Dad accidentally installed something. [F]

Status
Not open for further replies.

Redmo0n (Techalicious, 1,566 messages, Perth, Australia)
My dad clicked a virus warning popup because he thought it was AVG or something.

He got his friend to come over and he removed most of it, but it still remains, since some programs like AVG, Skype and Firefox were missing/uninstalled and wouldn't work. I then tried to re-download and install Firefox, but it said the process was already running even though it wasn't; I even restarted the computer and it still won't run.

I already ran ComboFix and HijackThis (ComboFix removed 3 files and I removed some redirect pages in HijackThis), and after running ComboFix a few files reappeared on the desktop (Steam, CCleaner and another game), so there must be something wrong still. I also disabled all the startup processes, and there isn't anything I can't access (msconfig and Task Manager work).

I can't understand what is still plaguing the computer; here are a ComboFix and a HijackThis log. (The ComboFix log doesn't show the removed files, since I also ran it in safe mode a second time with no additional files removed.)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:58:21 PM, on 17/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - c:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4293 bytes

##################################################

ComboFix 08-07-15.4 - HP_Administrator 2008-07-17 17:26:03.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.831 [GMT 8:00]
Running from: C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-06-17 to 2008-07-17 )))))))))))))))))))))))))))))))
.

2008-07-17 17:22 . 2008-07-17 17:22 <DIR> d-------- C:\WINDOWS\LastGood
2008-07-17 17:06 . 2008-07-17 17:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-13 12:56 . 2006-05-01 12:00 161,792 --a------ C:\WINDOWS\system32\CNMLM86.DLL
2008-07-13 12:42 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-07-13 12:42 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys
2008-07-13 12:40 . 2008-06-13 21:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-07-13 12:40 . 2008-06-13 21:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-13 12:06 . 2008-07-13 12:06 <DIR> d---s---- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\UserData
2008-07-13 11:43 . 2008-07-13 11:43 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Application Data\Leadertech
2008-07-13 11:43 . 2008-07-13 11:43 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Application Data\Lavasoft
2008-07-13 11:43 . 2008-07-13 11:43 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Application Data\ICAClient
2008-07-13 11:43 . 2008-07-13 11:43 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Application Data\HPQ
2008-07-13 11:43 . 2008-07-13 11:43 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Application Data\funkitron
2008-07-13 11:43 . 2008-07-13 11:43 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Application Data\DMCache
2008-07-13 11:43 . 2008-07-13 11:43 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Application Data\CyberLink
2008-07-13 11:43 . 2008-07-13 11:43 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Application Data\Aventail
2008-07-13 11:43 . 2008-07-13 11:43 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Application Data\Apple Computer
2008-07-13 11:43 . 2008-07-13 11:43 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Application Data\AdobeUM
2008-07-13 11:42 . 2008-07-13 11:42 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Application Data\WinBatch
2008-07-13 11:42 . 2008-07-13 11:42 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Application Data\Uniblue
2008-07-13 11:42 . 2008-07-13 11:42 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Application Data\skypePM
2008-07-13 11:42 . 2008-07-13 11:42 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Application Data\Skype
2008-07-13 11:42 . 2008-07-13 11:42 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Application Data\MSNInstaller
2008-07-13 11:41 . 2008-07-13 11:41 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Shared
2008-07-13 11:32 . 2008-07-13 11:32 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-07-13 11:32 . 2008-07-13 11:32 917,504 --a------ C:\WINDOWS\system32\FLASH.OCX
2008-07-13 11:25 . 2008-07-13 11:26 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Contacts
2008-07-13 11:25 . 2008-07-13 11:25 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Citrix
2008-07-13 11:25 . 2008-07-13 11:25 <DIR> d-------- C:\Backup
2008-07-13 11:25 . 2006-12-02 13:17 24,192 --a------ C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\usbsermptxp.sys
2008-07-13 09:02 . 2008-07-13 09:02 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-13 03:05 . 2008-07-17 17:22 <DIR> dr-hs---- C:\WINDOWS\system32\dllcache
2008-07-12 10:32 . 2008-07-12 10:32 1,921 -rahs---- C:\WINDOWS\system32\drivers\103C_HP_CPC_RC624AA-ABG m7585a_YC_0Pavi_QAUD642_E64APemMPA2_48_IBasswood_SASUSTek Computer INC._V1.05_B3.08_T060918_WXP2_L409_M1023_J250_7Intel_8Core2 6300_91.87_#061111_N168C001B_Z_G10DE0392.MRK
2008-07-12 10:29 . 2006-09-12 01:48 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\WINDOWS
2008-07-12 10:29 . 2008-07-17 17:17 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC
2008-07-12 10:27 . 2006-09-12 01:48 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS
2008-07-12 10:27 . 2006-09-12 02:13 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec
2008-07-12 10:25 . 2004-08-03 21:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-07-12 10:25 . 2004-08-03 22:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-07-12 10:25 . 2004-08-03 20:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-07-12 10:25 . 2001-08-17 11:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-07-12 10:25 . 2001-08-17 12:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-07-11 21:36 . 2008-07-11 21:36 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\TmpRecentIcons
2008-07-07 17:20 . 2008-07-09 18:11 <DIR> d-------- C:\etax2008
2008-06-17 19:03 . 2008-07-12 08:14 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\skypePM
2008-06-17 18:11 . 2008-06-17 18:11 <DIR> d-------- C:\Program Files\Skype
2008-06-17 18:11 . 2008-06-17 18:11 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-06-17 18:11 . 2008-07-12 11:23 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Skype
2008-06-17 18:11 . 2008-06-17 18:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-17 09:14 --------- d-----w C:\Program Files\Steam
2008-07-13 04:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-07-13 04:06 --------- d-----w C:\Program Files\Google
2008-07-13 01:02 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-13 01:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-15 07:47 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-17 10:46 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2006-12-02 05:17 24,192 ----a-w C:\Documents and Settings\HP_Administrator\usbsermptxp.sys
2006-12-02 05:17 22,768 ----a-w C:\Documents and Settings\HP_Administrator\usbsermpt.sys
2004-05-13 22:34 999,424 ----a-w C:\Program Files\vorbisfile.dll
2004-05-13 22:34 53,248 ----a-w C:\Program Files\ogg.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-17_17.10.24.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-10 04:00:00 819,200 ----a-w C:\WINDOWS\system32\dllcache\setup_wm.exe
+ 2006-10-02 05:30:10 819,200 ----a-w C:\WINDOWS\system32\dllcache\setup_wm.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates From HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates From HP.lnk
backup=C:\WINDOWS\pss\Updates From HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
--a------ 2006-04-13 07:05 90112 c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 18:56 64512 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-17 04:11 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
--a------ 2006-02-15 20:34 249856 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2006-07-06 12:15 151552 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-10 12:00 208952 C:\WINDOWS\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
--a------ 2005-09-27 15:34 169984 C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-14 07:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-10 12:00 59392 C:\WINDOWS\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-06-21 08:06 7622656 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-10 12:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-10 12:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2005-07-22 20:14 237568 C:\WINDOWS\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2004-12-14 00:23 663552 C:\WINDOWS\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-07-13 12:06 171448 C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ftutil2]
--a------ 2004-06-07 12:05 106496 C:\WINDOWS\system32\ftutil2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-06-21 08:06 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-07-22 07:56 16261632 C:\WINDOWS\RTHDCPL.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

S3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2006-04-12 11:36]
S3 WN5301;LIteon Wireless PCI Network Adapter Service;C:\WINDOWS\system32\DRIVERS\wn5301.sys [2005-10-06 01:44]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-17 17:28:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-17 17:28:32
ComboFix-quarantined-files.txt 2008-07-17 09:28:28
ComboFix2.txt 2008-07-17 09:10:32

Pre-Run: 191,042,727,936 bytes free
Post-Run: 191,028,563,968 bytes free

150 --- E O F --- 2008-07-17 09:22:23
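Reading the HijackThis log by eye, as the thread does, scales badly. What follows is an added example, not code from the thread, from HijackThis or from ComboFix, of the first-pass triage a responder would script over the R/O lines of such a log: it flags entries that launch from outside C:\WINDOWS and Program Files, that run from a temp or profile directory, that reuse the name of a core Windows binary outside C:\WINDOWS, that run as a service with no vendor name ("Unknown owner"), or that rewrite the hosts file. The benign sample lines are copied from the log above; the three suspicious lines are constructed to resemble typical rogue-antivirus residue and do not come from this machine. The rule set, the trusted-root list and the extra `C:\hp` OEM root are assumptions, and a hit only says where to look next, not that the entry is malicious.

```python
"""Heuristic triage of HijackThis-style log lines (added example).

The benign SAMPLE_LOG lines are copied from the thread's log; the lines marked
"constructed" are invented to look like rogue-AV residue.  Rules and trusted
roots are assumptions, not HijackThis behaviour.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

# "O4 - HKLM\..\Run: [name] path", "O23 - Service: ...", "R1 - ..." and so on.
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# First drive-letter path that ends in an executable-ish extension.  The lazy
# ".*?" stops at the first such extension, so ",NvStartup" style tails and
# "(User 'Default user')" suffixes are not swallowed.
PATH_RE = re.compile(
    r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|ocx|cpl|scr|bat|cmd|vbs|pif)(?=[\s,\"']|$)",
    re.IGNORECASE,
)
# O23 body: "Service: <display name> (<short>) - <company> - <path>"
SERVICE_RE = re.compile(r"^Service: .*? - (?P<company>.*?) - (?P<path>.*)$")

# Core Windows binaries whose names malware likes to borrow; one of these
# living outside C:\WINDOWS is worth a look every time.
CORE_NAMES = {"svchost.exe", "lsass.exe", "winlogon.exe", "services.exe",
              "csrss.exe", "explorer.exe", "smss.exe", "spoolsv.exe"}
# Directories a properly installed program would not normally launch from.
TRANSIENT_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\",
                  "\\recycler\\")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def extract_path(body: str) -> Optional[str]:
    m = PATH_RE.search(body)
    return m.group(0) if m else None


def triage_line(line: str, trusted_roots: Sequence[str]) -> List[Finding]:
    """Return zero or more findings for a single HijackThis log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    findings: List[Finding] = []

    if section == "O1":
        # A hosts-file entry on a home PC is rare, and rogue AV commonly uses
        # them to block security vendors' sites; always surface them.
        findings.append(Finding(section, "hosts file redirect", line))
        return findings

    if section == "O23":
        sm = SERVICE_RE.match(body)
        if sm and sm.group("company").strip().lower() == "unknown owner":
            findings.append(Finding(section, "service with no vendor name", line))

    path = extract_path(body)
    if path is None:
        return findings
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]

    roots = tuple(r.lower().rstrip("\\") + "\\" for r in trusted_roots)
    if not low.startswith(roots):
        findings.append(Finding(section, f"path outside trusted roots: {path}", line))
    if any(d in low for d in TRANSIENT_DIRS):
        findings.append(Finding(section, f"runs from a temp/profile directory: {path}", line))
    if name in CORE_NAMES and not low.startswith("c:\\windows\\"):
        findings.append(Finding(section, f"core Windows binary name outside C:\\WINDOWS: {name}", line))
    return findings


def triage(lines: Sequence[str],
           trusted_roots: Sequence[str] = ("C:\\WINDOWS", "C:\\Program Files")) -> List[Finding]:
    out: List[Finding] = []
    for ln in lines:
        out.extend(triage_line(ln, trusted_roots))
    return out


SAMPLE_LOG = [
    # Copied from the HijackThis log in the thread (benign vendor/OEM entries).
    r"O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
    # Constructed lines (not from the thread) shaped like typical rogue-AV residue.
    r"O1 - Hosts: 127.0.0.1 free.avg.com",
    r"O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\HP_Administrator\Local Settings\Temp\svchost.exe",
    r"O23 - Service: Security Update Service (secupd) - Unknown owner - C:\Documents and Settings\All Users\Application Data\secupd\secupd.exe",
]

if __name__ == "__main__":
    # C:\hp is trusted here because this is an HP OEM build (an assumption).
    for f in triage(SAMPLE_LOG, trusted_roots=("C:\\WINDOWS", "C:\\Program Files", "C:\\hp")):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

With `C:\hp` in the trusted roots the four copied lines produce no findings and the three constructed lines produce seven; drop `C:\hp` and the OEM `CLOAKER.EXE` entry is flagged as well, which is why the trusted-root list has to be set per machine rather than hard-coded.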
 
Re: Dad accidentally installed something.

*Sorry about not using edit*

I found the original ComboFix file on the C:\ drive with the files that were removed. I don't know if it helps, but here you go:

ComboFix 08-07-15.4 - HP_Administrator 2008-07-17 17:08:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.656 [GMT 8:00]
Running from: C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Program Files\XP Antivirus
C:\WINDOWS\cookies.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-17 to 2008-07-17 )))))))))))))))))))))))))))))))
.

2008-07-17 17:06 . 2008-07-17 17:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-13 12:56 . 2006-05-01 12:00 161,792 --a------ C:\WINDOWS\system32\CNMLM86.DLL
2008-07-13 12:42 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-07-13 12:42 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys
2008-07-13 12:40 . 2008-06-13 21:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-07-13 12:40 . 2008-06-13 21:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-13 12:06 . 2008-07-13 12:06 <DIR> d---s---- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\UserData
2008-07-13 11:43 . 2008-07-13 11:43 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Application Data\Leadertech
2008-07-13 11:43 . 2008-07-13 11:43 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Application Data\Lavasoft
2008-07-13 11:43 . 2008-07-13 11:43 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Application Data\ICAClient
2008-07-13 11:43 . 2008-07-13 11:43 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Application Data\HPQ
2008-07-13 11:43 . 2008-07-13 11:43 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Application Data\funkitron
2008-07-13 11:43 . 2008-07-13 11:43 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Application Data\DMCache
2008-07-13 11:43 . 2008-07-13 11:43 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Application Data\CyberLink
2008-07-13 11:43 . 2008-07-13 11:43 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Application Data\Aventail
2008-07-13 11:43 . 2008-07-13 11:43 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Application Data\Apple Computer
2008-07-13 11:43 . 2008-07-13 11:43 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Application Data\AdobeUM
2008-07-13 11:42 . 2008-07-13 11:42 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Application Data\WinBatch
2008-07-13 11:42 . 2008-07-13 11:42 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Application Data\Uniblue
2008-07-13 11:42 . 2008-07-13 11:42 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Application Data\skypePM
2008-07-13 11:42 . 2008-07-13 11:42 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Application Data\Skype
2008-07-13 11:42 . 2008-07-13 11:42 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Application Data\MSNInstaller
2008-07-13 11:41 . 2008-07-13 11:41 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Shared
2008-07-13 11:32 . 2008-07-13 11:32 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-07-13 11:32 . 2008-07-13 11:32 917,504 --a------ C:\WINDOWS\system32\FLASH.OCX
2008-07-13 11:25 . 2008-07-13 11:26 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Contacts
2008-07-13 11:25 . 2008-07-13 11:25 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\Citrix
2008-07-13 11:25 . 2008-07-13 11:25 <DIR> d-------- C:\Backup
2008-07-13 11:25 . 2006-12-02 13:17 24,192 --a------ C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\usbsermptxp.sys
2008-07-13 09:02 . 2008-07-13 09:02 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-13 03:05 . 2008-07-17 16:59 <DIR> dr-hs---- C:\WINDOWS\system32\dllcache
2008-07-12 10:32 . 2008-07-12 10:32 1,921 -rahs---- C:\WINDOWS\system32\drivers\103C_HP_CPC_RC624AA-ABG m7585a_YC_0Pavi_QAUD642_E64APemMPA2_48_IBasswood_SASUSTek Computer INC._V1.05_B3.08_T060918_WXP2_L409_M1023_J250_7Intel_8Core2 6300_91.87_#061111_N168C001B_Z_G10DE0392.MRK
2008-07-12 10:29 . 2006-09-12 01:48 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC\WINDOWS
2008-07-12 10:29 . 2008-07-14 07:30 <DIR> d-------- C:\Documents and Settings\HP_Administrator.YOUR-C6B5E4EABC
2008-07-12 10:27 . 2006-09-12 01:48 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS
2008-07-12 10:27 . 2006-09-12 02:13 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec
2008-07-12 10:25 . 2004-08-03 21:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-07-12 10:25 . 2004-08-03 22:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-07-12 10:25 . 2004-08-03 20:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-07-12 10:25 . 2001-08-17 11:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-07-12 10:25 . 2001-08-17 12:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-07-11 21:36 . 2008-07-11 21:36 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\TmpRecentIcons
2008-07-07 17:20 . 2008-07-09 18:11 <DIR> d-------- C:\etax2008
2008-06-17 19:03 . 2008-07-12 08:14 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\skypePM
2008-06-17 18:11 . 2008-06-17 18:11 <DIR> d-------- C:\Program Files\Skype
2008-06-17 18:11 . 2008-06-17 18:11 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-06-17 18:11 . 2008-07-12 11:23 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Skype
2008-06-17 18:11 . 2008-06-17 18:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-13 04:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-07-13 04:06 --------- d-----w C:\Program Files\Google
2008-07-13 01:02 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-13 01:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-15 07:47 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-17 10:46 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2006-12-02 05:17 24,192 ----a-w C:\Documents and Settings\HP_Administrator\usbsermptxp.sys
2006-12-02 05:17 22,768 ----a-w C:\Documents and Settings\HP_Administrator\usbsermpt.sys
2004-05-13 22:34 999,424 ----a-w C:\Program Files\vorbisfile.dll
2004-05-13 22:34 53,248 ----a-w C:\Program Files\ogg.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2005-09-27 15:34 169984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates From HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates From HP.lnk
backup=C:\WINDOWS\pss\Updates From HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
--a------ 2006-04-13 07:05 90112 c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 18:56 64512 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-17 04:11 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
--a------ 2006-02-15 20:34 249856 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2006-07-06 12:15 151552 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-10 12:00 208952 C:\WINDOWS\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-14 07:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-10 12:00 59392 C:\WINDOWS\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-06-21 08:06 7622656 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-10 12:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-10 12:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2005-07-22 20:14 237568 C:\WINDOWS\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2004-12-14 00:23 663552 C:\WINDOWS\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-07-13 12:06 171448 C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ftutil2]
--a------ 2004-06-07 12:05 106496 C:\WINDOWS\system32\ftutil2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-06-21 08:06 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-07-22 07:56 16261632 C:\WINDOWS\RTHDCPL.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

R3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2006-04-12 11:36]
R3 WN5301;LIteon Wireless PCI Network Adapter Service;C:\WINDOWS\system32\DRIVERS\wn5301.sys [2005-10-06 01:44]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-17 17:10:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-17 17:10:32
ComboFix-quarantined-files.txt 2008-07-17 09:10:29

Pre-Run: 189,880,827,904 bytes free
Post-Run: 189,882,974,208 bytes free

151 --- E O F --- 2008-07-13 23:37:51
 
Re: Dad accidentally installed something.

Hello,

Have you tried uninstalling these programs from Add/Remove (it's important that it's done from there) and reinstalling them?
 
Re: Dad accidentally installed something.

Sorry, I forgot to mention that the programs are no longer located in Add/Remove.

When you go in there, Skype, AVG, Firefox and MSN are no longer located there (and there may be others missing too).

I assumed that they had been corrupted somehow and also tried to use the AVG uninstaller, which did not work either, so I just deleted the files.
 
Re: Dad accidentally installed something.

Ah, manually deleting the files would have been a bad idea. You can try using CCleaner to remove the last bits of the registry entries: CCleaner - Download
 
Re: Dad accidentally installed something.

No no, I deleted the files after discovering that they were no longer in Add/Remove Programs. So either they are hidden from Add/Remove (which I have no idea how) or they are corrupt. Since I cannot even uninstall AVG using their uninstaller, I guess they are corrupt and are not installed on the computer anymore.

I have already tried to use CCleaner to remove them, but the same problem exists.
 
Re: Dad accidentally installed something.

Thx Mak, I should be able to do it tomorrow; atm my friend is using the monitor to play EVE Online.
 
Re: Dad accidentally installed something.

Hello Redmo0n,

After looking through the ComboFix log I don't see anything out of the ordinary. I see an entry for FreeMP3Player and RecordNRip. If you know of these then I will leave them. If not, then I can help you remove them. Other than that the log looks fine to me.

Cheers,
Mak
 
Re: Dad accidentally installed something.

Nope, I have no idea what they are; probably something installed by mistake or with other software.

I'm gonna go make a cup of tea and then see if I can uninstall those programs, so I'll post back soon with more info.

Edit: Ok, I used the program to uninstall Firefox and it works now after a reinstall! Though AVG, Skype and a few other programs are still no longer located in Add/Remove. I was thinking, and I am pretty sure (now that I think about it) my dad's friend used the recovery console, reformatted, or used System Restore (which is active) to remove the virus. Could that explain why some files were still on the hard drive but others were missing or corrupt? Could it have changed/removed the registry?

I'm gonna try to download/install AVG now and then MSN, Skype, iTunes etc. Thanks for all the help; if the files (FreeMP3Player and RecordNRip) are causing any problems or could potentially cause problems, give me a kill file for ComboFix and I'll remove them asap :)

-Thx

Edit: I installed AVG, Skype, iTunes and MSN successfully and everything seems to be fine now.
 