I see other similar threads but it looks like there is not a generic fix that I can copy from someone's solution. This occurs with IE and Firefox on XP. I've run a lot of antimalware/virus programs and have not fixed this. I appreciate any help you can give me. Below are logs from ComboFix and HijackThis if they can help. Thanks
ComboFix 10-06-06.04 - pbaumann 06/07/2010 8:29.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.485 [GMT -5:00]
Running from: c:\documents and settings\pbaumann\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
((((((((((((((((((((((((( Files Created from 2010-05-07 to 2010-06-07 )))))))))))))))))))))))))))))))
.
2010-06-07 04:40 . 2010-06-07 04:40 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-06-07 04:37 . 2010-06-07 04:43 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-07 04:37 . 2010-06-07 04:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-06-07 04:37 . 2010-06-07 04:37 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-06-07 02:37 . 2010-06-07 02:37 16384 ---ha-w- C:\SZKGFS.dat
2010-06-07 02:35 . 2010-06-07 02:35 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-06-07 02:35 . 2010-06-07 02:35 -------- d-----w- c:\program files\Common Files\iS3
2010-06-07 02:35 . 2010-06-07 03:56 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-06-07 02:14 . 2010-06-07 02:14 -------- d-----w- c:\program files\Trend Micro
2010-06-06 15:36 . 2010-06-07 12:14 -------- d-----w- c:\documents and settings\pbaumann\Application Data\SafeReturner
2010-06-06 15:35 . 2010-06-07 12:15 -------- d-----w- c:\program files\Safe Returner
2010-06-03 14:22 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-03 14:22 . 2010-06-03 14:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-03 14:22 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-10 19:45 . 2010-05-10 19:45 -------- d-----w- c:\windows\SolidWorks
2010-05-10 19:45 . 2010-05-10 19:45 -------- d-----w- c:\documents and settings\pbaumann\Application Data\SolidWorks
2010-05-10 19:24 . 2010-05-10 19:25 -------- d-----w- c:\program files\QuickTime
2010-05-10 19:24 . 2010-05-10 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-05-10 19:23 . 2010-05-10 19:23 -------- d-----w- c:\program files\Common Files\Apple
2010-05-10 19:23 . 2010-05-10 19:23 -------- d-----w- c:\documents and settings\pbaumann\Local Settings\Application Data\Apple
2010-05-10 19:23 . 2010-05-10 19:23 -------- d-----w- c:\program files\Apple Software Update
2010-05-10 19:23 . 2010-05-10 19:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-05-10 19:23 . 2010-05-10 19:23 -------- d-----w- c:\documents and settings\pbaumann\Local Settings\Application Data\Apple Computer
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-07 04:04 . 2007-03-05 13:25 -------- d-----w- c:\documents and settings\pbaumann\Application Data\Avvi
2010-06-07 02:44 . 2010-06-07 02:43 1224 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-06-07 02:19 . 2009-04-16 13:21 -------- d-----w- c:\program files\CCleaner
2010-06-06 15:36 . 2009-08-18 20:32 -------- d-----w- c:\documents and settings\pbaumann\Application Data\.oit
2010-06-04 04:52 . 2009-04-24 02:20 -------- d-----w- c:\program files\ARM7
2010-06-03 15:46 . 2010-04-17 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\iFolder
2010-05-21 02:06 . 2010-01-27 20:28 -------- d-----w- c:\documents and settings\pbaumann\Application Data\Cyaz
2010-05-21 00:03 . 2008-12-21 13:02 -------- d-----w- c:\documents and settings\pbaumann\Application Data\Kuyhx
2010-05-12 02:30 . 2009-04-15 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-19 13:29 . 2006-08-18 08:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-17 05:17 . 2010-04-17 05:17 6144 ----a-w- c:\documents and settings\All Users\Application Data\iFolder\simias10\1a25e600\9ec5bf89\App_global.asax.agwqrl0n.dll
2010-04-17 05:17 . 2010-04-17 05:17 6656 ----a-w- c:\documents and settings\All Users\Application Data\iFolder\simias10\1a25e600\9ec5bf89\assembly\dl3\ca856094\008d2b08_29c2ca01\SyncService.Web.DLL
2010-04-17 05:17 . 2010-04-17 05:17 54272 ----a-w- c:\documents and settings\All Users\Application Data\iFolder\simias10\1a25e600\9ec5bf89\assembly\dl3\6ed9b65c\00a6bd2a_29c2ca01\Novell.iFolder.Web.DLL
2010-04-17 05:17 . 2010-04-17 05:17 54272 ----a-w- c:\documents and settings\All Users\Application Data\iFolder\simias10\1a25e600\9ec5bf89\assembly\dl3\49544621\008d2b08_29c2ca01\Simias.Web.DLL
2010-04-17 05:17 . 2010-04-17 05:17 541184 ----a-w- c:\documents and settings\All Users\Application Data\iFolder\simias10\1a25e600\9ec5bf89\assembly\dl3\6c5b1d88\008d2b08_29c2ca01\SimiasLib.DLL
2010-04-17 05:17 . 2010-04-17 05:17 49664 ----a-w- c:\documents and settings\All Users\Application Data\iFolder\simias10\1a25e600\9ec5bf89\assembly\dl3\9d4e8389\008d2b08_29c2ca01\Mono.WebServer2.DLL
2010-04-17 05:17 . 2010-04-17 05:17 286720 ----a-w- c:\documents and settings\All Users\Application Data\iFolder\simias10\1a25e600\9ec5bf89\assembly\dl3\a11a69c4\008d2b08_29c2ca01\Mono.Security.DLL
2010-04-17 05:17 . 2010-04-17 05:17 270336 ----a-w- c:\documents and settings\All Users\Application Data\iFolder\simias10\1a25e600\9ec5bf89\assembly\dl3\3db2fc64\004c5b28_29c2ca01\log4net.DLL
2010-04-17 05:17 . 2010-04-17 05:17 20480 ----a-w- c:\documents and settings\All Users\Application Data\iFolder\simias10\1a25e600\9ec5bf89\assembly\dl3\554a9aea\008d2b08_29c2ca01\Simias.POBox.Web.DLL
2010-04-17 05:17 . 2010-04-17 05:17 126464 ----a-w- c:\documents and settings\All Users\Application Data\iFolder\simias10\1a25e600\9ec5bf89\assembly\dl3\9f7dce4c\008d2b08_29c2ca01\SimiasClient.DLL
2010-04-17 05:17 . 2010-04-17 05:13 -------- d-----w- c:\documents and settings\pbaumann\Application Data\iFolder
2010-04-17 05:14 . 2010-04-17 05:14 -------- d-----w- c:\documents and settings\pbaumann\Application Data\simias
2010-04-17 05:09 . 2010-04-17 05:09 -------- d-----w- c:\program files\iFolder3
2010-04-17 05:09 . 2010-04-17 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Simias
2010-04-17 05:07 . 2010-04-17 05:07 -------- d-----w- c:\documents and settings\pbaumann\Application Data\Downloaded Installations
2010-04-10 18:33 . 2010-04-10 18:33 -------- d-----w- c:\documents and settings\pbaumann\Application Data\HpUpdate
2010-04-10 18:33 . 2006-08-18 08:51 -------- d-----w- c:\program files\Hp
2010-04-10 18:33 . 2006-08-18 08:41 -------- d-----w- c:\program files\Hewlett-Packard
2010-04-08 15:00 . 2010-04-08 15:00 -------- d-----w- c:\program files\Citrix
2010-03-10 06:15 . 2004-08-04 08:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2007-02-24 04:11 . 2007-02-24 04:11 22 -csha-w- c:\windows\SMINST\HPCD.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\iFolder0]
@="{AA81D830-3B41-497c-B508-E9D02F8DF421}"
[HKEY_CLASSES_ROOT\CLSID\{AA81D830-3B41-497c-B508-E9D02F8DF421}]
2010-03-12 21:15 94720 ----a-w- c:\program files\iFolder3\iFolderShell.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\iFolder1]
@="{AA81D831-3B41-497c-B508-E9D02F8DF421}"
[HKEY_CLASSES_ROOT\CLSID\{AA81D831-3B41-497c-B508-E9D02F8DF421}]
2010-03-12 21:15 94720 ----a-w- c:\program files\iFolder3\iFolderShell.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-31 122940]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-10 761945]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 454656]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-01-23 802816]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-02-15 892928]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2005-11-08 184320]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-08-14 115560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-2-15 581693]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2007-2-23 184320]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2005-07-25 18:41 40960 ----a-w- c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Novell\\GroupWise\\grpwise.exe"=
"c:\\Novell\\GroupWise\\notify.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 3:00 AM 14336]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/27/2010 8:38 PM 102448]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [11/18/2008 6:17 PM 23888]
S4 MSIX-bf9c3826;MSIX-bf9c3826;c:\windows\system32\bf9c3826.exe --> c:\windows\system32\bf9c3826.exe [?]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASChannel
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: bmnet.dll
DPF: {AB6633A8-60A9-4F5D-B66C-ABE268CC3227} - hxxp://www.solidworks.com/sw/support/subscription/sldimdownload.cab
FF - ProfilePath - c:\documents and settings\pbaumann\Application Data\Mozilla\Firefox\Profiles\tyo79z4q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\pbaumann\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\pbaumann\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-07 08:34
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ????Q??????(?@???????@
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(956)
c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll
c:\program files\HPQ\IAM\Bin\ASChnl.dll
c:\windows\system32\WININET.dll
c:\program files\HPQ\IAM\Bin\ItMsg.dll
- - - - - - - > 'lsass.exe'(1016)
c:\windows\system32\bmnet.dll
- - - - - - - > 'explorer.exe'(3708)
c:\windows\system32\WININET.dll
c:\program files\HPQ\IAM\Bin\SFSShell.dll
c:\program files\HPQ\IAM\bin\ItMsg.dll
c:\program files\iFolder3\iFolderShell.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\iFolder3\iFolderComponent.dll
c:\program files\iFolder3\Novell.iFolder.dll
c:\program files\iFolder3\SimiasClient.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-06-07 08:36:28
ComboFix-quarantined-files.txt 2010-06-07 13:36
Pre-Run: 81,245,204,480 bytes free
Post-Run: 81,199,292,416 bytes free
- - End Of File - - 6FC78C6935BD77F4B103DD0ECDB4381A
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:24 AM, on 6/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Credential Manager for ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1250134744859
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JS...0/&filename=jinstall-6u13-windows-i586-jc.cab
O16 - DPF: {AB6633A8-60A9-4F5D-B66C-ABE268CC3227} (SolidWorks Installation Manager Contol) - http://www.solidworks.com/sw/support/subscription/sldimdownload.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: BrSplService (Brother XP spl Service) - Unknown owner - C:\WINDOWS\system32\brsvc01a.exe (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 9294 bytes
ComboFix 10-06-06.04 - pbaumann 06/07/2010 8:29.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.485 [GMT -5:00]
Running from: c:\documents and settings\pbaumann\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
((((((((((((((((((((((((( Files Created from 2010-05-07 to 2010-06-07 )))))))))))))))))))))))))))))))
.
2010-06-07 04:40 . 2010-06-07 04:40 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-06-07 04:37 . 2010-06-07 04:43 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-07 04:37 . 2010-06-07 04:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-06-07 04:37 . 2010-06-07 04:37 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-06-07 02:37 . 2010-06-07 02:37 16384 ---ha-w- C:\SZKGFS.dat
2010-06-07 02:35 . 2010-06-07 02:35 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-06-07 02:35 . 2010-06-07 02:35 -------- d-----w- c:\program files\Common Files\iS3
2010-06-07 02:35 . 2010-06-07 03:56 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-06-07 02:14 . 2010-06-07 02:14 -------- d-----w- c:\program files\Trend Micro
2010-06-06 15:36 . 2010-06-07 12:14 -------- d-----w- c:\documents and settings\pbaumann\Application Data\SafeReturner
2010-06-06 15:35 . 2010-06-07 12:15 -------- d-----w- c:\program files\Safe Returner
2010-06-03 14:22 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-03 14:22 . 2010-06-03 14:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-03 14:22 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-10 19:45 . 2010-05-10 19:45 -------- d-----w- c:\windows\SolidWorks
2010-05-10 19:45 . 2010-05-10 19:45 -------- d-----w- c:\documents and settings\pbaumann\Application Data\SolidWorks
2010-05-10 19:24 . 2010-05-10 19:25 -------- d-----w- c:\program files\QuickTime
2010-05-10 19:24 . 2010-05-10 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-05-10 19:23 . 2010-05-10 19:23 -------- d-----w- c:\program files\Common Files\Apple
2010-05-10 19:23 . 2010-05-10 19:23 -------- d-----w- c:\documents and settings\pbaumann\Local Settings\Application Data\Apple
2010-05-10 19:23 . 2010-05-10 19:23 -------- d-----w- c:\program files\Apple Software Update
2010-05-10 19:23 . 2010-05-10 19:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-05-10 19:23 . 2010-05-10 19:23 -------- d-----w- c:\documents and settings\pbaumann\Local Settings\Application Data\Apple Computer
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-07 04:04 . 2007-03-05 13:25 -------- d-----w- c:\documents and settings\pbaumann\Application Data\Avvi
2010-06-07 02:44 . 2010-06-07 02:43 1224 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-06-07 02:19 . 2009-04-16 13:21 -------- d-----w- c:\program files\CCleaner
2010-06-06 15:36 . 2009-08-18 20:32 -------- d-----w- c:\documents and settings\pbaumann\Application Data\.oit
2010-06-04 04:52 . 2009-04-24 02:20 -------- d-----w- c:\program files\ARM7
2010-06-03 15:46 . 2010-04-17 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\iFolder
2010-05-21 02:06 . 2010-01-27 20:28 -------- d-----w- c:\documents and settings\pbaumann\Application Data\Cyaz
2010-05-21 00:03 . 2008-12-21 13:02 -------- d-----w- c:\documents and settings\pbaumann\Application Data\Kuyhx
2010-05-12 02:30 . 2009-04-15 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-19 13:29 . 2006-08-18 08:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-17 05:17 . 2010-04-17 05:17 6144 ----a-w- c:\documents and settings\All Users\Application Data\iFolder\simias10\1a25e600\9ec5bf89\App_global.asax.agwqrl0n.dll
2010-04-17 05:17 . 2010-04-17 05:17 6656 ----a-w- c:\documents and settings\All Users\Application Data\iFolder\simias10\1a25e600\9ec5bf89\assembly\dl3\ca856094\008d2b08_29c2ca01\SyncService.Web.DLL
2010-04-17 05:17 . 2010-04-17 05:17 54272 ----a-w- c:\documents and settings\All Users\Application Data\iFolder\simias10\1a25e600\9ec5bf89\assembly\dl3\6ed9b65c\00a6bd2a_29c2ca01\Novell.iFolder.Web.DLL
2010-04-17 05:17 . 2010-04-17 05:17 54272 ----a-w- c:\documents and settings\All Users\Application Data\iFolder\simias10\1a25e600\9ec5bf89\assembly\dl3\49544621\008d2b08_29c2ca01\Simias.Web.DLL
2010-04-17 05:17 . 2010-04-17 05:17 541184 ----a-w- c:\documents and settings\All Users\Application Data\iFolder\simias10\1a25e600\9ec5bf89\assembly\dl3\6c5b1d88\008d2b08_29c2ca01\SimiasLib.DLL
2010-04-17 05:17 . 2010-04-17 05:17 49664 ----a-w- c:\documents and settings\All Users\Application Data\iFolder\simias10\1a25e600\9ec5bf89\assembly\dl3\9d4e8389\008d2b08_29c2ca01\Mono.WebServer2.DLL
2010-04-17 05:17 . 2010-04-17 05:17 286720 ----a-w- c:\documents and settings\All Users\Application Data\iFolder\simias10\1a25e600\9ec5bf89\assembly\dl3\a11a69c4\008d2b08_29c2ca01\Mono.Security.DLL
2010-04-17 05:17 . 2010-04-17 05:17 270336 ----a-w- c:\documents and settings\All Users\Application Data\iFolder\simias10\1a25e600\9ec5bf89\assembly\dl3\3db2fc64\004c5b28_29c2ca01\log4net.DLL
2010-04-17 05:17 . 2010-04-17 05:17 20480 ----a-w- c:\documents and settings\All Users\Application Data\iFolder\simias10\1a25e600\9ec5bf89\assembly\dl3\554a9aea\008d2b08_29c2ca01\Simias.POBox.Web.DLL
2010-04-17 05:17 . 2010-04-17 05:17 126464 ----a-w- c:\documents and settings\All Users\Application Data\iFolder\simias10\1a25e600\9ec5bf89\assembly\dl3\9f7dce4c\008d2b08_29c2ca01\SimiasClient.DLL
2010-04-17 05:17 . 2010-04-17 05:13 -------- d-----w- c:\documents and settings\pbaumann\Application Data\iFolder
2010-04-17 05:14 . 2010-04-17 05:14 -------- d-----w- c:\documents and settings\pbaumann\Application Data\simias
2010-04-17 05:09 . 2010-04-17 05:09 -------- d-----w- c:\program files\iFolder3
2010-04-17 05:09 . 2010-04-17 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Simias
2010-04-17 05:07 . 2010-04-17 05:07 -------- d-----w- c:\documents and settings\pbaumann\Application Data\Downloaded Installations
2010-04-10 18:33 . 2010-04-10 18:33 -------- d-----w- c:\documents and settings\pbaumann\Application Data\HpUpdate
2010-04-10 18:33 . 2006-08-18 08:51 -------- d-----w- c:\program files\Hp
2010-04-10 18:33 . 2006-08-18 08:41 -------- d-----w- c:\program files\Hewlett-Packard
2010-04-08 15:00 . 2010-04-08 15:00 -------- d-----w- c:\program files\Citrix
2010-03-10 06:15 . 2004-08-04 08:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2007-02-24 04:11 . 2007-02-24 04:11 22 -csha-w- c:\windows\SMINST\HPCD.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\iFolder0]
@="{AA81D830-3B41-497c-B508-E9D02F8DF421}"
[HKEY_CLASSES_ROOT\CLSID\{AA81D830-3B41-497c-B508-E9D02F8DF421}]
2010-03-12 21:15 94720 ----a-w- c:\program files\iFolder3\iFolderShell.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\iFolder1]
@="{AA81D831-3B41-497c-B508-E9D02F8DF421}"
[HKEY_CLASSES_ROOT\CLSID\{AA81D831-3B41-497c-B508-E9D02F8DF421}]
2010-03-12 21:15 94720 ----a-w- c:\program files\iFolder3\iFolderShell.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-31 122940]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-10 761945]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 454656]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-01-23 802816]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-02-15 892928]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2005-11-08 184320]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-08-14 115560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-2-15 581693]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2007-2-23 184320]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2005-07-25 18:41 40960 ----a-w- c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Novell\\GroupWise\\grpwise.exe"=
"c:\\Novell\\GroupWise\\notify.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 3:00 AM 14336]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/27/2010 8:38 PM 102448]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [11/18/2008 6:17 PM 23888]
S4 MSIX-bf9c3826;MSIX-bf9c3826;c:\windows\system32\bf9c3826.exe --> c:\windows\system32\bf9c3826.exe [?]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASChannel
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: bmnet.dll
DPF: {AB6633A8-60A9-4F5D-B66C-ABE268CC3227} - hxxp://www.solidworks.com/sw/support/subscription/sldimdownload.cab
FF - ProfilePath - c:\documents and settings\pbaumann\Application Data\Mozilla\Firefox\Profiles\tyo79z4q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\pbaumann\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\pbaumann\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-07 08:34
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ????Q??????(?@???????@
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(956)
c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll
c:\program files\HPQ\IAM\Bin\ASChnl.dll
c:\windows\system32\WININET.dll
c:\program files\HPQ\IAM\Bin\ItMsg.dll
- - - - - - - > 'lsass.exe'(1016)
c:\windows\system32\bmnet.dll
- - - - - - - > 'explorer.exe'(3708)
c:\windows\system32\WININET.dll
c:\program files\HPQ\IAM\Bin\SFSShell.dll
c:\program files\HPQ\IAM\bin\ItMsg.dll
c:\program files\iFolder3\iFolderShell.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\iFolder3\iFolderComponent.dll
c:\program files\iFolder3\Novell.iFolder.dll
c:\program files\iFolder3\SimiasClient.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-06-07 08:36:28
ComboFix-quarantined-files.txt 2010-06-07 13:36
Pre-Run: 81,245,204,480 bytes free
Post-Run: 81,199,292,416 bytes free
- - End Of File - - 6FC78C6935BD77F4B103DD0ECDB4381A
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:24 AM, on 6/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Credential Manager for ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1250134744859
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JS...0/&filename=jinstall-6u13-windows-i586-jc.cab
O16 - DPF: {AB6633A8-60A9-4F5D-B66C-ABE268CC3227} (SolidWorks Installation Manager Contol) - http://www.solidworks.com/sw/support/subscription/sldimdownload.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: BrSplService (Brother XP spl Service) - Unknown owner - C:\WINDOWS\system32\brsvc01a.exe (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 9294 bytes