
Solved Another One...XP Viruses and Admin Rights Revoked

Discussion in 'Malware and Virus Removal Archive' started by jason0902, 2007/12/31.

  1. 2007/12/31
    jason0902

    [Resolved] Another One...XP Viruses and Admin Rights Revoked

    Greetings,

    I noticed that several others have had similar issues. In a nutshell, my computer is running really slow, my admin rights were revoked, control panel removed and a number of virus and spyware items were detected/quarantined by several scanning tools I use (Norton Antivirus Corp Ed v10 and Trend Micro Security Suite 2007).

    Based on the previous posts, I was able to re-enable Control Panel by editing the registry.

    Ran a scan with HijackThis and wanted to post the log to confirm if additional viruses and such were still on the machine (I suspect there are).

    Here's the log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:00:37 AM, on 12/31/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\ISS\Proventia Desktop\blackd.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\Program Files\ISS\Proventia Desktop\RapApp.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\Program Files\ISS\Proventia Desktop\vpatch.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
    C:\WINNT\Explorer.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINNT\SOUNDMAN.EXE
    C:\WINNT\system32\RUNDLL32.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINNT\avp.exe
    C:\WINNT\mgrs.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
    C:\WINNT\lsass.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\ISS\Proventia Desktop\blackice.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Symantec AntiVirus\vpc32.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\wuauclt.exe
    C:\WINNT\system32\rundll32.exe
    C:\Program Files\Web Buying\v1.8.6\wbuninst.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\shell.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {65D96C87-4B7A-4850-B7F5-9C2006918572} - C:\WINNT\system32\ssqpq.dll (file missing)
    O2 - BHO: (no name) - {850A2070-A633-4F24-A5B5-4B17BF4AC6B6} - C:\Program Files\Windows Media Player\menozug4444.dll (file missing)
    O2 - BHO: (no name) - {A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D} - C:\WINNT\system32\byxxwvu.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
    O2 - BHO: (no name) - {E3D9F817-33AA-1828-D828-4BE679F55BE3} - C:\WINNT\system32\phwlkzo.dll (file missing)
    O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\Helper\Helper9.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe "
    O4 - HKLM\..\Run: [runner1] C:\WINNT\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
    O4 - HKLM\..\Run: [avp] C:\WINNT\avp.exe
    O4 - HKLM\..\Run: [smgr] mgrs.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe "
    O4 - HKLM\..\Run: [Printer] C:\WINNT\system32\printer.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [lsass] C:\WINNT\lsass.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Proventia Desktop Agent.lnk = ?
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.amaena.com
    O15 - Trusted Zone: *.avsystemcare.com
    O15 - Trusted Zone: *.gomyhit.com
    O15 - Trusted Zone: *.imageservr.com
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.onerateld.com
    O15 - Trusted Zone: *.safetydownload.com
    O15 - Trusted Zone: *.storageguardsoft.com
    O15 - Trusted Zone: *.trustedantivirus.com
    O15 - Trusted Zone: *.virusschlacht.com
    O15 - Trusted Zone: *.amaena.com (HKLM)
    O15 - Trusted Zone: *.avsystemcare.com (HKLM)
    O15 - Trusted Zone: *.gomyhit.com (HKLM)
    O15 - Trusted Zone: *.imageservr.com (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.onerateld.com (HKLM)
    O15 - Trusted Zone: *.safetydownload.com (HKLM)
    O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
    O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
    O15 - Trusted Zone: *.virusschlacht.com (HKLM)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1196610191405
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1196610974905
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O20 - AppInit_DLLs: C:\WINNT\system32\wowfx.dll
    O20 - Winlogon Notify: byxxwvu - C:\WINNT\SYSTEM32\byxxwvu.dll
    O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\blackd.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
    O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\RapApp.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe
    O24 - Desktop Component 0: (no name) - C:\Program Files\Outlook Express\rtejehdabev.html

    --
    End of file - 9353 bytes
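Editor's note: the log above can be triaged mechanically before anyone reads it line by line. The script below is an added example, not part of jason0902's post and not HijackThis's own analysis; its rules are this editor's heuristics (a Shell= value other than Explorer.exe, a system binary such as lsass.exe started from anywhere but system32, executables sitting directly in the Windows folder, bare names with no path, policy restrictions, Trusted Zone additions, AppInit_DLLs and Winlogon Notify hooks, BHOs with no name or a missing file), and its sample input is a subset of the log lines posted above.

```python
"""Triage a HijackThis log for the loading points that matter.

Added example, not code from the thread or from HijackThis; the rules are
this editor's heuristics.  SAMPLE_LOG is a subset of the first log posted
above, used here as offline test input.
"""
import ntpath
import re

# Binaries that belong only under system32; a copy anywhere else
# (C:\WINNT\lsass.exe in the log above) is a masquerade.
SYSTEM32_ONLY = {"lsass.exe", "svchost.exe", "spoolsv.exe", "wuauclt.exe",
                 "services.exe", "winlogon.exe", "smss.exe", "csrss.exe"}

SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\shell.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {65D96C87-4B7A-4850-B7F5-9C2006918572} - C:\WINNT\system32\ssqpq.dll (file missing)
O2 - BHO: (no name) - {A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D} - C:\WINNT\system32\byxxwvu.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [runner1] C:\WINNT\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [avp] C:\WINNT\avp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [lsass] C:\WINNT\lsass.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O20 - AppInit_DLLs: C:\WINNT\system32\wowfx.dll
O20 - Winlogon Notify: byxxwvu - C:\WINNT\SYSTEM32\byxxwvu.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Outlook Express\rtejehdabev.html
"""

LINE_RE = re.compile(r"^(?P<kind>[FO]\d+) - (?P<body>.*)$")
# A quoted path, a drive-letter path up to its extension, or a bare token.
PATH_RE = re.compile(
    r'^(?:"([^"]+)"|([A-Za-z]:\\.*?\.(?:exe|dll|cpl|scr))(?=[\s,]|$)|(\S+))',
    re.IGNORECASE)


def launched_file(body):
    """Return the file an O4 entry really starts (the DLL, for rundll32)."""
    if "] " in body:
        cmd = body.split("] ", 1)[1].strip()
    elif " = " in body:
        cmd = body.split(" = ", 1)[1].strip()
    else:
        cmd = body.strip()
    m = PATH_RE.match(cmd)
    if not m:
        return cmd
    token = next(g for g in m.groups() if g is not None)
    if ntpath.basename(token).lower() == "rundll32.exe":
        m = PATH_RE.match(cmd[m.end():].strip())
        if m:
            token = next(g for g in m.groups() if g is not None)
    return token


def triage(log_text):
    """Return (rule, detail) findings in log order."""
    findings = []
    for raw in log_text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "F2" and "Shell=" in body:
            shell = body.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append(("shell-hijack", shell))
        elif kind == "O2" and ("(no name)" in body or "(file missing)" in body):
            findings.append(("bho", body.split(" - ")[-1]))
        elif kind == "O4":
            path = launched_file(body)
            base = ntpath.basename(path).lower()
            folder = ntpath.dirname(path).lower()
            if base in SYSTEM32_ONLY and not folder.endswith("\\system32"):
                findings.append(("masquerade", path))
            elif re.fullmatch(r"[a-z]:\\win(?:nt|dows)", folder):
                findings.append(("systemroot-exe", path))
            elif "\\" not in path:
                findings.append(("unqualified", path))
        elif kind == "O7":
            findings.append(("policy", body.split(", ", 1)[-1]))
        elif kind == "O15":
            findings.append(("trusted-zone", body.split(": ", 1)[1]))
        elif kind == "O20":
            findings.append(("injection", body))
        elif kind == "O24":
            findings.append(("desktop-component", body.split(" - ")[-1]))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:<18} {detail}")
```

The `unqualified` rule is deliberately low-confidence: a bare `SOUNDMAN.EXE` is as normal as a bare `mgrs.exe` is not, so that finding is a prompt to locate the file on disk, not a verdict. The other rules are the ones a helper reads the log for first, and on the sample above they leave the NVIDIA, HP, Messenger and Adobe entries alone.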
     
  2. 2007/12/31
    noahdfear

    Welcome to WindowsBBS jason0902 :)

    Your suspicions are correct. Several active infections that I can see. :(

    Download ComboFix by sUBs from here, saving the file to your desktop.

    It's best to physically disconnect your internet at this point (until the tool completes) and disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


    Let me know which, if any, of the sites listed in your trusted zone are legitimate. I'm suspecting they are all rogue additions.
     


  4. 2007/12/31
    jason0902

    Thanks! The trusted zone sites were not added by me so they are indeed rogue additions.

    Here is the ComboFix log:

    ComboFix 07-12-31.4 - Jason B Harleston 2007-12-31 12:49:25.1 - NTFSx86
    Running from: C:\Documents and Settings\Jason B Harleston\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\Common Files\dobe~1
    C:\Program Files\Common Files\dobe~1\netdde .exe
    C:\Program Files\Common Files\dobe~1\netdde.exe
    C:\Program Files\Common Files\racle~1
    C:\Program Files\Common Files\racle~1\wuauclt.exe
    C:\Program Files\folder.js\
    C:\Program Files\Helper
    C:\Program Files\Helper\Helper9.dll
    C:\Program Files\ini.ini\
    C:\Program Files\lsass.exe
    C:\Program Files\Outlook Express\rtejehdabev.html
    C:\Program Files\Ultimate Cleaner
    C:\Program Files\web buying
    C:\Program Files\web buying\v1.8.6\wbuninst.exe
    C:\Program Files\web buying\v1.8.6\webbuying .exe
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\temp\tn3
    C:\WINNT\avp.exe
    C:\WINNT\Casino.ico
    C:\WINNT\Free Online Dating.ico
    C:\WINNT\lsass.exe
    C:\WINNT\mantec~1
    C:\WINNT\mgrs.exe
    C:\WINNT\Spyware Remover.ico
    C:\WINNT\system32\byxxwvu.dll
    C:\WINNT\system32\ddcawwv.dll
    C:\WINNT\system32\drivers\core.cache.dsk
    C:\WINNT\system32\drivers\core.sys
    C:\WINNT\system32\lmllm.ini
    C:\WINNT\system32\lmllm.ini2
    C:\WINNT\system32\pac.txt
    C:\WINNT\system32\qpqss.ini
    C:\WINNT\system32\qpqss.ini2
    C:\WINNT\system32\qrutv.ini
    C:\WINNT\system32\qrutv.ini2
    C:\WINNT\system32\wapiicom.exe
    C:\WINNT\system32\wowfx.dll
    C:\WINNT\system32\z1
    C:\WINNT\system32\z1\aroblcidr31z.exe
    C:\WINNT\wbun.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_CMDSERVICE
    -------\LEGACY_CORE
    -------\LEGACY_NETWORK_MONITOR
    -------\core


    ((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-31 )))))))))))))))))))))))))))))))
    .

    2007-12-31 12:36 . 2000-08-31 08:00 51,200 --a------ C:\WINNT\NirCmd.exe
    2007-12-30 23:56 . 2007-12-30 23:56 0 --a------ C:\WINNT\nsreg.dat
    2007-12-30 13:19 . 2007-12-30 13:19 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-12-30 11:52 . 2006-08-21 04:14 128,896 -----c--- C:\WINNT\system32\dllcache\fltmgr.sys
    2007-12-30 11:52 . 2006-08-21 04:14 23,040 -----c--- C:\WINNT\system32\dllcache\fltmc.exe
    2007-12-30 11:52 . 2006-08-21 07:21 16,896 -----c--- C:\WINNT\system32\dllcache\fltlib.dll
    2007-12-30 11:11 . 2007-11-14 02:26 450,560 -----c--- C:\WINNT\system32\dllcache\jscript.dll
    2007-12-30 10:55 . 2006-06-22 05:47 181,248 -----c--- C:\WINNT\system32\dllcache\rasmans.dll
    2007-12-30 10:53 . 2006-12-14 08:45 981,760 -----c--- C:\WINNT\system32\dllcache\mfc42u.dll
    2007-12-30 10:51 . 2007-05-17 06:28 549,376 -----c--- C:\WINNT\system32\dllcache\oleaut32.dll
    2007-12-30 10:50 . 2007-02-05 15:17 185,344 -----c--- C:\WINNT\system32\dllcache\upnphost.dll
    2007-12-30 10:49 . 2006-04-20 06:51 359,808 -----c--- C:\WINNT\system32\dllcache\tcpip.sys
    2007-12-30 10:44 . 2007-03-08 08:47 1,843,584 -----c--- C:\WINNT\system32\dllcache\win32k.sys
    2007-12-30 10:44 . 2007-03-08 10:36 577,536 -----c--- C:\WINNT\system32\dllcache\user32.dll
    2007-12-30 10:44 . 2007-03-08 10:36 281,600 -----c--- C:\WINNT\system32\dllcache\gdi32.dll
    2007-12-30 10:44 . 2007-03-08 10:36 40,960 -----c--- C:\WINNT\system32\dllcache\mf3216.dll
    2007-12-30 10:42 . 2006-11-27 09:54 539,136 -----c--- C:\WINNT\system32\dllcache\msftedit.dll
    2007-12-30 10:42 . 2006-11-27 09:54 433,152 -----c--- C:\WINNT\system32\dllcache\riched20.dll
    2007-12-30 10:41 . 2007-10-29 17:43 1,287,680 -----c--- C:\WINNT\system32\dllcache\quartz.dll
    2007-12-30 10:39 . 2006-10-12 06:09 256,512 -----c--- C:\WINNT\system32\dllcache\agentsvr.exe
    2007-12-30 10:39 . 2006-10-12 09:02 57,344 -----c--- C:\WINNT\system32\dllcache\agentdpv.dll
    2007-12-30 10:39 . 2006-10-12 09:02 42,496 -----c--- C:\WINNT\system32\dllcache\agentdp2.dll
    2007-12-30 10:37 . 2007-07-09 08:09 584,192 -----c--- C:\WINNT\system32\dllcache\rpcrt4.dll
    2007-12-30 10:37 . 2007-02-09 06:10 574,464 -----c--- C:\WINNT\system32\dllcache\ntfs.sys
    2007-12-30 10:37 . 2006-03-16 19:38 28,672 --a------ C:\WINNT\system32\verclsid.exe
    2007-12-30 10:36 . 2007-04-16 10:52 984,576 -----c--- C:\WINNT\system32\dllcache\kernel32.dll
    2007-12-30 10:35 . 2006-05-05 04:41 453,120 -----c--- C:\WINNT\system32\dllcache\mrxsmb.sys
    2007-12-30 10:35 . 2006-05-05 04:47 174,592 -----c--- C:\WINNT\system32\dllcache\rdbss.sys
    2007-12-29 20:59 . 2007-09-17 14:31 1,126,072 --a------ C:\WINNT\system32\drivers\vsapint.sys
    2007-12-29 20:59 . 2006-12-29 01:53 288,848 --a------ C:\WINNT\system32\drivers\TM_CFW.sys
    2007-12-29 20:59 . 2007-09-17 14:40 202,768 --a------ C:\WINNT\system32\drivers\tmxpflt.sys
    2007-12-29 20:59 . 2006-12-29 01:53 111,888 --a------ C:\WINNT\system32\drivers\tm_mbd_c.sys
    2007-12-29 20:59 . 2006-12-29 01:53 75,088 --a------ C:\WINNT\system32\drivers\tmtdi.sys
    2007-12-29 20:59 . 2007-09-17 14:40 35,856 --a------ C:\WINNT\system32\drivers\tmpreflt.sys
    2007-12-29 20:58 . 2007-12-29 21:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
    2007-12-29 20:57 . 2007-12-31 10:58 <DIR> d-------- C:\Program Files\Trend Micro
    2007-12-29 20:52 . 2007-12-29 20:52 0 --a------ C:\WINNT\vpc32.INI
    2007-12-29 16:35 . 2007-12-29 17:20 18,432 --a------ C:\WINNT\avp .exe
    2007-12-29 16:20 . 2005-09-17 00:20 108,168 --a------ C:\WINNT\system32\drivers\SYMEVENT.SYS
    2007-12-29 16:20 . 2005-09-17 00:20 87,768 --a------ C:\WINNT\system32\S32EVNT1.DLL
    2007-12-29 16:18 . 2007-12-31 14:46 <DIR> d-------- C:\Program Files\Symantec AntiVirus
    2007-12-29 16:18 . 2007-12-29 16:21 <DIR> d-------- C:\Program Files\Symantec
    2007-12-29 16:18 . 2007-12-30 15:50 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
    2007-12-29 16:16 . 2007-12-29 16:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
    2007-12-29 16:12 . 2005-09-23 07:29 626,688 --a------ C:\WINNT\system32\msvcr80.dll
    2007-12-29 16:07 . 2007-12-31 01:16 26,624 --a------ C:\WINNT\lsass .exe
    2007-12-29 16:07 . 2007-12-29 17:29 18,432 --a------ C:\WINNT\avp .exe
    2007-12-29 15:58 . 2007-12-29 15:58 <DIR> d-------- C:\WINNT\system32\pp1
    2007-12-29 15:58 . 2007-12-31 01:38 <DIR> d-------- C:\WINNT\system32\mr9
    2007-12-29 15:58 . 2007-12-29 16:06 <DIR> d-------- C:\WINNT\system32\cc9
    2007-12-29 15:58 . 2007-12-29 16:01 <DIR> d-------- C:\WINNT\system32\ardCo01
    2007-12-29 15:58 . 2007-12-29 15:58 <DIR> d-------- C:\WINNT\system32\aj2
    2007-12-29 15:58 . 2007-12-29 16:06 <DIR> d--hs---- C:\WINNT\SmFzb24gQiBIYXJsZXN0b24
    2007-12-29 15:58 . 2007-12-29 15:58 <DIR> d-------- C:\Temp\cEeer12
    2007-12-29 15:58 . 2007-12-31 13:45 <DIR> d-------- C:\Temp
    2007-12-29 15:58 . 2007-12-29 15:58 39,936 --a------ C:\WINNT\mrofinu572.exe.tmp
    2007-12-23 02:49 . 2007-12-23 03:02 <DIR> d-------- C:\Program Files\GameSpy Arcade
    2007-12-20 22:12 . 2007-12-20 22:13 <DIR> d-------- C:\Program Files\Google
    2007-12-16 08:50 . 2007-12-16 08:50 <DIR> d-------- C:\Program Files\Common Files\HP
    2007-12-16 08:49 . 2007-12-16 08:49 <DIR> d-------- C:\Program Files\Hewlett-Packard
    2007-12-16 08:48 . 2007-12-16 08:48 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
    2007-12-16 08:48 . 2004-10-04 18:26 51,120 -ra------ C:\WINNT\system32\drivers\HPZid412.sys
    2007-12-16 08:48 . 2004-10-04 18:26 16,496 -ra------ C:\WINNT\system32\drivers\HPZipr12.sys
    2007-12-16 08:47 . 2004-08-03 23:08 31,616 --a------ C:\WINNT\system32\drivers\usbccgp.sys
    2007-12-16 08:47 . 2004-08-03 23:08 31,616 --a--c--- C:\WINNT\system32\dllcache\usbccgp.sys
    2007-12-16 08:47 . 2004-08-03 23:01 25,856 --a------ C:\WINNT\system32\drivers\usbprint.sys
    2007-12-16 08:47 . 2004-08-03 23:01 25,856 --a--c--- C:\WINNT\system32\dllcache\usbprint.sys
    2007-12-16 08:47 . 2004-10-04 18:26 21,744 -ra------ C:\WINNT\system32\drivers\HPZius12.sys
    2007-12-16 08:45 . 2007-12-16 08:50 <DIR> d-------- C:\Program Files\HP
    2007-12-16 08:43 . 2007-12-16 08:51 69,372 --a------ C:\WINNT\hpoins05.dat
    2007-12-16 08:43 . 2004-12-14 10:39 19,696 --------- C:\WINNT\hpomdl05.dat
    2007-12-09 07:26 . 2007-07-30 19:19 271,224 --a------ C:\WINNT\system32\mucltui.dll
    2007-12-09 07:26 . 2007-07-30 19:19 30,072 --a------ C:\WINNT\system32\mucltui.dll.mui
    2007-12-02 13:19 . 2007-12-29 02:58 <DIR> d-------- C:\Program Files\IGZones
    2007-12-02 11:56 . 2007-12-02 11:58 <DIR> d-------- C:\Program Files\Microsoft Games
    2007-12-02 11:22 . 2007-12-02 11:51 316,640 --a------ C:\WINNT\WMSysPr9.prx
    2007-12-02 11:19 . 2007-12-02 11:19 <DIR> d-------- C:\WINNT\ServicePackFiles
    2007-12-02 11:17 . 2004-08-04 00:56 2,897,920 --a------ C:\WINNT\system32\xpsp2res.dll
    2007-12-02 11:15 . 2004-07-17 11:40 19,528 --a------ C:\WINNT\002397_.tmp
    2007-12-02 11:13 . 2007-12-02 11:13 <DIR> d-------- C:\WINNT\EHome
    2007-12-02 11:03 . 2004-08-04 00:56 614,912 --a------ C:\WINNT\system32\h323msp.dll
    2007-12-02 11:03 . 2004-08-04 00:56 331,264 --a------ C:\WINNT\system32\ipnathlp.dll
    2007-12-02 11:03 . 2004-08-04 00:56 265,728 --a------ C:\WINNT\system32\h323.tsp
    2007-12-02 11:03 . 2004-08-04 00:56 77,312 --a------ C:\WINNT\system32\browser.dll
    2007-12-02 11:03 . 2007-03-08 10:36 40,960 --a------ C:\WINNT\system32\mf3216.dll
    2007-12-02 11:00 . 2004-08-04 00:56 239,104 --a------ C:\WINNT\system32\srrstr.dll
    2007-12-02 10:58 . 2007-12-02 11:02 <DIR> d--h-c--- C:\WINNT\$xpsp1hfm$
    2007-12-02 10:55 . 2007-12-31 00:19 <DIR> d--h----- C:\WINNT\$hf_mig$
    2007-12-02 10:46 . 2007-12-02 10:46 <DIR> d-------- C:\WINNT\system32\bits
    2007-12-02 10:45 . 2004-08-04 00:56 438,784 --a------ C:\WINNT\system32\xpob2res.dll
    2007-12-02 10:45 . 2004-08-04 00:56 351,232 --a------ C:\WINNT\system32\winhttp.dll
    2007-12-02 10:45 . 2004-08-04 00:56 18,944 --a------ C:\WINNT\system32\qmgrprxy.dll
    2007-12-02 10:45 . 2004-08-04 00:56 8,192 --a------ C:\WINNT\system32\bitsprx2.dll
    2007-12-02 10:45 . 2004-08-04 00:56 7,168 --a------ C:\WINNT\system32\bitsprx3.dll
    2007-12-02 10:44 . 2007-07-30 19:19 549,720 --a------ C:\WINNT\system32\wuapi.dll
    2007-12-02 10:44 . 2007-07-30 19:19 325,976 --a------ C:\WINNT\system32\wucltui.dll
    2007-12-02 10:44 . 2007-07-30 19:19 216,408 --a------ C:\WINNT\system32\wuaucpl.cpl
    2007-12-02 10:44 . 2007-07-30 19:19 43,352 --a------ C:\WINNT\system32\wups2.dll
    2007-12-02 10:44 . 2007-07-30 19:18 34,136 --a------ C:\WINNT\system32\wucltui.dll.mui
    2007-12-02 10:44 . 2007-07-30 19:18 33,624 --a------ C:\WINNT\system32\wups.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-29 21:09 76 ----a-w C:\Program Files\ini.ini
    2007-12-02 16:01 155,995 ----a-w C:\WINNT\java\Packages\YM4D7NDB.ZIP
    2007-11-27 06:02 --------- d-----w C:\Program Files\microsoft frontpage
    2007-11-27 06:01 558,142 ----a-w C:\WINNT\java\Packages\B5VPFRDR.ZIP
    2007-11-27 06:01 271 --sh--w C:\Program Files\desktop.ini
    2007-11-27 06:01 21,952 ---h--w C:\Program Files\folder.htt
    2007-11-25 14:17 --------- d-----w C:\Documents and Settings\Jason B. Harleston\Application Data\My Games
    2007-10-29 22:43 1,287,680 ----a-w C:\WINNT\system32\quartz.dll
    2007-10-27 22:39 230,912 ----a-w C:\WINNT\system32\wmasf.dll
    2007-07-28 09:06 135 ----a-w C:\Program Files\page.html
    2007-06-14 09:22 2,231 ----a-w C:\Program Files\folder.js
    2006-12-03 01:05 2,522 ----a-w C:\Program Files\func.js
    2006-11-25 07:57 482 ----a-w C:\Program Files\Del.js
    2005-08-02 21:46 187,904 --sha-r C:\WINNT\SmFzb24gQiBIYXJsZXN0b24\asappsrv.dll
    .
    Code:
    ----a-w            68,856 2007-12-29 21:35:33  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
    ----a-w            49,152 2007-12-29 21:35:14  C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
    ----a-w           271,672 2007-12-29 21:35:06  C:\Program Files\iTunes\iTunesHelper .exe
    ----a-w         1,667,584 2007-12-29 21:35:39  C:\Program Files\Messenger\msmsgs .exe
    ----a-w           282,624 2007-12-29 22:29:29  C:\Program Files\QuickTime\qttask .exe
    ----a-w            18,432 2007-12-29 22:20:40  C:\WINNT\avp  .exe
    ----a-w            18,432 2007-12-29 22:29:41  C:\WINNT\avp .exe
    ----a-w            26,624 2007-12-31 06:16:35  C:\WINNT\lsass .exe
    

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{65D96C87-4B7A-4850-B7F5-9C2006918572}]
    C:\WINNT\system32\ssqpq.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{850A2070-A633-4F24-A5B5-4B17BF4AC6B6}]
    C:\Program Files\Windows Media Player\menozug4444.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E3D9F817-33AA-1828-D828-4BE679F55BE3}]
    C:\WINNT\system32\phwlkzo.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2007-12-29 17:20 1667584]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-30 15:52 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager "= "mobsync.exe" [2004-08-04 00:56 143360 C:\WINNT\system32\mobsync.exe]
    "NvCplDaemon "= "C:\WINNT\System32\NvCpl.dll" [2006-10-22 12:22 7700480]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-30 15:52 271672]
    "SoundMan "= "SOUNDMAN.EXE" [2006-11-17 05:42 577536 C:\WINNT\soundman.exe]
    "NvMediaCenter "= "C:\WINNT\System32\NvMcTray.dll" [2006-10-22 12:22 86016]
    "HP Software Update "= "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-12-30 15:52 49152]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-12-30 15:52 48752]
    "vptray "= "C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-12-30 15:51 85744]
    "pccguide.exe "= "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-12-30 16:03 3429904]
    "MSConfig "= "C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 00:56 158208]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "^SetupICWDesktop "= "C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2004-08-04 00:56 214528]
    "tscuninstall "= "C:\WINNT\system32\tscupgrd.exe" [2004-08-03 22:59 44544]

    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
    Reboot.exe [2004-10-01 01:01:50]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
    @= "Driver "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
    @= "Driver "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Clnvz]
    C:\WINNT\??mantec\r?ndll.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
    C:\WINNT\system32\mllml.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lsass]
    C:\WINNT\lsass.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsft Windows Adapter 5.1.3013]
    C:\Documents and Settings\Jason B Harleston\Application Data\bchmzrv.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ncmw]
    C:\PROGRA~1\COMMON~1\RACLE~1\wuauclt.exe -vt yazb

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask .exe -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]
    C:\WINNT\system32\spoolvs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
    C:\Program Files\Web Buying\v1.8.6\webbuying.exe

    R2 VPatch;ISS Buffer Overflow Exploit Prevention;C:\Program Files\ISS\Proventia Desktop\vpatch.exe [2006-06-12 19:28]
    R3 MakoNT;MakoNT;C:\WINNT\system32\drivers\MakoNT.sys [2006-06-12 19:28]
    R3 rap;rap;C:\WINNT\system32\drivers\RapDrv.sys [2006-06-12 19:28]
    R4 black;black;C:\WINNT\system32\drivers\BlackCat.sys [2006-06-12 19:28]

    *Newly Created Service* - CORE
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-12-31 14:11:01 C:\WINNT\Tasks\WebReg officejet 7200 series.job "
    - C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
    .
    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-31 14:49:08
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-12-31 14:58:18
    C:\qoobox\ComboFix-quarantined-files.txt 2007-12-31 19:57:59
    .
    2007-12-30 19:36:30 --- E O F ---


    And here is the second hijackthis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:27:50 PM, on 12/31/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\ISS\Proventia Desktop\blackd.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\Program Files\ISS\Proventia Desktop\RapApp.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\Program Files\ISS\Proventia Desktop\vpatch.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
    C:\WINNT\system32\wuauclt.exe
    C:\WINNT\system32\rundll32.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
    C:\WINNT\system32\wscntfy.exe
    C:\WINNT\explorer.exe
    C:\WINNT\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {65D96C87-4B7A-4850-B7F5-9C2006918572} - C:\WINNT\system32\ssqpq.dll (file missing)
    O2 - BHO: (no name) - {850A2070-A633-4F24-A5B5-4B17BF4AC6B6} - C:\Program Files\Windows Media Player\menozug4444.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
    O2 - BHO: (no name) - {E3D9F817-33AA-1828-D828-4BE679F55BE3} - C:\WINNT\system32\phwlkzo.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Proventia Desktop Agent.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.amaena.com
    O15 - Trusted Zone: *.avsystemcare.com
    O15 - Trusted Zone: *.gomyhit.com
    O15 - Trusted Zone: *.imageservr.com
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.onerateld.com
    O15 - Trusted Zone: *.safetydownload.com
    O15 - Trusted Zone: *.storageguardsoft.com
    O15 - Trusted Zone: *.trustedantivirus.com
    O15 - Trusted Zone: *.virusschlacht.com
    O15 - Trusted Zone: *.amaena.com (HKLM)
    O15 - Trusted Zone: *.avsystemcare.com (HKLM)
    O15 - Trusted Zone: *.gomyhit.com (HKLM)
    O15 - Trusted Zone: *.imageservr.com (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.onerateld.com (HKLM)
    O15 - Trusted Zone: *.safetydownload.com (HKLM)
    O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
    O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
    O15 - Trusted Zone: *.virusschlacht.com (HKLM)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1196610191405
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1196610974905
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\blackd.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
    O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\RapApp.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe

    --
    End of file - 8208 bytes
     
  5. 2007/12/31
    noahdfear (Inactive)
    Scan again with HijackThis and place a check next to all of the O15 - Trusted Zone entries, then click Fix Checked. Close HijackThis.


    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\WINNT\mrofinu572.exe.tmp
    Folder::
    C:\WINNT\system32\pp1
    C:\WINNT\system32\mr9
    C:\WINNT\system32\cc9
    C:\WINNT\system32\ardCo01
    C:\WINNT\system32\aj2
    C:\WINNT\SmFzb24gQiBIYXJsZXN0b24
    C:\Temp\cEeer12
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{65D96C87-4B7A-4850-B7F5-9C2006918572}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{850A2070-A633-4F24-A5B5-4B17BF4AC6B6}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E3D9F817-33AA-1828-D828-4BE679F55BE3}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Clnvz]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lsass]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsft Windows Adapter 5.1.3013]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ncmw]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Once you've posted the ComboFix log, download RenV.exe and save it to your desktop.
    • Double click to run it.
    • Post the log it produces along with a new HijackThis log.
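
    The two cleanup steps above (fix the O15 entries in HijackThis, then feed ComboFix a CFScript whose Registry:: section deletes the orphaned BHO keys) can be worked out mechanically from the log. The script below is an added example for this thread, not noahdfear's tooling and not part of HijackThis or ComboFix: it parses the O2 and O15 lines, flags BHOs whose DLL is missing or that register no name, merges the per-user and HKLM Trusted Zone copies into one list of domains to fix, and drafts the CFScript in the File::/Folder::/Registry:: layout used in the post. The sample lines are copied from the second HijackThis log above; the `HKEY_LOCAL_MACHINE\~\Browser Helper Objects\` shorthand is assumed to be accepted exactly as ComboFix printed it in this thread. One caveat worth keeping in mind: a domain in IE's Trusted sites zone gets that zone's looser security settings, so every O15 entry that nobody added deliberately is worth removing, whichever hive it sits in.

```python
"""Triage a HijackThis 2.x log and draft the matching ComboFix CFScript.
Added example for this thread, not the helper's own tooling."""
import re

# Sample input: O2/O4/O15 lines copied verbatim from the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {65D96C87-4B7A-4850-B7F5-9C2006918572} - C:\WINNT\system32\ssqpq.dll (file missing)
O2 - BHO: (no name) - {850A2070-A633-4F24-A5B5-4B17BF4AC6B6} - C:\Program Files\Windows Media Player\menozug4444.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
"""

BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
# HijackThis tags the machine-wide copies "(HKLM)"; unmarked ones are per-user.
ZONE_RE = re.compile(r"^O15 - Trusted Zone: (?P<domain>\S+)(?: \((?P<hive>HKLM)\))?$")


def parse_hjt(text):
    """Return {'bho': [...], 'trusted_zone': [...]} from HijackThis log text."""
    bhos, zones = [], []
    for line in text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            bhos.append({"name": m["name"], "clsid": m["clsid"].upper(),
                         "path": m["path"], "missing": m["missing"] is not None})
            continue
        m = ZONE_RE.match(line)
        if m:
            zones.append({"domain": m["domain"], "hive": m["hive"] or "HKCU"})
    return {"bho": bhos, "trusted_zone": zones}


def suspicious_bhos(parsed):
    """BHOs whose DLL is gone or that register no display name: orphaned
    loaders of the kind the Registry:: section of the CFScript removes."""
    return [b for b in parsed["bho"] if b["missing"] or b["name"] == "(no name)"]


def trusted_zone_domains(parsed):
    """Unique Trusted Zone domains, HKCU and HKLM copies merged."""
    return sorted({z["domain"] for z in parsed["trusted_zone"]})


def draft_cfscript(files=(), folders=(), bho_clsids=()):
    """Emit CFScript text in the File::/Folder::/Registry:: layout used above.
    Assumption: the HKEY_LOCAL_MACHINE\~\Browser Helper Objects\ shorthand is
    taken exactly as ComboFix printed and accepted it in this thread."""
    out = []
    if files:
        out.append("File::")
        out.extend(files)
    if folders:
        out.append("Folder::")
        out.extend(folders)
    if bho_clsids:
        out.append("Registry::")
        out.extend([r"[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\%s]" % c
                    for c in bho_clsids])
    return "\n".join(out) + "\n"


def triage(text):
    """Everything the cleanup steps above need, derived from one log."""
    parsed = parse_hjt(text)
    bad = [b["clsid"] for b in suspicious_bhos(parsed)]
    return {
        "fix_in_hijackthis": ["O15 - Trusted Zone: " + d
                              for d in trusted_zone_domains(parsed)],
        "orphaned_bho_clsids": bad,
        "cfscript": draft_cfscript(bho_clsids=bad),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("\n".join(result["fix_in_hijackthis"]))
    print(result["cfscript"])
```

    The File:: and Folder:: sections in the post came from the ComboFix log, not from HijackThis, so `draft_cfscript` takes them as plain arguments; only the BHO keys are derived automatically here.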
     
  6. 2007/12/31
    jason0902 (Inactive, Thread Starter)
    Thanks again!!

    I have already noticed improvements in my PC's speed. :)

    Combo Fix log is below:

    ComboFix 07-12-31.4 - Jason B Harleston 2007-12-31 22:40:06.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.539 [GMT -5:00]
    Running from: C:\Documents and Settings\Jason B Harleston\Desktop\ComboFix.exe
    Command switches used :: F:\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\folder.js\
    C:\Program Files\ini.ini\

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_CORE


    ((((((((((((((((((((((((( Files Created from 2007-12-01 to 2008-01-01 )))))))))))))))))))))))))))))))
    .

    2007-12-31 12:36 . 2000-08-31 08:00 51,200 --a------ C:\WINNT\NirCmd.exe
    2007-12-30 23:56 . 2007-12-30 23:56 0 --a------ C:\WINNT\nsreg.dat
    2007-12-30 13:19 . 2007-12-30 13:19 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-12-30 11:52 . 2006-08-21 04:14 128,896 -----c--- C:\WINNT\system32\dllcache\fltmgr.sys
    2007-12-30 11:52 . 2006-08-21 04:14 23,040 -----c--- C:\WINNT\system32\dllcache\fltmc.exe
    2007-12-30 11:52 . 2006-08-21 07:21 16,896 -----c--- C:\WINNT\system32\dllcache\fltlib.dll
    2007-12-30 11:11 . 2007-11-14 02:26 450,560 -----c--- C:\WINNT\system32\dllcache\jscript.dll
    2007-12-30 10:55 . 2006-06-22 05:47 181,248 -----c--- C:\WINNT\system32\dllcache\rasmans.dll
    2007-12-30 10:53 . 2006-12-14 08:45 981,760 -----c--- C:\WINNT\system32\dllcache\mfc42u.dll
    2007-12-30 10:51 . 2007-05-17 06:28 549,376 -----c--- C:\WINNT\system32\dllcache\oleaut32.dll
    2007-12-30 10:50 . 2007-02-05 15:17 185,344 -----c--- C:\WINNT\system32\dllcache\upnphost.dll
    2007-12-30 10:49 . 2006-04-20 06:51 359,808 -----c--- C:\WINNT\system32\dllcache\tcpip.sys
    2007-12-30 10:44 . 2007-03-08 08:47 1,843,584 -----c--- C:\WINNT\system32\dllcache\win32k.sys
    2007-12-30 10:44 . 2007-03-08 10:36 577,536 -----c--- C:\WINNT\system32\dllcache\user32.dll
    2007-12-30 10:44 . 2007-03-08 10:36 281,600 -----c--- C:\WINNT\system32\dllcache\gdi32.dll
    2007-12-30 10:44 . 2007-03-08 10:36 40,960 -----c--- C:\WINNT\system32\dllcache\mf3216.dll
    2007-12-30 10:42 . 2006-11-27 09:54 539,136 -----c--- C:\WINNT\system32\dllcache\msftedit.dll
    2007-12-30 10:42 . 2006-11-27 09:54 433,152 -----c--- C:\WINNT\system32\dllcache\riched20.dll
    2007-12-30 10:41 . 2007-10-29 17:43 1,287,680 -----c--- C:\WINNT\system32\dllcache\quartz.dll
    2007-12-30 10:39 . 2006-10-12 06:09 256,512 -----c--- C:\WINNT\system32\dllcache\agentsvr.exe
    2007-12-30 10:39 . 2006-10-12 09:02 57,344 -----c--- C:\WINNT\system32\dllcache\agentdpv.dll
    2007-12-30 10:39 . 2006-10-12 09:02 42,496 -----c--- C:\WINNT\system32\dllcache\agentdp2.dll
    2007-12-30 10:37 . 2007-07-09 08:09 584,192 -----c--- C:\WINNT\system32\dllcache\rpcrt4.dll
    2007-12-30 10:37 . 2007-02-09 06:10 574,464 -----c--- C:\WINNT\system32\dllcache\ntfs.sys
    2007-12-30 10:37 . 2006-03-16 19:38 28,672 --a------ C:\WINNT\system32\verclsid.exe
    2007-12-30 10:36 . 2007-04-16 10:52 984,576 -----c--- C:\WINNT\system32\dllcache\kernel32.dll
    2007-12-30 10:35 . 2006-05-05 04:41 453,120 -----c--- C:\WINNT\system32\dllcache\mrxsmb.sys
    2007-12-30 10:35 . 2006-05-05 04:47 174,592 -----c--- C:\WINNT\system32\dllcache\rdbss.sys
    2007-12-29 20:59 . 2007-09-17 14:31 1,126,072 --a------ C:\WINNT\system32\drivers\vsapint.sys
    2007-12-29 20:59 . 2006-12-29 01:53 288,848 --a------ C:\WINNT\system32\drivers\TM_CFW.sys
    2007-12-29 20:59 . 2007-09-17 14:40 202,768 --a------ C:\WINNT\system32\drivers\tmxpflt.sys
    2007-12-29 20:59 . 2006-12-29 01:53 111,888 --a------ C:\WINNT\system32\drivers\tm_mbd_c.sys
    2007-12-29 20:59 . 2006-12-29 01:53 75,088 --a------ C:\WINNT\system32\drivers\tmtdi.sys
    2007-12-29 20:59 . 2007-09-17 14:40 35,856 --a------ C:\WINNT\system32\drivers\tmpreflt.sys
    2007-12-29 20:58 . 2007-12-29 21:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
    2007-12-29 20:57 . 2007-12-31 10:58 <DIR> d-------- C:\Program Files\Trend Micro
    2007-12-29 20:52 . 2007-12-29 20:52 0 --a------ C:\WINNT\vpc32.INI
    2007-12-29 16:35 . 2007-12-29 17:20 18,432 --a------ C:\WINNT\avp .exe
    2007-12-29 16:20 . 2005-09-17 00:20 108,168 --a------ C:\WINNT\system32\drivers\SYMEVENT.SYS
    2007-12-29 16:20 . 2005-09-17 00:20 87,768 --a------ C:\WINNT\system32\S32EVNT1.DLL
    2007-12-29 16:18 . 2007-12-31 22:50 <DIR> d-------- C:\Program Files\Symantec AntiVirus
    2007-12-29 16:18 . 2007-12-29 16:21 <DIR> d-------- C:\Program Files\Symantec
    2007-12-29 16:18 . 2007-12-30 15:50 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
    2007-12-29 16:16 . 2007-12-29 16:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
    2007-12-29 16:12 . 2005-09-23 07:29 626,688 --a------ C:\WINNT\system32\msvcr80.dll
    2007-12-29 16:07 . 2007-12-31 01:16 26,624 --a------ C:\WINNT\lsass .exe
    2007-12-29 16:07 . 2007-12-29 17:29 18,432 --a------ C:\WINNT\avp .exe
    2007-12-29 15:58 . 2007-12-29 15:58 <DIR> d-------- C:\WINNT\system32\pp1
    2007-12-29 15:58 . 2007-12-31 01:38 <DIR> d-------- C:\WINNT\system32\mr9
    2007-12-29 15:58 . 2007-12-29 16:06 <DIR> d-------- C:\WINNT\system32\cc9
    2007-12-29 15:58 . 2007-12-29 16:01 <DIR> d-------- C:\WINNT\system32\ardCo01
    2007-12-29 15:58 . 2007-12-29 15:58 <DIR> d-------- C:\WINNT\system32\aj2
    2007-12-29 15:58 . 2007-12-29 16:06 <DIR> d--hs---- C:\WINNT\SmFzb24gQiBIYXJsZXN0b24
    2007-12-29 15:58 . 2007-12-29 15:58 <DIR> d-------- C:\Temp\cEeer12
    2007-12-29 15:58 . 2007-12-31 13:45 <DIR> d-------- C:\Temp
    2007-12-29 15:58 . 2007-12-29 15:58 39,936 --a------ C:\WINNT\mrofinu572.exe.tmp
    2007-12-23 02:49 . 2007-12-23 03:02 <DIR> d-------- C:\Program Files\GameSpy Arcade
    2007-12-20 22:12 . 2007-12-20 22:13 <DIR> d-------- C:\Program Files\Google
    2007-12-16 08:50 . 2007-12-16 08:50 <DIR> d-------- C:\Program Files\Common Files\HP
    2007-12-16 08:49 . 2007-12-16 08:49 <DIR> d-------- C:\Program Files\Hewlett-Packard
    2007-12-16 08:48 . 2007-12-16 08:48 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
    2007-12-16 08:48 . 2004-10-04 18:26 51,120 -ra------ C:\WINNT\system32\drivers\HPZid412.sys
    2007-12-16 08:48 . 2004-10-04 18:26 16,496 -ra------ C:\WINNT\system32\drivers\HPZipr12.sys
    2007-12-16 08:47 . 2004-08-03 23:08 31,616 --a------ C:\WINNT\system32\drivers\usbccgp.sys
    2007-12-16 08:47 . 2004-08-03 23:08 31,616 --a--c--- C:\WINNT\system32\dllcache\usbccgp.sys
    2007-12-16 08:47 . 2004-08-03 23:01 25,856 --a------ C:\WINNT\system32\drivers\usbprint.sys
    2007-12-16 08:47 . 2004-08-03 23:01 25,856 --a--c--- C:\WINNT\system32\dllcache\usbprint.sys
    2007-12-16 08:47 . 2004-10-04 18:26 21,744 -ra------ C:\WINNT\system32\drivers\HPZius12.sys
    2007-12-16 08:45 . 2007-12-16 08:50 <DIR> d-------- C:\Program Files\HP
    2007-12-16 08:43 . 2007-12-16 08:51 69,372 --a------ C:\WINNT\hpoins05.dat
    2007-12-16 08:43 . 2004-12-14 10:39 19,696 --------- C:\WINNT\hpomdl05.dat
    2007-12-09 07:26 . 2007-07-30 19:19 271,224 --a------ C:\WINNT\system32\mucltui.dll
    2007-12-09 07:26 . 2007-07-30 19:19 30,072 --a------ C:\WINNT\system32\mucltui.dll.mui
    2007-12-02 13:19 . 2007-12-29 02:58 <DIR> d-------- C:\Program Files\IGZones
    2007-12-02 11:56 . 2007-12-02 11:58 <DIR> d-------- C:\Program Files\Microsoft Games
    2007-12-02 11:22 . 2007-12-02 11:51 316,640 --a------ C:\WINNT\WMSysPr9.prx
    2007-12-02 11:19 . 2007-12-02 11:19 <DIR> d-------- C:\WINNT\ServicePackFiles
    2007-12-02 11:17 . 2004-08-04 00:56 2,897,920 --a------ C:\WINNT\system32\xpsp2res.dll
    2007-12-02 11:15 . 2004-07-17 11:40 19,528 --a------ C:\WINNT\002397_.tmp
    2007-12-02 11:13 . 2007-12-02 11:13 <DIR> d-------- C:\WINNT\EHome
    2007-12-02 11:03 . 2004-08-04 00:56 614,912 --a------ C:\WINNT\system32\h323msp.dll
    2007-12-02 11:03 . 2004-08-04 00:56 331,264 --a------ C:\WINNT\system32\ipnathlp.dll
    2007-12-02 11:03 . 2004-08-04 00:56 265,728 --a------ C:\WINNT\system32\h323.tsp
    2007-12-02 11:03 . 2004-08-04 00:56 77,312 --a------ C:\WINNT\system32\browser.dll
    2007-12-02 11:03 . 2007-03-08 10:36 40,960 --a------ C:\WINNT\system32\mf3216.dll
    2007-12-02 11:00 . 2004-08-04 00:56 239,104 --a------ C:\WINNT\system32\srrstr.dll
    2007-12-02 10:58 . 2007-12-02 11:02 <DIR> d--h-c--- C:\WINNT\$xpsp1hfm$
    2007-12-02 10:55 . 2007-12-31 00:19 <DIR> d--h----- C:\WINNT\$hf_mig$
    2007-12-02 10:46 . 2007-12-02 10:46 <DIR> d-------- C:\WINNT\system32\bits
    2007-12-02 10:45 . 2004-08-04 00:56 438,784 --a------ C:\WINNT\system32\xpob2res.dll
    2007-12-02 10:45 . 2004-08-04 00:56 351,232 --a------ C:\WINNT\system32\winhttp.dll
    2007-12-02 10:45 . 2004-08-04 00:56 18,944 --a------ C:\WINNT\system32\qmgrprxy.dll
    2007-12-02 10:45 . 2004-08-04 00:56 8,192 --a------ C:\WINNT\system32\bitsprx2.dll
    2007-12-02 10:45 . 2004-08-04 00:56 7,168 --a------ C:\WINNT\system32\bitsprx3.dll
    2007-12-02 10:44 . 2007-07-30 19:19 549,720 --a------ C:\WINNT\system32\wuapi.dll
    2007-12-02 10:44 . 2007-07-30 19:19 325,976 --a------ C:\WINNT\system32\wucltui.dll
    2007-12-02 10:44 . 2007-07-30 19:19 216,408 --a------ C:\WINNT\system32\wuaucpl.cpl
    2007-12-02 10:44 . 2007-07-30 19:19 43,352 --a------ C:\WINNT\system32\wups2.dll
    2007-12-02 10:44 . 2007-07-30 19:18 34,136 --a------ C:\WINNT\system32\wucltui.dll.mui
    2007-12-02 10:44 . 2007-07-30 19:18 33,624 --a------ C:\WINNT\system32\wups.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-30 20:50 --------- d-----w C:\Program Files\iTunes
    2007-12-30 16:00 --------- d-----w C:\Program Files\QuickTime
    2007-12-29 21:09 76 ----a-w C:\Program Files\ini.ini
    2007-12-02 16:01 155,995 ----a-w C:\WINNT\java\Packages\YM4D7NDB.ZIP
    2007-12-02 15:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-12-01 19:18 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2007-11-29 04:17 --------- d-----w C:\Documents and Settings\Jason B Harleston\Application Data\Apple Computer
    2007-11-29 04:16 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Apple Computer
    2007-11-29 04:16 --------- d-----w C:\Program Files\iPod
    2007-11-29 04:16 --------- d-----w C:\Program Files\Apple Software Update
    2007-11-29 04:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
    2007-11-28 01:48 --------- d-----w C:\Program Files\GetData
    2007-11-27 09:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
    2007-11-27 08:02 --------- d-----w C:\Program Files\Common Files\Adobe
    2007-11-27 08:02 --------- d-----w C:\Documents and Settings\Administrator\Application Data\InterTrust
    2007-11-27 07:55 --------- d-----w C:\Program Files\Common Files\InstallShield
    2007-11-27 07:26 --------- d-----w C:\Program Files\Realtek AC97
    2007-11-27 06:02 --------- d-----w C:\Program Files\microsoft frontpage
    2007-11-27 06:01 558,142 ----a-w C:\WINNT\java\Packages\B5VPFRDR.ZIP
    2007-11-27 06:01 271 --sh--w C:\Program Files\desktop.ini
    2007-11-27 06:01 21,952 ---h--w C:\Program Files\folder.htt
    2007-11-27 01:05 --------- d-----w C:\Program Files\Accessories
    2007-11-25 14:17 --------- d-----w C:\Documents and Settings\Jason B. Harleston\Application Data\My Games
    2007-10-29 22:43 1,287,680 ----a-w C:\WINNT\system32\quartz.dll
    2007-10-27 22:39 230,912 ----a-w C:\WINNT\system32\wmasf.dll
    2007-07-28 09:06 135 ----a-w C:\Program Files\page.html
    2007-06-14 09:22 2,231 ----a-w C:\Program Files\folder.js
    2006-12-03 01:05 2,522 ----a-w C:\Program Files\func.js
    2006-11-25 07:57 482 ----a-w C:\Program Files\Del.js
    2005-08-02 21:46 187,904 --sha-r C:\WINNT\SmFzb24gQiBIYXJsZXN0b24\asappsrv.dll
    .
    Code:
    ----a-w            68,856 2007-12-29 21:35:33  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
    ----a-w            49,152 2007-12-29 21:35:14  C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
    ----a-w           271,672 2007-12-29 21:35:06  C:\Program Files\iTunes\iTunesHelper .exe
    ----a-w         1,667,584 2007-12-29 21:35:39  C:\Program Files\Messenger\msmsgs .exe
    ----a-w           282,624 2007-12-29 22:29:29  C:\Program Files\QuickTime\qttask .exe
    ----a-w            18,432 2007-12-29 22:20:40  C:\WINNT\avp  .exe
    ----a-w            18,432 2007-12-29 22:29:41  C:\WINNT\avp .exe
    ----a-w            26,624 2007-12-31 06:16:35  C:\WINNT\lsass .exe
    

    ((((((((((((((((((((((((((((( snapshot@2007-12-31_14.55.13.54 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2000-08-31 13:00:00 163,328 ----a-w C:\WINNT\erdnt\subs\ERDNT.EXE
    + 2007-12-31 20:46:18 22,444 ----a-w C:\WINNT\SoftwareDistribution\EventCache\{A0F8FF34-FAAB-4770-8AF4-292DFE6E6A45}.bin
    + 2007-12-31 20:46:19 6,736 ----a-w C:\WINNT\SoftwareDistribution\EventCache\{A6FC25FE-1407-4588-AD32-047AB4E446CD}.bin
    - 2007-12-31 19:47:41 41,918 ----a-w C:\WINNT\system32\perfc009.dat
    + 2008-01-01 03:52:38 41,918 ----a-w C:\WINNT\system32\perfc009.dat
    - 2007-12-31 19:47:41 317,000 ----a-w C:\WINNT\system32\perfh009.dat
    + 2008-01-01 03:52:38 317,000 ----a-w C:\WINNT\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{65D96C87-4B7A-4850-B7F5-9C2006918572}]
    C:\WINNT\system32\ssqpq.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{850A2070-A633-4F24-A5B5-4B17BF4AC6B6}]
    C:\Program Files\Windows Media Player\menozug4444.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E3D9F817-33AA-1828-D828-4BE679F55BE3}]
    C:\WINNT\system32\phwlkzo.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-12-29 17:20 1667584]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-30 15:52 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"="mobsync.exe" [2004-08-04 00:56 143360 C:\WINNT\system32\mobsync.exe]
    "NvCplDaemon"="C:\WINNT\System32\NvCpl.dll" [2006-10-22 12:22 7700480]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-30 15:52 271672]
    "SoundMan"="SOUNDMAN.EXE" [2006-11-17 05:42 577536 C:\WINNT\soundman.exe]
    "NvMediaCenter"="C:\WINNT\System32\NvMcTray.dll" [2006-10-22 12:22 86016]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-12-30 15:52 49152]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-12-30 15:52 48752]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-12-30 15:51 85744]
    "pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-12-30 16:03 3429904]
    "MSConfig"="C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 00:56 158208]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2004-08-04 00:56 214528]
    "tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2004-08-03 22:59 44544]

    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
    Reboot.exe [2004-10-01 01:01:50]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Clnvz]
    C:\WINNT\??mantec\r?ndll.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
    C:\WINNT\system32\mllml.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lsass]
    C:\WINNT\lsass.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsft Windows Adapter 5.1.3013]
    C:\Documents and Settings\Jason B Harleston\Application Data\bchmzrv.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ncmw]
    C:\PROGRA~1\COMMON~1\RACLE~1\wuauclt.exe -vt yazb

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask .exe -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]
    C:\WINNT\system32\spoolvs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
    C:\Program Files\Web Buying\v1.8.6\webbuying.exe

    R2 VPatch;ISS Buffer Overflow Exploit Prevention;C:\Program Files\ISS\Proventia Desktop\vpatch.exe [2006-06-12 19:28]
    R3 MakoNT;MakoNT;C:\WINNT\system32\drivers\MakoNT.sys [2006-06-12 19:28]
    R3 rap;rap;C:\WINNT\system32\drivers\RapDrv.sys [2006-06-12 19:28]
    R4 black;black;C:\WINNT\system32\drivers\BlackCat.sys [2006-06-12 19:28]

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-12-31 14:11:01 C:\WINNT\Tasks\WebReg officejet 7200 series.job"
    - C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
    .
    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-31 22:54:56
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-12-31 23:01:17 - machine was rebooted
    C:\qoobox\ComboFix-quarantined-files.txt 2008-01-01 04:01:07
    C:\qoobox\ComboFix2.txt 2007-12-31 19:58:23
    .
    2007-12-30 19:36:30 --- E O F ---


    And here is the RenV log:

    Code:
    Ran on Mon 12/31/2007 - 23:18:06.42
    
    ----a-w            68,856 2007-12-29 21:35:33  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
    ----a-w            49,152 2007-12-29 21:35:14  C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
    ----a-w           271,672 2007-12-29 21:35:06  C:\Program Files\iTunes\iTunesHelper .exe
    ----a-w         1,667,584 2007-12-29 21:35:39  C:\Program Files\Messenger\msmsgs .exe
    ----a-w           282,624 2007-12-29 22:29:29  C:\Program Files\QuickTime\qttask .exe
    ----a-w            18,432 2007-12-29 22:20:40  C:\WINNT\avp  .exe
    ----a-w            18,432 2007-12-29 22:29:41  C:\WINNT\avp .exe
    ----a-w            26,624 2007-12-31 06:16:35  C:\WINNT\lsass .exe
    
     Entries:                8  (8)
     Directories:            0  Files:             8
     Bytes:          2,403,376  Blocks:        4,695
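
    The RenV output above lists executables whose names carry a space before the extension (msmsgs .exe, qttask .exe, lsass .exe, two variants of avp .exe), and the ComboFix "Reg Loading Points" section shows a C:\WINNT\lsass.exe started from msconfig\startupreg\lsass even though the genuine lsass.exe in the process list runs from C:\WINNT\system32, plus a C:\WINNT\??mantec\r?ndll.exe whose path characters the forum could not render. The script below is an added example, not RenV and not anything from the thread: it walks a directory tree and reports those three patterns (a renamed original with something now occupying its old name, a core system binary outside system32, and non-ASCII characters in a path component). The tree it scans is a constructed sample that mirrors the log; the Cyrillic letter used for the unrenderable directory name is a stand-in assumption, since the page only shows question marks.

```python
"""Hunt for the renamed-executable pattern shown in the RenV and ComboFix
output above.  Added example for this thread; the tree it scans is a
constructed sample, not the poster's machine."""
import os
import tempfile
from pathlib import Path

# Binaries that belong only in %SystemRoot%\system32 on XP; a copy anywhere
# else (the log's C:\WINNT\lsass.exe) is a look-alike, whatever its contents.
CORE_SYSTEM_BINARIES = {"lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe",
                        "services.exe", "svchost.exe", "spoolsv.exe"}
EXEC_EXTENSIONS = {"exe", "dll", "sys", "scr", "com"}


def build_sample_tree(root):
    """Constructed sample mirroring the findings in the logs above."""
    root = Path(root)
    (root / "WINNT" / "system32").mkdir(parents=True)
    (root / "WINNT" / "system32" / "lsass.exe").write_bytes(b"genuine")
    (root / "WINNT" / "lsass.exe").write_bytes(b"look-alike")   # msconfig\startupreg\lsass
    (root / "WINNT" / "lsass .exe").write_bytes(b"renamed")     # as in the RenV log
    (root / "WINNT" / "avp  .exe").write_bytes(b"renamed")      # two spaces, as logged
    (root / "WINNT" / "notepad.exe").write_bytes(b"genuine")
    msgr = root / "Program Files" / "Messenger"
    msgr.mkdir(parents=True)
    (msgr / "msmsgs.exe").write_bytes(b"unknown")
    (msgr / "msmsgs .exe").write_bytes(b"renamed")
    # Assumption: the log's "??mantec\r?ndll.exe" used characters the forum
    # could not render; a Cyrillic letter stands in for them here.
    odd = root / "WINNT" / "S\u0443mantec"
    odd.mkdir()
    (odd / "r\u0443ndll.exe").write_bytes(b"look-alike")
    return root


def split_name(name):
    """('lsass ', 'exe') for 'lsass .exe'; ('', '') when there is no extension."""
    stem, dot, ext = name.rpartition(".")
    return (stem, ext.lower()) if dot else ("", "")


def whitespace_before_extension(name):
    """True for 'lsass .exe' or 'avp  .exe': an original pushed aside so that
    something else can take its name."""
    stem, ext = split_name(name)
    return ext in EXEC_EXTENSIONS and stem != stem.rstrip()


def non_ascii(name):
    """Any character outside printable ASCII in a path component."""
    return any(not 32 <= ord(ch) <= 126 for ch in name)


def hunt(root):
    """Walk the tree; return sorted (kind, path relative to root, detail)."""
    root = Path(root)
    system32 = (root / "WINNT" / "system32").resolve()
    findings = []
    for dirpath, dirs, files in os.walk(root):
        here = Path(dirpath)
        for d in dirs:
            if non_ascii(d):
                findings.append(("non_ascii_name", (here / d).relative_to(root).as_posix(),
                                 "contains non-ASCII characters"))
        for name in files:
            rel = (here / name).relative_to(root).as_posix()
            if whitespace_before_extension(name):
                stem, ext = split_name(name)
                taken = (here / f"{stem.rstrip()}.{ext}").exists()
                findings.append(("renamed_original", rel,
                                 "original name taken" if taken else "original name free"))
            elif name.lower() in CORE_SYSTEM_BINARIES and here.resolve() != system32:
                findings.append(("system_binary_outside_system32", rel,
                                 "expected only in WINNT/system32"))
            elif non_ascii(name):
                findings.append(("non_ascii_name", rel, "contains non-ASCII characters"))
    return sorted(findings)


def demo():
    """Build the sample in a scratch directory, hunt it, clean up."""
    with tempfile.TemporaryDirectory() as scratch:
        return hunt(build_sample_tree(scratch))


if __name__ == "__main__":
    for kind, path, detail in demo():
        print(f"{kind:32} {path:40} {detail}")
```

    "original name taken" is the finding to look at first: it means a file now answers to the name that the renamed copy used to have, which is exactly what the thread's msmsgs.exe and lsass.exe entries show. Running this against a real drive means pointing `hunt` at the volume root and letting `system32` resolve to the actual %SystemRoot%\system32.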
    
     
  7. 2007/12/31
    noahdfear (Inactive)
    It doesn't appear as though the CFScript was executed properly. Please repeat the instructions in my last reply for creating and saving the script to your desktop, then drag-n-drop the script onto ComboFix.exe. The CFScript.txt must be saved with the contents of the code box.
    Post the new log when it completes.
     
  8. 2008/01/01
    jason0902 (Inactive, Thread Starter)
    Sorry about that. Here's the updated log... I'll post the other log momentarily.

    ComboFix 07-12-31.4 - Jason B Harleston 2008-01-01 1:42:26.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.462 [GMT -5:00]
    Running from: C:\Documents and Settings\Jason B Harleston\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Jason B Harleston\Desktop\CFScript.txt
    * Created a new restore point

    FILE
    C:\WINNT\mrofinu572.exe.tmp
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\folder.js\
    C:\Program Files\ini.ini\
    C:\Temp\cEeer12
    C:\Temp\cEeer12\skAt.log
    C:\WINNT\mrofinu572.exe.tmp
    C:\WINNT\SmFzb24gQiBIYXJsZXN0b24
    C:\WINNT\SmFzb24gQiBIYXJsZXN0b24\asappsrv.dll
    C:\WINNT\system32\aj2
    C:\WINNT\system32\aj2\bumebrpl5.exe
    C:\WINNT\system32\ardCo01
    C:\WINNT\system32\cc9
    C:\WINNT\system32\mr9
    C:\WINNT\system32\pp1
    C:\WINNT\system32\pp1\upzdrvr1.exe

    .
    ((((((((((((((((((((((((( Files Created from 2007-12-01 to 2008-01-01 )))))))))))))))))))))))))))))))
    .

    2007-12-31 12:36 . 2000-08-31 08:00 51,200 --a------ C:\WINNT\NirCmd.exe
    2007-12-30 23:56 . 2007-12-30 23:56 0 --a------ C:\WINNT\nsreg.dat
    2007-12-30 13:19 . 2007-12-30 13:19 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-12-30 11:52 . 2006-08-21 04:14 128,896 -----c--- C:\WINNT\system32\dllcache\fltmgr.sys
    2007-12-30 11:52 . 2006-08-21 04:14 23,040 -----c--- C:\WINNT\system32\dllcache\fltmc.exe
    2007-12-30 11:52 . 2006-08-21 07:21 16,896 -----c--- C:\WINNT\system32\dllcache\fltlib.dll
    2007-12-30 11:11 . 2007-11-14 02:26 450,560 -----c--- C:\WINNT\system32\dllcache\jscript.dll
    2007-12-30 10:55 . 2006-06-22 05:47 181,248 -----c--- C:\WINNT\system32\dllcache\rasmans.dll
    2007-12-30 10:53 . 2006-12-14 08:45 981,760 -----c--- C:\WINNT\system32\dllcache\mfc42u.dll
    2007-12-30 10:51 . 2007-05-17 06:28 549,376 -----c--- C:\WINNT\system32\dllcache\oleaut32.dll
    2007-12-30 10:50 . 2007-02-05 15:17 185,344 -----c--- C:\WINNT\system32\dllcache\upnphost.dll
    2007-12-30 10:49 . 2006-04-20 06:51 359,808 -----c--- C:\WINNT\system32\dllcache\tcpip.sys
    2007-12-30 10:44 . 2007-03-08 08:47 1,843,584 -----c--- C:\WINNT\system32\dllcache\win32k.sys
    2007-12-30 10:44 . 2007-03-08 10:36 577,536 -----c--- C:\WINNT\system32\dllcache\user32.dll
    2007-12-30 10:44 . 2007-03-08 10:36 281,600 -----c--- C:\WINNT\system32\dllcache\gdi32.dll
    2007-12-30 10:44 . 2007-03-08 10:36 40,960 -----c--- C:\WINNT\system32\dllcache\mf3216.dll
    2007-12-30 10:42 . 2006-11-27 09:54 539,136 -----c--- C:\WINNT\system32\dllcache\msftedit.dll
    2007-12-30 10:42 . 2006-11-27 09:54 433,152 -----c--- C:\WINNT\system32\dllcache\riched20.dll
    2007-12-30 10:41 . 2007-10-29 17:43 1,287,680 -----c--- C:\WINNT\system32\dllcache\quartz.dll
    2007-12-30 10:39 . 2006-10-12 06:09 256,512 -----c--- C:\WINNT\system32\dllcache\agentsvr.exe
    2007-12-30 10:39 . 2006-10-12 09:02 57,344 -----c--- C:\WINNT\system32\dllcache\agentdpv.dll
    2007-12-30 10:39 . 2006-10-12 09:02 42,496 -----c--- C:\WINNT\system32\dllcache\agentdp2.dll
    2007-12-30 10:37 . 2007-07-09 08:09 584,192 -----c--- C:\WINNT\system32\dllcache\rpcrt4.dll
    2007-12-30 10:37 . 2007-02-09 06:10 574,464 -----c--- C:\WINNT\system32\dllcache\ntfs.sys
    2007-12-30 10:37 . 2006-03-16 19:38 28,672 --a------ C:\WINNT\system32\verclsid.exe
    2007-12-30 10:36 . 2007-04-16 10:52 984,576 -----c--- C:\WINNT\system32\dllcache\kernel32.dll
    2007-12-30 10:35 . 2006-05-05 04:41 453,120 -----c--- C:\WINNT\system32\dllcache\mrxsmb.sys
    2007-12-30 10:35 . 2006-05-05 04:47 174,592 -----c--- C:\WINNT\system32\dllcache\rdbss.sys
    2007-12-29 20:59 . 2007-09-17 14:31 1,126,072 --a------ C:\WINNT\system32\drivers\vsapint.sys
    2007-12-29 20:59 . 2006-12-29 01:53 288,848 --a------ C:\WINNT\system32\drivers\TM_CFW.sys
    2007-12-29 20:59 . 2007-09-17 14:40 202,768 --a------ C:\WINNT\system32\drivers\tmxpflt.sys
    2007-12-29 20:59 . 2006-12-29 01:53 111,888 --a------ C:\WINNT\system32\drivers\tm_mbd_c.sys
    2007-12-29 20:59 . 2006-12-29 01:53 75,088 --a------ C:\WINNT\system32\drivers\tmtdi.sys
    2007-12-29 20:59 . 2007-09-17 14:40 35,856 --a------ C:\WINNT\system32\drivers\tmpreflt.sys
    2007-12-29 20:58 . 2007-12-29 21:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
    2007-12-29 20:57 . 2007-12-31 10:58 <DIR> d-------- C:\Program Files\Trend Micro
    2007-12-29 20:52 . 2007-12-29 20:52 0 --a------ C:\WINNT\vpc32.INI
    2007-12-29 16:35 . 2007-12-29 17:20 18,432 --a------ C:\WINNT\avp .exe
    2007-12-29 16:20 . 2005-09-17 00:20 108,168 --a------ C:\WINNT\system32\drivers\SYMEVENT.SYS
    2007-12-29 16:20 . 2005-09-17 00:20 87,768 --a------ C:\WINNT\system32\S32EVNT1.DLL
    2007-12-29 16:18 . 2007-12-31 22:50 <DIR> d-------- C:\Program Files\Symantec AntiVirus
    2007-12-29 16:18 . 2007-12-29 16:21 <DIR> d-------- C:\Program Files\Symantec
    2007-12-29 16:18 . 2007-12-30 15:50 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
    2007-12-29 16:16 . 2007-12-29 16:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
    2007-12-29 16:12 . 2005-09-23 07:29 626,688 --a------ C:\WINNT\system32\msvcr80.dll
    2007-12-29 16:07 . 2007-12-31 01:16 26,624 --a------ C:\WINNT\lsass .exe
    2007-12-29 16:07 . 2007-12-29 17:29 18,432 --a------ C:\WINNT\avp .exe
    2007-12-29 15:58 . 2008-01-01 01:49 <DIR> d-------- C:\Temp
    2007-12-23 02:49 . 2007-12-23 03:02 <DIR> d-------- C:\Program Files\GameSpy Arcade
    2007-12-20 22:12 . 2007-12-20 22:13 <DIR> d-------- C:\Program Files\Google
    2007-12-16 08:50 . 2007-12-16 08:50 <DIR> d-------- C:\Program Files\Common Files\HP
    2007-12-16 08:49 . 2007-12-16 08:49 <DIR> d-------- C:\Program Files\Hewlett-Packard
    2007-12-16 08:48 . 2007-12-16 08:48 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
    2007-12-16 08:48 . 2004-10-04 18:26 51,120 -ra------ C:\WINNT\system32\drivers\HPZid412.sys
    2007-12-16 08:48 . 2004-10-04 18:26 16,496 -ra------ C:\WINNT\system32\drivers\HPZipr12.sys
    2007-12-16 08:47 . 2004-08-03 23:08 31,616 --a------ C:\WINNT\system32\drivers\usbccgp.sys
    2007-12-16 08:47 . 2004-08-03 23:08 31,616 --a--c--- C:\WINNT\system32\dllcache\usbccgp.sys
    2007-12-16 08:47 . 2004-08-03 23:01 25,856 --a------ C:\WINNT\system32\drivers\usbprint.sys
    2007-12-16 08:47 . 2004-08-03 23:01 25,856 --a--c--- C:\WINNT\system32\dllcache\usbprint.sys
    2007-12-16 08:47 . 2004-10-04 18:26 21,744 -ra------ C:\WINNT\system32\drivers\HPZius12.sys
    2007-12-16 08:45 . 2007-12-16 08:50 <DIR> d-------- C:\Program Files\HP
    2007-12-16 08:43 . 2007-12-16 08:51 69,372 --a------ C:\WINNT\hpoins05.dat
    2007-12-16 08:43 . 2004-12-14 10:39 19,696 --------- C:\WINNT\hpomdl05.dat
    2007-12-09 07:26 . 2007-07-30 19:19 271,224 --a------ C:\WINNT\system32\mucltui.dll
    2007-12-09 07:26 . 2007-07-30 19:19 30,072 --a------ C:\WINNT\system32\mucltui.dll.mui
    2007-12-02 13:19 . 2007-12-29 02:58 <DIR> d-------- C:\Program Files\IGZones
    2007-12-02 11:56 . 2007-12-02 11:58 <DIR> d-------- C:\Program Files\Microsoft Games
    2007-12-02 11:22 . 2007-12-02 11:51 316,640 --a------ C:\WINNT\WMSysPr9.prx
    2007-12-02 11:19 . 2007-12-02 11:19 <DIR> d-------- C:\WINNT\ServicePackFiles
    2007-12-02 11:17 . 2004-08-04 00:56 2,897,920 --a------ C:\WINNT\system32\xpsp2res.dll
    2007-12-02 11:15 . 2004-07-17 11:40 19,528 --a------ C:\WINNT\002397_.tmp
    2007-12-02 11:13 . 2007-12-02 11:13 <DIR> d-------- C:\WINNT\EHome
    2007-12-02 11:03 . 2004-08-04 00:56 614,912 --a------ C:\WINNT\system32\h323msp.dll
    2007-12-02 11:03 . 2004-08-04 00:56 331,264 --a------ C:\WINNT\system32\ipnathlp.dll
    2007-12-02 11:03 . 2004-08-04 00:56 265,728 --a------ C:\WINNT\system32\h323.tsp
    2007-12-02 11:03 . 2004-08-04 00:56 77,312 --a------ C:\WINNT\system32\browser.dll
    2007-12-02 11:03 . 2007-03-08 10:36 40,960 --a------ C:\WINNT\system32\mf3216.dll
    2007-12-02 11:00 . 2004-08-04 00:56 239,104 --a------ C:\WINNT\system32\srrstr.dll
    2007-12-02 10:58 . 2007-12-02 11:02 <DIR> d--h-c--- C:\WINNT\$xpsp1hfm$
    2007-12-02 10:55 . 2007-12-31 00:19 <DIR> d--h----- C:\WINNT\$hf_mig$
    2007-12-02 10:46 . 2007-12-02 10:46 <DIR> d-------- C:\WINNT\system32\bits
    2007-12-02 10:45 . 2004-08-04 00:56 438,784 --a------ C:\WINNT\system32\xpob2res.dll
    2007-12-02 10:45 . 2004-08-04 00:56 351,232 --a------ C:\WINNT\system32\winhttp.dll
    2007-12-02 10:45 . 2004-08-04 00:56 18,944 --a------ C:\WINNT\system32\qmgrprxy.dll
    2007-12-02 10:45 . 2004-08-04 00:56 8,192 --a------ C:\WINNT\system32\bitsprx2.dll
    2007-12-02 10:45 . 2004-08-04 00:56 7,168 --a------ C:\WINNT\system32\bitsprx3.dll
    2007-12-02 10:44 . 2007-07-30 19:19 549,720 --a------ C:\WINNT\system32\wuapi.dll
    2007-12-02 10:44 . 2007-07-30 19:19 325,976 --a------ C:\WINNT\system32\wucltui.dll
    2007-12-02 10:44 . 2007-07-30 19:19 216,408 --a------ C:\WINNT\system32\wuaucpl.cpl
    2007-12-02 10:44 . 2007-07-30 19:19 43,352 --a------ C:\WINNT\system32\wups2.dll
    2007-12-02 10:44 . 2007-07-30 19:18 34,136 --a------ C:\WINNT\system32\wucltui.dll.mui
    2007-12-02 10:44 . 2007-07-30 19:18 33,624 --a------ C:\WINNT\system32\wups.dll
    2007-12-02 10:44 . 2007-07-30 19:19 25,944 --a------ C:\WINNT\system32\wuaucpl.cpl.mui
    2007-12-02 10:44 . 2007-07-30 19:19 25,944 --a------ C:\WINNT\system32\wuapi.dll.mui
    2007-12-02 10:44 . 2007-07-30 19:18 20,312 --a------ C:\WINNT\system32\wuaueng.dll.mui
    2007-12-02 10:30 . 2004-08-04 00:56 159,232 --a------ C:\WINNT\system32\ptpusd.dll
    2007-12-02 10:30 . 2004-08-03 22:58 15,104 --a------ C:\WINNT\system32\drivers\usbscan.sys
    2007-12-02 10:30 . 2001-08-17 22:36 5,632 --a------ C:\WINNT\system32\ptpusb.dll
    2007-12-02 10:13 . 2007-12-02 10:13 0 --a------ C:\WINNT\OpPrintServer.INI
    2007-12-02 10:12 . 2007-12-02 10:16 <DIR> d-------- C:\Program Files\Canon

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-30 20:50 --------- d-----w C:\Program Files\iTunes
    2007-12-30 16:00 --------- d-----w C:\Program Files\QuickTime
    2007-12-29 21:09 76 ----a-w C:\Program Files\ini.ini
    2007-12-02 16:01 155,995 ----a-w C:\WINNT\java\Packages\YM4D7NDB.ZIP
    2007-12-02 15:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-12-01 19:18 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2007-11-29 04:17 --------- d-----w C:\Documents and Settings\Jason B Harleston\Application Data\Apple Computer
    2007-11-29 04:16 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Apple Computer
    2007-11-29 04:16 --------- d-----w C:\Program Files\iPod
    2007-11-29 04:16 --------- d-----w C:\Program Files\Apple Software Update
    2007-11-29 04:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
    2007-11-28 01:48 --------- d-----w C:\Program Files\GetData
    2007-11-27 09:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
    2007-11-27 08:02 --------- d-----w C:\Program Files\Common Files\Adobe
    2007-11-27 08:02 --------- d-----w C:\Documents and Settings\Administrator\Application Data\InterTrust
    2007-11-27 07:55 --------- d-----w C:\Program Files\Common Files\InstallShield
    2007-11-27 07:26 --------- d-----w C:\Program Files\Realtek AC97
    2007-11-27 06:02 --------- d-----w C:\Program Files\microsoft frontpage
    2007-11-27 06:01 558,142 ----a-w C:\WINNT\java\Packages\B5VPFRDR.ZIP
    2007-11-27 06:01 271 --sh--w C:\Program Files\desktop.ini
    2007-11-27 06:01 21,952 ---h--w C:\Program Files\folder.htt
    2007-11-27 01:05 --------- d-----w C:\Program Files\Accessories
    2007-11-25 14:17 --------- d-----w C:\Documents and Settings\Jason B. Harleston\Application Data\My Games
    2007-10-29 22:43 1,287,680 ----a-w C:\WINNT\system32\quartz.dll
    2007-10-27 22:39 230,912 ----a-w C:\WINNT\system32\wmasf.dll
    2007-07-28 09:06 135 ----a-w C:\Program Files\page.html
    2007-06-14 09:22 2,231 ----a-w C:\Program Files\folder.js
    2006-12-03 01:05 2,522 ----a-w C:\Program Files\func.js
    2006-11-25 07:57 482 ----a-w C:\Program Files\Del.js
    .
    Code:
    ----a-w            68,856 2007-12-29 21:35:33  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
    ----a-w            49,152 2007-12-29 21:35:14  C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
    ----a-w           271,672 2007-12-29 21:35:06  C:\Program Files\iTunes\iTunesHelper .exe
    ----a-w         1,667,584 2007-12-29 21:35:39  C:\Program Files\Messenger\msmsgs .exe
    ----a-w           282,624 2007-12-29 22:29:29  C:\Program Files\QuickTime\qttask .exe
    ----a-w            18,432 2007-12-29 22:20:40  C:\WINNT\avp  .exe
    ----a-w            18,432 2007-12-29 22:29:41  C:\WINNT\avp .exe
    ----a-w            26,624 2007-12-31 06:16:35  C:\WINNT\lsass .exe
    

    ((((((((((((((((((((((((((((( snapshot@2007-12-31_14.55.13.54 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2000-08-31 13:00:00 163,328 ----a-w C:\WINNT\erdnt\subs\ERDNT.EXE
    + 2007-12-31 20:46:18 22,444 ----a-w C:\WINNT\SoftwareDistribution\EventCache\{A0F8FF34-FAAB-4770-8AF4-292DFE6E6A45}.bin
    + 2007-12-31 20:46:19 6,736 ----a-w C:\WINNT\SoftwareDistribution\EventCache\{A6FC25FE-1407-4588-AD32-047AB4E446CD}.bin
    - 2007-12-31 19:47:41 41,918 ----a-w C:\WINNT\system32\perfc009.dat
    + 2008-01-01 03:52:38 41,918 ----a-w C:\WINNT\system32\perfc009.dat
    - 2007-12-31 19:47:41 317,000 ----a-w C:\WINNT\system32\perfh009.dat
    + 2008-01-01 03:52:38 317,000 ----a-w C:\WINNT\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-12-29 17:20 1667584]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-30 15:52 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"="mobsync.exe" [2004-08-04 00:56 143360 C:\WINNT\system32\mobsync.exe]
    "NvCplDaemon"="C:\WINNT\System32\NvCpl.dll" [2006-10-22 12:22 7700480]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-30 15:52 271672]
    "SoundMan"="SOUNDMAN.EXE" [2006-11-17 05:42 577536 C:\WINNT\soundman.exe]
    "NvMediaCenter"="C:\WINNT\System32\NvMcTray.dll" [2006-10-22 12:22 86016]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-12-30 15:52 49152]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-12-30 15:52 48752]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-12-30 15:51 85744]
    "pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-12-30 16:03 3429904]
    "MSConfig"="C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 00:56 158208]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2004-08-04 00:56 214528]
    "tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2004-08-03 22:59 44544]

    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
    Reboot.exe [2004-10-01 01:01:50]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]
    C:\WINNT\system32\spoolvs.exe

    R2 VPatch;ISS Buffer Overflow Exploit Prevention;C:\Program Files\ISS\Proventia Desktop\vpatch.exe [2006-06-12 19:28]
    R3 MakoNT;MakoNT;C:\WINNT\system32\drivers\MakoNT.sys [2006-06-12 19:28]
    R3 rap;rap;C:\WINNT\system32\drivers\RapDrv.sys [2006-06-12 19:28]
    R4 black;black;C:\WINNT\system32\drivers\BlackCat.sys [2006-06-12 19:28]

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-12-31 14:11:01 C:\WINNT\Tasks\WebReg officejet 7200 series.job"
    - C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
    .
    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-01 01:50:03
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-01 1:54:17
    C:\qoobox\ComboFix-quarantined-files.txt 2008-01-01 06:54:10
    C:\qoobox\ComboFix2.txt 2008-01-01 04:01:18
    C:\qoobox\ComboFix3.txt 2007-12-31 19:58:23
    .
    2007-12-30 19:36:30 --- E O F ---
     
  9. 2008/01/01
    jason0902 (Thread Starter)
    Here is the updated RenV log file...

    Code:
    Ran on Tue 01/01/2008 -  1:58:08.20
    
    ----a-w            68,856 2007-12-29 21:35:33  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
    ----a-w            49,152 2007-12-29 21:35:14  C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
    ----a-w           271,672 2007-12-29 21:35:06  C:\Program Files\iTunes\iTunesHelper .exe
    ----a-w         1,667,584 2007-12-29 21:35:39  C:\Program Files\Messenger\msmsgs .exe
    ----a-w           282,624 2007-12-29 22:29:29  C:\Program Files\QuickTime\qttask .exe
    ----a-w            18,432 2007-12-29 22:20:40  C:\WINNT\avp  .exe
    ----a-w            18,432 2007-12-29 22:29:41  C:\WINNT\avp .exe
    ----a-w            26,624 2007-12-31 06:16:35  C:\WINNT\lsass .exe
    
     Entries:                8  (8)
     Directories:            0  Files:             8
     Bytes:          2,403,376  Blocks:        4,695
    


    And here is the updated HJT log.....


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:59:48 AM, on 1/1/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\ISS\Proventia Desktop\blackd.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\Program Files\ISS\Proventia Desktop\RapApp.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\Program Files\ISS\Proventia Desktop\vpatch.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
    C:\WINNT\system32\wscntfy.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINNT\explorer.exe
    C:\WINNT\system32\notepad.exe
    C:\WINNT\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Proventia Desktop Agent.lnk = ?
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1196610191405
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1196610974905
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\blackd.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
    O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\RapApp.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe

    --
    End of file - 7363 bytes
     
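    The RenV log above lists files whose names carry whitespace just before the extension (`lsass .exe`, `avp  .exe`, `GoogleToolbarNotifier .exe`), a trick for sitting beside a legitimate binary while looking identical in most views. The script below is an added example, not part of this thread and not RenV's own code: it parses lines in the RenV log layout shown in the post and flags that pattern, and additionally flags a core XP process name (such as `lsass.exe`) that resolves to a location outside `%SystemRoot%\system32`. The `SAMPLE_LOG` is constructed from the paths in the posted log plus one clean control line, and the `SYSTEM32_ONLY` list is an assumption made for the example.

```python
"""Added example (not from the thread or the RenV tool): parse RenV-style log
lines and flag the 'name .exe' masquerade pattern the posted logs show."""
import re
from typing import List, NamedTuple, Tuple

# Constructed sample in the RenV log layout seen in the thread; the first three
# paths are copied from the posted log, the fourth is a clean control entry.
SAMPLE_LOG = r"""Ran on Tue 01/01/2008 -  1:58:08.20

----a-w            68,856 2007-12-29 21:35:33  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w            18,432 2007-12-29 22:20:40  C:\WINNT\avp  .exe
----a-w            26,624 2007-12-31 06:16:35  C:\WINNT\lsass .exe
----a-w           282,624 2007-12-29 22:29:29  C:\Program Files\QuickTime\qttask.exe

 Entries:                4  (4)
"""


class Entry(NamedTuple):
    attrs: str   # attribute flags as RenV prints them, e.g. ----a-w
    size: int    # bytes
    mtime: str   # last-write time, YYYY-MM-DD HH:MM:SS
    path: str    # full path; whitespace inside the file name is preserved


# One RenV entry line: attrs, size with thousands separators, timestamp, path.
LINE_RE = re.compile(
    r"^(?P<attrs>[-A-Za-z]{7})\s+(?P<size>[\d,]+)\s+"
    r"(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>\S.*?)\s*$"
)

# Whitespace immediately before the final extension: 'lsass .exe', 'avp  .exe'.
SPACE_BEFORE_EXT = re.compile(r"\s+\.[A-Za-z0-9]+$")

# Heuristic list, an assumption for this example: core XP binaries that are
# only legitimate under %SystemRoot%\system32.
SYSTEM32_ONLY = {"lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe"}


def parse_renv_log(text: str) -> List[Entry]:
    """Return the entry lines of a RenV log; header and summary lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m["attrs"], int(m["size"].replace(",", "")),
                                 m["mtime"], m["path"]))
    return entries


def intended_name(filename: str) -> str:
    """Collapse the padding: 'lsass .exe' -> 'lsass.exe' (the name being imitated)."""
    return re.sub(r"\s+(?=\.[A-Za-z0-9]+$)", "", filename)


def classify(entry: Entry) -> List[str]:
    """Reasons an entry looks like a masquerading file; an empty list means clean."""
    parent, _, name = entry.path.rpartition("\\")
    reasons = []
    if SPACE_BEFORE_EXT.search(name):
        reasons.append("whitespace before extension")
    real = intended_name(name).lower()
    if real in SYSTEM32_ONLY and not parent.lower().endswith("\\system32"):
        reasons.append(f"{real} outside system32")
    return reasons


def find_suspicious(text: str) -> List[Tuple[str, List[str]]]:
    """Parse a RenV log and return (path, reasons) for every flagged entry."""
    flagged = []
    for entry in parse_renv_log(text):
        reasons = classify(entry)
        if reasons:
            flagged.append((entry.path, reasons))
    return flagged


if __name__ == "__main__":
    for path, why in find_suspicious(SAMPLE_LOG):
        print(f"{path}: {', '.join(why)}")
```

    Run against the constructed sample it flags the three padded names and leaves `qttask.exe` alone; the `lsass .exe` entry gets both reasons, since the imitated name is also sitting in `C:\WINNT` rather than `system32`. The same parser can be pointed at a real RenV `log.txt` by reading the file into `find_suspicious`.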
  10. 2008/01/01
    noahdfear
    Much better! Now, drag the log.txt created by RenV onto RenV.exe and drop it. RenV will run and produce a new log. Post the log please.
     
  11. 2008/01/01
    jason0902 (Thread Starter)

    Done! Here is the log:

    Code:
    Ran on Tue 01/01/2008 - 13:05:00.09
    
     Entries:                0  (0)
     Directories:            0  Files:             0
     Bytes:                  0  Blocks:            0
    
    :)
     
  12. 2008/01/01
    noahdfear
    Great!

    Now I'd like to take another look at things using another tool. Please download Deckard's System Scanner (dss.exe) and save it to your desktop.
    • Close all applications and windows.
    • Double click on dss.exe to run it and follow the prompts.
    • When the scan is complete, two text files will open; main.txt, which will be maximized and extra.txt, which will be minimized.
    Post the contents of both logs. You may need to put them in separate posts due to character count limitations per post.
     
  13. 2008/01/01
    jason0902 (Thread Starter)
    Done. Main.txt log is below:

    Deckard's System Scanner v20071014.68
    Run by Jason B Harleston on 2008-01-01 16:22:55
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    6: 2008-01-01 21:23:00 UTC - RP40 - Deckard's System Scanner Restore Point
    5: 2008-01-01 07:45:13 UTC - RP39 - Software Distribution Service 3.0
    4: 2008-01-01 06:41:14 UTC - RP38 - ComboFix created restore point
    3: 2008-01-01 03:38:42 UTC - RP37 - ComboFix created restore point
    2: 2007-12-31 20:44:03 UTC - RP36 - System Checkpoint


    -- First Restore Point --
    1: 2007-12-31 17:55:45 UTC - RP35 - ComboFix created restore point


    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis (run as Jason B Harleston.exe) -----------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:23:21 PM, on 1/1/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\ISS\Proventia Desktop\blackd.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\Program Files\ISS\Proventia Desktop\RapApp.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\Program Files\ISS\Proventia Desktop\vpatch.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\wuauclt.exe
    C:\WINNT\SOUNDMAN.EXE
    C:\WINNT\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\ISS\Proventia Desktop\blackice.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINNT\system32\wscntfy.exe
    C:\Documents and Settings\Jason B Harleston\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Jason B Harleston.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Proventia Desktop Agent.lnk = ?
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1196610191405
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1196610974905
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\blackd.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
    O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\RapApp.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe

    --
    End of file - 7236 bytes

    -- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

    backup-20071231-223507-143 O15 - Trusted Zone: *.gomyhit.com (HKLM)
    backup-20071231-223507-146 O15 - Trusted Zone: *.virusschlacht.com (HKLM)
    backup-20071231-223507-334 O15 - Trusted Zone: *.amaena.com
    backup-20071231-223507-374 O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
    backup-20071231-223507-500 O15 - Trusted Zone: *.gomyhit.com
    backup-20071231-223507-532 O15 - Trusted Zone: *.onerateld.com
    backup-20071231-223507-573 O15 - Trusted Zone: *.imageservr.com (HKLM)
    backup-20071231-223507-620 O15 - Trusted Zone: *.avsystemcare.com (HKLM)
    backup-20071231-223507-660 O15 - Trusted Zone: *.virusschlacht.com
    backup-20071231-223507-666 O15 - Trusted Zone: *.trustedantivirus.com
    backup-20071231-223507-709 O15 - Trusted Zone: *.imagesrvr.com
    backup-20071231-223507-720 O15 - Trusted Zone: *.avsystemcare.com
    backup-20071231-223507-733 O15 - Trusted Zone: *.onerateld.com (HKLM)
    backup-20071231-223507-798 O15 - Trusted Zone: *.safetydownload.com (HKLM)
    backup-20071231-223507-799 O15 - Trusted Zone: *.safetydownload.com
    backup-20071231-223507-815 O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    backup-20071231-223507-876 O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
    backup-20071231-223507-883 O15 - Trusted Zone: *.amaena.com (HKLM)
    backup-20071231-223507-895 O15 - Trusted Zone: *.imageservr.com
    backup-20071231-223507-998 O15 - Trusted Zone: *.storageguardsoft.com

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R3 MakoNT - c:\winnt\system32\drivers\makont.sys <Not Verified; Internet Security Systems, Inc.; ISS Proventia>
    R3 rap - c:\winnt\system32\drivers\rapdrv.sys <Not Verified; Internet Security Systems, Inc.; ISS Proventia>
    R4 black - c:\winnt\system32\drivers\blackcat.sys <Not Verified; Internet Security Systems, Inc.; ISS Proventia Host>

    S3 catchme - c:\docume~1\jasonb~1\locals~1\temp\catchme.sys (file missing)
    S4 Parallel (Parallel class driver) - c:\winnt\system32\drivers\parallel.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 BlackICE - "c:\program files\iss\proventia desktop\blackd.exe" <Not Verified; Internet Security Systems, Inc.; ISS Proventia>
    R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
    R2 RapApp - c:\program files\iss\proventia desktop\rapapp.exe <Not Verified; Internet Security Systems, Inc.; ISS Proventia>
    R2 VPatch (ISS Buffer Overflow Exploit Prevention) - c:\program files\iss\proventia desktop\vpatch.exe <Not Verified; Internet Security Systems, Inc.; ISS Proventia>


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Scheduled Tasks -------------------------------------------------------------

    2007-12-31 09:11:01 328 --a------ C:\WINNT\Tasks\WebReg officejet 7200 series.job


    -- Files created between 2007-12-01 and 2008-01-01 -----------------------------

    2008-01-01 13:04:59 26624 --a------ C:\WINNT\lsass.exe <Not Verified; MskSoftStudy Corp.; Anti-Virus Project (AVP) spyware removal module>
    2008-01-01 13:04:59 18432 --a------ C:\WINNT\avp.exe <Not Verified; MskVip Ltd.; Antivirus Project (AVP) spyware removal module>
    2007-12-31 01:34:42 0 d-------- C:\WINNT\system32\appmgmt
    2007-12-30 23:56:38 0 --a------ C:\WINNT\nsreg.dat
    2007-12-30 23:55:39 0 d-------- C:\Documents and Settings\Jason B Harleston\Application Data\Mozilla
    2007-12-30 13:19:34 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-12-30 11:54:47 0 d-------- C:\WINNT\system32\PreInstall
    2007-12-30 11:13:33 0 d-------- C:\WINNT\pss
    2007-12-29 21:26:48 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
    2007-12-29 21:26:32 0 dr------- C:\Documents and Settings\LocalService\Favorites
    2007-12-29 20:58:44 0 d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
    2007-12-29 20:57:23 0 d-------- C:\Program Files\Trend Micro
    2007-12-29 16:18:44 0 d-------- C:\Program Files\Symantec
    2007-12-29 16:18:07 0 d-------- C:\Program Files\Symantec AntiVirus
    2007-12-29 16:18:07 0 d-------- C:\Program Files\Common Files\Symantec Shared
    2007-12-29 16:16:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
    2007-12-29 16:05:42 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Macromedia
    2007-12-29 16:04:46 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Google
    2007-12-29 16:04:27 0 dr------- C:\Documents and Settings\NetworkService\Favorites
    2007-12-29 15:58:08 0 d-------- C:\Temp
    2007-12-23 02:49:32 0 d-------- C:\Program Files\GameSpy Arcade
    2007-12-21 23:01:14 2190 --a------ C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
    2007-12-20 22:13:49 0 d-------- C:\Documents and Settings\Jason B Harleston\Application Data\Google
    2007-12-20 22:13:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
    2007-12-20 22:12:47 0 d-------- C:\Program Files\Google
    2007-12-16 08:50:16 0 d-------- C:\Program Files\Common Files\HP
    2007-12-16 08:49:31 0 d-------- C:\Program Files\Hewlett-Packard
    2007-12-16 08:48:51 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
    2007-12-16 08:45:03 0 d-------- C:\Program Files\HP
    2007-12-16 08:43:08 19696 -----n--- C:\WINNT\hpomdl05.dat
    2007-12-16 08:43:08 69372 --a------ C:\WINNT\hpoins05.dat
    2007-12-03 01:26:06 0 d-------- C:\Documents and Settings\Jason B Harleston\Application Data\Adobe
    2007-12-02 13:19:46 0 d-------- C:\Program Files\IGZones
    2007-12-02 12:01:59 0 d-------- C:\Documents and Settings\Jason B Harleston\Application Data\WinRAR
    2007-12-02 11:56:48 0 d-------- C:\Program Files\Microsoft Games
    2007-12-02 11:50:27 0 d-------- C:\Documents and Settings\LocalService\Start Menu
    2007-12-02 11:47:51 0 d-------- C:\WINNT\Prefetch
    2007-12-02 11:21:25 0 d-------- C:\WINNT\peernet
    2007-12-02 11:21:24 0 d-------- C:\WINNT\provisioning
    2007-12-02 11:19:40 0 d-------- C:\WINNT\ServicePackFiles
    2007-12-02 11:15:38 0 d-------- C:\WINNT\system32\ReinstallBackups
    2007-12-02 11:13:06 0 d-------- C:\WINNT\EHome
    2007-12-02 11:01:31 171280 --a------ C:\WINNT\system32\jit.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
    2007-12-02 11:01:31 139536 --a------ C:\WINNT\system32\javaee.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
    2007-12-02 11:01:31 46352 --a------ C:\WINNT\setdebug.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
    2007-12-02 11:01:31 6550 --a------ C:\WINNT\jautoexp.dat
    2007-12-02 11:01:30 313856 --a------ C:\WINNT\system32\dx3j.dll <Not Verified; Microsoft Corporation; Microsoft® DirectX for Java>
    2007-12-02 11:01:28 113 --a------ C:\WINNT\system32\zonedon.reg
    2007-12-02 11:01:28 113 --a------ C:\WINNT\system32\zonedoff.reg
    2007-12-02 11:01:27 171792 --a------ C:\WINNT\system32\wjview.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
    2007-12-02 11:01:27 286992 --a------ C:\WINNT\system32\vmhelper.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
    2007-12-02 11:01:27 21264 --a------ C:\WINNT\system32\msjdbc10.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
    2007-12-02 11:01:26 947472 --a------ C:\WINNT\system32\msjava.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
    2007-12-02 11:01:26 154384 --a------ C:\WINNT\system32\msawt.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
    2007-12-02 11:01:25 172304 --a------ C:\WINNT\system32\jview.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
    2007-12-02 11:01:25 15120 --a------ C:\WINNT\system32\jdbgmgr.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
    2007-12-02 11:01:25 404752 --a------ C:\WINNT\system32\javart.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
    2007-12-02 11:01:25 63248 --a------ C:\WINNT\system32\javaprxy.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
    2007-12-02 11:01:25 187152 --a------ C:\WINNT\system32\javacypt.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
    2007-12-02 11:01:24 49424 --a------ C:\WINNT\system32\clspack.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
    2007-12-02 10:58:12 0 d--h---c- C:\WINNT\$xpsp1hfm$
    2007-12-02 10:57:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
    2007-12-02 10:55:07 0 d--h----- C:\WINNT\$hf_mig$
    2007-12-02 10:46:08 0 d-------- C:\WINNT\system32\bits
    2007-12-02 10:43:56 0 d-------- C:\WINNT\SoftwareDistribution
    2007-12-02 10:12:22 0 d-------- C:\Program Files\Canon
    2007-12-02 09:21:51 47697 --a------ C:\WINNT\system32\drivers\RapDrv.sys <Not Verified; Internet Security Systems, Inc.; ISS Proventia>
    2007-12-02 09:21:51 76849 --a------ C:\WINNT\system32\drivers\MakoNT.sys <Not Verified; Internet Security Systems, Inc.; ISS Proventia>
    2007-12-02 09:21:51 196978 --a------ C:\WINNT\system32\drivers\Blackcat.sys <Not Verified; Internet Security Systems, Inc.; ISS Proventia Host>
    2007-12-02 09:21:51 0 d-------- C:\Program Files\ISS
    2007-12-02 09:14:34 524288 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
    2007-12-02 09:14:34 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
    2007-12-02 09:14:34 0 d---s---- C:\Documents and Settings\LocalService\Cookies
    2007-12-02 09:14:34 0 d-------- C:\Documents and Settings\LocalService\Application Data
    2007-12-02 09:14:34 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
    2007-12-02 09:14:33 270336 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
    2007-12-02 09:14:33 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
    2007-12-02 09:14:33 0 d---s---- C:\Documents and Settings\NetworkService\Cookies
    2007-12-02 09:14:33 0 d-------- C:\Documents and Settings\NetworkService\Application Data
    2007-12-02 09:14:33 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
    2007-12-02 09:11:12 0 d-------- C:\WINNT\system32\xircom
    2007-12-02 09:09:13 0 d-------- C:\WINNT\srchasst
    2007-12-02 09:09:07 0 d-------- C:\WINNT\system32\DirectX
    2007-12-02 09:09:01 0 d-------- C:\Program Files\Movie Maker
    2007-12-02 09:08:45 0 d-------- C:\WINNT\system32\Restore
    2007-12-02 09:08:41 0 d-------- C:\WINNT\PCHEALTH
    2007-12-02 09:08:37 0 d-------- C:\Program Files\Common Files\MSSoap
    2007-12-02 09:05:28 0 d-------- C:\Program Files\Online Services
    2007-12-02 09:05:24 0 d-------- C:\WINNT\system32\FxsTmp
    2007-12-02 09:05:07 0 d-------- C:\Program Files\Messenger
    2007-12-02 09:04:59 0 d-------- C:\Program Files\MSN Gaming Zone
    2007-12-02 09:04:51 0 d-------- C:\WINNT\system32\MsDtc
    2007-12-02 08:57:53 0 d-------- C:\Program Files\Common Files\SpeechEngines
    2007-12-02 08:57:14 0 d-------- C:\WINNT\system32\CatRoot2
    2007-12-02 08:49:24 237728 --a------ C:\$LDR$
    2007-12-02 08:48:32 241725 --a------ C:\WINNT\system32\msuni11.dll <Not Verified; Microsoft Corporation; Microsoft (R) Jet>
    2007-12-02 08:48:31 368710 --a------ C:\WINNT\system32\msisam11.dll <Not Verified; Microsoft Corporation; Microsoft (R) Jet>
    2007-12-02 08:48:28 163840 --a------ C:\WINNT\system32\mindex.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows Media Player>
    2007-12-02 08:47:24 0 d-------- C:\$WIN_NT$.~BT
    2007-12-02 08:47:10 0 d-------- C:\WINNT\setup.pss
    2007-12-02 08:06:25 0 d---s---- C:\Documents and Settings\Jason B Harleston\UserData
    2007-12-02 07:51:03 0 d-------- C:\WINNT\RegisteredPackages
    2007-12-02 07:50:37 0 d--h----- C:\WINNT\msdownld.tmp
    2007-12-02 03:53:00 0 d-------- C:\WINNT\WinSxS
    2007-12-02 03:53:00 0 d-------- C:\WINNT\system32\usmt
    2007-12-02 03:53:00 0 d-------- C:\WINNT\system32\oobe
    2007-12-02 03:53:00 0 d-------- C:\WINNT\system32\IME
    2007-12-02 03:53:00 0 d-------- C:\WINNT\system32\icsxml
    2007-12-02 03:53:00 0 d-------- C:\WINNT\system32\3com_dmi
    2007-12-02 03:53:00 0 d-------- C:\WINNT\system32\3076
    2007-12-02 03:53:00 0 d-------- C:\WINNT\system32\2052
    2007-12-02 03:53:00 0 d-------- C:\WINNT\system32\1054
    2007-12-02 03:53:00 0 d-------- C:\WINNT\system32\1042
    2007-12-02 03:53:00 0 d-------- C:\WINNT\system32\1041
    2007-12-02 03:53:00 0 d-------- C:\WINNT\system32\1037
    2007-12-02 03:53:00 0 d-------- C:\WINNT\system32\1033
    2007-12-02 03:53:00 0 d-------- C:\WINNT\system32\1031
    2007-12-02 03:53:00 0 d-------- C:\WINNT\system32\1028
    2007-12-02 03:53:00 0 d-------- C:\WINNT\system32\1025
    2007-12-02 03:53:00 0 d-------- C:\WINNT\Resources
    2007-12-02 03:53:00 0 d-------- C:\WINNT\mui


    -- Find3M Report ---------------------------------------------------------------

    2008-01-01 13:04:58 0 d-------- C:\Program Files\QuickTime
    2008-01-01 13:04:56 0 d-------- C:\Program Files\iTunes
    2007-12-31 13:45:55 0 d-a------ C:\Program Files\Common Files
    2007-12-29 16:09:28 76 --a------ C:\Program Files\ini.ini
    2007-12-02 11:19:16 0 d-------- C:\Program Files\Windows NT
    2007-12-02 10:44:21 0 d-ah----- C:\Program Files\WindowsUpdate
    2007-12-02 10:15:58 0 d--h----- C:\Program Files\InstallShield Installation Information
    2007-12-02 09:08:01 22192 --a------ C:\WINNT\system32\emptyregdb.dat
    2007-12-01 15:24:23 920622 ---h----- C:\WINNT\ShellIconCache
    2007-11-29 00:08:52 0 d-------- C:\Documents and Settings\Jason B Harleston\Application Data\Macromedia
    2007-11-28 23:17:08 0 d-------- C:\Documents and Settings\Jason B Harleston\Application Data\Apple Computer
    2007-11-28 23:16:57 0 d-------- C:\Program Files\iPod
    2007-11-28 23:16:07 0 d-------- C:\Program Files\Apple Software Update
    2007-11-27 20:48:11 0 d-------- C:\Program Files\GetData
    2007-11-27 03:02:06 0 d-------- C:\Program Files\Common Files\Adobe
    2007-11-27 02:55:44 0 d-------- C:\Program Files\Common Files\InstallShield
    2007-11-27 02:26:08 0 d-------- C:\Program Files\Realtek AC97
    2007-11-27 01:06:13 0 d-------- C:\Documents and Settings\Jason B Harleston\Application Data\Identities
    2007-11-27 01:02:54 0 d-------- C:\Program Files\microsoft frontpage
    2007-11-27 01:02:09 0 -rahs---- C:\MSDOS.SYS
    2007-11-27 01:02:09 0 -rahs---- C:\IO.SYS
    2007-11-27 01:02:09 0 --ah----- C:\CONFIG.SYS
    2007-11-27 01:02:09 0 --ah----- C:\AUTOEXEC.BAT
    2007-11-27 01:01:29 21952 ---h----- C:\Program Files\folder.htt
    2007-11-27 01:01:29 271 ---hs---- C:\Program Files\desktop.ini
    2007-11-26 20:05:11 0 d-------- C:\Program Files\Accessories
    2007-11-26 19:48:11 0 d-a------ C:\Program Files\Common Files\ODBC


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"="mobsync.exe" [08/04/2004 12:56 AM C:\WINNT\system32\mobsync.exe]
    "NvCplDaemon"="C:\WINNT\System32\NvCpl.dll" [10/22/2006 12:22 PM]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12/29/2007 04:35 PM]
    "SoundMan"="SOUNDMAN.EXE" [11/17/2006 05:42 AM C:\WINNT\soundman.exe]
    "NvMediaCenter"="C:\WINNT\System32\NvMcTray.dll" [10/22/2006 12:22 PM]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [12/29/2007 04:35 PM]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [12/30/2007 03:52 PM]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [12/30/2007 03:51 PM]
    "pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [12/30/2007 04:03 PM]
    "MSConfig"="C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe" [08/04/2004 12:56 AM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [12/29/2007 04:35 PM]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [12/29/2007 04:35 PM]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
    "tscuninstall"=%systemroot%\system32\tscupgrd.exe

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [11/4/2004 7:28:24 PM]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]
    C:\WINNT\system32\spoolvs.exe




    -- End of Deckard's System Scanner: finished at 2008-01-01 16:27:08 ------------
     
  14. 2008/01/01
    jason0902

    jason0902 Inactive Thread Starter

    Joined:
    2007/12/31
    Messages:
    14
    Likes Received:
    0
    Here is the extra.txt log

    Deckard's System Scanner v20071014.68
    Extra logfile - please post this as an attachment with your post.
    --------------------------------------------------------------------------------

    -- System Information ----------------------------------------------------------

    Microsoft Windows XP Professional (build 2600) SP 2.0
    Architecture: X86; Language: English

    CPU 0: AMD Athlon(tm) 64 Processor 3400+
    Percentage of Memory in Use: 61%
    Physical Memory (total/avail): 1022.42 MiB / 395.86 MiB
    Pagefile Memory (total/avail): 2459.57 MiB / 2013.45 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1944.4 MiB

    A: is Removable (No Media)
    C: is Fixed (NTFS) - 42.94 GiB total, 21.86 GiB free.
    D: is Fixed (FAT32) - 115.01 GiB total, 81.53 GiB free.
    E: is CDROM (CDFS)
    F: is Removable (FAT)

    \\.\PHYSICALDRIVE0 - IBM-DTLA-307045 - 42.94 GiB - 1 partition
    \PARTITION0 (bootable) - Installable File System - 42.94 GiB - C:

    \\.\PHYSICALDRIVE1 - IC35L120AVV207-0 - 115.04 GiB - 1 partition
    \PARTITION0 - Unknown - 115.04 GiB - D:

    \\.\PHYSICALDRIVE2 - Kingston DataTraveler2.0 USB Device - 494.19 MiB - 1 partition
    \PARTITION0 (bootable) - Win95 w/Extended Int 13 - 497.74 MiB - F:



    -- Security Center -------------------------------------------------------------

    AUOptions is set to notify before download.
    Windows Internal Firewall is disabled.

    FW: Proventia Desktop v8.0 (Internet Security Systems, Inc.)
    FW: Trend Micro PC-cillin Internet Security (Firewall) v15 (Trend Micro, Inc.) Disabled
    AV: Trend Micro PC-cillin Internet Security 2007 v15.30.1151 (Trend Micro, Inc.) Disabled
    AV: Symantec AntiVirus Corporate Edition v10.0.2.2000 (Symantec Corporation) Disabled

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    -- Environment Variables -------------------------------------------------------

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Jason B Harleston\Application Data
    CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=WINDOWS-9273-PC
    ComSpec=C:\WINNT\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Jason B Harleston
    LOGONSERVER=\\WINDOWS-9273-PC
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\system32\wbem;C:\Program Files\QuickTime\QTSystem
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 47 Stepping 2, AuthenticAMD
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=2f02
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINNT
    TEMP=C:\DOCUME~1\JASONB~1\LOCALS~1\Temp
    TMP=C:\DOCUME~1\JASONB~1\LOCALS~1\Temp
    USERDOMAIN=WINDOWS-9273-PC
    USERNAME=Jason B Harleston
    USERPROFILE=C:\Documents and Settings\Jason B Harleston
    windir=C:\WINNT


    -- User Profiles ---------------------------------------------------------------

    Jason B Harleston (admin)
    Administrator (admin)


    -- Add/Remove Programs ---------------------------------------------------------

    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINNT\INF\PCHealth.inf
    Adobe Acrobat 5.0 --> C:\WINNT\ISUNINST.EXE -f "C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c "C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
    Adobe Flash Player 9 ActiveX --> C:\WINNT\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
    Age of Empires II - The Conquerors - 1.0e Patch --> "C:\Program Files\Microsoft Games\Age of Empires II\age2_x1\unins000.exe"
    Apple Software Update --> MsiExec.exe /I{492724FC-3B26-46B4-824F-3CE2722D9AA0}
    Canon Camera Access Library --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{901F8ED7-13E8-43EF-B738-2FE89B0588EB} /l1033
    Canon Camera Support Core Library --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{A1D0D14A-B776-4907-BC00-5149F2298086} /l1033
    Canon Camera Window DC_DV 5 for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{A2EB8F2E-6D9B-4F8B-96EB-F976D33F416F}
    Canon Camera Window DC_DV 6 for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{50E25180-3BDC-4B6D-80A2-3F1F0C9CF39D}
    Canon Camera Window DSLR 5 for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{0A146245-DB79-4197-BF5D-FE1A699A2CC7}
    Canon Camera Window MC 6 for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{6C3A75A6-9A90-44A3-A703-82AC1EA6A85D}
    Canon MovieEdit Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4DBBF091-FACD-422C-B43C-786335BD5398}
    Canon PhotoRecord --> MsiExec.exe /X{BBBC2B89-E193-4348-A83C-C8DD8210A4AC}
    Canon RAW Image Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BAA43DA2-B6C5-46EC-B163-0E8EEAF975A4}
    Canon Utilities PhotoStitch 3.1 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{874E44F3-B9A7-4AA1-B4BA-83E5684ED9C6}
    Canon ZoomBrowser EX (E) --> MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
    Google Toolbar for Internet Explorer --> MsiExec.exe /X{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
    Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
    HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
    HP Image Zone 4.7 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
    HP Image Zone Express --> MsiExec.exe /X{85BCA736-A0F4-448E-9BC1-6EA08693E10B}
    HP PSC & OfficeJet 4.7 --> "C:\Program Files\HP\Digital Imaging\{342C7C88-D335-4bc2-8CF1-281857629CE2}\setup\hpzscr01.exe" -datfile hposcr05.dat
    HP Software Update --> MsiExec.exe /X{64FC0C98-B035-4530-B15D-3D30610B6DF1}
    IGZ Lobby System --> "C:\Program Files\IGZones\unins000.exe"
    iTunes --> MsiExec.exe /I{ABCE1C63-56ED-41FF-BEAF-57321F70DC49}
    LiveUpdate 2.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
    Microsoft Age of Empires Gold --> "C:\Program Files\Microsoft Games\Age of Empires\UNINSTAL.EXE" /runtemp
    Microsoft Age of Empires II --> "C:\Program Files\Microsoft Games\Age of Empires II\UNINSTAL.EXE" /runtemp /uninstall
    Microsoft Age of Empires II: The Conquerors Expansion --> "C:\Program Files\Microsoft Games\Age of Empires II\UNINSTALX.EXE" /runtemp /addremove
    Mozilla Firefox (2.0.0.11) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
    NVIDIA Drivers --> C:\WINNT\System32\nvudisp.exe UninstallGUI
    QuickTime --> MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328}
    Realtek AC'97 Audio --> Alcrmv.exe -r -m
    Recover My Files --> "C:\Program Files\GetData\Recover My Files\unins000.exe"
    Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
    Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
    Symantec AntiVirus --> MsiExec.exe /I{46B63F23-2B4A-4525-A827-688026BE5E40}
    Trend Micro PC-cillin Internet Security 2007 --> C:\PROGRA~1\TRENDM~1\INTERN~1\remove.exe
    Trend Micro PC-cillin Internet Security 2007 --> MsiExec.exe /X{BB4B6355-D38A-492C-873B-A1B2CF6C3832}
    WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


    -- Application Event Log -------------------------------------------------------

    Event Record #/Type1532 / Error
    Event Submitted/Written: 12/30/2007 10:34:42 PM
    Event ID/Source: 51 / Symantec AntiVirus
    Event Description:
    Security Risk Found!Threat: Trojan.Vundo in File: C:\WINNT\system32\mllml.dll by: Auto-Protect scan. Action: Reboot Required. Action Description: The file was quarantined successfully.

    Event Record #/Type1531 / Error
    Event Submitted/Written: 12/30/2007 10:34:36 PM
    Event ID/Source: 5 / Symantec AntiVirus
    Event Description:
    Threat Found!Threat: Trojan.Vundo in File: c:\WINNT\system32\mllml.dll by: Auto-Protect scan. Action: Reboot Required. Action Description: The file was quarantined successfully.

    Event Record #/Type1530 / Error
    Event Submitted/Written: 12/30/2007 10:34:35 PM
    Event ID/Source: 46 / Symantec AntiVirus
    Event Description:
    Security Risk Found!Threat: Trojan.Vundo in File: C:\WINNT\system32\mllml.dll by: Auto-Protect scan. Action: Clean failed : Quarantine failed. Action Description: The file was left unchanged.

    Event Record #/Type1529 / Error
    Event Submitted/Written: 12/30/2007 10:33:12 PM
    Event ID/Source: 51 / Symantec AntiVirus
    Event Description:
    Security Risk Found!Threat: Trojan.Vundo in File: C:\WINNT\system32\mllml.dll by: Auto-Protect scan. Action: Reboot Required. Action Description: The file was quarantined successfully.

    Event Record #/Type1528 / Error
    Event Submitted/Written: 12/30/2007 10:33:05 PM
    Event ID/Source: 5 / Symantec AntiVirus
    Event Description:
    Threat Found!Threat: Trojan.Vundo in File: c:\WINNT\system32\mllml.dll by: Auto-Protect scan. Action: Reboot Required. Action Description: The file was quarantined successfully.



    -- Security Event Log ----------------------------------------------------------

    No Errors/Warnings found.


    -- System Event Log ------------------------------------------------------------

    Event Record #/Type2625 / Error
    Event Submitted/Written: 01/01/2008 09:05:48 AM
    Event ID/Source: 7023 / Service Control Manager
    Event Description:
    The Background Intelligent Transfer Service service terminated with the following error:
    %%126

    Event Record #/Type2581 / Error
    Event Submitted/Written: 12/31/2007 10:48:42 PM
    Event ID/Source: 7023 / Service Control Manager
    Event Description:
    The Background Intelligent Transfer Service service terminated with the following error:
    %%126

    Event Record #/Type2528 / Error
    Event Submitted/Written: 12/31/2007 03:46:15 PM
    Event ID/Source: 10010 / DCOM
    Event Description:
    The server {4991D34B-80A1-4291-83B6-3328366B9097} did not register with DCOM within the required timeout.

    Event Record #/Type2527 / Error
    Event Submitted/Written: 12/31/2007 03:45:45 PM
    Event ID/Source: 7023 / Service Control Manager
    Event Description:
    The Background Intelligent Transfer Service service terminated with the following error:
    %%126

    Event Record #/Type2524 / Error
    Event Submitted/Written: 12/31/2007 03:45:45 PM
    Event ID/Source: 10010 / DCOM
    Event Description:
    The server {4991D34B-80A1-4291-83B6-3328366B9097} did not register with DCOM within the required timeout.



    -- End of Deckard's System Scanner: finished at 2008-01-01 16:27:08 ------------
     
  15. 2008/01/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\WINNT\lsass.exe
    C:\WINNT\avp.exe
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSConfig"=-
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


    I see you have Symantec antivirus running, and Trend security suite too. Is the Trend antivirus installed and enabled, or are you using just the Firewall portion of it?
     
  16. 2008/01/01
    jason0902

    jason0902 Inactive Thread Starter

    Joined:
    2007/12/31
    Messages:
    14
    Likes Received:
    0
    Both are currently enabled, although I believe that it is not best practice to run two antivirus programs...

    Here is the combo fix log:

    ComboFix 07-12-31.4 - Jason B Harleston 2008-01-01 20:05:44.4 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.408 [GMT -5:00]
    Running from: C:\Documents and Settings\Jason B Harleston\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Jason B Harleston\Desktop\CFScript.txt
    * Created a new restore point

    FILE
    C:\WINNT\avp.exe
    C:\WINNT\lsass.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\folder.js\
    C:\Program Files\ini.ini\
    C:\WINNT\avp.exe
    C:\WINNT\lsass.exe

    .
    ((((((((((((((((((((((((( Files Created from 2007-12-02 to 2008-01-02 )))))))))))))))))))))))))))))))
    .

    2008-01-01 16:22 . 2008-01-01 16:22 <DIR> d-------- C:\Deckard
    2007-12-31 12:36 . 2000-08-31 08:00 51,200 --a------ C:\WINNT\NirCmd.exe
    2007-12-31 00:29 . 2006-12-19 13:16 333,824 -----c--- C:\WINNT\system32\dllcache\wiaservc.dll
    2007-12-31 00:24 . 2007-07-06 07:46 660,992 -----c--- C:\WINNT\system32\dllcache\mqqm.dll
    2007-12-31 00:24 . 2007-07-06 07:46 471,552 -----c--- C:\WINNT\system32\dllcache\mqutil.dll
    2007-12-31 00:24 . 2007-07-06 07:46 177,152 -----c--- C:\WINNT\system32\dllcache\mqrt.dll
    2007-12-31 00:24 . 2007-07-06 07:46 138,240 -----c--- C:\WINNT\system32\dllcache\mqad.dll
    2007-12-31 00:24 . 2007-07-06 07:46 95,744 -----c--- C:\WINNT\system32\dllcache\mqsec.dll
    2007-12-31 00:24 . 2007-07-06 05:05 72,960 -----c--- C:\WINNT\system32\dllcache\mqac.sys
    2007-12-31 00:24 . 2007-07-06 07:46 48,640 -----c--- C:\WINNT\system32\dllcache\mqupgrd.dll
    2007-12-31 00:24 . 2007-07-06 07:46 47,104 -----c--- C:\WINNT\system32\dllcache\mqdscli.dll
    2007-12-31 00:24 . 2007-07-06 07:46 16,896 -----c--- C:\WINNT\system32\dllcache\mqise.dll
    2007-12-31 00:21 . 2007-02-28 04:10 2,180,352 -----c--- C:\WINNT\system32\dllcache\ntoskrnl.exe
    2007-12-31 00:21 . 2007-02-28 04:08 2,136,064 -----c--- C:\WINNT\system32\dllcache\ntkrnlmp.exe
    2007-12-31 00:21 . 2007-02-28 03:38 2,057,600 -----c--- C:\WINNT\system32\dllcache\ntkrnlpa.exe
    2007-12-31 00:21 . 2007-02-28 03:38 2,015,744 -----c--- C:\WINNT\system32\dllcache\ntkrpamp.exe
    2007-12-31 00:09 . 2006-08-16 04:37 225,664 -----c--- C:\WINNT\system32\dllcache\tcpip6.sys
    2007-12-31 00:09 . 2006-08-16 06:58 100,352 -----c--- C:\WINNT\system32\dllcache\6to4svc.dll
    2007-12-30 23:56 . 2007-12-30 23:56 0 --a------ C:\WINNT\nsreg.dat
    2007-12-30 13:19 . 2007-12-30 13:19 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-12-30 11:52 . 2006-08-21 04:14 128,896 -----c--- C:\WINNT\system32\dllcache\fltmgr.sys
    2007-12-30 11:52 . 2006-08-21 04:14 23,040 -----c--- C:\WINNT\system32\dllcache\fltmc.exe
    2007-12-30 11:52 . 2006-08-21 07:21 16,896 -----c--- C:\WINNT\system32\dllcache\fltlib.dll
    2007-12-30 11:11 . 2007-11-14 02:26 450,560 -----c--- C:\WINNT\system32\dllcache\jscript.dll
    2007-12-30 10:55 . 2006-06-22 05:47 181,248 -----c--- C:\WINNT\system32\dllcache\rasmans.dll
    2007-12-30 10:53 . 2006-12-14 08:45 981,760 -----c--- C:\WINNT\system32\dllcache\mfc42u.dll
    2007-12-30 10:51 . 2007-05-17 06:28 549,376 -----c--- C:\WINNT\system32\dllcache\oleaut32.dll
    2007-12-30 10:50 . 2007-02-05 15:17 185,344 -----c--- C:\WINNT\system32\dllcache\upnphost.dll
    2007-12-30 10:49 . 2006-04-20 06:51 359,808 -----c--- C:\WINNT\system32\dllcache\tcpip.sys
    2007-12-30 10:44 . 2007-03-08 08:47 1,843,584 -----c--- C:\WINNT\system32\dllcache\win32k.sys
    2007-12-30 10:44 . 2007-03-08 10:36 577,536 -----c--- C:\WINNT\system32\dllcache\user32.dll
    2007-12-30 10:44 . 2007-03-08 10:36 281,600 -----c--- C:\WINNT\system32\dllcache\gdi32.dll
    2007-12-30 10:44 . 2007-03-08 10:36 40,960 -----c--- C:\WINNT\system32\dllcache\mf3216.dll
    2007-12-30 10:42 . 2006-11-27 09:54 539,136 -----c--- C:\WINNT\system32\dllcache\msftedit.dll
    2007-12-30 10:42 . 2006-11-27 09:54 433,152 -----c--- C:\WINNT\system32\dllcache\riched20.dll
    2007-12-30 10:41 . 2007-10-29 17:43 1,287,680 -----c--- C:\WINNT\system32\dllcache\quartz.dll
    2007-12-30 10:39 . 2006-10-12 06:09 256,512 -----c--- C:\WINNT\system32\dllcache\agentsvr.exe
    2007-12-30 10:39 . 2006-10-12 09:02 57,344 -----c--- C:\WINNT\system32\dllcache\agentdpv.dll
    2007-12-30 10:39 . 2006-10-12 09:02 42,496 -----c--- C:\WINNT\system32\dllcache\agentdp2.dll
    2007-12-30 10:37 . 2007-07-09 08:09 584,192 -----c--- C:\WINNT\system32\dllcache\rpcrt4.dll
    2007-12-30 10:37 . 2007-02-09 06:10 574,464 -----c--- C:\WINNT\system32\dllcache\ntfs.sys
    2007-12-30 10:37 . 2006-03-16 19:38 28,672 --a------ C:\WINNT\system32\verclsid.exe
    2007-12-30 10:36 . 2007-04-16 10:52 984,576 -----c--- C:\WINNT\system32\dllcache\kernel32.dll
    2007-12-30 10:35 . 2006-05-05 04:41 453,120 -----c--- C:\WINNT\system32\dllcache\mrxsmb.sys
    2007-12-30 10:35 . 2006-05-05 04:47 174,592 -----c--- C:\WINNT\system32\dllcache\rdbss.sys
    2007-12-29 20:59 . 2007-09-17 14:31 1,126,072 --a------ C:\WINNT\system32\drivers\vsapint.sys
    2007-12-29 20:59 . 2006-12-29 01:53 288,848 --a------ C:\WINNT\system32\drivers\TM_CFW.sys
    2007-12-29 20:59 . 2007-09-17 14:40 202,768 --a------ C:\WINNT\system32\drivers\tmxpflt.sys
    2007-12-29 20:59 . 2006-12-29 01:53 111,888 --a------ C:\WINNT\system32\drivers\tm_mbd_c.sys
    2007-12-29 20:59 . 2006-12-29 01:53 75,088 --a------ C:\WINNT\system32\drivers\tmtdi.sys
    2007-12-29 20:59 . 2007-09-17 14:40 35,856 --a------ C:\WINNT\system32\drivers\tmpreflt.sys
    2007-12-29 20:58 . 2007-12-29 21:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
    2007-12-29 20:57 . 2007-12-31 10:58 <DIR> d-------- C:\Program Files\Trend Micro
    2007-12-29 20:52 . 2007-12-29 20:52 0 --a------ C:\WINNT\vpc32.INI
    2007-12-29 16:20 . 2005-09-17 00:20 108,168 --a------ C:\WINNT\system32\drivers\SYMEVENT.SYS
    2007-12-29 16:20 . 2005-09-17 00:20 87,768 --a------ C:\WINNT\system32\S32EVNT1.DLL
    2007-12-29 16:18 . 2008-01-01 09:10 <DIR> d-------- C:\Program Files\Symantec AntiVirus
    2007-12-29 16:18 . 2007-12-29 16:21 <DIR> d-------- C:\Program Files\Symantec
    2007-12-29 16:18 . 2007-12-30 15:50 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
    2007-12-29 16:16 . 2007-12-29 16:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
    2007-12-29 16:12 . 2005-09-23 07:29 626,688 --a------ C:\WINNT\system32\msvcr80.dll
    2007-12-29 15:58 . 2008-01-01 01:49 <DIR> d-------- C:\Temp
    2007-12-23 02:49 . 2007-12-23 03:02 <DIR> d-------- C:\Program Files\GameSpy Arcade
    2007-12-20 22:12 . 2007-12-20 22:13 <DIR> d-------- C:\Program Files\Google
    2007-12-16 08:50 . 2007-12-16 08:50 <DIR> d-------- C:\Program Files\Common Files\HP
    2007-12-16 08:49 . 2007-12-16 08:49 <DIR> d-------- C:\Program Files\Hewlett-Packard
    2007-12-16 08:48 . 2007-12-16 08:48 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
    2007-12-16 08:48 . 2004-10-04 18:26 51,120 -ra------ C:\WINNT\system32\drivers\HPZid412.sys
    2007-12-16 08:48 . 2004-10-04 18:26 16,496 -ra------ C:\WINNT\system32\drivers\HPZipr12.sys
    2007-12-16 08:47 . 2004-08-03 23:08 31,616 --a------ C:\WINNT\system32\drivers\usbccgp.sys
    2007-12-16 08:47 . 2004-08-03 23:08 31,616 --a--c--- C:\WINNT\system32\dllcache\usbccgp.sys
    2007-12-16 08:47 . 2004-08-03 23:01 25,856 --a------ C:\WINNT\system32\drivers\usbprint.sys
    2007-12-16 08:47 . 2004-08-03 23:01 25,856 --a--c--- C:\WINNT\system32\dllcache\usbprint.sys
    2007-12-16 08:47 . 2004-10-04 18:26 21,744 -ra------ C:\WINNT\system32\drivers\HPZius12.sys
    2007-12-16 08:45 . 2007-12-16 08:50 <DIR> d-------- C:\Program Files\HP
    2007-12-16 08:43 . 2007-12-16 08:51 69,372 --a------ C:\WINNT\hpoins05.dat
    2007-12-16 08:43 . 2004-12-14 10:39 19,696 --------- C:\WINNT\hpomdl05.dat
    2007-12-09 07:26 . 2007-07-30 19:19 271,224 --a------ C:\WINNT\system32\mucltui.dll
    2007-12-09 07:26 . 2007-07-30 19:19 30,072 --a------ C:\WINNT\system32\mucltui.dll.mui
    2007-12-02 13:19 . 2007-12-29 02:58 <DIR> d-------- C:\Program Files\IGZones
    2007-12-02 11:56 . 2007-12-02 11:58 <DIR> d-------- C:\Program Files\Microsoft Games
    2007-12-02 11:22 . 2007-12-02 11:51 316,640 --a------ C:\WINNT\WMSysPr9.prx
    2007-12-02 11:19 . 2007-12-02 11:19 <DIR> d-------- C:\WINNT\ServicePackFiles
    2007-12-02 11:17 . 2004-08-04 00:56 2,897,920 --a------ C:\WINNT\system32\xpsp2res.dll
    2007-12-02 11:15 . 2004-07-17 11:40 19,528 --a------ C:\WINNT\002397_.tmp
    2007-12-02 11:13 . 2007-12-02 11:13 <DIR> d-------- C:\WINNT\EHome
    2007-12-02 11:03 . 2004-08-04 00:56 614,912 --a------ C:\WINNT\system32\h323msp.dll
    2007-12-02 11:03 . 2004-08-04 00:56 331,264 --a------ C:\WINNT\system32\ipnathlp.dll
    2007-12-02 11:03 . 2004-08-04 00:56 265,728 --a------ C:\WINNT\system32\h323.tsp
    2007-12-02 11:03 . 2004-08-04 00:56 77,312 --a------ C:\WINNT\system32\browser.dll
    2007-12-02 11:03 . 2007-03-08 10:36 40,960 --a------ C:\WINNT\system32\mf3216.dll
    2007-12-02 11:00 . 2004-08-04 00:56 239,104 --a------ C:\WINNT\system32\srrstr.dll
    2007-12-02 10:58 . 2007-12-02 11:02 <DIR> d--h-c--- C:\WINNT\$xpsp1hfm$
    2007-12-02 10:55 . 2008-01-01 02:46 <DIR> d--h----- C:\WINNT\$hf_mig$
    2007-12-02 10:46 . 2007-12-02 10:46 <DIR> d-------- C:\WINNT\system32\bits
    2007-12-02 10:45 . 2004-08-04 00:56 438,784 --a------ C:\WINNT\system32\xpob2res.dll
    2007-12-02 10:45 . 2004-08-04 00:56 351,232 --a------ C:\WINNT\system32\winhttp.dll
    2007-12-02 10:45 . 2004-08-04 00:56 18,944 --a------ C:\WINNT\system32\qmgrprxy.dll
    2007-12-02 10:45 . 2004-08-04 00:56 8,192 --a------ C:\WINNT\system32\bitsprx2.dll
    2007-12-02 10:45 . 2004-08-04 00:56 7,168 --a------ C:\WINNT\system32\bitsprx3.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-01 18:04 --------- d-----w C:\Program Files\QuickTime
    2008-01-01 18:04 --------- d-----w C:\Program Files\iTunes
    2007-12-29 21:09 76 ----a-w C:\Program Files\ini.ini
    2007-12-02 16:01 155,995 ----a-w C:\WINNT\java\Packages\YM4D7NDB.ZIP
    2007-12-02 15:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-12-01 19:18 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2007-11-29 04:17 --------- d-----w C:\Documents and Settings\Jason B Harleston\Application Data\Apple Computer
    2007-11-29 04:16 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Apple Computer
    2007-11-29 04:16 --------- d-----w C:\Program Files\iPod
    2007-11-29 04:16 --------- d-----w C:\Program Files\Apple Software Update
    2007-11-29 04:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
    2007-11-28 01:48 --------- d-----w C:\Program Files\GetData
    2007-11-27 09:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
    2007-11-27 08:02 --------- d-----w C:\Program Files\Common Files\Adobe
    2007-11-27 08:02 --------- d-----w C:\Documents and Settings\Administrator\Application Data\InterTrust
    2007-11-27 07:55 --------- d-----w C:\Program Files\Common Files\InstallShield
    2007-11-27 07:26 --------- d-----w C:\Program Files\Realtek AC97
    2007-11-27 06:02 --------- d-----w C:\Program Files\microsoft frontpage
    2007-11-27 06:01 558,142 ----a-w C:\WINNT\java\Packages\B5VPFRDR.ZIP
    2007-11-27 06:01 271 --sh--w C:\Program Files\desktop.ini
    2007-11-27 06:01 21,952 ---h--w C:\Program Files\folder.htt
    2007-11-27 01:05 --------- d-----w C:\Program Files\Accessories
    2007-11-25 14:17 --------- d-----w C:\Documents and Settings\Jason B. Harleston\Application Data\My Games
    2007-10-29 22:43 1,287,680 ----a-w C:\WINNT\system32\quartz.dll
    2007-10-27 22:39 230,912 ----a-w C:\WINNT\system32\wmasf.dll
    2007-07-28 09:06 135 ----a-w C:\Program Files\page.html
    2007-06-14 09:22 2,231 ----a-w C:\Program Files\folder.js
    2006-12-03 01:05 2,522 ----a-w C:\Program Files\func.js
    2006-11-25 07:57 482 ----a-w C:\Program Files\Del.js
    .

    ((((((((((((((((((((((((((((( snapshot@2007-12-31_14.55.13.54 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2004-10-14 16:34:52 7,168 ----a-w C:\WINNT\$hf_mig$\KB885836\spmsg.dll
    + 2004-10-14 16:36:18 169,984 ----a-w C:\WINNT\$hf_mig$\KB885836\spuninst.exe
    + 2004-10-14 16:36:16 21,504 ----a-w C:\WINNT\$hf_mig$\KB885836\update\spcustom.dll
    + 2004-10-14 16:34:54 654,848 ----a-w C:\WINNT\$hf_mig$\KB885836\update\update.exe
    + 2005-06-15 17:42:35 297,984 ----a-w C:\WINNT\$hf_mig$\KB899587\SP2QFE\kerberos.dll
    + 2005-02-25 01:35:06 14,048 ----a-w C:\WINNT\$hf_mig$\KB899587\spmsg.dll
    + 2005-02-25 01:35:06 209,632 ----a-w C:\WINNT\$hf_mig$\KB899587\spuninst.exe
    + 2005-06-29 21:54:32 30,720 ----a-w C:\WINNT\$hf_mig$\KB899587\update\arpidfix.exe
    + 2005-02-25 01:35:06 22,240 ----a-w C:\WINNT\$hf_mig$\KB899587\update\spcustom.dll
    + 2005-02-25 01:35:06 718,048 ----a-w C:\WINNT\$hf_mig$\KB899587\update\update.exe
    + 2005-02-25 01:35:08 371,936 ----a-w C:\WINNT\$hf_mig$\KB899587\update\updspapi.dll
    - 2005-03-02 00:57:44 2,135,552 ------w C:\WINNT\Driver Cache\i386\ntkrnlmp.exe
    + 2007-02-28 09:08:48 2,136,064 ------w C:\WINNT\Driver Cache\i386\ntkrnlmp.exe
    - 2005-03-02 00:34:40 2,056,832 ------w C:\WINNT\Driver Cache\i386\ntkrnlpa.exe
    + 2007-02-28 08:38:55 2,057,600 ------w C:\WINNT\Driver Cache\i386\ntkrnlpa.exe
    - 2005-03-02 00:34:42 2,015,232 ------w C:\WINNT\Driver Cache\i386\ntkrpamp.exe
    + 2007-02-28 08:38:57 2,015,744 ------w C:\WINNT\Driver Cache\i386\ntkrpamp.exe
    - 2005-03-02 00:59:53 2,179,328 ------w C:\WINNT\Driver Cache\i386\ntoskrnl.exe
    + 2007-02-28 09:10:57 2,180,352 ------w C:\WINNT\Driver Cache\i386\ntoskrnl.exe
    + 2000-08-31 13:00:00 163,328 ----a-w C:\WINNT\erdnt\subs\ERDNT.EXE
    + 2007-12-31 20:46:18 22,444 ----a-w C:\WINNT\SoftwareDistribution\EventCache\{A0F8FF34-FAAB-4770-8AF4-292DFE6E6A45}.bin
    + 2007-12-31 20:46:19 6,736 ----a-w C:\WINNT\SoftwareDistribution\EventCache\{A6FC25FE-1407-4588-AD32-047AB4E446CD}.bin
    - 2004-08-04 05:56:42 100,352 ----a-w C:\WINNT\system32\6to4svc.dll
    + 2006-08-16 11:58:05 100,352 ----a-w C:\WINNT\system32\6to4svc.dll
    - 2004-08-04 03:58:22 72,960 ----a-w C:\WINNT\system32\drivers\mqac.sys
    + 2007-07-06 10:05:47 72,960 ----a-w C:\WINNT\system32\drivers\mqac.sys
    - 2004-08-04 04:07:46 223,616 ----a-w C:\WINNT\system32\drivers\tcpip6.sys
    + 2006-08-16 09:37:30 225,664 ----a-w C:\WINNT\system32\drivers\tcpip6.sys
    - 2004-08-04 05:56:44 294,400 ----a-w C:\WINNT\system32\kerberos.dll
    + 2005-06-15 17:49:30 295,936 ----a-w C:\WINNT\system32\kerberos.dll
    - 2004-08-04 05:56:44 138,240 ----a-w C:\WINNT\system32\mqad.dll
    + 2007-07-06 12:46:59 138,240 ----a-w C:\WINNT\system32\mqad.dll
    - 2004-08-04 05:56:44 47,104 ----a-w C:\WINNT\system32\mqdscli.dll
    + 2007-07-06 12:46:59 47,104 ----a-w C:\WINNT\system32\mqdscli.dll
    - 2004-08-04 05:56:44 16,896 ----a-w C:\WINNT\system32\mqise.dll
    + 2007-07-06 12:46:59 16,896 ----a-w C:\WINNT\system32\mqise.dll
    - 2004-08-04 05:56:44 660,992 ----a-w C:\WINNT\system32\mqqm.dll
    + 2007-07-06 12:46:59 660,992 ----a-w C:\WINNT\system32\mqqm.dll
    - 2004-08-04 05:56:44 177,152 ----a-w C:\WINNT\system32\mqrt.dll
    + 2007-07-06 12:46:59 177,152 ----a-w C:\WINNT\system32\mqrt.dll
    - 2004-08-04 05:56:44 95,744 ----a-w C:\WINNT\system32\mqsec.dll
    + 2007-07-06 12:46:59 95,744 ----a-w C:\WINNT\system32\mqsec.dll
    - 2004-08-04 05:56:44 48,640 ----a-w C:\WINNT\system32\mqupgrd.dll
    + 2007-07-06 12:46:59 48,640 ----a-w C:\WINNT\system32\mqupgrd.dll
    - 2004-08-04 05:56:44 471,552 ----a-w C:\WINNT\system32\mqutil.dll
    + 2007-07-06 12:46:59 471,552 ----a-w C:\WINNT\system32\mqutil.dll
    - 2005-03-02 00:34:40 2,056,832 ----a-w C:\WINNT\system32\ntkrnlpa.exe
    + 2007-02-28 08:38:55 2,057,600 ----a-w C:\WINNT\system32\ntkrnlpa.exe
    - 2005-03-02 00:59:53 2,179,328 ----a-w C:\WINNT\system32\ntoskrnl.exe
    + 2007-02-28 09:10:57 2,180,352 ----a-w C:\WINNT\system32\ntoskrnl.exe
    - 2007-12-31 19:47:41 41,918 ----a-w C:\WINNT\system32\perfc009.dat
    + 2008-01-01 14:09:45 41,918 ----a-w C:\WINNT\system32\perfc009.dat
    - 2007-12-31 19:47:41 317,000 ----a-w C:\WINNT\system32\perfh009.dat
    + 2008-01-01 14:09:45 317,000 ----a-w C:\WINNT\system32\perfh009.dat
    - 2004-08-04 05:56:48 333,312 ----a-w C:\WINNT\system32\wiaservc.dll
    + 2006-12-19 18:16:47 333,824 ----a-w C:\WINNT\system32\wiaservc.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2007-12-29 16:35 1667584]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-29 16:35 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager "= "mobsync.exe" [2004-08-04 00:56 143360 C:\WINNT\system32\mobsync.exe]
    "NvCplDaemon "= "C:\WINNT\System32\NvCpl.dll" [2006-10-22 12:22 7700480]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-29 16:35 271672]
    "SoundMan "= "SOUNDMAN.EXE" [2006-11-17 05:42 577536 C:\WINNT\soundman.exe]
    "NvMediaCenter "= "C:\WINNT\System32\NvMcTray.dll" [2006-10-22 12:22 86016]
    "HP Software Update "= "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-12-29 16:35 49152]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-12-30 15:52 48752]
    "vptray "= "C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-12-30 15:51 85744]
    "pccguide.exe "= "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-12-30 16:03 3429904]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "^SetupICWDesktop "= "C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2004-08-04 00:56 214528]
    "tscuninstall "= "C:\WINNT\system32\tscupgrd.exe" [2004-08-03 22:59 44544]

    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
    Reboot.exe [2004-10-01 01:01:50]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
    @= "Driver "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
    @= "Driver "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    R2 VPatch;ISS Buffer Overflow Exploit Prevention;C:\Program Files\ISS\Proventia Desktop\vpatch.exe [2006-06-12 19:28]
    R3 MakoNT;MakoNT;C:\WINNT\system32\drivers\MakoNT.sys [2006-06-12 19:28]
    R3 rap;rap;C:\WINNT\system32\drivers\RapDrv.sys [2006-06-12 19:28]
    R4 black;black;C:\WINNT\system32\drivers\BlackCat.sys [2006-06-12 19:28]

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-12-31 14:11:01 C:\WINNT\Tasks\WebReg officejet 7200 series.job "
    - C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
    .
    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-01 20:13:35
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-01 20:17:51
    C:\qoobox\ComboFix-quarantined-files.txt 2008-01-02 01:17:43
    C:\qoobox\ComboFix2.txt 2008-01-01 06:54:19
    C:\qoobox\ComboFix3.txt 2008-01-01 04:01:18
    C:\qoobox\ComboFix4.txt 2007-12-31 19:58:23
    .
    2008-01-01 07:46:46 --- E O F ---
     
  17. 2008/01/01
    jason0902

    jason0902 Inactive Thread Starter

    Joined:
    2007/12/31
    Messages:
    14
    Likes Received:
    0
    Here is the HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:40:36 PM, on 1/1/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\ISS\Proventia Desktop\blackd.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\Program Files\ISS\Proventia Desktop\RapApp.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\Program Files\ISS\Proventia Desktop\vpatch.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
    C:\WINNT\system32\wuauclt.exe
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\ISS\Proventia Desktop\blackice.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINNT\system32\wscntfy.exe
    C:\WINNT\explorer.exe
    C:\WINNT\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Proventia Desktop Agent.lnk = ?
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1196610191405
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1196610974905
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\blackd.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
    O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\RapApp.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe

    --
    End of file - 7093 bytes
     
  18. 2008/01/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You are correct ..... only 1 antivirus program should be actively running. Recommend you disable or uninstall 1 of them.

    There are a couple of files ComboFix has shown as removed yet they appear again in the file list. Let's see if we can get them cleaned permanently.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything check "Select All".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK then exit.


    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\Program Files\page.html
    C:\Program Files\folder.js
    C:\Program Files\func.js
    C:\Program Files\Del.js
    C:\Program Files\ini.ini
    C:\WINNT\002397_.tmp
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
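The check noahdfear made by eye above (paths ComboFix reported under "Other Deletions" that still show up in the later "Find3M Report" listing of the same log, such as folder.js and ini.ini) can be automated. The script below is an added example written for this thread; it is not part of ComboFix or anything posted by the participants. It parses the banner-delimited sections of a ComboFix log, cross-references deletions against the later file listings (treating a removed directory `X\` and a surviving file `X` as the same name, which is exactly the pattern in the log above), and renders the surviving paths as a `File::` block in the CFScript syntax used in this thread. The log text embedded in it is a constructed sample modelled on the format of the logs posted here, not a real log.

```python
"""Cross-check a ComboFix log: which 'deleted' paths still appear in a later listing?"""
import re
from typing import Dict, List

# ComboFix section banners look like "((((( Other Deletions )))))".
SECTION_RE = re.compile(r"^\({3,}\s*(.*?)\s*\){3,}\s*$")
# A Windows path is the last field of a file-listing line (it may contain spaces).
PATH_RE = re.compile(r"([A-Za-z]:\\.*?)\s*$")

# Constructed sample log (assumption: same layout as the logs in this thread).
SAMPLE_LOG = """\
ComboFix 07-12-31.4 - (constructed sample) 2008-01-01 20:05:44.4 - NTFSx86
Running from: C:\\Documents and Settings\\user\\Desktop\\ComboFix.exe
* Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\\Program Files\\folder.js\\
C:\\Program Files\\ini.ini\\
C:\\WINNT\\avp.exe
C:\\WINNT\\lsass.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-02 to 2008-01-02 )))))))))))))))))))))))))))))))
.

2007-12-31 12:36 . 2000-08-31 08:00 51,200 --a------ C:\\WINNT\\NirCmd.exe
2007-12-30 23:56 . 2007-12-30 23:56 0 --a------ C:\\WINNT\\nsreg.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-29 21:09 76 ----a-w C:\\Program Files\\ini.ini
2007-06-14 09:22 2,231 ----a-w C:\\Program Files\\folder.js
2006-12-03 01:05 2,522 ----a-w C:\\Program Files\\func.js
.
"""


def parse_sections(log: str) -> Dict[str, List[str]]:
    """Split a ComboFix log into its banner-delimited sections.

    Returns section title -> non-empty body lines; the lone '.' separator
    lines ComboFix prints are dropped. Text before the first banner is
    stored under the title "HEADER".
    """
    sections: Dict[str, List[str]] = {"HEADER": []}
    current = "HEADER"
    for raw in log.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
            continue
        if line and line != ".":
            sections[current].append(line)
    return sections


def paths_in(lines: List[str]) -> Dict[str, str]:
    """Map normalized path (lower-case, no trailing backslash) -> path as printed."""
    found: Dict[str, str] = {}
    for line in lines:
        m = PATH_RE.search(line)
        if m:
            printed = m.group(1)
            found[printed.rstrip("\\").lower()] = printed
    return found


def deleted_but_present(log: str) -> List[str]:
    """Paths under 'Other Deletions' that a later file listing in the same log still shows.

    A removed directory entry 'X\\' and a surviving file entry 'X' are matched
    as the same name: that is the situation in this thread, where the directory
    folder.js\\ was removed but a file folder.js remained in Program Files.
    """
    sections = parse_sections(log)
    deleted = paths_in(sections.get("Other Deletions", []))
    present: Dict[str, str] = {}
    for title, lines in sections.items():
        if title.startswith(("Files Created", "Find3M", "snapshot@")):
            present.update(paths_in(lines))
    return [present[key] for key in sorted(deleted.keys() & present.keys())]


def cfscript_for(paths: List[str]) -> str:
    """Render a CFScript 'File::' block (the syntax used in this thread) for the given paths."""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    survivors = deleted_but_present(SAMPLE_LOG)
    print("Reported deleted but still listed:", survivors)
    print(cfscript_for(survivors))
```

Run against a real ComboFix log by reading it from a file instead of `SAMPLE_LOG`; the sections it keys on ("Other Deletions", "Files Created ...", "Find3M Report", "snapshot@...") are the ones visible in the logs posted above. Anything it reports is a candidate for a second look, not an automatic verdict: a path can legitimately be recreated by an installer between two runs.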
     
  19. 2008/01/01
    jason0902

    jason0902 Inactive Thread Starter

    Joined:
    2007/12/31
    Messages:
    14
    Likes Received:
    0
    Thanks. I will follow your suggestion.

    Here is the ComboFix log... it looks pretty good. I selected everything in the ATF Cleaner menu.


    ComboFix 07-12-31.4 - Jason B Harleston 2008-01-01 23:14:58.5 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.442 [GMT -5:00]
    Running from: C:\Documents and Settings\Jason B Harleston\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Jason B Harleston\Desktop\CFScript.txt
    * Created a new restore point

    FILE
    C:\Program Files\Del.js
    C:\Program Files\folder.js
    C:\Program Files\func.js
    C:\Program Files\ini.ini
    C:\Program Files\page.html
    C:\WINNT\002397_.tmp
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\Del.js
    C:\Program Files\folder.js
    C:\Program Files\folder.js\
    C:\Program Files\func.js
    C:\Program Files\ini.ini
    C:\Program Files\ini.ini\
    C:\Program Files\page.html
    C:\WINNT\002397_.tmp

    .
    ((((((((((((((((((((((((( Files Created from 2007-12-02 to 2008-01-02 )))))))))))))))))))))))))))))))
    .

    2008-01-01 16:22 . 2008-01-01 16:22 <DIR> d-------- C:\Deckard
    2007-12-31 12:36 . 2000-08-31 08:00 51,200 --a------ C:\WINNT\NirCmd.exe
    2007-12-31 00:29 . 2006-12-19 13:16 333,824 -----c--- C:\WINNT\system32\dllcache\wiaservc.dll
    2007-12-31 00:24 . 2007-07-06 07:46 660,992 -----c--- C:\WINNT\system32\dllcache\mqqm.dll
    2007-12-31 00:24 . 2007-07-06 07:46 471,552 -----c--- C:\WINNT\system32\dllcache\mqutil.dll
    2007-12-31 00:24 . 2007-07-06 07:46 177,152 -----c--- C:\WINNT\system32\dllcache\mqrt.dll
    2007-12-31 00:24 . 2007-07-06 07:46 138,240 -----c--- C:\WINNT\system32\dllcache\mqad.dll
    2007-12-31 00:24 . 2007-07-06 07:46 95,744 -----c--- C:\WINNT\system32\dllcache\mqsec.dll
    2007-12-31 00:24 . 2007-07-06 05:05 72,960 -----c--- C:\WINNT\system32\dllcache\mqac.sys
    2007-12-31 00:24 . 2007-07-06 07:46 48,640 -----c--- C:\WINNT\system32\dllcache\mqupgrd.dll
    2007-12-31 00:24 . 2007-07-06 07:46 47,104 -----c--- C:\WINNT\system32\dllcache\mqdscli.dll
    2007-12-31 00:24 . 2007-07-06 07:46 16,896 -----c--- C:\WINNT\system32\dllcache\mqise.dll
    2007-12-31 00:21 . 2007-02-28 04:10 2,180,352 -----c--- C:\WINNT\system32\dllcache\ntoskrnl.exe
    2007-12-31 00:21 . 2007-02-28 04:08 2,136,064 -----c--- C:\WINNT\system32\dllcache\ntkrnlmp.exe
    2007-12-31 00:21 . 2007-02-28 03:38 2,057,600 -----c--- C:\WINNT\system32\dllcache\ntkrnlpa.exe
    2007-12-31 00:21 . 2007-02-28 03:38 2,015,744 -----c--- C:\WINNT\system32\dllcache\ntkrpamp.exe
    2007-12-31 00:09 . 2006-08-16 04:37 225,664 -----c--- C:\WINNT\system32\dllcache\tcpip6.sys
    2007-12-31 00:09 . 2006-08-16 06:58 100,352 -----c--- C:\WINNT\system32\dllcache\6to4svc.dll
    2007-12-30 23:56 . 2007-12-30 23:56 0 --a------ C:\WINNT\nsreg.dat
    2007-12-30 13:19 . 2007-12-30 13:19 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-12-30 11:52 . 2006-08-21 04:14 128,896 -----c--- C:\WINNT\system32\dllcache\fltmgr.sys
    2007-12-30 11:52 . 2006-08-21 04:14 23,040 -----c--- C:\WINNT\system32\dllcache\fltmc.exe
    2007-12-30 11:52 . 2006-08-21 07:21 16,896 -----c--- C:\WINNT\system32\dllcache\fltlib.dll
    2007-12-30 11:11 . 2007-11-14 02:26 450,560 -----c--- C:\WINNT\system32\dllcache\jscript.dll
    2007-12-30 10:55 . 2006-06-22 05:47 181,248 -----c--- C:\WINNT\system32\dllcache\rasmans.dll
    2007-12-30 10:53 . 2006-12-14 08:45 981,760 -----c--- C:\WINNT\system32\dllcache\mfc42u.dll
    2007-12-30 10:51 . 2007-05-17 06:28 549,376 -----c--- C:\WINNT\system32\dllcache\oleaut32.dll
    2007-12-30 10:50 . 2007-02-05 15:17 185,344 -----c--- C:\WINNT\system32\dllcache\upnphost.dll
    2007-12-30 10:49 . 2006-04-20 06:51 359,808 -----c--- C:\WINNT\system32\dllcache\tcpip.sys
    2007-12-30 10:44 . 2007-03-08 08:47 1,843,584 -----c--- C:\WINNT\system32\dllcache\win32k.sys
    2007-12-30 10:44 . 2007-03-08 10:36 577,536 -----c--- C:\WINNT\system32\dllcache\user32.dll
    2007-12-30 10:44 . 2007-03-08 10:36 281,600 -----c--- C:\WINNT\system32\dllcache\gdi32.dll
    2007-12-30 10:44 . 2007-03-08 10:36 40,960 -----c--- C:\WINNT\system32\dllcache\mf3216.dll
    2007-12-30 10:42 . 2006-11-27 09:54 539,136 -----c--- C:\WINNT\system32\dllcache\msftedit.dll
    2007-12-30 10:42 . 2006-11-27 09:54 433,152 -----c--- C:\WINNT\system32\dllcache\riched20.dll
    2007-12-30 10:41 . 2007-10-29 17:43 1,287,680 -----c--- C:\WINNT\system32\dllcache\quartz.dll
    2007-12-30 10:39 . 2006-10-12 06:09 256,512 -----c--- C:\WINNT\system32\dllcache\agentsvr.exe
    2007-12-30 10:39 . 2006-10-12 09:02 57,344 -----c--- C:\WINNT\system32\dllcache\agentdpv.dll
    2007-12-30 10:39 . 2006-10-12 09:02 42,496 -----c--- C:\WINNT\system32\dllcache\agentdp2.dll
    2007-12-30 10:37 . 2007-07-09 08:09 584,192 -----c--- C:\WINNT\system32\dllcache\rpcrt4.dll
    2007-12-30 10:37 . 2007-02-09 06:10 574,464 -----c--- C:\WINNT\system32\dllcache\ntfs.sys
    2007-12-30 10:37 . 2006-03-16 19:38 28,672 --a------ C:\WINNT\system32\verclsid.exe
    2007-12-30 10:36 . 2007-04-16 10:52 984,576 -----c--- C:\WINNT\system32\dllcache\kernel32.dll
    2007-12-30 10:35 . 2006-05-05 04:41 453,120 -----c--- C:\WINNT\system32\dllcache\mrxsmb.sys
    2007-12-30 10:35 . 2006-05-05 04:47 174,592 -----c--- C:\WINNT\system32\dllcache\rdbss.sys
    2007-12-29 20:59 . 2007-09-17 14:31 1,126,072 --a------ C:\WINNT\system32\drivers\vsapint.sys
    2007-12-29 20:59 . 2006-12-29 01:53 288,848 --a------ C:\WINNT\system32\drivers\TM_CFW.sys
    2007-12-29 20:59 . 2007-09-17 14:40 202,768 --a------ C:\WINNT\system32\drivers\tmxpflt.sys
    2007-12-29 20:59 . 2006-12-29 01:53 111,888 --a------ C:\WINNT\system32\drivers\tm_mbd_c.sys
    2007-12-29 20:59 . 2006-12-29 01:53 75,088 --a------ C:\WINNT\system32\drivers\tmtdi.sys
    2007-12-29 20:59 . 2007-09-17 14:40 35,856 --a------ C:\WINNT\system32\drivers\tmpreflt.sys
    2007-12-29 20:58 . 2007-12-29 21:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
    2007-12-29 20:57 . 2007-12-31 10:58 <DIR> d-------- C:\Program Files\Trend Micro
    2007-12-29 20:52 . 2007-12-29 20:52 0 --a------ C:\WINNT\vpc32.INI
    2007-12-29 16:20 . 2005-09-17 00:20 108,168 --a------ C:\WINNT\system32\drivers\SYMEVENT.SYS
    2007-12-29 16:20 . 2005-09-17 00:20 87,768 --a------ C:\WINNT\system32\S32EVNT1.DLL
    2007-12-29 16:18 . 2008-01-01 23:06 <DIR> d-------- C:\Program Files\Symantec AntiVirus
    2007-12-29 16:18 . 2007-12-29 16:21 <DIR> d-------- C:\Program Files\Symantec
    2007-12-29 16:18 . 2007-12-30 15:50 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
    2007-12-29 16:16 . 2007-12-29 16:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
    2007-12-29 16:12 . 2005-09-23 07:29 626,688 --a------ C:\WINNT\system32\msvcr80.dll
    2007-12-29 15:58 . 2008-01-01 01:49 <DIR> d-------- C:\Temp
    2007-12-23 02:49 . 2007-12-23 03:02 <DIR> d-------- C:\Program Files\GameSpy Arcade
    2007-12-20 22:12 . 2007-12-20 22:13 <DIR> d-------- C:\Program Files\Google
    2007-12-16 08:50 . 2007-12-16 08:50 <DIR> d-------- C:\Program Files\Common Files\HP
    2007-12-16 08:49 . 2007-12-16 08:49 <DIR> d-------- C:\Program Files\Hewlett-Packard
    2007-12-16 08:48 . 2007-12-16 08:48 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
    2007-12-16 08:48 . 2004-10-04 18:26 51,120 -ra------ C:\WINNT\system32\drivers\HPZid412.sys
    2007-12-16 08:48 . 2004-10-04 18:26 16,496 -ra------ C:\WINNT\system32\drivers\HPZipr12.sys
    2007-12-16 08:47 . 2004-08-03 23:08 31,616 --a------ C:\WINNT\system32\drivers\usbccgp.sys
    2007-12-16 08:47 . 2004-08-03 23:08 31,616 --a--c--- C:\WINNT\system32\dllcache\usbccgp.sys
    2007-12-16 08:47 . 2004-08-03 23:01 25,856 --a------ C:\WINNT\system32\drivers\usbprint.sys
    2007-12-16 08:47 . 2004-08-03 23:01 25,856 --a--c--- C:\WINNT\system32\dllcache\usbprint.sys
    2007-12-16 08:47 . 2004-10-04 18:26 21,744 -ra------ C:\WINNT\system32\drivers\HPZius12.sys
    2007-12-16 08:45 . 2007-12-16 08:50 <DIR> d-------- C:\Program Files\HP
    2007-12-16 08:43 . 2007-12-16 08:51 69,372 --a------ C:\WINNT\hpoins05.dat
    2007-12-16 08:43 . 2004-12-14 10:39 19,696 --------- C:\WINNT\hpomdl05.dat
    2007-12-09 07:26 . 2007-07-30 19:19 271,224 --a------ C:\WINNT\system32\mucltui.dll
    2007-12-09 07:26 . 2007-07-30 19:19 30,072 --a------ C:\WINNT\system32\mucltui.dll.mui
    2007-12-02 13:19 . 2007-12-29 02:58 <DIR> d-------- C:\Program Files\IGZones
    2007-12-02 11:56 . 2007-12-02 11:58 <DIR> d-------- C:\Program Files\Microsoft Games
    2007-12-02 11:22 . 2007-12-02 11:51 316,640 --a------ C:\WINNT\WMSysPr9.prx
    2007-12-02 11:19 . 2007-12-02 11:19 <DIR> d-------- C:\WINNT\ServicePackFiles
    2007-12-02 11:17 . 2004-08-04 00:56 2,897,920 --a------ C:\WINNT\system32\xpsp2res.dll
    2007-12-02 11:13 . 2007-12-02 11:13 <DIR> d-------- C:\WINNT\EHome
    2007-12-02 11:03 . 2004-08-04 00:56 614,912 --a------ C:\WINNT\system32\h323msp.dll
    2007-12-02 11:03 . 2004-08-04 00:56 331,264 --a------ C:\WINNT\system32\ipnathlp.dll
    2007-12-02 11:03 . 2004-08-04 00:56 265,728 --a------ C:\WINNT\system32\h323.tsp
    2007-12-02 11:03 . 2004-08-04 00:56 77,312 --a------ C:\WINNT\system32\browser.dll
    2007-12-02 11:03 . 2007-03-08 10:36 40,960 --a------ C:\WINNT\system32\mf3216.dll
    2007-12-02 11:00 . 2004-08-04 00:56 239,104 --a------ C:\WINNT\system32\srrstr.dll
    2007-12-02 10:58 . 2007-12-02 11:02 <DIR> d--h-c--- C:\WINNT\$xpsp1hfm$
    2007-12-02 10:55 . 2008-01-01 02:46 <DIR> d--h----- C:\WINNT\$hf_mig$
    2007-12-02 10:46 . 2007-12-02 10:46 <DIR> d-------- C:\WINNT\system32\bits
    2007-12-02 10:45 . 2004-08-04 00:56 438,784 --a------ C:\WINNT\system32\xpob2res.dll
    2007-12-02 10:45 . 2004-08-04 00:56 351,232 --a------ C:\WINNT\system32\winhttp.dll
    2007-12-02 10:45 . 2004-08-04 00:56 18,944 --a------ C:\WINNT\system32\qmgrprxy.dll
    2007-12-02 10:45 . 2004-08-04 00:56 8,192 --a------ C:\WINNT\system32\bitsprx2.dll
    2007-12-02 10:45 . 2004-08-04 00:56 7,168 --a------ C:\WINNT\system32\bitsprx3.dll
    2007-12-02 10:44 . 2007-07-30 19:19 549,720 --a------ C:\WINNT\system32\wuapi.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-01 18:04 --------- d-----w C:\Program Files\QuickTime
    2008-01-01 18:04 --------- d-----w C:\Program Files\iTunes
    2007-12-02 16:01 155,995 ----a-w C:\WINNT\java\Packages\YM4D7NDB.ZIP
    2007-12-02 15:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-12-01 19:18 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2007-11-29 04:17 --------- d-----w C:\Documents and Settings\Jason B Harleston\Application Data\Apple Computer
    2007-11-29 04:16 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Apple Computer
    2007-11-29 04:16 --------- d-----w C:\Program Files\iPod
    2007-11-29 04:16 --------- d-----w C:\Program Files\Apple Software Update
    2007-11-29 04:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
    2007-11-28 01:48 --------- d-----w C:\Program Files\GetData
    2007-11-27 09:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
    2007-11-27 08:02 --------- d-----w C:\Program Files\Common Files\Adobe
    2007-11-27 08:02 --------- d-----w C:\Documents and Settings\Administrator\Application Data\InterTrust
    2007-11-27 07:55 --------- d-----w C:\Program Files\Common Files\InstallShield
    2007-11-27 07:26 --------- d-----w C:\Program Files\Realtek AC97
    2007-11-27 06:02 --------- d-----w C:\Program Files\microsoft frontpage
    2007-11-27 06:01 558,142 ----a-w C:\WINNT\java\Packages\B5VPFRDR.ZIP
    2007-11-27 06:01 271 --sh--w C:\Program Files\desktop.ini
    2007-11-27 06:01 21,952 ---h--w C:\Program Files\folder.htt
    2007-11-27 01:05 --------- d-----w C:\Program Files\Accessories
    2007-11-25 14:17 --------- d-----w C:\Documents and Settings\Jason B. Harleston\Application Data\My Games
    2007-10-29 22:43 1,287,680 ----a-w C:\WINNT\system32\quartz.dll
    2007-10-27 22:39 230,912 ----a-w C:\WINNT\system32\wmasf.dll
    .

    ((((((((((((((((((((((((((((( snapshot_2008-01-01_20.16.42.70 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-01 14:09:45 41,918 ----a-w C:\WINNT\system32\perfc009.dat
    + 2008-01-02 04:05:10 41,918 ----a-w C:\WINNT\system32\perfc009.dat
    - 2008-01-01 14:09:45 317,000 ----a-w C:\WINNT\system32\perfh009.dat
    + 2008-01-02 04:05:10 317,000 ----a-w C:\WINNT\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-12-29 16:35 1667584]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-29 16:35 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"="mobsync.exe" [2004-08-04 00:56 143360 C:\WINNT\system32\mobsync.exe]
    "NvCplDaemon"="C:\WINNT\System32\NvCpl.dll" [2006-10-22 12:22 7700480]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-29 16:35 271672]
    "SoundMan"="SOUNDMAN.EXE" [2006-11-17 05:42 577536 C:\WINNT\soundman.exe]
    "NvMediaCenter"="C:\WINNT\System32\NvMcTray.dll" [2006-10-22 12:22 86016]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-12-29 16:35 49152]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-12-30 15:52 48752]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-12-30 15:51 85744]
    "pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-12-30 16:03 3429904]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2004-08-04 00:56 214528]
    "tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2004-08-03 22:59 44544]

    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
    Reboot.exe [2004-10-01 01:01:50]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    R2 VPatch;ISS Buffer Overflow Exploit Prevention;C:\Program Files\ISS\Proventia Desktop\vpatch.exe [2006-06-12 19:28]
    R3 MakoNT;MakoNT;C:\WINNT\system32\drivers\MakoNT.sys [2006-06-12 19:28]
    R3 rap;rap;C:\WINNT\system32\drivers\RapDrv.sys [2006-06-12 19:28]
    R4 black;black;C:\WINNT\system32\drivers\BlackCat.sys [2006-06-12 19:28]

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-12-31 14:11:01 C:\WINNT\Tasks\WebReg officejet 7200 series.job"
    - C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
    .
    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-01 23:23:36
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-01 23:27:25
    C:\qoobox\ComboFix-quarantined-files.txt 2008-01-02 04:27:18
    C:\qoobox\ComboFix2.txt 2008-01-02 01:17:53
    C:\qoobox\ComboFix3.txt 2008-01-01 06:54:19
    C:\qoobox\ComboFix4.txt 2008-01-01 04:01:18
    C:\qoobox\ComboFix5.txt 2007-12-31 19:58:23
    .
    2008-01-01 07:46:46 --- E O F ---
     
  20. 2008/01/01
    noahdfear
    Looks good. Let's clean up and run an online scan to make sure we haven't overlooked anything. Click Start > Run, type ComboFix /u and hit Enter. This will uninstall ComboFix and remove the rogue files it has in quarantine.

    Open your antivirus control panel and delete everything in quarantine.

    Then do an online scan with Kaspersky WebScanner.

    Click on Kaspersky Online Scanner.

    You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded, click on NEXT.
    • Now click on Scan Settings.
    • In the scan settings, make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Extended (if available, otherwise Standard)
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK.
    • Now under "Select a target to scan":
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete it will display whether your system has been infected.
      • Now click on the Save as Text button.
    • Save the file to your desktop.

    Post the Kaspersky log and one more fresh HijackThis log.
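    A quick way to triage the text report this post asks for, added here as an example and not part of the original thread or of any Kaspersky tooling: the Online Scanner 5.x report lists one hit per line as "<path> Infected: <verdict> skipped" or "<path> Object is locked skipped", and the first thing a practitioner checks is where each hit lives. A detection inside an antivirus or ComboFix quarantine folder or inside a System Restore snapshot (System Volume Information\_restore{...}) is an already-neutralized copy, not a running infection, and "Object is locked" lines are files the scanner could not open, not detections at all. The script below buckets hits accordingly and lists only the ones in live locations. The report lines in SAMPLE_REPORT are constructed for this example in that layout; the .dll under system32 is a hypothetical placeholder for a live hit.

```python
import re
from collections import Counter

# One Kaspersky Online Scanner 5.x result line: the path runs up to the last
# " Infected: " or " Object is locked" marker, and every line ends in "skipped".
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:Infected: (?P<verdict>\S+)|(?P<locked>Object is locked)) skipped$"
)

# Constructed sample report, not output of a real scan. Paths and verdicts are
# illustrative; C:\WINNT\system32\sample_hit.dll is a hypothetical live hit.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.e skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08BC0000.VBN Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\User\NTUSER.DAT Object is locked skipped
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP35\A0014225.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\Qoobox\Quarantine\C\WINNT\002397_.tmp.vir Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\WINNT\system32\sample_hit.dll Infected: Trojan.Win32.Qhost.abh skipped
"""


def parse_line(line):
    """Return {'path', 'verdict', 'locked'} for one result line, or None for any other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "path": m.group("path"),
        "verdict": m.group("verdict"),
        "locked": bool(m.group("locked")),
    }


def classify(path, locked):
    """Bucket a hit by where it lives; the bucket decides the cleanup action."""
    p = path.lower()
    if locked:
        return "locked"          # in-use file the scanner could not open; not a detection
    if "\\system volume information\\_restore" in p:
        return "restore_point"   # System Restore snapshot; cleared by purging restore points
    if "\\quarantine\\" in p or p.endswith(".vbn") or "\\qoobox\\" in p:
        return "av_quarantine"   # neutralized copy held by an AV or ComboFix; empty the quarantine
    return "active"              # file in a live location; the only bucket that needs removal work


def triage(report_text):
    """Summarize a report: counts per bucket plus the active hits, riskware flagged."""
    counts = Counter()
    active = []
    for line in report_text.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue                      # headers, statistics and blank lines
        bucket = classify(hit["path"], hit["locked"])
        counts[bucket] += 1
        if bucket == "active":
            active.append({
                "path": hit["path"],
                "verdict": hit["verdict"],
                # Kaspersky prefixes riskware/adware with "not-a-virus:"; lower severity than a trojan
                "riskware": hit["verdict"].startswith("not-a-virus:"),
            })
    return {"counts": dict(counts), "active": active}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(result["counts"])
    for hit in result["active"]:
        tag = "riskware " if hit["riskware"] else "MALWARE  "
        print(tag + hit["path"] + "  " + hit["verdict"])
```

    Run against a saved report (open the file and pass its text to triage()), the "active" list is what still needs a fix; a report whose hits are all in the av_quarantine and restore_point buckets is clean apart from housekeeping, which is exactly the distinction the quarantine-emptying step above is meant to settle.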
     
  21. 2008/01/02
    jason0902
    These viruses are very resilient. Here's the Kaspersky log...

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Wednesday, January 02, 2008 7:26:44 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 2/01/2008
    Kaspersky Anti-Virus database records: 501725
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 82724
    Number of viruses found: 11
    Number of infected objects: 91
    Number of suspicious objects: 0
    Duration of the scan process: 02:52:04

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.e skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08BC0000.VBN Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08BC0001.VBN Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08BC0002.VBN Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08BC0003\4FFFCADC.VBN Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08BC0004\4FFFCB8A.VBN Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A240000\4F7705CA.VBN Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A240001\4F7705FA.VBN Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A240003\4F770695.VBN Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A240004\4F7707F5.VBN Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A240005\4F770889.VBN Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C740000.VBN Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C740001\4F76CEF5.VBN Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E240000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E240001\4F7C0748.VBN Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E240002\4F7C088C.VBN Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E240003\4F7C08EC.VBN Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E240004\4F7C0C3A.VBN Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E240005\4F7C0D25.VBN Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EB80000\4FFED7E1.VBN Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
    C:\Documents and Settings\Jason B Harleston\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Jason B Harleston\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Jason B Harleston\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Jason B Harleston\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Jason B Harleston\Local Settings\Temp\hpodvd09.log Object is locked skipped
    C:\Documents and Settings\Jason B Harleston\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Jason B Harleston\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Jason B Harleston\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Jason B Harleston\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\eengine\EPERSIST.DAT Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
    C:\Program Files\ISS\Proventia Desktop\.udout Object is locked skipped
    C:\Program Files\ISS\Proventia Desktop\blackice-service.log Object is locked skipped
    C:\Program Files\ISS\Proventia Desktop\BOEP_Daemon.log Object is locked skipped
    C:\Program Files\ISS\Proventia Desktop\BOEP_Driver.log Object is locked skipped
    C:\Program Files\ISS\Proventia Desktop\desktop-rapapp.log Object is locked skipped
    C:\Program Files\ISS\Proventia Desktop\IBE\IBEDD.ewm Object is locked skipped
    C:\Program Files\ISS\Proventia Desktop\IBE\IBEDM.ewm Object is locked skipped
    C:\Program Files\ISS\Proventia Desktop\IBE\IBEDS.ewm Object is locked skipped
    C:\Program Files\ISS\Proventia Desktop\IBE\IBEED.ewm Object is locked skipped
    C:\Program Files\ISS\Proventia Desktop\IBE\IBEEK.ewm Object is locked skipped
    C:\Program Files\ISS\Proventia Desktop\IBE\IBEEL.ewm Object is locked skipped
    C:\Program Files\ISS\Proventia Desktop\IBE\IBEM0K.ewm Object is locked skipped
    C:\Program Files\ISS\Proventia Desktop\IBE\IBEM1K.ewm Object is locked skipped
    C:\Program Files\ISS\Proventia Desktop\IBE\IBEM2K.ewm Object is locked skipped
    C:\Program Files\ISS\Proventia Desktop\IBE\IBEM3K.ewm Object is locked skipped
    C:\Program Files\ISS\Proventia Desktop\IBE\IBEMD.ewm Object is locked skipped
    C:\Program Files\ISS\Proventia Desktop\issCommon.trace Object is locked skipped
    C:\Program Files\ISS\Proventia Desktop\msl_update.log Object is locked skipped
    C:\Program Files\ISS\Proventia Desktop\PolicyXlate.log Object is locked skipped
    C:\Program Files\ISS\Proventia Desktop\quarantine\IBEqm.qsi Object is locked skipped
    C:\Program Files\ISS\Proventia Desktop\rapapp.log Object is locked skipped
    C:\Program Files\ISS\Proventia Desktop\SensorEventQueue.ADF Object is locked skipped
    C:\Program Files\Symantec AntiVirus\SAVRT\0662NAV~.TMP Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014225.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014226.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014227.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014228.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014229.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014230.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014231.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014232.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014233.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014234.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014235.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014236.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014237.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014238.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014239.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014240.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014241.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014242.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014243.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014244.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014245.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014246.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014247.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014248.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014249.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014250.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014251.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014252.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014253.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014254.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014255.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014256.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014257.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014258.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014259.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014260.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014261.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014262.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014263.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014264.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014265.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014266.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014267.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014268.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014269.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014270.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014271.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014272.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014273.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014274.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014276.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014277.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014278.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014279.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP35\A0014280.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP38\A0015303.dll Object is locked skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP38\A0015304.exe Infected: Trojan.Win32.Pakes.bvs skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP38\A0015305.exe Infected: Trojan-Downloader.Win32.Small.hkt skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP39\A0015417.exe Infected: Trojan-Downloader.Win32.Alphabet.az skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP41\A0015444.exe Infected: Trojan-Downloader.Win32.Alphabet.az skipped
    C:\System Volume Information\_restore{29A11582-9005-48B8-99ED-08588CE21466}\RP46\change.log Object is locked skipped
    C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
    C:\WINNT\SchedLgU.Txt Object is locked skipped
    C:\WINNT\SoftwareDistribution\EventCache\{9B3F213C-B2A5-4B70-9B3D-8CDA5EC1B691}.bin Object is locked skipped
    C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINNT\Sti_Trace.log Object is locked skipped
    C:\WINNT\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINNT\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\default Object is locked skipped
    C:\WINNT\system32\config\default.LOG Object is locked skipped
    C:\WINNT\system32\config\Internet.evt Object is locked skipped
    C:\WINNT\system32\config\SAM Object is locked skipped
    C:\WINNT\system32\config\SAM.LOG Object is locked skipped
    C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\SECURITY Object is locked skipped
    C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINNT\system32\config\software Object is locked skipped
    C:\WINNT\system32\config\software.LOG Object is locked skipped
    C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\system Object is locked skipped
    C:\WINNT\system32\config\system.LOG Object is locked skipped
    C:\WINNT\system32\h323log.txt Object is locked skipped
    C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINNT\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINNT\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINNT\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINNT\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINNT\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINNT\wiadebug.log Object is locked skipped
    C:\WINNT\wiaservc.log Object is locked skipped
    C:\WINNT\WindowsUpdate.log Object is locked skipped
    D:\Jason\Accenture\Sunbelt.zip/radmin21.exe/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
    D:\Jason\Accenture\Sunbelt.zip/radmin21.exe/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
    D:\Jason\Accenture\Sunbelt.zip/radmin21.exe/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
    D:\Jason\Accenture\Sunbelt.zip/radmin21.exe/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
    D:\Jason\Accenture\Sunbelt.zip/radmin21.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
    D:\Jason\Accenture\Sunbelt.zip ZIP: infected - 5 skipped
    D:\Jason\Win98_bkup\WINDOWS\SYSTEM\r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
    D:\Jason\Win98_bkup\WINDOWS\TEMP\radmin21.exe/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
    D:\Jason\Win98_bkup\WINDOWS\TEMP\radmin21.exe/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
    D:\Jason\Win98_bkup\WINDOWS\TEMP\radmin21.exe/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
    D:\Jason\Win98_bkup\WINDOWS\TEMP\radmin21.exe/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
    D:\Jason\Win98_bkup\WINDOWS\TEMP\radmin21.exe Gentee: infected - 4 skipped

    Scan process completed.
     
