Solved

Can't Install Kaspersky, Hijack this log

Posted on 2011-03-15
22
1,418 Views
Last Modified: 2013-12-06
I was working on a PC in my shop that had a virus, got it all fixed up, but the Kaspersky Anti-virus she used was corrupted by the virus.

I just had to reinstall it everything was fine and dandy.

I get a call back from her later saying that her wireless keyboard and mouse wouldn't work. I told her to bring it up to me thinking it would be an easy fix, but no matter what i couldn't get the drivers to take.

I poped the receiver into a XP PC i had here, and it installed no problems, so the receiver was good.

I decided the quickest way to fix it would just do a system restore. I knew that if i restored before the KAV reinstall it would still be corrupted, but that wasn't a big deal to me, just reinstall again.

After the restore, the wireless keyboard and mouse worked without a hitch.

Kav was corrupted, so i downloaded the installer again, but it wouldn't take.
I received this message:
"The setup wizard could not install the application. It is possible your computer might be infected. Click Yes below to download a special tool, which will scan your computer and eliminate all the infections, so that you can proceed with the software installation. Do you want to download and scan your computer for viruses with AVPTool?"

I said sure, downloaded the tool, ran it, no problems. Same issue.

Here are the steps i've performed.

Malwarebytes - Clean
ComboFix - Clean
Hitman Pro - Clean
TDSS Killer - clean
SmitFraud - Clean
Proxy - None
Host File - Legit

As far as i know there are NO viruses on the PC.

What now? Kaspersky doesn't seem to be any help to me.

The only other step i can think of is Hijack this, but i'm pretty awful at deciding what is good and what is bad.

So here is the log -

Running windows XP SP3
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:37 AM, on 3/15/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\MSN Toolbar\Platform\5.0.1423.0\mswinext.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
J:\Apps\HiJackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\Yahoo!\Companion\Installs\cpn3\ytbb.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.9.0\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll
O2 - BHO: Bing Bar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\5.0.1423.0\npwinext.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.9.0\IEViewBar.dll
O3 - Toolbar: @C:\Program Files\MSN Toolbar\Platform\5.0.1423.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\5.0.1423.0\npwinext.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Bing Bar] "C:\Program Files\MSN Toolbar\Platform\5.0.1423.0\mswinext.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - 
O16 - DPF: {EBF85371-A38F-485B-B28F-0B4C82D25937} (CUpdateCtl Object) - http://update.hpphoto.com/download/HPSWUpdate.ocx
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 9933 bytes

Open in new window

0
Comment
Question by:STS-Tech
  • 10
  • 3
  • 3
  • +4
22 Comments
 
LVL 7

Accepted Solution

by:
Mdragga earned 125 total points
ID: 35138326
The Hijack this log looks reasonably clean without any glaring problems to me at least.

I would recommend downloading and running the appropriate Kaspersky removal tool for whatever version was previously installed.

http://support.kaspersky.com/faq/?qid=208279463

I would also remove all their toolbars. No one in their right mind needs 4 (Bing, Yahoo, Google, Viewpoint) and I have seen occasions where messed up toolbar software, or not up to date toolbar software has caused complications with Kaspersky.

0
 
LVL 2

Author Comment

by:STS-Tech
ID: 35138650
Ah i forgot to mention i Did use the removal tool and try again, same issue.

Planned on the removing the toolbars, i can give that a shot it it fixes it, i generally just reset IE to disable the toolbars.
0
 
LVL 23

Expert Comment

by:edbedb
ID: 35139358
Sounds to me like it's still infected. I would scan the computer with Malware Bytes http://www.malwarebytes.org/
0
 
LVL 7

Expert Comment

by:Mdragga
ID: 35139497
Does Kaspersky show at all through the Windows Add/Remove Programs List? I would go ahead and remove it from there then restart the machine. Then run the removal tool and run it (select all known products) and reboot the machine again and then try to install it.

Are you trying to install it from a CD or from a downloaded installer?

Are the time and date correct on the machine? Be sure to check the Time Zone considering we just had DST change.
0
 
LVL 27

Assisted Solution

by:Jonvee
Jonvee earned 125 total points
ID: 35139909
Although you've run several scanners, i agree with edbedb that the computer may still be infected.
Also, although HijackThis is good, it will often miss rootkits.

Try therefore Rkill, a small, freeware and portable tool designed to terminate active malware processes:
http://www.technibble.com/rkill-repair-tool-of-the-week/

Follow that with the ESET Online Scanner, a free, & powerful tool:
http://www.eset.com/online-scanner

You could also try Stinger.
Recommend you do not initially disable System Restore as suggested.
McAfee Labs Stinger:
http://www.mcafee.com/us/downloads/free-tools/how-to-use-stinger.aspx
0
 
LVL 22

Assisted Solution

by:optoma
optoma earned 125 total points
ID: 35139965
Hi, run RogueKiller and post its log along with Combofix's.

    * Download RogueKiller on your desktop
    * Quit all running programs
    * For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
    * When prompted, type 1 and validate
    * The RKreport.txt shall be generated next to the executable.
    * If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

http://www.sur-la-toile.com/RogueKiller/
http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe >direct download link
0
 
LVL 13

Expert Comment

by:upalakshitha
ID: 35140227
Are you using kaspersky workstation version?
first remove existing kaspersky with removal tool as mentioned above.then try to install kaspersky internet security latest as a trial version.if it successfully installs, update & do a full scan.
then uninstall & try to install the version,which you have lisence.some times older versions of kaspersky cannot be installed when infected.
0
 

Expert Comment

by:FnGizzardBrain
ID: 35140496
Ok, I ran into this problem here at work once. I resolved it by going to the link provided below.

http://support.kaspersky.com/faq/?qid=208282163

On the page you can download the ISO to burn to a CD or a EXE to extract it to a jumpdrive. This will allow you to boot from the CD or USB (Depending on what you choose) and scan your PC.

Good Luck!
0
 
LVL 2

Author Comment

by:STS-Tech
ID: 35140518
I have used Malwarebytes, and rkill, i will try the KAV bootable, i have a disc already for it, and the Stinger program.
0
 
LVL 2

Author Comment

by:STS-Tech
ID: 35141144
Actually decided on doing ESET Scanner first, so far its found a few things, 40 minutes into it about 40% Will Report in.
0
 
LVL 2

Author Comment

by:STS-Tech
ID: 35141667
Eset scan said it found 4, and cleaned them. No change, followed KAV steps they sent me from an email, "http://support.kasperskyamericas.com/knowledge-base-article/3993" did not do anything.

Booting to Kaspersky bootable now...
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 7

Expert Comment

by:Mdragga
ID: 35141696
Its time consuming and annoying but possibly after running the Kaspersky removal tool you could do a registry search for and then manually delete any "Kaspersky" keys. I'm still thinking this is somehow related to a corrupt installation that is lingering but the fact that ESET found something is at least some sort of progress.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 35142709
Incidently were you able to run Stinger?

Also ...if you still have the ComboFix log file (previously requested by optoma), it could be useful.

Finally, if no further infections are detected, you could try the System File Checker>
If you insert your CD, while simultaneously depressing the Shift key, this will prevent autorun.  Release the key after 10 to 15 seconds.

Start>Run       .. and then type SFC /scannow
http://www.updatexp.com/scannow-sfc.html
0
 
LVL 2

Author Comment

by:STS-Tech
ID: 35146926
KAV Scan found nothing, i will try stinger and post combo fix logs.
0
 
LVL 2

Author Comment

by:STS-Tech
ID: 35147056
Combofix log here


ComboFix 11-03-14.06 - HP_Administrator 03/15/2011   8:24.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1526.906 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{26694F83-70E7-49BD-BA54-F6A73A68080F}
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{26694F83-70E7-49BD-BA54-F6A73A68080F}\chrome.manifest
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{26694F83-70E7-49BD-BA54-F6A73A68080F}\chrome\content\_cfg.js
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{26694F83-70E7-49BD-BA54-F6A73A68080F}\chrome\content\overlay.xul
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{26694F83-70E7-49BD-BA54-F6A73A68080F}\install.rdf
C:\install.exe
c:\windows\Downloaded Program Files\CpnMgr.dll
c:\windows\Downloaded Program Files\popcaploader.inf
D:\Autorun.inf
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_usnjsvc
.
.
(((((((((((((((((((((((((   Files Created from 2011-02-15 to 2011-03-15  )))))))))))))))))))))))))))))))
.
.
2011-03-14 17:47 . 2011-03-14 17:47	--------	d-----w-	c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2011-03-14 17:32 . 2011-03-14 17:33	--------	d-----w-	C:\kleaner.tmp
2011-03-14 15:17 . 2011-03-14 15:17	--------	d-----w-	c:\windows\system32\wbem\Repository
2011-03-13 19:53 . 2011-03-13 19:53	--------	d-----w-	c:\documents and settings\All Users\Application Data\LightScribe
2011-03-13 19:45 . 2011-03-13 19:46	--------	d-----w-	c:\program files\SureThing CD Labeler 5
2011-03-13 16:07 . 2011-03-13 16:07	--------	d-----w-	c:\documents and settings\HP_Administrator\Application Data\Nero
2011-03-13 16:07 . 2011-03-13 16:07	--------	d-----w-	c:\documents and settings\All Users\Application Data\Nero
2011-03-13 16:07 . 2011-03-13 16:07	--------	d-----w-	c:\program files\Common Files\Nero
2011-03-13 16:07 . 2011-03-13 16:07	--------	d-----w-	c:\program files\Nero
2011-03-12 22:18 . 2011-03-12 22:19	--------	d-----w-	c:\program files\iTunes
2011-03-02 15:04 . 2011-03-14 17:51	16968	----a-w-	c:\windows\system32\drivers\hitmanpro35.sys
2011-03-02 15:04 . 2011-03-02 15:04	--------	d-----w-	c:\documents and settings\All Users\Application Data\Hitman Pro
2011-02-14 06:08 . 2011-02-14 06:08	--------	d-----w-	c:\documents and settings\HP_Administrator\Application Data\WeatherBug
2011-02-14 06:08 . 2011-02-14 06:08	18944	----a-r-	c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{297DCADA-86A1-4A42-8A13-66B7D7A09FD2}\IconBB6A16301.exe
2011-02-14 06:07 . 2011-02-14 06:07	--------	d-----w-	c:\documents and settings\All Users\Application Data\NCH Software
2011-02-14 06:07 . 2011-02-14 06:07	--------	d-----w-	c:\program files\NCH Software
2011-02-14 06:07 . 2011-02-14 06:07	--------	d-----w-	c:\documents and settings\HP_Administrator\Application Data\NCH Software
2011-02-14 06:06 . 2011-02-14 06:06	--------	d-----w-	c:\program files\MSN Toolbar
2011-02-14 06:04 . 2011-02-14 06:07	--------	d-----w-	c:\program files\Bing Bar Installer
2011-02-14 06:04 . 2011-02-14 06:05	--------	d-----w-	c:\program files\DigitalVid
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-04 22:48 . 2004-08-09 21:00	456192	----a-w-	c:\windows\system32\encdec.dll
2011-02-04 22:48 . 2004-08-09 21:00	291840	----a-w-	c:\windows\system32\sbe.dll
2011-02-02 07:58 . 2004-08-09 21:00	2067456	----a-w-	c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-09 21:00	677888	----a-w-	c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-09 21:00	439296	----a-w-	c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-09 21:00	290048	----a-w-	c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-09 21:00	1854976	----a-w-	c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2004-08-09 21:00	301568	----a-w-	c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2004-08-09 21:00	916480	----a-w-	c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2004-08-09 21:00	43520	----a-w-	c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2004-08-09 21:00	1469440	----a-w-	c:\windows\system32\inetcpl.cpl
2010-12-20 22:09 . 2010-10-08 12:45	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 22:08 . 2010-10-08 12:45	20952	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-12-20 17:26 . 2004-08-09 21:00	730112	----a-w-	c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-09 21:00	385024	----a-w-	c:\windows\system32\html.iec
2004-08-09 21:00	94784	-csh--w-	c:\windows\twain.dll
2008-04-14 00:12	50688	--sh--w-	c:\windows\twain_32.dll
2010-09-18 06:53	974848	--sha-w-	c:\windows\system32\mfc42.dll
2008-04-14 00:12	57344	--sha-w-	c:\windows\system32\msvcirt.dll
2008-04-14 00:12	413696	--sha-w-	c:\windows\system32\msvcp60.dll
2008-04-14 00:12	343040	--sha-w-	c:\windows\system32\msvcrt.dll
2008-04-14 00:12	11776	--sha-w-	c:\windows\system32\regsvr32.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-09 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-14 180269]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"Bing Bar"="c:\program files\MSN Toolbar\Platform\5.0.1423.0\mswinext.exe" [2010-03-24 243544]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"EM_EXEC"="c:\progra~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-07-09 28672]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates From HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates From HP.lnk
backup=c:\windows\pss\Updates From HP.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-07-29 05:25	497648	----a-w-	c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2007-05-09 16:54	50736	----a-w-	c:\program files\AIM6\aim6.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 14:43	69632	----a-w-	c:\windows\ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
2004-12-02 23:23	102400	----a-w-	c:\program files\Creative\MediaSource\Detector\CTDetect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
2006-04-13 09:05	90112	----a-w-	c:\program files\HP DigitalMedia Archive\DMAScheduler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-29 21:01	67584	----a-w-	c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EM_EXEC]
2002-07-09 13:50	28672	----a-w-	c:\progra~1\Logitech\MOUSEW~1\system\EM_EXEC.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ftutil2]
2004-06-07 14:05	106496	----a-w-	c:\windows\system32\ftutil2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-03-12 02:34	49152	----a-w-	c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
2006-02-15 22:34	249856	----a-w-	c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2006-02-21 16:59	143360	----a-w-	c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2006-03-23 13:13	77824	----a-w-	c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2006-03-23 13:17	118784	----a-w-	c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2007-08-30 14:50	205480	----a-w-	c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2007-08-30 14:50	205480	----a-w-	c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2007-08-28 21:43	73728	----a-w-	c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 20:33	421160	----a-w-	c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2002-05-21 00:36	90112	----a-w-	c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmapp]
2009-04-07 21:37	467240	----a-w-	c:\program files\Pure Networks\Network Magic\nmapp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmctxth]
2009-04-07 20:34	642856	----a-w-	c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38	421888	----a-w-	c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2005-07-22 22:14	237568	----a-w-	c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
2009-06-30 15:00	2836376	----a-w-	c:\program files\Registry Mechanic\RegMech.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-10-25 07:57	16855552	----a-w-	c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2001-07-03 14:11	57344	----a-w-	c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-09 09:19	148888	----a-w-	c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-04-09 21:04	68856	----a-w-	c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-09-14 11:06	180269	----a-w-	c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 20:45	313472	-c--a-r-	c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
2004-03-18 13:33	892928	-c--a-w-	c:\program files\Logitech\iTouch\iTouch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YahooAUService"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"usnjsvc"=3 (0x3)
"Symantec RemoteAssist"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"nmservice"=2 (0x2)
"MDM"=2 (0x2)
"LightScribeService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"IAANTMON"=2 (0x2)
"gusvc"=3 (0x3)
"gupdate"=2 (0x2)
"ELService"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AdobeActiveFileMonitor9.0"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/2/2010 5:17 PM 135664]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/10/2007 1:43 PM 24652]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ   	hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
2011-03-12 c:\windows\Tasks\Defraggler Volume C Task.job
- c:\program files\Defraggler\df.exe [2009-04-13 14:17]
.
2011-03-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 21:17]
.
2011-03-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 21:17]
.
2011-02-22 c:\windows\Tasks\prismShakeIcon.job
- c:\program files\NCH Software\Prism\prism.exe [2011-02-14 06:07]
.
2011-03-15 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]
.
2011-03-15 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]
.
2011-03-13 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]
.
2011-03-15 c:\windows\Tasks\User_Feed_Synchronization-{E6C14B4F-C93F-4C47-A471-D05BD6EB3F0F}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = about:blank
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
MSConfigStartUp-Wzubevulase - c:\windows\umakozehu.dll
AddRemove-Adobe Flash Player ActiveX - c:\windows\system32\Macromed\Flash\FlashUtil10m_ActiveX.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-15 08:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@DACL=(02 0010)
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@DACL=(02 0010)
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@DACL=(02 0010)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3600)
c:\windows\system32\WININET.dll
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-03-15  08:36:56 - machine was rebooted
ComboFix-quarantined-files.txt  2011-03-15 12:36
.
Pre-Run: 201,666,715,648 bytes free
Post-Run: 202,376,474,624 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 9C522B63BAA2351D4B2947E78A9FAE48

Open in new window

0
 
LVL 23

Assisted Solution

by:edbedb
edbedb earned 125 total points
ID: 35147215
I would try the Symantec cleanup tool to remove all traces of it. Remnants of their software can cause all kinds of problems.

http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN&ln=en_US
0
 
LVL 2

Author Comment

by:STS-Tech
ID: 35150215
Stinger did nothing, Symantec removal did nothing...
0
 
LVL 2

Author Comment

by:STS-Tech
ID: 35150729
Ran AVP Removal One last time, also ran the rouguekiller, didn't find anything.

Running System File Checker now, but i'm pretty sure that was one of my first steps, but we will see.
0
 
LVL 22

Expert Comment

by:optoma
ID: 35150924
Strange . Run autoruns and attach its arn file.
http://technet.microsoft.com/en-us/sysinternals/bb963902
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 35152041
Thanks for the CF logfile.  
Update:  Have thoroughly searched through your logfile and can see no suspicious entries!  
Clearly some "infection(s)" have already been deleted ...see under heading "Other Deletions".
 
Had other infections been present, we could have tried removing them by re-running CF with a script.

There are SymantecAntiVirus registry entry references, but these may have been removed since you ran the Symantec cleanup tool.

It'll be interesting to see what  the autoruns log shows ...
0
 
LVL 2

Author Comment

by:STS-Tech
ID: 35168321
Sorry guys ended up just formatting and reinstalling, was wasting too much time on it, i will award points to those i feel deserve them.

Thanks for all the help!
0
 
LVL 2

Author Closing Comment

by:STS-Tech
ID: 35168330
Ended up Formatting
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Website BlackListed 22 81
Recommendation of Antivirus software for Personal Use 19 164
turbotax on windows 10 60
Endpoint security products 4 44
It started not too long ago. It was at first annoying. My keystrokes seemed to be randomly generated, not the ones I typed on the keyboard. For some reason this only happened in certain applications (especially browsers such as IE11, Firefox and Chr…
Operating system developers such as Microsoft (https://www.microsoft.com) and Apple have made incredible strides in virus protection over the past decade. Operating systems come packaged with built in defensive tools such as virus protection and a f…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now