please help. neXplore pop-ups

Unknown

i have recently started getting these neXplore related pop-ups.
i use firefox 3.5 and these pop-ups are internet explorer.

if anyone could help me resolve this issue, i would greatly appreciate it.
=)

here's my HJT log.



Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 3:07:54 PM, on 12/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\arservice.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gecu-ep.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: (no name) - {e6195d7d-5de0-4f01-9e27-cd40867b9900} - kokiguto.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [vevoyofatu] Rundll32.exe "hunazazi.dll",s
O4 - HKLM\..\Run: [nuzuvugem] Rundll32.exe "c:\windows\system32\helileve.dll",a
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: nizosole.dll c:\windows\system32\helileve.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O21 - SSODL: SwUpdate - {009541A0-3B00-1F1C-00F3-040224001C01} - C:\Documents and Settings\All Users\Application Data\Macromedia\SwUpdate\swupdate.dll
O21 - SSODL: nadokezam - {00ecf2f0-ddbe-4d2d-8fe2-c696dd74b669} - c:\windows\system32\helileve.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: tokatiluy - {00ecf2f0-ddbe-4d2d-8fe2-c696dd74b669} - c:\windows\system32\helileve.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

--
End of file - 8303 bytes

chiaz

Hey there, welcome.

A few things before we start....
1. Please Read All Instructions Carefully.
2. If you don't understand something, stop and ask! Don't keep going on.
3. Please do not run any other tools or scans whilst I am helping you.
4. If you have to go away for an extended period of time, let me know.
5. Please continue to respond until I give you the "All Clear".
(Just because you can't see a problem doesn't mean it isn't there)

===============

Please download Malwarebytes' Anti-Malware by clicking the link below:
http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* You'll be required to post the contents of this log later.

Please Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.



Next let's have you download ComboFix.exe. Please visit this webpage for downloading and instructions for running the tool:

Go here ======> A guide and tutorial on using ComboFix <====== Go here

Please ensure you read this guide carefully and install the Recovery Console first.This applies to XP Pro and XP Home users only.If you have SP3 installed you will need to use the download meant for SP2.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should get a prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

(1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.


Please include the MBAM log, C:\ComboFix.txt as well as a new HijackThis log for further review, so that we may continue cleansing the system.


Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.

nocaptainyet

thank you for responding. =)

i'm having a problem with the Malwarebytes' Anti-Malware.
i've downloaded it and installed but it is not launching.
it say that the mbam.exe has been deleted or moved and it will not work.
what do i do?

chiaz

Try renaming the file. For example, rename MBAM.exe to aaa.exe.

If it still doesn't work after renaming, go on with ComboFix.

nocaptainyet

still didn't work.

but here's the combofix log.

ComboFix 09-12-29.04 - HP_Administrator 12/29/2009 15:58:18.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.486 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate\swUPdate.dll
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\kb913800.exe
c:\windows\system32\fogiguzu.dll
c:\windows\system32\hojubipa.dll
c:\windows\system32\hunazazi.dll
c:\windows\system32\liwifina.dll
c:\windows\system32\lojaloke.dll
c:\windows\system32\lugapeda.dll
c:\windows\system32\neyikine.dll
c:\windows\system32\niketota.dll
c:\windows\system32\nizosole.dll
c:\windows\Tasks\fpydaost.job
D:\Autorun.inf

---

BITS: Possible infected sites

---

hxxp://82.98.235.34
.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-29 )))))))))))))))))))))))))))))))
.

2009-12-29 02:10 . 2009-12-29 18:54

---

d

---

w- c:\program files\Malwarebytes' Anti-Malware
2009-12-29 01:46 . 2009-12-29 01:46

---

d

---

w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-12-29 01:46 . 2009-12-29 01:46

---

d

---

w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-28 22:07 . 2009-12-28 22:07 388096 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-28 22:07 . 2009-12-28 22:07

---

d

---

w- c:\program files\TrendMicro
2009-12-24 22:09 . 2009-12-24 22:09

---

d

---

w- c:\documents and settings\All Users\Application Data\WEBREG
2009-12-24 21:53 . 2009-12-24 22:00

---

d

---

w- c:\documents and settings\HP_Administrator\Application Data\HP
2009-12-24 21:45 . 2009-12-24 21:45

---

d

---

w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-12-24 21:45 . 2009-12-24 21:45

---

d

---

w- c:\documents and settings\All Users\Application Data\HP
2009-12-24 21:44 . 2009-12-24 21:44

---

d

---

w- c:\program files\Common Files\Hewlett-Packard
2009-12-24 21:44 . 2007-12-18 01:05 278016 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp5mu.dll
2009-12-24 21:44 . 2008-02-07 17:26 118272 ----a-w- c:\windows\system32\hpz3l5mu.dll
2009-12-24 21:43 . 2004-08-04 05:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-12-24 21:43 . 2004-08-04 05:58 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2009-12-24 21:43 . 2008-02-12 19:49 271704 ----a-w- c:\windows\system32\hpzids01.dll
2009-12-24 21:42 . 2007-10-31 00:22 303104 ----a-w- c:\windows\system32\hpovst14.dll
2009-12-24 21:42 . 2007-10-31 00:22 970752 ----a-w- c:\windows\system32\hpotiop6.dll
2009-12-24 21:42 . 2007-10-31 00:22 729088 ----a-w- c:\windows\system32\hpowiax8.dll
2009-12-24 21:41 . 2009-12-24 21:57 157442 ----a-w- c:\windows\hpoins29.dat
2009-12-24 21:41 . 2008-02-20 20:43 986

---

w- c:\windows\hpomdl29.dat
2009-12-24 20:52 . 2009-08-27 05:41 49920 ----a-w- c:\windows\system32\drivers\HPZid412.sys
2009-12-24 20:52 . 2009-08-27 05:41 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys
2009-12-24 20:52 . 2009-12-24 21:43

---

dc----w- c:\windows\system32\DRVSTORE
2009-12-23 20:40 . 2009-12-23 20:40

---

d

---

w- c:\documents and settings\HP_Administrator\Application Data\AdobeUM
2009-12-23 20:39 . 2009-12-23 20:39

---

d

---

w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Adobe
2009-12-23 16:56 . 2009-12-23 16:56

---

d

---

w- c:\documents and settings\HP_Administrator\Application Data\HPQ
2009-12-22 17:48 . 2009-12-15 06:58 3776280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2009-12-22 17:48 . 2009-12-15 06:58 4043032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-12-22 17:48 . 2009-12-15 06:58 3967256 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-12-22 17:48 . 2009-12-15 06:58 916248 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
2009-12-20 23:37 . 2009-12-20 23:37

---

d

---

w- c:\windows\Sun
2009-12-18 17:38 . 2009-12-18 17:38 294656 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglngx.dll
2009-12-18 17:38 . 2009-12-15 06:58 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll
2009-12-16 15:23 . 2009-12-16 15:23

---

d

---

w- c:\documents and settings\HP_Administrator\Application Data\Template
2009-12-16 15:18 . 2004-08-04 06:01 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-12-16 15:18 . 2004-08-04 06:01 25856 ----a-w- c:\windows\system32\dllcache\usbprint.sys
2009-12-16 15:05 . 2004-08-04 06:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-12-16 15:05 . 2004-08-04 06:08 31616 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-12-16 05:45 . 2004-08-10 04:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-12-16 05:22 . 2009-12-16 05:22

---

d

---

w- c:\program files\Windows Media Connect 2
2009-12-16 05:20 . 2009-12-16 05:21

---

d

---

w- c:\windows\system32\drivers\UMDF
2009-12-16 05:20 . 2009-12-16 05:20

---

d

---

w- c:\windows\system32\LogFiles
2009-12-16 05:20 . 2009-12-16 05:20

---

d

---

w- C:\40901231917794212f
2009-12-16 05:14 . 2009-12-16 05:16

---

d

---

w- c:\documents and settings\HP_Administrator\Application Data\Otto
2009-12-16 05:14 . 2009-12-16 05:16

---

d

---

w- c:\documents and settings\All Users\Application Data\Otto
2009-12-16 01:53 . 2009-12-16 01:53 1924200 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-12-16 01:53 . 2009-12-16 01:59

---

d

---

w- c:\documents and settings\All Users\Application Data\NOS
2009-12-15 23:56 . 2009-12-17 17:48

---

d

---

w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Identities
2009-12-15 23:44 . 2009-12-15 23:44 0 ----a-w- c:\windows\nsreg.dat
2009-12-15 23:44 . 2009-12-15 23:44

---

d

---

w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Mozilla
2009-12-15 19:43 . 2009-10-29 07:46 52224

---

w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-12-15 19:43 . 2009-10-29 07:46 459264

---

w- c:\windows\system32\dllcache\msfeeds.dll
2009-12-15 19:43 . 2009-10-29 07:46 6067200

---

w- c:\windows\system32\dllcache\ieframe.dll
2009-12-15 19:43 . 2009-10-29 07:46 268288

---

w- c:\windows\system32\dllcache\iertutil.dll
2009-12-15 19:43 . 2009-10-29 07:46 63488

---

w- c:\windows\system32\dllcache\icardie.dll
2009-12-15 19:43 . 2009-10-29 07:46 380928

---

w- c:\windows\system32\dllcache\ieapfltr.dll
2009-12-15 19:43 . 2009-10-28 14:36 13824

---

w- c:\windows\system32\dllcache\ieudinit.exe
2009-12-15 19:43 . 2009-06-29 08:33 2452872

---

w- c:\windows\system32\dllcache\ieapfltr.dat
2009-12-15 18:47 . 2009-12-15 18:47

---

d

---

w- c:\windows\ServicePackFiles
2009-12-15 18:44 . 2009-12-15 18:44

---

d

---

w- c:\program files\MSXML 4.0
2009-12-15 17:10 . 2009-12-15 17:41

---

d

---

w- c:\windows\system32\CatRoot_bak
2009-12-15 17:08 . 2008-06-13 13:10 272128

---

w- c:\windows\system32\drivers\bthport.sys
2009-12-15 17:08 . 2008-06-13 13:10 272128

---

w- c:\windows\system32\dllcache\bthport.sys
2009-12-15 16:50 . 2008-10-24 11:10 453632

---

w- c:\windows\system32\dllcache\mrxsmb.sys
2009-12-15 16:50 . 2009-08-04 13:58 2136064

---

w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-15 16:50 . 2009-08-04 14:00 2180352

---

w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-15 16:50 . 2009-08-04 13:13 2015744

---

w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-15 16:50 . 2009-08-04 13:13 2057728

---

w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-15 07:00 . 2009-11-25 20:01 1230080 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-12-15 06:58 . 2009-12-15 17:03

---

d

---

w- C:\$AVG
2009-12-15 06:58 . 2009-12-15 06:58 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-15 06:58 . 2009-12-15 06:58 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-15 06:58 . 2009-12-15 06:58 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-12-15 06:58 . 2009-12-29 22:56

---

d

---

w- c:\windows\system32\drivers\Avg
2009-12-15 06:58 . 2009-12-15 07:00

---

d

---

w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-12-15 06:58 . 2009-12-15 06:58 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-15 06:58 . 2009-12-15 06:58

---

d

---

w- c:\program files\AVG
2009-12-15 06:58 . 2009-12-29 22:55

---

d

---

w- c:\documents and settings\All Users\Application Data\avg9
2009-12-15 06:31 . 2009-12-15 06:31

---

d-sh--w- c:\documents and settings\HP_Administrator\UserData
2009-12-15 06:26 . 2006-12-16 17:07

---

d

---

w- c:\windows\system32\config\systemprofile\Application Data\Symantec
2009-12-15 06:26 . 2006-12-16 16:44

---

d

---

w- c:\windows\system32\config\systemprofile\Application Data\Intuit
2009-12-15 06:26 . 2006-12-16 16:43

---

d

---

w- c:\windows\system32\config\systemprofile\WINDOWS
2009-12-15 06:26 . 2006-12-16 16:43

---

d

---

w- c:\documents and settings\Default User\WINDOWS
2009-12-15 06:17 . 2009-12-29 23:02 247 ----a-w- c:\windows\system\hpsysdrv.dat
2009-12-15 06:07 . 2009-12-16 05:13

---

d

---

r- c:\documents and settings\All Users\Documents
2009-12-15 06:03 . 2009-12-27 05:13

---

d-sh--r- c:\windows\system32\dllcache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-24 21:48 . 2006-12-16 16:40

---

d

---

w- c:\program files\Hewlett-Packard
2009-12-24 21:45 . 2006-12-16 16:29

---

d

---

w- c:\program files\HP
2009-12-24 21:44 . 2006-12-16 17:08

---

d

---

w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-12-16 15:23 . 2009-12-16 15:23 0 ----a-w- c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2009-12-16 05:13 . 2009-12-15 06:27 139 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\fusioncache.dat
2009-12-16 01:50 . 2006-12-16 16:34

---

d

---

w- c:\program files\HP DigitalMedia Archive
2009-12-15 16:41 . 2006-12-16 17:00

---

d

---

w- c:\program files\Common Files\Symantec Shared
2009-12-15 16:41 . 2006-12-16 17:00

---

d

---

w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-15 07:09 . 2006-12-16 16:57

---

d

---

w- c:\program files\Yahoo!
2009-12-15 07:09 . 2006-12-16 16:34

---

d

---

w- c:\program files\Sonic
2009-12-15 07:08 . 2006-12-16 16:33

---

d

---

w- c:\program files\Common Files\Real
2009-12-15 07:07 . 2006-12-16 16:44

---

d

---

w- c:\program files\Quicken
2009-12-15 07:04 . 2006-12-16 16:36

---

d

---

w- c:\documents and settings\All Users\Application Data\WildTangent
2009-12-15 07:01 . 2006-12-16 16:04

---

d

---

w- c:\program files\GemMaster
2009-12-15 06:29 . 2009-12-15 06:29 1733 --sha-r- c:\windows\system32\drivers\103C_HP_CPC_RB044AV-ABA a1620y_YC_0Pavi_QMXG650_E64NAecMPA9_48_IAsterope3_SECS_V1.0_B3.19_T060905_WXP2_L409_M960_J160_7Intel_8Pentium 4_93.06_#061221_N10EC8139_Z14F12F20_G10025A61_OLITE-ON COMBO SOHC-4836K_DHWP2647.MRK
2009-10-29 07:46 . 2004-08-10 04:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-10 04:00 78336

---

w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-10 04:00 17408

---

w- c:\windows\system32\corpol.dll
2009-10-21 06:00 . 2004-08-10 04:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2004-08-10 04:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-10 04:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:53 . 2004-08-10 04:00 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2004-08-10 04:00 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2004-08-10 04:00 112128 ----a-w- c:\windows\system32\rastls.dll
2009-09-29 18:56 . 2009-09-29 18:56 61440 --sha-w- c:\windows\system32\howiduga.dll
2009-09-28 03:17 . 2009-09-28 03:17 51712 --sha-w- c:\windows\system32\kokiguto.dll
2009-09-28 03:16 . 2009-09-28 03:16 51712 --sha-w- c:\windows\system32\lumuheze.dll
2009-09-27 15:17 . 2009-09-27 15:17 93184 --sha-w- c:\windows\system32\wufewoga.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 20:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e6195d7d-5de0-4f01-9e27-cd40867b9900}]
2009-09-28 03:17 51712 --sha-w- c:\windows\system32\kokiguto.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-14 16239616]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-15 2033432]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-12-15 06:58 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
2006-04-13 17:05 90112 ----a-w- c:\program files\HP DigitalMedia Archive\DMAScheduler.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/14/2009 11:58 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/14/2009 11:58 PM 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [12/14/2009 11:58 PM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [12/14/2009 11:58 PM 285392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.

---

Supplementary Scan

---

.
uStart Page = hxxp://gecu-ep.org/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
Trusted Zone: trymedia.com
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qfwglqwe.default\
FF - prefs.js: browser.startup.homepage - hxxp://gecu-ep.org/
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PCDrProfiler - (no file)
HKLM-Run-vevoyofatu - hunazazi.dll
HKLM-Run-nuzuvugem - c:\windows\system32\liwifina.dll
SharedTaskScheduler-{1d62adec-00d5-4f83-9fa3-e92bcb5fb15e} - c:\windows\system32\liwifina.dll
SSODL-sabuzemam-{1d62adec-00d5-4f83-9fa3-e92bcb5fb15e} - c:\windows\system32\liwifina.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-29 16:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.

---

DLLs Loaded Under Running Processes

---

- - - - - - - > 'winlogon.exe'(616)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2860)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.

---

Other Running Processes

---

.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\arservice.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\RTHDCPL.EXE
c:\windows\ARPWRMSG.EXE
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system32\dllhost.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-12-29 16:06:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-29 23:06

Pre-Run: 139,727,450,112 bytes free
Post-Run: 140,577,632,256 bytes free

- - End Of File - - 69EEA7A2B3FC26897270AC9051DAED3E

nocaptainyet

new HJT log

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 4:30:13 PM, on 12/29/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\arservice.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\explorer.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gecu-ep.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: (no name) - {e6195d7d-5de0-4f01-9e27-cd40867b9900} - kokiguto.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

--
End of file - 6777 bytes

chiaz

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the red text in the quotebox below into it:

[COLOR="Red"]File::
c:\windows\system32\howiduga.dll
c:\windows\system32\kokiguto.dll
c:\windows\system32\lumuheze.dll
c:\windows\system32\wufewoga.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e6195d7d-5de0-4f01-9e27-cd40867b9900}][/COLOR]

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.




Refering to the picture above, drag CFScript.txt into ComboFix.exe


When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt in your new reply.

*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.*

nocaptainyet

ComboFix 09-12-29.04 - HP_Administrator 12/30/2009 11:32:22.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.485 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\howiduga.dll"
"c:\windows\system32\kokiguto.dll"
"c:\windows\system32\lumuheze.dll"
"c:\windows\system32\wufewoga.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\howiduga.dll
c:\windows\system32\kokiguto.dll
c:\windows\system32\lumuheze.dll
c:\windows\system32\wufewoga.dll

.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-30 )))))))))))))))))))))))))))))))
.

2009-12-29 02:10 . 2009-12-29 18:54

---

d

---

w- c:\program files\Malwarebytes' Anti-Malware
2009-12-29 01:46 . 2009-12-29 01:46

---

d

---

w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-12-29 01:46 . 2009-12-29 01:46

---

d

---

w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-28 22:07 . 2009-12-28 22:07 388096 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-28 22:07 . 2009-12-28 22:07

---

d

---

w- c:\program files\TrendMicro
2009-12-24 22:09 . 2009-12-24 22:09

---

d

---

w- c:\documents and settings\All Users\Application Data\WEBREG
2009-12-24 21:53 . 2009-12-24 22:00

---

d

---

w- c:\documents and settings\HP_Administrator\Application Data\HP
2009-12-24 21:45 . 2009-12-24 21:45

---

d

---

w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-12-24 21:45 . 2009-12-24 21:45

---

d

---

w- c:\documents and settings\All Users\Application Data\HP
2009-12-24 21:44 . 2009-12-24 21:44

---

d

---

w- c:\program files\Common Files\Hewlett-Packard
2009-12-24 21:44 . 2007-12-18 01:05 278016 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp5mu.dll
2009-12-24 21:44 . 2008-02-07 17:26 118272 ----a-w- c:\windows\system32\hpz3l5mu.dll
2009-12-24 21:43 . 2004-08-04 05:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-12-24 21:43 . 2004-08-04 05:58 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2009-12-24 21:43 . 2008-02-12 19:49 271704 ----a-w- c:\windows\system32\hpzids01.dll
2009-12-24 21:42 . 2007-10-31 00:22 303104 ----a-w- c:\windows\system32\hpovst14.dll
2009-12-24 21:42 . 2007-10-31 00:22 970752 ----a-w- c:\windows\system32\hpotiop6.dll
2009-12-24 21:42 . 2007-10-31 00:22 729088 ----a-w- c:\windows\system32\hpowiax8.dll
2009-12-24 21:41 . 2009-12-24 21:57 157442 ----a-w- c:\windows\hpoins29.dat
2009-12-24 21:41 . 2008-02-20 20:43 986

---

w- c:\windows\hpomdl29.dat
2009-12-24 20:52 . 2009-08-27 05:41 49920 ----a-w- c:\windows\system32\drivers\HPZid412.sys
2009-12-24 20:52 . 2009-08-27 05:41 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys
2009-12-24 20:52 . 2009-12-24 21:43

---

dc----w- c:\windows\system32\DRVSTORE
2009-12-23 20:40 . 2009-12-23 20:40

---

d

---

w- c:\documents and settings\HP_Administrator\Application Data\AdobeUM
2009-12-23 20:39 . 2009-12-23 20:39

---

d

---

w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Adobe
2009-12-23 16:56 . 2009-12-23 16:56

---

d

---

w- c:\documents and settings\HP_Administrator\Application Data\HPQ
2009-12-22 17:48 . 2009-12-15 06:58 3776280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2009-12-22 17:48 . 2009-12-15 06:58 4043032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-12-22 17:48 . 2009-12-15 06:58 3967256 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-12-22 17:48 . 2009-12-15 06:58 916248 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
2009-12-20 23:37 . 2009-12-20 23:37

---

d

---

w- c:\windows\Sun
2009-12-18 17:38 . 2009-12-18 17:38 294656 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglngx.dll
2009-12-18 17:38 . 2009-12-15 06:58 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll
2009-12-16 15:23 . 2009-12-16 15:23

---

d

---

w- c:\documents and settings\HP_Administrator\Application Data\Template
2009-12-16 15:18 . 2004-08-04 06:01 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-12-16 15:18 . 2004-08-04 06:01 25856 ----a-w- c:\windows\system32\dllcache\usbprint.sys
2009-12-16 15:05 . 2004-08-04 06:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-12-16 15:05 . 2004-08-04 06:08 31616 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-12-16 05:45 . 2004-08-10 04:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-12-16 05:22 . 2009-12-16 05:22

---

d

---

w- c:\program files\Windows Media Connect 2
2009-12-16 05:20 . 2009-12-16 05:21

---

d

---

w- c:\windows\system32\drivers\UMDF
2009-12-16 05:20 . 2009-12-16 05:20

---

d

---

w- c:\windows\system32\LogFiles
2009-12-16 05:20 . 2009-12-16 05:20

---

d

---

w- C:\40901231917794212f
2009-12-16 05:14 . 2009-12-16 05:16

---

d

---

w- c:\documents and settings\HP_Administrator\Application Data\Otto
2009-12-16 05:14 . 2009-12-16 05:16

---

d

---

w- c:\documents and settings\All Users\Application Data\Otto
2009-12-16 01:53 . 2009-12-16 01:53 1924200 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-12-16 01:53 . 2009-12-16 01:59

---

d

---

w- c:\documents and settings\All Users\Application Data\NOS
2009-12-15 23:56 . 2009-12-17 17:48

---

d

---

w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Identities
2009-12-15 23:44 . 2009-12-15 23:44 0 ----a-w- c:\windows\nsreg.dat
2009-12-15 23:44 . 2009-12-15 23:44

---

d

---

w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Mozilla
2009-12-15 19:43 . 2009-10-29 07:46 52224

---

w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-12-15 19:43 . 2009-10-29 07:46 459264

---

w- c:\windows\system32\dllcache\msfeeds.dll
2009-12-15 19:43 . 2009-10-29 07:46 6067200

---

w- c:\windows\system32\dllcache\ieframe.dll
2009-12-15 19:43 . 2009-10-29 07:46 268288

---

w- c:\windows\system32\dllcache\iertutil.dll
2009-12-15 19:43 . 2009-10-29 07:46 63488

---

w- c:\windows\system32\dllcache\icardie.dll
2009-12-15 19:43 . 2009-10-29 07:46 380928

---

w- c:\windows\system32\dllcache\ieapfltr.dll
2009-12-15 19:43 . 2009-10-28 14:36 13824

---

w- c:\windows\system32\dllcache\ieudinit.exe
2009-12-15 19:43 . 2009-06-29 08:33 2452872

---

w- c:\windows\system32\dllcache\ieapfltr.dat
2009-12-15 18:47 . 2009-12-15 18:47

---

d

---

w- c:\windows\ServicePackFiles
2009-12-15 18:44 . 2009-12-15 18:44

---

d

---

w- c:\program files\MSXML 4.0
2009-12-15 17:10 . 2009-12-15 17:41

---

d

---

w- c:\windows\system32\CatRoot_bak
2009-12-15 17:08 . 2008-06-13 13:10 272128

---

w- c:\windows\system32\drivers\bthport.sys
2009-12-15 17:08 . 2008-06-13 13:10 272128

---

w- c:\windows\system32\dllcache\bthport.sys
2009-12-15 16:50 . 2008-10-24 11:10 453632

---

w- c:\windows\system32\dllcache\mrxsmb.sys
2009-12-15 16:50 . 2009-08-04 13:58 2136064

---

w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-15 16:50 . 2009-08-04 14:00 2180352

---

w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-15 16:50 . 2009-08-04 13:13 2015744

---

w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-15 16:50 . 2009-08-04 13:13 2057728

---

w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-15 07:00 . 2009-11-25 20:01 1230080 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-12-15 06:58 . 2009-12-15 17:03

---

d

---

w- C:\$AVG
2009-12-15 06:58 . 2009-12-15 06:58 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-15 06:58 . 2009-12-15 06:58 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-15 06:58 . 2009-12-15 06:58 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-12-15 06:58 . 2009-12-30 18:31

---

d

---

w- c:\windows\system32\drivers\Avg
2009-12-15 06:58 . 2009-12-15 07:00

---

d

---

w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-12-15 06:58 . 2009-12-15 06:58 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-15 06:58 . 2009-12-15 06:58

---

d

---

w- c:\program files\AVG
2009-12-15 06:58 . 2009-12-29 22:55

---

d

---

w- c:\documents and settings\All Users\Application Data\avg9
2009-12-15 06:31 . 2009-12-15 06:31

---

d-sh--w- c:\documents and settings\HP_Administrator\UserData
2009-12-15 06:26 . 2006-12-16 17:07

---

d

---

w- c:\windows\system32\config\systemprofile\Application Data\Symantec
2009-12-15 06:26 . 2006-12-16 16:44

---

d

---

w- c:\windows\system32\config\systemprofile\Application Data\Intuit
2009-12-15 06:26 . 2006-12-16 16:43

---

d

---

w- c:\windows\system32\config\systemprofile\WINDOWS
2009-12-15 06:26 . 2006-12-16 16:43

---

d

---

w- c:\documents and settings\Default User\WINDOWS
2009-12-15 06:17 . 2009-12-30 18:26 247 ----a-w- c:\windows\system\hpsysdrv.dat
2009-12-15 06:07 . 2009-12-16 05:13

---

d

---

r- c:\documents and settings\All Users\Documents
2009-12-15 06:03 . 2009-12-27 05:13

---

d-sh--r- c:\windows\system32\dllcache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-24 21:48 . 2006-12-16 16:40

---

d

---

w- c:\program files\Hewlett-Packard
2009-12-24 21:45 . 2006-12-16 16:29

---

d

---

w- c:\program files\HP
2009-12-24 21:44 . 2006-12-16 17:08

---

d

---

w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-12-16 15:23 . 2009-12-16 15:23 0 ----a-w- c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2009-12-16 05:13 . 2009-12-15 06:27 139 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\fusioncache.dat
2009-12-16 01:50 . 2006-12-16 16:34

---

d

---

w- c:\program files\HP DigitalMedia Archive
2009-12-15 16:41 . 2006-12-16 17:00

---

d

---

w- c:\program files\Common Files\Symantec Shared
2009-12-15 16:41 . 2006-12-16 17:00

---

d

---

w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-15 07:09 . 2006-12-16 16:57

---

d

---

w- c:\program files\Yahoo!
2009-12-15 07:09 . 2006-12-16 16:34

---

d

---

w- c:\program files\Sonic
2009-12-15 07:08 . 2006-12-16 16:33

---

d

---

w- c:\program files\Common Files\Real
2009-12-15 07:07 . 2006-12-16 16:44

---

d

---

w- c:\program files\Quicken
2009-12-15 07:04 . 2006-12-16 16:36

---

d

---

w- c:\documents and settings\All Users\Application Data\WildTangent
2009-12-15 07:01 . 2006-12-16 16:04

---

d

---

w- c:\program files\GemMaster
2009-12-15 06:29 . 2009-12-15 06:29 1733 --sha-r- c:\windows\system32\drivers\103C_HP_CPC_RB044AV-ABA a1620y_YC_0Pavi_QMXG650_E64NAecMPA9_48_IAsterope3_SECS_V1.0_B3.19_T060905_WXP2_L409_M960_J160_7Intel_8Pentium 4_93.06_#061221_N10EC8139_Z14F12F20_G10025A61_OLITE-ON COMBO SOHC-4836K_DHWP2647.MRK
2009-10-29 07:46 . 2004-08-10 04:00 832512

---

w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-10 04:00 78336

---

w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-10 04:00 17408

---

w- c:\windows\system32\corpol.dll
2009-10-21 06:00 . 2004-08-10 04:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2004-08-10 04:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-10 04:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:53 . 2004-08-10 04:00 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2004-08-10 04:00 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2004-08-10 04:00 112128 ----a-w- c:\windows\system32\rastls.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 20:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-14 16239616]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-15 2033432]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-12-15 06:58 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
2006-04-13 17:05 90112 ----a-w- c:\program files\HP DigitalMedia Archive\DMAScheduler.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/14/2009 11:58 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/14/2009 11:58 PM 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [12/14/2009 11:58 PM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [12/14/2009 11:58 PM 285392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.

---

Supplementary Scan

---

.
uStart Page = hxxp://gecu-ep.org/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
Trusted Zone: trymedia.com
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qfwglqwe.default\
FF - prefs.js: browser.startup.homepage - hxxp://gecu-ep.org/
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-30 11:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.

---

DLLs Loaded Under Running Processes

---

- - - - - - - > 'winlogon.exe'(612)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\cscdll.dll
.
Completion time: 2009-12-30 11:36:43
ComboFix-quarantined-files.txt 2009-12-30 18:36
ComboFix2.txt 2009-12-29 23:06

Pre-Run: 140,548,526,080 bytes free
Post-Run: 140,512,616,448 bytes free

- - End Of File - - 723DB71FB1FEA60AE2D37E4D94EFA44E

chiaz

Please download JavaRa to your desktop and unzip it to its own folder

• Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
• Accept any prompts.
• Open JavaRa.exe again and select Search For Updates.
• Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

===============

Now let's have you go HERE to run Panda ActiveScan 2.0

• Click the big green Scan now button
• If it wants to install an ActiveX component allow it
• It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
• Once the scan is completed, please hit the notepad icon next to the text Export to:
• Save it to a convenient location such as your Desktop
• Post the contents of the ActiveScan.txt in your next reply, as well as let me know how your PC is running now.

nocaptainyet

my computer is running fine, no more pop-ups, just getting the trojan warnings.

ANALYSIS: 2009-12-31 11:49:16
PROTECTIONS: 1
MALWARE: 8
SUSPECTS: 11
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
AVG Anti-Virus Free 9.0 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\documents and settings\hp_administrator\cookies\hp_administrator@doubleclick[1].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No c:\documents and settings\hp_administrator\cookies\hp_administrator@fastclick[1].txt
00377802 Spyware/PeoplePC Spyware No 0 Yes No c:\program files\online services\peoplepc\isp5900\dll\ras.dll
00950035 Cookie/RegistryDefender TrackingCookie No 0 Yes No c:\documents and settings\hp_administrator\cookies\hp_administrator@registrydefender[2].txt
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\rp31\a0005461.sys
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\rp31\a0005446.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\rp31\a0005448.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\rp31\a0005451.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\hojubipa.dll.vir
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\liwifina.dll.vir
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\neyikine.dll.vir
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\[4]-submit_2009-12-30_11.32.17.zip[howiduga.dll]
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\rp28\a0005174.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\rp29\a0005316.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\rp29\a0005334.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\rp31\a0005593.dll
03983016 Generic Malware Virus/Trojan No 0 Yes No c:\program files\updates from hp\9972322\program\interop.shdocvw.dll
05828873 Generic Trojan Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\documents and settings\all users\application data\macromedia\swupdate\swupdate.dll.vir
05828873 Generic Trojan Virus/Trojan No 0 Yes No c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\rp31\a0005443.dll
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No c:\documents and settings\hp_administrator\desktop\combofix.exe[32788r22fwjfw\pev.exe]
No c:\hp\recovery\wizard\swr_wizard.exe
No c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\rp30\a0005404.exe
No c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\rp31\a0005515.exe
No c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\rp31\a0005576.exe
No c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\rp31\a0005699.exe
No c:\qoobox\quarantine\c\windows\system32\hunazazi.dll.vir
No c:\qoobox\quarantine\c\windows\system32\nizosole.dll.vir
No c:\qoobox\quarantine\[4]-submit_2009-12-30_11.32.17.zip[kokiguto.dll]
No c:\qoobox\quarantine\[4]-submit_2009-12-30_11.32.17.zip[lumuheze.dll]
No c:\windows\pev.exe
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
191613 HIGH MS08-020
187733 HIGH MS08-008
182046 HIGH MS07-067
179553 HIGH MS07-061
170904 HIGH MS07-043
157260 HIGH MS07-020
157259 HIGH MS07-019
156477 HIGH MS07-017
150249 HIGH MS07-013
150248 HIGH MS07-012
150247 HIGH MS07-011
150243 HIGH MS07-008
150242 HIGH MS07-007
150241 MEDIUM MS07-006
141033 MEDIUM MS06-075
137571 HIGH MS06-070
133379 HIGH MS06-057
129977 MEDIUM MS06-053
129976 MEDIUM MS06-052
126092 MEDIUM MS06-050
126087 HIGH MS06-046
126086 MEDIUM MS06-045
126082 HIGH MS06-041
123421 HIGH MS06-036
120815 HIGH MS06-022
117384 MEDIUM MS06-018
108744 MEDIUM MS06-008
108742 MEDIUM MS06-006
93454 MEDIUM MS05-049

chiaz

Go to Control Panel > Add/Remove Programs and uninstall PeoplePC if present.

Then reboot your PC, before navigating to and deleting this folder if it still exists:
c:\program files\online services\peoplepc\

==================

It's time to remove ComboFix.

Go to to Start > Run
Type in box

combofix /uninstall

Note: the space between the X and the /u

Press Enter.

This command will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present

Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.




Please let me know if you are still getting warnings of any sort.