# Solved: Malware: computer recycles the boot



## cloner88 (Jul 14, 2007)

I have an hp m7367c computer that runs with windows XP media center edition 2005. I am experiencing symptoms of malware controlling my computer.
My computer has crashed several times. After I pressed F8, anything I selected was ignored, i.e. I could not select "use last known configuration that worked", nor go into safe mode, etc. The computer just kept rebooting over and over again, showing the blue HP Invent screen with the selection F10 = system restore. I tried this and did the normal operation of turning on automatic updates. The numerous updates download and install normally, but kb920683, kb923191, and kb828255 fail to install. An IE6 to IE7 upgrade (I use Firefox as my default browser) does install. However, automatic updates then attempts to install the cumulative security update for IE7, kb933256. After restart I get the recycling of the boot again, until F10 is pressed.
Of note is that I am forced to use the system restore volume. I cannot select a system restore point. And scariest of all, I did a complete reformat of the computer with my recovery CDs, and when all was completed it still went and loaded the system restore volume!
By turning off automatic updates and restarting the computer, I have gotten an error message relating to the file urldll.dll, which I could not find by doing a search.
I am unable to register my reloaded Trend Micro PC-cillin 2007 antivirus software, so the automatic definitions update does not work.
I also looked in the RECYCLER folder and noticed that I have nine recycle bin icons that all begin with S-1-5-21 followed by different sets of numbers; that cannot be a good sign for a single-computer user that is not on a network.
Of course I am denied access to examine the system restore volume. I have no clue how to begin getting rid of this malware problem, please HELP! Thanking you in advance for any assistance that you may provide. Cloner88
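The RECYCLER observation above (several folders named S-1-5-21-…) is something a helper would want to check before calling it a bad sign: on Windows XP each subfolder of RECYCLER is the per-user recycle bin of one account, named by that account's SID. The script below is an added example (not part of this thread and not an HP or Trend Micro tool) that decodes such folder names. For a standalone machine the three numbers after S-1-5-21 identify the Windows installation that created the account and the last number is the account's RID, so folders sharing that triple belong to accounts on the same installation, while a different triple means an account from another installation (for instance a previous install whose folders survived on disk). The folder names in `SAMPLE_RECYCLER_DIRS` are constructed for the example, not the poster's values.

```python
"""Decode Windows XP RECYCLER subfolder names (per-user SIDs). Added example code."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed folder names shaped like RECYCLER subfolders; the numbers are made up
# for this example and are not the poster's.
SAMPLE_RECYCLER_DIRS = [
    "S-1-5-21-1111111111-2222222222-3333333333-500",
    "S-1-5-21-1111111111-2222222222-3333333333-1004",
    "S-1-5-21-4444444444-5555555555-6666666666-1003",
    "S-1-5-18",
    "desktop.ini",  # not a SID; must be ignored
]

SID_RE = re.compile(r"^S-1-(?P<auth>\d+)(?P<subs>(?:-\d+)*)$")

# RIDs Windows reserves for the built-in local accounts.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}


def parse_sid(name: str) -> Optional[dict]:
    """Return a description of the SID in `name`, or None if it is not a SID."""
    m = SID_RE.match(name)
    if not m:
        return None
    auth = int(m.group("auth"))
    subs = [int(s) for s in m.group("subs").split("-") if s]
    info = {"sid": name, "authority": auth, "subauthorities": subs, "kind": "other"}
    # S-1-5-21-<three installation/domain words>-<RID>: an account on one installation.
    if auth == 5 and len(subs) == 5 and subs[0] == 21:
        rid = subs[4]
        if rid in WELL_KNOWN_RIDS:
            hint = WELL_KNOWN_RIDS[rid]
        elif rid >= 1000:
            hint = "account created after install (RID >= 1000)"
        else:
            hint = "reserved built-in RID"
        info.update(kind="account", installation=tuple(subs[1:4]), rid=rid, account_hint=hint)
    elif auth == 5 and subs == [18]:
        info["kind"] = "LocalSystem"  # S-1-5-18, the SYSTEM account
    return info


def group_by_installation(names: List[str]) -> Dict[Tuple[int, int, int], List[int]]:
    """Map each installation identifier to the account RIDs seen under it."""
    groups: Dict[Tuple[int, int, int], List[int]] = defaultdict(list)
    for n in names:
        info = parse_sid(n)
        if info and info["kind"] == "account":
            groups[info["installation"]].append(info["rid"])
    return dict(groups)


if __name__ == "__main__":
    for installation, rids in group_by_installation(SAMPLE_RECYCLER_DIRS).items():
        print("installation", "-".join(map(str, installation)))
        for rid in rids:
            sid = "S-1-5-21-%s-%d" % ("-".join(map(str, installation)), rid)
            print("   RID %d: %s" % (rid, parse_sid(sid)["account_hint"]))
```

To use it on a real machine, replace the sample list with the directory names under `C:\RECYCLER` (for example via `os.listdir`); two or more distinct installation triples would show that the folders were not all created by the current Windows install.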


----------



## cloner88 (Jul 14, 2007)

Here is the HJT log. I believe what is occurring is hidden from the HJT program:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:14:15 PM, on 9/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 5700 bytes

cloner88
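Reading a HijackThis log by hand means checking every autorun (O4), service (O23) and ActiveX download (O16) line for where the binary lives and who published it. The script below is an added example of that triage, written for this thread and not a HijackThis feature; it parses lines in the HijackThis v2 format shown above and lists the entries a helper would ask about, without judging them malicious. `SAMPLE_LOG` is constructed from the line format above, and the "Example Service" line in it is an invented placeholder, not an entry from the poster's log. The `TRUSTED_ROOTS` list and the review reasons are the example's own heuristics.

```python
"""Triage helper for HijackThis-style logs. Added example, not a HijackThis tool."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample modelled on the HijackThis v2 line format; the "Example Service"
# line is a placeholder invented for this example, not something from the thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe"
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\RunOnce: [AddRAID] c:\hp\bin\cloaker.exe c:\hp\bin\Add_RAID\AddRAID.cmd
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Example Service (ExampleSvc) - Unknown owner - C:\example\placeholder_service.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.+)$")
QUOTED_PATH = re.compile(r'"([A-Za-z]:\\[^"]+)"')
BARE_PATH = re.compile(r"([A-Za-z]:\\.+?\.(?:exe|dll|sys|cmd|bat|lnk))", re.IGNORECASE)
# Directories where autorun/service binaries normally live on an XP box. Anything
# else is not necessarily bad (C:\hp\bin is OEM tooling) but deserves a look.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


@dataclass
class Entry:
    kind: str            # HijackThis section code, e.g. O4, O23
    body: str            # everything after "O4 - "
    path: Optional[str]  # first absolute path to an executable-like file, if any


def extract_path(body: str) -> Optional[str]:
    """Prefer a quoted path (handles spaces), else the first drive-letter path."""
    m = QUOTED_PATH.search(body) or BARE_PATH.search(body)
    return m.group(1) if m else None


def parse_log(text: str) -> List[Entry]:
    """Keep only the classified entry lines; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            body = m.group("body")
            entries.append(Entry(m.group("kind"), body, extract_path(body)))
    return entries


def triage(entry: Entry) -> List[str]:
    """Heuristic review reasons for one entry; an empty list means nothing to ask."""
    reasons = []
    if entry.kind == "O16":
        reasons.append("ActiveX download (DPF): confirm it is one the user initiated")
    if entry.kind in ("O4", "O23"):
        if entry.path is None:
            reasons.append("no absolute path: binary is resolved through PATH at run time")
        elif not entry.path.lower().startswith(TRUSTED_ROOTS):
            reasons.append("binary outside the standard program roots")
    # HijackThis prints "Unknown owner" when a service carries no company name.
    if entry.kind == "O23" and " - Unknown owner - " in entry.body:
        reasons.append("service with no publisher recorded")
    if entry.kind == "O4" and "RunOnce" in entry.body:
        reasons.append("RunOnce autorun: one-shot, check what it launches")
    return reasons


def triage_log(text: str) -> List[Tuple[Entry, List[str]]]:
    """(entry, reasons) pairs for every entry with at least one review reason."""
    return [(e, triage(e)) for e in parse_log(text) if triage(e)]


if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG):
        print(entry.kind, "-", entry.body)
        for r in reasons:
            print("    ->", r)
```

Run against a saved log (`triage_log(open("hijackthis.log").read())`) it prints only the lines worth a question; the unflagged HP, Intel and ATI entries above drop out, while the bare `ARPWRMSG.EXE` autorun, the RunOnce entry pointing into C:\hp\bin, the ActiveScan download and the placeholder unsigned service remain for review.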


----------



## cloner88 (Jul 14, 2007)

Bump, please


----------



## Cookiegal (Aug 27, 2003)

Download and install *AVG Anti-Spyware v7.5*. Note to AVG Free anti-virus program users only: This is not the same program as the one you already have, this is an anti-spyware program so please proceed with the instructions. 

After download, double click on the file to launch the install process. 
Choose a language, click "*OK*" and then click "*Next*". 
Read the "_License Agreement_" and click "*I Agree*". 
Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "*Next*", then click "*Install*". 
After setup completes, click "*Finish*" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray. 
The main "*Status*" menu will appear. Select "_Change state_" to inactivate '*Resident Shield*' and '*Automatic Updates*'. _As AVG Anti-Spyware may interfere with some of our other fixes, we are temporarily disabling its active protection features until your system is clean, then you can re-enable them._ 
Then right click on AVG Anti-Spyware in the system tray and *uncheck* "*Start with Windows*". 
Connect to the Internet, go back to AVG Anti-Spyware, select the "*Update*" button and click "*Start update*". 
Wait until you see the "_Update successful_" message. If you are having problems with the updater, manually download and update with the AVG Anti-Spyware Full database installer. 
Exit AVG Anti-Spyware when done - *DO NOT perform a scan yet*.
*Reboot your computer in SAFE MODE* using the *F8* method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". _(Note: When run in safe mode, sometimes the GUI is larger than the screen and the buttons at the bottom are partly or completely hidden, making them inaccessible for doing a scan. If this happens press Alt + Spacebar. A menu will come open, make sure you select maximize then run the scan. If that does not help, then you may have to run your scan in normal mode and advise your helper afterwards.)_

*Scan with AVG Anti-Spyware as follows*:
Click on the "*Scanner*" button and choose the "*Settings*" tab.

Under "*How to act?*", click on "*Recommended actions*" and choose "*Quarantine*" to set default action for detected malware. 
Under "*How to Scan?*", "*Possibly unwanted software*", and "*What to Scan?*" leave all the default settings. 
Under "*Reports*" select "*Do not automatically generate reports*". 
Click the "*Scan*" tab to return to scanning options. 
Click "*Complete System Scan*" to start. 
When the scan has finished, it should automatically be set to *Quarantine*--if not click on _Recommended Action_ and set it there. 
You will also be presented with a list of infected objects found. Click "*Apply all actions*" to place the files in Quarantine.
_*IMPORTANT!* Do not save the report before you have clicked the "*Apply all actions*" button. If you do, the log that is created will indicate "*No action taken*", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button._
Click on "*Save Report*" to view all completed scans. Click on the most recent scan you just performed and select "*Save report as*" - the default file name will be in date/time format as follows: *Report-Scan-20060620-142816.txt*. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\ 
Exit AVG Anti-Spyware when done, reboot normally and post the log report in your next response.
_Note: Close all open windows, programs, and *DO NOT USE the computer while AVG Anti-Spyware is scanning*. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection._

_AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can continue to use as an on-demand scanner or you may purchase a license to use the full version. We are installing AVG Anti-Spyware with its real-time protection disabled. Once your system is clean you may re-enable it so you can continue using this feature for the remainder of the trial period._

Please go *HERE* to run Panda's ActiveScan
You need to use IE to run this scan
Once you are on the Panda site click the *Scan your PC* button
A new window will open...click the *Check Now* button
Enter your *Country*
Enter your *State/Province*
Enter your *e-mail address* and click *send*
Select either *Home User* or *Company*
Click the big *Scan Now* button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on *My Computer* to start the scan
When the scan completes, if anything malicious is detected, click the *See Report* button, *then Save Report* and save it to a convenient location. Post the contents of the ActiveScan report

*Come back here and post a new HijackThis log along with the logs from the AVG and Panda scans.*


----------



## cloner88 (Jul 14, 2007)

Thank you Cookiegal for your assistance. First I am including a pertinent portion of a Spy Sweeper log, followed by the AVG log, the Panda ActiveScan log and finally the HJT log:

2:36 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
2:36 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
2:36 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
2:36 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
2:36 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
2:36 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
2:36 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
2:36 PM: Tamper Detection
11:38 AM: Your spyware definitions have been updated.
Operation: File Access
Target: 
Source: 
11:37 AM: Tamper Detection
11:37 AM: Automated check for program update in progress.
Keylogger: Off
11:36 AM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
E-mail Attachment: On
11:36 AM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: Off
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
11:36 AM: Shield States
11:36 AM: Spyware Definitions: 986
11:35 AM: Spy Sweeper 5.5.7.48 started
11:35 AM: Spy Sweeper 5.5.7.48 started
11:35 AM: | Start of Session, Wednesday, September 12, 2007

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at:	5:46:07 PM 9/26/2007

+ Scan result:

C:\Documents and Settings\HP_Administrator\Cookies\[email protected][2].txt -> TrackingCookie.Webtrends : Cleaned.

::Report end - Please note program would not let me select quarantine for this cookie.

| Incident | Status | Location |
|---|---|---|
| Spyware:Cookie/2o7 | Not disinfected | C:\Documents and Settings\HP_Administrator\Cookies\[email protected][1].txt |
| Spyware:Cookie/Atwola | Not disinfected | C:\Documents and Settings\HP_Administrator\Cookies\[email protected][2].txt |
| Spyware:Cookie/Doubleclick | Not disinfected | C:\Documents and Settings\HP_Administrator\Cookies\[email protected][1].txt |
| Potentially unwanted tool:Application/KillApp.B | Not disinfected | C:\hp\bin\KillIt.exe |
| Spyware:Spyware/PeoplePC | Not disinfected | C:\Program Files\Online Services\PeoplePC\ISP5900\Dll\RAS.DLL |

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:48:43 PM, on 9/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\RTHDCPL.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\RunOnce: [AddRAID] c:\hp\bin\cloaker.exe c:\hp\bin\Add_RAID\AddRAID.cmd
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 6492 bytes


----------



## Cookiegal (Aug 27, 2003)

Download *ComboFix* and save it to your desktop.

***Note: It is important that it is saved directly to your desktop***


Close any open browsers. 
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. 
Double click on *combofix.exe* and follow the prompts.

When finished, it will produce a report for you. Please post the *C:\ComboFix.txt* along with a *new HijackThis log* for further review.

Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.


----------



## cloner88 (Jul 14, 2007)

Hello - here is the Combofix log that you requested:

ComboFix 07-09-28.1 - HP_Administrator 2007-09-27 11:37:21.1 - NTFSx86 
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1139 [GMT -7:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-28 )))))))))))))))))))))))))))))))
.

2007-09-27 11:36	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-09-26 17:57 d--------	C:\WINDOWS\system32\ActiveScan
2007-09-26 17:01	10,872	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-26 15:57 d--------	C:\Documents and Settings\HP_Administrator\WINDOWS
2007-09-26 15:57 d--------	C:\Documents and Settings\HP_Administrator\Application Data\Symantec
2007-09-26 15:57 d--------	C:\Documents and Settings\HP_Administrator\Application Data\Real
2007-09-26 15:57 d--------	C:\Documents and Settings\HP_Administrator\Application Data\Intuit
2007-09-26 15:57 d--------	C:\Documents and Settings\HP_Administrator\Application Data\Digital Interactive Systems Corporation
2007-09-26 15:57 d--------	C:\Documents and Settings\HP_Administrator\Application Data\ATI
2007-09-26 15:56 d--------	C:\WINDOWS\system32\config\systemprofile\WINDOWS
2007-09-26 15:56 d--------	C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec
2007-09-26 15:56 d--------	C:\WINDOWS\system32\config\systemprofile\Application Data\Real
2007-09-26 15:56 d--------	C:\WINDOWS\system32\config\systemprofile\Application Data\Intuit
2007-09-26 15:56 d--------	C:\WINDOWS\system32\config\systemprofile\Application Data\Digital Interactive Systems Corporation
2007-09-26 15:56 d--------	C:\WINDOWS\system32\config\systemprofile\Application Data\ATI
2007-09-26 15:53	8,704	--a------	C:\WINDOWS\system32\kbdjpn.dll
2007-09-26 15:53	6,144	--a------	C:\WINDOWS\system32\kbd106.dll
2007-09-19 13:15 d--------	C:\Program Files\Trend Micro
2007-09-10 16:17 d--------	C:\Program Files\Lavasoft
2007-09-07 22:12	20,992	--a------	C:\WINDOWS\jestertb.dll
2007-09-07 20:24 d--------	C:\Documents and Settings\HP_Administrator\Application Data\Netscape
2007-09-07 00:05 d--------	C:\Documents and Settings\HP_Administrator\Application Data\Help
2007-09-06 14:12 d--------	C:\Program Files\Yahoo!
2007-09-05 12:40 d--------	C:\Program Files\TIS2007_153_1151
2007-09-05 02:12 d--hs----	C:\Documents and Settings\HP_Administrator\UserData
2007-09-04 22:41 d--------	C:\Program Files\Uniblue
2007-09-04 22:41 d--------	C:\Documents and Settings\HP_Administrator\Application Data\Uniblue
2007-09-04 22:33 d--------	C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-09-04 22:32 d--------	C:\Documents and Settings\HP_Administrator\Application Data\Webroot
2007-09-04 16:14 d--------	C:\Documents and Settings\HP_Administrator\Application Data\HPQ
2007-09-03 00:09 d--------	C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-09-03 00:08 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2007-09-02 22:10 d--------	C:\Program Files\Windows Defender
2007-09-02 17:27 d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-08-29 20:50 d--------	C:\Program Files\Windows Media Connect 2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-26 18:18	---------	d-a------	C:\Program Files\Common Files\LightScribe
2007-09-26 16:44	---------	d--------	C:\Program Files\Symantec
2007-09-26 16:26	---------	d--------	C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-26 16:00	1925	-rahs----	C:\WINDOWS\system32\drivers\103C_HP_CPC_EL412AA-ABA M7367C_YC_0Pavi_QMXK552_E61NAemMPC2_48_IEMERY_SASUSTek Computer INC._V1.05_B3.17_T060915_WXP2_L409_M1535_J300_7Intel_8Pentium D_93_#070818_N808627DC_Z11C10620_G10027146.MRK
2007-09-19 13:17	---------	d--------	C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-09-10 14:38	---------	d--------	C:\Program Files\Verizon
2007-09-07 01:07	---------	d--------	C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-09-04 14:14	---------	d--------	C:\Program Files\Security Task Manager
2007-08-27 16:42	---------	d--------	C:\Program Files\Secunia
2007-08-26 14:48	---------	d--------	C:\Program Files\MSXML 6.0
2007-08-25 15:41	---------	d--------	C:\Program Files\MSBuild
2007-08-25 15:38	---------	d--------	C:\Program Files\Reference Assemblies
2007-08-24 23:41	---------	d--------	C:\Program Files\Realtek
2007-08-24 20:18	---------	d--------	C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-08-18 03:50	---------	d--------	C:\Program Files\Hewlett-Packard
2007-08-18 03:43	---------	d--------	C:\Documents and Settings\Administrator\Application Data\Symantec
2007-08-18 03:40	---------	d--------	C:\Program Files\Google
2007-08-18 03:36	---------	d--------	C:\Program Files\PC-Doctor for DOS
2007-08-18 03:36	---------	d--------	C:\Program Files\PC-Doctor 5 for Windows
2007-08-18 03:34	61440	--a------	C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
2007-08-18 03:34	45056	--a------	C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2007-08-18 03:34	44032	--a------	C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2007-08-18 03:34	40960	--a------	C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
2007-08-18 03:34	341048	--a------	C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection3.dll
2007-08-18 03:34	32768	--a------	C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
2007-08-18 03:34	32768	--a------	C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
2007-08-18 03:34	163840	--a------	C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
2007-08-18 03:33	14317	--a------	C:\WINDOWS\system32\CHODDI.SYS
2007-08-18 03:33	118842	-ra------	C:\WINDOWS\HPCPCUninstaller-6.3.2.116-9972322.exe
2007-08-18 03:33	---------	d--------	C:\Program Files\Updates from HP
2007-08-18 03:30	---------	d-a------	C:\Program Files\TurboTax Online
2007-08-18 03:30	---------	d--------	C:\Program Files\Quicken
2007-08-18 03:30	---------	d--------	C:\Program Files\Common Files\Palo Alto Software
2007-08-18 03:30	---------	d--------	C:\Program Files\Common Files\Intuit
2007-08-18 03:30	---------	d--------	C:\Documents and Settings\All Users\Application Data\Intuit
2007-08-18 03:30	---------	d--------	C:\Documents and Settings\Administrator\Application Data\Intuit
2007-08-18 03:29	---------	d--h-----	C:\Program Files\InstallShield Installation Information
2007-08-18 03:29	---------	d--------	C:\Program Files\muvee Technologies
2007-08-18 03:29	---------	d--------	C:\Program Files\Common Files\muvee Technologies
2007-08-18 03:29	---------	d--------	C:\Program Files\Common Files\InstallShield
2007-08-18 03:26	---------	d--------	C:\Program Files\Microsoft.NET
2007-08-18 03:26	---------	d--------	C:\Program Files\Microsoft Works
2007-08-18 03:26	---------	d--------	C:\Program Files\Microsoft ActiveSync
2007-08-18 03:26	---------	d--------	C:\Program Files\Common Files\L&H
2007-08-18 03:25	---------	d--------	C:\Program Files\Microsoft Money 2005
2007-08-18 03:24	---------	d-a------	C:\Program Files\IntelliMoverDemo
2007-08-18 03:23	---------	d--------	C:\Program Files\InterVideo
2007-08-18 03:23	---------	d--------	C:\Program Files\Common Files\InterVideo
2007-08-18 03:22	---------	d--------	C:\Program Files\Sonic
2007-08-18 03:22	---------	d--------	C:\Program Files\Common Files\TiVo Shared
2007-08-18 03:22	---------	d--------	C:\Program Files\Common Files\Roxio Shared
2007-08-18 03:21	---------	d--------	C:\Program Files\WildTangent
2007-08-18 03:18	---------	d--------	C:\Program Files\Common Files\SureThing Shared
2007-08-18 03:18	---------	d--------	C:\Program Files\Common Files\Sonic Shared
2007-08-18 03:18	---------	d--------	C:\Documents and Settings\All Users\Application Data\InstallShield
2007-08-18 03:17	---------	d--------	C:\Program Files\Rhapsody
2007-08-18 03:17	---------	d--------	C:\Program Files\Real
2007-08-18 03:17	---------	d--------	C:\Program Files\Netscape
2007-08-18 03:17	---------	d--------	C:\Program Files\Common Files\xing shared
2007-08-18 03:17	---------	d--------	C:\Program Files\Common Files\Real
2007-08-18 03:17	---------	d--------	C:\Documents and Settings\Administrator\Application Data\Real
2007-08-18 03:16	---------	d--------	C:\Program Files\MSN Encarta Standard
2007-08-18 03:16	---------	d--------	C:\Documents and Settings\Administrator\Application Data\Digital Interactive Systems Corporation
2007-08-18 03:11	---------	d--------	C:\Documents and Settings\All Users\Application Data\HP
2007-08-18 03:10	---------	d--------	C:\Program Files\Common Files\HP
2007-08-18 03:10	---------	d--------	C:\Documents and Settings\All Users\Application Data\Sonic
2007-08-18 03:09	---------	d--------	C:\Program Files\HP
2007-08-18 03:09	---------	d--------	C:\Program Files\Common Files\Hewlett-Packard
2007-08-18 03:07	---------	d--------	C:\Documents and Settings\Administrator\Application Data\ATI
2007-08-18 03:04	---------	d--------	C:\Program Files\Intel
2007-08-18 03:04	---------	d--------	C:\Program Files\ATI Technologies
2007-08-18 02:52	---------	d--------	C:\Documents and Settings\All Users\Application Data\SBSI
2007-08-18 02:49	---------	d--------	C:\Program Files\GemMaster
2007-08-18 02:49	---------	d--------	C:\Program Files\EnglishOtto
2007-08-18 01:20	---------	d--------	C:\Program Files\MSXML 4.0
2007-08-18 00:17	---------	d--------	C:\Documents and Settings\All Users\Application Data\Webroot
2007-08-18 00:10	---------	d--------	C:\Documents and Settings\All Users\Application Data\MSN6
2007-08-18 00:09	---------	d--------	C:\Program Files\PlayLinc
2007-08-18 00:07	---------	d--------	C:\Documents and Settings\All Users\Application Data\Verizon
2007-08-18 00:06	---------	d--------	C:\Program Files\Common Files\Motive
2007-08-18 00:06	---------	d--------	C:\Documents and Settings\All Users\Application Data\Motive
2007-08-18 00:05	---------	d--------	C:\Program Files\VZBB Toolbar
2007-08-17 23:58	---------	d--------	C:\Program Files\Common Files\SupportSoft
2007-08-17 23:03	---------	d--------	C:\Documents and Settings\All Users\Application Data\Google
2007-08-17 22:39	---------	d--------	C:\Program Files\Webroot
2007-08-17 22:39	---------	d--------	C:\Documents and Settings\LocalService\Application Data\Webroot
2007-07-19 22:54	1521464	--a------	C:\WINDOWS\WRSetup.dll
2005-05-12 06:36	12288	--a------	C:\WINDOWS\Fonts\RandFont.dll
.

-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 20:56]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 23:19 C:\WINDOWS\arpwrmsg.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 19:30]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-10-02 08:13]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 06:35]
"PCDrProfiler"="" []
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 17:41]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 06:12]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 22:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-10-02 08:13:42]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 06:23:26]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-10-02 08:13:42]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 06:23:26]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba9bfa3e-53e6-11da-9f04-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-09-20 08:47:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-09-26 23:00:05 C:\WINDOWS\Tasks\Warranty Reminder 11 Months.job"
- c:\hp\bin\cloaker.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-28 11:39:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-28 11:39:30
.
--- E O F ---
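The "Reg Loading Points" section of the log above is the part a reviewer reads first: every value under a `Run` key is a program that starts with Windows, and the scanner appends in brackets the file timestamp and, when the value is a bare filename, the file it resolved. Two entries in this listing deserve a second look: `"PCDrProfiler"="" []` has an empty command and nothing resolved, and `ARPWRMSG.EXE` is given without a path. An empty command value is one way a checked msconfig row with blank Startup Item and Command columns under this Run key comes about, which is what cloner88 asks about later in the thread. The following parser is an added example, not part of the thread or of any tool used in it; the sample text is constructed from the log lines above and the flag wording is mine.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: Run-key lines in the same layout as the ComboFix log
# posted in this thread (abridged to the lines needed here).
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 20:56]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 23:19 C:\WINDOWS\arpwrmsg.exe]
"PCDrProfiler"="" []
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 17:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 22:00]
'''

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
# "name"="command" [timestamp and, for bare filenames, the resolved path]
ENTRY_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<cmd>[^"]*)"\s*\[(?P<info>[^\]]*)\]$')


@dataclass
class RunEntry:
    key: str
    name: str
    command: str
    info: str  # contents of the trailing [...] written by the scanner

    def flags(self) -> List[str]:
        """Reasons a human should look at this entry (not a malware verdict)."""
        out: List[str] = []
        cmd = self.command.strip()
        if not cmd:
            out.append("empty command")
        elif "\\" not in cmd and ":" not in cmd:
            # No directory given: Windows locates the file through the PATH
            # search order, so which binary runs depends on the environment.
            out.append("bare filename, located via PATH")
        if not self.info.strip():
            out.append("no file resolved by the scanner")
        return out


def parse_run_entries(text: str) -> List[RunEntry]:
    """Collect Run-key values, remembering which registry key each is under."""
    entries: List[RunEntry] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and key is not None:
            entries.append(RunEntry(key, m["name"], m["cmd"], m["info"]))
    return entries


def entries_for_review(entries: List[RunEntry]) -> List[Tuple[RunEntry, List[str]]]:
    """Only the entries that carry at least one flag, in log order."""
    return [(e, e.flags()) for e in entries if e.flags()]


if __name__ == "__main__":
    for entry, reasons in entries_for_review(parse_run_entries(SAMPLE_LOG)):
        print(f'{entry.key}\\{entry.name}: {"; ".join(reasons)}')
```

Entries flagged this way are a reading aid, not a verdict: a blank value can be an uninstall leftover just as easily as something malicious, which is why the thread goes on to check individual files rather than deleting on sight.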


----------



## cloner88 (Jul 14, 2007)

Sorry, forgot the HJT log. Note both programs were run in normal mode and not safe mode.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:19 PM, on 9/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\RTHDCPL.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 5755 bytes


----------



## Cookiegal (Aug 27, 2003)

Do you use PeoplePC?

Are you still unable to install your anti-virus program?


----------



## cloner88 (Jul 14, 2007)

Hello Cookiegal, thank you for your assistance. I have never used PeoplePC. I have not tried to reinstall either spysweeper or trend micro pc-cillin 2007 since communicating with you. I was forced to do the F10 restore volume in order to install the AVG 7.5. I do not have automatic updates turned on either since that will cause the crash and boot recycling. cloner88


----------



## Cookiegal (Aug 27, 2003)

What about the second part of my question?


----------



## cloner88 (Jul 14, 2007)

Answered by editing above. Should I try to remove the PeoplePC folder before uninstall-reinstall of antivirus programs? I also have Spybot S&D and AdAware SE. Both would have to be uninstalled then reinstalled too.


----------



## Cookiegal (Aug 27, 2003)

Navigate to this folder and delete it:

C:\Program Files\Online Services\*PeoplePC*

Run Kaspersky online virus scan *Kaspersky Online Scanner*.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the *"Extended database" *for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, Save the results from the scan!

*Note:* You have to use Internet Explorer to do the online scan.

*Post a new HiJackThis log along with the results from Kaspersky scan*


----------



## cloner88 (Jul 14, 2007)

Here is the Kaspersky scan log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, September 28, 2007 4:13:44 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 28/09/2007
Kaspersky Anti-Virus database records: 424361
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 107917
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 01:11:26

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log	Object is locked	skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_2163979927_4587520_9457	Object is locked	skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE3.tmp	Object is locked	skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{AF481E78-2C24-45B5-9870-AA58132F5D7E}.TmpSBE	Object is locked	skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds	Object is locked	skipped
C:\Documents and Settings\HP_Administrator\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse	Object is locked	skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked	skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\HP_Administrator\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\hpodvd09.log	Object is locked	skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Perflib_Perfdata_104.dat	Object is locked	skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Perflib_Perfdata_e5c.dat	Object is locked	skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\_hphtra07.log	Object is locked	skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\HP_Administrator\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\HP_Administrator\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG	Object is locked	skipped
C:\hp\bin\KillWind.exe	Infected: not-a-virus:RiskTool.Win32.PsKill.p	skipped
C:\System Volume Information\MountPointManagerRemoteDatabase	Object is locked	skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP7\change.log	Object is locked	skipped
C:\WINDOWS\Debug\PASSWD.LOG	Object is locked	skipped
C:\WINDOWS\Prefetch\Layout.ini	Object is locked	skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{3FE261C3-CE11-45D1-81BA-2A37A7687AAA}.crmlog	Object is locked	skipped
C:\WINDOWS\SchedLgU.Txt	Object is locked	skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log	Object is locked	skipped
C:\WINDOWS\system32\CatRoot2\edb.log	Object is locked	skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb	Object is locked	skipped
C:\WINDOWS\system32\config\ACEEvent.evt	Object is locked	skipped
C:\WINDOWS\system32\config\AppEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\default	Object is locked	skipped
C:\WINDOWS\system32\config\default.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\Media Ce.evt	Object is locked	skipped
C:\WINDOWS\system32\config\SAM	Object is locked	skipped
C:\WINDOWS\system32\config\SAM.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SecEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\software	Object is locked	skipped
C:\WINDOWS\system32\config\software.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SysEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\system	Object is locked	skipped
C:\WINDOWS\system32\config\system.LOG	Object is locked	skipped
C:\WINDOWS\system32\h323log.txt	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP	Object is locked	skipped
C:\WINDOWS\WindowsUpdate.log	Object is locked	skipped

Scan process completed.

Here is the latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:19:43 PM, on 9/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\RTHDCPL.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 5888 bytes
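Most of the Kaspersky report above is noise: "Object is locked / skipped" lines are registry hives, event logs and other files the operating system holds open during a live scan, and they are expected. The one line that needs a decision is `C:\hp\bin\KillWind.exe` with `not-a-virus:RiskTool.Win32.PsKill.p`, where Kaspersky's `not-a-virus:` prefix marks a dual-use tool rather than malware. The parser below is an added example, not part of the thread or of Kaspersky's scanner; it separates locked objects from detections, classifies detections by that prefix, and checks the parsed count against the report's own statistics. The sample is constructed from a few lines of the report above, including the one line where the copy-paste replaced the first tab with a space.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: lines in the layout of the Kaspersky Online Scanner
# report posted in this thread. Columns are tab-separated except on the
# UsrClass.dat line, where a space stands in for the first tab (as on the page).
SAMPLE_REPORT = (
    "Scan Statistics:\n"
    "Total number of scanned objects: 107917\n"
    "Number of viruses found: 1\n"
    "Number of infected objects: 1\n"
    "Number of suspicious objects: 0\n"
    "\n"
    "Infected Object Name / Virus Name / Last Action\n"
    "C:\\Documents and Settings\\All Users\\DRM\\drmstore.hds\tObject is locked\tskipped\n"
    "C:\\Documents and Settings\\HP_Administrator\\Local Settings\\Application Data"
    "\\Microsoft\\Windows\\UsrClass.dat Object is locked\tskipped\n"
    "C:\\hp\\bin\\KillWind.exe\tInfected: not-a-virus:RiskTool.Win32.PsKill.p\tskipped\n"
    "C:\\WINDOWS\\system32\\config\\SAM\tObject is locked\tskipped\n"
    "\n"
    "Scan process completed.\n"
)

STAT_RE = re.compile(r"^(?P<label>[A-Za-z ]+): (?P<value>\d+)$")
# Path, status column, action column. The status is anchored on Kaspersky's
# fixed wording, so a space instead of a tab before it still parses.
OBJ_RE = re.compile(
    r"^(?P<path>.+?)[\t ]+"
    r"(?P<status>Object is locked|Infected: (?P<sig>\S+)|Suspicious: (?P<sus>\S+))"
    r"\t(?P<action>\w+)$"
)


@dataclass
class Detection:
    path: str
    signature: str
    action: str

    @property
    def category(self) -> str:
        # Kaspersky names riskware (dual-use tools) with a "not-a-virus:" prefix;
        # anything else in the Infected column is treated as malware.
        return "riskware" if self.signature.startswith("not-a-virus:") else "malware"


def parse_kaspersky_report(text: str) -> Dict[str, object]:
    stats: Dict[str, int] = {}
    locked: List[str] = []
    detections: List[Detection] = []
    for line in text.splitlines():
        m = STAT_RE.match(line)
        if m:
            stats[m["label"]] = int(m["value"])
            continue
        m = OBJ_RE.match(line)
        if not m:
            continue
        if m["status"] == "Object is locked":
            locked.append(m["path"])
        else:
            detections.append(Detection(m["path"], m["sig"] or m["sus"], m["action"]))
    return {"stats": stats, "locked": locked, "detections": detections}


def triage(report: Dict[str, object]) -> Dict[str, object]:
    """Split expected noise (locked files) from items needing a decision and
    cross-check the parsed detection count against the report's statistics."""
    det: List[Detection] = report["detections"]
    declared = report["stats"].get("Number of infected objects")
    return {
        "locked_count": len(report["locked"]),
        "needs_review": [(d.path, d.signature, d.category) for d in det],
        "count_matches_report": declared is None or declared == len(det),
    }


if __name__ == "__main__":
    result = triage(parse_kaspersky_report(SAMPLE_REPORT))
    for path, sig, cat in result["needs_review"]:
        print(f"{cat:9} {sig}  {path}")
    print(f"{result['locked_count']} locked objects skipped (expected on a live system)")
```

The count cross-check matters when a report is pasted in pieces: if the statistics block says one infected object and the parser sees none, part of the listing was lost in transit.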


----------



## Cookiegal (Aug 27, 2003)

cloner88 said:


> sghould I try to remove PeoplePC folder before uninstall-reinstall of antivirus programs?


It doesn't matter whether it's before or after.


> I also have spybot S&D and AdAware SE. Both would have to be uninstalled then reinstalled too.


I don't follow. Why?


----------



## cloner88 (Jul 14, 2007)

I removed the PeoplePC folder prior to running the Kaspersky scan and HJT logs shown above. I successfully re-installed SpySweeper and TM PC-cillin 2007. Spybot S&D opens without a re-install. However, AdAware SE gives "error message 1810 has occured. Program not online", so I uninstalled and re-installed it to get it to work.


----------



## Cookiegal (Aug 27, 2003)

Are there any problems remaining?


----------



## cloner88 (Jul 14, 2007)

My computer is responding slowly. I have not turned windows update back on. I still have 9 recycle bin icons in the recycler folder, is this something that I should be concerned about?

I ran msconfig and noticed that there is a checked box that has no description under either startup item or command (i.e. blank). Under location:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 

Is this normal or the result of malware?


----------



## Cookiegal (Aug 27, 2003)

That's definitely not normal to have so many recycle bins.

Do you recognize this file?

C:\WINDOWS\jestertb.dll


----------



## cloner88 (Jul 14, 2007)

Hello again Cookiegal. Thanks again for your patience and help. I do not know anything about the file jestertb.dll. If it is malware can I delete it to remove it? Is it associated with other known malware files?


----------



## Cookiegal (Aug 27, 2003)

Go to *Start* - *Search* - *All Files and Folders* and, under *More advanced search options*, make sure there is a check by *Search System Folders*, *Search hidden files and folders* and *Search system subfolders*.

Next click on *My Computer*. Go to *Tools* - *Folder Options*. Click on the View tab and make sure that *Show hidden files and folders* is checked. Also uncheck *Hide protected operating system files* and *Hide extensions for known file types*. Now click *Apply to all folders*. Click *Apply* then *OK*.

Now, go to the following link and upload each of the following files for analysis and let me know what the results are please:

http://virusscan.jotti.org/
*C:\WINDOWS\jestertb.dll*

Download *WinPFind3U.exe* to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program.

In the *Processes* group click *ALL*
In the *Win32 Services* group click *ALL*
In the *Driver Services* group click *ALL*
In the *Registry* group click *ALL*
In the *Files Created Within* group click *60 days*. Make sure Non-Microsoft only is *UNCHECKED*
In the *Files Modified Within* group select *30 days*. Make sure Non-Microsoft only is *UNCHECKED*
In the *File String Search* group select *ALL*
In the *Additional Scans* section please select *ALL*
Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file but click on the "Format" menu and make sure that "word wrap" is not checked. If it is then click on it to uncheck it.
Please post the resulting log here as an attachment.


----------



## cloner88 (Jul 14, 2007)

The online malware scan revealed jestertb.dll to be infected/malware. Norman Virus Control listed this as W32/Jesta.A. The WinPfind3 file is 1.06 Mb total; the forum reply only allows up to 500 Kb attachments, so I divided the file into parts A, B, C and D to allow attachment.


----------



## Cookiegal (Aug 27, 2003)

May I see the full report from Jotti please?


----------



## cloner88 (Jul 14, 2007)

The Jotti scan does not have a save function so I copied page into note pad. Here are results:

File to upload & scan:
File: jestertb.dll
Status: 
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 65dabb831da51500dfa31b40252803e2
Packers detected: 
-
Bit9 reports: File not found
Scanner results
Scan taken on 29 Sep 2007 21:25:02 (GMT)
A-Squared 
Found nothing
AntiVir 
Found nothing
ArcaVir 
Found nothing
Avast 
Found nothing
AVG Antivirus 
Found nothing
BitDefender 
Found nothing
ClamAV 
Found nothing
CPsecure 
Found nothing
Dr.Web 
Found nothing
F-Prot Antivirus 
Found nothing
F-Secure Anti-Virus 
Found nothing
Fortinet 
Found nothing
Kaspersky Anti-Virus 
Found nothing
NOD32 
Found nothing
Norman Virus Control 
Found W32/Jesta.A
Panda Antivirus 
Found nothing
Rising Antivirus 
Found nothing
Sophos Antivirus 
Found nothing
VirusBuster 
Found nothing
VBA32 
Found nothing
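The Jotti output above is a multi-engine scan: one engine out of twenty names the file, and the rest find nothing. That ratio, not the red "INFECTED/MALWARE" banner, is the signal to weigh, and the MD5 on the page is the handle for tracking the sample across services. The code below is an added example, not part of the thread or of Jotti's service; it parses the pasted results into per-engine verdicts and scores the consensus. The sample is constructed from the listing above, and the thresholds in `consensus` are illustrative choices of mine rather than anything Jotti or the thread defines.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample: the Jotti result page as pasted in this thread, reduced
# to the lines the parser uses (engine name on one line, verdict on the next).
SAMPLE_JOTTI = """\
File: jestertb.dll
Status:
INFECTED/MALWARE
MD5: 65dabb831da51500dfa31b40252803e2
Scanner results
Scan taken on 29 Sep 2007 21:25:02 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found W32/Jesta.A
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
"""

MD5_RE = re.compile(r"^MD5:\s*([0-9a-fA-F]{32})$")


def parse_jotti(text: str) -> Tuple[Optional[str], Dict[str, Optional[str]]]:
    """Return (md5, {engine: detection name or None}).
    A 'Found ...' line is attributed to the non-empty line just before it."""
    md5: Optional[str] = None
    results: Dict[str, Optional[str]] = {}
    prev: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MD5_RE.match(line)
        if m:
            md5 = m.group(1).lower()
        elif line.startswith("Found ") and prev is not None:
            verdict = line[len("Found "):]
            results[prev] = None if verdict == "nothing" else verdict
        prev = line
    return md5, results


def consensus(results: Dict[str, Optional[str]]) -> Dict[str, object]:
    """Weigh how many engines agree. Thresholds are illustrative, not Jotti's."""
    hits = {engine: name for engine, name in results.items() if name}
    total = len(results)
    ratio = len(hits) / total if total else 0.0
    if not hits:
        verdict = "no detections"
    elif len(hits) == 1:
        verdict = "single-engine detection: low confidence, submit sample for analysis"
    elif ratio < 0.25:
        verdict = "minority detection: corroborate before acting"
    else:
        verdict = "broad consensus: treat as malicious"
    return {"hits": hits, "total": total, "ratio": ratio, "verdict": verdict}


if __name__ == "__main__":
    digest, per_engine = parse_jotti(SAMPLE_JOTTI)
    summary = consensus(per_engine)
    print(f"md5={digest} detections={len(summary['hits'])}/{summary['total']}")
    print(summary["verdict"])
```

A single-engine hit is exactly the situation where a file gets sent to a human analyst rather than deleted, which is the path the thread takes next.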


----------



## Cookiegal (Aug 27, 2003)

I believe that the Norman detection may be a false positive, so please do this so someone can examine the file for us:

Go to the forum *here* and upload this (these) file(s):

*C:\WINDOWS\jestertb.dll*

Here are the directions for uploading the file:

Just click "New Topic", fill in the needed details and post a link to your thread here. Click the "Browse" button. Navigate to the file on your computer. When the file is listed in the window click "Post" to upload the file.


----------



## cloner88 (Jul 14, 2007)

I have uploaded jestertb.dll to the requested site.


----------



## Cookiegal (Aug 27, 2003)

I'm going to have to ask you to upload the WinpFind3u scan again as they seem to be out of sequence and I can't tell what goes where. Do not cut them off in the middle of a line of information. You seem to have done that and not picked up in the same spot in the next one.

Try cutting off at the end of a heading, such as Win32 Services or Driver Services and then the beginning of Registry or Files Created.... etc.


----------



## cloner88 (Jul 14, 2007)

Hello Cookiegal, I really appreciate your patience and help. As I attempted to follow your directions I found that from the beginning of the log file up to "Files/folders created within 60 days" was 258 Kb, so I made that the cutoff point and labeled it part_1_WPF3.txt. However, the "within 60 days" section was 778 Kb, which is above the 500 Kb upload limit. I did notice that the listed files went in alphabetical order twice in succession. Therefore, the section labeled part_2_WPF3.txt begins with "Files/folders created within 60 days" and runs up to the line beginning with ZPORT4AS.dll, while part_3_WPF3.txt begins with a repeat of the ZPORT4AS.dll line and continues to the end of the log file. I hope I explained this clearly and that this information is now more organized for you to examine. Thanks again, Cloner88


----------



## cloner88 (Jul 14, 2007)

Cookiegal, I re-ran WinPfind3 on Sunday night, Sep 30 2007, at 7:30 PM and finished posting the files at 7:52 PM. Yet the time stated in part_1_WPF3.txt is October 1 11:37 AM? I also noticed that several folders in the changes made in the last 30 days have the October 1 date and time, which would be several hours (approximately 17) later than I ran the scan.


----------



## Cookiegal (Aug 27, 2003)

Did you do a repair install or recovery installation back in August?


----------



## cloner88 (Jul 14, 2007)

Yes, I did an install in August using my recovery CDs, but after waiting the 5 hrs to install everything the computer still forced a boot-up from system restore!


----------



## Cookiegal (Aug 27, 2003)

Download GMER from: http://majorgeeks.com/download.php?det=5198

Save it somewhere on your hard drive and unzip it to desktop.

Double click the gmer.exe to run it and select the rootkit tab and press scan. When the scan is done, click *Copy*. This will copy the report to the clipboard. Paste it into Notepad and save it and also paste the log report back here please.


----------



## cloner88 (Jul 14, 2007)

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-10-03 13:20:45
Windows 5.1.2600 Service Pack 2

---- User code sections - GMER 1.0.13 ----

.text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1916] kernel32.dll!CreateThread + 1A 7C810849 4 Bytes [ FF, F9, C3, 83 ]

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F768B742] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F768B742] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F768B000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F76885C2] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F7688000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F7688000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F7688000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F7688000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F7688000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F7688000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F7688000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F7688000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F7688000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F768C5D2] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F7688000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F7688000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F7688000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F7688000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F768B000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F768B742] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F7688000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F7688000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F7688000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F7688000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F7688000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F7688000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F7688000] bb-run.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CREATE [F79C7990] arkbcfltr.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CREATE_NAMED_PIPE [F79C7990] arkbcfltr.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CLOSE [F79C7990] arkbcfltr.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_READ [F79C7AD4] arkbcfltr.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_WRITE [F79C7990] arkbcfltr.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_QUERY_INFORMATION [F79C7990] arkbcfltr.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SET_INFORMATION [F79C7990] arkbcfltr.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_QUERY_EA [F79C7990] arkbcfltr.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SET_EA [F79C7990] arkbcfltr.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_FLUSH_BUFFERS [F79C7990] arkbcfltr.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_QUERY_VOLUME_INFORMATION [F79C7990] arkbcfltr.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SET_VOLUME_INFORMATION [F79C7990] arkbcfltr.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_DIRECTORY_CONTROL [F79C7990] arkbcfltr.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_FILE_SYSTEM_CONTROL [F79C7990] arkbcfltr.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_DEVICE_CONTROL [F79C7B56] arkbcfltr.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_INTERNAL_DEVICE_CONTROL [F79C7990] arkbcfltr.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SHUTDOWN [F79C7990] arkbcfltr.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_LOCK_CONTROL [F79C7990] arkbcfltr.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CLEANUP [F79C7990] arkbcfltr.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CREATE_MAILSLOT [F79C7990] arkbcfltr.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_QUERY_SECURITY [F79C7990] arkbcfltr.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SET_SECURITY [F79C7990] arkbcfltr.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_POWER [F79C7AA0] arkbcfltr.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SYSTEM_CONTROL [F79C7990] arkbcfltr.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_DEVICE_CHANGE [F79C7990] arkbcfltr.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_QUERY_QUOTA [F79C7990] arkbcfltr.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SET_QUOTA [F79C7990] arkbcfltr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F768B742] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [F768B742] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [F768B000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [F76885C2] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [F7688000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [F7688000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [F7688000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [F7688000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [F7688000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [F7688000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [F7688000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [F7688000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [F7688000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F768C5D2] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [F7688000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [F7688000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [F7688000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [F7688000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [F768B000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [F768B742] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [F7688000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [F7688000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [F7688000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [F7688000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [F7688000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [F7688000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [F7688000] bb-run.sys

Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE B9F60400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE B9F60400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ B9F60400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION B9F60400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION B9F60400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION B9F60400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL B9F60400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL B9F60400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL B9F60400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN B9F63C74
Device \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL B9F60400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP B9F60400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP B9F60400
Device \FileSystem\Cdfs \Cdfs FastIoCheckIfPossible B9F63BCE

---- EOF - GMER 1.0.13 ----
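
As an added illustration (not part of the thread and not GMER's own code), a small Python parser for the AttachedDevice lines in the report above: it groups the hooks by filter driver and target device, so a reader can see at a glance that bb-run.sys sits on the NTFS and FAT stacks and arkbcfltr.sys on the keyboard stack, and which entries share one handler address. The embedded excerpt is a constructed subset of the log above; the list of watched device names is an assumption, and the parser only surfaces filters for review, it does not judge whether a driver is legitimate.

```python
"""Summarize GMER "AttachedDevice" lines by filter driver and target device.

Added example; not part of the forum thread or of GMER.  SAMPLE_GMER is a
constructed excerpt of the report posted above, trimmed to a few lines.
"""
import re
from collections import defaultdict

# Constructed excerpt: a handful of lines copied from the posted GMER report.
# Lines that are not "AttachedDevice" entries are ignored by the regex.
SAMPLE_GMER = """\
AttachedDevice \\FileSystem\\Ntfs \\Ntfs IRP_MJ_CREATE [F768B742] bb-run.sys
AttachedDevice \\FileSystem\\Ntfs \\Ntfs IRP_MJ_READ [F76885C2] bb-run.sys
AttachedDevice \\FileSystem\\Ntfs \\Ntfs IRP_MJ_WRITE [F7688000] bb-run.sys
AttachedDevice \\Driver\\Kbdclass \\Device\\KeyboardClass0 IRP_MJ_READ [F79C7AD4] arkbcfltr.sys
AttachedDevice \\Driver\\Kbdclass \\Device\\KeyboardClass0 IRP_MJ_DEVICE_CONTROL [F79C7B56] arkbcfltr.sys
AttachedDevice \\FileSystem\\Fastfat \\Fat IRP_MJ_CREATE [F768B742] bb-run.sys
Device \\FileSystem\\Cdfs \\Cdfs IRP_MJ_CREATE B9F60400
---- EOF - GMER 1.0.13 ----
"""

# AttachedDevice <driver object> <device> <IRP major> [<handler address>] <module>
LINE_RE = re.compile(
    r"^AttachedDevice\s+(?P<driver_obj>\S+)\s+(?P<device>\S+)\s+"
    r"(?P<irp>IRP_MJ_\w+)\s+\[(?P<addr>[0-9A-F]+)\]\s+(?P<module>\S+)$"
)


def parse_attached_devices(text):
    """Return {(module, device): {irp_major: handler_address}} for every
    AttachedDevice line; all other lines are skipped."""
    hooks = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hooks[(m["module"], m["device"])][m["irp"]] = m["addr"]
    return dict(hooks)


def summarize(hooks):
    """One row per (module, device): how many IRP majors it filters and the
    distinct handler addresses.  Many majors sharing one address usually means
    a generic pass-through handler; the odd ones out are the real logic."""
    rows = []
    for (module, device), irps in sorted(hooks.items()):
        rows.append({
            "module": module,
            "device": device,
            "irp_count": len(irps),
            "handlers": sorted(set(irps.values())),
        })
    return rows


# Assumed list of stacks worth a second look: the file system and keyboard
# class devices are where AV/OEM filters live, and also where a rootkit or
# keylogger would attach, so every module here should be identified.
WATCHED_DEVICES = ("\\Ntfs", "\\Fat", "\\Device\\KeyboardClass0")


def filters_of_interest(hooks, watched=WATCHED_DEVICES):
    """Modules attached to any of the watched device stacks, sorted, deduplicated."""
    return sorted({module for (module, device) in hooks if device in watched})


if __name__ == "__main__":
    h = parse_attached_devices(SAMPLE_GMER)
    for row in summarize(h):
        print(f"{row['module']:<14} {row['device']:<26} "
              f"IRPs={row['irp_count']} handlers={row['handlers']}")
    print("attached to file-system/keyboard stacks:", filters_of_interest(h))
```

Run against the full report, the output lists each filter driver once per stack, which is the list to check against the driver's signer and on-disk path before deciding whether it belongs to an installed product.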


----------



## Cookiegal (Aug 27, 2003)

Please go to *Start* - *Run* - type in *eventvwr.msc* to open the Event Viewer. Look under both "Application" and "System" for recent errors shown in red and if found, do this for each one.

Double-click the error to open it up and then click on the icon that looks like two pieces of paper. This will copy the full error. Then "paste" the error into Notepad. Do this for each one until you have them all listed in Notepad and then copy and paste the list in a reply here please.


----------



## cloner88 (Jul 14, 2007)

Hello Cookiegal, thank you for hanging in there on my computer problems. For the system error report I again noticed that the time stamp is advanced from what my computer reads.
SideBySide event errors occurred only on 9/29/2007. Also, the error activity was most prevalent on 9/26/2007 at approximately 5:47 PM. Cloner88


----------



## Cookiegal (Aug 27, 2003)

Most of the system errors are just because of safe mode boots but I'm going to ask someone else to take a look at the rest of them.


----------



## cloner88 (Jul 14, 2007)

Thank you Cookiegal. The recycle bin icons have increased from 9 to 10.


----------



## Rollin' Rog (Dec 9, 2000)

Well, the "System" log shows a number of events relating to the source "sidebyside" -- for example:



> Event Type:	Error
> Event Source:	SideBySide
> Event Category:	None
> Event ID:	32
> ...


The available references for this are not very specific and generally just point to a currently installed program which is damaged or incomplete.

http://www.microsoft.com/technet/su...dVer=5.2&EvtID=59&EvtSrc=SideBySide&LCID=1033
http://www.eventid.net/display.asp?eventid=59&eventno=4228&source=SideBySide&phase=1

I don't know which of your installed programs might be responsible.

If the "sidebyside" errors are not repeating I would ignore them. If they occur daily you would have to take measures to isolate the program causing it.

If it is occurring during installation of programs you may need an updated .Net Framework version.

I believe this is the latest > http://www.microsoft.com/downloads/...cb-4362-4b0d-8edd-aab15c5e04f5&displaylang=en

But in the "applications" log there are a lot of "hangs" -- most associated with your "security" software.

There may be some registry damage causing this -- and if these hangs are repeating it would probably be a good idea to begin removing and reinstalling these applications one by one.

I would also recommend you install this utility which may help with some registry issues:

http://www.microsoft.com/downloads/...6D-8912-4E18-B570-42470E2F3582&displaylang=en

Finally, as an issue of general maintenance I'd suggest running chkdsk on the drive:

http://www.housing.hawaii.edu/resources/support/chkdsk.htm


----------



## Cookiegal (Aug 27, 2003)

Thanks Rog.


----------



## cloner88 (Jul 14, 2007)

Hello Cookiegal. I too wish to thank you, Ron. After I installed and ran UPHCS and booted in normal mode, the application errors were eliminated. I just finished running Check Disk and the system errors appear to be gone also. Do you feel this will allow Windows updates to install properly and run (i.e. that malicious code is not the problem)? I still have 10 recycle bin icons; is this the result of malicious software? How can I prevent the build-up of these icons? Since the errors are gone, do I still need to uninstall/reinstall my security software?


----------



## Cookiegal (Aug 27, 2003)

That's great.  

Do the Recycling bin icons all contain items or are most of them empty?


----------



## cloner88 (Jul 14, 2007)

One recycle bin mimics the one on my desktop. The others are empty.


----------



## Cookiegal (Aug 27, 2003)

I would delete the empty ones and let's see if they continue to be recreated. Have you noticed when they are recreated? (i.e. on reboot)


----------



## cloner88 (Jul 14, 2007)

Correction. I just checked and they all contain the same dummy notepad file that I just deleted. I do not have any idea how or when they were created.
I have booted several times with the number remaining at 9 icons. This is also true for having 10 icons.


----------



## Cookiegal (Aug 27, 2003)

So whenever you delete something, it appears in each one?


----------



## cloner88 (Jul 14, 2007)

That is correct.


----------



## Cookiegal (Aug 27, 2003)

How many user profiles are there on this computer?


----------



## cloner88 (Jul 14, 2007)

I am the only user, so it should be Administrator and HP_Administrator. How can I obtain this information?


----------



## Cookiegal (Aug 27, 2003)

Go to the Control Panel and click on User Accounts and see what's listed there.


----------



## cloner88 (Jul 14, 2007)

HP_Administrator, and the Guest account is turned off.


----------



## Cookiegal (Aug 27, 2003)

Try running this regfix to repair the recycle bin.

http://www.kellys-korner-xp.com/regs_edits/restorerecyclebin.reg

Click on the link and then click "Save" and save it to your desktop, then double click the file on your desktop and allow it to enter into the registry.

Reboot and let me know if anything has changed.


----------



## cloner88 (Jul 14, 2007)

I ran the registry fix provided and rebooted. I again deleted a dummy notepad file and it was in all 10 recycle bins in the RECYCLER folder.


----------



## Rollin' Rog (Dec 9, 2000)

I'm a little confused.

You say these multiple icons are in the "recycler" folder.

You would not normally be seeing the "recycler" folder unless you have unchecked "hide protected system files" in Folder Options > View.

When you do that -- you then will see, in Windows Explorer, both a "recycle bin" folder and a "recycler" folder.

If these entries are in the "recycler" folder -- you can actually delete that and Windows will rebuild it.

Here's how:

Start > run *cmd* and at the command prompt enter:

*rd /s c:\recycler*

You will be prompted to continue by pressing 'y'

After doing that reboot and delete a small text file to the bin. Is it empty now except for that text file and your single ID?
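
As an added example (not from the thread), the SID-named subfolders that make up the RECYCLER folder can be sorted out before deleting anything: on Windows XP each profile that has deleted something gets its own RECYCLER\S-1-5-21-<machine part>-<RID> folder, so the machine part tells you whether a folder belongs to an account of the running installation at all, and the RID tells you which account. The folder names and the current machine SID below are constructed placeholders; on a live system the machine SID is whatever `whoami /user` reports with the trailing RID removed.

```python
"""Classify the SID-named subfolders of C:\\RECYCLER by machine SID and RID.

Added example; not part of the thread.  A RECYCLER folder named
S-1-5-21-<a>-<b>-<c>-<rid> belongs to the account with that SID.  Folders
whose machine part (S-1-5-21-<a>-<b>-<c>) is not the current installation's
cannot belong to any account that exists now, which is what the thread's
"several bins on a single-user PC" symptom usually looks like.
"""
import re

# Constructed listing standing in for `dir /a C:\RECYCLER`; not real values.
SAMPLE_RECYCLER_DIRS = [
    "S-1-5-21-1111111111-2222222222-3333333333-500",
    "S-1-5-21-1111111111-2222222222-3333333333-1003",
    "S-1-5-21-4444444444-5555555555-6666666666-500",
    "S-1-5-21-4444444444-5555555555-6666666666-1004",
    "S-1-5-21-4444444444-5555555555-6666666666-501",
    "NPROTECT",  # constructed non-SID entry, to show it is reported separately
]

# Assumed machine SID of the running installation (placeholder value).
CURRENT_MACHINE_SID = "S-1-5-21-4444444444-5555555555-6666666666"

# Well-known local RIDs; accounts created after setup get RIDs from 1000 up.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "Guest"}

SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")


def parse_sid(name):
    """Split 'S-1-5-21-a-b-c-rid' into ('S-1-5-21-a-b-c', rid); None if not a SID."""
    m = SID_RE.match(name)
    if not m:
        return None
    return "S-1-5-21-" + "-".join(m.groups()[:3]), int(m.group(4))


def classify(dirnames, current_machine_sid):
    """One report entry per folder: machine part, RID, account kind, and
    whether the folder can belong to an account of the running installation."""
    report = []
    for name in dirnames:
        parsed = parse_sid(name)
        if parsed is None:
            report.append({"folder": name, "kind": "not a SID folder"})
            continue
        machine, rid = parsed
        if rid in WELL_KNOWN_RIDS:
            kind = WELL_KNOWN_RIDS[rid]
        elif rid >= 1000:
            kind = "locally created user"
        else:
            kind = "other well-known RID"
        report.append({
            "folder": name,
            "machine_sid": machine,
            "rid": rid,
            "kind": kind,
            "current_install": machine == current_machine_sid,
        })
    return report


def orphaned(report):
    """Folders from a different machine SID: no current account owns them,
    so they are the ones the `rd /s c:\\recycler` step above gets rid of."""
    return [r["folder"] for r in report
            if r.get("machine_sid") and not r["current_install"]]


if __name__ == "__main__":
    rep = classify(SAMPLE_RECYCLER_DIRS, CURRENT_MACHINE_SID)
    for r in rep:
        print(r)
    print("orphaned:", orphaned(rep))
```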


----------



## cloner88 (Jul 14, 2007)

Thank you Rollin' Rog and Cookiegal, I now have just one recycle bin icon! The last problem I am having is getting my computer to accept all of the Windows security updates without crashing into a recycling of the boot. Is there any indication that ComboFix repaired this problem?


----------



## Cookiegal (Aug 27, 2003)

We haven't really found any malware other than that file we uploaded to The SpyKiller that we're not sure of. No one has had time to analyze it yet so let's go ahead and rename it for now. If nothing cries out for it after a week or two, you can delete it. Right-click the following file and select "rename":

C:\WINDOWS\*jestertb.dll*

Rename it to:

C:\WINDOWS\*jestertb.dll.bad*

There was the question of the program under the run key that has nothing associated with it. I know what it is and we'll be able to take care of it with ComboFix, and since CF is updated very often, let's remove the version of ComboFix that you have and redownload it and post a new log.

Download *ComboFix* and save it to your desktop.

***Note: It is important that it is saved directly to your desktop***


Close any open browsers. 
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. 
Double click on *combofix.exe* and follow the prompts.

When finished, it will produce a report for you. Please post the *C:\ComboFix.txt* along with a *new HijackThis log* for further review.

Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.


----------



## cloner88 (Jul 14, 2007)

Hello Cookiegal. I renamed jestertb.dll to jestertb.dll.bad. However, after shutting down Spy Sweeper and TM PC-cillin and running ComboFix in normal boot mode, the program completed stages 1 through 21 then gave the following message:
cmd.exe - No disk
There is no disk in the drive. Please insert a disk into drive\Device\Harddisk1\DR3

Of the options given, 1) try again, 2) cancel, and 3) continue:

Neither "try again" nor "continue" worked. I hit cancel and the program was halted.

Do you want the HJT log? Should I try rerunning ComboFix in safe mode?


----------



## Cookiegal (Aug 27, 2003)

Sometimes if you try again it will work. You should be able to click continue and it will complete. If not, you can run it in safe mode.


----------



## cloner88 (Jul 14, 2007)

I have retried several times in both normal and safe modes with the results being the error message shown in post #56 above.


----------



## Cookiegal (Aug 27, 2003)

Try removing it and reinstalling it and see if you still get the same result.


----------



## cloner88 (Jul 14, 2007)

Hello Cookiegal. I was able to run these in normal mode. Attached are the combofix log and the HJT log.


----------



## Cookiegal (Aug 27, 2003)

I'll paste the HijackThis log here for easier viewing.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:42:39 PM, on 10/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\RTHDCPL.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [HPHUPD08] "c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPwuSchd2.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .htm: C:\PROGRA~1\NETSCAPE\NETSCA~1\PLUGINS\npTrident.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6656 bytes


----------



## Cookiegal (Aug 27, 2003)

And the ComboFix log:

ComboFix 07-10-06 - HP_Administrator 2007-10-06 17:34:42.11 - NTFSx86 
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.784 [GMT -7:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-07 to 2007-10-07 )))))))))))))))))))))))))))))))
.

2007-10-05 12:23	262,144	--a------	C:\WINDOWS\system32\default_user_class.dat
2007-10-05 12:22 d--------	C:\Program Files\UPHClean
2007-10-02 11:34 d--------	C:\Documents and Settings\HP_Administrator\Application Data\AdobeUM
2007-10-02 01:14 d--------	C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-09-29 12:59 d--------	C:\Program Files\Lavasoft
2007-09-29 11:34	75,088	--a------	C:\WINDOWS\system32\drivers\tmtdi.sys
2007-09-29 11:34	36,112	--a------	C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-09-29 11:34	288,848	--a------	C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-09-29 11:34	203,024	--a------	C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-09-29 11:34	111,888	--a------	C:\WINDOWS\system32\drivers\tm_mbd_c.sys
2007-09-29 11:34	1,126,328	--a------	C:\WINDOWS\system32\drivers\vsapint.sys
2007-09-29 11:34 d--------	C:\Program Files\Trend Micro
2007-09-29 11:30 d--------	C:\Program Files\TIS2007_153_1151
2007-09-29 11:22	23,864	--a------	C:\WINDOWS\system32\drivers\sskbfd.sys
2007-09-29 11:22	21,816	--a------	C:\WINDOWS\system32\drivers\sshrmd.sys
2007-09-29 11:22	20,280	--a------	C:\WINDOWS\system32\drivers\SSFS0BB8.sys
2007-09-29 11:22	163,128	--a------	C:\WINDOWS\system32\drivers\ssidrv.sys
2007-09-29 11:22	1,521,464	--a------	C:\WINDOWS\WRSetup.dll
2007-09-29 11:22 d--------	C:\Program Files\Webroot
2007-09-29 11:22 d--------	C:\Documents and Settings\LocalService\Application Data\Webroot
2007-09-29 11:22 d--------	C:\Documents and Settings\LocalService\Application Data\Webroot
2007-09-29 11:22 d--------	C:\Documents and Settings\LocalService\Application Data\Webroot
2007-09-29 11:22 d--------	C:\Documents and Settings\HP_Administrator\Application Data\Webroot
2007-09-29 11:22 d--------	C:\Documents and Settings\All Users\Application Data\Webroot
2007-09-28 14:46 d--------	C:\WINDOWS\system32\Kaspersky Lab
2007-09-28 14:46 d--------	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-09-27 11:36	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-09-26 17:57 d--------	C:\WINDOWS\system32\ActiveScan
2007-09-26 17:01	10,872	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-26 15:57 d--------	C:\Documents and Settings\HP_Administrator\WINDOWS
2007-09-26 15:57 d--------	C:\Documents and Settings\HP_Administrator\Application Data\Symantec
2007-09-26 15:57 d--------	C:\Documents and Settings\HP_Administrator\Application Data\Real
2007-09-26 15:57 d--------	C:\Documents and Settings\HP_Administrator\Application Data\Intuit
2007-09-26 15:57 d--------	C:\Documents and Settings\HP_Administrator\Application Data\Digital Interactive Systems Corporation
2007-09-26 15:57 d--------	C:\Documents and Settings\HP_Administrator\Application Data\ATI
2007-09-26 15:56 d--------	C:\WINDOWS\system32\config\systemprofile\WINDOWS
2007-09-26 15:53	8,704	--a------	C:\WINDOWS\system32\kbdjpn.dll
2007-09-26 15:53	6,144	--a------	C:\WINDOWS\system32\kbd106.dll
2007-09-07 20:24 d--------	C:\Documents and Settings\HP_Administrator\Application Data\Netscape
2007-09-07 00:05 d--------	C:\Documents and Settings\HP_Administrator\Application Data\Help

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-29 15:51	---------	d--------	C:\Program Files\Quicken
2007-09-29 12:58	---------	d--------	C:\Program Files\Common Files\Wise Installation Wizard
2007-09-26 18:18	---------	d-a------	C:\Program Files\Common Files\LightScribe
2007-09-26 16:26	---------	d--------	C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-26 16:00	1925	-rahs----	C:\WINDOWS\system32\drivers\103C_HP_CPC_EL412AA-ABA M7367C_YC_0Pavi_QMXK552_E61NAemMPC2_48_IEMERY_SASUSTek Computer INC._V1.05_B3.17_T060915_WXP2_L409_M1535_J300_7Intel_8Pentium D_93_#070818_N808627DC_Z11C10620_G10027146.MRK
2007-09-19 13:17	---------	d--------	C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-09-10 14:38	---------	d--------	C:\Program Files\Verizon
2007-09-07 21:04	---------	d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-07 01:07	---------	d--------	C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-09-04 22:41	---------	d--------	C:\Program Files\Uniblue
2007-09-04 22:41	---------	d--------	C:\Documents and Settings\HP_Administrator\Application Data\Uniblue
2007-09-04 16:14	---------	d--------	C:\Documents and Settings\HP_Administrator\Application Data\HPQ
2007-09-04 14:14	---------	d--------	C:\Program Files\Security Task Manager
2007-09-03 03:27	---------	d--------	C:\Program Files\Windows Defender
2007-09-03 00:09	---------	d--------	C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-08-29 20:50	---------	d--------	C:\Program Files\Windows Media Connect 2
2007-08-27 16:42	---------	d--------	C:\Program Files\Secunia
2007-08-26 14:48	---------	d--------	C:\Program Files\MSXML 6.0
2007-08-25 15:41	---------	d--------	C:\Program Files\MSBuild
2007-08-25 15:38	---------	d--------	C:\Program Files\Reference Assemblies
2007-08-24 23:41	---------	d--------	C:\Program Files\Realtek
2007-08-24 20:18	---------	d--------	C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-08-18 03:50	---------	d--------	C:\Program Files\Hewlett-Packard
2007-08-18 03:43	---------	d--------	C:\Documents and Settings\Administrator\Application Data\Symantec
2007-08-18 03:43	---------	d--------	C:\Documents and Settings\Administrator\Application Data\Symantec
2007-08-18 03:36	---------	d--------	C:\Program Files\PC-Doctor for DOS
2007-08-18 03:36	---------	d--------	C:\Program Files\PC-Doctor 5 for Windows
2007-08-18 03:34	61440	--a------	C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
2007-08-18 03:34	45056	--a------	C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2007-08-18 03:34	44032	--a------	C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2007-08-18 03:34	40960	--a------	C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
2007-08-18 03:34	341048	--a------	C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection3.dll
2007-08-18 03:34	32768	--a------	C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
2007-08-18 03:34	32768	--a------	C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
2007-08-18 03:34	163840	--a------	C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
2007-08-18 03:33	14317	--a------	C:\WINDOWS\system32\CHODDI.SYS
2007-08-18 03:33	118842	-ra------	C:\WINDOWS\HPCPCUninstaller-6.3.2.116-9972322.exe
2007-08-18 03:33	---------	d--------	C:\Program Files\Updates from HP
2007-08-18 03:30	---------	d-a------	C:\Program Files\TurboTax Online
2007-08-18 03:30	---------	d--------	C:\Program Files\Common Files\Palo Alto Software
2007-08-18 03:30	---------	d--------	C:\Program Files\Common Files\Intuit
2007-08-18 03:30	---------	d--------	C:\Documents and Settings\All Users\Application Data\Intuit
2007-08-18 03:30	---------	d--------	C:\Documents and Settings\Administrator\Application Data\Intuit
2007-08-18 03:30	---------	d--------	C:\Documents and Settings\Administrator\Application Data\Intuit
2007-08-18 03:29	---------	d--h-----	C:\Program Files\InstallShield Installation Information
2007-08-18 03:29	---------	d--------	C:\Program Files\muvee Technologies
2007-08-18 03:29	---------	d--------	C:\Program Files\Common Files\muvee Technologies
2007-08-18 03:29	---------	d--------	C:\Program Files\Common Files\InstallShield
2007-08-18 03:26	---------	d--------	C:\Program Files\Microsoft.NET
2007-08-18 03:26	---------	d--------	C:\Program Files\Microsoft Works
2007-08-18 03:26	---------	d--------	C:\Program Files\Microsoft ActiveSync
2007-08-18 03:26	---------	d--------	C:\Program Files\Common Files\L&H
2007-08-18 03:25	---------	d--------	C:\Program Files\Microsoft Money 2005
2007-08-18 03:24	---------	d-a------	C:\Program Files\IntelliMoverDemo
2007-08-18 03:23	---------	d--------	C:\Program Files\InterVideo
2007-08-18 03:23	---------	d--------	C:\Program Files\Common Files\InterVideo
2007-08-18 03:22	---------	d--------	C:\Program Files\Sonic
2007-08-18 03:22	---------	d--------	C:\Program Files\Common Files\TiVo Shared
2007-08-18 03:22	---------	d--------	C:\Program Files\Common Files\Roxio Shared
2007-08-18 03:21	---------	d--------	C:\Program Files\WildTangent
2007-08-18 03:18	---------	d--------	C:\Program Files\Common Files\SureThing Shared
2007-08-18 03:18	---------	d--------	C:\Program Files\Common Files\Sonic Shared
2007-08-18 03:18	---------	d--------	C:\Documents and Settings\All Users\Application Data\InstallShield
2007-08-18 03:17	---------	d--------	C:\Program Files\Rhapsody
2007-08-18 03:17	---------	d--------	C:\Program Files\Real
2007-08-18 03:17	---------	d--------	C:\Program Files\Netscape
2007-08-18 03:17	---------	d--------	C:\Program Files\Common Files\xing shared
2007-08-18 03:17	---------	d--------	C:\Program Files\Common Files\Real
2007-08-18 03:17	---------	d--------	C:\Documents and Settings\Administrator\Application Data\Real
2007-08-18 03:17	---------	d--------	C:\Documents and Settings\Administrator\Application Data\Real
2007-08-18 03:16	---------	d--------	C:\Program Files\MSN Encarta Standard
2007-08-18 03:16	---------	d--------	C:\Documents and Settings\Administrator\Application Data\Digital Interactive Systems Corporation
2007-08-18 03:16	---------	d--------	C:\Documents and Settings\Administrator\Application Data\Digital Interactive Systems Corporation
2007-08-18 03:11	---------	d--------	C:\Documents and Settings\All Users\Application Data\HP
2007-08-18 03:10	---------	d--------	C:\Program Files\Common Files\HP
2007-08-18 03:10	---------	d--------	C:\Documents and Settings\All Users\Application Data\Sonic
2007-08-18 03:09	---------	d--------	C:\Program Files\HP
2007-08-18 03:09	---------	d--------	C:\Program Files\Common Files\Hewlett-Packard
2007-08-18 03:07	---------	d--------	C:\Documents and Settings\Administrator\Application Data\ATI
2007-08-18 03:07	---------	d--------	C:\Documents and Settings\Administrator\Application Data\ATI
2007-08-18 03:04	---------	d--------	C:\Program Files\Intel
2007-08-18 03:04	---------	d--------	C:\Program Files\ATI Technologies
2007-08-18 02:52	---------	d--------	C:\Documents and Settings\All Users\Application Data\SBSI
2007-08-18 02:49	---------	d--------	C:\Program Files\GemMaster
2007-08-18 02:49	---------	d--------	C:\Program Files\EnglishOtto
2007-08-18 01:20	---------	d--------	C:\Program Files\MSXML 4.0
2007-08-18 00:10	---------	d--------	C:\Documents and Settings\All Users\Application Data\MSN6
2007-08-18 00:09	---------	d--------	C:\Program Files\PlayLinc
2007-08-18 00:07	---------	d--------	C:\Documents and Settings\All Users\Application Data\Verizon
2007-08-18 00:06	---------	d--------	C:\Program Files\Common Files\Motive
2007-08-18 00:06	---------	d--------	C:\Documents and Settings\All Users\Application Data\Motive
2007-08-18 00:05	---------	d--------	C:\Program Files\VZBB Toolbar
2007-08-17 23:58	---------	d--------	C:\Program Files\Common Files\SupportSoft
2007-08-17 23:03	---------	d--------	C:\Documents and Settings\All Users\Application Data\Google
2007-08-07 13:58	8320	--a------	C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56	9344	--a------	C:\WINDOWS\system32\drivers\NSDriver.sys
2005-05-12 06:36	12288	--a------	C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 20:56]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 23:19 C:\WINDOWS\arpwrmsg.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 19:30]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-10-02 08:13]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 06:35]
"PCDrProfiler"="" []
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 17:41]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 06:12]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-01-23 14:26]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 22:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-10-02 08:13:42]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 06:23:26]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS
R2 tmxpflt;tmxpflt;C:\WINDOWS\system32\DRIVERS\tmxpflt.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba9bfa3e-53e6-11da-9f04-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

.
Contents of the 'Scheduled Tasks' folder
"2007-09-20 08:47:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-09-26 23:00:05 C:\WINDOWS\Tasks\Warranty Reminder 11 Months.job"
- c:\hp\bin\cloaker.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-06 17:35:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-06 17:36:26
.
--- E O F ---


----------



## Cookiegal (Aug 27, 2003)

Open Notepad and copy and paste the text in the quote box below into it:



> DirLook::
> C:\WINDOWS\system32\config\systemprofile\WINDOWS
> C:\Documents and Settings\HP_Administrator\WINDOWS
> 
> ...


Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.


----------



## cloner88 (Jul 14, 2007)

Hello Cookiegal, thanks for your assistance. After running the script the icon for the start-up audio service controlled by the program RTHDCPL.EXE, which had been loading extremely slowly, immediately moved from the end position (6th) of the icons located on the taskbar to the middle (3rd position) without a reboot. Here are the logs you requested:

ComboFix 07-10-06 - HP_Administrator 2007-10-06 17:34:42.11 - NTFSx86 
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.784 [GMT -7:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-07 to 2007-10-07 )))))))))))))))))))))))))))))))
.

2007-10-05 12:23	262,144	--a------	C:\WINDOWS\system32\default_user_class.dat
2007-10-05 12:22 d--------	C:\Program Files\UPHClean
2007-10-02 11:34 d--------	C:\Documents and Settings\HP_Administrator\Application Data\AdobeUM
2007-10-02 01:14 d--------	C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-09-29 12:59 d--------	C:\Program Files\Lavasoft
2007-09-29 11:34	75,088	--a------	C:\WINDOWS\system32\drivers\tmtdi.sys
2007-09-29 11:34	36,112	--a------	C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-09-29 11:34	288,848	--a------	C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-09-29 11:34	203,024	--a------	C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-09-29 11:34	111,888	--a------	C:\WINDOWS\system32\drivers\tm_mbd_c.sys
2007-09-29 11:34	1,126,328	--a------	C:\WINDOWS\system32\drivers\vsapint.sys
2007-09-29 11:34 d--------	C:\Program Files\Trend Micro
2007-09-29 11:30 d--------	C:\Program Files\TIS2007_153_1151
2007-09-29 11:22	23,864	--a------	C:\WINDOWS\system32\drivers\sskbfd.sys
2007-09-29 11:22	21,816	--a------	C:\WINDOWS\system32\drivers\sshrmd.sys
2007-09-29 11:22	20,280	--a------	C:\WINDOWS\system32\drivers\SSFS0BB8.sys
2007-09-29 11:22	163,128	--a------	C:\WINDOWS\system32\drivers\ssidrv.sys
2007-09-29 11:22	1,521,464	--a------	C:\WINDOWS\WRSetup.dll
2007-09-29 11:22 d--------	C:\Program Files\Webroot
2007-09-29 11:22 d--------	C:\Documents and Settings\LocalService\Application Data\Webroot
2007-09-29 11:22 d--------	C:\Documents and Settings\LocalService\Application Data\Webroot
2007-09-29 11:22 d--------	C:\Documents and Settings\LocalService\Application Data\Webroot
2007-09-29 11:22 d--------	C:\Documents and Settings\HP_Administrator\Application Data\Webroot
2007-09-29 11:22 d--------	C:\Documents and Settings\All Users\Application Data\Webroot
2007-09-28 14:46 d--------	C:\WINDOWS\system32\Kaspersky Lab
2007-09-28 14:46 d--------	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-09-27 11:36	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-09-26 17:57 d--------	C:\WINDOWS\system32\ActiveScan
2007-09-26 17:01	10,872	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-26 15:57 d--------	C:\Documents and Settings\HP_Administrator\WINDOWS
2007-09-26 15:57 d--------	C:\Documents and Settings\HP_Administrator\Application Data\Symantec
2007-09-26 15:57 d--------	C:\Documents and Settings\HP_Administrator\Application Data\Real
2007-09-26 15:57 d--------	C:\Documents and Settings\HP_Administrator\Application Data\Intuit
2007-09-26 15:57 d--------	C:\Documents and Settings\HP_Administrator\Application Data\Digital Interactive Systems Corporation
2007-09-26 15:57 d--------	C:\Documents and Settings\HP_Administrator\Application Data\ATI
2007-09-26 15:56 d--------	C:\WINDOWS\system32\config\systemprofile\WINDOWS
2007-09-26 15:53	8,704	--a------	C:\WINDOWS\system32\kbdjpn.dll
2007-09-26 15:53	6,144	--a------	C:\WINDOWS\system32\kbd106.dll
2007-09-07 20:24 d--------	C:\Documents and Settings\HP_Administrator\Application Data\Netscape
2007-09-07 00:05 d--------	C:\Documents and Settings\HP_Administrator\Application Data\Help

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-29 15:51	---------	d--------	C:\Program Files\Quicken
2007-09-29 12:58	---------	d--------	C:\Program Files\Common Files\Wise Installation Wizard
2007-09-26 18:18	---------	d-a------	C:\Program Files\Common Files\LightScribe
2007-09-26 16:26	---------	d--------	C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-26 16:00	1925	-rahs----	C:\WINDOWS\system32\drivers\103C_HP_CPC_EL412AA-ABA M7367C_YC_0Pavi_QMXK552_E61NAemMPC2_48_IEMERY_SASUSTek Computer INC._V1.05_B3.17_T060915_WXP2_L409_M1535_J300_7Intel_8Pentium D_93_#070818_N808627DC_Z11C10620_G10027146.MRK
2007-09-19 13:17	---------	d--------	C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-09-10 14:38	---------	d--------	C:\Program Files\Verizon
2007-09-07 21:04	---------	d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-07 01:07	---------	d--------	C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-09-04 22:41	---------	d--------	C:\Program Files\Uniblue
2007-09-04 22:41	---------	d--------	C:\Documents and Settings\HP_Administrator\Application Data\Uniblue
2007-09-04 16:14	---------	d--------	C:\Documents and Settings\HP_Administrator\Application Data\HPQ
2007-09-04 14:14	---------	d--------	C:\Program Files\Security Task Manager
2007-09-03 03:27	---------	d--------	C:\Program Files\Windows Defender
2007-09-03 00:09	---------	d--------	C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-08-29 20:50	---------	d--------	C:\Program Files\Windows Media Connect 2
2007-08-27 16:42	---------	d--------	C:\Program Files\Secunia
2007-08-26 14:48	---------	d--------	C:\Program Files\MSXML 6.0
2007-08-25 15:41	---------	d--------	C:\Program Files\MSBuild
2007-08-25 15:38	---------	d--------	C:\Program Files\Reference Assemblies
2007-08-24 23:41	---------	d--------	C:\Program Files\Realtek
2007-08-24 20:18	---------	d--------	C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-08-18 03:50	---------	d--------	C:\Program Files\Hewlett-Packard
2007-08-18 03:43	---------	d--------	C:\Documents and Settings\Administrator\Application Data\Symantec
2007-08-18 03:43	---------	d--------	C:\Documents and Settings\Administrator\Application Data\Symantec
2007-08-18 03:36	---------	d--------	C:\Program Files\PC-Doctor for DOS
2007-08-18 03:36	---------	d--------	C:\Program Files\PC-Doctor 5 for Windows
2007-08-18 03:34	61440	--a------	C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
2007-08-18 03:34	45056	--a------	C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2007-08-18 03:34	44032	--a------	C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2007-08-18 03:34	40960	--a------	C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
2007-08-18 03:34	341048	--a------	C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection3.dll
2007-08-18 03:34	32768	--a------	C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
2007-08-18 03:34	32768	--a------	C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
2007-08-18 03:34	163840	--a------	C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
2007-08-18 03:33	14317	--a------	C:\WINDOWS\system32\CHODDI.SYS
2007-08-18 03:33	118842	-ra------	C:\WINDOWS\HPCPCUninstaller-6.3.2.116-9972322.exe
2007-08-18 03:33	---------	d--------	C:\Program Files\Updates from HP
2007-08-18 03:30	---------	d-a------	C:\Program Files\TurboTax Online
2007-08-18 03:30	---------	d--------	C:\Program Files\Common Files\Palo Alto Software
2007-08-18 03:30	---------	d--------	C:\Program Files\Common Files\Intuit
2007-08-18 03:30	---------	d--------	C:\Documents and Settings\All Users\Application Data\Intuit
2007-08-18 03:30	---------	d--------	C:\Documents and Settings\Administrator\Application Data\Intuit
2007-08-18 03:30	---------	d--------	C:\Documents and Settings\Administrator\Application Data\Intuit
2007-08-18 03:29	---------	d--h-----	C:\Program Files\InstallShield Installation Information
2007-08-18 03:29	---------	d--------	C:\Program Files\muvee Technologies
2007-08-18 03:29	---------	d--------	C:\Program Files\Common Files\muvee Technologies
2007-08-18 03:29	---------	d--------	C:\Program Files\Common Files\InstallShield
2007-08-18 03:26	---------	d--------	C:\Program Files\Microsoft.NET
2007-08-18 03:26	---------	d--------	C:\Program Files\Microsoft Works
2007-08-18 03:26	---------	d--------	C:\Program Files\Microsoft ActiveSync
2007-08-18 03:26	---------	d--------	C:\Program Files\Common Files\L&H
2007-08-18 03:25	---------	d--------	C:\Program Files\Microsoft Money 2005
2007-08-18 03:24	---------	d-a------	C:\Program Files\IntelliMoverDemo
2007-08-18 03:23	---------	d--------	C:\Program Files\InterVideo
2007-08-18 03:23	---------	d--------	C:\Program Files\Common Files\InterVideo
2007-08-18 03:22	---------	d--------	C:\Program Files\Sonic
2007-08-18 03:22	---------	d--------	C:\Program Files\Common Files\TiVo Shared
2007-08-18 03:22	---------	d--------	C:\Program Files\Common Files\Roxio Shared
2007-08-18 03:21	---------	d--------	C:\Program Files\WildTangent
2007-08-18 03:18	---------	d--------	C:\Program Files\Common Files\SureThing Shared
2007-08-18 03:18	---------	d--------	C:\Program Files\Common Files\Sonic Shared
2007-08-18 03:18	---------	d--------	C:\Documents and Settings\All Users\Application Data\InstallShield
2007-08-18 03:17	---------	d--------	C:\Program Files\Rhapsody
2007-08-18 03:17	---------	d--------	C:\Program Files\Real
2007-08-18 03:17	---------	d--------	C:\Program Files\Netscape
2007-08-18 03:17	---------	d--------	C:\Program Files\Common Files\xing shared
2007-08-18 03:17	---------	d--------	C:\Program Files\Common Files\Real
2007-08-18 03:17	---------	d--------	C:\Documents and Settings\Administrator\Application Data\Real
2007-08-18 03:17	---------	d--------	C:\Documents and Settings\Administrator\Application Data\Real
2007-08-18 03:16	---------	d--------	C:\Program Files\MSN Encarta Standard
2007-08-18 03:16	---------	d--------	C:\Documents and Settings\Administrator\Application Data\Digital Interactive Systems Corporation
2007-08-18 03:16	---------	d--------	C:\Documents and Settings\Administrator\Application Data\Digital Interactive Systems Corporation
2007-08-18 03:11	---------	d--------	C:\Documents and Settings\All Users\Application Data\HP
2007-08-18 03:10	---------	d--------	C:\Program Files\Common Files\HP
2007-08-18 03:10	---------	d--------	C:\Documents and Settings\All Users\Application Data\Sonic
2007-08-18 03:09	---------	d--------	C:\Program Files\HP
2007-08-18 03:09	---------	d--------	C:\Program Files\Common Files\Hewlett-Packard
2007-08-18 03:07	---------	d--------	C:\Documents and Settings\Administrator\Application Data\ATI
2007-08-18 03:07	---------	d--------	C:\Documents and Settings\Administrator\Application Data\ATI
2007-08-18 03:04	---------	d--------	C:\Program Files\Intel
2007-08-18 03:04	---------	d--------	C:\Program Files\ATI Technologies
2007-08-18 02:52	---------	d--------	C:\Documents and Settings\All Users\Application Data\SBSI
2007-08-18 02:49	---------	d--------	C:\Program Files\GemMaster
2007-08-18 02:49	---------	d--------	C:\Program Files\EnglishOtto
2007-08-18 01:20	---------	d--------	C:\Program Files\MSXML 4.0
2007-08-18 00:10	---------	d--------	C:\Documents and Settings\All Users\Application Data\MSN6
2007-08-18 00:09	---------	d--------	C:\Program Files\PlayLinc
2007-08-18 00:07	---------	d--------	C:\Documents and Settings\All Users\Application Data\Verizon
2007-08-18 00:06	---------	d--------	C:\Program Files\Common Files\Motive
2007-08-18 00:06	---------	d--------	C:\Documents and Settings\All Users\Application Data\Motive
2007-08-18 00:05	---------	d--------	C:\Program Files\VZBB Toolbar
2007-08-17 23:58	---------	d--------	C:\Program Files\Common Files\SupportSoft
2007-08-17 23:03	---------	d--------	C:\Documents and Settings\All Users\Application Data\Google
2007-08-07 13:58	8320	--a------	C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56	9344	--a------	C:\WINDOWS\system32\drivers\NSDriver.sys
2005-05-12 06:36	12288	--a------	C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 20:56]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 23:19 C:\WINDOWS\arpwrmsg.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 19:30]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-10-02 08:13]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 06:35]
"PCDrProfiler"="" []
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 17:41]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 06:12]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-01-23 14:26]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 22:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-10-02 08:13:42]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 06:23:26]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS
R2 tmxpflt;tmxpflt;C:\WINDOWS\system32\DRIVERS\tmxpflt.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba9bfa3e-53e6-11da-9f04-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

.
Contents of the 'Scheduled Tasks' folder
"2007-09-20 08:47:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-09-26 23:00:05 C:\WINDOWS\Tasks\Warranty Reminder 11 Months.job"
- c:\hp\bin\cloaker.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-06 17:35:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-06 17:36:26
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:14:20 AM, on 10/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\RTHDCPL.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [HPHUPD08] "c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPwuSchd2.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .htm: C:\PROGRA~1\NETSCAPE\NETSCA~1\PLUGINS\npTrident.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6657 bytes


----------



## Cookiegal (Aug 27, 2003)

That's not the correct log. The log should be called Combofix.txt and should be on your desktop.


----------



## cloner88 (Jul 14, 2007)

Hello Cookiegal. I did a search for combofix* and only found the Combofix.exe on the desktop. I did find C:\Combofix.txt (shown below) and COMBOFIX.EXE-298CB2B3.pf? I found no file on the desktop.

ComboFix 07-10-06 - HP_Administrator 2007-10-07 10:05:07.12 - NTFSx86 
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.813 [GMT -7:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-07 to 2007-10-07 )))))))))))))))))))))))))))))))
.

2007-10-05 12:23	262,144	--a------	C:\WINDOWS\system32\default_user_class.dat
2007-10-05 12:22 d--------	C:\Program Files\UPHClean
2007-10-02 11:34 d--------	C:\Documents and Settings\HP_Administrator\Application Data\AdobeUM
2007-10-02 01:14 d--------	C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-09-29 12:59 d--------	C:\Program Files\Lavasoft
2007-09-29 11:34	75,088	--a------	C:\WINDOWS\system32\drivers\tmtdi.sys
2007-09-29 11:34	36,112	--a------	C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-09-29 11:34	288,848	--a------	C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-09-29 11:34	203,024	--a------	C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-09-29 11:34	111,888	--a------	C:\WINDOWS\system32\drivers\tm_mbd_c.sys
2007-09-29 11:34	1,126,328	--a------	C:\WINDOWS\system32\drivers\vsapint.sys
2007-09-29 11:34 d--------	C:\Program Files\Trend Micro
2007-09-29 11:30 d--------	C:\Program Files\TIS2007_153_1151
2007-09-29 11:22	23,864	--a------	C:\WINDOWS\system32\drivers\sskbfd.sys
2007-09-29 11:22	21,816	--a------	C:\WINDOWS\system32\drivers\sshrmd.sys
2007-09-29 11:22	20,280	--a------	C:\WINDOWS\system32\drivers\SSFS0BB8.sys
2007-09-29 11:22	163,128	--a------	C:\WINDOWS\system32\drivers\ssidrv.sys
2007-09-29 11:22	1,521,464	--a------	C:\WINDOWS\WRSetup.dll
2007-09-29 11:22 d--------	C:\Program Files\Webroot
2007-09-29 11:22 d--------	C:\Documents and Settings\LocalService\Application Data\Webroot
2007-09-29 11:22 d--------	C:\Documents and Settings\LocalService\Application Data\Webroot
2007-09-29 11:22 d--------	C:\Documents and Settings\LocalService\Application Data\Webroot
2007-09-29 11:22 d--------	C:\Documents and Settings\HP_Administrator\Application Data\Webroot
2007-09-29 11:22 d--------	C:\Documents and Settings\All Users\Application Data\Webroot
2007-09-28 14:46 d--------	C:\WINDOWS\system32\Kaspersky Lab
2007-09-28 14:46 d--------	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-09-27 11:36	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-09-26 17:57 d--------	C:\WINDOWS\system32\ActiveScan
2007-09-26 17:01	10,872	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-26 15:57 d--------	C:\Documents and Settings\HP_Administrator\WINDOWS
2007-09-26 15:57 d--------	C:\Documents and Settings\HP_Administrator\Application Data\Symantec
2007-09-26 15:57 d--------	C:\Documents and Settings\HP_Administrator\Application Data\Real
2007-09-26 15:57 d--------	C:\Documents and Settings\HP_Administrator\Application Data\Intuit
2007-09-26 15:57 d--------	C:\Documents and Settings\HP_Administrator\Application Data\Digital Interactive Systems Corporation
2007-09-26 15:57 d--------	C:\Documents and Settings\HP_Administrator\Application Data\ATI
2007-09-26 15:56 d--------	C:\WINDOWS\system32\config\systemprofile\WINDOWS
2007-09-26 15:53	8,704	--a------	C:\WINDOWS\system32\kbdjpn.dll
2007-09-26 15:53	6,144	--a------	C:\WINDOWS\system32\kbd106.dll
2007-09-07 20:24 d--------	C:\Documents and Settings\HP_Administrator\Application Data\Netscape
2007-09-07 00:05 d--------	C:\Documents and Settings\HP_Administrator\Application Data\Help

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-29 15:51	---------	d--------	C:\Program Files\Quicken
2007-09-29 12:58	---------	d--------	C:\Program Files\Common Files\Wise Installation Wizard
2007-09-26 18:18	---------	d-a------	C:\Program Files\Common Files\LightScribe
2007-09-26 16:26	---------	d--------	C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-26 16:00	1925	-rahs----	C:\WINDOWS\system32\drivers\103C_HP_CPC_EL412AA-ABA M7367C_YC_0Pavi_QMXK552_E61NAemMPC2_48_IEMERY_SASUSTek Computer INC._V1.05_B3.17_T060915_WXP2_L409_M1535_J300_7Intel_8Pentium D_93_#070818_N808627DC_Z11C10620_G10027146.MRK
2007-09-19 13:17	---------	d--------	C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-09-10 14:38	---------	d--------	C:\Program Files\Verizon
2007-09-07 21:04	---------	d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-07 01:07	---------	d--------	C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-09-04 22:41	---------	d--------	C:\Program Files\Uniblue
2007-09-04 22:41	---------	d--------	C:\Documents and Settings\HP_Administrator\Application Data\Uniblue
2007-09-04 16:14	---------	d--------	C:\Documents and Settings\HP_Administrator\Application Data\HPQ
2007-09-04 14:14	---------	d--------	C:\Program Files\Security Task Manager
2007-09-03 03:27	---------	d--------	C:\Program Files\Windows Defender
2007-09-03 00:09	---------	d--------	C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-08-29 20:50	---------	d--------	C:\Program Files\Windows Media Connect 2
2007-08-27 16:42	---------	d--------	C:\Program Files\Secunia
2007-08-26 14:48	---------	d--------	C:\Program Files\MSXML 6.0
2007-08-25 15:41	---------	d--------	C:\Program Files\MSBuild
2007-08-25 15:38	---------	d--------	C:\Program Files\Reference Assemblies
2007-08-24 23:41	---------	d--------	C:\Program Files\Realtek
2007-08-24 20:18	---------	d--------	C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-08-18 03:50	---------	d--------	C:\Program Files\Hewlett-Packard
2007-08-18 03:43	---------	d--------	C:\Documents and Settings\Administrator\Application Data\Symantec
2007-08-18 03:43	---------	d--------	C:\Documents and Settings\Administrator\Application Data\Symantec
2007-08-18 03:36	---------	d--------	C:\Program Files\PC-Doctor for DOS
2007-08-18 03:36	---------	d--------	C:\Program Files\PC-Doctor 5 for Windows
2007-08-18 03:34	61440	--a------	C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
2007-08-18 03:34	45056	--a------	C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2007-08-18 03:34	44032	--a------	C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2007-08-18 03:34	40960	--a------	C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
2007-08-18 03:34	341048	--a------	C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection3.dll
2007-08-18 03:34	32768	--a------	C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
2007-08-18 03:34	32768	--a------	C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
2007-08-18 03:34	163840	--a------	C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
2007-08-18 03:33	14317	--a------	C:\WINDOWS\system32\CHODDI.SYS
2007-08-18 03:33	118842	-ra------	C:\WINDOWS\HPCPCUninstaller-6.3.2.116-9972322.exe
2007-08-18 03:33	---------	d--------	C:\Program Files\Updates from HP
2007-08-18 03:30	---------	d-a------	C:\Program Files\TurboTax Online
2007-08-18 03:30	---------	d--------	C:\Program Files\Common Files\Palo Alto Software
2007-08-18 03:30	---------	d--------	C:\Program Files\Common Files\Intuit
2007-08-18 03:30	---------	d--------	C:\Documents and Settings\All Users\Application Data\Intuit
2007-08-18 03:30	---------	d--------	C:\Documents and Settings\Administrator\Application Data\Intuit
2007-08-18 03:30	---------	d--------	C:\Documents and Settings\Administrator\Application Data\Intuit
2007-08-18 03:29	---------	d--h-----	C:\Program Files\InstallShield Installation Information
2007-08-18 03:29	---------	d--------	C:\Program Files\muvee Technologies
2007-08-18 03:29	---------	d--------	C:\Program Files\Common Files\muvee Technologies
2007-08-18 03:29	---------	d--------	C:\Program Files\Common Files\InstallShield
2007-08-18 03:26	---------	d--------	C:\Program Files\Microsoft.NET
2007-08-18 03:26	---------	d--------	C:\Program Files\Microsoft Works
2007-08-18 03:26	---------	d--------	C:\Program Files\Microsoft ActiveSync
2007-08-18 03:26	---------	d--------	C:\Program Files\Common Files\L&H
2007-08-18 03:25	---------	d--------	C:\Program Files\Microsoft Money 2005
2007-08-18 03:24	---------	d-a------	C:\Program Files\IntelliMoverDemo
2007-08-18 03:23	---------	d--------	C:\Program Files\InterVideo
2007-08-18 03:23	---------	d--------	C:\Program Files\Common Files\InterVideo
2007-08-18 03:22	---------	d--------	C:\Program Files\Sonic
2007-08-18 03:22	---------	d--------	C:\Program Files\Common Files\TiVo Shared
2007-08-18 03:22	---------	d--------	C:\Program Files\Common Files\Roxio Shared
2007-08-18 03:21	---------	d--------	C:\Program Files\WildTangent
2007-08-18 03:18	---------	d--------	C:\Program Files\Common Files\SureThing Shared
2007-08-18 03:18	---------	d--------	C:\Program Files\Common Files\Sonic Shared
2007-08-18 03:18	---------	d--------	C:\Documents and Settings\All Users\Application Data\InstallShield
2007-08-18 03:17	---------	d--------	C:\Program Files\Rhapsody
2007-08-18 03:17	---------	d--------	C:\Program Files\Real
2007-08-18 03:17	---------	d--------	C:\Program Files\Netscape
2007-08-18 03:17	---------	d--------	C:\Program Files\Common Files\xing shared
2007-08-18 03:17	---------	d--------	C:\Program Files\Common Files\Real
2007-08-18 03:17	---------	d--------	C:\Documents and Settings\Administrator\Application Data\Real
2007-08-18 03:17	---------	d--------	C:\Documents and Settings\Administrator\Application Data\Real
2007-08-18 03:16	---------	d--------	C:\Program Files\MSN Encarta Standard
2007-08-18 03:16	---------	d--------	C:\Documents and Settings\Administrator\Application Data\Digital Interactive Systems Corporation
2007-08-18 03:16	---------	d--------	C:\Documents and Settings\Administrator\Application Data\Digital Interactive Systems Corporation
2007-08-18 03:11	---------	d--------	C:\Documents and Settings\All Users\Application Data\HP
2007-08-18 03:10	---------	d--------	C:\Program Files\Common Files\HP
2007-08-18 03:10	---------	d--------	C:\Documents and Settings\All Users\Application Data\Sonic
2007-08-18 03:09	---------	d--------	C:\Program Files\HP
2007-08-18 03:09	---------	d--------	C:\Program Files\Common Files\Hewlett-Packard
2007-08-18 03:07	---------	d--------	C:\Documents and Settings\Administrator\Application Data\ATI
2007-08-18 03:07	---------	d--------	C:\Documents and Settings\Administrator\Application Data\ATI
2007-08-18 03:04	---------	d--------	C:\Program Files\Intel
2007-08-18 03:04	---------	d--------	C:\Program Files\ATI Technologies
2007-08-18 02:52	---------	d--------	C:\Documents and Settings\All Users\Application Data\SBSI
2007-08-18 02:49	---------	d--------	C:\Program Files\GemMaster
2007-08-18 02:49	---------	d--------	C:\Program Files\EnglishOtto
2007-08-18 01:20	---------	d--------	C:\Program Files\MSXML 4.0
2007-08-18 00:10	---------	d--------	C:\Documents and Settings\All Users\Application Data\MSN6
2007-08-18 00:09	---------	d--------	C:\Program Files\PlayLinc
2007-08-18 00:07	---------	d--------	C:\Documents and Settings\All Users\Application Data\Verizon
2007-08-18 00:06	---------	d--------	C:\Program Files\Common Files\Motive
2007-08-18 00:06	---------	d--------	C:\Documents and Settings\All Users\Application Data\Motive
2007-08-18 00:05	---------	d--------	C:\Program Files\VZBB Toolbar
2007-08-17 23:58	---------	d--------	C:\Program Files\Common Files\SupportSoft
2007-08-17 23:03	---------	d--------	C:\Documents and Settings\All Users\Application Data\Google
2007-08-07 13:58	8320	--a------	C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56	9344	--a------	C:\WINDOWS\system32\drivers\NSDriver.sys
2005-05-12 06:36	12288	--a------	C:\WINDOWS\Fonts\RandFont.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

---- Directory of C:\Documents and Settings\HP_Administrator\WINDOWS ----

---- Directory of C:\WINDOWS\system32\config\systemprofile\WINDOWS ----

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 20:56]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 23:19 C:\WINDOWS\arpwrmsg.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 19:30]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-10-02 08:13]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 06:35]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 17:41]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 06:12]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-01-23 14:26]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 22:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-10-02 08:13:42]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 06:23:26]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS
R2 tmxpflt;tmxpflt;C:\WINDOWS\system32\DRIVERS\tmxpflt.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba9bfa3e-53e6-11da-9f04-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

.
Contents of the 'Scheduled Tasks' folder
"2007-09-20 08:47:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-09-26 23:00:05 C:\WINDOWS\Tasks\Warranty Reminder 11 Months.job"
- c:\hp\bin\cloaker.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-07 10:07:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-07 10:07:53
C:\ComboFix2.txt ... 2007-10-06 17:36
.
--- E O F ---


----------



## Cookiegal (Aug 27, 2003)

That was the right one. The folders seem to be empty.

This entry intrigues me. Do you recognize it? It was just installed on September 26th.

C:\WINDOWS\system32\drivers\103C_HP_CPC_EL412AA-ABA M7367C_YC_0Pavi_QMXK552_E61NAemMPC2_48_IEMERY_SASUSTek Computer INC._V1.05_B3.17_T060915_WXP2_L409_M1535_J300_7Intel_8Pentium D_93_#070818_N808627DC_Z11C10620_G10027146.MRK


It looks like it has something to do with HP and/or ASUSTek Computer Inc.


----------



## cloner88 (Jul 14, 2007)

I have not installed any hardware other than my printer a year and a half ago. I have also installed security software. I have no idea what this could be! Is there a way to find out?


----------



## Cookiegal (Aug 27, 2003)

Navigate to the file and right-click on it and select properties. See if there is a version tab and if so, who does it belong to?


----------



## cloner88 (Jul 14, 2007)

There was no version tab. On the General tab: MRK file type, opens with unknown application, 1925 bytes, read only, hidden box checked and "grayed".


----------



## Cookiegal (Aug 27, 2003)

Let's upload it for analysis:

Go to the following link and upload that file for analysis and let me know what the results are please:

http://virusscan.jotti.org/

http://www.virustotal.com/flash/index_en.html


----------



## cloner88 (Jul 14, 2007)

Hello Cookiegal. The reports are shown below. Can this driver be associated with my DSL connection?

Service
Service load: 
0% 100%
File: 103C_HP_CPC_EL412AA-ABA_M7367C_YC_0Pavi_QMXK552_E61NAemMPC2_48_IEMERY_SASUSTek_Computer_INC._V1.05_B3.17_T060915_WXP2_L409_M1535_J300_7Intel_8Pentium_D_93_#070818_N808627DC_Z11C10620_G10027146.MRK
Status: 
OK(Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 847fb14b80313f9780d853fa07067207
Packers detected: 
-
Bit9 reports: File not found
Scanner results
Scan taken on 06 Oct 2007 20:07:29 (GMT)
A-Squared 
Found nothing
AntiVir 
Found nothing
ArcaVir 
Found nothing
Avast 
Found nothing
AVG Antivirus 
Found nothing
BitDefender 
Found nothing
ClamAV 
Found nothing
CPsecure 
Found nothing
Dr.Web 
Found nothing
F-Prot Antivirus 
Found nothing
F-Secure Anti-Virus 
Found nothing
Fortinet 
Found nothing
Kaspersky Anti-Virus 
Found nothing
NOD32 
Found nothing
Norman Virus Control 
Found nothing
Panda Antivirus 
Found nothing
Rising Antivirus 
Found nothing
Sophos Antivirus 
Found nothing
VirusBuster 
Found nothing
VBA32 
Found nothing

File 103C_HP_CPC_EL412AA-ABA_M7367C_YC received on 10.06.2007 22:11:55 (CET)
Result: 0/32 (0%)
Antivirus Version Last Update Result
AhnLab-V3	2007.10.6.0	2007.10.05	-
AntiVir	7.6.0.20	2007.10.05	-
Authentium	4.93.8	2007.10.05	-
Avast	4.7.1051.0	2007.10.06	-
AVG	7.5.0.488	2007.10.06	-
BitDefender	7.2	2007.10.06	-
CAT-QuickHeal	9.00	2007.10.06	-
ClamAV	0.91.2	2007.10.06	-
DrWeb	4.44.0.09170	2007.10.06	-
eSafe	7.0.15.0	2007.10.04	-
eTrust-Vet	31.2.5190	2007.10.06	-
Ewido	4.0	2007.10.06	-
FileAdvisor	1	2007.10.06	-
Fortinet	3.11.0.0	2007.10.06	-
F-Prot	4.3.2.48	2007.10.05	-
F-Secure	6.70.13030.0	2007.10.06	-
Ikarus	T3.1.1.12	2007.10.06	-
Kaspersky	7.0.0.125	2007.10.06	-
McAfee	5135	2007.10.05	-
Microsoft	1.2908	2007.10.06	-
NOD32v2	2575	2007.10.06	-
Norman	5.80.02	2007.10.05	-
Panda	9.0.0.4	2007.10.06	-
Prevx1	V2	2007.10.06	-
Rising	19.43.50.00	2007.10.06	-
Sophos	4.22.0	2007.10.06	-
Sunbelt	2.2.907.0	2007.10.06	-
Symantec	10	2007.10.06	-
TheHacker	6.2.6.078	2007.10.06	-
VBA32	3.12.2.4	2007.10.05	-
VirusBuster	4.3.26:9	2007.10.06	-
Webwasher-Gateway	6.0.1	2007.10.05	-
Additional information
File size: 1925 bytes
MD5: 847fb14b80313f9780d853fa07067207
SHA1: 6da868a5f42dbd09c8e95b68749d4a0639a22b4f


----------



## cloner88 (Jul 14, 2007)

Can malware hide as win32time? I get an error when I click update button.

Event Type:	Error
Event Source:	W32Time
Event Category:	None
Event ID:	34
Date: 10/6/2007
Time: 10:42:03 PM
User: N/A
Computer:	INFORMATION
Description:
The time service has detected that the system time needs to be changed by -86402 seconds. The time service will not change the system time by more than -54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com (ntp.m|0x1|192.168.1.47:123->207.46.130.100:123) is working properly.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


----------



## Cookiegal (Aug 27, 2003)

ComboFix changes the time as part of its process but then resets it. Because you had problems running it, it's possible it did not reset. Can you reset it yourself and then sync your time?


----------



## Cookiegal (Aug 27, 2003)

I would also like to have someone take a closer look at this file. It looks out of place to me in the drivers folder with an .mrk file extension.

C:\WINDOWS\system32\drivers\103C_HP_CPC_EL412AA-ABA M7367C_YC_0Pavi_QMXK552_E61NAemMPC2_48_IEMERY_SASUSTek Computer INC._V1.05_B3.17_T060915_WXP2_L409_M1535_J300_7Intel_8Pentium D_93_#070818_N808627DC_Z11C10620_G10027146.MRK

Go to the forum *here* and upload that file please.

Here are the directions for uploading the file:

Just click "New Topic", fill in the needed details and post a link to your thread here. Click the "Browse" button. Navigate to the file on your computer. When the file is listed in the window click "Post" to upload the file.
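The two observations above about that entry (a hidden, system-attributed file with a non-.sys extension sitting in the drivers folder) are exactly the kind of heuristic a responder applies to a ComboFix listing by hand. The following is an added example, not code from the thread or from ComboFix, that parses lines in the "Files Created" / "Find3M Report" layout and flags entries worth a second look. The sample lines are constructed for this example from entries in the log above (the long .MRK name is shortened), and the three rules are assumptions of this example: every hit means "review this", never "this is malicious", as the later analysis of the .MRK file shows.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Constructed sample lines in the layout ComboFix uses for its "Files Created"
# and "Find3M Report" sections (fields are tab-separated; directory lines in the
# first section carry no size column).  Built for this example from entries in
# the log above; the .MRK file name is shortened.
SAMPLE_LINES = [
    "2007-10-05 12:23\t262,144\t--a------\tC:\\WINDOWS\\system32\\default_user_class.dat",
    "2007-10-05 12:22 d--------\tC:\\Program Files\\UPHClean",
    "2007-09-29 11:34\t75,088\t--a------\tC:\\WINDOWS\\system32\\drivers\\tmtdi.sys",
    "2007-09-29 11:22\t1,521,464\t--a------\tC:\\WINDOWS\\WRSetup.dll",
    "2007-09-26 16:00\t1925\t-rahs----\tC:\\WINDOWS\\system32\\drivers\\103C_HP_CPC_EL412AA-ABA M7367C.MRK",
    "2007-08-18 03:33\t14317\t--a------\tC:\\WINDOWS\\system32\\CHODDI.SYS",
    "2007-08-18 03:29\t---------\td--h-----\tC:\\Program Files\\InstallShield Installation Information",
    ".",  # section separator, ignored by the parser
]

# timestamp, optional size (or a run of dashes for directories), the 9-character
# attribute string (d r a h s + four unused positions), then the path, which may
# contain spaces.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?:([\d,]+|-+)\s+)?"
    r"([d-][r-][a-][h-][s-]----)\s+"
    r"(.+)$"
)


@dataclass
class Entry:
    timestamp: datetime
    size: Optional[int]   # None for directories
    attrs: str            # e.g. "-rahs----": r=read-only a=archive h=hidden s=system
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def extension(self) -> str:
        name = self.path.rsplit("\\", 1)[-1]
        return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def parse_line(line: str) -> Optional[Entry]:
    """Parse one ComboFix listing line; return None for separators and headers."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    ts, size, attrs, path = m.groups()
    size_val = int(size.replace(",", "")) if size and size[0].isdigit() else None
    return Entry(datetime.strptime(ts, "%Y-%m-%d %H:%M"), size_val, attrs, path)


@dataclass
class Finding:
    path: str
    reasons: List[str] = field(default_factory=list)


def triage(lines) -> List[Finding]:
    """Apply the review heuristics (assumed for this example) to every file entry."""
    findings = []
    for line in lines:
        e = parse_line(line)
        if e is None or e.is_dir:
            continue
        low = e.path.lower()
        in_drivers = "\\system32\\drivers\\" in low
        reasons = []
        if in_drivers and e.extension != "sys":
            reasons.append("non-driver extension in drivers directory")
        if e.attrs[3] == "h" or e.attrs[4] == "s":
            reasons.append("hidden/system attribute on a loose file")
        if e.extension == "sys" and "\\system32\\" in low and not in_drivers:
            reasons.append(".sys file outside the drivers directory")
        if reasons:
            findings.append(Finding(e.path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f.path)
        for r in f.reasons:
            print("   -", r)
```

On the constructed sample this reports the .MRK file twice (wrong extension for the folder, hidden+system attributes) and CHODDI.SYS once (a .sys outside the drivers folder); both are review prompts, and the .MRK file turns out to be benign HP inventory data later in the thread. Real logs can be fed in with `triage(open("ComboFix.txt").read().splitlines())`.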


----------



## cloner88 (Jul 14, 2007)

Hello Cookiegal, I have followed your last directions. I noticed that RTHDCPL.EXE is 14.5 Mb in the default location C:\ However, two more copies exist: one 14.5 Mb in a C:\hp\audio_HD_realtek folder and another that is 15.6 Mb in a C:\Program File\Realtek\InstallShield folder. I checked due to loading behavior change following the last Combofix run.


----------



## Cookiegal (Aug 27, 2003)

Download FindAWF.exe from *here* or *here* and save it to your desktop.

Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with the following Menu.
1. Press 1 then Enter to scan for bak folders
2. Press 2 then Enter to restore files from bak folders
3. Press 3 then Enter to remove bak folders
4. Press 4 then Enter to reset domain zones
5. Press E then Enter to EXIT
*Select option 1*, then press Enter
It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in Notepad called AWF.txt.
Please copy and paste the contents of the AWF.txt file in your next reply.


----------



## cloner88 (Jul 14, 2007)

Here is the log that you requested:


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Sun 10/07/2007 
The current time is: 19:44:45.48


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report


----------



## Cookiegal (Aug 27, 2003)

Go to *Start *- *Run *and type in *sigverif *and click OK. Click "Start" to start the scan.

Click on Advanced and select "Look for other files that are not digitally signed". Under search options select "Scan this file type" then choose "exe". Under "Look in this folder" click on "browse" and select "C" and put a check mark in the box beside "Include subfolders" and click OK. Click "Start" to start the scan.

The scan drops a log into *C:\WINDOWS\SIGVERIF.TXT*. Please post that log here.


----------



## cloner88 (Jul 14, 2007)

Hello Cookiegal. Here is the log that you requested. Since it was both larger than 30000 characters and 500 Kb, it had to be split into two parts and submitted as attachments. part_1_sigverif.txt ends with the line: [c:\windows\microsoft.net\framework\v1.0.3705]. part_2_sigverif.txt begins with a repeat of the same line.


----------



## Cookiegal (Aug 27, 2003)

Go to the following link and upload each of the following files for analysis and let me know what the results are please:

http://virusscan.jotti.org/

C:\Program File\Realtek\InstallShield\RTHDCPL.EXE


----------



## cloner88 (Jul 14, 2007)

Hello Cookiegal, I tried to follow this direction. However, there is a 10Mb limit on file submission and my uploaded file was 15.6 Mb. Cloner88


----------



## Cookiegal (Aug 27, 2003)

Try this one.

http://www.virustotal.com/flash/index_en.html


----------



## cloner88 (Jul 14, 2007)

Hello Cookiegal. The virustotal site returned a message that the file was too large.


----------



## Cookiegal (Aug 27, 2003)

Please search again for *RTHDCPL.EXE *and list all instances found - their exact size - and the date they were created please.

There should not be one in the C:\ root.

Be sure all files/folders are unhidden before searching:

Click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders".
Click "Apply" then "OK".

Go to Start > Search - All Files and Folders and under "More advanced search options". 
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"


----------



## cloner88 (Jul 14, 2007)

Hello Cookiegal. Here is the information that you requested:

C:\WINDOWS\RTHDCPL.EXE 14,516 Kb 10/15/2005

C:\WINDOWS\Prefetch\RTHDCPL.EXE-005A5E31.pf 42 Kb 10/9/2007

C:\hp\drivers\audio_HD_realtek\RTHDCPL.exe 14,516 Kb 10/15/2005

C:\Program Files\Realtek\InstallShield\RTHDCPL.exe 15,635 Kb 3/8/2006

C:\Documents and Settings\All Users\Application Data\SecTaskMan\_RTHDCPL9924CF4 1,369 Kb 8/26/2007
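The listing above compares copies by size and date, and the two posts before it show the other limit of this approach: a 15.6 Mb binary is too large for the online scanners. Hashing the copies locally answers both questions at once: identical copies collapse to one digest, and the MD5/SHA1 values (the same fields the scan reports earlier in the thread print) can be looked up on a scanning service without uploading the file. The following is an added example, not code from the thread; it builds a constructed stand-in directory tree (two byte-identical copies and one different build, mirroring the three RTHDCPL.exe locations listed) because the real files are not available here.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# MD5 and SHA1 are what the scan reports above list; SHA-256 is what you would
# prefer for your own records.
ALGORITHMS = ("md5", "sha1", "sha256")


def digest_file(path, algorithms=ALGORITHMS, chunk=1 << 20) -> Dict[str, str]:
    """Hash one file with several algorithms in a single streamed pass (large binaries fit)."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_sample_tree(root: Path) -> List[Path]:
    """Constructed stand-in for the three copies listed above (not real driver files):
    the OEM staging copy and the installed copy are byte-identical, the
    InstallShield copy is a different (larger) build."""
    build_2005 = b"MZ" + b"RTHDCPL build 2005-10-15 " * 4096
    build_2006 = b"MZ" + b"RTHDCPL build 2006-03-08 " * 4400
    layout = {
        Path("WINDOWS") / "RTHDCPL.exe": build_2005,
        Path("hp") / "drivers" / "audio_HD_realtek" / "RTHDCPL.exe": build_2005,
        Path("Program Files") / "Realtek" / "InstallShield" / "RTHDCPL.exe": build_2006,
    }
    paths = []
    for rel, data in layout.items():
        full = root / rel
        full.parent.mkdir(parents=True, exist_ok=True)
        full.write_bytes(data)
        paths.append(full)
    return paths


def group_copies(records: List[Dict]) -> Dict[str, List[str]]:
    """Group file records by SHA-256 so identical copies are treated as one binary."""
    groups: Dict[str, List[str]] = {}
    for r in records:
        groups.setdefault(r["sha256"], []).append(r["path"])
    return groups


def demo() -> List[Dict]:
    """Run the whole flow on the constructed tree; one record per file, sorted by path."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        records = []
        for p in build_sample_tree(root):
            rec = {"path": str(p.relative_to(root)), "size": p.stat().st_size}
            rec.update(digest_file(p))
            records.append(rec)
        return sorted(records, key=lambda r: r["path"])


if __name__ == "__main__":
    recs = demo()
    for r in recs:
        print(f'{r["size"]:>8}  md5={r["md5"]}  sha1={r["sha1"]}  {r["path"]}')
    for digest, paths in group_copies(recs).items():
        print(f"sha256 {digest[:16]}... shared by {len(paths)} file(s): {', '.join(paths)}")
```

Against a real machine, replace `build_sample_tree` with the paths from a search like the one above; a hash that several scanners already know is a far stronger identity check than matching sizes and dates, and it avoids the upload limit entirely.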


----------



## cloner88 (Jul 14, 2007)

Below are the contents of the text found in C:\RHDSetup.log

[ResponseResult]
ResultCode=0
[Install Progress]
Check Operation System Version 
Realtek HD Audio Driver WDM Directory Exist 
Copy Realtek HD Audio Driver from WDM Directory
Execute RTHDCPL.exe -Q to Stop it from C:Windows
Install Realtek HD Audio Audio Driver 
Copy Audio Driver to each correct position from Driver Directory


----------



## Cookiegal (Aug 27, 2003)

I'm not 100% sure about this one and it's not signed but I can't be sure at this point that there's anything wrong with it.

C:\Program Files\Realtek\InstallShield\RTHDCPL.exe

I'm thinking more along the lines of the problem described in this MS article. Does any of this sound familiar to you?

http://support.microsoft.com/kb/935448

Open HijackThis and click on "Config" and then on the "Misc Tools" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.


----------



## cloner88 (Jul 14, 2007)

Hello Cookiegal. I originally had that problem and was getting an error message concerning the DLL. However, I have not seen this message since applying the MS patch for it. I do not know why since I have not turned the security patches back on. Here is the uninstall information that you requested (note Realtek High Definition Audio Driver [4.13 Mb] in this list has a different icon than that found by search function and displayed on the toolbar):

5 Card Slingo from HP Media Center (remove only)
Ad-Aware 2007
Adobe Reader 7.0
Agere Systems PCI-SV92PP Soft Modem
AstroPop Deluxe from HP Media Center (remove only)
ATI Catalyst Control Center
ATI Display Driver
AVG Anti-Spyware 7.5
Barnyard Invasion from HP Media Center (remove only)
Bejeweled 2 Deluxe from HP Media Center (remove only)
Blackhawk Striker 2 from HP Media Center (remove only)
Blasterball 2 from HP Media Center (remove only)
Blasterball 2 Remix from HP Media Center (remove only)
Boggle Supreme from HP Media Center (remove only)
Bookworm Deluxe from HP Media Center (remove only)
Bounce Symphony from HP Media Center (remove only)
Chuzzle Deluxe from HP Media Center (remove only)
Crystal Maze from HP Media Center (remove only)
Customer Experience Enhancement
Family Feud
FATE from HP Media Center (remove only)
GemMaster Mystic
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
HP Boot Optimizer
HP Deskjet Printer Preload
HP DigitalMedia Archive
HP Document Viewer 5.3
HP Game Console and games
HP Image Zone 5.3
HP Image Zone for Media Center PC
HP Imaging Device Functions 5.3
HP Multimedia Keyboard Software
HP Photosmart 330,380,420,470,7800,8000,8200 Series
HP Photosmart Cameras 5.0
HP PSC & OfficeJet 5.3.A
HP PSC & OfficeJet 5.3.B
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
Insaniquarium Deluxe from HP Media Center (remove only)
Intel Matrix Storage Manager
Intel(R) PRO Network Connections Drivers
InterVideo WinDVD Player
J2SE Runtime Environment 5.0 Update 5
Kaspersky Online Scanner
Lemonade Tycoon 2 from HP Media Center (remove only)
Lexibox Deluxe from HP Media Center (remove only)
Mah Jong Quest from HP Media Center (remove only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft Money 2005
Microsoft Office 2003 Edition 60 Days Trial Welcome Tour
Microsoft Office Standard Edition 2003
Microsoft Works
muvee autoProducer 4.5
muvee autoProducer unPlugged 1.2
Netscape Browser (remove only)
Otto
Panda ActiveScan
PC-Doctor 5 for Windows
Polar Bowler from HP Media Center (remove only)
Polar Golfer from HP Media Center (remove only)
Puzzle Express from HP Media Center (remove only)
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
Quicken 2006
RealPlayer
Realtek High Definition Audio Driver
Remove IntelliMover Demo
Ricochet Lost Worlds from HP Media Center (remove only)
SCRABBLE from HP Media Center (remove only)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Shooting Stars Pool from HP Media Center (remove only)
Shrek 2 Ogre Bowler from HP Media Center (remove only)
Slingo Deluxe from HP Media Center (remove only)
Snowboard SuperJam from HP Media Center (remove only)
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Spy Sweeper
Super Granny from HP Media Center (remove only)
Tradewinds from HP Media Center (remove only)
Trend Micro PC-cillin Internet Security 2007
Trend Micro PC-cillin Internet Security 2007
Updates from HP (remove only)
User Profile Hive Cleanup Service
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892050
Windows XP Hotfix - KB893066
Windows XP Media Center Edition 2005 KB908250
Zuma Deluxe from HP Media Center (remove only)


----------



## Cookiegal (Aug 27, 2003)

I'm going to ask some others about this as I'm not sure why there is a difference in size for that particular file.

In the meantime, you can do this.

Your *Java* is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of *Java* components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install on those systems.

*Upgrading Java*: 

Download the latest version of *Java Runtime Environment (JRE) 6 Update 3*.
Scroll down to where it says "*The Java SE Runtime Environment (JRE) allows end-users to run Java applications.*".
Click the "*Download*" button to the right.
Check the box that says: "*Accept License Agreement*".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to *Start* - *Control Panel*, double-click on *Add/Remove *programs and remove all older versions of Java.
Check any item with Java Runtime Environment *(JRE or J2SE)* in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.


----------



## cloner88 (Jul 14, 2007)

Hello Cookiegal. I had jre 6 update 2 installed but when computer forces me into system restore it turns it off and uses jre 5. I have removed jre5 and jre6 update 2 and installed jre 6 update 3.


----------



## Cookiegal (Aug 27, 2003)

I consulted another moderator and he confirmed that it's normal for that file to be larger than the others because of updates.

Can you give me a summary of what problems remain please?


----------



## cloner88 (Jul 14, 2007)

Hello Cookiegal. At present I do not want to upload the 81 windows security updates. My computer appears to upload and install them. However, in doing so, internet explorer 6 changes to internet explorer 7. The windows update site then installs KB933256 (cumulative security update for IE7) and asks that a reboot be performed. This is where the cycling of the boot begins. I never reach the desktop. To stop this I have tried to press F8 (safe mode and other options) and make any choice - the computer just recycles the boot. To stop this I can only press F10 (system restore). Yet I cannot choose a system restore point (such as was set by the Combofix program). I am literally forced to use the "hidden" system restore volume. As previously stated, on 8/18/2007 I did a hard disk reformat with the recovery CDs, yet the computer still loaded the system restore volume! I still believe that there is malicious code that is preventing the security patches from being operational. Cloner88


----------



## Cookiegal (Aug 27, 2003)

When installing updates, you aren't forced to upgrade to IE7. You can deselect that one.

We've done several scans for various types of malware and nothing has been found. In my opinion, there is corruption in your operating system that is giving you problems. At this point, I think it might be best to back up your important data and do a complete wipe and reformat.


----------



## cloner88 (Jul 14, 2007)

Hello Cookiegal, thank you for your continued assistance. I will do a complete wipe and reformat with the recovery CDs, upload the security updates and report back the results.
Cloner88


----------



## Cookiegal (Aug 27, 2003)

Yes, please do let us know how it goes.


----------



## cloner88 (Jul 14, 2007)

Hello Cookiegal. I decided to not reformat the computer, so here is what I did:

I removed any folder that was associated with IE7.

I did a Google search by typing in the phrase "can not install windows update". This gave me this site:

http://support.microsoft.com/kb/822798

I could not do Method 1 because the Edb.log file was in use. Therefore I followed Method 2 (set the cryptographic services to automatic), Method 3 (rename the catroot2 folder), and Method 4 (reregister DLL files that are associated with cryptographic services). I then turned on the automatic update service and all of the files were successfully installed; cumulative security updates for IE6 were installed and I was not prompted to install IE7. When I rebooted there was no recycling of the boot! However, as a precaution, I will wait a week before marking this thread as closed (the program RTHDCPL.exe still loads extremely slowly [approximately 5 min]). Cloner88
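For anyone reproducing the KB822798 repair that cloner88 describes (Methods 2 to 4), here is the same sequence written out as a cmd batch file. This is an added example, not from the original post or from Microsoft. It assumes an Administrator cmd prompt on Windows XP and that %systemroot% points at the Windows directory; the DLL list in the last step is the one the article gave for XP and should be checked against the article before use.

```batch
@echo off
rem Repair of the Windows Update signature-verification path on Windows XP,
rem following Microsoft KB822798 Methods 2-4. Added example, not from the
rem original post. Run from an Administrator cmd prompt.

rem Method 2: make sure Cryptographic Services starts automatically.
rem (The space after "start=" is required by sc's argument parser.)
sc config cryptsvc start= auto
if errorlevel 1 echo WARNING: could not change the cryptsvc start type.

rem Method 3: rename catroot2 so Windows rebuilds its catalog database.
rem Stop the service first so the files inside are not locked.
rem Rename ONLY catroot2 -- KB822798 says never to rename catroot.
net stop cryptsvc
if exist "%systemroot%\system32\catroot2" (
    ren "%systemroot%\system32\catroot2" oldcatroot2
    if errorlevel 1 echo WARNING: rename failed; something in catroot2 is still in use.
)
net start cryptsvc

rem Method 4: re-register the DLLs behind Authenticode/catalog checking and
rem the cryptographic service providers. /s suppresses the per-DLL dialog.
rem DLL list as given by KB822798 for XP (assumption: verify against the article).
for %%d in (softpub.dll wintrust.dll initpki.dll dssenh.dll rsaenh.dll gpkcsp.dll sccbase.dll slbcsp.dll cryptdlg.dll) do (
    regsvr32 /s %%d
    if errorlevel 1 echo WARNING: regsvr32 failed for %%d
)

rem Check: the service should report STATE RUNNING and START_TYPE AUTO_START.
sc query cryptsvc | find "STATE"
sc qc cryptsvc | find "START_TYPE"
```

The reason this sequence unblocks failing KB installs is that Windows Update verifies each package's Authenticode signature through Cryptographic Services, using the catalog database kept under catroot2; if that service is disabled or its database is corrupt, the verification fails and the update is rejected even though the download succeeded. Renaming catroot2 forces a clean rebuild rather than deleting anything, so the old folder can be removed later once updates are confirmed working.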


----------



## dvk01 (Dec 14, 2002)

Cookiegal said:


> I would also like to have someone take a closer look at this file. It looks out of place to me in the drivers folder with an .mrk file extension.
> 
> C:\WINDOWS\system32\drivers\103C_HP_CPC_EL412AA-ABA M7367C_YC_0Pavi_QMXK552_E61NAemMPC2_48_IEMERY_SASUSTek Computer INC._V1.05_B3.17_T060915_WXP2_L409_M1535_J300_7Intel_8Pentium D_93_#070818_N808627DC_Z11C10620_G10027146.MRK
> 
> ...


That is harmless & is just a rundown on the computer hardware and contains this 


> CONSTANT,OCA_MRK,FORMAT_REVISION,48
> WMI,Win32_ComputerSystemProduct,Vendor,HP Pavilion 061
> WMI,Win32_ComputerSystemProduct,Name,EL412AA-ABA M7367C
> WMI,Win32_SystemEnclosure,ChassisTypes,3
> ...


----------



## Cookiegal (Aug 27, 2003)

dvk01 said:


> That is harmless & is just a rundown on the computer hardware and contains this


Thanks Derek. :up:


----------



## Cookiegal (Aug 27, 2003)

cloner88 said:


> Hello Cookiegal. I decided to not reformat the computer, so here is what I did:
> 
> I removed any folder that was associated with IE7.
> 
> ...


That's good. Would you please post a new HijackThis log. Also, don't forget to replace your Java now with the current version.


----------

