Solved Need help with a XP Antivirus infection

[Resolved] Need help with a XP Antivirus infection

I'm trying to help a friend with his sick PC. When I got it, there were pop-ups from XP Antivirus all the time, during boot, when just sitting at the desktop, etc. I've installed SuperAntispyware, Spybot, Malwarebytes, updated and scanned with all 3. They all removed a lot of malware. I've also scanned with his Symantec Antivirus and it removed some more. This machine is far from clean I suspect, although the last boot was the cleanest so far, with no pop-ups. I'm including the DDS logs for someone to have a look;

DDS (Ver_09-12-01.01) - NTFSx86
Run by HP_Administrator at 15:36:38.56 on Thu 03/04/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.452 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\hede0ir2m.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winamp.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\taskmgr.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\spoolsv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\user.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\hede0ir2m.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\spoolsv.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Autobahn\autobahn.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: {a3ba40a2-74f0-42bd-f434-00b15a2c8953} - c:\windows\system32\twvntnhy.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
uRun: [Aim6]
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Remote System Protection] rundll32.exe c:\windows\system32\twvntnhy.dll, HUI_proc
uRun: [uishf9wuifwuh387fh3wufinhjfdwefe] c:\docume~1\hp_adm~1\locals~1\temp\hede0ir2m.exe
uRun: [asg984jgkfmgasi8ug98jgkfgfb] c:\docume~1\hp_adm~1\locals~1\temp\services.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe "
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe "
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [<NO NAME>]
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe "
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRunOnce: [SpybotDeletingA5231] command.com /c del "c:\documents and settings\hp_administrator\local settings\temp\taskmgr.exe_old "
mRunOnce: [SpybotDeletingC6601] cmd.exe /c del "c:\documents and settings\hp_administrator\local settings\temp\taskmgr.exe_old "
mRunOnce: [SpybotDeletingA8144] command.com /c del "c:\documents and settings\hp_administrator\local settings\temp\services.exe_old "
mRunOnce: [SpybotDeletingC5765] cmd.exe /c del "c:\documents and settings\hp_administrator\local settings\temp\services.exe_old "
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\autobahn.lnk - c:\documents and settings\hp_administrator\local settings\application data\autobahn\autobahn.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/activegs.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: 7whfiudhf8s7f3oifhif7syfdhsof: {a3ba40a2-74f0-42bd-f434-00b15a2c8953} - c:\windows\system32\twvntnhy.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli sagujele.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-6-2 185968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-6-2 161392]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-10-9 38144]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-6-23 1715904]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-25 24652]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100304.005\naveng.sys [2010-3-4 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100304.005\navex15.sys [2010-3-4 1324720]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-6-2 83568]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-12-28 287232]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-6-23 124608]

=============== Created Last 30 ================

2010-03-04 17:28:09 20000 ----a-w- c:\windows\system32\twvntnhy.dll
2010-03-04 03:00:34 46 ----a-w- c:\windows\system32\p2hhr.bat
2010-03-04 01:31:14 0 d-----w- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
2010-03-04 01:31:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-04 01:31:09 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-04 01:31:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-04 01:31:08 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-04 01:30:31 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-03-04 01:30:31 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-03-04 01:29:52 0 d-----w- c:\program files\SpywareBlaster
2010-03-04 01:01:29 0 d-----w- C:\tmp
2010-02-19 22:35:21 120 ----a-w- c:\windows\Hpapuligejopevo.dat
2010-02-19 22:35:21 0 ----a-w- c:\windows\Uqebo.bin

==================== Find3M ====================

2010-02-09 13:52:23 51336 -c--a-w- c:\docume~1\hp_adm~1\applic~1\GDIPFONTCACHEV1.DAT
2010-02-01 02:17:46 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-25 16:04:04 3484 ----a-w- c:\windows\system32\tmp.reg
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-16 18:43:27 343040 ------w- c:\windows\system32\mspaint.exe
2009-12-16 18:43:27 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08:23 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-14 07:08:23 33280 ------w- c:\windows\system32\csrsrv.dll
2009-12-11 08:38:55 69120 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-12-08 19:27:51 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-08 09:23:28 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2007-12-28 19:02:12 287232 -c--a-w- c:\windows\inf\wg111v3\wg111v3.sys
2007-12-28 18:59:30 342528 ----a-w- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-11-27 21:53:58 63488 ----a-w- c:\windows\inf\wg111v3\SetDrv64.exe
2007-11-27 21:52:44 32768 ----a-w- c:\windows\inf\wg111v3\SetDrv.exe
2006-12-15 15:30:36 98304 ----a-w- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 15:30:36 315392 ----a-w- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 15:30:36 212992 ----a-w- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 15:30:36 20480 ----a-w- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 15:30:36 19968 ----a-w- c:\windows\inf\wg111v3\RTWREFU.EXE

============= FINISH: 15:37:17.03 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 1/6/2007 1:32:17 PM
System Uptime: 3/4/2010 12:26:32 PM (3 hours ago)

Motherboard: ASUSTek Computer INC. | | LEUCITE3
Processor: Intel(R) Pentium(R) D CPU 3.00GHz | Socket 775 | 3000/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 224 GiB total, 195.473 GiB free.
D: is FIXED (FAT32) - 9 GiB total, 0.425 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
J: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Reader 7.1.0
Adobe Shockwave Player 11.5
AIM 6
Apple Mobile Device Support
Apple Software Update
Autobahn
AutoUpdate
Bonjour
CCScore
Comcast Universal Installer v1.2
Critical Update for Windows Media Player 11 (KB959772)
CustomerResearchQFolder
D1300
D1300_Help
Data Fax SoftModem with SmartCP
Desktop Doctor
DivX
Enhanced Multimedia Keyboard Solution
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
eSupportQFolder
fflink
GemMaster Mystic
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 10 (KB910393)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Boot Optimizer
HP Customer Participation Program 7.0
HP DigitalMedia Archive
HP DVD Play 2.1
HP Photosmart and Deskjet 7.0 Software
HP Product Assistant
HP Solution Center 7.0
HP Update
HP Web Helper
hph_ProductContext
hph_readme
hph_software
hph_software_req
HPProductAssistant
HpSdpAppCoreApp
Intel(R) Graphics Media Accelerator Driver
Intel(R) Matrix Storage Manager
Intel(R) Network Connections Drivers
Intel(R) Quick Resume Technology Drivers
Intel® Viivâ„¢ Software
iTunes
Java Auto Updater
Java(TM) 6 Update 18
kgcbaby
kgcbase
kgchday
kgchlwn
kgcinvt
kgckids
kgcmove
kgcvday
KODAK EASYSHARE Gallery Upload ActiveX Control
LightScribe 1.4.113.1
LiveUpdate 2.6 (Symantec Corporation)
Malwarebytes' Anti-Malware
Maple
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Live Add-in 1.4
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
MobileMe Control Panel
Move Networks Media Player for Internet Explorer
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
muvee autoProducer 5.0
muvee autoProducer unPlugged 2.0
netbrdg
NETGEAR WG111v3 wireless USB 2.0 adapter
NLOP
OfotoXMI
Otto
PC-Doctor 5 for Windows
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
QuickTime
Realtek High Definition Audio Driver
Registry Mechanic 8.0
Safari
Sandlot Games Client Services
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
SHASTA
skin0001
SKINXSDK
SolutionCenter
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Spybot - Search & Destroy
SpywareBlaster 4.2
staticcr
SUPERAntiSpyware Free Edition
Symantec AntiVirus
tooltips
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB978506)
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
Updates from HP (remove only)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
VPRINTOL
WebFldrs XP
WebReg
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live ID Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WIRELESS

==== Event Viewer Messages From Past Week ========

3/3/2010 7:06:45 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD eeCtrl Fips ftsata2 intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL SAVRT SAVRTPEL SYMTDI Tcpip
3/3/2010 7:06:45 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
3/3/2010 7:06:45 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/3/2010 7:06:45 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/3/2010 7:06:45 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
3/3/2010 7:06:45 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/3/2010 7:06:45 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/3/2010 7:00:10 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments " " in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
3/3/2010 6:59:53 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
3/3/2010 6:59:43 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments " " in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
3/3/2010 5:44:20 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments " " in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
3/3/2010 5:42:00 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ftsata2
3/3/2010 5:41:57 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
3/3/2010 5:40:50 PM, error: SRService [104] - The System Restore initialization process failed.
3/3/2010 10:00:36 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ftsata2 IntelIde ViaIde
3/2/2010 8:58:38 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
2/25/2010 9:28:23 AM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 00223FE0CED4. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

==== End Of File ===========================

 

Please download ComboFix by sUBs from HERE or HERE

• You must download it to and run it from your Desktop
• Physically disconnect from the internet.
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts.
• When finished, it will produce a log. Please save that log to post in your next reply.
• Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

===========


Download HijackThis Executable from here. Save it to your desktop.
Start HJT & press the "Do a system scan and save a log file" button. When the scan is finished a window will pop up giving you the option of where to save it. Save it to desktop where it is easy to access. Open the log file and then go to the format Tab and make sure that wordwrap is unchecked. Copy the entire contents of the file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.

 

Here are the requested logs;

ComboFix 10-03-04.02 - HP_Administrator 03/04/2010 16:38:13.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.437 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Local Settings\Application Data\{0CEFF1E9-C5A1-44BB-B590-912B0C5037F6}
c:\documents and settings\Administrator\Local Settings\Application Data\{0CEFF1E9-C5A1-44BB-B590-912B0C5037F6}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{0CEFF1E9-C5A1-44BB-B590-912B0C5037F6}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{0CEFF1E9-C5A1-44BB-B590-912B0C5037F6}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{0CEFF1E9-C5A1-44BB-B590-912B0C5037F6}\install.rdf
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\HP_Administrator\Application Data\wiaservg.log
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\7xaxj60.jpg
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\nyAAaa.jpg
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\om51K6.jpg
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\XP4Bb238.jpg
c:\program files\Common Files\Uninstall
c:\recycler\S-1-5-21-527237240-179605362-725345543-500
c:\windows\system32\gmq7usn11.dll
c:\windows\system32\p2hhr.bat
c:\windows\system32\tmp.reg
c:\windows\system32\twvntnhy.dll
c:\windows\system32\wbem\grpconv.exe
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://updates.swarmcast.net
c:\windows\system32\grpconv.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\grpconv.exe

.
((((((((((((((((((((((((( Files Created from 2010-02-04 to 2010-03-04 )))))))))))))))))))))))))))))))
.

2010-03-04 21:44 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2010-03-04 01:50 . 2010-03-04 01:50 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-04 01:31 . 2010-03-04 01:31 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2010-03-04 01:31 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-04 01:31 . 2010-03-04 01:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-04 01:31 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-04 01:31 . 2010-03-04 01:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-04 01:30 . 2010-03-04 03:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-04 01:30 . 2010-03-04 01:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-04 01:29 . 2010-03-04 01:29 -------- d-----w- c:\program files\SpywareBlaster
2010-03-04 01:01 . 2010-03-04 01:02 -------- d-----w- C:\tmp
2010-03-03 23:59 . 2010-03-03 23:59 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-02-19 22:35 . 2010-03-04 02:42 120 ----a-w- c:\windows\Hpapuligejopevo.dat
2010-02-19 22:35 . 2010-03-03 22:41 0 ----a-w- c:\windows\Uqebo.bin
2010-02-19 22:35 . 2010-02-19 22:35 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\{AF0FDC1A-FB22-4D57-88D1-CD62269171F9}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-04 21:49 . 2007-01-09 13:11 -------- d-----w- c:\program files\Symantec AntiVirus
2010-03-04 21:49 . 2009-06-09 17:44 117760 ----a-w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-04 00:44 . 2009-06-26 23:09 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-03 22:59 . 2009-02-03 03:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-03 22:44 . 2007-04-12 01:19 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-27 13:51 . 2009-09-07 18:10 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\NLOP
2010-02-02 01:10 . 2006-11-19 01:00 51336 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-01 02:18 . 2010-02-01 02:18 -------- d-----w- c:\program files\Common Files\Java
2010-02-01 02:18 . 2010-02-01 02:18 348160 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7621fe4d-n\msvcr71.dll
2010-02-01 02:18 . 2010-02-01 02:18 503808 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7621fe4d-n\msvcp71.dll
2010-02-01 02:18 . 2010-02-01 02:18 61440 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3383700c-n\decora-sse.dll
2010-02-01 02:18 . 2010-02-01 02:18 499712 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7621fe4d-n\jmc.dll
2010-02-01 02:18 . 2010-02-01 02:18 12800 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3383700c-n\decora-d3d.dll
2010-02-01 02:17 . 2010-02-01 02:17 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-01 02:17 . 2006-11-19 00:27 -------- d-----w- c:\program files\Java
2010-02-01 01:39 . 2010-02-01 00:57 -------- d-----w- c:\program files\Windows Desktop Search
2010-02-01 00:59 . 2010-02-01 00:59 -------- d-----w- c:\program files\Microsoft
2010-02-01 00:57 . 2010-02-01 00:57 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Windows Desktop Search
2010-02-01 00:04 . 2005-08-30 21:01 92947 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-01 00:04 . 2010-02-01 00:04 208896 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
2010-02-01 00:04 . 2010-02-01 00:04 45056 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2010-02-01 00:04 . 2010-02-01 00:04 61440 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
2010-02-01 00:04 . 2010-02-01 00:04 44032 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2010-02-01 00:04 . 2010-02-01 00:04 40960 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
2010-02-01 00:04 . 2010-02-01 00:04 341048 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection3.dll
2010-02-01 00:04 . 2010-02-01 00:04 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
2010-02-01 00:04 . 2010-02-01 00:04 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
2010-02-01 00:04 . 2010-02-01 00:04 163840 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
2010-01-31 23:34 . 2010-01-31 15:45 -------- dc----w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-31 23:34 . 2007-04-12 01:19 -------- d-----w- c:\program files\Lavasoft
2010-01-31 15:46 . 2010-01-31 15:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-27 13:59 . 2010-01-27 13:56 -------- d-----w- c:\program files\Maple
2010-01-27 13:57 . 2010-01-27 13:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Crystal Office
2010-01-25 20:16 . 2010-01-25 16:04 52224 ----a-w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-25 16:02 . 2010-01-25 14:20 -------- d-----w- c:\program files\AV
2010-01-21 02:36 . 2009-06-16 01:11 -------- d-----w- c:\program files\Microsoft Silverlight
2009-12-31 16:50 . 2004-08-09 21:00 353792 ------w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-09 21:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2004-08-09 21:00 343040 ------w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-09 21:00 33280 ------w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2004-08-10 04:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-10 04:00 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware "= "c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray "= "c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"ftutil2 "= "ftutil2.dll" [2004-06-07 106496]
"igfxhkcmd "= "c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers "= "c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"IAAnotif "= "c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-02-21 143360]
"DMAScheduler "= "c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard "= "c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp "= "c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"HP Software Update "= "c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-09 54840]
"ccApp "= "c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]
"vptray "= "c:\progra~1\SYMANT~1\VPTray.exe" [2005-06-24 85696]
"RTHDCPL "= "RTHDCPL.EXE" [2009-02-03 18085888]
"SunJavaUpdateSched "= "c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-11-18 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-11-18 27136]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
autobahn.lnk - c:\documents and settings\HP_Administrator\Local Settings\Application Data\Autobahn\autobahn.exe [2009-6-2 710360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2008-7-1 2326528]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
"{56F9679E-7826-4C84-81F3-532071A8BCC5} "= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates From HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates From HP.lnk
backup=c:\windows\pss\Updates From HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2008-10-31 19:22 50480 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-05-21 02:01 177472 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
2008-04-24 19:25 202560 ----a-w- c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-07-13 18:03 292128 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
2008-07-08 22:41 2828184 ----a-w- c:\program files\Registry Mechanic\RegMech.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring "=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall "= 0 (0x0)
"DisableNotifications "= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe "=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe "=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
"%windir%\\Network Diagnostic\\xpnetdiag.exe "=
"c:\\Program Files\\AIM6\\aim6.exe "=
"c:\\Program Files\\Messenger\\msmsgs.exe "=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
"c:\\Program Files\\iTunes\\iTunes.exe "=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/15/2009 4:17 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/15/2009 4:17 PM 55024]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/9/2007 12:13 PM 38144]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/25/2007 9:35 AM 24652]
R3 EraserUtilDrvI9;EraserUtilDrvI9;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI9.sys [3/4/2010 3:33 PM 102448]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/15/2009 4:17 PM 7408]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [12/28/2007 2:02 PM 287232]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/23/2005 10:27 PM 124608]
.
Contents of the 'Scheduled Tasks' folder

2010-02-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/activegs.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKCU-Run-Remote System Protection - c:\windows\system32\gmq7usn11.dll
HKLM-Run-PCDrProfiler - (no file)
HKLM-Run-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-04 16:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-831057064-4121144163-1626821522-1007\ 9*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"StartMarker "=" "
"cjp4@mindspring.com "= "0,0,0,0,0,0,0,0,0,0|0,1,0,0,0,0,0,0|0,3,0,0,0,0,0,0|0,2,0,0,0,0,0,0,0| "
"QuickPlayOptions "= "0,0,5 "
"LastScreenName "=" "
"LastSatAtTable "=" "
DUMPHIVE0.003 (REGF)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A3BA40A2-74F0-42BD-F434-00B15A2C8953}\InProcServer32]
@Class= "REG_SZ "
@DACL=(02 0000)
@= "c:\\WINDOWS\\system32\\z0tbqrn.dll "
"ThreadingModel "= "Apartment "

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed "= "1 "

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed "= "1 "
"NoChange "= "1 "

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed "= "1 "
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(796)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2408)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\SearchIndexer.exe
c:\program files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\dllhost.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\eHome\ehmsas.exe
c:\windows\RTHDCPL.EXE
.
**************************************************************************
.
Completion time: 2010-03-04 16:55:49 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-04 21:55

Pre-Run: 210,133,336,064 bytes free
Post-Run: 210,139,348,992 bytes free

- - End Of File - - E1130EAC6815774EFB906E55FEA44C4C


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:56:32 PM, on 3/4/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Autobahn\autobahn.exe
C:\WINDOWS\explorer.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe
c:\windows\system\hpsysdrv.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe "
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe "
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: autobahn.lnk = C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Autobahn\autobahn.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9841 bytes

 

Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

==

How are things now? Logs look ok from here.

 

Things are much, much better than when I first booted this machine (I'm posting with it now). All the pop-ups are gone and it is running much much faster as well.

 

Let's get rid of Combofix now that we are finished with it.

• Click START then RUN
• Now copy/paste the following bolded text into the Run box and click OK:
  
  ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.
  
  
• 

====

Please do an online scan with Kaspersky WebScanner

It's best to disable real time protection applications as they sometimes interfere with the scan.

Check this link for any applicable programs you may have (check under How to Temporarily Disable your Anti-virus).

Click on Accept If your pop "“up blocker blocks any windows from opening.

Click Run on the window that opens.

Windows Vista users you must open the web browser using the Run as Administrator command - accessible from the right-click menu from the browser shortcut.

• The program will launch and then begin downloading the latest definition files.
• When completed, under Scan on the left side, click on My Computer.
• This will start the scan of your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  • Click Report on the left side.
  • Click the Save Report button, and in the Save dialog box, type a name for the scan report file that you want to create and select its type as Text file. Click OK to save the file.
• Copy and paste that information in your next post.

Please post the Kaspersky results.

 

Crunchie,

Here is the Kaspersky scan results;


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, March 7, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, March 07, 2010 11:55:05
Records in database: 3728093
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Objects scanned: 98030
Threats found: 21
Infected objects found: 62
Suspicious objects found: 0
Scan duration: 02:46:09


File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05740000\4FF42A81.VBN Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05740001\4F7DAD3D.VBN Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05740002\4F7DB06A.VBN Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05740003\4F7DB15E.VBN Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05740004.VBN Infected: Trojan.Win32.Vilsel.trp 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05740005.VBN Infected: Trojan.Win32.Vilsel.trp 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05740006.VBN Infected: Trojan.Win32.Vilsel.trp 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05740007.VBN Infected: Trojan.Win32.Vilsel.trp 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05F00000\4DF38294.VBN Infected: Exploit.SWF.Downloader.hm 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06EC0000\4EED9D12.VBN Infected: Exploit.SWF.Downloader.c 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08D00000\4BFAAE59.VBN Infected: Trojan-Downloader.Java.OpenStream.ad 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08D00001\4BFAAE6C.VBN Infected: Trojan-Downloader.Java.OpenStream.ad 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A200000.VBN Infected: Trojan-Dropper.Win32.Mudrop.fhl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A200002.VBN Infected: Trojan-Dropper.Win32.Mudrop.fhl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C100000.VBN Infected: Trojan-Dropper.Win32.Mudrop.fhl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C100001.VBN Infected: Trojan-Dropper.Win32.Mudrop.fhl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C100003.VBN Infected: Trojan-Dropper.Win32.Mudrop.fhl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C880000\4F8C4BDC.VBN Infected: Trojan-Downloader.Win32.Agent.nze 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C880004\4F8C5C9D.VBN Infected: Trojan.Win32.Monder.cyhj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C880005\4F8C5D1A.VBN Infected: Trojan.Win32.Monder.cyhs 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C880006\4F8C6869.VBN Infected: Trojan.Win32.Migotrup.noz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C880009.VBN Infected: Packed.Win32.****.ae 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C88000A.VBN Infected: Trojan-Dropper.Win32.Mudrop.fhl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C88000B.VBN Infected: Trojan-Dropper.Win32.Mudrop.fhl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C88000C.VBN Infected: Trojan-Dropper.Win32.Mudrop.fhl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C88000D.VBN Infected: Trojan-Dropper.Win32.Mudrop.fhl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C88000E.VBN Infected: Trojan-Dropper.Win32.Mudrop.fhl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C88000F.VBN Infected: Trojan-Dropper.Win32.Mudrop.fhl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C880010.VBN Infected: Trojan-Dropper.Win32.Mudrop.fhl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D480000.VBN Infected: Packed.Win32.****.ae 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DA80000.VBN Infected: Trojan.Win32.Cosmu.nle 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DA80001.VBN Infected: Trojan.Win32.Vilsel.uwb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DA80002.VBN Infected: Trojan.Win32.Cosmu.nlf 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DA80003.VBN Infected: Trojan.Win32.Vilsel.trp 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DA80004.VBN Infected: Trojan.Win32.Vilsel.trp 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DA80005.VBN Infected: Trojan.Win32.Vilsel.trp 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E880000.VBN Infected: Trojan.Win32.Vilsel.trp 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E880001.VBN Infected: Trojan.Win32.Vilsel.trp 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E880002.VBN Infected: Trojan.Win32.Vilsel.trp 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0ED00000.VBN Infected: Packed.Win32.****.ae 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EE00000.VBN Infected: Trojan.Win32.Vilsel.trp 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\128C0000.VBN Infected: Packed.Win32.****.ae 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16240000\5FA73081.VBN Infected: Exploit.JS.Pdfka.ayz 2
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\2AF80001.VBN Infected: Trojan-Dropper.Win32.Mudrop.fhl 1
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\22\5c244c96-55523279 Infected: Exploit.OSX.Smid.c 1
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\23\d372ed7-62dec380 Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\34\63206922-72f7d382 Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\44\232f2a6c-7ef5a4fa Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-112cad57 Infected: Exploit.Java.Gimsh.b 1
C:\hp\recovery\wizard\fscommand\AppRecoveryLink_ret.exe Infected: Trojan-Spy.Win32.Agent.beaf 1
C:\hp\recovery\wizard\fscommand\CDLogic_ret.exe Infected: Trojan-Spy.Win32.Agent.bdzz 1
C:\hp\recovery\wizard\fscommand\CreatorLink_ret.exe Infected: Trojan-Spy.Win32.Agent.beaf 1
C:\hp\recovery\wizard\fscommand\RecordnowLink_ret.exe Infected: Trojan-Spy.Win32.Agent.beaf 1
C:\hp\recovery\wizard\fscommand\RestoreLink_ret.exe Infected: Trojan-Spy.Win32.Agent.beaf 1
C:\hp\recovery\wizard\fscommand\RTCDLink_ret.exe Infected: Trojan-Spy.Win32.Agent.beaf 1
C:\hp\recovery\wizard\fscommand\RunLink_ret.exe Infected: Trojan-Spy.Win32.Agent.beaf 1
C:\hp\recovery\wizard\fscommand\SysRecoveryLink_ret.exe Infected: Trojan-Spy.Win32.Agent.beaf 1
C:\hp\recovery\wizard\fscommand\WizardLink_ret.exe Infected: Trojan-Spy.Win32.Agent.beaf 1
C:\WINDOWS\Web\Wallpaper\welcome\AWhelper.dll Infected: not-a-virus:AdWare.Win32.WebHancer.x 1
D:\I386\APPS\APP27717\src\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1
D:\I386\APPS\APP27717\src\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1

Selected area has been scanned.

 

Now you need to clear the Java cache. To clear the Java Plug-in cache:

• Click Start > Control Panel.
  
• Double-click the Java icon in the control panel.
  The Java Control Panel appears.
  
  
• Click Settings under Temporary Internet Files.
  The Temporary Files Settings dialog box appears.
  
  
• Click Delete Files.
  The Delete Temporary Files dialog box appears.

Select the option to;

• Delete Files
  
• Click OK on Delete Temporary Files window.
  Note: This deletes all the Downloaded Applications and Applets from the cache.
  
• Click OK on Temporary Files Settings window.

====

Can you delete this file manually;

C:\WINDOWS\Web\Wallpaper\welcome\AWhelper.dll

==

I am not convinced that the rest is a problem. Looks to be part of the HP recovery console.

 

I deleted the java temp files and removed the one file from the wallpaper directory. The machine seems to be running a lot better. Do you see anything else that needs to be done?

 

Maybe delete the items in the Symantec quarantine folder, but other than that, you should be good to go .

 

Sounds great. Thanks very much for the help, it's much appreciated.

 

No worries .