949207D17}-smss32.exe
2010-01-09 00:06 . 2010-01-09 00:06 29696 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{C00D58E0-3D64-B5D2-7757-2A3D25AA578C}-smss32.exe
2010-01-08 21:04 . 2010-01-08 21:04 29696 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{7E9B6BE1-6B19-24E1-0534-C23D5EE9FE84}-smss32.exe
2010-01-08 19:23 . 2010-01-08 19:23 29696 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{FCBF0855-D5A2-8050-A245-FC4CAE94655A}-smss32.exe
2010-01-08 18:35 . 2007-01-26 16:18 -------- d-----w- c:\program files\symantec antivirus
2010-01-08 17:35 . 2010-01-08 17:35 24580 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{831B347A-E14F-AFAB-A60C-39652E985A7E}-notepad.exe
2010-01-08 08:10 . 2010-01-08 08:10 29696 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{DEC5F7AE-B8FD-D748-F66E-BE720FCF392D}-smss32.exe
2010-01-08 04:34 . 2007-01-26 14:51 -------- d-----w- c:\program files\Hewlett-Packard
2009-12-10 05:07 . 2008-03-25 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-02 15:25 . 2009-04-07 14:25 -------- d-----w- c:\program files\CrashPlan
2009-11-21 15:51 . 1980-01-01 00:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-20 11:08 . 2010-01-09 23:51 38784 ----a-w- c:\documents and settings\smigrego\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-20 11:08 . 2010-01-09 23:50 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-29 05:38 . 1980-01-01 00:00 667136 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 1980-01-01 00:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 1980-01-01 00:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-03 23:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 1980-01-01 00:00 270336 ----a-w- c:\windows\system32\oakley.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2009-04-17 95536]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX4800 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [2005-02-02 98304]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2006-03-31 184320]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-16 794713]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"QuickPassword"="c:\program files\ActivCard\ActivCard Gold\agquickp.exe" [2007-06-26 225280]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-05-08 131072]
"IDA"="c:\program files\Hewlett-Packard\PC COE\IDA.EXE" [2008-08-12 176128]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 454656]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"COEMsgDisplay"="c:\program files\Hewlett-Packard\PC COE\COEMsgDisplay.exe" [2007-04-12 26624]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-07-08 115560]
"AGRSMMSG"="AGRSMMSG.exe" [2006-01-30 88203]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.exe" [2006-01-17 53248]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2008-12-01 33280]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2006-01-14 172032]
"GetITIcon"="c:\program files\Hewlett-Packard\GetITIcon\GetITShell.exe" [2009-05-05 864256]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2009-04-17 54576]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]
"GetIT"="c:\program files\Hewlett-Packard\GetIT\GetIT.exe" [2007-12-04 286720]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-09 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2009-8-11 1459392]
CrashPlan Tray.lnk - c:\program files\CrashPlan\CrashPlanTray.exe [2009-11-6 217088]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2008-3-24 184320]
WinZip Quick Pick.lnk - c:\windows\Installer\{9FDF923E-DB53-41E4-8CE6-8DEB8301C12E}\Icon_WZQKPICK.EXE [2008-3-24 65536]
Xpress Mail Professional Edition.lnk - c:\program files\Xpress Mail\Professional Editon\XpressMailDesktopClient.exe [2009-7-1 3082352]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
"DisableNT4Policy"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 1 (0x1)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 setuid
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^smigrego^Start Menu^Programs^Startup^HP.OutlookUtility.TaskbarNotifier.lnk]
path=c:\documents and settings\smigrego\Start Menu\Programs\Startup\HP.OutlookUtility.TaskbarNotifier.lnk
backup=c:\windows\pss\HP.OutlookUtility.TaskbarNotifier.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\radexecd.exe"=
"c:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\RadUIShell.exe"=
"c:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\radtray.exe"=
"c:\\Program Files\\symantec antivirus\\Smc.exe"=
"c:\\Program Files\\symantec antivirus\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\CrashPlan\\CrashPlanService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Hewlett-Packard\\PC COE\\coetl32.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\hpswp_clipbook.exe"=
"c:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"=
R1 NEOFLTR_610_13733;Juniper Networks TDI Filter Driver (NEOFLTR_610_13733);c:\windows\system32\drivers\NEOFLTR_610_13733.sys [11/26/2008 9:56 PM 64160]
R2 acautoreg;ActivCard Gold Autoregister;c:\program files\Common Files\ActivCard\acautoreg.exe [6/26/2007 5:06 PM 53248]
R2 Accoca;ActivCard Gold service;c:\program files\Common Files\ActivCard\accoca.exe [5/12/2004 5:51 PM 143360]
R2 AvChgSvc;HP-AV Change Monitor Service;c:\progra~1\HPAVAD~1\avChgSvc.exe [10/17/2008 4:24 PM 238080]
R2 CrashPlanService;CrashPlan Backup Service;c:\program files\CrashPlan\CrashPlanService.exe [2/2/2009 9:10 PM 150016]
R2 CVS;CVSNT;c:\program files\cvsnt\cvsservice.exe [8/19/2004 3:39 AM 35328]
R2 radexecd;HP OVCM Notify Daemon;c:\program files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe [2/20/2007 1:59 PM 270510]
R2 radsched;HP OVCM Scheduler Daemon;c:\program files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe [3/22/2007 5:19 PM 172205]
R2 Radstgms;HP OVCM MSI Redirector;c:\program files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe [3/20/2007 12:03 PM 315570]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/25/2008 1:18 PM 24652]
R3 akbus;ActivCard Virtual Reader Enumerator;c:\windows\system32\drivers\akbus.sys [1/26/2007 11:05 AM 13619]
R3 akpcsc;ActivCard Virtual PC/SC Device Driver;c:\windows\system32\drivers\akpcsc.sys [1/26/2007 11:05 AM 9493]
R3 aksbus;ActivIdentity Virtual Reader Enumerator;c:\windows\system32\drivers\aksbus.sys [4/6/2007 11:46 AM 13647]
R3 akspcsc;ActivIdentity Virtual PC/SC Device Driver;c:\windows\system32\drivers\akspcsc.sys [6/28/2007 8:19 PM 10161]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/16/2009 11:52 AM 102448]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [4/10/2007 1:17 PM 88192]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [4/10/2007 1:17 PM 36608]
R3 RadiaMsi;RadiaMsi;c:\windows\system32\drivers\radiamsi.sys [8/3/2007 9:31 AM 23424]
R3 WSUSBDMAN;VMware VDM Virtual Client USB Manager;c:\windows\system32\drivers\WSUSBDMAN.sys [1/19/2008 12:43 AM 19840]
S3 AKSIM;ActivKey Sim;c:\windows\system32\drivers\aksim.sys [6/28/2007 8:18 PM 27008]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [11/20/2008 9:07 PM 113152]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/8/2008 12:45 PM 23888]
S3 magaService;Lan Discover Agent;c:\program files\Sygate\SSA\maga\maga.exe --> c:\program files\Sygate\SSA\maga\maga.exe [?]
S3 SmartUSB;SmartReader-USB;c:\windows\system32\drivers\SmartUSB.sys [1/26/2007 11:05 AM 17024]
S3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\drivers\swnc8u80.sys [8/20/2008 1:35 PM 168192]
S3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\drivers\swumx80.sys [8/20/2008 1:36 PM 142976]
--- Other Services/Drivers In Memory ---
*Deregistered* - uphcleanhlp
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{922E8525-AC7E-4294-ACAA-43712D4423C0}]
2007-04-06 18:36 188416 ----a-w- c:\program files\Common Files\Hewlett-Packard\ActSet\HpActSet.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9AC2D554-AC12-4F1F-AAB9-E6363ADE5381}]
2007-04-06 18:36 188416 ----a-w- c:\program files\Common Files\Hewlett-Packard\ActSet\HpActSet.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B7B3E9B3-FB14-4927-894B-E9124509AF5A}]
2008-04-14 00:12 78848 ----a-w- c:\windows\system32\msiexec.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C99D666B-62E4-461B-A346-9375D55AB9BC}]
2007-04-06 18:36 188416 ----a-w- c:\program files\Common Files\Hewlett-Packard\ActSet\HpActSet.exe
.
Contents of the 'Scheduled Tasks' folder
2010-01-10 c:\windows\Tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}000.job
- c:\progra~1\HEWLET~1\PCCOE~1\Aimsi.dll [2009-03-27 21:35]
2010-01-10 c:\windows\Tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}001.job
- c:\progra~1\HEWLET~1\PCCOE~1\Aimsi.dll [2009-03-27 21:35]
2010-01-10 c:\windows\Tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}000.job
- c:\progra~1\HEWLET~1\PCCOE~1\clinvsi.dll [2008-09-07 22:06]
2010-01-10 c:\windows\Tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}001.job
- c:\program files\Hewlett-Packard\PC COE\coetl32.exe [2007-06-24 05:27]
2010-01-10 c:\windows\Tasks\IDA{DDC3038B-D87C-4DE6-AD88-05C6E3962FA0}000.job
- c:\progra~1\HEWLET~1\PCCOE~1\SWConnSI.dll [2008-07-01 21:27]
2010-01-10 c:\windows\Tasks\IDA{E1B2A4DD-AE06-4B97-9B55-8E8F1348E7FB}000.job
- c:\progra~1\HEWLET~1\PCCOE~1\critupsi.dll [2008-09-07 21:13]
2010-01-10 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 22:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://athp.hp.com/
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{E270AB82-96D5-45DB-ABE3-0BC038B92334} - c:\program files\Hewlett-Packard\IEToolBar\HP IE Fix.exe
Trusted Zone: compaq.com
Trusted Zone: compaq.com\ie.config.asia
Trusted Zone: compaq.com\ie.config.eur
Trusted Zone: compaq.com\ie.config.im.hou
Trusted Zone: compaq.com\ie.config.jp
Trusted Zone: cpqcorp.net
Trusted Zone: dcu.org
Trusted Zone: dec.com
Trusted Zone: dec.com\ie.config.ecom
Trusted Zone: hp.com
Trusted Zone: hpe-learning.com
Trusted Zone: hpqcorp.net
Trusted Zone: hpshopping.com
Trusted Zone: tandem.com
Trusted Zone: tandem.com\ie.config
Trusted Zone: compaq.com\ie.config.asia
Trusted Zone: compaq.com\ie.config.eur
Trusted Zone: compaq.com\ie.config.im.hou
Trusted Zone: compaq.com\ie.config.jp
Trusted Zone: dec.com\ie.config.ecom
Trusted Zone: tandem.com\ie.config
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} - hxxp://10.64.176.27:8080/qcbin/Spider90.ocx
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-10 16:49
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1804)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(1860)
c:\windows\system32\setuid.dll
- - - - - - - > 'explorer.exe'(4784)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Symantec AntiVirus\Smc.exe
c:\program files\Symantec AntiVirus\SNAC.EXE
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\cvsnt\cvslock.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\UPHClean\uphclean.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\System32\vssvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Symantec AntiVirus\SmcGui.exe
c:\windows\AGRSMMSG.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
c:\program files\WinZip\WZQKPICK.EXE
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2010-01-10 16:56:44 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-10 21:56
ComboFix2.txt 2010-01-10 20:17
Pre-Run: 13,363,138,560 bytes free
Post-Run: 13,327,261,696 bytes free
- - End Of File - - 1FEB1DDFF8CEA58D92D13629E337842C
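A small triage script for ComboFix output of the kind posted above, added here as an example; it is not part of the original post and not ComboFix's own code. It parses three things ComboFix prints in a fixed format: the `-------\Service_<name>` deletion lines, the `R*`/`S*` service lines (where a trailing `[?]` means the image file no longer exists on disk, as with `magaService` above), and the `DLLs Loaded Under Running Processes` block. From those it lists services whose binary is missing, services whose binary lives under a user profile or temp directory (the `SUSPECT_DIRS` list is an assumed baseline, not taken from the log), service names that look machine-generated (an assumed heuristic: 6 to 8 lower-case letters with no vowel or a run of five consonants, which catches most of the eight-letter names ComboFix removed in this log but not pronounceable ones like `cisndo`), and the DLLs loaded in `lsass.exe`, so the `setuid.dll` entry can be compared against the LSA `Authentication Packages` value the log lists rather than guessed at. The sample log is constructed from lines in the log's format; the `exsvc` line is hypothetical and only there to exercise the location check.

```python
# Triage helpers for ComboFix output: heuristics for review, not verdicts.
# Added example, not ComboFix code. Parses '-------\Service_<name>' deletion
# lines, R*/S* service lines and the 'DLLs Loaded Under Running Processes'
# block in the format ComboFix prints.
import re

VOWELS = set("aeiou")

# Assumed baseline (not from the log): directories where a legitimate
# service image almost never lives on an XP box. Tune for the environment.
SUSPECT_DIRS = ("\\local settings\\temp\\", "\\application data\\",
                "c:\\windows\\temp\\", "c:\\temp\\", "c:\\recycler\\")

SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
DELETED_RE = re.compile(r"^-------\\Service_(?P<name>\S+)$")
PROC_RE = re.compile(r"^- - - - - - - > '(?P<proc>[^']+)'\((?P<pid>\d+)\)$")


def parse_service(line):
    """Return (state, name, image_path, present) for an R*/S* line, else None."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").rstrip()
    # ComboFix writes 'path --> path [?]' when the image is missing on disk
    # and 'path [m/d/yyyy h:mm AM size]' when it found the file.
    present = not rest.endswith("[?]")
    image = re.sub(r"\s*\[[^\]]*\]$", "", rest.split(" --> ")[0])
    return m.group("state"), m.group("name"), image, present


def longest_consonant_run(name):
    run = best = 0
    for ch in name:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def looks_generated(name):
    """Assumed heuristic for dropper-style names: 6-8 lower-case ASCII letters
    with no vowel at all, or a run of five consonants. It misses pronounceable
    random names (e.g. 'cisndo') and can hit ugly vendor names: review, don't act."""
    if not (name.isascii() and name.isalpha() and name.islower()):
        return False
    if not 6 <= len(name) <= 8:
        return False
    return not (set(name) & VOWELS) or longest_consonant_run(name) >= 5


def triage(log_text):
    """Parse the three ComboFix blocks and return review lists."""
    services, deleted, dlls, current = [], [], {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = DELETED_RE.match(line)
        if m:
            deleted.append(m.group("name"))
            continue
        m = PROC_RE.match(line)
        if m:                       # "- - - > 'lsass.exe'(1860)" opens a DLL list
            current = m.group("proc").lower()
            dlls[current] = []
            continue
        if current is not None and line.lower().endswith(".dll"):
            dlls[current].append(line)
            continue
        current = None              # anything else closes the DLL list
        svc = parse_service(line)
        if svc:
            services.append(svc)
    return {
        "missing_binary": [n for _, n, _, ok in services if not ok],
        "suspect_location": [n for _, n, img, _ in services
                             if any(d in img.lower() for d in SUSPECT_DIRS)],
        "generated_names": [n for n in deleted + [s[1] for s in services]
                            if looks_generated(n)],
        "lsass_dlls": dlls.get("lsass.exe", []),
    }


# Constructed sample in ComboFix's format. Every line except 'exsvc' is copied
# from the log in this thread; the 'exsvc' line is hypothetical, added only to
# exercise the location check.
SAMPLE_LOG = r"""
-------\Service_ahonxsvs
-------\Service_bccsykjh
-------\Service_cisndo
-------\Service_xcpcyo
-------\Service_ypxmhujq
R2 acautoreg;ActivCard Gold Autoregister;c:\program files\Common Files\ActivCard\acautoreg.exe [6/26/2007 5:06 PM 53248]
R2 radsched;HP OVCM Scheduler Daemon;c:\program files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe [3/22/2007 5:19 PM 172205]
R2 exsvc;Example Service;c:\documents and settings\smigrego\Local Settings\Temp\exsvc.exe [1/9/2010 1:02 AM 29696]
S3 magaService;Lan Discover Agent;c:\program files\Sygate\SSA\maga\maga.exe --> c:\program files\Sygate\SSA\maga\maga.exe [?]
- - - - - - - > 'winlogon.exe'(1804)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(1860)
c:\windows\system32\setuid.dll
"""

if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(f"{key}: {items}")
```

Run it as a script to print the report, or call `triage()` on the text of a real log. Every list it returns is a review queue, not a verdict: the `magaService` entry merely points at a file that is no longer on disk, and a DLL loaded in `lsass.exe` is normal for smart-card and single-sign-on products, so each flagged item still needs the file itself checked (publisher, signature, install date) before anything is removed.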
- Belahzur (Site Admin)
OS : 7 Home Premium x64
Posts : 34948
Rubies : 218223
Likes : 18
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
ComboFix /uninstall
This will also reset your restore points.
How is the machine running now?
Site Admin / Security Administrator
[Prework] - Please PM me if I fail to respond within 24hrs.

