Please help with daughter's computer

chipatkinson San Antonio Texas
edited November 2008 in Spyware & Virus Removal
I've run virus and spyware scans but nothing was detected. Internet explorer keeps freezing/locking up. Will someone please review the HJT log posted below and tell me if I need to correct anything? Thanks!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:48:51 AM, on 11/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\folding\F@H1\FAH504-Console.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\folding\F@H1\FahCore_81.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Apple Computer\DVD@ccess\DVDAccess.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TrayServer] "C:\Program Files\MAGIX\Movie_Edit_Pro_12\TrayServer.exe"
O4 - HKLM\..\Run: [DISCover] "C:\Program Files\DISC\DISCover.exe" nogui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [vptray] "C:\PROGRA~1\SYMANT~1\VPTray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Recguard] "C:\WINDOWS\SMINST\RECGUARD.EXE"
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /install
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] "C:\WINDOWS\ARPWRMSG.EXE"
O4 - HKLM\..\Run: [RTHDCPL] "C:\WINDOWS\RTHDCPL.EXE"
O4 - HKLM\..\Run: [ftutil2] "C:\WINDOWS\system32\rundll32.exe" ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [ehTray] "C:\WINDOWS\ehome\ehtray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
O4 - Global Startup: DVD@ccess.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.netdimensions.com
O15 - Trusted Zone: http://*.skillsoft.com
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://www.taxsimple.org/tsweb/msrdp.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc02.custhelp.com/7560-b440h-turbotax/rnl/java/RntX.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: FAH@C:+folding+F@H1+FAH504-Console.exe - Stanford University - C:\folding\F@H1\FAH504-Console.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe

--
End of file - 12438 bytes

Comments

  • Trogan London, UK
    edited November 2008
    Hi,

    Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • chipatkinson San Antonio Texas
    edited November 2008
    Thanks for your help. I ran the scan you requested and have posted the results below:

    Malwarebytes' Anti-Malware 1.30
    Database version: 1419
    Windows 5.1.2600 Service Pack 3

    11/23/2008 3:33:00 PM
    mbam-log-2008-11-23 (15-33-00).txt

    Scan type: Full Scan (C:\|K:\|)
    Objects scanned: 237110
    Time elapsed: 1 hour(s), 37 minute(s), 21 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 5
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 3
    Files Infected: 7

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{497dddb6-6eee-4561-9621-b77dc82c1f84} (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{4e980492-027b-47f1-a7ab-ab086dacbb9e} (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{5ead8321-fcbb-4c3f-888c-ac373d366c3f} (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{31f3cf6e-a71a-4daa-852b-39ac230940b4} (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\SysRestore.dll (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Program Files\Ascentive (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Program Files\Ascentive\Performance Center (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\Ascentive (Rogue.Multiple) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Program Files\Ascentive\Performance Center\APCLang.dll (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
    C:\Program Files\Ascentive\Performance Center\ApcMain.exe (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\SysRestore.dll (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
    C:\Program Files\Ascentive\Performance Centertemp.htm (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Program Files\Ascentive\Performance Center\GUID (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Program Files\Ascentive\Performance Center\SOUND.WAV (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\Ascentive\Performance Center.lnk (Rogue.Multiple) -> Quarantined and deleted successfully.
  • Trogan London, UK
    edited November 2008
    Hi,

    Just so you know, I receive email notifications when you reply to this thread.

    Please do the following...

    1. Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
    This program is for XP and Windows 2000 only!
    • Double-click ATF Cleaner.exe to open it.
    • Under Main select the following:
      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Java Cache
    *The other boxes are optional*
    Then click the Empty Selected button.

    Click Exit on the Main menu to close the program.

    2. I need to see another log from HijackThis.
    • Run Hijackthis.
    • Click on Open the Misc Tools section.
    • Next click on Open uninstall manager.
    • Press the Save list button.
    • Save the file to your desktop, with the default name of uninstall_list
    • Copy & Paste the entire contents of that file in your next post.

    3. Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the licence is accepted, reset to 100%.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        Extended (if available otherwise Standard)
      • Scan Options:
        Scan Archives
        Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report As button:
    • Change Save as type: to Text file
    • Save this as Kaspersky scan to your Desktop

    4. Please post the following...

    Kaspersky report
    Uninstall list
    New HijackThis log
      • chipatkinson San Antonio Texas
        edited November 2008
        Thanks for your help! I've posted the Kaspersky report, uninstall list and HJT log below as requested.

        KASPERSKY ONLINE SCANNER 7 REPORT
        Tuesday, November 25, 2008
        Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
        Kaspersky Online Scanner 7 version: 7.0.25.0
        Program database last update: Monday, November 24, 2008 19:40:58
        Records in database: 1409941

        Scan settings:
        Scan using the following database: extended
        Scan archives: yes
        Scan mail databases: yes

        Scan area - My Computer:
        C:\
        D:\
        E:\
        F:\
        G:\
        H:\
        I:\
        K:\

        Scan statistics:
        Files scanned: 182257
        Threat name: 16
        Infected objects: 69
        Suspicious objects: 24
        Duration of the scan: 03:15:33


        File name / Threat name / Threats count
        C:\chip mail\Sent Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
        C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02640000.VBN Infected: Trojan-Downloader.JS.Small.dn 1
        C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06CC0000.VBN Infected: Trojan-Downloader.JS.Agent.kd 1
        C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E180000.VBN Infected: Trojan-Spy.Win32.Goldun.pa 1
        C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E180001.VBN Infected: Trojan-Spy.Win32.Goldun.pa 1
        C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EE00000.VBN Infected: Trojan-Downloader.JS.Agent.kd 1
        C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{C61683AB-9972-4232-B55C-C13C2C85E71A}\Microsoft\Outlook Express\Deleted Items.bak Suspicious: Exploit.HTML.Iframe.FileDownload 1
        C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{C61683AB-9972-4232-B55C-C13C2C85E71A}\Microsoft\Outlook Express\Deleted Items.bak Infected: Email-Worm.Win32.Klez.h 1
        C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{C61683AB-9972-4232-B55C-C13C2C85E71A}\Microsoft\Outlook Express\Deleted Items.bak Infected: Email-Worm.Win32.Magistr.b 1
        C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{C61683AB-9972-4232-B55C-C13C2C85E71A}\Microsoft\Outlook Express\Deleted Items.bak Infected: Email-Worm.Win32.Mabutu.a 1
        C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{C61683AB-9972-4232-B55C-C13C2C85E71A}\Microsoft\Outlook Express\Deleted Items.bak Infected: Trojan-Spy.HTML.Fiffraud.m 1
        C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{C61683AB-9972-4232-B55C-C13C2C85E71A}\Microsoft\Outlook Express\Deleted Items.bak Infected: Trojan-Spy.HTML.Bankfraud.ra 1
        C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{C61683AB-9972-4232-B55C-C13C2C85E71A}\Microsoft\Outlook Express\Deleted Items.bak Infected: Trojan-Spy.HTML.Bankfraud.ri 2
        C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{C61683AB-9972-4232-B55C-C13C2C85E71A}\Microsoft\Outlook Express\Deleted Items.bak Infected: Trojan-Spy.HTML.Bankfraud.rw 1
        C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{C61683AB-9972-4232-B55C-C13C2C85E71A}\Microsoft\Outlook Express\Deleted Items.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 1
        C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{C61683AB-9972-4232-B55C-C13C2C85E71A}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.Klez.h 1
        C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{C61683AB-9972-4232-B55C-C13C2C85E71A}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.Magistr.b 1
        C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{C61683AB-9972-4232-B55C-C13C2C85E71A}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.Mabutu.a 1
        C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{C61683AB-9972-4232-B55C-C13C2C85E71A}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Fiffraud.m 1
        C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{C61683AB-9972-4232-B55C-C13C2C85E71A}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Bankfraud.ra 1
        C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{C61683AB-9972-4232-B55C-C13C2C85E71A}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Bankfraud.ri 2
        C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{C61683AB-9972-4232-B55C-C13C2C85E71A}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Bankfraud.rw 1
        C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{C61683AB-9972-4232-B55C-C13C2C85E71A}\Microsoft\Outlook Express\Inbox.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 1
        C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{C61683AB-9972-4232-B55C-C13C2C85E71A}\Microsoft\Outlook Express\Inbox.dbx Infected: Email-Worm.Win32.Tanatos.a 1
        C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{C61683AB-9972-4232-B55C-C13C2C85E71A}\Microsoft\Outlook Express\Inbox.dbx Infected: Email-Worm.Win32.Bagle.g 1
        C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{C61683AB-9972-4232-B55C-C13C2C85E71A}\Microsoft\Outlook Express\Inbox.dbx Infected: Net-Worm.Win32.Mytob.bj 1
        C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{D190EE07-1887-4595-8F62-6253114299D2}\Microsoft\Outlook Express\saved sent messages.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
        C:\hp\bin\wbug\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2
        C:\Outlook Express Backup\Chip\Sent Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
        C:\Outlook Express Backup\Chip -satx\Sent Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
        C:\Outlook Express Backup\LeAnn Atkinson\Deleted Items.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 1
        C:\Outlook Express Backup\LeAnn Atkinson\Deleted Items.dbx Infected: Email-Worm.Win32.Klez.h 1
        C:\Outlook Express Backup\LeAnn Atkinson\Deleted Items.dbx Infected: Email-Worm.Win32.Magistr.b 1
        C:\Outlook Express Backup\LeAnn Atkinson\Deleted Items.dbx Infected: Email-Worm.Win32.Mabutu.a 1
        C:\Outlook Express Backup\LeAnn Atkinson\Inbox.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 1
        C:\Outlook Express Backup\LeAnn Atkinson\Inbox.dbx Infected: Email-Worm.Win32.Tanatos.a 1
        C:\Outlook Express Backup\LeAnn Atkinson\Inbox.dbx Infected: Email-Worm.Win32.Bagle.g 1
        C:\Outlook Express Backup\LeAnn Atkinson\Inbox.dbx Infected: Net-Worm.Win32.Mytob.bj 1
        C:\Outlook Express Backup\LeAnn-satx\Deleted Items.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 1
        C:\Outlook Express Backup\LeAnn-satx\Deleted Items.dbx Infected: Email-Worm.Win32.Klez.h 1
        C:\Outlook Express Backup\LeAnn-satx\Deleted Items.dbx Infected: Email-Worm.Win32.Magistr.b 1
        C:\Outlook Express Backup\LeAnn-satx\Deleted Items.dbx Infected: Email-Worm.Win32.Mabutu.a 1
        C:\Outlook Express Backup\LeAnn-satx\Inbox.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 1
        C:\Outlook Express Backup\LeAnn-satx\Inbox.dbx Infected: Email-Worm.Win32.Tanatos.a 1
        C:\Outlook Express Backup\LeAnn-satx\Inbox.dbx Infected: Email-Worm.Win32.Bagle.g 1
        C:\Outlook Express Backup\LeAnn-satx\Inbox.dbx Infected: Net-Worm.Win32.Mytob.bj 1
        C:\Outlook Express Backup\OEBackup12-16-2006.oeb Suspicious: Trojan-Spy.HTML.Fraud.gen 2
        D:\I386\APPS\APP19117\src\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2
        D:\I386\APPS\APP19117\src\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2
        K:\chip mail\Sent Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
        K:\Leann mail\Deleted Items.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 1
        K:\Leann mail\Deleted Items.dbx Infected: Email-Worm.Win32.Klez.h 1
        K:\Leann mail\Deleted Items.dbx Infected: Email-Worm.Win32.Magistr.b 1
        K:\Leann mail\Deleted Items.dbx Infected: Email-Worm.Win32.Mabutu.a 1
        K:\Leann mail\Deleted Items.dbx Infected: Trojan-Spy.HTML.Fiffraud.m 1
        K:\Leann mail\Inbox.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 1
        K:\Leann mail\Inbox.dbx Infected: Email-Worm.Win32.Tanatos.a 1
        K:\Leann mail\Inbox.dbx Infected: Email-Worm.Win32.Bagle.g 1
        K:\Leann mail\Inbox.dbx Infected: Net-Worm.Win32.Mytob.bj 1
        K:\Outlook Express Backup\Chip\Sent Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
        K:\Outlook Express Backup\Chip -satx\Sent Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
        K:\Outlook Express Backup\LeAnn Atkinson\Deleted Items.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 1
        K:\Outlook Express Backup\LeAnn Atkinson\Deleted Items.dbx Infected: Email-Worm.Win32.Klez.h 1
        K:\Outlook Express Backup\LeAnn Atkinson\Deleted Items.dbx Infected: Email-Worm.Win32.Magistr.b 1
        K:\Outlook Express Backup\LeAnn Atkinson\Deleted Items.dbx Infected: Email-Worm.Win32.Mabutu.a 1
        K:\Outlook Express Backup\LeAnn Atkinson\Inbox.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 1
        K:\Outlook Express Backup\LeAnn Atkinson\Inbox.dbx Infected: Email-Worm.Win32.Tanatos.a 1
        K:\Outlook Express Backup\LeAnn Atkinson\Inbox.dbx Infected: Email-Worm.Win32.Bagle.g 1
        K:\Outlook Express Backup\LeAnn Atkinson\Inbox.dbx Infected: Net-Worm.Win32.Mytob.bj 1
        K:\Outlook Express Backup\leann backup\OEBackup11-13-2008.oeb Suspicious: Exploit.HTML.Iframe.FileDownload 1
        K:\Outlook Express Backup\leann backup\OEBackup11-13-2008.oeb Infected: Email-Worm.Win32.Klez.h 1
        K:\Outlook Express Backup\leann backup\OEBackup11-13-2008.oeb Infected: Email-Worm.Win32.Magistr.b 1
        K:\Outlook Express Backup\leann backup\OEBackup11-13-2008.oeb Infected: Email-Worm.Win32.Mabutu.a 1
        K:\Outlook Express Backup\leann backup\OEBackup11-13-2008.oeb Infected: Trojan-Spy.HTML.Fiffraud.m 1
        K:\Outlook Express Backup\leann backup\OEBackup11-13-2008.oeb Infected: Trojan-Spy.HTML.Bankfraud.ra 1
        K:\Outlook Express Backup\leann backup\OEBackup11-13-2008.oeb Infected: Trojan-Spy.HTML.Bankfraud.ri 2
        K:\Outlook Express Backup\leann backup\OEBackup11-13-2008.oeb Infected: Trojan-Spy.HTML.Bankfraud.rw 1
        K:\Outlook Express Backup\LeAnn-satx\Deleted Items.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 1
        K:\Outlook Express Backup\LeAnn-satx\Deleted Items.dbx Infected: Email-Worm.Win32.Klez.h 1
        K:\Outlook Express Backup\LeAnn-satx\Deleted Items.dbx Infected: Email-Worm.Win32.Magistr.b 1
        K:\Outlook Express Backup\LeAnn-satx\Deleted Items.dbx Infected: Email-Worm.Win32.Mabutu.a 1
        K:\Outlook Express Backup\LeAnn-satx\Inbox.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 1
        K:\Outlook Express Backup\LeAnn-satx\Inbox.dbx Infected: Email-Worm.Win32.Tanatos.a 1
        K:\Outlook Express Backup\LeAnn-satx\Inbox.dbx Infected: Email-Worm.Win32.Bagle.g 1
        K:\Outlook Express Backup\LeAnn-satx\Inbox.dbx Infected: Net-Worm.Win32.Mytob.bj 1
        K:\Outlook Express Backup\OEBackup12-16-2006.oeb Suspicious: Trojan-Spy.HTML.Fraud.gen 1

        The selected area was scanned.

        2007 Microsoft Office Suite Service Pack 1 (SP1)
        2007 Microsoft Office Suite Service Pack 1 (SP1)
        2007 Microsoft Office Suite Service Pack 1 (SP1)
        2007 Microsoft Office Suite Service Pack 1 (SP1)
        2007 Microsoft Office Suite Service Pack 1 (SP1)
        2007 Microsoft Office Suite Service Pack 1 (SP1)
        2007 Microsoft Office Suite Service Pack 1 (SP1)
        2007 Microsoft Office Suite Service Pack 1 (SP1)
        2007 Microsoft Office Suite Service Pack 1 (SP1)
        2007 Microsoft Office Suite Service Pack 1 (SP1)
        2007 Microsoft Office Suite Service Pack 1 (SP1)
        2007 Microsoft Office Suite Service Pack 1 (SP1)
        2007 Microsoft Office Suite Service Pack 1 (SP1)
        2007 Microsoft Office Suite Service Pack 1 (SP1)
        2007 Microsoft Office Suite Service Pack 1 (SP1)
        2007 Microsoft Office Suite Service Pack 1 (SP1)
        2007 Microsoft Office Suite Service Pack 1 (SP1)
        Ad-Aware SE Personal
        Adobe Flash Player 10 ActiveX
        Adobe Photoshop 6.0
        Adobe Reader 8.1.3
        Adobe SVG Viewer
        AnswerWorks 4.0 Runtime - English
        Apple Mobile Device Support
        Apple Software Update
        Ask Toolbar
        Audible Download Manager
        Customer Experience Enhancement
        Data Fax SoftModem with SmartCP
        DivX
        DVD@ccess 2.0.3
        Easy Internet Sign-up
        Enhanced Multimedia Keyboard Solution
        ewido anti-malware
        Family Tree Maker 2005
        Firebird SQL Server - MAGIX Edition 2.0.0.1 (US)
        GemMaster Mystic
        Glary Registry Repair 2.9
        Glary Utilities 2.6
        Google Earth
        GSP Sudoku
        High Definition Audio Driver Package - KB888111
        HijackThis 2.0.2
        Hotfix for Windows Media Format 11 SDK (KB929399)
        Hotfix for Windows Media Player 10 (KB910393)
        Hotfix for Windows Media Player 11 (KB939683)
        Hotfix for Windows XP (KB952287)
        HP Boot Optimizer
        HP DigitalMedia Archive
        HP DVD Play 2.1
        HP Games 3.43.97
        HP Imaging Device Functions 7.0
        HP Photosmart for Media Center PC
        HP Photosmart Premier Software 6.5
        HP PSC & OfficeJet 4.7
        HP Update
        HP Web Helper
        iolo technologies' Search and Recover 3
        iolo technologies' System Mechanic 6
        iTunes
        J2SE Runtime Environment 5.0 Update 10
        J2SE Runtime Environment 5.0 Update 11
        J2SE Runtime Environment 5.0 Update 6
        Java(TM) 6 Update 2
        Java(TM) 6 Update 3
        Java(TM) 6 Update 5
        Java(TM) 6 Update 7
        Java(TM) SE Runtime Environment 6 Update 1
        Lexmark Z600 Series
        LiveUpdate 2.0 (Symantec Corporation)
        MAGIX Goya burnR 1.3.1.2 (US)
        MAGIX Movie Edit Pro 12 6.5.4.0 (US)
        MAGIX Music Manager 2007 8.1.0.727 (US)
        MAGIX Photo Manager 2007 4.1.0.728 (US)
        Malwarebytes' Anti-Malware
        MasterCook 7
        Microsoft .NET Framework 2.0 Service Pack 1
        Microsoft Compression Client Pack 1.0 for Windows XP
        Microsoft Office Access MUI (English) 2007
        Microsoft Office Access Setup Metadata MUI (English) 2007
        Microsoft Office Enterprise 2007
        Microsoft Office Enterprise 2007
        Microsoft Office Excel MUI (English) 2007
        Microsoft Office Groove MUI (English) 2007
        Microsoft Office Groove Setup Metadata MUI (English) 2007
        Microsoft Office InfoPath MUI (English) 2007
        Microsoft Office OneNote MUI (English) 2007
        Microsoft Office Outlook MUI (English) 2007
        Microsoft Office PowerPoint MUI (English) 2007
        Microsoft Office Proof (English) 2007
        Microsoft Office Proof (French) 2007
        Microsoft Office Proof (Spanish) 2007
        Microsoft Office Proofing (English) 2007
        Microsoft Office Publisher MUI (English) 2007
        Microsoft Office Shared MUI (English) 2007
        Microsoft Office Shared Setup Metadata MUI (English) 2007
        Microsoft Office Standard Edition 2003 60 days trial
        Microsoft Office Word MUI (English) 2007
        Microsoft User-Mode Driver Framework Feature Pack 1.0
        Microsoft Works
        Mobipocket Reader 6.0 R.C. 2
        Mobipocket Reader 6.1
        MSXML 4.0 SP2 (KB927978)
        MSXML 4.0 SP2 (KB936181)
        MSXML 4.0 SP2 (KB954430)
        MSXML 4.0 SP2 and SOAP Toolkit 3.0
        muvee autoProducer 5.0
        muvee autoProducer unPlugged 2.0
        My HP Games
        Netscape Browser (remove only)
        NVIDIA Drivers
        Otto
        Outlook Express Backup Wizard version 1.1
        Panda NanoScan
        PC-Doctor 5 for Windows
        Performance Center
        Personal Ancestral File 5
        Personal Ancestral File Companion 5.2
        PIXELRULER
        PokerStars
        PokerStars.net
        Python 2.2 pywin32 extensions (build 203)
        Python 2.2.3
        Quicken 2006
        QuickTime
        RealPlayer
        Realtek High Definition Audio Driver
        Remove WeatherBug Installer
        Rhapsody
        Rhapsody Player Engine
        Rohos Mini Drive 1.15
        Safari
        Security Update for 2007 Microsoft Office System (KB951550)
        Security Update for 2007 Microsoft Office System (KB951944)
        Security Update for 2007 Microsoft Office System (KB955936)
        Security Update for Microsoft Office Excel 2007 (KB955470)
        Security Update for Microsoft Office OneNote 2007 (KB950130)
        Security Update for Microsoft Office PowerPoint 2007 (KB951338)
        Security Update for Microsoft Office Publisher 2007 (KB950114)
        Security Update for Microsoft Office system 2007 (KB951808)
        Security Update for Microsoft Office system 2007 (KB954326)
        Security Update for Microsoft Office Word 2007 (KB950113)
        Security Update for Step By Step Interactive Training (KB898458)
        Security Update for Step By Step Interactive Training (KB923723)
        Security Update for Windows Media Player 10 (KB911565)
        Security Update for Windows Media Player 10 (KB917734)
        Security Update for Windows Media Player 11 (KB936782)
        Security Update for Windows Media Player 11 (KB954154)
        Security Update for Windows XP (KB938464)
        Security Update for Windows XP (KB941569)
        Security Update for Windows XP (KB946648)
        Security Update for Windows XP (KB950759)
        Security Update for Windows XP (KB950760)
        Security Update for Windows XP (KB950762)
        Security Update for Windows XP (KB950974)
        Security Update for Windows XP (KB951066)
        Security Update for Windows XP (KB951376)
        Security Update for Windows XP (KB951376-v2)
        Security Update for Windows XP (KB951698)
        Security Update for Windows XP (KB951748)
        Security Update for Windows XP (KB952954)
        Security Update for Windows XP (KB953838)
        Security Update for Windows XP (KB953839)
        Security Update for Windows XP (KB954211)
        Security Update for Windows XP (KB954459)
        Security Update for Windows XP (KB955069)
        Security Update for Windows XP (KB956390)
        Security Update for Windows XP (KB956391)
        Security Update for Windows XP (KB956803)
        Security Update for Windows XP (KB956841)
        Security Update for Windows XP (KB957095)
        Security Update for Windows XP (KB957097)
        Security Update for Windows XP (KB958644)
        Sonic Express Labeler
        Sonic MyDVD Plus
        Sonic RecordNow Audio
        Sonic RecordNow Copy
        Sonic RecordNow Data
        Sonic Update Manager
        Spy Sweeper
        Spy Sweeper Core
        SpywareBlaster v3.5.1
        Symantec AntiVirus
        TiVo Desktop 2.5.1
        TurboTax Deluxe 2007
        TurboTax Deluxe Deduction Maximizer 2006
        TurboTax ItsDeductible 2006
        Update for Microsoft Office Outlook 2007 (KB952142)
        Update for Office 2007 (KB946691)
        Update for Outlook 2007 Junk Email Filter (kb957829)
        Update for Windows Media Player 10 (KB913800)
        Update for Windows Media Player 10 (KB926251)
        Update for Windows XP (KB951072-v2)
        Update for Windows XP (KB951978)
        Update for Windows XP (KB953356)
        Updates from HP (remove only)
        Viewpoint Media Player
        Web Pictures Downloader 1.9
        WexTech AnswerWorks
        WildTangent Web Driver
        Windows Media Format 11 runtime
        Windows Media Format 11 runtime
        Windows Media Player 11
        Windows Media Player 11
        Windows XP Media Center Edition 2005 KB908246
        Windows XP Media Center Edition 2005 KB925766
        Windows XP Service Pack 3
        Yahoo! Messenger
        Yahoo! Toolbar for Internet Explorer



        Logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 4:36:04 AM, on 11/25/2008
        Platform: Windows XP SP3 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
        Boot mode: Normal

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
        C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
        C:\WINDOWS\system32\LEXBCES.EXE
        C:\WINDOWS\system32\spoolsv.exe
        C:\WINDOWS\Explorer.EXE
        C:\WINDOWS\system32\LEXPPS.EXE
        C:\Program Files\iTunes\iTunesHelper.exe
        C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
        C:\PROGRA~1\SYMANT~1\VPTray.exe
        C:\Program Files\Common Files\Symantec Shared\ccApp.exe
        C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
        C:\WINDOWS\RTHDCPL.EXE
        C:\WINDOWS\ehome\ehtray.exe
        C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
        C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
        C:\WINDOWS\arservice.exe
        C:\Program Files\Symantec AntiVirus\DefWatch.exe
        C:\Program Files\ewido anti-malware\ewidoctrl.exe
        C:\folding\F@H1\FAH504-Console.exe
        C:\Program Files\Common Files\LightScribe\LSSrvc.exe
        C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
        C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
        C:\WINDOWS\system32\nvsvc32.exe
        C:\WINDOWS\system32\HPZipm12.exe
        C:\Program Files\TiVo\Desktop\TiVoNotify.exe
        C:\WINDOWS\system32\svchost.exe
        C:\Program Files\Symantec AntiVirus\Rtvscan.exe
        C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
        C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
        C:\Program Files\TiVo\Desktop\TiVoServer.exe
        C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
        C:\Program Files\Apple Computer\DVD@ccess\DVDAccess.exe
        C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
        C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
        C:\WINDOWS\system32\wscntfy.exe
        C:\WINDOWS\eHome\ehmsas.exe
        C:\Program Files\iPod\bin\iPodService.exe
        C:\WINDOWS\System32\svchost.exe
        C:\HP\KBD\KBD.EXE
        c:\windows\system\hpsysdrv.exe
        C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\Program Files\Common Files\Real\Update_OB\realsched.exe
        C:\folding\F@H1\FahCore_81.exe
        C:\WINDOWS\system32\NOTEPAD.EXE
        C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
        R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
        O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
        O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
        O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
        O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
        O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
        O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
        O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
        O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
        O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
        O4 - HKLM\..\Run: [TrayServer] "C:\Program Files\MAGIX\Movie_Edit_Pro_12\TrayServer.exe"
        O4 - HKLM\..\Run: [DISCover] "C:\Program Files\DISC\DISCover.exe" nogui
        O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
        O4 - HKLM\..\Run: [vptray] "C:\PROGRA~1\SYMANT~1\VPTray.exe"
        O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
        O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
        O4 - HKLM\..\Run: [Recguard] "C:\WINDOWS\SMINST\RECGUARD.EXE"
        O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
        O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /install
        O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
        O4 - HKLM\..\Run: [AlwaysReady Power Message APP] "C:\WINDOWS\ARPWRMSG.EXE"
        O4 - HKLM\..\Run: [RTHDCPL] "C:\WINDOWS\RTHDCPL.EXE"
        O4 - HKLM\..\Run: [ftutil2] "C:\WINDOWS\system32\rundll32.exe" ftutil2.dll,SetWriteCacheMode
        O4 - HKLM\..\Run: [ehTray] "C:\WINDOWS\ehome\ehtray.exe"
        O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
        O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
        O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
        O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
        O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
        O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
        O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
        O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
        O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
        O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
        O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
        O4 - Global Startup: DVD@ccess.lnk = ?
        O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
        O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
        O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
        O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
        O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
        O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
        O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
        O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
        O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
        O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O15 - Trusted Zone: http://*.netdimensions.com
        O15 - Trusted Zone: http://*.skillsoft.com
        O15 - Trusted Zone: http://*.trymedia.com (HKLM)
        O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
        O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
        O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://www.taxsimple.org/tsweb/msrdp.cab
        O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
        O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc02.custhelp.com/7560-b440h-turbotax/rnl/java/RntX.cab
        O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
        O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
        O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
        O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
        O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
        O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
        O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
        O23 - Service: FAH@C:+folding+F@H1+FAH504-Console.exe - Stanford University - C:\folding\F@H1\FAH504-Console.exe
        O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
        O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
        O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
        O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
        O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
        O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
        O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
        O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
        O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
        O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
        O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
        O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe
        O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
        O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe

        --
        End of file - 13164 bytes
      • Trogan London, UK
        edited November 2008
        Hi,

        Please do the following...

        1. Kaspersky has flagged a lot of emails from Outlook. They may not be infected themselves, but may contain harmful HTML links? You will have to determine if they are safe or not, maybe by checking each email.

        Suspicious:
        C:\chip mail\Sent Items.dbx <-- Trojan-Spy.HTML.Fraud.gen
        C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{C61683AB-9972-4232-B55C-C13C2C85E71A}\Microsoft\Outlook Express\Deleted Items.bak
        C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{C61683AB-9972-4232-B55C-C13C2C85E71A}\Microsoft\Outlook Express\Deleted Items.dbx
        C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{C61683AB-9972-4232-B55C-C13C2C85E71A}\Microsoft\Outlook Express\Inbox.dbx
        C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{D190EE07-1887-4595-8F62-6253114299D2}\Microsoft\Outlook Express\saved sent
        C:\Outlook Express Backup\Chip\Sent Items.dbx
        C:\Outlook Express Backup\Chip -satx\Sent Items.dbx
        C:\Outlook Express Backup\LeAnn Atkinson\Deleted Items.dbx
        C:\Outlook Express Backup\LeAnn Atkinson\Inbox.dbx
        C:\Outlook Express Backup\LeAnn-satx\Deleted Items.dbx
        C:\Outlook Express Backup\LeAnn-satx\Inbox.dbx
        K:\Leann mail\Deleted Items.dbx
        K:\Leann mail\Inbox.dbx

        2. Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Follow these steps to remove older versions of Java components and update to the latest version...

        Please download JavaRa and unzip it to your desktop.

        ***Please close any instances of Internet Explorer (or other web browser) before continuing!***
        • Double-click on JavaRa.exe to start the program.
        • From the drop-down menu, choose English and click on Select.
        • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
        • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
        • A logfile will pop up. Please save it to a convenient location.
        Now download and install Java SE Runtime Environment (JRE) 6 Update 10.

        3. Open HijackThis
        - Click the Do a system scan only button
        - Check the following entries (below)

        If you do not need these in the Trusted Zone, then remove them.
        O15 - Trusted Zone: http://*.netdimensions.com
        O15 - Trusted Zone: http://*.skillsoft.com
        O15 - Trusted Zone: http://*.trymedia.com (HKLM)

        - Close ALL open windows (especially Internet Explorer!)
        - Click Fix Checked
        - Close HijackThis

        4. Apart from that, everything looks fine. Let me know if you have any questions.
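        A small script that automates the two checks in steps 2 and 3 of the reply above, as an added example that is not part of this thread and not a Trend Micro or HijackThis tool: it parses HijackThis-style lines into (section, body) pairs, lists every O15 Trusted Zone entry with the hive it lives in (HJT marks machine-wide entries with a trailing "(HKLM)"), and reads the Add/Remove Programs list for Java runtime entries so the newest install can be kept and the older ones removed. The sample log lines and program names are a constructed excerpt in the shape of the logs posted above, and the regular expressions for the "Trusted Zone:" and Java entry formats are my assumptions based on those lines.

```python
import re

# Constructed sample input: a handful of lines in the shape of the HijackThis
# log and Add/Remove Programs list posted earlier in this thread (an excerpt,
# not the full log).
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O15 - Trusted Zone: http://*.netdimensions.com
O15 - Trusted Zone: http://*.skillsoft.com
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
"""

SAMPLE_PROGRAMS = [
    "Adobe Reader 8.1.3",
    "J2SE Runtime Environment 5.0 Update 10",
    "J2SE Runtime Environment 5.0 Update 11",
    "J2SE Runtime Environment 5.0 Update 6",
    "Java(TM) 6 Update 2",
    "Java(TM) 6 Update 3",
    "Java(TM) 6 Update 5",
    "Java(TM) 6 Update 7",
    "Java(TM) SE Runtime Environment 6 Update 1",
    "Malwarebytes' Anti-Malware",
]

# Assumed line shapes, derived from the log excerpt above.
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
TRUSTED_ZONE = re.compile(r"^Trusted Zone: (?P<pattern>\S+)(?: \((?P<hive>HKLM)\))?$")
JAVA_ENTRY = re.compile(
    r"^(?:J2SE Runtime Environment|Java\(TM\)(?: SE Runtime Environment)?) "
    r"(?P<major>\d+)(?:\.\d+)? Update (?P<update>\d+)$"
)


def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs, e.g. ('O15', 'Trusted Zone: ...')."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def trusted_zone_entries(entries):
    """Return every O15 entry as {'pattern': ..., 'hive': 'HKCU' | 'HKLM'}.

    A trailing '(HKLM)' marks a machine-wide entry; the rest are per-user (HKCU).
    """
    found = []
    for section, body in entries:
        if section != "O15":
            continue
        m = TRUSTED_ZONE.match(body)
        if m:
            found.append({"pattern": m.group("pattern"), "hive": m.group("hive") or "HKCU"})
    return found


def java_installs(program_names):
    """Map each installed Java runtime entry to a comparable (major, update) tuple."""
    versions = {}
    for name in program_names:
        m = JAVA_ENTRY.match(name)
        if m:
            versions[name] = (int(m.group("major")), int(m.group("update")))
    return versions


def stale_java(program_names):
    """Return (newest_entry, [older entries]); the older ones are the removal candidates."""
    versions = java_installs(program_names)
    if not versions:
        return None, []
    newest = max(versions, key=versions.get)
    older = sorted(n for n in versions if n != newest)
    return newest, older


def review(hjt_text, program_names):
    """Run both checks over a log and an uninstall list and return the findings."""
    newest, older = stale_java(program_names)
    return {
        "trusted_zones": trusted_zone_entries(parse_hjt(hjt_text)),
        "java_newest": newest,
        "java_stale": older,
    }


if __name__ == "__main__":
    result = review(SAMPLE_HJT, SAMPLE_PROGRAMS)
    for tz in result["trusted_zones"]:
        print(f"Trusted Zone ({tz['hive']}): {tz['pattern']}")
    print(f"Newest Java: {result['java_newest']}")
    for name in result["java_stale"]:
        print(f"Stale Java:  {name}")
```

        Run against the excerpt it reports the three Trusted Zone entries (the trymedia.com one as HKLM, the other two as HKCU) and names "Java(TM) 6 Update 7" as the install to keep, with the seven older entries listed for removal; point it at a full log and uninstall list to get the same summary for a real machine.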
      • chipatkinson San Antonio Texas
        edited November 2008
        I followed all your instructions. Thanks for your help!:D
      • Trogan London, UK
        edited November 2008
        You're welcome! :)