
Solved Is this malware?

Discussion in 'Malware and Virus Removal Archive' started by Sfantasia, 2010/05/10.

  1. 2010/05/10
    Sfantasia (Thread Starter)

    [Resolved] Is this malware?

    In my HijackThis log I have 2 entries which I do not understand. They are as follows:

    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-D-BB-GAE} - C:\WINDOWS\system32\Browseui.Dall

    O22 - SharedTaskScheduler: Component Categories cache daemon - {CF-B-D-BE-438755C2} - C:\WINDOWS\system32\Browseui.Dall

    Can someone please tell me if this is malware and, if so, what is the best way to remove them?

    Thank you
     
  2. 2010/05/10
    Admin. (Administrator, Staff)

    Hi,

    Read this post as indicated at the top of this forum & follow the instructions.
     

  4. 2010/05/11
    Sfantasia (Thread Starter)

    Is this malware

    DDS.TXT


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Sal Fantasia at 11:16:53.51 on Tue 05/11/2010
    Internet Explorer: 7.0.5730.13
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2501 [GMT -5:00]

    AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
    FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\Ati2evxx.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    svchost.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\system32\svchost.exe -k HPService
    C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\ups.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
    C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
    C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\ClocX\ClocX.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
    C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Atomic Clock Sync\Atomic.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\PrintKey2000\Printkey2000.exe
    D:\Utilities\Tray It\TrayIt!.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\DOCUME~1\SALFAN~1\LOCALS~1\Temp\{358852E5-44F5-44AE-B297-6A508EEB12DE}\adni18_Weather_II.exe
    C:\Program Files\WallpaperToy\Wallpapertoy.Exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\qoeapp.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
    C:\Documents and Settings\Sal Fantasia\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    mSearchAssistant = hxxp://www.google.com/ie
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: {18df081c-e8ad-4283-a596-fa578c2ebdc3}: AcroIEHelperStub
    BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {855F3B16-6D32-4FE6-8A56-BBB695989046} - No File
    TB: {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No File
    EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
    uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe "
    mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe "
    mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe "
    mRun: [IMONTRAY] c:\program files\intel\intel(r) active monitor\imontray.exe
    mRun: [P17Helper] Rundll32 P17.dll,P17Helper
    mRun: [QOELOADER] "c:\program files\ca\ca internet security suite\ca anti-spam\qsp-5.1.18.0\QOELoader.exe "
    mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
    mRun: [UpdReg] c:\windows\UpdReg.EXE
    mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe "
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [ClocX] c:\program files\clocx\ClocX.exe
    mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe "
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe "
    mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe "
    mRun: [<NO NAME>]
    mRun: [Atomic.exe] c:\program files\atomic clock sync\Atomic.exe
    StartupFolder: c:\docume~1\salfan~1\startm~1\programs\startup\adni18~1.lnk - c:\program files\adni\adni18_Weather_II.exe
    StartupFolder: c:\docume~1\salfan~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
    StartupFolder: c:\docume~1\salfan~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\salfan~1\startm~1\programs\startup\printk~1.lnk - c:\program files\printkey2000\Printkey2000.exe
    StartupFolder: c:\docume~1\salfan~1\startm~1\programs\startup\trayit!.lnk - d:\utilities\tray it\TrayIt!.exe
    StartupFolder: c:\docume~1\salfan~1\startm~1\programs\startup\wallpa~1.lnk - c:\program files\wallpapertoy\Wallpapertoy.Exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\amazon~1.lnk - c:\program files\amazon\amazon unbox video\ADVWindowsClientSystemTray.exe
    IE: &Copy Location - c:\windows\web\graburl.htm
    IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
    IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
    IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
    IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
    IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\mi1933~1\office\1033\phdintl.dll/phdContext.htm
    IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
    IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
    IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
    IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
    IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6.5\ICQ.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - {C651A691-CCD9-11D2-92D3-0000F87A4A55} - c:\windows\system32\webzone.dll
    IE: {B4E30F61-16D9-11D3-85D1-005004229569} - {85E0B172-04FA-11D1-B7DA-00A0C90348D6} - c:\lotus\organize\bandobjs.dll
    IE: {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - {C651A693-CCD9-11D2-92D3-0000F87A4A55} - c:\windows\system32\webzone.dll
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    IE: {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - {A58D06D4-CA90-11D2-92D2-0000F87A4A55} - c:\windows\system32\oline.dll
    LSP: c:\windows\system32\VetRedir.dll
    Trusted Zone: a1agiftsonline.com\www
    Trusted Zone: ablazewithtraffic.com
    Trusted Zone: ablazewithtraffic.com\www
    Trusted Zone: ablazewithtraffic.org\www
    Trusted Zone: about.com\couponing
    Trusted Zone: adobe.com\get
    Trusted Zone: adultfriendfinder.com
    Trusted Zone: adultfriendfinder.com\secure
    Trusted Zone: amd.com\support
    Trusted Zone: amd.com\www
    Trusted Zone: att.com\ebill04
    Trusted Zone: bettycrocker.com\www
    Trusted Zone: bfnsoftware.com\www
    Trusted Zone: blank
    Trusted Zone: buy.com\www
    Trusted Zone: ca.com\shop
    Trusted Zone: characterarcade.com
    Trusted Zone: characterarcade.com\www
    Trusted Zone: chase.com\chaseonline
    Trusted Zone: classmates.com\www
    Trusted Zone: cnet.com\download
    Trusted Zone: convergentcare.com\twdal
    Trusted Zone: coolsavings.com\www
    Trusted Zone: couponmom.com\www
    Trusted Zone: coupons.com\bricks
    Trusted Zone: coupons.com\microsite
    Trusted Zone: coupons.com\print
    Trusted Zone: coupons.com\www
    Trusted Zone: craigslist.org\accounts
    Trusted Zone: craigslist.org\post
    Trusted Zone: custhelp.com\zynga
    Trusted Zone: download.com\www
    Trusted Zone: envision-hits.com\www
    Trusted Zone: facebook.com\apps
    Trusted Zone: facebook.com\www
    Trusted Zone: fansgifts.com
    Trusted Zone: frostbank.com\www
    Trusted Zone: ****direct.com\members
    Trusted Zone: google.com\maps
    Trusted Zone: google.com\www
    Trusted Zone: grocerycouponnetwork.com\www
    Trusted Zone: heb.com\www
    Trusted Zone: hp.com\h10025.www1
    Trusted Zone: hp.com\h20270.www2
    Trusted Zone: hp.com\wimpro.cce
    Trusted Zone: hp.com\www.shopping
    Trusted Zone: igl.net\cgi1
    Trusted Zone: igl.net\hoylegames
    Trusted Zone: igl.net\www
    Trusted Zone: igl.net\www4
    Trusted Zone: intel.com\downloadcenter
    Trusted Zone: internet
    Trusted Zone: java.com
    Trusted Zone: java.com\www
    Trusted Zone: jrsmedical.com\www
    Trusted Zone: kens5.com\www
    Trusted Zone: kraftfirsttaste.com\www
    Trusted Zone: kraftfoods.com\www
    Trusted Zone: landolakes.com\www
    Trusted Zone: mapquest.com\www
    Trusted Zone: metadot.net\montastic-wiki
    Trusted Zone: microsoft.com\oas.support
    Trusted Zone: microsoft.com\office
    Trusted Zone: microsoft.com\profile
    Trusted Zone: microsoft.com\support
    Trusted Zone: microsoft.com\update
    Trusted Zone: microsoft.com\www
    Trusted Zone: myecount.com\www
    Trusted Zone: mysanantonio.com\www
    Trusted Zone: mysurvey.com\www
    Trusted Zone: networktechs.com\hjt
    Trusted Zone: nidink.com\www
    Trusted Zone: noradsanta.org\www
    Trusted Zone: ntlworld.com\homepage
    Trusted Zone: onlinesearches.com\publicrecords
    Trusted Zone: otxresearch.com\survey
    Trusted Zone: paypal.com\history
    Trusted Zone: paypal.com\www
    Trusted Zone: pcpitstop.com\www
    Trusted Zone: pillsbury.com\www
    Trusted Zone: playdom.com\tiki-fb-active-vip
    Trusted Zone: powerplay4all.com\www
    Trusted Zone: qwest.com\myaccount
    Trusted Zone: qwest.com\qcontrol
    Trusted Zone: redplum.com\coupons
    Trusted Zone: rengamesonline.com\www
    Trusted Zone: rewardshotline.com\www
    Trusted Zone: rr.com\herhelp01.ndc
    Trusted Zone: rr.com\selfcare
    Trusted Zone: rr.com\webmail.satx
    Trusted Zone: rr.com\www
    Trusted Zone: rxpulse.com\www
    Trusted Zone: salfantasia.us
    Trusted Zone: sendearnings.com\www
    Trusted Zone: shoppershotline.com\www
    Trusted Zone: slashkey.com\www
    Trusted Zone: smartsource.com\couponmom.coupons
    Trusted Zone: smartsource.com\coupons
    Trusted Zone: smartsource.com\coupons2
    Trusted Zone: smcorp.com\www
    Trusted Zone: softpedia.com\www
    Trusted Zone: surfcash.us\www
    Trusted Zone: surveymonkey.com\www
    Trusted Zone: sushiavenue.com
    Trusted Zone: thedailyplate.com\www
    Trusted Zone: thepiratebay.org
    Trusted Zone: timewarnercable.com\payxpress
    Trusted Zone: timewarnercable.com\www
    Trusted Zone: trafficdynamitepro.com
    Trusted Zone: txlottery.org\www
    Trusted Zone: uclick.com\www
    Trusted Zone: ucsd.edu\cseweb
    Trusted Zone: usps.com\ecap-ws-prod
    Trusted Zone: usps.com\shop
    Trusted Zone: usps.com\www
    Trusted Zone: valpak.com\www
    Trusted Zone: walmart.com\www
    Trusted Zone: webexhibits.org\www
    Trusted Zone: webs.com\members
    Trusted Zone: webs.com\missyouhoyle
    Trusted Zone: wegmans.com\www
    Trusted Zone: windowsbbs.com\www
    Trusted Zone: wordsteal.com\www
    Trusted Zone: yourcgi.com\www
    Trusted Zone: youtube.com\www
    Trusted Zone: zonealarm.com\download
    Trusted Zone: zonealarm.com\promotions
    Trusted Zone: zynga.com\secure
    Trusted Zone: zynga.com\toolbar
    DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
    DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {41ACD49D-1974-791A-0981-AA9872721044} - hxxp://download.gamedesire.com/g_bin/eng/boards_2_0_0_35.cab
    DPF: {49232000-16E4-426C-A231-62846947304B} - hxxps://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab
    DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} - hxxp://coupons.smartsource.com/download/cscmv5X.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233262970812
    DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233263033046
    DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} - hxxp://www.igl.net/clo/install/CLOActiveXInstallerProj1.cab
    DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
    DPF: {7A0D1738-10EA-47FF-92BE-4E137B5BE1A4} - hxxps://mpsnare.iesnare.com/StmOCX.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
    DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
    DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15111/CTPID.cab
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ============= SERVICES / DRIVERS ===============

    R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2009-1-29 26352]
    R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2009-1-29 21104]
    R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2009-10-13 739696]
    R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2009-1-29 21488]
    R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2009-1-29 32240]
    R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-1-29 486280]
    R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2009-1-29 144960]
    R2 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2009-1-29 238832]
    R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
    R3 DKRtWrt;DKRtWrt;c:\windows\system32\drivers\DKRtWrt.sys [2010-1-28 41504]
    R3 PPCtlPriv;PPCtlPriv;c:\program files\ca\ca internet security suite\ca anti-spyware\PPCtlPriv.exe [2007-5-24 189704]
    R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2009-10-13 133520]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]

    =============== Created Last 30 ================

    2010-05-11 16:14:46 0 --sha-w- C:\DkHyperbootSync
    2010-05-11 15:34:18 0 d-----w- c:\program files\Amazon
    2010-05-10 20:45:24 0 d-----w- c:\program files\Windows Installer Clean Up
    2010-05-10 20:44:26 0 d-----w- c:\program files\MSECACHE
    2010-05-10 17:25:27 0 d-----w- c:\program files\Microsoft Speech SDK 5.1
    2010-05-07 16:14:39 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-05-05 03:44:23 0 d-----w- c:\program files\ADNI
    2010-04-29 23:06:44 0 d-----w- c:\docume~1\salfan~1\applic~1\SumatraPDF
    2010-04-29 22:41:27 0 d-----w- c:\program files\SumatraPDF
    2010-04-28 13:03:21 0 d-----w- c:\windows\system32\wbem\Repository
    2010-04-28 13:02:45 0 d-----w- c:\program files\AccuWeather.com Stratus
    2010-04-25 23:11:07 0 d-----w- c:\program files\Adobe(2)
    2010-04-25 23:07:10 0 d-----w- c:\program files\common files\Adobe AIR(2)
    2010-04-16 00:02:15 3686454 ---ha-w- c:\windows\system32\toyhide.bmp

    ==================== Find3M ====================

    2010-05-11 12:17:30 4212 ---ha-w- c:\windows\system32\zllictbl.dat
    2010-03-21 00:27:18 1704526 ----a-w- C:\setup_xp.exe
    2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
    2010-02-19 13:50:15 23113 ----a-w- c:\windows\hpqins15.dat
    2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\ntoskrnl.exe
    2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\ntkrnlpa.exe
    2010-02-12 04:33:11 100864 ------w- c:\windows\system32\6to4svc.dll
    2002-09-11 14:26:52 63730 ----a-w- c:\program files\viewsonicinstruct_xp.pdf
    2008-04-14 00:12:40 73728 --sha-w- c:\windows\registeredpackages\{dd90d410-1823-43eb-9a16-a2331bf08799}$backup$\system\wmplayer.exe
    2009-02-19 00:05:55 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009021820090219\index.dat

    ============= FINISH: 11:20:48.39 ===============
     
  5. 2010/05/11
    Sfantasia (Thread Starter)

    Is this malware

    ATTACH.TXT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 1/29/2009 2:11:43 PM
    System Uptime: 5/11/2010 6:58:22 AM (5 hours ago)

    Motherboard: Intel Corporation | | D865PERL
    Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | J2E1 | 2992/200mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 75 GiB total, 10.71 GiB free.
    D: is FIXED (NTFS) - 37 GiB total, 29.256 GiB free.
    E: is FIXED (NTFS) - 70 GiB total, 55.138 GiB free.
    F: is FIXED (NTFS) - 70 GiB total, 69.08 GiB free.
    G: is FIXED (NTFS) - 70 GiB total, 64.997 GiB free.
    H: is FIXED (NTFS) - 70 GiB total, 67.021 GiB free.
    I: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID:
    Description: Multimedia Audio Controller
    Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_E0008086&REV_02\3&267A616A&0&FD
    Manufacturer:
    Name: Multimedia Audio Controller
    PNP Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_E0008086&REV_02\3&267A616A&0&FD
    Service:

    ==== System Restore Points ===================

    RP484: 4/26/2010 3:49:26 PM - Removed AccuWeather.com Stratus
    RP485: 4/26/2010 8:26:21 PM - Restore Operation
    RP486: 4/26/2010 10:04:37 PM - Removed AccuWeather.com Stratus
    RP487: 4/26/2010 10:21:48 PM - Removed AccuWeather.com Stratus
    RP488: 4/28/2010 7:54:43 AM - Restore Operation
    RP489: 4/28/2010 11:19:23 AM - Removed AccuWeather.com Stratus
    RP490: 4/29/2010 3:29:17 PM - System Checkpoint
    RP491: 4/29/2010 4:18:56 PM - Printer Driver Amyuni Document Converter 2.50 Installed
    RP492: 5/1/2010 8:16:17 AM - System Checkpoint
    RP493: 5/2/2010 8:26:22 AM - System Checkpoint
    RP494: 5/2/2010 7:52:05 PM - Configured Amazon Unbox Video
    RP495: 5/2/2010 7:57:19 PM - Configured Amazon Unbox Video
    RP496: 5/2/2010 8:25:18 PM - Configured Amazon Unbox Video
    RP497: 5/2/2010 8:31:54 PM - Configured Amazon Unbox Video
    RP498: 5/2/2010 8:59:04 PM - Configured Amazon Unbox Video
    RP499: 5/2/2010 9:59:21 PM - Configured Amazon Unbox Video
    RP500: 5/2/2010 10:04:08 PM - Installed Windows XP KB942288-v3.
    RP501: 5/2/2010 10:16:47 PM - Configured Amazon Unbox Video
    RP502: 5/2/2010 11:18:04 PM - Configured Amazon Unbox Video
    RP503: 5/3/2010 1:05:13 PM - Configured Amazon Unbox Video
    RP504: 5/3/2010 1:16:30 PM - Installed Windows XP KB942288-v3.
    RP505: 5/3/2010 1:33:56 PM - Configured Amazon Unbox Video
    RP506: 5/4/2010 12:24:49 PM - Configured Amazon Unbox Video
    RP507: 5/7/2010 9:57:54 AM - System Checkpoint
    RP508: 5/7/2010 11:13:54 AM - Installed Java(TM) 6 Update 20
    RP509: 5/9/2010 8:13:57 AM - System Checkpoint
    RP510: 5/9/2010 6:53:50 PM - Configured Amazon Unbox Video
    RP511: 5/9/2010 7:34:35 PM - Configured Amazon Unbox Video
    RP512: 5/9/2010 7:39:53 PM - Configured Amazon Unbox Video
    RP513: 5/9/2010 9:30:48 PM - CLEAN REGISTRY
    RP514: 5/9/2010 9:51:47 PM - Configured Amazon Unbox Video
    RP515: 5/10/2010 11:31:33 AM - Removed Microsoft Speech SDK 5.1
    RP516: 5/10/2010 12:00:36 PM - Configured Amazon Unbox Video
    RP517: 5/10/2010 12:25:21 PM - Installed Microsoft Speech SDK 5.1
    RP518: 5/10/2010 3:45:23 PM - Installed Windows Installer Clean Up
    RP519: 5/10/2010 4:27:36 PM - Removed Advanced Installer 6.9.1
    RP520: 5/10/2010 4:41:57 PM - Installed Amazon Unbox Video
    RP521: 5/10/2010 4:44:56 PM - Installed Windows Media Format 11 SDK KB939209.
    RP522: 5/10/2010 4:56:47 PM - Configured Amazon Unbox Video
    RP523: 5/10/2010 5:01:31 PM - Configured Amazon Unbox Video
    RP524: 5/10/2010 5:09:35 PM - Installed Amazon Unbox Video
    RP525: 5/10/2010 5:12:20 PM - Installed Windows Media Format 11 SDK KB939209.
    RP526: 5/10/2010 5:50:44 PM - Configured Amazon Unbox Video
    RP527: 5/10/2010 6:29:37 PM - Installed Amazon Unbox Video
    RP528: 5/10/2010 6:32:13 PM - Installed Windows Media Format 11 SDK KB939209.
    RP529: 5/10/2010 9:44:22 PM - Configured Amazon Unbox Video
    RP530: 5/10/2010 10:59:19 PM - Installed Amazon Unbox Video
    RP531: 5/10/2010 11:20:11 PM - Configured Amazon Unbox Video
    RP532: 5/10/2010 11:23:17 PM - Configured Amazon Unbox Video
    RP533: 5/11/2010 7:12:41 AM - Configured Amazon Unbox Video
    RP534: 5/11/2010 10:33:30 AM - Installed Amazon Unbox Video

    ==== Installed Programs ======================

    32 Bit HP CIO Components Installer
    3D Windows XP Screen Saver
    6000E609_eDocs
    6000E609_Help
    6000E609a
    Acrobat.com
    Adobe Download Manager
    Adobe Flash Player 10 ActiveX
    AI RoboForm
    Amazon Unbox Video
    Apache HTTP Server 2.0.59
    APC PowerChute Personal Edition
    ASAP Utilities
    ATI - Software Uninstall Utility
    ATI Display Driver
    Atomic Clock Sync
    AutoHotkey 1.0.47.04
    BoldChat v5.50
    BPDSoftware
    BPDSoftware_Ini
    BufferChm
    CA Anti-Spam
    CA Anti-Spyware
    CA Anti-Virus
    CA Internet Security Suite
    Clear Cache feature for Internet Explorer
    Clever Icons Horizon Christmas 2006 Set
    CLO
    ClocX (1.5b2)
    Cool Edit Pro 2.0
    Coupon Printer for Windows
    Creative MediaSource 5
    Creative Software AutoUpdate
    Creative System Information
    Creative Vienna SoundFont Studio
    Creative WaveStudio 7
    DAO 3.5
    DeviceDiscovery
    Diskeeper 2010 Home
    Facebook Plug-In
    FavOrg
    Google Earth
    Google Toolbar for Internet Explorer
    Google Update Helper
    GPBaseService2
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Format 11 SDK (KB939209)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB942288-v3)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    HP Customer Participation Program 12.0
    HP Driver Diagnostics
    HP Imaging Device Functions 12.0
    HP Officejet 6000 E609 Series
    HP Product Detection
    HP Smart Web Printing 4.60
    HP Solution Center 13.0
    HP Update
    HPSSupply
    IconForge beta version 7.20
    ICQ6.5
    ieSpell
    Intel(R) Active Monitor
    Intel(R) Network Connections 13.0.42.0
    Jasc Animation Shop 3
    Jasc Animation Shop 3 20041030_07 Help file Patch
    Jasc Paint Shop Pro 9
    Jasc Paint Shop Pro 9 GDI+ Patch
    Jasc Paint Shop Pro 9.01 - (9.0.1.1)
    Java Auto Updater
    Java(TM) 6 Update 20
    Java(TM) 6 Update 7
    Junk Mail filter update
    Lotus Organizer 6.0
    MarketResearch
    Messenger Plus! Live
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Color Control Panel Applet for Windows XP
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Excel 2000 SR-1
    Microsoft FrontPage 2000 SR-1
    Microsoft IntelliPoint 6.3
    Microsoft IntelliType Pro 6.3
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Internet Explorer 5 PowerTweaks Web Accessory
    Microsoft National Language Support Downlevel APIs
    Microsoft Office PowerPoint Viewer 2003
    Microsoft Office Sounds
    Microsoft PhotoDraw 2000 V2
    Microsoft Silverlight
    Microsoft Speech SDK 5.1
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    MSVCRT
    MSVCSetup
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser (KB933579)
    Network
    OpenOffice.org 3.0
    OutFront Web Template
    PrintKey2000
    ProductContext
    Quicken 2006
    Renaissance Games Online
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB981349)
    Segoe UI
    Shop for HP Supplies
    SmartWebPrinting
    SolutionCenter
    Sonic Backup MyPC Special Edition for HP
    Sonic Update Manager
    Sound Blaster Audigy
    Star Envelope Printer Pro v5.01
    Status
    Sumatra PDF reader
    The Real Yellow Pages v7.1.2
    Toolbox
    TrayApp
    TWC Customer Controls
    Tweak UI
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows Internet Explorer 7 (KB980182)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VC 9.0 Runtime
    ViewSonic Monitor Drivers
    ViewSonic Windows XP Signed Files
    Visual Business Cards 4
    Wallpaper Changer for Windows XP
    WebFldrs XP
    WebReg
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Installer Clean Up
    Windows Internet Explorer 7
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WinZip
    Xara3D6
    XMLinst
    ZoneAlarm Pro

    ==== Event Viewer Messages From Past Week ========

    5/6/2010 7:58:17 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer PROFESSIONAL that believes that it is the master browser for the domain on transport NetBT_Tcpip_{4AEF8857-1ECF-4. The master browser is stopping or an election is being forced.
    5/4/2010 3:56:23 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the TrueVector Internet Monitor service to connect.
    5/4/2010 3:56:23 PM, error: Service Control Manager [7000] - The TrueVector Internet Monitor service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    5/4/2010 3:54:47 PM, error: NetBT [4321] - The name "MSHOME :1d" could not be registered on the Interface with IP address 192.168.0.100. The machine with the IP address 192.168.0.101 did not allow the name to be claimed by this machine.
    5/4/2010 3:54:25 PM, error: Service Control Manager [7000] - The PPCtlPriv service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    5/4/2010 3:54:24 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PPCtlPriv service to connect.
    5/4/2010 3:54:24 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service PPCtlPriv with arguments " " in order to run the server: {F974178A-A284-440A-BEFC-5B0D11BCDB68}
    5/4/2010 3:48:17 PM, information: Windows File Protection [64017] - Windows File Protection file scan completed successfully.
    5/4/2010 3:09:27 PM, information: Windows File Protection [64016] - Windows File Protection file scan was started.
    5/10/2010 4:43:08 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Amazon Unbox Video Service service to connect.
    5/10/2010 4:43:01 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.CRT. Reference error message: The referenced assembly is not installed on your system. .
    5/10/2010 4:43:01 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Amazon\Amazon Unbox Video\FormatChangeFix.ax. Reference error message: The operation completed successfully. .
    5/10/2010 4:43:01 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
    5/10/2010 11:32:07 AM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The system cannot find the file specified.
    5/10/2010 11:12:59 PM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\system32\FormatChangeFix.ax. Reference error message: The operation completed successfully. .

    ==== End Of File ===========================
     
  6. 2010/05/11
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure you update Malwarebytes before running the scans.***


    STEP 1. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically, which is not necessary for our purposes.)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When scan is completed, click Save button, and save the results as gmer.log
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.

    RESTART COMPUTER

    STEP 3. Download HijackThis:
    http://free.antivirus.com/hijackthis/
    by clicking on Installer under Version 2.0.4
    Install, and run it.
    Post HijackThis log.
    NOTE. If you're using Vista or 7, right-click on HijackThis and click Run as Administrator.
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  7. 2010/05/12
    Sfantasia

    Sfantasia Inactive Thread Starter

    Joined:
    2002/02/22
    Messages:
    165
    Likes Received:
    0
    Is this malware

    OK, I followed the instructions; however, when I ran GMER it started scanning, but after a while it just seemed to stop when the scan info showed

    Sections C:\Windows\System32\Sychost.exe [1236]
    C:\Windows\System32\SHELL32.dll

    After about 30 minutes I clicked on Stop and a message came up saying the program was still scanning, so I canceled the stop. After it ran for another 30 minutes or so I just stopped it, rebooted and ran HijackThis. Please advise what to do concerning GMER.

    The Malwarebytes log is below and I will post the HiJackThis log in a following reply.

    MALWAREBYTES

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4093

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    5/12/2010 12:20:53 PM
    mbam-log-2010-05-12 (12-20-53).txt

    Scan type: Quick scan
    Objects scanned: 124332
    Time elapsed: 15 minute(s), 9 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Files.exe (Trojan.Agent) -> Quarantined and deleted successfully.
     
  8. 2010/05/12
    Sfantasia

    Sfantasia Inactive Thread Starter

    Joined:
    2002/02/22
    Messages:
    165
    Likes Received:
    0
    Is this malware

    HIJACKTHIS

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 1:16:59 PM, on 5/12/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.17023)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ups.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
    C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
    C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
    C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\ClocX\ClocX.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
    C:\Program Files\Atomic Clock Sync\Atomic.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\PrintKey2000\Printkey2000.exe
    D:\Utilities\Tray It\TrayIt!.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\DOCUME~1\SALFAN~1\LOCALS~1\Temp\{C108A2B3-E5F4-4232-8428-3DBCEC1A11D4}\adni18_Weather_II.exe
    C:\Program Files\WallpaperToy\Wallpapertoy.Exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe "
    O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe "
    O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe "
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
    O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe "
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe "
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe "
    O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe "
    O4 - Startup: adni18_Weather_II.lnk = C:\Program Files\ADNI\adni18_Weather_II.exe
    O4 - Startup: APC UPS Status.lnk = ?
    O4 - Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
    O4 - Startup: TrayIt!.lnk = D:\Utilities\Tray It\TrayIt!.exe
    O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
    O4 - Global Startup: Amazon Unbox.lnk = C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
    O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
    O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
    O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MI1933~1\Office\1033\phdintl.dll/phdContext.htm
    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
    O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
    O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - c:\lotus\organize\bandobjs.dll
    O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
    O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
    O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\system32\oline.dll
    O15 - Trusted Zone: http://www.ablazewithtraffic.com
    O15 - Trusted Zone: http://*.ablazewithtraffic.com
    O15 - Trusted Zone: http://www.ablazewithtraffic.org
    O15 - Trusted Zone: http://couponing.about.com
    O15 - Trusted Zone: http://get.adobe.com
    O15 - Trusted Zone: http://*.adultfriendfinder.com
    O15 - Trusted Zone: http://support.amd.com
    O15 - Trusted Zone: http://www.amd.com
    O15 - Trusted Zone: http://www.bettycrocker.com
    O15 - Trusted Zone: http://www.bfnsoftware.com
    O15 - Trusted Zone: http://www.buy.com
    O15 - Trusted Zone: http://shop.ca.com
    O15 - Trusted Zone: http://www.characterarcade.com
    O15 - Trusted Zone: http://*.characterarcade.com
    O15 - Trusted Zone: http://www.classmates.com
    O15 - Trusted Zone: http://download.cnet.com
    O15 - Trusted Zone: http://www.coolsavings.com
    O15 - Trusted Zone: http://www.couponmom.com
    O15 - Trusted Zone: http://bricks.coupons.com
    O15 - Trusted Zone: http://microsite.coupons.com
    O15 - Trusted Zone: http://print.coupons.com
    O15 - Trusted Zone: http://www.coupons.com
    O15 - Trusted Zone: http://zynga.custhelp.com
    O15 - Trusted Zone: http://www.download.com
    O15 - Trusted Zone: http://www.envision-hits.com
    O15 - Trusted Zone: http://apps.facebook.com
    O15 - Trusted Zone: http://www.facebook.com
    O15 - Trusted Zone: http://*.fansgifts.com
    O15 - Trusted Zone: http://members.****direct.com
    O15 - Trusted Zone: http://www.grocerycouponnetwork.com
    O15 - Trusted Zone: http://www.heb.com
    O15 - Trusted Zone: http://h10025.www1.hp.com
    O15 - Trusted Zone: http://h20270.www2.hp.com
    O15 - Trusted Zone: http://www.shopping.hp.com
    O15 - Trusted Zone: http://cgi1.igl.net
    O15 - Trusted Zone: http://hoylegames.igl.net
    O15 - Trusted Zone: http://www.igl.net
    O15 - Trusted Zone: http://www4.igl.net
    O15 - Trusted Zone: http://downloadcenter.intel.com
    O15 - Trusted Zone: http://www.java.com
    O15 - Trusted Zone: http://*.java.com
    O15 - Trusted Zone: http://www.kens5.com
    O15 - Trusted Zone: http://www.kraftfirsttaste.com
    O15 - Trusted Zone: http://www.kraftfoods.com
    O15 - Trusted Zone: http://www.landolakes.com
    O15 - Trusted Zone: http://www.mapquest.com
    O15 - Trusted Zone: http://montastic-wiki.metadot.net
    O15 - Trusted Zone: http://www.mysanantonio.com
    O15 - Trusted Zone: http://hjt.networktechs.com
    O15 - Trusted Zone: http://www.nidink.com
    O15 - Trusted Zone: http://www.noradsanta.org
    O15 - Trusted Zone: http://homepage.ntlworld.com
    O15 - Trusted Zone: http://publicrecords.onlinesearches.com
    O15 - Trusted Zone: http://survey.otxresearch.com
    O15 - Trusted Zone: http://www.pcpitstop.com
    O15 - Trusted Zone: http://www.pillsbury.com
    O15 - Trusted Zone: http://tiki-fb-active-vip.playdom.com
    O15 - Trusted Zone: http://www.powerplay4all.com
    O15 - Trusted Zone: http://coupons.redplum.com
    O15 - Trusted Zone: http://www.rengamesonline.com
    O15 - Trusted Zone: http://www.rewardshotline.com
    O15 - Trusted Zone: http://herhelp01.ndc.rr.com
    O15 - Trusted Zone: http://webmail.satx.rr.com
    O15 - Trusted Zone: http://www.rr.com
    O15 - Trusted Zone: http://*.salfantasia.us
    O15 - Trusted Zone: http://www.sendearnings.com
    O15 - Trusted Zone: http://www.slashkey.com
    O15 - Trusted Zone: http://couponmom.coupons.smartsource.com
    O15 - Trusted Zone: http://coupons.smartsource.com
    O15 - Trusted Zone: http://coupons2.smartsource.com
    O15 - Trusted Zone: http://www.smcorp.com
    O15 - Trusted Zone: http://www.softpedia.com
    O15 - Trusted Zone: http://www.surfcash.us
    O15 - Trusted Zone: http://www.surveymonkey.com
    O15 - Trusted Zone: http://*.sushiavenue.com
    O15 - Trusted Zone: http://www.thedailyplate.com
    O15 - Trusted Zone: http://*.thepiratebay.org
    O15 - Trusted Zone: http://www.timewarnercable.com
    O15 - Trusted Zone: http://*.trafficdynamitepro.com
    O15 - Trusted Zone: http://www.txlottery.org
    O15 - Trusted Zone: http://www.uclick.com
    O15 - Trusted Zone: http://cseweb.ucsd.edu
    O15 - Trusted Zone: http://www.usps.com
    O15 - Trusted Zone: http://www.valpak.com
    O15 - Trusted Zone: http://www.walmart.com
    O15 - Trusted Zone: http://www.webexhibits.org
    O15 - Trusted Zone: http://members.webs.com
    O15 - Trusted Zone: http://missyouhoyle.webs.com
    O15 - Trusted Zone: http://www.windowsbbs.com
    O15 - Trusted Zone: http://www.wordsteal.com
    O15 - Trusted Zone: http://www.yourcgi.com
    O15 - Trusted Zone: http://www.youtube.com
    O15 - Trusted Zone: http://download.zonealarm.com
    O15 - Trusted Zone: http://promotions.zonealarm.com
    O15 - Trusted Zone: http://toolbar.zynga.com
    O15 - Trusted IP range: http://99.242.228.10
    O15 - Trusted IP range: http://64.46.38.86
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
    O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://download.gamedesire.com/g_bin/eng/boards_2_0_0_35.cab
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - https://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab
    O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://coupons.smartsource.com/download/cscmv5X.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1233262970812
    O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233263033046
    O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://www.igl.net/clo/install/CLOActiveXInstallerProj1.cab
    O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
    O16 - DPF: {7A0D1738-10EA-47FF-92BE-4E137B5BE1A4} (Stm Class) - https://mpsnare.iesnare.com/StmOCX.cab
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
    O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} (DDRevision Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) -
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareupdate/su/ocx/15111/CTPID.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: CaCCProvSP - Unknown owner - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
    O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
    O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 19815 bytes
     
  9. 2010/05/12
    broni Moderator Malware Analyst
    .....
     
  10. 2010/05/16
    Sfantasia Inactive Thread Starter
    Is this malware

    Sorry I took so long to reply; I had to resolve some personal health issues. I had to run GMER in safe mode, but it finally completed. It took a long time to complete, but here is the log. I hope the fact that the log is so short means that it didn't find anything seriously wrong.

    GMER

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-05-16 07:22:49
    Windows 5.1.2600 Service Pack 3
    Running: 5pjx68hd.exe; Driver: C:\DOCUME~1\SALFAN~1\LOCALS~1\Temp\uwtyykow.sys


    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000d3aa5714f
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00125a9bb528
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000d3aa5714f (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00125a9bb528 (not active ControlSet)

    ---- EOF - GMER 1.0.15 ----

    Thanks for your help.
     
  11. 2010/05/16
    broni Moderator Malware Analyst
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename ComboFix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If ComboFix asks you to install Recovery Console, please allow it.
      NOTE 2. If ComboFix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
      • If there is no internet connection after running ComboFix, then restart your computer to restore your connection.
    4. Double-click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with ComboFix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.) until it's officially declared clean!!!
     
  12. 2010/05/17
    Sfantasia Inactive Thread Starter
    Is this malware

    COMBOFIX

    ComboFix 10-05-16.02 - Sal Fantasia 05/17/2010 13:50:45.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2856 [GMT -5:00]
    Running from: c:\documents and settings\Sal Fantasia\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\Downloaded Program Files\ODCTOOLS
    c:\windows\system32\ati2evxx(10).dll
    c:\windows\system32\ati2evxx(11).dll
    c:\windows\system32\ati2evxx(12).dll
    c:\windows\system32\ati2evxx(13).dll
    c:\windows\system32\ati2evxx(14).dll
    c:\windows\system32\ati2evxx(15).dll
    c:\windows\system32\ati2evxx(16).dll
    c:\windows\system32\ati2evxx(17).dll
    c:\windows\system32\ati2evxx(18).dll
    c:\windows\system32\ati2evxx(19).dll
    c:\windows\system32\ati2evxx(2).dll
    c:\windows\system32\ati2evxx(20).dll
    c:\windows\system32\ati2evxx(21).dll
    c:\windows\system32\ati2evxx(3).dll
    c:\windows\system32\ati2evxx(4).dll
    c:\windows\system32\ati2evxx(5).dll
    c:\windows\system32\ati2evxx(6).dll
    c:\windows\system32\ati2evxx(7).dll
    c:\windows\system32\ati2evxx(8).dll
    c:\windows\system32\ati2evxx(9).dll
    c:\windows\system32\atipdlxx(10).dll
    c:\windows\system32\atipdlxx(11).dll
    c:\windows\system32\atipdlxx(12).dll
    c:\windows\system32\atipdlxx(13).dll
    c:\windows\system32\atipdlxx(14).dll
    c:\windows\system32\atipdlxx(15).dll
    c:\windows\system32\atipdlxx(16).dll
    c:\windows\system32\atipdlxx(17).dll
    c:\windows\system32\atipdlxx(18).dll
    c:\windows\system32\atipdlxx(19).dll
    c:\windows\system32\atipdlxx(2).dll
    c:\windows\system32\atipdlxx(20).dll
    c:\windows\system32\atipdlxx(21).dll
    c:\windows\system32\atipdlxx(3).dll
    c:\windows\system32\atipdlxx(4).dll
    c:\windows\system32\atipdlxx(5).dll
    c:\windows\system32\atipdlxx(6).dll
    c:\windows\system32\atipdlxx(7).dll
    c:\windows\system32\atipdlxx(8).dll
    c:\windows\system32\atipdlxx(9).dll
    c:\windows\system32\BSTIEPrintCtl1.dll
    c:\windows\system32\Data

    .
    ((((((((((((((((((((((((( Files Created from 2010-04-17 to 2010-05-17 )))))))))))))))))))))))))))))))
    .

    2010-05-16 18:32 . 2010-05-16 18:32 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
    2010-05-13 17:09 . 2010-05-13 17:09 1752542 ----a-w- C:\rgo_installer.exe
    2010-05-12 16:59 . 2010-05-12 16:59 388096 ----a-r- c:\documents and settings\Sal Fantasia\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-05-12 16:59 . 2010-05-12 16:59 -------- d-----w- c:\program files\Trend Micro
    2010-05-12 16:31 . 2010-05-12 16:31 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-05-12 14:23 . 2010-05-12 14:23 -------- d-----w- c:\documents and settings\Sal Fantasia\Application Data\Malwarebytes
    2010-05-12 14:22 . 2010-05-12 14:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-05-10 20:45 . 2010-05-10 20:45 3584 ----a-r- c:\documents and settings\Sal Fantasia\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
    2010-05-10 20:45 . 2010-05-10 20:45 -------- d-----w- c:\program files\Windows Installer Clean Up
    2010-05-10 20:44 . 2010-05-10 20:44 -------- d-----w- c:\program files\MSECACHE
    2010-05-10 17:25 . 2010-05-10 17:25 -------- d-----w- c:\program files\Microsoft Speech SDK 5.1
    2010-05-07 16:14 . 2010-04-12 22:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-05-05 03:44 . 2010-05-05 03:45 -------- d-----w- c:\program files\ADNI
    2010-04-29 23:06 . 2010-04-29 23:07 -------- d-----w- c:\documents and settings\Sal Fantasia\Application Data\SumatraPDF
    2010-04-29 22:41 . 2010-04-29 22:41 -------- d-----w- c:\program files\SumatraPDF
    2010-04-28 13:02 . 2010-04-28 13:02 -------- d-----w- c:\program files\AccuWeather.com Stratus
    2010-04-27 03:16 . 2010-04-27 03:16 15849560 ----a-w- c:\documents and settings\Sal Fantasia\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airinstaller1x0\airinstaller1x0.exe
    2010-04-27 02:07 . 2010-04-27 02:07 -------- d-----w- c:\program files\NOS
    2010-04-27 02:06 . 2010-05-16 18:33 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2010-04-25 23:11 . 2010-04-27 02:05 -------- d-----w- c:\program files\Adobe(2)
    2010-04-25 23:07 . 2010-04-27 02:05 -------- d-----w- c:\program files\Common Files\Adobe AIR(2)

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-17 18:40 . 2009-12-31 02:57 -------- d-----w- c:\documents and settings\Sal Fantasia\Application Data\HPAppData
    2010-05-15 23:58 . 2010-04-06 01:32 -------- d-----w- c:\program files\RenGames
    2010-05-13 19:19 . 2009-01-31 20:45 -------- d-----w- c:\documents and settings\Sal Fantasia\Application Data\ICQ
    2010-05-12 00:50 . 2009-02-01 01:55 -------- d-----w- c:\program files\Visual Business Cards
    2010-05-10 21:28 . 2009-04-20 12:36 -------- d-----w- c:\program files\Caphyon
    2010-05-07 16:14 . 2009-01-30 04:23 -------- d-----w- c:\program files\Java
    2010-05-03 01:15 . 2009-01-29 20:14 102520 ----a-w- c:\documents and settings\Sal Fantasia\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-04-29 22:45 . 2009-12-31 02:48 -------- d-----w- c:\program files\Yahoo!
    2010-04-29 22:45 . 2009-02-02 16:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2010-04-29 22:02 . 2009-08-17 19:23 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-04-28 15:56 . 2009-01-31 19:15 -------- d-----w- c:\program files\Messenger Plus! Live
    2010-04-27 02:05 . 2009-01-29 23:53 -------- d-----w- c:\program files\Common Files\Adobe
    2010-04-20 01:06 . 2009-02-01 02:04 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-04-20 01:05 . 2009-02-02 05:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-04-20 01:05 . 2009-02-01 02:04 -------- d-----w- c:\documents and settings\Sal Fantasia\Application Data\Spybot - Search & Destroy
    2010-04-16 17:47 . 2010-01-01 03:19 -------- d-----w- c:\documents and settings\Sal Fantasia\Application Data\HpUpdate
    2010-04-07 22:49 . 2009-02-01 05:26 -------- d-----w- c:\program files\Google
    2010-04-01 03:09 . 2009-01-31 02:43 -------- d-----w- c:\program files\Common Files\Java
    2010-03-27 21:43 . 2009-08-19 12:29 -------- d-----w- c:\documents and settings\Sal Fantasia\Application Data\Uniblue
    2010-03-27 21:43 . 2010-03-27 21:43 -------- d-----w- c:\program files\Uniblue
    2010-03-24 13:35 . 2009-01-29 23:26 -------- d-----w- c:\program files\Creative
    2010-03-24 13:34 . 2009-01-29 20:40 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-03-24 13:18 . 2009-01-29 23:30 -------- d--h--w- c:\program files\Creative Installation Information
    2010-03-24 13:00 . 2010-03-24 12:58 54743966 ----a-w- c:\documents and settings\All Users\Application Data\Creative\Software Update\cache\Creative MediaSource Player_Organizer 3.30.21__\CMS_PCAPP_LB_3_30_21.exe
    2010-03-24 12:58 . 2010-03-24 12:58 12907880 ----a-w- c:\documents and settings\All Users\Application Data\Creative\Software Update\cache\Creative WaveStudio 7.12.00__\WAVESTD_PCAPP_LB_7_12_00.exe
    2010-03-24 12:58 . 2010-03-24 12:57 37634288 ----a-w- c:\documents and settings\All Users\Application Data\Creative\Software Update\cache\Creative MediaSource 5 Player_Organizer 5.26.02__\CMS5_PCAPP_LB_5_26_02.exe
    2010-03-24 12:50 . 2010-03-24 12:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Creative
    2010-03-21 00:27 . 2009-07-26 20:43 1704526 ----a-w- C:\setup_xp.exe
    2010-03-11 12:38 . 2006-02-28 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-03-11 12:38 . 2009-06-26 19:53 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-11 12:38 . 2006-02-28 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-03-09 11:09 . 2006-02-28 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll
    2010-03-09 01:52 . 2010-03-09 01:52 50354 ----a-w- c:\documents and settings\Sal Fantasia\Application Data\Facebook\uninstall.exe
    2010-03-06 05:30 . 2010-03-06 05:30 847040 ----a-w- c:\documents and settings\Sal Fantasia\Application Data\Facebook\axfbootloader.dll
    2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\Sal Fantasia\Application Data\Facebook\npfbplugin_1_0_3.dll
    2010-02-24 13:11 . 2006-02-28 12:00 455680 ------w- c:\windows\system32\drivers\mrxsmb.sys
    2010-02-19 13:50 . 2010-02-19 13:45 23113 ----a-w- c:\windows\hpqins15.dat
    2002-09-11 14:26 . 2009-07-17 23:12 63730 ----a-w- c:\program files\viewsonicinstruct_xp.pdf
    2008-04-14 00:12 . 2010-01-31 14:09 73728 --sha-w- c:\windows\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-03-07 160328]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
    "IMONTRAY"="c:\program files\Intel\Intel(R) Active Monitor\imontray.exe" [2005-05-03 32768]
    "P17Helper"="P17.dll" [2005-05-03 64512]
    "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
    "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
    "ClocX"="c:\program files\ClocX\ClocX.exe" [2007-07-26 270336]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-01-08 1496968]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]
    "CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "Atomic.exe"="c:\program files\Atomic Clock Sync\Atomic.exe" [2004-06-17 524288]

    c:\documents and settings\Sal Fantasia\Start Menu\Programs\Startup\
    adni18_Weather_II.lnk - c:\program files\ADNI\adni18_Weather_II.exe [2009-7-12 2182144]
    APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2009-7-27 221247]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
    Printkey2000.lnk - c:\program files\PrintKey2000\Printkey2000.exe [2009-11-22 869376]
    TrayIt!.lnk - d:\utilities\Tray It\TrayIt!.exe [2007-7-18 204800]
    Wallpaper Changer.lnk - c:\program files\WallpaperToy\Wallpapertoy.Exe [2009-1-29 110592]

    [HKLM\~\startupfolder\C:^Documents and Settings^Sal Fantasia^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Apache2"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
    "c:\\Program Files\\ICQ6.5\\ICQ.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
    "c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=

    R3 DKRtWrt;DKRtWrt;c:\windows\system32\drivers\DKRtWrt.sys [1/28/2010 3:27 PM 41504]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/31/2010 12:35 PM 135664]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 17:34]

    2010-03-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 17:34]

    2010-03-13 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
    - c:\program files\Microsoft IntelliPoint\ipoint.exe [2009-01-07 23:57]

    2010-03-13 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
    - c:\program files\Microsoft IntelliType Pro\itype.exe [2009-01-08 00:45]

    2009-10-28 c:\windows\Tasks\Microsoft_Hardware_Launch_rundll32_exe.job
    - ?????w??!??>url.dll,OpenURL http://go.microsoft.com/fwlink/?LinkId=116866?????Sal Fantasia?????????????????? [2010-05-17 13:00]

    2009-10-28 c:\windows\Tasks\Microsoft_Hardware_Launch_rundll32_exe.job
    - ?????w??!??>url.dll,OpenURL http://go.microsoft.com/fwlink/?LinkId=116866?????Sal Fantasia?????????????????? [2010-05-17 18:49]

    2010-05-17 c:\windows\Tasks\User_Feed_Synchronization-{A4CFDD50-F7FA-42AA-9879-C26EA92A28EB}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-14 00:36]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: &Copy Location - c:\windows\WEB\graburl.htm
    IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
    IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
    IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
    IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
    IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\MI1933~1\Office\1033\phdintl.dll/phdContext.htm
    IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    IE: {{B06300D0-CCDE-11d2-92D3-0000F87A4A55} - {C651A691-CCD9-11D2-92D3-0000F87A4A55} - c:\windows\system32\webzone.dll
    IE: {{B4E30F61-16D9-11D3-85D1-005004229569} - {85E0B172-04FA-11D1-B7DA-00A0C90348D6} - c:\lotus\organize\bandobjs.dll
    IE: {{BF80219A-CCDD-11d2-92D3-0000F87A4A55} - {C651A693-CCD9-11D2-92D3-0000F87A4A55} - c:\windows\system32\webzone.dll
    IE: {{FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - {A58D06D4-CA90-11D2-92D2-0000F87A4A55} - c:\windows\system32\oline.dll
    Trusted Zone: a1agiftsonline.com\www
    Trusted Zone: ablazewithtraffic.com
    Trusted Zone: ablazewithtraffic.com\www
    Trusted Zone: ablazewithtraffic.org\www
    Trusted Zone: about.com\couponing
    Trusted Zone: adobe.com\get
    Trusted Zone: adultfriendfinder.com
    Trusted Zone: adultfriendfinder.com\secure
    Trusted Zone: amd.com\support
    Trusted Zone: amd.com\www
    Trusted Zone: att.com\ebill04
    Trusted Zone: bettycrocker.com\www
    Trusted Zone: bfnsoftware.com\www
    Trusted Zone: blank
    Trusted Zone: buy.com\www
    Trusted Zone: ca.com\shop
    Trusted Zone: characterarcade.com
    Trusted Zone: characterarcade.com\www
    Trusted Zone: chase.com\chaseonline
    Trusted Zone: classmates.com\www
    Trusted Zone: cnet.com\download
    Trusted Zone: convergentcare.com\twdal
    Trusted Zone: coolsavings.com\www
    Trusted Zone: couponmom.com\www
    Trusted Zone: coupons.com\bricks
    Trusted Zone: coupons.com\microsite
    Trusted Zone: coupons.com\print
    Trusted Zone: coupons.com\www
    Trusted Zone: craigslist.org\accounts
    Trusted Zone: craigslist.org\post
    Trusted Zone: custhelp.com\zynga
    Trusted Zone: download.com\www
    Trusted Zone: envision-hits.com\www
    Trusted Zone: facebook.com\apps
    Trusted Zone: facebook.com\www
    Trusted Zone: fansgifts.com
    Trusted Zone: frostbank.com\www
    Trusted Zone: ****direct.com\members
    Trusted Zone: google.com\maps
    Trusted Zone: google.com\www
    Trusted Zone: grocerycouponnetwork.com\www
    Trusted Zone: heb.com\www
    Trusted Zone: hp.com\h10025.www1
    Trusted Zone: hp.com\h20270.www2
    Trusted Zone: hp.com\wimpro.cce
    Trusted Zone: hp.com\www.shopping
    Trusted Zone: igl.net\cgi1
    Trusted Zone: igl.net\hoylegames
    Trusted Zone: igl.net\www
    Trusted Zone: igl.net\www4
    Trusted Zone: intel.com\downloadcenter
    Trusted Zone: internet
    Trusted Zone: java.com
    Trusted Zone: java.com\www
    Trusted Zone: jrsmedical.com\www
    Trusted Zone: kens5.com\www
    Trusted Zone: kraftfirsttaste.com\www
    Trusted Zone: kraftfoods.com\www
    Trusted Zone: landolakes.com\www
    Trusted Zone: mapquest.com\www
    Trusted Zone: metadot.net\montastic-wiki
    Trusted Zone: microsoft.com\oas.support
    Trusted Zone: microsoft.com\office
    Trusted Zone: microsoft.com\profile
    Trusted Zone: microsoft.com\support
    Trusted Zone: microsoft.com\update
    Trusted Zone: microsoft.com\www
    Trusted Zone: myecount.com\www
    Trusted Zone: mysanantonio.com\www
    Trusted Zone: mysurvey.com\www
    Trusted Zone: networktechs.com\hjt
    Trusted Zone: nidink.com\www
    Trusted Zone: noradsanta.org\www
    Trusted Zone: ntlworld.com\homepage
    Trusted Zone: onlinesearches.com\publicrecords
    Trusted Zone: otxresearch.com\survey
    Trusted Zone: paypal.com\history
    Trusted Zone: paypal.com\www
    Trusted Zone: pcpitstop.com\www
    Trusted Zone: pillsbury.com\www
    Trusted Zone: playdom.com\tiki-fb-active-vip
    Trusted Zone: powerplay4all.com\www
    Trusted Zone: qwest.com\myaccount
    Trusted Zone: qwest.com\qcontrol
    Trusted Zone: redplum.com\coupons
    Trusted Zone: rengamesonline.com\www
    Trusted Zone: rewardshotline.com\www
    Trusted Zone: rr.com\herhelp01.ndc
    Trusted Zone: rr.com\selfcare
    Trusted Zone: rr.com\webmail.satx
    Trusted Zone: rr.com\www
    Trusted Zone: rxpulse.com\www
    Trusted Zone: salfantasia.us
    Trusted Zone: sendearnings.com\www
    Trusted Zone: shoppershotline.com\www
    Trusted Zone: slashkey.com\www
    Trusted Zone: smartsource.com\couponmom.coupons
    Trusted Zone: smartsource.com\coupons
    Trusted Zone: smartsource.com\coupons2
    Trusted Zone: smcorp.com\www
    Trusted Zone: softpedia.com\www
    Trusted Zone: surfcash.us\www
    Trusted Zone: surveymonkey.com\www
    Trusted Zone: sushiavenue.com
    Trusted Zone: thedailyplate.com\www
    Trusted Zone: thepiratebay.org
    Trusted Zone: timewarnercable.com\payxpress
    Trusted Zone: timewarnercable.com\supportcenter
    Trusted Zone: timewarnercable.com\www
    Trusted Zone: trafficdynamitepro.com
    Trusted Zone: txlottery.org\www
    Trusted Zone: uclick.com\www
    Trusted Zone: ucsd.edu\cseweb
    Trusted Zone: usps.com\ecap-ws-prod
    Trusted Zone: usps.com\shop
    Trusted Zone: usps.com\www
    Trusted Zone: valpak.com\www
    Trusted Zone: walmart.com\www
    Trusted Zone: webexhibits.org\www
    Trusted Zone: webs.com\members
    Trusted Zone: webs.com\missyouhoyle
    Trusted Zone: wegmans.com\www
    Trusted Zone: windowsbbs.com\www
    Trusted Zone: wordsteal.com\www
    Trusted Zone: yourcgi.com\www
    Trusted Zone: youtube.com\www
    Trusted Zone: zonealarm.com\download
    Trusted Zone: zonealarm.com\promotions
    Trusted Zone: zonealarm.com\www
    Trusted Zone: zynga.com\secure
    Trusted Zone: zynga.com\toolbar
    DPF: {7A0D1738-10EA-47FF-92BE-4E137B5BE1A4} - hxxps://mpsnare.iesnare.com/StmOCX.cab
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-DAO 3.5 - c:\program files\Intuit\DAO 3.5\Uninst.isu



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-05-17 13:55
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10e_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10e_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(636)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2010-05-17 13:57:26
    ComboFix-quarantined-files.txt 2010-05-17 18:57

    Pre-Run: 16,469,778,432 bytes free
    Post-Run: 18,088,517,632 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptOut

    - - End Of File - - 9A64D4773A8DADEC50940DD06190804D


    HIJACKTHIS

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 2:19:19 PM, on 5/17/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.17023)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Atomic Clock Sync\Atomic.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\PrintKey2000\Printkey2000.exe
    D:\Utilities\Tray It\TrayIt!.exe
    C:\Program Files\WallpaperToy\Wallpapertoy.Exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ups.exe
    C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
    O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - Startup: adni18_Weather_II.lnk = C:\Program Files\ADNI\adni18_Weather_II.exe
    O4 - Startup: APC UPS Status.lnk = ?
    O4 - Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
    O4 - Startup: TrayIt!.lnk = D:\Utilities\Tray It\TrayIt!.exe
    O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
    O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
    O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
    O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MI1933~1\Office\1033\phdintl.dll/phdContext.htm
    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
    O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
    O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - c:\lotus\organize\bandobjs.dll
    O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
    O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
    O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\system32\oline.dll
    O15 - Trusted Zone: http://www.ablazewithtraffic.com
    O15 - Trusted Zone: http://*.ablazewithtraffic.com
    O15 - Trusted Zone: http://www.ablazewithtraffic.org
    O15 - Trusted Zone: http://couponing.about.com
    O15 - Trusted Zone: http://get.adobe.com
    O15 - Trusted Zone: http://*.adultfriendfinder.com
    O15 - Trusted Zone: http://support.amd.com
    O15 - Trusted Zone: http://www.amd.com
    O15 - Trusted Zone: http://www.bettycrocker.com
    O15 - Trusted Zone: http://www.bfnsoftware.com
    O15 - Trusted Zone: http://www.buy.com
    O15 - Trusted Zone: http://shop.ca.com
    O15 - Trusted Zone: http://www.characterarcade.com
    O15 - Trusted Zone: http://*.characterarcade.com
    O15 - Trusted Zone: http://www.classmates.com
    O15 - Trusted Zone: http://download.cnet.com
    O15 - Trusted Zone: http://www.coolsavings.com
    O15 - Trusted Zone: http://www.couponmom.com
    O15 - Trusted Zone: http://bricks.coupons.com
    O15 - Trusted Zone: http://microsite.coupons.com
    O15 - Trusted Zone: http://print.coupons.com
    O15 - Trusted Zone: http://www.coupons.com
    O15 - Trusted Zone: http://zynga.custhelp.com
    O15 - Trusted Zone: http://www.download.com
    O15 - Trusted Zone: http://www.envision-hits.com
    O15 - Trusted Zone: http://apps.facebook.com
    O15 - Trusted Zone: http://www.facebook.com
    O15 - Trusted Zone: http://*.fansgifts.com
    O15 - Trusted Zone: http://members.****direct.com
    O15 - Trusted Zone: http://www.grocerycouponnetwork.com
    O15 - Trusted Zone: http://www.heb.com
    O15 - Trusted Zone: http://h10025.www1.hp.com
    O15 - Trusted Zone: http://h20270.www2.hp.com
    O15 - Trusted Zone: http://www.shopping.hp.com
    O15 - Trusted Zone: http://cgi1.igl.net
    O15 - Trusted Zone: http://hoylegames.igl.net
    O15 - Trusted Zone: http://www.igl.net
    O15 - Trusted Zone: http://www4.igl.net
    O15 - Trusted Zone: http://downloadcenter.intel.com
    O15 - Trusted Zone: http://www.java.com
    O15 - Trusted Zone: http://*.java.com
    O15 - Trusted Zone: http://www.kens5.com
    O15 - Trusted Zone: http://www.kraftfirsttaste.com
    O15 - Trusted Zone: http://www.kraftfoods.com
    O15 - Trusted Zone: http://www.landolakes.com
    O15 - Trusted Zone: http://www.mapquest.com
    O15 - Trusted Zone: http://montastic-wiki.metadot.net
    O15 - Trusted Zone: http://www.mysanantonio.com
    O15 - Trusted Zone: http://hjt.networktechs.com
    O15 - Trusted Zone: http://www.nidink.com
    O15 - Trusted Zone: http://www.noradsanta.org
    O15 - Trusted Zone: http://homepage.ntlworld.com
    O15 - Trusted Zone: http://publicrecords.onlinesearches.com
    O15 - Trusted Zone: http://survey.otxresearch.com
    O15 - Trusted Zone: http://www.pcpitstop.com
    O15 - Trusted Zone: http://www.pillsbury.com
    O15 - Trusted Zone: http://tiki-fb-active-vip.playdom.com
    O15 - Trusted Zone: http://www.powerplay4all.com
    O15 - Trusted Zone: http://coupons.redplum.com
    O15 - Trusted Zone: http://www.rengamesonline.com
    O15 - Trusted Zone: http://www.rewardshotline.com
    O15 - Trusted Zone: http://herhelp01.ndc.rr.com
    O15 - Trusted Zone: http://webmail.satx.rr.com
    O15 - Trusted Zone: http://www.rr.com
    O15 - Trusted Zone: http://*.salfantasia.us
    O15 - Trusted Zone: http://www.sendearnings.com
    O15 - Trusted Zone: http://www.slashkey.com
    O15 - Trusted Zone: http://couponmom.coupons.smartsource.com
    O15 - Trusted Zone: http://coupons.smartsource.com
    O15 - Trusted Zone: http://coupons2.smartsource.com
    O15 - Trusted Zone: http://www.smcorp.com
    O15 - Trusted Zone: http://www.softpedia.com
    O15 - Trusted Zone: http://www.surfcash.us
    O15 - Trusted Zone: http://www.surveymonkey.com
    O15 - Trusted Zone: http://*.sushiavenue.com
    O15 - Trusted Zone: http://www.thedailyplate.com
    O15 - Trusted Zone: http://*.thepiratebay.org
    O15 - Trusted Zone: http://www.timewarnercable.com
    O15 - Trusted Zone: http://*.trafficdynamitepro.com
    O15 - Trusted Zone: http://www.txlottery.org
    O15 - Trusted Zone: http://www.uclick.com
    O15 - Trusted Zone: http://cseweb.ucsd.edu
    O15 - Trusted Zone: http://www.usps.com
    O15 - Trusted Zone: http://www.valpak.com
    O15 - Trusted Zone: http://www.walmart.com
    O15 - Trusted Zone: http://www.webexhibits.org
    O15 - Trusted Zone: http://members.webs.com
    O15 - Trusted Zone: http://missyouhoyle.webs.com
    O15 - Trusted Zone: http://www.windowsbbs.com
    O15 - Trusted Zone: http://www.wordsteal.com
    O15 - Trusted Zone: http://www.yourcgi.com
    O15 - Trusted Zone: http://www.youtube.com
    O15 - Trusted Zone: http://download.zonealarm.com
    O15 - Trusted Zone: http://promotions.zonealarm.com
    O15 - Trusted Zone: http://toolbar.zynga.com
    O15 - Trusted IP range: http://99.242.228.10
    O15 - Trusted IP range: http://64.46.38.86
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
    O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://download.gamedesire.com/g_bin/eng/boards_2_0_0_35.cab
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - https://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1233262970812
    O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233263033046
    O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://www.igl.net/clo/install/CLOActiveXInstallerProj1.cab
    O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
    O16 - DPF: {7A0D1738-10EA-47FF-92BE-4E137B5BE1A4} (Stm Class) - https://mpsnare.iesnare.com/StmOCX.cab
    O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} (DDRevision Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) -
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareupdate/su/ocx/15111/CTPID.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    --
    End of file - 17601 bytes
     
  13. 2010/05/17
    broni (Moderator, Malware Analyst)
    Uninstall Combofix:
    Go Start > Run [Vista users, go Start> "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between "Combofix" and "/Uninstall".
    Click OK (Vista users - press Enter).
    Restart computer.

    =================================================================

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart the computer.


    2. Go to the Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  14. 2010/05/20
    Sfantasia (Inactive, Thread Starter)
    Is this malware

    Before I post the Kaspersky scan results I need to tell you the physical structure of My Computer. As you can see by the scan log I have 8 drives listed: A:\ C:\ D:\ E:\ F:\ G:\ H:\ I:\

    Drives A:\ and I:\ are the Floppy and CD-RW drives respectively.

    Drives C:\ and D:\ are two physical drives located in the computer with the C:\ drive being the System drive and the D:\ drive the Slave. I use the D:\ drive to only store downloaded installation programs and other things strictly for storage. Neither of these drives has a partition.

    Drives E:\ F:\ G:\ H:\ are four partitions in a single external USB drive which I use as follows: The E:\ F:\ G:\ drives are backups of the MyDocuments folder, C:\ System drive and the D:\ Slave drive respectively. The H:\ drive is the location I have indicated in my Internet Explorer options to store my Temporary Internet Files and Browsing History files.

    I have also deleted all of the indicated files at the end of the log.

    Kaspersky log:

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Thursday, May 20, 2010
    Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Wednesday, May 19, 2010 23:30:03
    Records in database: 4139978
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\

    Scan statistics:
    Objects scanned: 448810
    Threats found: 4
    Infected objects found: 10
    Suspicious objects found: 2
    Scan duration: 04:54:04


    File name / Threat / Threats count
    C:\Documents and Settings\Sal Fantasia\My Documents\E-Mail\Fraud\Chase Bank - Dear Customer.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
    D:\MSN Messenger\Emoticons\birthdaycake.zip Infected: Trojan-Downloader.Win32.VB.oc 1
    D:\MSN Messenger\Emoticons\cat.zip Infected: Trojan-Downloader.Win32.VB.oc 1
    D:\MSN Messenger\Emoticons\temperkid.zip Infected: Trojan-Downloader.Win32.VB.oc 1
    D:\Sudoku\Install\SudokuInstall.exe Infected: not-a-virus:AdWare.Win32.Rabio.hq 1
    D:\Sudoku\Royal Suduko\royal_sudoku.exe Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1
    E:\My Documents\E-Mail\Fraud\Chase Bank - Dear Customer.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
    G:\MSN Messenger\Emoticons\birthdaycake.zip Infected: Trojan-Downloader.Win32.VB.oc 1
    G:\MSN Messenger\Emoticons\cat.zip Infected: Trojan-Downloader.Win32.VB.oc 1
    G:\MSN Messenger\Emoticons\temperkid.zip Infected: Trojan-Downloader.Win32.VB.oc 1
    G:\Sudoku\Install\SudokuInstall.exe Infected: not-a-virus:AdWare.Win32.Rabio.hq 1
    G:\Sudoku\Royal Suduko\royal_sudoku.exe Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1

    Selected area has been scanned.

    Thank you
     
  15. 2010/05/20
    broni (Moderator, Malware Analyst)
    Make sure to empty recycle bin.

    Don't forget to re-enable your CA Internet Security Suite.

    Please review all HJT O15 entries (Trusted Zone) and make sure you're familiar with all of them.

    Other than that...


    Your computer is clean :)

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

    Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable System Restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please let me know how your computer is doing.
     
  16. 2010/05/21
    Sfantasia (Inactive, Thread Starter)
    Is this malware

    I appreciate all the time you have spent.

    FYI

    I turned on the CA Security immediately after the ComboFix scan stopped.

    All of the HJT 015 items are legitimate trusted zone entries, but there are some that are outdated and I will remove them.

    I use Roboform to log into any sites which require a password and I wrote a small program which every 28 days rewrites the .frp file (which contains the login and password information) and generates a new random password. It also generates a report so I know what the new password is.

    I run Diskeeper which is continually running in the background.

    My computers run real well and I have never had a trojan or virus infection in any computers I have had starting with the IBM 5100.

    I need to mention however that my original question had referred to two HJT entries and a question:

    Is this malware?

    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

    The only reason I posted it was because I didn't recognize them and I didn't know what they were. So I would appreciate it if you can tell me, since it isn't malware, what is it?

    Thank you
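    The two O22 lines quoted above are the SharedTaskScheduler entries Windows XP registers itself (under HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler); both are implemented in browseui.dll in system32. What makes an O22 line worth worrying about is not the display name, which anything can reuse, but a CLSID that is not one of these two or a handler DLL that is not system32\browseui.dll. The script below is an added example, not part of this thread or of HijackThis, that applies that check to a pasted log and also flags the O15 Trusted Zone entries that deserve the review asked for earlier in the thread (wildcard domains and bare IP ranges) plus O16 DPF entries left without a download URL. The sample log is constructed here from lines in this thread plus one made-up imitation O22 line pointing at a non-existent DLL; the severity labels and thresholds are the example's own choices.

```python
"""Added example: triage the O22 / O15 / O16 sections of a HijackThis log.

Not code from the thread or from HijackThis. The O22 rule: the only two
SharedTaskScheduler CLSIDs Windows installs must resolve to system32\\browseui.dll;
any other CLSID, or one of these two pointing at a different DLL, is flagged.
"""
import re
from dataclasses import dataclass

# The two SharedTaskScheduler entries Windows XP registers itself (compared case-insensitively).
KNOWN_O22_CLSIDS = {
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}",  # Browseui preloader
    "{8C7461EF-2B13-11D2-BE35-3078302C2030}",  # Component Categories cache daemon
}
EXPECTED_O22_DLL_SUFFIX = "\\system32\\browseui.dll"  # suffix, so a non-default %SystemRoot% still passes

O22_RE = re.compile(r"^O22 - SharedTaskScheduler: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O15_RE = re.compile(r"^O15 - Trusted (?P<kind>Zone|IP range): (?P<target>\S+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})(?: \((?P<name>.*?)\))? -\s*(?P<url>.*)$")


@dataclass
class Finding:
    line: str
    severity: str  # "suspicious": likely malware; "review": legitimate-looking but needs a human look
    reason: str


def triage(log_text):
    """Return a Finding for every O22/O15/O16 line that merits attention, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = O22_RE.match(line)
        if m:
            clsid = m["clsid"].upper()
            path = m["path"].strip().strip('"').lower()
            if clsid not in KNOWN_O22_CLSIDS:
                findings.append(Finding(line, "suspicious", "SharedTaskScheduler CLSID is not one Windows installs"))
            elif not path.endswith(EXPECTED_O22_DLL_SUFFIX):
                findings.append(Finding(line, "suspicious", "stock CLSID but the handler is not system32\\browseui.dll"))
            continue

        m = O15_RE.match(line)
        if m:
            if m["kind"] == "IP range":
                findings.append(Finding(line, "review", "bare IP address in the Trusted zone"))
            elif "*" in m["target"]:
                findings.append(Finding(line, "review", "wildcard gives every host in the domain Trusted-zone rights"))
            continue

        m = O16_RE.match(line)
        if m and not m["url"]:
            findings.append(Finding(line, "review", "ActiveX (DPF) entry with no download URL left behind"))
    return findings


def report(log_text):
    """Human-readable summary of triage(); empty string when nothing is flagged."""
    return "\n".join(f"[{f.severity}] {f.reason}\n    {f.line}" for f in triage(log_text))


# Constructed sample: lines from this thread plus one made-up imitation O22 entry
# (same display name and CLSID as the real one, but a handler DLL that does not exist).
SAMPLE_LOG = """
O15 - Trusted Zone: http://www.amd.com
O15 - Trusted Zone: http://*.thepiratebay.org
O15 - Trusted IP range: http://99.242.228.10
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\\WINDOWS\\system32\\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\\WINDOWS\\system32\\browseui.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\\WINDOWS\\system32\\not-browseui-example.dll
"""

if __name__ == "__main__":
    print(report(SAMPLE_LOG) or "nothing flagged")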
     
  17. 2010/05/21
    broni (Moderator, Malware Analyst)
  18. 2010/05/22
    Sfantasia (Inactive, Thread Starter)
    Is this malware

    Thank you very much for all the help. I would like this thread to be closed.
     
  19. 2010/05/22
    broni (Moderator, Malware Analyst)
    You're very welcome :)
    We don't close threads. I simply marked it as resolved.
     
