# pc health folder deleted



## sancho212 (Jun 17, 2009)

Hello everybody, I'm new to posting on this forum, even though I am not new to this site, as I have turned to this helpful website before to fix some problems on my computer. That being said, here is my actual dilemma. My sister's computer is infected by a virus, trojans and some spyware as well. What's the best way to get rid of those without having to take this to a technician? Also, while trying to remove the "virus" I accidentally removed the pchealth folder. I have now learned that this is not a virus but an actual program from Windows. How can I get it back? I don't have the Windows CD, and if I don't have this program back I can't run msconfig. Any ideas or suggestions would be greatly appreciated.


----------



## sancho212 (Jun 17, 2009)

Hello, I have been reading some of the threads and you seem like a very knowledgeable guy. Can you please help me with my problem(s)? I have several problems with this computer; it seems like it is all infected with viruses and spyware. I have been trying to get rid of them with Panda and VIPRE, but they don't seem to be working for this one. Also, I have tried to download Malwarebytes, but for some reason it will only scan and tell me that I have several infections that are bad for my computer, but in order to get rid of them I have to pay. Please help, as I don't know what to do anymore. Here is the HijackThis log; hopefully you will be able to help me.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:49:01 p.m., on 18/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
c:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://latino.aol.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\HP_Administrator\hthdl.exe \s
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Aplicación auxiliar de inicio de sesión - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [LifeCam] "c:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [eligmini] C:\Program Files\Fisher-Price\Easy-Link internet launch pad\Easy-Link internet launch pad.exe 0
O4 - HKLM\..\Run: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SBAMTray] c:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [12CFG914-K641-26SF-N31P] C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0850\vsse32.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Actualizaciones de HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm265YYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Agregar entrada - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Agregar entrada en Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Resources/2.0.4.69/cab/aolpPlugins.10.4.0.4.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://xxpequena221984.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-c48dffeb778fd1f7.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/latinojuegos/safari-island/zylomplayer.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/latinojuegos/popcap_loader/popcaploader_v10_es.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Unknown owner - C:\VIRUSfighter\Npm\bin\ELOGSVC.EXE (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\VIRUSfighter\Npm\bin\NJEEVES.EXE (file missing)
O23 - Service: Norman Scanner Engine Service (nsesvc) - Unknown owner - C:\VIRUSfighter\Nse\bin\NSESVC.EXE (file missing)
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Unknown owner - C:\VIRUSfighter\Nvc\BIN\NVCSCHED.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - c:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
--
End of file - 12108 bytes


----------



## sancho212 (Jun 17, 2009)

Bump. Can somebody please help me with my problems?


----------



## cybertech (Apr 16, 2002)

Hi, Welcome to TSG!!

Download *ATF Cleaner* by Atribune.

Double-click *ATF-Cleaner.exe* to run the program.
Under *Main* choose: *Select All*
Click the *Empty Selected* button.

Click *Exit* on the Main menu to close the program.

Download Malwarebytes' Anti-Malware from *Here*.

Double-click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & Paste the entire report in your next reply.
Extra Note:

*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.*


----------



## sancho212 (Jun 17, 2009)

cybertech, thank you very much for your help so far. I have done as instructed and this is what Anti-Malware came out with. It also said that there were two files that could not be deleted, but unfortunately I was reading too fast and did not write them down, and I am not sure if the log at the bottom will say anything about those two files. Please let me know what the next step is.

Malwarebytes' Anti-Malware 1.38
Database version: 2310
Windows 5.1.2600 Service Pack 3
19/06/2009 07:15:23 p.m.
mbam-log-2009-06-19 (19-15-23).txt
Scan type: Quick Scan
Objects scanned: 98482
Time elapsed: 11 minute(s), 25 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 30
Registry Values Infected: 5
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2763e333-b168-41a0-a112-d35f96f410c0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{72ee7f04-15bd-4845-a005-d6711144d86a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbcb-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f87d7fb5-9dc5-4c8c-b998-d8dfe02e2978} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1e0de227-5ce4-4ea3-ab0c-8b03e1aa76bc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e79dfbc0-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2eff3cf7-99c1-4c29-bc2b-68e057e22340} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3e720452-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7473d294-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\MyWebSearch.OutlookAddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\MyWebSearch.OutlookAddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12cfg914-k641-26sf-n31p (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3PopularScreensavers (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\HP_Administrator\hthdl.exe \s) Good: (Userinit.exe) -> Quarantined and deleted successfully.
Folders Infected:
c:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0850 (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
c:\WINDOWS\system32\drivers\lopzqyvw.sys (Backdoor.Bot) -> Delete on reboot.
c:\RECYCLER\s-1-5-21-0243336031-4052116379-881863308-0850\Desktop.ini (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\f3PSSavr.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\secupdat.dat (Backdoor.Bot) -> Delete on reboot.
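As an added example (not from this thread and not Malwarebytes' own code), the following Python parses an MBAM report of the shape posted above, checks that the number of items parsed under each heading agrees with the summary counts at the top of the log, and pulls out the entries whose action is "Delete on reboot", which is exactly the detail sancho212 did not manage to write down. The sample log is a constructed excerpt of the report above, with the summary counts reduced to match the excerpt.

```python
import re
from collections import Counter

# Constructed sample: an excerpt of the Malwarebytes report posted above. The summary
# counts are those of the excerpt, not of the full report.
MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.38
Database version: 2310
Objects scanned: 98482
Memory Processes Infected: 0
Registry Data Items Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\HP_Administrator\hthdl.exe \s) Good: (Userinit.exe) -> Quarantined and deleted successfully.
Files Infected:
c:\WINDOWS\system32\drivers\lopzqyvw.sys (Backdoor.Bot) -> Delete on reboot.
c:\RECYCLER\s-1-5-21-0243336031-4052116379-881863308-0850\Desktop.ini (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\f3PSSavr.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\secupdat.dat (Backdoor.Bot) -> Delete on reboot.
"""

# "Files Infected: 4" is a summary count; "Files Infected:" (no number) opens a section.
COUNT_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<n>\d+)$")
HEADING_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# Every detection line has the shape "<path> (<Family>) -> <rest>".
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
# Registry data items carry the bad and the restored value before the action.
BAD_GOOD_RE = re.compile(r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> (?P<action>.+)$")


def parse_mbam(text):
    """Return {'counts': {section: declared count}, 'items': [detections]}."""
    counts, items, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[m.group("name")] = int(m.group("n"))
            continue
        m = HEADING_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = ITEM_RE.match(line)
        if m and section:
            item = {"section": section, "path": m.group("path"), "family": m.group("family")}
            rest = m.group("rest")
            bg = BAD_GOOD_RE.match(rest)
            if bg:
                item["bad"], item["good"] = bg.group("bad"), bg.group("good")
                rest = bg.group("action")
            item["action"] = rest.rstrip(".")
            items.append(item)
    return {"counts": counts, "items": items}


def pending_reboot(report):
    """Paths MBAM could not remove immediately; they are gone only after a restart."""
    return [it["path"] for it in report["items"]
            if it["action"].lower().startswith("delete on reboot")]


def counts_match(report):
    """True when each section holds as many items as the summary declares
    (a quick check that nothing was lost when the log was pasted)."""
    found = Counter(it["section"] for it in report["items"])
    return all(found.get(name, 0) == n for name, n in report["counts"].items())


def families(report):
    """Detections grouped by the family label MBAM assigned."""
    return dict(Counter(it["family"] for it in report["items"]))


if __name__ == "__main__":
    rep = parse_mbam(MBAM_LOG)
    print("counts consistent:", counts_match(rep))
    print("families:", families(rep))
    for path in pending_reboot(rep):
        print("still pending reboot:", path)
```

The "pending reboot" list is the one to carry forward into the next log: a file that is still present after the restart is the signal to switch to a different removal route, as the thread goes on to discuss.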


----------



## cybertech (Apr 16, 2002)

There are two files that needed to be deleted on reboot. I will assume you did restart the machine.

Please post a new HijackThis log.


----------



## sancho212 (Jun 17, 2009)

Thanks once more for helping, cybertech; actually, the two files that needed to be deleted were the ones that I told you about that could not be deleted for some reason. The log that I sent you is from after rebooting the computer; if you still see that they weren't deleted, then I guess we will need to take a different route to delete these two files.
Here is the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:12:43 p.m., on 21/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\HPZipm12.exe
c:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://latino.aol.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Aplicación auxiliar de inicio de sesión - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [LifeCam] "c:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [eligmini] C:\Program Files\Fisher-Price\Easy-Link internet launch pad\Easy-Link internet launch pad.exe 0
O4 - HKLM\..\Run: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SBAMTray] c:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Actualizaciones de HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Agregar entrada - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Agregar entrada en Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Resources/2.0.4.69/cab/aolpPlugins.10.4.0.4.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://xxpequena221984.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-c48dffeb778fd1f7.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/latinojuegos/safari-island/zylomplayer.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/latinojuegos/popcap_loader/popcaploader_v10_es.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Unknown owner - C:\VIRUSfighter\Npm\bin\ELOGSVC.EXE (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\VIRUSfighter\Npm\bin\NJEEVES.EXE (file missing)
O23 - Service: Norman Scanner Engine Service (nsesvc) - Unknown owner - C:\VIRUSfighter\Nse\bin\NSESVC.EXE (file missing)
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Unknown owner - C:\VIRUSfighter\Nvc\BIN\NVCSCHED.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - c:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
--
End of file - 11699 bytes


----------



## cybertech (Apr 16, 2002)

Download ComboFix from one of these locations:

*Link 1*
*Link 2*
*Link 3*

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System

Download the file & save it as it's originally named.

*Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.*

_Please note: once you start ComboFix you should not click anywhere on the ComboFix window, as it can cause the program to stall._

Drag the setup package onto ComboFix.exe and drop it.

Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

At the next prompt, click 'Yes' to run the full ComboFix scan.

When the tool is finished, it will produce a report for you.
Please post the *C:\ComboFix.txt* in your next reply.


----------



## sancho212 (Jun 17, 2009)

Hijack, here is the ComboFix log that you asked me to post; I am not sure if I did it right. After dragging and dropping the Windows service package onto ComboFix and trying to run the ComboFix program, the little window that is in your post never popped up, so I don't know if it was successfully installed, but please let me know if from the log it seems like it didn't, so I can do it again.

ComboFix 09-06-20.04 - HP_Administrator 21/06/2009 17:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.591 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: Sunbelt VIPRE *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\kb913800.exe
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000011_.tmp.dll
c:\windows\system32\muzapp.exe
D:\Autorun.inf
D:\Desktop.ini
.
((((((((((((((((((((((((( Files Created from 2009-05-21 to 2009-06-21 )))))))))))))))))))))))))))))))
.
2009-06-19 23:59 . 2009-06-19 23:59 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-06-19 23:59 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-19 23:59 . 2009-06-19 23:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-19 23:58 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-19 23:58 . 2009-06-19 23:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-18 23:47 . 2009-06-18 23:47 -------- d-----w- c:\program files\Trend Micro
2009-06-18 01:57 . 2009-06-18 20:11 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-18 01:37 . 2009-06-18 20:47 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-17 22:20 . 2009-06-17 22:20 -------- dc----w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-17 03:12 . 2009-06-17 03:12 -------- d-----w- c:\windows\system32\History
2009-06-17 02:58 . 2008-07-07 20:26 253952 ------w- c:\windows\system32\dllcache\es.dll
2009-06-17 02:25 . 2009-06-17 02:26 -------- d-----w- C:\EmergencyUtils
2009-06-17 02:25 . 2009-06-17 02:25 7875 ----a-w- C:\xp_emergencyutil.zip
2009-06-16 08:16 . 2009-06-17 20:52 -------- d-----w- c:\documents and settings\HP_Administrator\Logs
2009-06-16 06:40 . 2009-06-16 06:40 -------- d-----w- c:\windows\system32\scripting
2009-06-16 06:40 . 2009-06-16 06:40 -------- d-----w- c:\windows\l2schemas
2009-06-16 06:40 . 2009-06-16 06:40 -------- d-----w- c:\windows\system32\en
2009-06-16 06:40 . 2009-06-16 06:40 -------- d-----w- c:\windows\system32\bits
2009-06-16 05:12 . 2009-06-16 05:12 -------- d-----w- c:\windows\ServicePackFiles
2009-06-16 04:15 . 2009-05-13 22:30 69936 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2009-06-16 04:14 . 2009-05-13 22:30 13360 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2009-06-10 11:00 . 2009-06-10 11:00 68392 ----a-w- c:\windows\system32\sbbd.exe
2009-06-03 16:24 . 2009-06-03 16:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sunbelt
2009-05-28 18:55 . 2009-05-28 18:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2009-05-28 18:55 . 2009-05-28 18:55 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Sunbelt
2009-05-28 18:53 . 2008-10-09 14:48 202928 ----a-w- c:\windows\system32\drivers\sbtis.sys
2009-05-28 18:52 . 2009-05-28 18:52 -------- d-----w- c:\program files\Sunbelt Software
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-21 22:14 . 2009-05-07 16:37 256 ----a-w- c:\windows\system32\pool.bin
2009-06-17 01:56 . 2007-06-25 22:43 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Yahoo!
2009-06-17 01:56 . 2007-05-10 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-06-17 01:54 . 2007-03-17 20:00 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Netscape
2009-06-17 01:50 . 2006-12-16 15:09 -------- d-----w- c:\program files\Google
2009-06-17 01:49 . 2006-07-31 23:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-16 22:30 . 2007-01-07 01:07 -------- d-----w- c:\program files\MSN Messenger
2009-06-16 08:17 . 2006-07-31 23:23 49736 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-16 06:45 . 2005-08-31 04:01 92947 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-16 06:44 . 2009-06-16 06:44 208896 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
2009-06-16 06:44 . 2009-06-16 06:44 45056 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2009-06-16 06:44 . 2009-06-16 06:44 61440 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
2009-06-16 06:44 . 2009-06-16 06:44 44032 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2009-06-16 06:44 . 2009-06-16 06:44 40960 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
2009-06-16 06:44 . 2009-06-16 06:44 341048 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection3.dll
2009-06-16 06:44 . 2009-06-16 06:44 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
2009-06-16 06:44 . 2009-06-16 06:44 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
2009-06-16 06:44 . 2009-06-16 06:44 163840 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
2009-06-16 04:22 . 2006-07-31 23:23 -------- d-----w- c:\program files\DISC
2009-05-28 18:11 . 2007-01-05 21:49 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Aim
2009-05-28 18:11 . 2007-01-05 21:49 -------- d-----w- c:\program files\AIM
2009-05-28 18:11 . 2006-12-20 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2009-05-28 16:01 . 2006-12-15 23:45 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-05-20 20:04 . 2009-05-20 20:00 13415464 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Research In Motion\BlackBerry\BlackBerryMediaSyncDM.exe
2009-05-14 22:55 . 2007-03-13 20:02 -------- d-----w- c:\program files\Windows Live Safety Center
2009-05-14 16:43 . 2009-05-14 16:43 179 ----a-w- C:\handle.dat
2009-05-14 16:13 . 2009-05-14 16:13 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\MSNInstaller
2009-05-12 17:55 . 2006-07-31 22:46 -------- d-----w- c:\program files\GemMaster
2009-05-12 17:54 . 2006-07-31 22:46 -------- d-----w- c:\program files\EnglishOtto
2009-05-12 17:46 . 2009-02-06 01:08 -------- d-----w- c:\program files\Ares
2009-05-12 17:44 . 2007-01-04 14:53 -------- d-----w- c:\program files\America Online 9.0e
2009-05-12 17:43 . 2009-02-06 01:08 -------- d-----w- c:\program files\America Online 9.0d
2009-05-12 17:43 . 2009-02-06 01:08 -------- d-----w- c:\program files\America Online 9.0c
2009-05-12 17:43 . 2009-02-06 01:07 -------- d-----w- c:\program files\America Online 9.0b
2009-05-12 17:42 . 2009-02-06 01:07 -------- d-----w- c:\program files\America Online 9.0
2009-05-08 17:31 . 2009-05-06 18:36 -------- d-----w- c:\program files\Microsoft Silverlight
2009-05-08 16:05 . 2009-05-08 16:05 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-05-07 15:32 . 2004-08-10 04:00 345600 ------w- c:\windows\system32\localspl.dll
2009-05-06 20:23 . 2009-02-06 17:59 -------- d-----w- c:\program files\Common Files\Research in Motion
2009-05-06 20:18 . 2009-05-06 20:18 -------- d-----w- c:\program files\Common Files\xing shared
2009-05-06 20:18 . 2006-07-31 23:16 -------- d-----w- c:\program files\Common Files\Real
2009-05-06 20:13 . 2007-12-08 20:38 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\InstallShield
2009-05-06 18:35 . 2009-05-06 18:20 -------- d-----w- c:\program files\Windows Live
2009-05-06 18:33 . 2009-05-06 18:33 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-05-06 18:31 . 2009-05-06 18:31 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-05-06 18:21 . 2009-05-06 18:21 -------- d-----w- c:\program files\Microsoft
2009-05-06 18:00 . 2009-05-06 18:00 -------- d-----w- c:\program files\Common Files\Windows Live
2009-04-30 18:56 . 2009-04-30 18:56 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-04-29 04:56 . 2004-08-10 04:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-10 04:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-08-10 04:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-10 04:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2007-04-19 03:06 . 2007-04-19 03:06 251 ----a-w- c:\program files\wt3d.ini
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-16 98304]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-15 1838592]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-01-12 275800]
"VX3000"="c:\windows\vVX3000.exe" [2006-12-05 707360]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2007-08-30 205480]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-02-23 126976]
"eligmini"="c:\program files\Fisher-Price\Easy-Link internet launch pad\Easy-Link internet launch pad.exe" [2007-03-16 487424]
"ISUSScheduler"="c:\program files\common files\installshield\updateservice\issch.exe" [2007-08-28 73728]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-03-26 615696]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2009-06-10 959784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-05-09 1519616]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-06-14 16239616]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Actualizaciones de HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-7-31 36903]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-3-25 1545488]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lopzqyvw.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\America Online 9.0a\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\1166284365\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\America Online 9.0b\\waol.exe"=
"c:\\Program Files\\America Online 9.0c\\waol.exe"=
"c:\\Program Files\\America Online 9.0d\\waol.exe"=
"c:\\Program Files\\America Online 9.0e\\waol.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Common Files\\AOL\\1166284365\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [15/06/2009 11:14 p.m. 13360]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [28/05/2009 01:53 p.m. 202928]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [06/05/2009 01:35 p.m. 55152]
R2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [10/06/2009 06:00 a.m. 980264]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [15/06/2009 11:15 p.m. 69936]
S0 lopzqyvw;lopzqyvw;c:\windows\system32\Drivers\lopzqyvw.sys --> c:\windows\system32\Drivers\lopzqyvw.sys [?]
S2 Ndiskio;Ndiskio;\??\c:\virusfighter\Nse\bin\NDISKIO.SYS --> c:\virusfighter\Nse\bin\NDISKIO.SYS [?]
S3 fsssvc;Windows Live Protección Infantil;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 06:08 p.m. 533360]
S3 nsesvc;Norman Scanner Engine Service;"c:\virusfighter\Nse\bin\NSESVC.EXE" -daemon --> c:\virusfighter\Nse\bin\NSESVC.EXE [?]
S3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers\nvcw32mf.sys [07/02/2009 10:23 p.m. 19512]
S3 NVCScheduler;Norman Virus Control Scheduler;c:\virusfighter\Nvc\BIN\NVCSCHED.EXE --> c:\virusfighter\Nvc\BIN\NVCSCHED.EXE [?]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [30/04/2009 01:56 p.m. 93360]
.
Contents of the 'Scheduled Tasks' folder
2008-08-30 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-12-19 16:06]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-PCDrProfiler - (no file)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://latino.aol.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: &Search
Trusted Zone: trymedia.com
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/latinojuegos/safari-island/zylomplayer.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-21 17:14
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ... 
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(304)
c:\program files\Sunbelt Software\VIPRE\oehook.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\windows\arservice.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\hp\KBD\kbd.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2009-06-21 17:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-21 22:19
Pre-Run: 167,698,554,880 bytes free
Post-Run: 167,693,959,168 bytes free
250 --- E O F --- 2009-06-17 03:12


----------



## cybertech (Apr 16, 2002)

Run Malwarebytes again and post the log please.


----------



## sancho212 (Jun 17, 2009)

cybertech, here is the new Malwarebytes log. Malwarebytes says that there were no malicious files. If the computer is clean, then how come I still see the VIRUSfighter folder in there, and the file that is inside that folder is Nvcse.dll? I don't know if there is another step that we need to take to remove this; to be honest, I don't even know if this is a malicious file, but that's what Google says. Also, I am still unable to open msconfig from the Run box. I am sorry if I am sounding a little bit desperate, but I just want to make sure I am doing the stuff that you asked me to do the right way.

Malwarebytes' Anti-Malware 1.38
Database version: 2310
Windows 5.1.2600 Service Pack 3
22/06/2009 03:32:45 p.m.
mbam-log-2009-06-22 (15-32-45).txt
Scan type: Quick Scan
Objects scanned: 96210
Time elapsed: 4 minute(s), 29 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)


----------



## cybertech (Apr 16, 2002)

That comes from Norman antivirus.

Looks like you had it installed at one time:


> O23 - Service: Norman NJeeves - Unknown owner - C:\VIRUSfighter\Npm\bin\NJEEVES.EXE (file missing)
> O23 - Service: Norman Scanner Engine Service (nsesvc) - Unknown owner - C:\VIRUSfighter\Nse\bin\NSESVC.EXE (file missing)
> O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Unknown owner - C:\VIRUSfighter\Nvc\BIN\NVCSCHED.EXE (file missing)


What anti-virus product are you going to use now?
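The three O23 lines quoted above carry the same marker HijackThis prints for every service whose executable is gone, "(file missing)", and the ComboFix log earlier in the thread prints its own equivalent for service and driver entries (the "--> path [?]" tail) plus a dump of the SafeBoot\Minimal keys. Cross-checking those three things by hand is tedious, so here is a small triage script that does it. It is an added example written for this page, not code from HijackThis, ComboFix or either forum participant. The line formats are taken from the logs as pasted in the thread; reading ComboFix's leading R/S as running/stopped, the digit as the Windows service start type, and the trailing "[?]" as "binary not found" is an assumption. The sample lines are copied from the two logs above. One entry it surfaces, the S0 driver lopzqyvw.sys, is never discussed by either participant and nothing on the page says what it is; the script only reports what the log states, that its file is absent and that it is registered to load in Safe Mode, which is reason enough to identify it before deleting or ignoring it.

```python
"""Flag services and drivers whose binaries are missing, from HijackThis O23
lines and ComboFix service lines.  Added example for this thread; not code
from HijackThis, ComboFix or the forum.  It only reports what the log lines
already say (file absent, start type, SafeBoot registration)."""
import ntpath
import re
from collections import namedtuple

Finding = namedtuple("Finding", "source name path start_type safe_mode note")

# HijackThis:  O23 - Service: <display> - <owner> - <path>[ (file missing)]
HJT_O23 = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$")
# ComboFix (assumed reading of the log format):
#   <R|S><start> <name>;<display>;<image> --> <path> [?]      file absent
#   <R|S><start> <name>;<display>;<path> [<date> <size>]     file present
# R = running, S = stopped; the digit is the Windows service start type.
CF_SVC = re.compile(r"^[RS](?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# ComboFix registry dump: entries permitted to load in Safe Mode.
SAFEBOOT = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\"
    r"(?:Minimal|Network)\\(?P<key>[^\]]+)\]$", re.IGNORECASE)
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}


def _short_name(display):
    """'Norman eLogger service 6 (eLoggerSvc6)' -> 'eLoggerSvc6'."""
    m = re.search(r"\(([^()]+)\)$", display)
    return m.group(1) if m else display


def _cf_path(rest):
    """Resolved path from the tail of a ComboFix service line."""
    return rest.split("-->")[-1].rsplit(" [", 1)[0].strip()


def triage(lines):
    """One Finding per service/driver entry whose binary is not on disk."""
    lines = [ln.strip() for ln in lines]
    safeboot = set()
    for line in lines:
        m = SAFEBOOT.match(line)
        if m:
            safeboot.add(m.group("key").lower())

    findings = []
    for line in lines:
        m = HJT_O23.match(line)
        if m:
            if not m.group("missing"):
                continue
            source, name = "hijackthis", _short_name(m.group("display"))
            path, start = m.group("path"), None
        else:
            m = CF_SVC.match(line)
            if not m or not m.group("rest").endswith(" [?]"):
                continue
            source, name = "combofix", m.group("name")
            path, start = _cf_path(m.group("rest")), int(m.group("start"))
        # SafeBoot keys are either the service name or the driver file name.
        in_safe_mode = bool({name.lower(), ntpath.basename(path).lower()} & safeboot)
        notes = ["binary not on disk"]
        if start == 0:
            notes.append("boot-start driver with no file: confirm whether the key is stale before acting")
        if in_safe_mode:
            notes.append("listed under SafeBoot, so Safe Mode still tries to load it")
        findings.append(Finding(source, name, path, START_TYPES.get(start, "n/a"),
                                in_safe_mode, "; ".join(notes)))
    return findings


# Lines copied from the HijackThis and ComboFix logs posted earlier in this thread.
SAMPLE = r"""
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Unknown owner - C:\VIRUSfighter\Npm\bin\ELOGSVC.EXE (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\VIRUSfighter\Npm\bin\NJEEVES.EXE (file missing)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lopzqyvw.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [15/06/2009 11:14 p.m. 13360]
R2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [10/06/2009 06:00 a.m. 980264]
S0 lopzqyvw;lopzqyvw;c:\windows\system32\Drivers\lopzqyvw.sys --> c:\windows\system32\Drivers\lopzqyvw.sys [?]
S2 Ndiskio;Ndiskio;\??\c:\virusfighter\Nse\bin\NDISKIO.SYS --> c:\virusfighter\Nse\bin\NDISKIO.SYS [?]
S3 nsesvc;Norman Scanner Engine Service;"c:\virusfighter\Nse\bin\NSESVC.EXE" -daemon --> c:\virusfighter\Nse\bin\NSESVC.EXE [?]
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.source}] {f.name:<14} start={f.start_type:<7} "
              f"safeboot={f.safe_mode!s:<5} {f.path}\n    {f.note}")
```

Run against the sample it reports the four Norman leftovers (orphaned entries for a product that was uninstalled) and the boot-start lopzqyvw entry, and stays quiet about sbaphd and SBAMSvc, whose files are present. Entries whose file is missing are harmless to disable, but an entry that is both boot-start and allowed in Safe Mode deserves to be identified, not just deleted, because Safe Mode will not sidestep it.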


----------



## sancho212 (Jun 17, 2009)

Yes, it was installed at one time, but we thought it was a virus and that's the reason it was removed. We recently installed VIPRE Antivirus + Antispyware; it was rated as one of the best antivirus products last year, so we went with that. I hope we made a good choice; as a matter of fact, I just ran a quick scan and it found Backdoor.Bifrost and Cookie: tracking cookies, which I just deleted, so can we say that the computer is clean of viruses and spyware? I still have some more problems with this computer, but I think it's just updating stuff like drivers.


----------



## sancho212 (Jun 17, 2009)

Oops, I was forgetting: before I came to this forum and received your great help, I was attempting to delete the VIRUSfighter folder and I couldn't, and I accidentally deleted the pchealth folder. How can I get that folder back? Do you know, or do I have to make a thread in a different room of this forum?


----------



## cybertech (Apr 16, 2002)

*Follow these steps to uninstall Combofix and tools used in the removal of malware*

 Click *START* then *RUN*
 Now type *Combofix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*; it needs to be there.

Click Start - Run - and type in:

*services.msc*

Click OK.

In the services window find each of these, one at a time:

*Norman eLogger service 6 (eLoggerSvc6)*
*Norman NJeeves*
*Norman Scanner Engine Service (nsesvc)*
*Norman Virus Control Scheduler (NVCScheduler)*

Right click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. 
Exit the Services utility.

Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

You may need to restart the computer, but you should be able to delete the folder now.

Go to C:\Windows\inf\pchealth.inf. 
Right-click and choose install. 
Have your XP CD available.

Note: Open Windows Explorer. Go to Tools, Folder Options and click on the View tab. Make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click "Apply to all folders" Click "Apply" then "OK".

If that fails, since you have an HP device look here: http://www.ehow.com/how_4924683_install-hp-pc-health-check.html


----------



## sancho212 (Jun 17, 2009)

cybertech, is there any other way to re-install the pchealth folder without the CD? We don't have it anymore.


----------



## sancho212 (Jun 17, 2009)

> If that fails, since you have an HP device look here: http://www.ehow.com/how_4924683_install-hp-pc-health-check.html

cybertech, because we don't have the XP CD anymore I went with this option, but to my surprise, after I downloaded it and am ready to install, it is saying that I need to log on with administrator privileges. I don't understand what it means by that, because I am the administrator of the computer and it never gave me that kind of error before when I was installing things.

Regarding the VIRUSfighter folder: the 4 programs that you mentioned that I needed to stop and disable, well, all of them were already stopped, so all I had to do was disable them. I restarted the computer as you suggested so that I could delete the VIRUSfighter folder, but even though I have stopped and disabled these programs, I am still unable to delete this folder.


----------



## cybertech (Apr 16, 2002)

What happens, what error do you get when you try to delete the folder?


----------



## sancho212 (Jun 17, 2009)

Nothing happens, no errors or anything similar; I click on the folder, then right-click and choose Delete, but nothing happens; the folder blinks for less than a second and then comes back. I have restarted the computer assuming that it would be gone by then, but nope, it's still there.

I do, however, get an error when trying to download the file to retrieve the pchealth folder, and it is saying that I need to log on with administrator rights.


----------



## cybertech (Apr 16, 2002)

You want to delete this *folder*, correct?

C:\*VIRUSfighter*


----------



## sancho212 (Jun 17, 2009)

yes, that's correct.


----------



## sancho212 (Jun 17, 2009)

I just tried to delete it again and I noticed a Notepad window opened up with this message. I am sure it is related to the VIRUSfighter folder, and hopefully that will help you figure out how to delete it. Here is the log:

00000032 C:\VIRUSfighter\Nvc\Bin\Nvcse.dll
00000145 C:\VIRUSfighter\Nvc\Bin
00000145 C:\VIRUSfighter\Nvc
00000145 C:\VIRUSfighter
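The four-line log pasted above is more informative than it looks. Its first column lines up exactly with Win32 system error codes read as zero-padded decimals: 32 is ERROR_SHARING_VIOLATION (the file is open in another process) and 145 is ERROR_DIR_NOT_EMPTY (the directory could not be removed because something under it survived). Read that way the log says one thing: Nvcse.dll is mapped or held open by a running process, and every folder failure above it is just the consequence. The script below is an added example written for this page, not the output of or code from any tool in the thread; the thread never names the tool that wrote the log, and treating the first column as decimal Win32 codes is an assumption (it is the reading under which every line is consistent). The error table is a subset of winerror.h; the sample input is the log above, constructed here as a string.

```python
"""Read a recursive-delete failure log as Win32 error codes and find the real
blocker.  Added example for this thread, not from any tool on the page.
Assumption: the first column is a zero-padded decimal Win32 error code."""
import re

# Subset of the Win32 system error codes (winerror.h) that matter for deletes.
WIN32_ERRORS = {
    2:   ("ERROR_FILE_NOT_FOUND",    "path does not exist"),
    3:   ("ERROR_PATH_NOT_FOUND",    "a parent directory does not exist"),
    5:   ("ERROR_ACCESS_DENIED",     "DACL or ownership refuses the caller"),
    32:  ("ERROR_SHARING_VIOLATION", "open in another process; a loaded DLL cannot be deleted"),
    33:  ("ERROR_LOCK_VIOLATION",    "byte-range lock held by another process"),
    145: ("ERROR_DIR_NOT_EMPTY",     "directory still has children, so something below it failed"),
}
LOG_LINE = re.compile(r"^(?P<code>\d{8})\s+(?P<path>\S.*?)\s*$")


def decode(log_text):
    """Parse '<8-digit code> <path>' lines into dicts with error name and hint."""
    out = []
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue
        code = int(m.group("code"), 10)          # assumption: decimal, not hex
        name, hint = WIN32_ERRORS.get(code, ("UNKNOWN_%d" % code, "not in table"))
        out.append({"code": code, "name": name, "path": m.group("path"), "hint": hint})
    return out


def blockers(entries):
    """Entries that failed on their own.  ERROR_DIR_NOT_EMPTY on a parent is
    only a consequence of a child that could not be removed."""
    return [e for e in entries if e["code"] != 145]


def consistent(entries):
    """True if every DIR_NOT_EMPTY directory really has a blocker beneath it."""
    blocking_paths = [e["path"].lower() for e in blockers(entries)]
    for e in entries:
        if e["code"] == 145:
            prefix = e["path"].lower().rstrip("\\") + "\\"
            if not any(p.startswith(prefix) for p in blocking_paths):
                return False
    return True


def report(log_text):
    """Human-readable lines: each failure, its meaning, and the real blocker(s)."""
    entries = decode(log_text)
    lines = ["%-8d %-24s %s  (%s)" % (e["code"], e["name"], e["path"], e["hint"])
             for e in entries]
    for e in blockers(entries):
        lines.append("blocker: %s -> %s" % (e["path"], e["hint"]))
    if not consistent(entries):
        lines.append("warning: a DIR_NOT_EMPTY entry has no failing child in this log")
    return lines


# The log pasted in the post above (constructed here as a string, verbatim).
DELETION_LOG = r"""
00000032 C:\VIRUSfighter\Nvc\Bin\Nvcse.dll
00000145 C:\VIRUSfighter\Nvc\Bin
00000145 C:\VIRUSfighter\Nvc
00000145 C:\VIRUSfighter
"""

if __name__ == "__main__":
    for line in report(DELETION_LOG):
        print(line)
```

The practical consequence: stopping and disabling the Norman services is not enough if some other process still has Nvcse.dll loaded, and Explorer "blinking" the folder back is exactly what a sharing violation on one file inside it looks like. Before deleting again, find out which process holds the DLL (Process Explorer's "Find Handle or DLL" search does this), end or stop that, and retry. A later attempt in this thread fails with "Access is denied" on the same file, which is code 5 in the table above: that is a permissions or ownership problem rather than an open handle, and it is a different fix.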


----------



## cybertech (Apr 16, 2002)

I would suggest deleting the nvcse.dll.
If that works delete the bin folder....
Keep working your way up until you find the problem file.


----------



## sancho212 (Jun 17, 2009)

I just tried your suggestion, but I received an error that says "Cannot delete Nvcse: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use". Maybe it has to do with the same thing that is preventing me from installing the pchealth file.


----------



## cybertech (Apr 16, 2002)

Restart the computer in safe mode and try it again.


----------



## sancho212 (Jun 17, 2009)

I just did that, but I received the same error. I would like to ask you: if you are certain this is not a virus and is not interfering with any other file, then it's okay to leave it there, I guess, but can you please help me with my other problem?


----------



## cybertech (Apr 16, 2002)

Does your machine have an account called "Administrator" ?


----------



## sancho212 (Jun 17, 2009)

cybertech, the machine has an account called "administrator". When it boots up in normal mode it says HP-administrator; when it boots up in safe mode I have two accounts, one that says administrator and one that says HP-administrator. I have tried both, but none of them seem to work. I have checked the user accounts and both of them have administrator privileges; I even created a new account with admin privileges, but I am still unable to install this.


----------



## sancho212 (Jun 17, 2009)

Now that I think about it, even before we did any scans or all that stuff we have been doing to the machine, I got the pop-ups below after booting up the machine in normal mode; I did not mention anything to you about it because I thought it had something to do with the drivers, but could this be related to not being able to install even though I am the administrator?

SMSTray.exe -unable to locate component
This application has failed to start because MFC71LU.DLL was not found Re-installing the application may fix this problem.

Updates from HP.exe - Unable to locate component
This application has failed to start because bwsec.dll was not found. Re-installing the application may fix this problem.

could not load the target dll ("c:\Program Files Updates from HP\9972322\6.3.2.116-9972322\program\Backweb.dll",error code 126)


----------



## cybertech (Apr 16, 2002)

Please download a new copy of combofix and post the resulting log.


----------



## sancho212 (Jun 17, 2009)

Will do. I have a question though: last time, after downloading combofix, you asked me to download another program from this site http://support.microsoft.com/kb/310994

I have not deleted this program, as you did not ask me to, so my question is: should I still drag this program onto combofix once downloaded, just like last time, or should I just run combofix by itself?


----------



## cybertech (Apr 16, 2002)

You can skip that part.


----------



## cybertech (Apr 16, 2002)

SMSTray.exe belongs to Samsung Media Studio 5.


The HP.exe error is being started here: Global Startup Actualizaciones de HP.lnk (C:\Documents and Settings\All Users\Start Menu\Programs\Startup). If you delete the HP.lnk from the startup folder the error will go away.


----------



## sancho212 (Jun 17, 2009)

I know you asked me to run combofix, which I will do as soon as I get home, but can you please also tell me how to get rid of SMSTray.exe? I don't need this program, do I? I will uncheck the HP.exe error as soon as I can get msconfig to work.


----------



## cybertech (Apr 16, 2002)

You can do the same with SMSTray, use msconfig.


----------



## sancho212 (Jun 17, 2009)

Great!! So it seems like my computer is all fixed except for the pchealth folder that I can get back because it is asking me to log on as the admin, and the other error that I need to run combofix for. Man, why did I delete the pchealth folder? Do you know of any other way around this where I can do it without running msconfig?


----------



## cybertech (Apr 16, 2002)

If you have that file from HP downloaded, you can right click on the exe and "Run as Administrator".


I'm not sure your machine is clean yet, that is why I want to see a new Combofix run.


----------



## sancho212 (Jun 17, 2009)

Here is the new log for combofix. I successfully deleted the hp.exe and it doesn't pop up anymore, but SMStray, even though I deleted it as well, still pops up. I just noticed that I have no audio at all; this gets more and more complicated each time.

ComboFix 09-06-26.02 - HP_Administrator 26/06/2009 16:57.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.615 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: Sunbelt VIPRE *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
.
((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-06-26 )))))))))))))))))))))))))))))))
.
2009-06-23 01:33 . 2009-06-23 01:33 -------- d-----w- c:\documents and settings\Monica\Application Data\Research In Motion
2009-06-23 01:33 . 2009-06-23 01:33 -------- d-----w- c:\documents and settings\Monica\Application Data\Sunbelt
2009-06-23 01:32 . 2009-06-23 01:32 -------- d-----w- c:\documents and settings\Monica\Application Data\InstallShield
2009-06-23 01:32 . 2009-06-23 01:32 -------- d-----w- c:\documents and settings\Monica\Local Settings\Application Data\Google
2009-06-23 01:20 . 2009-06-23 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-06-22 23:32 . 2009-06-22 23:32 -------- d-----w- C:\swsetup
2009-06-22 23:31 . 2009-06-22 23:32 13263432 ----a-w- c:\program files\sp39516.exe
2009-06-19 23:59 . 2009-06-19 23:59 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-06-19 23:59 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-19 23:59 . 2009-06-19 23:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-19 23:58 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-19 23:58 . 2009-06-19 23:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-18 23:47 . 2009-06-18 23:47 -------- d-----w- c:\program files\Trend Micro
2009-06-18 01:57 . 2009-06-18 20:11 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-18 01:37 . 2009-06-18 20:47 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-17 22:20 . 2009-06-17 22:20 -------- dc----w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-17 03:12 . 2009-06-17 03:12 -------- d-----w- c:\windows\system32\History
2009-06-17 02:58 . 2008-07-07 20:26 253952 ------w- c:\windows\system32\dllcache\es.dll
2009-06-17 02:25 . 2009-06-17 02:26 -------- d-----w- C:\EmergencyUtils
2009-06-17 02:25 . 2009-06-17 02:25 7875 ----a-w- C:\xp_emergencyutil.zip
2009-06-16 08:16 . 2009-06-17 20:52 -------- d-----w- c:\documents and settings\HP_Administrator\Logs
2009-06-16 06:40 . 2009-06-16 06:40 -------- d-----w- c:\windows\system32\scripting
2009-06-16 06:40 . 2009-06-16 06:40 -------- d-----w- c:\windows\l2schemas
2009-06-16 06:40 . 2009-06-16 06:40 -------- d-----w- c:\windows\system32\en
2009-06-16 06:40 . 2009-06-16 06:40 -------- d-----w- c:\windows\system32\bits
2009-06-16 05:12 . 2009-06-16 05:12 -------- d-----w- c:\windows\ServicePackFiles
2009-06-16 04:15 . 2009-05-13 22:30 69936 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2009-06-16 04:14 . 2009-05-13 22:30 13360 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2009-06-10 11:00 . 2009-06-10 11:00 68392 ----a-w- c:\windows\system32\sbbd.exe
2009-06-03 16:24 . 2009-06-03 16:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sunbelt
2009-05-28 18:55 . 2009-05-28 18:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2009-05-28 18:55 . 2009-05-28 18:55 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Sunbelt
2009-05-28 18:53 . 2008-10-09 14:48 202928 ----a-w- c:\windows\system32\drivers\sbtis.sys
2009-05-28 18:52 . 2009-05-28 18:52 -------- d-----w- c:\program files\Sunbelt Software
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-26 20:45 . 2009-05-07 16:37 256 ----a-w- c:\windows\system32\pool.bin
2009-06-26 20:27 . 2009-05-14 16:43 179 ----a-w- C:\handle.dat
2009-06-23 22:54 . 2006-12-16 15:09 -------- d-----w- c:\program files\Google
2009-06-23 22:13 . 2007-01-05 21:49 -------- d-----w- c:\program files\AIM
2009-06-23 22:05 . 2006-07-31 22:46 -------- d-----w- c:\program files\GemMaster
2009-06-17 01:56 . 2007-06-25 22:43 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Yahoo!
2009-06-17 01:56 . 2007-05-10 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-06-17 01:54 . 2007-03-17 20:00 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Netscape
2009-06-17 01:49 . 2006-07-31 23:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-16 22:30 . 2007-01-07 01:07 -------- d-----w- c:\program files\MSN Messenger
2009-06-16 08:17 . 2006-07-31 23:23 49736 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-16 06:45 . 2005-08-31 04:01 92947 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-16 06:44 . 2009-06-16 06:44 208896 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
2009-06-16 06:44 . 2009-06-16 06:44 45056 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2009-06-16 06:44 . 2009-06-16 06:44 61440 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
2009-06-16 06:44 . 2009-06-16 06:44 44032 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2009-06-16 06:44 . 2009-06-16 06:44 40960 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
2009-06-16 06:44 . 2009-06-16 06:44 341048 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection3.dll
2009-06-16 06:44 . 2009-06-16 06:44 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
2009-06-16 06:44 . 2009-06-16 06:44 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
2009-06-16 06:44 . 2009-06-16 06:44 163840 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
2009-06-16 04:22 . 2006-07-31 23:23 -------- d-----w- c:\program files\DISC
2009-05-28 18:11 . 2007-01-05 21:49 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Aim
2009-05-28 18:11 . 2006-12-20 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2009-05-28 16:01 . 2006-12-15 23:45 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-05-20 20:04 . 2009-05-20 20:00 13415464 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Research In Motion\BlackBerry\BlackBerryMediaSyncDM.exe
2009-05-14 22:55 . 2007-03-13 20:02 -------- d-----w- c:\program files\Windows Live Safety Center
2009-05-14 16:13 . 2009-05-14 16:13 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\MSNInstaller
2009-05-12 17:54 . 2006-07-31 22:46 -------- d-----w- c:\program files\EnglishOtto
2009-05-12 17:46 . 2009-02-06 01:08 -------- d-----w- c:\program files\Ares
2009-05-08 17:31 . 2009-05-06 18:36 -------- d-----w- c:\program files\Microsoft Silverlight
2009-05-08 16:05 . 2009-05-08 16:05 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-05-07 15:32 . 2004-08-10 04:00 345600 ------w- c:\windows\system32\localspl.dll
2009-05-06 20:23 . 2009-02-06 17:59 -------- d-----w- c:\program files\Common Files\Research in Motion
2009-05-06 20:18 . 2009-05-06 20:18 -------- d-----w- c:\program files\Common Files\xing shared
2009-05-06 20:18 . 2006-07-31 23:16 -------- d-----w- c:\program files\Common Files\Real
2009-05-06 20:13 . 2007-12-08 20:38 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\InstallShield
2009-05-06 18:35 . 2009-05-06 18:20 -------- d-----w- c:\program files\Windows Live
2009-05-06 18:33 . 2009-05-06 18:33 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-05-06 18:31 . 2009-05-06 18:31 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-05-06 18:21 . 2009-05-06 18:21 -------- d-----w- c:\program files\Microsoft
2009-05-06 18:00 . 2009-05-06 18:00 -------- d-----w- c:\program files\Common Files\Windows Live
2009-04-30 18:56 . 2009-04-30 18:56 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-04-29 04:56 . 2004-08-10 04:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-10 04:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-08-10 04:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-10 04:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2007-04-19 03:06 . 2007-04-19 03:06 251 ----a-w- c:\program files\wt3d.ini
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-16 98304]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-01-12 275800]
"VX3000"="c:\windows\vVX3000.exe" [2006-12-05 707360]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2007-08-30 205480]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-02-23 126976]
"ISUSScheduler"="c:\program files\common files\installshield\updateservice\issch.exe" [2007-08-28 73728]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-03-26 615696]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2009-06-10 959784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-05-09 1519616]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-06-14 16239616]
c:\documents and settings\Monica\Start Menu\Programs\Startup\
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-7-31 27136]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-3-25 1545488]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lopzqyvw.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\1166284365\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Common Files\\AOL\\1166284365\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [16/06/2009 12:14 a.m. 13360]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [28/05/2009 02:53 p.m. 202928]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [06/05/2009 02:35 p.m. 55152]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [16/06/2009 12:15 a.m. 69936]
S0 lopzqyvw;lopzqyvw;c:\windows\system32\Drivers\lopzqyvw.sys --> c:\windows\system32\Drivers\lopzqyvw.sys [?]
S2 Ndiskio;Ndiskio;\??\c:\virusfighter\Nse\bin\NDISKIO.SYS --> c:\virusfighter\Nse\bin\NDISKIO.SYS [?]
S2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [10/06/2009 07:00 a.m. 980264]
S3 fsssvc;Windows Live Protección Infantil;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 07:08 p.m. 533360]
S3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers\nvcw32mf.sys [07/02/2009 11:23 p.m. 19512]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [30/04/2009 02:56 p.m. 93360]
S4 nsesvc;Norman Scanner Engine Service;"c:\virusfighter\Nse\bin\NSESVC.EXE" -daemon --> c:\virusfighter\Nse\bin\NSESVC.EXE [?]
S4 NVCScheduler;Norman Virus Control Scheduler;c:\virusfighter\Nvc\BIN\NVCSCHED.EXE --> c:\virusfighter\Nvc\BIN\NVCSCHED.EXE [?]
.
Contents of the 'Scheduled Tasks' folder
2008-08-30 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-12-19 16:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: &Search
Trusted Zone: trymedia.com
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/latinojuegos/safari-island/zylomplayer.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-26 17:02
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ... 
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(940)
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-26 17:04
ComboFix-quarantined-files.txt 2009-06-26 21:03
ComboFix2.txt 2009-06-21 22:20
Pre-Run: 171,107,139,584 bytes free
Post-Run: 171,090,984,960 bytes free
207 --- E O F --- 2009-06-17 03:12


----------



## sancho212 (Jun 17, 2009)

Regarding SMStray.exe, I just went to C:\Program Files\Samsung\Samsung Media Studio 5, found it there and deleted it. I hope I don't need that in the near future.


----------



## cybertech (Apr 16, 2002)

Open Notepad and copy and paste the text in the code box below into it:

```
KILLALL::
Folder::
c:\virusfighter
Driver::
lopzqyvw
Ndiskio
nsesvc
NVCScheduler
```
Save this as *CFScript.txt*, in the same location as ComboFix.exe

[picture not preserved: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. It may ask to reboot. Post the contents of c:\Combofix.txt in your next reply together with a new HijackThis log.
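As an added example, not part of this thread and not ComboFix's own tooling, here is a short Python script that applies the same reasoning cybertech used to write this CFScript: it reads the service/driver lines of a ComboFix log, flags entries whose image file is reported missing (the `--> path [?]` form) and any of those that were also registered under SafeBoot\Minimal, then emits a matching CFScript. The sample log lines are constructed from the shapes in this thread; reading `[?]` as "image file not found" is an assumption.

```python
import re

# Constructed sample: a few service lines and SafeBoot registry lines in the
# shape ComboFix prints them (modelled on the log posted in this thread).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lopzqyvw.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [16/06/2009 12:14 a.m. 13360]
S0 lopzqyvw;lopzqyvw;c:\windows\system32\Drivers\lopzqyvw.sys --> c:\windows\system32\Drivers\lopzqyvw.sys [?]
S2 Ndiskio;Ndiskio;\??\c:\virusfighter\Nse\bin\NDISKIO.SYS --> c:\virusfighter\Nse\bin\NDISKIO.SYS [?]
S2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [10/06/2009 07:00 a.m. 980264]
S4 nsesvc;Norman Scanner Engine Service;"c:\virusfighter\Nse\bin\NSESVC.EXE" -daemon --> c:\virusfighter\Nse\bin\NSESVC.EXE [?]
S4 NVCScheduler;Norman Virus Control Scheduler;c:\virusfighter\Nvc\BIN\NVCSCHED.EXE --> c:\virusfighter\Nvc\BIN\NVCSCHED.EXE [?]
"""

# "R1 name;display;image [date size]" or "S0 name;display;image --> resolved [?]"
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
SAFEBOOT_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\([^\]]+)\]$",
    re.IGNORECASE,
)
# Top-level directory of a path, e.g. c:\virusfighter (assumed Windows drive-letter paths)
TOP_DIR_RE = re.compile(r"^([a-z]:\\[^\\]+)", re.IGNORECASE)
# Folders we never propose for removal even if a dead service points into them
PROTECTED_TOP_DIRS = {"c:\\windows", "c:\\program files"}


def parse_services(log):
    """Return one dict per R*/S* service line: name, image path and whether it is orphaned."""
    services = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        # Assumption: "--> path [?]" is ComboFix reporting the image file as missing on disk.
        orphan = "-->" in rest and rest.rstrip().endswith("[?]")
        if orphan:
            image = rest.split("-->", 1)[1].rsplit("[?]", 1)[0].strip()
        else:
            image = rest.rsplit(" [", 1)[0].strip().strip('"')
        if image.startswith("\\??\\"):  # NT object-manager prefix, not part of the file path
            image = image[4:]
        services.append({"start": m.group("start"), "name": m.group("name"),
                         "display": m.group("display"), "image": image, "orphan": orphan})
    return services


def safeboot_entries(log):
    """Lower-case names registered under SafeBoot\\Minimal (these survive a safe-mode boot)."""
    names = set()
    for line in log.splitlines():
        m = SAFEBOOT_RE.match(line.strip())
        if m:
            name = m.group(1).lower()
            names.add(name[:-4] if name.endswith(".sys") else name)
    return names


def triage(log):
    """Orphaned services, the subset also wired into safe mode, and third-party folders they live in."""
    orphans = [s for s in parse_services(log) if s["orphan"]]
    safe = safeboot_entries(log)
    folders = []
    for s in orphans:
        m = TOP_DIR_RE.match(s["image"])
        top = m.group(1).lower() if m else None
        if top and top not in PROTECTED_TOP_DIRS and top not in folders:
            folders.append(top)
    return {
        "orphans": [s["name"] for s in orphans],
        "safeboot_orphans": [s["name"] for s in orphans if s["name"].lower() in safe],
        "folders": folders,
    }


def build_cfscript(log):
    """Render the triage result in the CFScript layout used earlier in this thread."""
    t = triage(log)
    lines = ["KILLALL::"]
    if t["folders"]:
        lines.append("Folder::")
        lines.extend(t["folders"])
    if t["orphans"]:
        lines.append("Driver::")
        lines.extend(t["orphans"])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    print(build_cfscript(SAMPLE_LOG), end="")
```

Anything the script lists is a candidate for a human to check against the rest of the log, not an automatic verdict; the SafeBoot\Minimal hit is the stronger signal, since legitimate software rarely registers a random-looking driver name there.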


----------



## sancho212 (Jun 17, 2009)

Here is the combofix log.

ComboFix 09-06-26.02 - HP_Administrator 26/06/2009 18:33.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.615 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: Sunbelt VIPRE *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\virusfighter
c:\virusfighter\Nvc\Bin\Nvcse.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_LOPZQYVW
-------\Legacy_NDISKIO
-------\Legacy_NSESVC
-------\Legacy_NVCSCHEDULER
-------\Service_lopzqyvw
-------\Service_Ndiskio
-------\Service_nsesvc
-------\Service_NVCScheduler

((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-06-26 )))))))))))))))))))))))))))))))
.
2009-06-26 22:22 . 2009-06-26 22:22 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Downloaded Installations
2009-06-26 22:21 . 2009-06-26 22:22 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\GetRightToGo
2009-06-26 22:09 . 2006-05-16 22:04 2879488 ------w- c:\windows\SkyTel.exe
2009-06-26 22:09 . 2006-07-22 11:40 143360 ------w- c:\windows\system32\RtlCPAPI.dll
2009-06-26 22:09 . 2005-07-15 20:48 40960 ------w- c:\windows\system32\ChCfg.exe
2009-06-26 22:08 . 2009-06-26 22:08 -------- d-----w- c:\program files\Realtek
2009-06-26 22:08 . 2005-04-17 02:20 487424 ------w- c:\windows\RtlExUpd.dll
2009-06-26 21:02 . 2009-06-26 21:02 -------- d-----w- c:\windows\system32\dllcache\cache
2009-06-23 01:33 . 2009-06-23 01:33 -------- d-----w- c:\documents and settings\Monica\Application Data\Research In Motion
2009-06-23 01:33 . 2009-06-23 01:33 -------- d-----w- c:\documents and settings\Monica\Application Data\Sunbelt
2009-06-23 01:32 . 2009-06-23 01:32 -------- d-----w- c:\documents and settings\Monica\Application Data\InstallShield
2009-06-23 01:32 . 2009-06-23 01:32 -------- d-----w- c:\documents and settings\Monica\Local Settings\Application Data\Google
2009-06-23 01:20 . 2009-06-23 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-06-22 23:32 . 2009-06-22 23:32 -------- d-----w- C:\swsetup
2009-06-22 23:31 . 2009-06-22 23:32 13263432 ----a-w- c:\program files\sp39516.exe
2009-06-19 23:59 . 2009-06-19 23:59 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-06-19 23:59 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-19 23:59 . 2009-06-19 23:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-19 23:58 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-19 23:58 . 2009-06-19 23:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-18 23:47 . 2009-06-18 23:47 -------- d-----w- c:\program files\Trend Micro
2009-06-18 01:57 . 2009-06-18 20:11 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-18 01:37 . 2009-06-18 20:47 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-17 22:20 . 2009-06-17 22:20 -------- dc----w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-17 03:12 . 2009-06-17 03:12 -------- d-----w- c:\windows\system32\History
2009-06-17 02:58 . 2008-07-07 20:26 253952 ------w- c:\windows\system32\dllcache\es.dll
2009-06-17 02:25 . 2009-06-17 02:26 -------- d-----w- C:\EmergencyUtils
2009-06-17 02:25 . 2009-06-17 02:25 7875 ----a-w- C:\xp_emergencyutil.zip
2009-06-16 08:16 . 2009-06-17 20:52 -------- d-----w- c:\documents and settings\HP_Administrator\Logs
2009-06-16 06:40 . 2009-06-16 06:40 -------- d-----w- c:\windows\system32\scripting
2009-06-16 06:40 . 2009-06-16 06:40 -------- d-----w- c:\windows\l2schemas
2009-06-16 06:40 . 2009-06-16 06:40 -------- d-----w- c:\windows\system32\en
2009-06-16 06:40 . 2009-06-16 06:40 -------- d-----w- c:\windows\system32\bits
2009-06-16 05:12 . 2009-06-16 05:12 -------- d-----w- c:\windows\ServicePackFiles
2009-06-16 04:15 . 2009-05-13 22:30 69936 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2009-06-16 04:14 . 2009-05-13 22:30 13360 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2009-06-10 11:00 . 2009-06-10 11:00 68392 ----a-w- c:\windows\system32\sbbd.exe
2009-06-03 16:24 . 2009-06-03 16:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sunbelt
2009-05-28 18:55 . 2009-05-28 18:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2009-05-28 18:55 . 2009-05-28 18:55 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Sunbelt
2009-05-28 18:53 . 2008-10-09 14:48 202928 ----a-w- c:\windows\system32\drivers\sbtis.sys
2009-05-28 18:52 . 2009-05-28 18:52 -------- d-----w- c:\program files\Sunbelt Software
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-26 22:41 . 2009-05-07 16:37 256 ----a-w- c:\windows\system32\pool.bin
2009-06-26 22:30 . 2006-07-31 23:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-26 20:27 . 2009-05-14 16:43 179 ----a-w- C:\handle.dat
2009-06-23 22:54 . 2006-12-16 15:09 -------- d-----w- c:\program files\Google
2009-06-23 22:13 . 2007-01-05 21:49 -------- d-----w- c:\program files\AIM
2009-06-23 22:05 . 2006-07-31 22:46 -------- d-----w- c:\program files\GemMaster
2009-06-17 01:56 . 2007-06-25 22:43 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Yahoo!
2009-06-17 01:56 . 2007-05-10 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-06-17 01:54 . 2007-03-17 20:00 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Netscape
2009-06-16 22:30 . 2007-01-07 01:07 -------- d-----w- c:\program files\MSN Messenger
2009-06-16 08:17 . 2006-07-31 23:23 49736 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-16 06:45 . 2005-08-31 04:01 92947 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-16 06:44 . 2009-06-16 06:44 208896 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
2009-06-16 06:44 . 2009-06-16 06:44 45056 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2009-06-16 06:44 . 2009-06-16 06:44 61440 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
2009-06-16 06:44 . 2009-06-16 06:44 44032 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2009-06-16 06:44 . 2009-06-16 06:44 40960 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
2009-06-16 06:44 . 2009-06-16 06:44 341048 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection3.dll
2009-06-16 06:44 . 2009-06-16 06:44 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
2009-06-16 06:44 . 2009-06-16 06:44 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
2009-06-16 06:44 . 2009-06-16 06:44 163840 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
2009-06-16 04:22 . 2006-07-31 23:23 -------- d-----w- c:\program files\DISC
2009-05-28 18:11 . 2007-01-05 21:49 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Aim
2009-05-28 18:11 . 2006-12-20 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2009-05-28 16:01 . 2006-12-15 23:45 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-05-20 20:04 . 2009-05-20 20:00 13415464 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Research In Motion\BlackBerry\BlackBerryMediaSyncDM.exe
2009-05-14 22:55 . 2007-03-13 20:02 -------- d-----w- c:\program files\Windows Live Safety Center
2009-05-14 16:13 . 2009-05-14 16:13 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\MSNInstaller
2009-05-12 17:54 . 2006-07-31 22:46 -------- d-----w- c:\program files\EnglishOtto
2009-05-12 17:46 . 2009-02-06 01:08 -------- d-----w- c:\program files\Ares
2009-05-08 17:31 . 2009-05-06 18:36 -------- d-----w- c:\program files\Microsoft Silverlight
2009-05-08 16:05 . 2009-05-08 16:05 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-05-07 15:32 . 2004-08-10 04:00 345600 ------w- c:\windows\system32\localspl.dll
2009-05-06 20:23 . 2009-02-06 17:59 -------- d-----w- c:\program files\Common Files\Research in Motion
2009-05-06 20:18 . 2009-05-06 20:18 -------- d-----w- c:\program files\Common Files\xing shared
2009-05-06 20:18 . 2006-07-31 23:16 -------- d-----w- c:\program files\Common Files\Real
2009-05-06 20:13 . 2007-12-08 20:38 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\InstallShield
2009-05-06 18:35 . 2009-05-06 18:20 -------- d-----w- c:\program files\Windows Live
2009-05-06 18:33 . 2009-05-06 18:33 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-05-06 18:31 . 2009-05-06 18:31 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-05-06 18:21 . 2009-05-06 18:21 -------- d-----w- c:\program files\Microsoft
2009-05-06 18:00 . 2009-05-06 18:00 -------- d-----w- c:\program files\Common Files\Windows Live
2009-04-30 18:56 . 2009-04-30 18:56 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-04-29 04:56 . 2004-08-10 04:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-10 04:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-08-10 04:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-10 04:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2007-04-19 03:06 . 2007-04-19 03:06 251 ----a-w- c:\program files\wt3d.ini
.
((((((((((((((((((((((((((((( [email protected]_21.02.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-26 22:09 . 2006-05-04 23:22 86016 c:\windows\system32\ReinstallBackups\0019\DriverFiles\SOUNDMAN.EXE
+ 2009-06-26 22:09 . 2008-04-14 00:12 23552  c:\windows\system32\ReinstallBackups\0019\DriverFiles\i386\wdmaud.drv
+ 2009-06-26 22:09 . 2008-04-13 18:45 49408 c:\windows\system32\ReinstallBackups\0019\DriverFiles\i386\stream.sys
+ 2009-06-26 22:09 . 2008-04-13 18:45 60160 c:\windows\system32\ReinstallBackups\0019\DriverFiles\i386\drmk.sys
+ 2009-06-26 22:09 . 2005-05-04 01:43 69632 c:\windows\system32\ReinstallBackups\0019\DriverFiles\ALCMTR.EXE
+ 2004-08-10 11:00 . 2008-04-13 17:45 49408 c:\windows\system32\drivers\stream.sys
- 2004-08-10 11:00 . 2008-04-13 18:45 49408 c:\windows\system32\drivers\stream.sys
+ 2006-07-31 23:04 . 2008-04-13 17:45 60160 c:\windows\system32\drivers\drmk.sys
- 2006-07-31 23:04 . 2008-04-13 18:45 60160 c:\windows\system32\drivers\drmk.sys
+ 2004-08-10 11:00 . 2008-04-13 17:45 49408 c:\windows\system32\dllcache\stream.sys
+ 2006-07-31 23:04 . 2008-04-13 17:45 60160 c:\windows\system32\dllcache\drmk.sys
+ 2009-06-26 21:02 . 2008-10-16 20:09 51224 c:\windows\system32\dllcache\cache\wuauclt.exe
+ 2009-06-26 21:02 . 2008-04-14 00:12 82432 c:\windows\system32\dllcache\cache\ws2_32.dll
+ 2009-06-26 21:02 . 2008-04-14 00:12 26112 c:\windows\system32\dllcache\cache\userinit.exe
+ 2009-06-26 21:02 . 2008-04-14 00:12 14336 c:\windows\system32\dllcache\cache\svchost.exe
+ 2009-06-26 21:02 . 2008-04-14 00:12 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
+ 2009-06-26 21:02 . 2008-04-14 00:12 17408 c:\windows\system32\dllcache\cache\powrprof.dll
+ 2009-06-26 21:02 . 2008-04-14 00:12 13312 c:\windows\system32\dllcache\cache\lsass.exe
+ 2009-06-26 21:02 . 2008-04-13 18:39 24576 c:\windows\system32\dllcache\cache\kbdclass.sys
+ 2009-06-26 21:02 . 2008-04-13 18:53 36608 c:\windows\system32\dllcache\cache\ip6fw.sys
+ 2009-06-26 21:02 . 2008-04-14 00:12 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
+ 2006-07-31 23:04 . 2006-07-21 20:14 86016 c:\windows\SoundMan.exe
- 2006-07-31 23:04 . 2006-05-04 23:22 86016 c:\windows\SOUNDMAN.EXE
+ 2009-06-26 22:25 . 2009-06-26 22:25 77824 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Vsa\b7d0905caa48ed49a6144b61e7fb36a0\Microsoft.Vsa.ni.dll
+ 2009-06-26 22:25 . 2009-06-26 22:25 58880 c:\windows\assembly\NativeImages_v2.0.50727_32\DriversHQ.DriverDet#\b0db4e584e2e774babbc9ceb8112852b\DriversHQ.DriverDetective.ExceptionLogging.ni.dll
+ 2009-06-26 22:25 . 2009-06-26 22:25 69632 c:\windows\assembly\NativeImages_v2.0.50727_32\DriversHQ.DriverDet#\381dd87432a9884fa9dc84aa5ef201c5\DriversHQ.DriverDetective.Client.DirectX.ni.dll
+ 2006-07-31 23:04 . 2005-05-03 22:43 69632 c:\windows\Alcmtr.exe
- 2006-07-31 23:04 . 2005-05-04 01:43 69632 c:\windows\ALCMTR.EXE
+ 2009-06-26 22:09 . 2008-04-14 00:11 4096 c:\windows\system32\ReinstallBackups\0019\DriverFiles\i386\ksuser.dll
- 2006-07-31 23:04 . 2008-04-14 00:11 4096 c:\windows\system32\ksuser.dll
+ 2006-07-31 23:04 . 2008-04-13 23:11 4096 c:\windows\system32\ksuser.dll
+ 2006-07-31 23:04 . 2008-04-13 23:11 4096 c:\windows\system32\dllcache\ksuser.dll
+ 2006-07-31 23:04 . 2006-07-22 11:40 143360 c:\windows\system32\RTCOM\RTLCPAPI.dll
+ 2006-07-31 23:04 . 2006-07-21 20:18 270336 c:\windows\system32\RTCOM\RTCOMDLL.dll
- 2006-07-31 23:04 . 2006-06-06 22:46 270336 c:\windows\system32\RTCOM\RTCOMDLL.dll
+ 2009-06-26 22:09 . 2006-03-10 00:45 364544 c:\windows\system32\ReinstallBackups\0019\DriverFiles\RtlUpd.exe
+ 2009-06-26 22:09 . 2005-11-01 01:17 135168 c:\windows\system32\ReinstallBackups\0019\DriverFiles\RTLCPAPI.dll
+ 2009-06-26 22:09 . 2006-06-06 22:46 270336 c:\windows\system32\ReinstallBackups\0019\DriverFiles\RTCOMDLL.dll
+ 2009-06-26 22:09 . 2008-04-13 19:19 146048 c:\windows\system32\ReinstallBackups\0019\DriverFiles\i386\portcls.sys
+ 2009-06-26 22:09 . 2008-04-13 19:16 141056 c:\windows\system32\ReinstallBackups\0019\DriverFiles\i386\ks.sys
+ 2004-03-17 00:58 . 2008-04-13 18:19 146048 c:\windows\system32\drivers\portcls.sys
- 2004-03-17 00:58 . 2008-04-13 19:19 146048 c:\windows\system32\drivers\portcls.sys
- 2004-08-10 11:00 . 2008-04-13 19:16 141056 c:\windows\system32\drivers\ks.sys
+ 2004-08-10 11:00 . 2008-04-13 18:16 141056 c:\windows\system32\drivers\ks.sys
+ 2004-03-17 00:58 . 2008-04-13 18:19 146048 c:\windows\system32\dllcache\portcls.sys
+ 2004-08-10 11:00 . 2008-04-13 18:16 141056 c:\windows\system32\dllcache\ks.sys
+ 2009-06-26 21:02 . 2008-04-14 00:12 507904 c:\windows\system32\dllcache\cache\winlogon.exe
+ 2009-06-26 21:02 . 2009-04-29 04:56 827392 c:\windows\system32\dllcache\cache\wininet.dll
+ 2009-06-26 21:02 . 2008-04-14 00:12 578560 c:\windows\system32\dllcache\cache\user32.dll
+ 2009-06-26 21:02 . 2008-04-14 00:12 295424 c:\windows\system32\dllcache\cache\termsrv.dll
+ 2009-06-26 21:02 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\cache\tcpip.sys
+ 2009-06-26 21:02 . 2009-02-06 11:11 110592 c:\windows\system32\dllcache\cache\services.exe
+ 2009-06-26 21:02 . 2008-04-13 19:20 182656 c:\windows\system32\dllcache\cache\ndis.sys
+ 2009-06-26 21:02 . 2009-03-21 14:06 989696 c:\windows\system32\dllcache\cache\kernel32.dll
+ 2009-06-26 21:02 . 2008-04-14 00:11 110080 c:\windows\system32\dllcache\cache\imm32.dll
+ 2009-06-26 21:02 . 2008-04-14 00:11 167936 c:\windows\system32\dllcache\cache\appmgmts.dll
+ 2006-07-31 23:04 . 2006-03-09 21:45 364544 c:\windows\RtlUpd.exe
- 2006-07-31 23:04 . 2006-03-10 00:45 364544 c:\windows\RtlUpd.exe
+ 2009-06-26 22:25 . 2009-06-26 22:25 139264 c:\windows\assembly\NativeImages_v2.0.50727_32\XPBurnComponent\d64d2fba932dad42b3c9dd12018004bb\XPBurnComponent.ni.dll
+ 2009-06-26 22:25 . 2009-06-26 22:25 356352 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Practices#\7ace34d11754ba49834df3fe56eec090\Microsoft.Practices.ObjectBuilder.ni.dll
+ 2009-06-26 22:25 . 2009-06-26 22:25 167936 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Practices#\6a1fc0ec66021541998f2ae4eb21c084\Microsoft.Practices.EnterpriseLibrary.Security.Cryptography.ni.dll
+ 2009-06-26 22:25 . 2009-06-26 22:25 368640 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Practices#\114ca691cc8c5a46944b507b17e8b0fc\Microsoft.Practices.EnterpriseLibrary.Common.ni.dll
+ 2009-06-26 22:25 . 2009-06-26 22:25 253952 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Applicati#\9a2ef1e4d251b147a1115e57801d2a16\Microsoft.ApplicationBlocks.Updater.ni.dll
+ 2009-06-26 22:25 . 2009-06-26 22:25 225280 c:\windows\assembly\NativeImages_v2.0.50727_32\DriversHQ.DriverDet#\e880c85ddbf6294f974cbc62b47a358b\DriversHQ.DriverDetective.Client.Communication.ni.dll
+ 2009-06-26 22:25 . 2009-06-26 22:25 180224 c:\windows\assembly\NativeImages_v2.0.50727_32\DriversHQ.DriverDet#\d54d2092da025343ac8e87dcdeca8280\DriversHQ.DriverDetective.Common.ni.dll
+ 2009-06-26 22:09 . 2006-05-04 23:35 9709568 c:\windows\system32\ReinstallBackups\0019\DriverFiles\RTLCPL.EXE
+ 2009-06-26 22:09 . 2006-06-14 18:04 4299264 c:\windows\system32\ReinstallBackups\0019\DriverFiles\RtkHDAud.sys
+ 2009-06-26 22:09 . 2006-06-10 01:25 2158592 c:\windows\system32\ReinstallBackups\0019\DriverFiles\MicCal.exe
+ 2009-06-26 22:09 . 2006-05-04 23:26 2808832 c:\windows\system32\ReinstallBackups\0019\DriverFiles\ALCWZRD.EXE
+ 2006-07-31 23:04 . 2006-07-24 20:15 4353024 c:\windows\system32\drivers\RtkHDAud.Sys
+ 2009-06-26 21:02 . 2008-04-14 00:12 1614848 c:\windows\system32\dllcache\cache\sfcfiles.dll
+ 2009-06-26 21:02 . 2009-02-06 11:06 2145280 c:\windows\system32\dllcache\cache\ntoskrnl.exe
+ 2009-06-26 21:02 . 2009-02-06 10:32 2023936 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
+ 2009-06-26 21:02 . 2008-04-14 00:12 1033728 c:\windows\system32\dllcache\cache\explorer.exe
- 2006-07-31 23:04 . 2006-05-04 23:35 9709568 c:\windows\RTLCPL.EXE
+ 2006-07-31 23:04 . 2006-05-04 20:35 9709568 c:\windows\RTLCPL.exe
+ 2006-07-31 23:04 . 2006-06-28 18:00 2158592 c:\windows\MicCal.exe
- 2006-07-31 23:04 . 2006-06-10 01:25 2158592 c:\windows\MicCal.exe
+ 2009-06-26 22:25 . 2009-06-26 22:25 1060864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management\a1bb65570427364dbe5f56e9c0b4e911\System.Management.ni.dll
+ 2009-06-26 22:25 . 2009-06-26 22:25 2441216 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.JScript\ea3050eaf32fbc49ba56f84e1dda8089\Microsoft.JScript.ni.dll
+ 2009-06-26 22:25 . 2009-06-26 22:25 2215936 c:\windows\assembly\NativeImages_v2.0.50727_32\DriversHQ.DriverDet#\1ce410cc2d3ada49bae95d73e0ab64f6\DriversHQ.DriverDetective.Client.ni.exe
+ 2006-07-31 23:04 . 2006-05-04 20:26 2808832 c:\windows\alcwzrd.exe
- 2006-07-31 23:04 . 2006-05-04 23:26 2808832 c:\windows\ALCWZRD.EXE
+ 2009-06-26 22:09 . 2006-06-14 03:05 16239616 c:\windows\system32\ReinstallBackups\0019\DriverFiles\RTHDCPL.EXE
+ 2006-07-31 23:04 . 2006-07-21 20:56 16261632 c:\windows\RTHDCPL.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-16 98304]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-01-12 275800]
"VX3000"="c:\windows\vVX3000.exe" [2006-12-05 707360]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2007-08-30 205480]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]
"ISUSScheduler"="c:\program files\common files\installshield\updateservice\issch.exe" [2007-08-28 73728]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-03-26 615696]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2009-06-10 959784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-05-09 1519616]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-07-21 16261632]
c:\documents and settings\Monica\Start Menu\Programs\Startup\
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-7-31 27136]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-3-25 1545488]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\1166284365\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Common Files\\AOL\\1166284365\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [16/06/2009 12:14 a.m. 13360]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [28/05/2009 02:53 p.m. 202928]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [06/05/2009 02:35 p.m. 55152]
R2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [10/06/2009 07:00 a.m. 980264]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [16/06/2009 12:15 a.m. 69936]
S3 fsssvc;Windows Live Protección Infantil;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 07:08 p.m. 533360]
S3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers\nvcw32mf.sys [07/02/2009 11:23 p.m. 19512]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [30/04/2009 02:56 p.m. 93360]
.
Contents of the 'Scheduled Tasks' folder
2008-08-30 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-12-19 16:06]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-SMSTray - c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe
SafeBoot-lopzqyvw.sys

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: &Search
Trusted Zone: trymedia.com
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/latinojuegos/safari-island/zylomplayer.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-26 18:40
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ... 
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2284)
c:\program files\Sunbelt Software\VIPRE\oehook.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\windows\arservice.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Common Files\Research in Motion\RIMDeviceManager\RIMDeviceManager.exe
c:\program files\Common Files\Research in Motion\USB Drivers\BbDevMgr.exe
.
**************************************************************************
.
Completion time: 2009-06-26 18:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-26 22:47
ComboFix2.txt 2009-06-26 21:04
ComboFix3.txt 2009-06-21 22:20
Pre-Run: 170,708,762,624 bytes free
Post-Run: 170,751,467,520 bytes free
340 --- E O F --- 2009-06-17 03:12


----------



## sancho212 (Jun 17, 2009)

here is the HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:52:28 p.m., on 26/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
c:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
c:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\explorer.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Aplicación auxiliar de inicio de sesión - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LifeCam] "c:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [SBAMTray] c:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Agregar entrada - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Agregar entrada en Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Resources/2.0.4.69/cab/aolpPlugins.10.4.0.4.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://xxpequena221984.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-c48dffeb778fd1f7.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/latinojuegos/safari-island/zylomplayer.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - c:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
--
End of file - 10252 bytes


----------



## cybertech (Apr 16, 2002)

*Run HJT again and put a check in the following:*

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: http://*.trymedia.com (HKLM)

*Close all applications and browser windows before you click "fix checked".*

How is the machine now?
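The four entries picked out above share one trait: each points at a file that is missing, or (the O15 line) widens Internet Explorer's Trusted Zone. That triage can be automated. The following Python is an added example written for this thread; it is not HijackThis code and not cybertech's. It parses the `Oxx - ...` line format HijackThis v2.0.2 writes, and the sample input is a handful of lines copied from the log posted above, chosen so that the flagged set matches the four entries cybertech listed. The `Finding` type, the `triage_line` and `triage_log` names, and the flagging rules are this example's own.

```python
import re
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis log posted earlier in this thread.
# Only a subset is included so the example stays short.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\smss.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - c:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
End of file - 10252 bytes
"""

# HijackThis prefixes every reported item with a category code: "R3 - ...", "O2 - ...".
# Process-list lines, the header and the "End of file" trailer do not match this.
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")


@dataclass
class Finding:
    code: str    # HijackThis category (R3, O2, O9, O15, ...)
    reason: str  # why the entry deserves a look
    line: str    # the original log line


def triage_line(line: str):
    """Return a Finding for one HijackThis line worth reviewing, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    # Registry entries whose target file is gone are leftovers (often of a removal);
    # they do nothing useful and are safe to let HijackThis "fix".
    if body.endswith("(no file)") or "(file missing)" in body:
        return Finding(code, "orphaned entry: target file no longer exists", line.strip())
    # A Trusted Zone entry relaxes IE's security settings for that site.
    if code == "O15":
        return Finding(code, "Trusted Zone entry lowers IE security for this site", line.strip())
    # A BHO with no name and no file is also caught by the rule above; one with a
    # file but no name is still worth identifying before deciding.
    if code == "O2" and body.startswith("BHO: (no name)"):
        return Finding(code, "unnamed browser helper object", line.strip())
    return None


def triage_log(text: str):
    """Run triage_line over a whole pasted log and keep only the findings."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.line}")
```

Run against the sample it reports exactly the R3, O2, O9 and O15 lines from the post above, with the O4 and O23 entries (valid files, signed vendors) left alone. Everything it flags is a candidate for review, not a verdict: an "(no file)" entry is harmless clutter, whereas a Trusted Zone entry should be judged by whether the owner recognises the site.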


----------



## sancho212 (Jun 17, 2009)

Thank you very much for your great help cybertech - I have done as instructed and the computer seems to run way better than before; it has run way better since the first time we installed combofix. The only two problems that are left (hopefully that's it) are getting back the pchealth folder and getting the audio back on the machine. I have checked the device manager and all the drivers seem to be running properly. Regarding the pchealth folder, I thought that when we got rid of the virusfighter folder it would let us install the HP active support library, but I am still getting the same errors that I need to login with admin rights.


----------



## cybertech (Apr 16, 2002)

cybertech said:


> If you have that file from HP downloaded you can right click on the exe and "Run as Administrator"


Did you try "Run as Administrator"?


----------



## sancho212 (Jun 17, 2009)

Yes, but it said the same thing.


----------



## cybertech (Apr 16, 2002)

And it says the same thing if you log onto the Administrator account?


----------



## sancho212 (Jun 17, 2009)

I have only two accounts on this computer (in normal mode) and both of them have admin rights.


----------



## sancho212 (Jun 17, 2009)

I just restarted the machine in safe mode and logged in with the administrator account that doesn't show up in normal mode. I tried to run the program as admin and received the following message:

C:\Program Files\sp39516.exe
A device attached to the system is not functioning

Hopefully this message will help you figure out what's the best route to take on this issue.


----------



## sancho212 (Jun 17, 2009)

OK, this thing is really going crazy. Now that I am trying to run the folder as an admin it's telling me that access is denied, and this is in normal mode. I have restarted the machine twice and I received the same error every time I tried to run this as an admin.


----------



## cybertech (Apr 16, 2002)

I'm guessing but perhaps if you disable "Family Safety Filter Driver" it will work.


----------



## sancho212 (Jun 17, 2009)

and how would I disable that?


----------



## cybertech (Apr 16, 2002)

Uninstall the program.


----------



## sancho212 (Jun 17, 2009)

Uninstall what program? If you mean the HP active support library, I don't think I can uninstall that because I haven't been able to install it; it's just been downloaded to the machine but not installed yet due to the message I get. And if you mean the "Family Safety Filter Driver", I don't know where this file is located.


----------



## sancho212 (Jun 17, 2009)

OK, I think I know what the problem is. I just tried to install HP active support library from a different place and it said that to install HP active support library I need to have Windows Vista installed on the machine; so could it be that's the reason we are getting all these errors, because I have Windows XP and not Vista?


----------



## cybertech (Apr 16, 2002)

Run HijackThis and click on "Config" and then on the "Misc Tools" button. 
If you're viewing HijackThis from the Main Menu then click on "Open the Misc Tools Section". 
Click on the "Open Uninstall Manager" button. 
Click the "Save List" button. 
Copy and paste that list here.


----------



## sancho212 (Jun 17, 2009)

Please see below

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.9
Adobe Shockwave Player
Agere Systems PCI-SV92PP Soft Modem
AOL Deskbar
Ares 2.0.9
Ares Tube 3.0
BlackBerry Desktop Software 4.7
BlackBerry Desktop Software 4.7
CardRd81
CCScore
Choice Guard
CR2
Critical Update for Windows Media Player 11 (KB959772)
Customer Experience Enhancement
Data Fax SoftModem with SmartCP
DISCover
DivX
Easy Internet Sign-up
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
essvcpt
Galería fotográfica de Windows Live
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
HLPPDOCK
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB910393)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954708)
HP Boot Optimizer
HP DVD Play 2.1
HP Extended Capabilities 6.1
HP Imaging Device Functions 7.0
HP Photosmart Essential
HP Photosmart for Media Center PC
HP Photosmart Premier Software 6.5
HP Product Assistant
HP PSC & OfficeJet 6.1.A
HP Solution Center and Imaging Support Tools 6.1
HP Update
HP Web Helper
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java(TM) SE Runtime Environment 6 Update 1
Junk Mail filter update
kgcbase
KSU
Lame ACM MP3 Codec
LG USB Drivers
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft LifeCam
Microsoft Money 2006
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003 60 days trial
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MSN
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 5.0
muvee autoProducer unPlugged 2.0
My HP Games
My HP Games
Notifier
NVIDIA Drivers
OfotoXMI
OTtBP
OTtBPSDK
Otto
Quicken 2006
QuickTime
Rainbow Fish
RealPlayer
Realtek High Definition Audio Driver
Rhapsody
Rhapsody Player Engine
Samsung Media Studio
Sandlot Games Client Services
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Segoe UI
SFR
SHASTA
SKIN0001
SKINXSDK
Snowy the Bear Adventure - Demo
Sonic Express Labeler
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
staticcr
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Updates from HP (remove only)
Viewpoint Media Player
VPRINTOL
VZAccess Manager for RIM
WildTangent Web Driver
Windows Imaging Component
Windows Live Asistente para el inicio de sesión
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Protección Infantil
Windows Live Sync
Windows Live Toolbar
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
WIRELESS
XviD MPEG-4 Video Codec


----------



## cybertech (Apr 16, 2002)

Go to add/remove programs and remove these:

J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java(TM) SE Runtime Environment 6 Update 1


----------



## sancho212 (Jun 17, 2009)

I successfully removed Java(TM) SE Runtime Environment 6 Update 1, but I am getting a "FATAL ERROR DURING INSTALLATION" for the two remaining ones and can't remove them.


----------



## cybertech (Apr 16, 2002)

Try running System File Checker (sfc /scannow); have your XP CD available.


----------



## sancho212 (Jun 17, 2009)

Is there any other workaround for this? I don't have the XP CD anymore; to be honest, I don't even know what I did with it.


----------



## cybertech (Apr 16, 2002)

What kind of machine is this? Did it come with a recovery partition?


----------



## sancho212 (Jun 17, 2009)

This is an HP Pavilion model A1600N. My sister bought this machine 2 or 3 years ago, but she is so clueless that she probably threw away all the CDs and manuals that came with it.


----------



## cybertech (Apr 16, 2002)

You can get manuals and info from the HP site.

http://h10032.www1.hp.com/ctg/Manual/c00757358.pdf

Look at page 19


> Repairing
> Software Problems
> Your PC uses the operating system and installed
> software programs during normal operation. If
> ...


It appears you do have a system recovery image, so try running sfc /scannow to see if it will work. If not, just stop the process.


----------



## sancho212 (Jun 17, 2009)

I guess I did not have a system recovery image after all; I wasn't able to run sfc /scannow. Have we run out of options here? If so, I will close this thread as solved.


----------



## cybertech (Apr 16, 2002)

There is also the option "Contact HP Support to purchase a set of System Recovery discs."


----------



## sancho212 (Jun 17, 2009)

OK, I will try to contact them. But first let me ask what the purpose of all this is: are we still trying to remove a virus/malware, or are we doing all this to get the pchealth program and the audio back on the machine?


----------



## cybertech (Apr 16, 2002)

All of that. In fact, when you get the system recovery discs, I would use them!

Back up your important data and reload the machine to factory specs.


----------



## sancho212 (Jun 17, 2009)

cybertech, oh, I am glad you are online. For some reason my computer got infected again. I did not visit any weird websites or download anything out of the ordinary, and I made sure my AV was up to date, but I still got infected. I don't even know how it happened; the only thing I remember downloading was iTunes. Here is a copy of the HijackThis log. By the way, I am still working on the recovery discs.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:36:07 p.m., on 07/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
c:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\b.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\c.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\windows\ld12.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\win.exe
C:\windows\pp10.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\WINDOWS\fonts\services.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Windows Live\Messenger\wlcsdk.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\mscllwi.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\msywa.exe
O1 - Hosts: www.
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (file missing)
O2 - BHO: Windows Live Aplicación auxiliar de inicio de sesión - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [LifeCam] "c:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [SBAMTray] c:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld12.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp10.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\win.exe
O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\b.exe
O4 - HKLM\..\Policies\Explorer\Run: [exec] C:\WINDOWS\system32\msxgs.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Agregar entrada - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Agregar entrada en Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Resources/2.0.4.69/cab/aolpPlugins.10.4.0.4.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://xxpequena221984.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-c48dffeb778fd1f7.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/latinojuegos/safari-island/zylomplayer.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{30E1166D-5F3A-470B-B4A3-9C2C6A7E6285}: NameServer = 66.174.95.44 66.174.92.14
O20 - AppInit_DLLs: ,C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\23618359631mxx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device (apple mobile device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Servicio Bonjour (bonjour service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Servicio del iPod (ipod service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - c:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
--
End of file - 12629 bytes

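As a defender-side addition to this thread (not code from the posters above or from HijackThis itself), here is a small Python triage script for HijackThis 2.0.2 logs like the one just posted: it pulls out the entries a helper reviews first, such as processes and Run keys launching from the user's Temp directory, win.ini load/run autostarts, an AppInit_DLLs injection and the DisableRegedit policy. The heuristics are this example's own; the embedded sample input is an excerpt of the log above plus one benign O4 line to show what is not flagged.

```python
"""Triage a HijackThis 2.0.2 log: pull out the autostart and process entries that
an analyst would review first. Heuristics are this example's own, not HijackThis's."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Locations that legitimately installed software almost never launches from.
TEMP_DIR = re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
FONTS_EXE = re.compile(r"\\WINDOWS\\fonts\\[^\\]+\.exe$", re.IGNORECASE)

# Line shapes HijackThis uses for the sections this triage inspects.
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")  # "Running processes:" section: one path per line
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
F3_RE = re.compile(r"^F3 - REG:win\.ini: (?P<key>load|run)=(?P<cmd>.+)$")
O7_RE = re.compile(r"^O7 - .*\bDisableRegedit=1$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<dns>.+)$")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high": investigate/remove first; "review": confirm with the machine's owner
    line: str
    reason: str


def triage(log_text: str) -> list[Finding]:
    """Return the log entries that warrant attention, in log order."""
    findings: list[Finding] = []

    def flag(severity: str, line: str, reason: str) -> None:
        findings.append(Finding(severity, line, reason))

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PROCESS_RE.match(line):
            if TEMP_DIR.search(line):
                flag("high", line, "process running from a user Temp directory")
            elif FONTS_EXE.search(line):
                flag("high", line, "executable running from the Fonts directory")
        elif m := O4_RE.match(line):
            if TEMP_DIR.search(m["cmd"]):
                flag("high", line, f"Run entry [{m['name']}] launches from a Temp directory")
            elif "Policies\\Explorer\\Run" in m["key"]:
                flag("high", line, "Policies\\Explorer\\Run autostart is rarely used by legitimate software")
        elif m := F3_RE.match(line):
            flag("high", line, f"win.ini {m['key']}= is a legacy autostart that modern software does not set")
        elif O7_RE.match(line):
            flag("high", line, "Registry Editor disabled by policy, which hinders cleanup")
        elif m := O20_RE.match(line):
            dlls = m["dlls"].strip(", ")
            if TEMP_DIR.search(dlls):
                flag("high", line, "AppInit_DLLs loads a DLL from a Temp directory into every GUI process")
            elif dlls:
                flag("review", line, "AppInit_DLLs is set; confirm each DLL belongs to a known vendor")
        elif m := O17_RE.match(line):
            flag("review", line, f"DNS servers {m['dns']}: confirm they belong to the ISP")
    return findings


def count_by_severity(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Sample input: an excerpt of the 07/07/2009 log posted above, plus the benign ehTray O4 line.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\b.exe
C:\WINDOWS\fonts\services.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\mscllwi.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\b.exe
O4 - HKLM\..\Policies\Explorer\Run: [exec] C:\WINDOWS\system32\msxgs.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: ,C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\23618359631mxx.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{30E1166D-5F3A-470B-B4A3-9C2C6A7E6285}: NameServer = 66.174.95.44 66.174.92.14
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run against the full log, the same script also leaves the legitimate HP, Google and Apple entries alone, which is the point: it narrows the list to the handful of lines worth asking about.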

----------



## cybertech (Apr 16, 2002)

Delete your old version of Combofix and download it again from one of these locations:

*Link 1*
*Link 2*

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your operating system.

Download the file and save it as it is originally named.

*Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.*

_Please note: once you start ComboFix you should not click anywhere on the ComboFix window, as it can cause the program to stall._

Drag the setup package onto ComboFix.exe and drop it.

Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

At the next prompt, click 'Yes' to run the full ComboFix scan.

When the tool is finished, it will produce a report for you.
Please post the *C:\ComboFix.txt* in your next reply.


----------



## sancho212 (Jun 17, 2009)

cybertech, I was not able to uninstall ComboFix due to the following message: W32.virus.exe. Is there any other way I can delete this? I have the XP CD available now.


----------



## cybertech (Apr 16, 2002)

Don't uninstall it; just delete the folder or executable.


----------



## sancho212 (Jun 17, 2009)

cybertech, I am unable to re-install ComboFix and I am also unable to update and run Malwarebytes. Please see the new HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:52:30 p.m., on 09/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
c:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\vVX3000.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\win.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\b.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Windows Live\Messenger\wlcsdk.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Live\Toolbar\wltuser.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\mscllwi.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\msywa.exe
O1 - Hosts: www.
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (file missing)
O2 - BHO: Windows Live Aplicación auxiliar de inicio de sesión - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [LifeCam] "c:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [SBAMTray] c:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\win.exe
O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\b.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Agregar entrada - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Agregar entrada en Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Resources/2.0.4.69/cab/aolpPlugins.10.4.0.4.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://xxpequena221984.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-c48dffeb778fd1f7.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/latinojuegos/safari-island/zylomplayer.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{30E1166D-5F3A-470B-B4A3-9C2C6A7E6285}: NameServer = 66.174.95.44 69.78.96.14
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device (apple mobile device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Servicio Bonjour (bonjour service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Servicio del iPod (ipod service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - c:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
--
End of file - 12292 bytes


----------



## cybertech (Apr 16, 2002)

*Click here* to download *Dr.Web CureIt* and save it to your desktop.

Double-click the *drweb-cureit.exe* file and allow it to run the express scan.
This will scan the files currently running in memory; when something is found, click the Yes button when it asks if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the *green arrow* at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, check whether you can click the next icon next to the files found:

If so, click it, then click the next icon right below and select *Move incurable*, as you'll see in the next image:

This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured (this is in case we need samples).
After selecting, in the Dr.Web CureIt menu on top, click *file* and choose *save report list*.
Save the report to your desktop. The report will be called *DrWeb.csv*.
Close Dr.Web CureIt.
*Reboot* your computer!! Files that are in use may only be moved/deleted during the reboot.
After the reboot, post the contents of the Dr.Web log you saved in your next reply, along with a new HijackThis log.


----------

