Here is my ComboFix log
ComboFix 09-11-03.01 - Emery Cauble 11/03/2009 15:53.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3583.2648 [GMT -6:00]
Running from: c:\documents and settings\Emery Cauble\Desktop\ComboFix.exe
AV: Sunbelt VIPRE *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
FW: Sunbelt Personal Firewall *disabled* {82B1150E-9B37-49FC-83EB-D52197D900D0}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\S-1-5-21-3028066344-4032122234-2429014814-1005
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\Data
.
((((((((((((((((((((((((( Files Created from 2009-10-03 to 2009-11-03 )))))))))))))))))))))))))))))))
.
2009-11-02 19:14 . 2009-11-02 19:14 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Apple Computer
2009-10-31 00:20 . 2009-11-03 00:24 -------- d-----w- c:\program files\iTunes
2009-10-26 16:58 . 2009-10-26 16:58 -------- d-----w- c:\documents and settings\Emery Cauble\Application Data\WinPatrol
2009-10-26 16:58 . 2009-10-26 16:58 -------- d-----w- c:\program files\BillP Studios
2009-10-21 13:52 . 2009-11-03 14:58 -------- d-----w- c:\documents and settings\Emery Cauble\Application Data\Dropbox
2009-10-14 23:14 . 2009-10-14 23:14 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2009-10-14 13:29 . 2009-09-06 07:09 126976 -c----w- c:\windows\system32\dllcache\ftpsvc2.dll
2009-10-08 13:18 . 2009-10-08 13:18 -------- d-----w- c:\program files\Microsoft
2009-10-07 14:44 . 2009-11-03 00:26 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
2009-10-07 14:43 . 2009-10-07 14:44 -------- d-----w- c:\program files\PCPitstop
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-03 21:37 . 2007-01-30 23:35 4338 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-11-03 00:21 . 2007-04-06 18:31 -------- d-----w- c:\program files\Apple Software Update
2009-11-03 00:06 . 2008-01-16 18:53 16 ----a-w- c:\windows\popcinfo.dat
2009-11-02 19:18 . 2009-11-02 19:18 -------- d-----w- c:\documents and settings\ipod\Application Data\Logitech
2009-11-02 19:18 . 2009-11-02 19:18 -------- d-----w- c:\documents and settings\ipod\Application Data\Sunbelt
2009-11-02 19:14 . 2009-11-02 19:14 -------- d-----w- c:\documents and settings\Guest\Application Data\Logitech
2009-11-02 19:14 . 2009-11-02 19:14 -------- d-----w- c:\documents and settings\Guest\Application Data\Sunbelt
2009-10-29 22:31 . 2007-01-16 20:52 261856 ----a-w- c:\documents and settings\Emery Cauble\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-29 21:20 . 2007-01-18 18:50 -------- d-----w- c:\documents and settings\Emery Cauble\Application Data\AdobeUM
2009-10-14 23:14 . 2009-09-03 12:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-14 23:13 . 2007-01-30 23:27 -------- d-----w- c:\program files\Microsoft Works
2009-10-14 14:40 . 2009-09-01 22:19 -------- d-----w- c:\documents and settings\Emery Cauble\Application Data\HpUpdate
2009-10-07 20:21 . 2009-04-28 15:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-07 15:08 . 2008-01-16 18:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-07 15:05 . 2007-10-31 21:27 -------- d-----w- c:\program files\SpywareBlaster
2009-10-05 14:44 . 2007-10-22 18:00 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-28 22:44 . 2008-06-27 19:25 -------- d-----w- c:\documents and settings\Emery Cauble\Application Data\uTorrent
2009-09-11 14:33 . 2007-04-06 18:32 -------- d-----w- c:\documents and settings\Emery Cauble\Application Data\Apple Computer
2009-09-11 14:31 . 2009-09-11 14:30 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-11 14:28 . 2009-09-11 14:28 -------- d-----w- c:\program files\QuickTime
2009-09-11 14:18 . 2004-10-08 12:01 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2009-04-28 15:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-04-28 15:24 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 11:59 . 2008-05-10 16:52 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-09 13:11 . 2007-05-16 23:20 -------- d-----w- c:\program files\Common Files\Real
2009-09-09 13:11 . 2009-09-09 13:11 -------- d-----w- c:\program files\Common Files\xing shared
2009-09-09 13:10 . 2007-05-16 23:20 -------- d-----w- c:\program files\Real
2009-09-07 19:02 . 2009-09-07 19:02 27944 ----a-w- c:\windows\system32\sbbd.exe
2009-09-04 22:19 . 2009-09-04 22:19 -------- d--h--r- c:\documents and settings\Emery Cauble\Application Data\SecuROM
2009-09-04 22:19 . 2009-09-04 22:19 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-09-04 21:03 . 2004-10-08 12:01 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-10-08 12:01 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 06:58 . 2009-08-27 06:58 315392 ----a-w- c:\windows\HideWin.exe
2009-08-26 08:00 . 2004-10-08 12:01 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 20:53 . 2009-08-25 20:49 155866 ----a-w- c:\windows\hpqins00.dat
2009-08-18 04:33 . 2009-08-18 04:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-17 17:44 . 2009-08-17 17:28 150326 ----a-w- c:\windows\hpwins05.dat
2009-08-11 01:06 . 2009-09-14 12:51 69936 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2007-01-23 17:20 . 2007-01-23 17:20 65 ----a-w- c:\program files\Common Files\appop.log
2002-07-26 23:02 . 2007-01-18 21:30 153088 ----a-w- c:\program files\UNWISE.EXE
2006-01-31 15:21 . 2006-01-31 15:21 40960 ----a-w- c:\program files\mozilla firefox\plugins\formback.dll
2006-01-31 15:21 . 2006-01-31 15:21 53248 ----a-w- c:\program files\mozilla firefox\plugins\formcal.dll
2006-01-31 15:21 . 2006-01-31 15:21 86016 ----a-w- c:\program files\mozilla firefox\plugins\formclok.dll
2006-01-31 15:21 . 2006-01-31 15:21 65536 ----a-w- c:\program files\mozilla firefox\plugins\formfade.dll
2006-01-31 15:21 . 2006-01-31 15:21 77824 ----a-w- c:\program files\mozilla firefox\plugins\formfile.dll
2006-01-31 15:22 . 2006-01-31 15:22 143360 ----a-w- c:\program files\mozilla firefox\plugins\formflds.dll
2006-01-31 15:22 . 2006-01-31 15:22 53248 ----a-w- c:\program files\mozilla firefox\plugins\formgif.dll
2006-01-31 15:22 . 2006-01-31 15:22 167936 ----a-w- c:\program files\mozilla firefox\plugins\formgrid.dll
2006-01-31 15:22 . 2006-01-31 15:22 45056 ----a-w- c:\program files\mozilla firefox\plugins\formhpic.dll
2006-01-31 15:22 . 2006-01-31 15:22 57344 ----a-w- c:\program files\mozilla firefox\plugins\formicon.dll
2006-01-31 15:23 . 2006-01-31 15:23 53248 ----a-w- c:\program files\mozilla firefox\plugins\forminfo.dll
2006-01-31 15:23 . 2006-01-31 15:23 147456 ----a-w- c:\program files\mozilla firefox\plugins\formjpeg.dll
2006-01-31 15:23 . 2006-01-31 15:23 49152 ----a-w- c:\program files\mozilla firefox\plugins\formlink.dll
2006-01-31 15:23 . 2006-01-31 15:23 45056 ----a-w- c:\program files\mozilla firefox\plugins\formmarq.dll
2006-01-31 15:24 . 2006-01-31 15:24 143360 ----a-w- c:\program files\mozilla firefox\plugins\formmask.dll
2006-01-31 15:24 . 2006-01-31 15:24 61440 ----a-w- c:\program files\mozilla firefox\plugins\formport.dll
2006-01-31 15:24 . 2006-01-31 15:24 106496 ----a-w- c:\program files\mozilla firefox\plugins\formpri.dll
2006-01-31 15:24 . 2006-01-31 15:24 49152 ----a-w- c:\program files\mozilla firefox\plugins\formprog.dll
2006-01-31 15:24 . 2006-01-31 15:24 77824 ----a-w- c:\program files\mozilla firefox\plugins\formqt3.dll
2006-01-31 15:24 . 2006-01-31 15:24 49152 ----a-w- c:\program files\mozilla firefox\plugins\formroll.dll
2006-01-31 15:24 . 2006-01-31 15:24 45056 ----a-w- c:\program files\mozilla firefox\plugins\formsbar.dll
2006-01-31 15:24 . 2006-01-31 15:24 53248 ----a-w- c:\program files\mozilla firefox\plugins\formslid.dll
2006-01-31 15:25 . 2006-01-31 15:25 65536 ----a-w- c:\program files\mozilla firefox\plugins\formtbar.dll
2006-01-31 15:25 . 2006-01-31 15:25 36864 ----a-w- c:\program files\mozilla firefox\plugins\formtile.dll
2006-01-31 15:25 . 2006-01-31 15:25 45056 ----a-w- c:\program files\mozilla firefox\plugins\formtime.dll
2006-01-31 15:25 . 2006-01-31 15:25 40960 ----a-w- c:\program files\mozilla firefox\plugins\formtran.dll
2006-01-31 15:25 . 2006-01-31 15:25 77824 ----a-w- c:\program files\mozilla firefox\plugins\formtree.dll
2006-01-31 15:25 . 2006-01-31 15:25 45056 ----a-w- c:\program files\mozilla firefox\plugins\formwash.dll
2005-10-05 19:03 . 2005-10-05 19:03 122880 ----a-w- c:\program files\mozilla firefox\plugins\orfc.dll
2006-01-31 15:28 . 2006-01-31 15:28 200704 ----a-w- c:\program files\mozilla firefox\plugins\orfcexec.dll
2006-01-31 15:20 . 2006-01-31 15:20 245760 ----a-w- c:\program files\mozilla firefox\plugins\orfcgui.dll
2006-01-31 15:21 . 2006-01-31 15:21 249856 ----a-w- c:\program files\mozilla firefox\plugins\orfcmain.dll
2007-12-14 18:44 . 2007-12-14 18:41 24 --sh--w- c:\windows\S02366AB7.tmp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\documents and settings\Emery Cauble\Application Data\Dropbox\bin\DropboxExt.3.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\documents and settings\Emery Cauble\Application Data\Dropbox\bin\DropboxExt.3.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\documents and settings\Emery Cauble\Application Data\Dropbox\bin\DropboxExt.3.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-19 1421824]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2003-11-10 406016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2009-09-07 959784]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2005-05-03 64512]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-12-19 76304]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-09-18 1657376]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
c:\documents and settings\Emery Cauble\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Emery Cauble\Application Data\Dropbox\bin\Dropbox.exe [2009-10-8 26805255]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-2-2 809488]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-02-19 05:30 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 01:35 87352 ----a-w- c:\windows\system32\LMIinit.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Emery Cauble^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Emery Cauble\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\wwrip62\\wwrip.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
R0 ivicd;Ivi CDVD Filter Driver;c:\windows\system32\drivers\ivicd.sys [1/23/2007 11:20 AM 38784]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [9/14/2009 6:50 AM 13360]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [6/4/2009 8:35 AM 270888]
R1 sbhips;Sunbelt HIPS Driver;c:\windows\system32\drivers\sbhips.sys [6/21/2008 3:54 AM 66600]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [5/28/2009 6:46 PM 202928]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [6/23/2009 10:23 AM 47640]
R2 PPNT;PPNT;c:\windows\system32\drivers\ppnt.sys [3/14/2002 1:53 PM 13824]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [9/14/2009 6:51 AM 69936]
R2 SbPF.Launcher;SbPF.Launcher;c:\program files\Sunbelt Software\Personal Firewall\SbPFLnch.exe [10/31/2008 6:24 AM 95528]
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [7/11/2008 12:02 AM 328992]
R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\Sunbelt Software\Personal Firewall\SbPFSvc.exe [10/31/2008 6:24 AM 1365288]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [8/26/2009 3:52 PM 38912]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [6/4/2009 8:35 AM 65576]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2/14/2008 10:36 AM 222976]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [9/7/2009 1:02 PM 1012040]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 .nmkaelm;.nmkaelm; [x]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2/12/2008 1:04 PM 13352]
S3 Gpcltfenwp;Gpcltfenwp; [x]
S3 Ineciarmm;Ineciarmm; [x]
S3 iviudf;iviudf;c:\windows\system32\drivers\IviUdf.sys --> c:\windows\system32\drivers\IviUdf.sys [?]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [8/5/2009 2:58 PM 93872]
S3 Scdptterskst;Scdptterskst; [x]
S3 TechStyler;OYO TechStyler 1400;c:\windows\system32\drivers\oyostylr.sys [9/24/2004 4:41 PM 7296]
S3 Xmlpbrt;Xmlpbrt; [x]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - MBR
*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - pgfilter
*Deregistered* - PROCEXP113
*Deregistered* - udffsrec
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2009-11-03 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {CDF8B7CC-62B7-4A46-B5B2-4A56DEB9D460} = 66.90.133.117,66.90.130.117
TCP: {F24AB622-8672-4971-9DB2-ED12480E467B} = 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {6F0C8A85-8B0D-11D2-801B-00105AA78F4A} - hxxp://ecare4e.netopia.com/oyogeospace/ecare4/components/CobAgent_4.2.1.316.cab
DPF: {7873B468-E762-4143-83E6-7258CB6B5D9D} - hxxp://ecare4e.netopia.com/oyogeospace/ecare4/components/ECareAgent.cab
DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} - hxxp://utilities.pcpitstop.com/Nirvana/controls/DiskMD3Ctrl.dll
DPF: {A553720A-BFED-4EA4-A71F-7EFCA690A1F7} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcpitstopAntiVirus.dll
DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} - hxxp://64.207.56.124:81/xplugDL.cab
FF - ProfilePath - c:\documents and settings\Emery Cauble\Application Data\Mozilla\Firefox\Profiles\dxuzsik0.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\Mozilla Firefox\plugins\np_orfc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe
AddRemove-Lotus Notes 5.0 Connector - c:\program files\Common Files\PUMATECH Shared\Connectors\SDK27\Lotus Notes 5.0 Connector\LN5Uninstall
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-11-03 16:01
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer,
http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sptd.sys >>UNKNOWN [0x8B5D47B8]<<
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer,
http://www.gmer.net
atapi.sys @ 0x0 0x0 bytes
\Driver\atapi [ IRP_MJ_CREATE ] 0xA6F2 != 0xBA622B40 atapi.sys
\Driver\atapi [ IRP_MJ_CLOSE ] 0xA6F2 != 0xBA622B40 atapi.sys
\Driver\atapi [ IRP_MJ_DEVICE_CONTROL ] 0xA712 != 0xBA622B40 atapi.sys
\Driver\atapi [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x6852 != 0xBA622B40 atapi.sys
\Driver\atapi [ IRP_MJ_POWER ] 0xA73C != 0xBA622B40 atapi.sys
\Driver\atapi [ IRP_MJ_SYSTEM_CONTROL ] 0x11336 != 0xBA622B40 atapi.sys
\Driver\atapi IRP hooks detected !
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{17DE1F14-B3E4-1035-F057BA15C83B1D27}\{8EADAA70-8C9A-100D-77D42F75FD081297}\{52159879-7142-2CA4-73B8A923B4C8F27A}*]
"SE4K5INHHR1EDZYY15BVZC6TKG1"=hex:01,00,01,00,00,00,00,00,7e,c3,c3,8e,86,b4,21,
5e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{484F515E-F5F4-CAE2-00797FFBC1B1DB0A}\{B5BB857C-6143-5E3C-4B14653578135B7A}\{14E971F7-0C0F-F2F4-35B0BAA5D2098273}*]
"SE4K5INHHR1EDZYY15BVZC6TKG1"=hex:01,00,01,00,00,00,00,00,7e,c3,c3,8e,86,b4,21,
5e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7FA7DB51-4296-4DCE-E915E900AF1A706F}\{6ECD6E35-CD02-B6E7-116E97829ECA1B77}\{2BCFFA55-7302-F76B-60625DCE35F7A6E2}*]
"SE4K5INHHR1EDZYY15BVZC6TKG1"=hex:01,00,01,00,00,00,00,00,7e,c3,c3,8e,86,b4,21,
5e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A54AE6D9-1146-03FB-2857897F111C6A4F}\{DD8CECF2-78C0-CF9A-49F4FAE856227A78}\{638B8461-7EC5-D2C3-C076811FCCFACE61}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,7c,22,63,
c2,ca,ed,d4,14,01,80,a3,4c,01,a1,2e,4a,02,91,27,a1,87,1e,2b,9e,fd,6a,42,cf,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AF786902-5081-2756-12E9AFF5FE8C5591}\{5B784720-FD2D-0193-B8CD4993A91EC92D}\{3AAAA277-B786-78CA-52C7468A0DB889F6}*]
"1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B3A3A58F-967E-A40A-C7DDFB524B0CDFB3}\{B28E8422-363F-1C4B-CC056478281B7FCE}\{569EFB20-10B3-C9F5-895B6A19B8852344}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,7c,22,63,
c2,ca,ed,d4,14,01,80,a3,4c,01,a1,2e,4a,02,91,27,a1,87,1e,2b,9e,fd,6a,42,cf,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{CD33F05B-57D8-EB8D-1C637C8E18479BDE}\{4B66B287-DF55-8BF6-0C7A245C073DF874}\{2B094E66-D192-13E4-CB3BD0799FCAC2FC}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,7c,22,63,
c2,ca,ed,d4,14,01,80,a3,4c,01,a1,2e,4a,02,91,27,a1,87,1e,2b,9e,fd,6a,42,cf,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DCB42C02-2C7E-50EC-E2B5A792F7765BFB}\{38286259-1A12-EDE0-84E2CD6A1D76E8F7}\{2C2658AF-F73E-73C6-89D45D0D6FCCCFF2}*]
"1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EEC79885-4786-49D7-ED36B6E7637E50FF}\{25B171C9-78C7-18E7-FBBA7E6592C7CB70}\{6B8ADD0A-85A7-C5B5-191A2895BD30C6E1}*]
"1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1232)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\windows\system32\LMIinit.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\wbem\fastprox.dll
- - - - - - - > 'lsass.exe'(1288)
c:\windows\system32\relog_ap.dll
.
Completion time: 2009-11-03 16:04
ComboFix-quarantined-files.txt 2009-11-03 22:04
ComboFix2.txt 2009-06-24 19:52
Pre-Run: 800,011,792,384 bytes free
Post-Run: 800,320,339,968 bytes free
Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
Here is the new HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:18:10, on 11/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\Program Files\JCW Software LLC\FastManager\FastManager.exe
C:\Program Files\Corel\CorelDRAW Graphics Suite 13\Programs\CorelDRW.exe
C:\WWRIP62\wwrip.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\Emery Cauble\Application Data\Dropbox\bin\Dropbox.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcp...s/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {6F0C8A85-8B0D-11D2-801B-00105AA78F4A} - http://ecare4e.netop...t_4.2.1.316.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {7873B468-E762-4143-83E6-7258CB6B5D9D} - http://ecare4e.netop.../ECareAgent.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} (diskhealth Class) - http://utilities.pcp...DiskMD3Ctrl.dll
O16 - DPF: {A553720A-BFED-4EA4-A71F-7EFCA690A1F7} (PCPitstop AntiVirus) - http://utilities.pcp...opAntiVirus.dll
O16 - DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} - http://64.207.56.124:81/xplugDL.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinn.../familyfeud.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcp.../pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDF8B7CC-62B7-4A46-B5B2-4A56DEB9D460}: NameServer = 66.90.133.117,66.90.130.117
O17 - HKLM\System\CCS\Services\Tcpip\..\{F24AB622-8672-4971-9DB2-ED12480E467B}: NameServer = 192.168.1.1
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
--
End of file - 9496 bytes
The computer is still acting sluggish... very slow reboot, startup and shutdown. Some web pages won't act correctly or load at all.
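A triage script for logs like the two above, added here as an example; it is not part of the original post and not code from ComboFix, HijackThis or Gmer. It encodes the handful of line patterns a responder would pull out of this log by hand: protection switched off (the AV/FW header lines and EnableFirewall=0), services registered with no image file on disk (the [x] entries), an ActiveX package fetched from a bare IP address (the DPF entry on 64.207.56.124:81), and the Gmer MBR-tool lines reporting an unknown module in the disk call chain and hooked IRP dispatch entries on \Driver\atapi. The severities, category names and verdict ranking are this example's own choices, not anything the tools define; the sample lines are copied from the posted log; and the rules accept both ComboFix's hxxp defanging and HijackThis's O16 prefix, which goes beyond the single ComboFix log shown.

```python
"""Triage a pasted ComboFix / HijackThis log for the indicators worth acting on first.

Added example, not part of the forum post or of the tools themselves. The rules are
this author's reading of the line formats visible in the posted log, not an official parser.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: lines copied from the posted log so the script runs offline.
SAMPLE_LOG = r"""
AV: Sunbelt VIPRE *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
FW: Sunbelt Personal Firewall *disabled* {82B1150E-9B37-49FC-83EB-D52197D900D0}
"EnableFirewall"= 0 (0x0)
S3 .nmkaelm;.nmkaelm; [x]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2/12/2008 1:04 PM 13352]
S3 Gpcltfenwp;Gpcltfenwp; [x]
DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} - hxxp://utilities.pcpitstop.com/Nirvana/controls/DiskMD3Ctrl.dll
DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} - hxxp://64.207.56.124:81/xplugDL.cab
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sptd.sys >>UNKNOWN [0x8B5D47B8]<<
\Driver\atapi [ IRP_MJ_CREATE ] 0xA6F2 != 0xBA622B40 atapi.sys
\Driver\atapi [ IRP_MJ_CLOSE ] 0xA6F2 != 0xBA622B40 atapi.sys
\Driver\atapi IRP hooks detected !
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium" (this example's own scale)
    category: str
    detail: str
    line: str


# (severity, category, pattern, detail template). {1}.. are regex groups; first match per line wins.
# ComboFix defangs URLs as hxxp://, HijackThis keeps http:// and prefixes "O16 - ", so accept both.
RULES = [
    ("high", "irp_hook",
     re.compile(r"^\\Driver\\(\S+) \[ (IRP_MJ_\w+) \] (0x[0-9A-Fa-f]+) != (0x[0-9A-Fa-f]+)"),
     "IRP dispatch mismatch on \\Driver\\{1} {2}: {3} != {4}"),
    ("high", "irp_hook",
     re.compile(r"^\\Driver\\(\S+) IRP hooks detected"),
     "Gmer reports hooked IRP dispatch entries on \\Driver\\{1}"),
    ("high", "unknown_module",
     re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<"),
     "unnamed module at {1} in the disk I/O call chain"),
    ("high", "activex_bare_ip",
     re.compile(r"^(?:O16 - )?DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? - h(?:xx|tt)ps?://"
                r"(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/(\S*)"),
     "ActiveX package {2} downloaded from bare IP {1}"),
    ("medium", "protection_disabled",
     re.compile(r"^(AV|FW): (.+?) \*([^*]*disabled[^*]*)\*", re.IGNORECASE),
     "{1} {2}: {3}"),
    ("medium", "protection_disabled",
     re.compile(r'^"EnableFirewall"=\s*0\b'),
     "Windows Firewall standard profile is off"),
    ("medium", "service_no_image",
     re.compile(r"^[RS][0-4]\s+([^;]+);[^;]*;\s*\[x\]$"),
     "service {1} registered with no image file on disk"),
]


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per matching line; the first matching rule wins."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for severity, category, pattern, template in RULES:
            m = pattern.search(line)
            if m:
                detail = template.format(*((m.group(0),) + m.groups()))
                findings.append(Finding(severity, category, detail, line))
                break
    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


def verdict(findings: List[Finding]) -> str:
    """Kernel-level hits outrank everything else: a hooked disk driver can filter what
    every user-mode tool in the log saw, so the rest of the log is not evidence of absence."""
    categories = {f.category for f in findings}
    if categories & {"irp_hook", "unknown_module"}:
        return "kernel"
    if any(f.severity == "high" for f in findings):
        return "suspicious"
    if findings:
        return "hygiene"
    return "clean"


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.category:20} {f.detail}")
    print("verdict:", verdict(results), severity_counts(results))
```

Run it as a script to list the findings for the embedded sample, or pass the text of a saved log to triage(). The verdict deliberately lets the kernel-level categories win: once the disk driver's dispatch table is hooked, the file listings and registry dumps the rest of the log was built from may themselves have been filtered, so a clean catchme result ("hidden files: 0") no longer settles anything on its own.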