Recently, I removed Windows XP Security 2012 and was left with a process called ping.exe which uses enormous amounts of CPU.

I am in the process of completing the sticky guide (http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865) and am currently running scan #2 using GMER.

I have run the Windows Malicious Software Removal Tool, ATF-Cleaner, and GMER while in safe mode.

Is it OK for me to be in safe mode when creating these logs?

ALSO, the first thing I ever did was run Malwarebytes Anti-Malware, but it did not catch anything. WMSRT and TDSSKiller did not find anything either. I've read that this is a symptom of the virus (interfering with anti-virus programs).

Thank you
I will post the logs upon completion, as I will have to restart my computer to enable networking, but it is in the middle of scanning via GMER.


Hi Todd,

Normally we prefer all tools to be run in Normal Windows boot.
No worries, though.

Since the next few days are going to be a bit hectic, we can save some time by going ahead with the following:

-- Please follow the steps in the linky below to run combofix and post the log for us:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please run it exactly as directed and be sure to install the recovery console.

-- I or another volunteer will check back as time permits.

Cheers :)
PP

Thank you very much, I am literally on my way out the door, but will run these steps and post follow-up as soon as I can.

The GMER One file I opened was blank. I let it run the initial scan and saved it, but the file is blank.

GMER Two
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-24 23:27:44
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-17 ST3250823AS rev.3.03
Running: 20lyke5y.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\kxdyrpob.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Cdfs \Cdfs F676C400

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x73 0xEE 0xF4 0x06 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xA7 0xFE 0xA1 0x3A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x33 0x66 0xEB 0x86 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x6E 0xD1 0xBF 0xEA ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0x1D 0x5D 0x95 0xFF ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3@hdf12 0x1D 0x5D 0x95 0xFF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x73 0xEE 0xF4 0x06 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xA7 0xFE 0xA1 0x3A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x33 0x66 0xEB 0x86 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x6E 0xD1 0xBF 0xEA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0x1D 0x5D 0x95 0xFF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3@hdf12 0x1D 0x5D 0x95 0xFF ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG10.00.00.01WORKSTATION

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB62280$\2183453225 0 bytes
File C:\WINDOWS\$NtUninstallKB62280$\485945278 0 bytes
File C:\WINDOWS\$NtUninstallKB62280$\485945278\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB62280$\485945278\bckfg.tmp 814 bytes
File C:\WINDOWS\$NtUninstallKB62280$\485945278\cfg.ini 208 bytes
File C:\WINDOWS\$NtUninstallKB62280$\485945278\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB62280$\485945278\keywords 34 bytes
File C:\WINDOWS\$NtUninstallKB62280$\485945278\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB62280$\485945278\L 0 bytes
File C:\WINDOWS\$NtUninstallKB62280$\485945278\L\vevgtwwl 162816 bytes
File C:\WINDOWS\$NtUninstallKB62280$\485945278\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB62280$\485945278\U 0 bytes
File C:\WINDOWS\$NtUninstallKB62280$\485945278\U\00000001.@ 1536 bytes
File C:\WINDOWS\$NtUninstallKB62280$\485945278\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB62280$\485945278\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB62280$\485945278\U\80000000.@ 11264 bytes
File C:\WINDOWS\$NtUninstallKB62280$\485945278\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB62280$\485945278\U\80000032.@ 97792 bytes

---- EOF - GMER 1.0.15 ----

DDS Log
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_20
Run by HP_Administrator at 2:46:56 on 2011-12-25
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.303 [GMT -8:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Pro Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - n:\avg\avgssie.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ViewMgr] c:\program files\viewpoint\viewpoint manager\ViewMgr.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/haphazard/raptisoftgameloader.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} - hxxp://o.aolcdn.com/pictures/ap/Resources/2.0.8.98/cab/aolpPlugins.10.6.0.6.cab
DPF: {83EF1847-D835-490B-8D9D-90B2987D66E8} - hxxp://pictures.aolcdn.com/ap/Resources/1.0.2.19.b//cab/YgpUploader.9.3.2.3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} - hxxp://ak.imgag.com/imgag/cp/install/Crusher.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - hxxp://www.photodex.com/pxplay.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1 68.238.64.12
TCP: Interfaces\{5E653F4F-3D17-4EAB-97EA-A31EFBE63872} : DhcpNameServer = 192.168.1.1 68.238.64.12
TCP: Interfaces\{8BE37668-6FF2-4C07-8190-0DE081053795} : NameServer = 66.75.160.63,66.75.160.64
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
Notify: PCANotify - PCANotify.dll
Notify: WRNotifier - WRLogonNTF.dll
AppInit_DLLs: c:\windows\system32\avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\7xpzdyya.todd\
FF - plugin: c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\7xpzdyya.todd\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\hp_administrator\application data\mozilla\plugins\npPxPlay.dll
FF - plugin: c:\documents and settings\hp_administrator\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np_gp.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np32dsw.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npLegitCheckPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npnul32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\minefield\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Password Exporter: {B17C1C5A-04B1-11DB-9804-B622A1EF5492} - %profile%\extensions\{B17C1C5A-04B1-11DB-9804-B622A1EF5492}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R1 atitray;atitray;c:\program files\radeon omega drivers\v3.8.421\ati tray tools\atitray.sys [2005-11-13 17824]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-20 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-20 26824]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2002-2-11 33496]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.SYS [2000-9-11 10816]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-2-1 394952]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-6-5 561152]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-2-9 24652]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;c:\program files\linksys wireless-g usb wireless network monitor\WLService.exe [2008-11-17 53307]
R3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [2005-5-30 85248]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2009-8-11 28672]
S0 kl1;kl1;c:\windows\system32\drivers\kl1.sys --> c:\windows\system32\drivers\kl1.sys [?]
S2 avg8wd;AVG Free8 WatchDog;n:\avg\avgwdsvc.exe --> n:\avg\avgwdsvc.exe [?]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 ESEADriver2;ESEADriver2;\??\c:\docume~1\hp_adm~1\locals~1\temp\eseadriver2.sys --> c:\docume~1\hp_adm~1\locals~1\temp\ESEADriver2.sys [?]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\hp_adm~1\locals~1\temp\bqw3c3.tmp --> c:\docume~1\hp_adm~1\locals~1\temp\BQW3C3.tmp [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S4 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\AWHOST32.EXE [2002-2-15 114749]
S4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2005-3-23 198256]
S4 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2005-3-23 79472]
S4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2005-3-23 165488]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2005-9-10 822424]
.
=============== File Associations ===============
.
JSEFile=NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2011-12-25 07:40:13 98816 ----a-w- c:\windows\sed.exe
2011-12-25 07:40:13 518144 ----a-w- c:\windows\SWREG.exe
2011-12-25 07:40:13 256000 ----a-w- c:\windows\PEV.exe
2011-12-25 07:40:13 208896 ----a-w- c:\windows\MBR.exe
2011-12-24 10:31:43 29184 ----a-w- c:\windows\system32\HuA7tA.com
2011-12-15 03:16:52 54016 ----a-w- c:\windows\system32\drivers\aryplp.sys
2011-12-12 08:51:24 -------- d-----w- c:\windows\system32\oobe
.
==================== Find3M ====================
.
.
============= FINISH: 2:47:15.51 ===============

Attach Log
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 9/10/2005 3:29:08 PM
System Uptime: 12/25/2011 1:31:46 AM (1 hours ago)
.
Motherboard: ASUSTek Computer INC. | | LIMESTONE
Processor: Intel(R) Pentium(R) D CPU 2.80GHz | Socket 775 | 2800/200mhz
Processor: Intel(R) Pentium(R) D CPU 2.80GHz | Socket 775 | 2800/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 225 GiB total, 37.051 GiB free.
D: is FIXED (FAT32) - 8 GiB total, 1.416 GiB free.
E: is CDROM (UDF)
F: is CDROM ()
H: is Removable
I: is Removable
J: is Removable
K: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\46E08E11D800
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\46E08E11D800
Service: NIC1394
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) PRO/100 VE Network Connection
Device ID: PCI\VEN_8086&DEV_27DC&SUBSYS_2A22103C&REV_01\4&1AF1648C&0&40F0
Manufacturer: Intel
Name: Intel(R) PRO/100 VE Network Connection
PNP Device ID: PCI\VEN_8086&DEV_27DC&SUBSYS_2A22103C&REV_01\4&1AF1648C&0&40F0
Service: E100B
.
Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ROOT\MEDIA\0000
Manufacturer: Antares Audio Technologies
Name:
PNP Device ID: ROOT\MEDIA\0000
Service:
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Hamachi Network Interface
Device ID: ROOT\NET\0001
Manufacturer: LogMeIn, Inc.
Name: Hamachi Network Interface
PNP Device ID: ROOT\NET\0001
Service: hamachi
.
==== System Restore Points ===================
.
RP1468: 11/25/2011 4:47:51 PM - System Checkpoint
RP1469: 12/12/2011 1:07:51 AM - System Checkpoint
RP1470: 12/14/2011 1:41:34 PM - System Checkpoint
RP1471: 12/19/2011 1:09:07 AM - System Checkpoint
RP1472: 12/24/2011 11:40:30 PM - ComboFix created restore point
.
==== Installed Programs ======================
.
µTorrent
1600
Ad-Aware 2007
Ad-Aware SE Personal
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge 1.0
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Common File Installer
Adobe Device Central CS3
Adobe Download Manager
Adobe ExtendScript Toolkit 2
Adobe Flash CS3
Adobe Flash CS3 Professional
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Video Encoder
Adobe Help Center 1.0
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS2
Adobe Reader 7.0.9
Adobe Reader Japanese Fonts
Adobe Setup
Adobe Stock Photos 1.0
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Agere Systems PCI Soft Modem
AIM 7
AIM Ad Hack
AIM MusicLink 2.1.0.5
AiO_Scan
AiOSoftware
AMD Fusion for Gaming
AMX Mod X Installer 1.8.1
Antares Voice Thing!
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Deskbar
AOL Instant Messenger
AOL Pictures Tools (version 10.6.0.6)
AOL Toolbar 2.0
AOL You've Got Pictures Screensaver
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ASIO4ALL
Ask Toolbar
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Audacity 1.2.6
Avi2Dvd 0.4.5 beta
AviSynth 2.5
Bent Ericksen & Associates HR Director-Dental 11th Edition
BitPim 1.0.6
Blasterball 2 Remix
Bonjour
BufferChm
BUM
CameraDrivers
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help English
ccCommon
CCleaner (remove only)
CDisplay 1.8
Company of Heroes
Company of Heroes - FAKEMSI
Condition Zero
ConvertXtoDVD 3.1.0.24
Copy
Counter-Strike: Source
CP_AtenaShokunin1Config
cp_dwSharkTaleAlbums1
cp_dwSharkTaleCards1
cp_dwShrek2Albums1
cp_dwShrek2Cards1
CP_PLSBusinessFlyers
CreativeProjects
CreativeProjectsTemplates
Critical Update for Windows Media Player 11 (KB959772)
CueTour
Day of Defeat
Destinations
Director
DivX Content Uploader
DivX Web Player
DocProc
DocumentViewer
Download Updater (AOL LLC)
DVD Flick
Easy GIF Animator 4.1
ElectricSheep 2.6.6
Family Lawyer '99
Fax
Fireflies Screensaver (remove only)
FL Studio 7
FLV to AVI MPEG WMV 3GP MP4 iPod Converter 3.9.1108
Free Games Offer, Desktop Shortcut
Free PDF to Word Doc Converter v1.1
FrostWire 4.20.6
Garena
GemMaster Mystic
gigabeat S Series Manual
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Hamachi 1.0.1.5
Help and Support Additions
Heroes of Newerth
High Definition Audio Driver Package - KB888111
HLSW v1.2.1.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB945282)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB946040)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB946308)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB947540)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB947789)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Boot Optimizer
HP Deskjet 3840 Series
HP Deskjet Printer Preload
HP Help and Support 4.0
HP Image Zone 4.8.6
HP Image Zone for Media Center PC
HP Image Zone Plus 4.8.6
HP Photosmart Cameras 4.5
HP PrecisionScan LTX
HP Product Assistant
HP PSC & OfficeJet 4.7
HP Scan-to-Web Wizard
HP Software Update
HP Tunes
HPIZplus450
HpSdpAppCoreApp
HPSystemDiagnostics
IL Download Manager
InstantShare
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
IntelliMover Data Transfer Demo
InterVideo WinDVD Player
iPodRip
iTunes
iTunes Library Updater
J2SE Runtime Environment 5.0
Japan Map 1.45
Java Auto Updater
Java(TM) 6 Update 2
Java(TM) 6 Update 20
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
JD Secure 3.1
KBD
Killing Floor
KODAK EASYSHARE Gallery Easy Upload, v2.1
Learn2 Player (Uninstall Only)
Left 4 Dead
LG USB Modem driver
LibUSB-Win32-0.1.12.1
Linksys Wireless-G USB Network Adapter
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
LS_HSI
Macromedia Shockwave Player
Magic ISO Maker v5.5 (build 0272)
Malwarebytes' Anti-Malware
MapSource
MapSource - City Select North America v7
MapSource - Trip & Waypoint Manager v2
Maxthon Browser (remove only)
MediaMonkey 3.1
MediaMonkey Script - ImportM3U 3.1
MediaMonkey Script - RecreateM3U 2.1
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Bootvis
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Games for Windows - LIVE Redistributable
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher 2007
Microsoft Office Publisher 2007 Trial
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard Edition 2003
Microsoft Plus! Dancer LE
Microsoft Plus! Digital Media Edition Installer
.
==== Event Viewer Messages From Past Week ========
.
12/25/2011 2:21:00 AM, error: Schedule [7901] - The At6.job command failed to start due to the following error: %%2147942402
12/25/2011 1:32:14 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
12/24/2011 3:21:00 AM, error: Schedule [7901] - The At8.job command failed to start due to the following error: %%2147942402
12/24/2011 2:42:50 AM, error: Service Control Manager [7034] - The Terminal Services service terminated unexpectedly. It has done this 1 time(s).
12/24/2011 2:42:50 AM, error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
12/24/2011 2:23:42 AM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
12/24/2011 2:23:41 AM, error: Service Control Manager [7024] - The Media Center Extender Service service terminated with service-specific error 2147500037 (0x80004005).
12/24/2011 2:23:41 AM, error: Service Control Manager [7000] - The eamon service failed to start due to the following error: The system cannot find the file specified.
12/24/2011 2:23:41 AM, error: Service Control Manager [7000] - The AVG Free8 WatchDog service failed to start due to the following error: The system cannot find the path specified.
12/24/2011 2:22:31 AM, error: NETLOGON [3095] - This computer is configured as a member of a workgroup, not as a member of a domain. The Netlogon service does not need to run in this configuration.
12/24/2011 11:42:20 PM, error: Service Control Manager [7034] - The Lexar JD31 service terminated unexpectedly. It has done this 1 time(s).
12/24/2011 11:39:04 PM, error: Service Control Manager [7034] - The Ad-Aware 2007 Service service terminated unexpectedly. It has done this 1 time(s).
12/24/2011 11:06:34 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
12/22/2011 2:35:55 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/22/2011 2:35:51 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
12/22/2011 2:26:15 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD atitray AvgLdx86 AvgMfx86 awlegacy Fips intelppm IPSec MRxSmb NetBIOS NetBT NPPTNT2 RasAcd Rdbss Tcpip vsdatant
12/22/2011 2:26:15 AM, error: Service Control Manager [7001] - The TrueVector Internet Monitor service depends on the vsdatant service which failed to start because of the following error: A device attached to the system is not functioning.
12/22/2011 2:26:15 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
12/22/2011 2:26:15 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/22/2011 2:26:15 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/22/2011 2:26:15 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
12/22/2011 2:26:15 AM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/22/2011 2:26:15 AM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/22/2011 2:22:24 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the vsmon service.
12/22/2011 1:08:57 AM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
.
==== End Of File ===========================

ComboFix Log
ComboFix 11-12-24.10 - HP_Administrator 12/24/2011 23:51:58.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.511 [GMT -8:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Pro Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\HP_Administrator\Application Data\inst.exe
c:\documents and settings\HP_Administrator\Application Data\vso_ts_preview.xml
c:\documents and settings\HP_Administrator\Start Menu\Programs\1964.lnk
c:\documents and settings\HP_Administrator\WINDOWS
c:\windows\$NtUninstallKB62280$\2183453225
c:\windows\$NtUninstallKB62280$\485945278\@
c:\windows\$NtUninstallKB62280$\485945278\bckfg.tmp
c:\windows\$NtUninstallKB62280$\485945278\cfg.ini
c:\windows\$NtUninstallKB62280$\485945278\Desktop.ini
c:\windows\$NtUninstallKB62280$\485945278\keywords
c:\windows\$NtUninstallKB62280$\485945278\kwrd.dll
c:\windows\$NtUninstallKB62280$\485945278\L\vevgtwwl
c:\windows\$NtUninstallKB62280$\485945278\lsflt7.ver
c:\windows\$NtUninstallKB62280$\485945278\U\00000001.@
c:\windows\$NtUninstallKB62280$\485945278\U\00000002.@
c:\windows\$NtUninstallKB62280$\485945278\U\00000004.@
c:\windows\$NtUninstallKB62280$\485945278\U\80000000.@
c:\windows\$NtUninstallKB62280$\485945278\U\80000004.@
c:\windows\$NtUninstallKB62280$\485945278\U\80000032.@
c:\windows\command
c:\windows\command\EXTRACT.PIF
c:\windows\dasetup.log
c:\windows\kb913800.exe
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\ps2.bat
c:\windows\system32\Setup_ver1.1777.0.exe
D:\Autorun.inf
c:\windows\$NtUninstallKB62280$ . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2011-11-25 to 2011-12-25 )))))))))))))))))))))))))))))))
.
.
2011-12-24 10:31 . 2011-12-24 10:31 29184 ----a-w- c:\windows\system32\HuA7tA.com
2011-12-15 03:16 . 2011-12-15 03:16 54016 ----a-w- c:\windows\system32\drivers\aryplp.sys
2011-12-15 01:37 . 2011-12-15 01:37 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2011-12-12 08:51 . 2011-12-12 08:51 -------- d-----w- c:\windows\system32\oobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-25 245760]
"RTHDCPL"="RTHDCPL.EXE" [2005-04-12 14156800]
"ViewMgr"="c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [2004-11-11 111816]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-09-01 1047208]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 53760]
.
c:\documents and settings\HP_Administrator\Sta

So far Ping.exe hasn't shown up in the task manager. Will run one more scan with MBAM and then check back here tomorrow. Thanks so far!

Happy to help :)

-- There are still a few things we need to do yet. I'll post the steps this evening when I get home.

In the meantime, it might help if you could navigate to c:\windows\system32\drivers\aryplp.sys and right-click it and see if there is any property information for it... Or, do you know what it belongs to?

PP:)

OK - Since I'll be offline for a bit, let's go ahead and do this:

-- Please delete your copy of ComboFix and download a fresh one to your Desktop
-- Download the attached file CFScript.txt to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into ComboFix.exe just like this.

-- Let Combofix run as before and post me that log.

And . . . We'll go from there :)
PP

I have no idea what aryplp.sys is for. What should I do about it?

I'm running ComboFix right now, and I shut down ZoneAlarm to do so, but it tells me that I am running AVG Anti-virus. As far as I know I uninstalled this program, so I don't know why it is saying that. I couldn't find it in the system processes either.

What is a good combination of firewall/anti-virus I should use? Thanks again.

ComboFix + CFScript Log
ComboFix 11-12-28.03 - HP_Administrator 12/28/2011 14:01:50.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.604 [GMT -8:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Pro Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
FILE ::
"c:\windows\system32\drivers\aryplp.sys"
"c:\windows\system32\HuA7tA.com"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB62280$ . . . . Failed to delete
c:\windows\system32\drivers\aryplp.sys
c:\windows\Tasks\At1.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At9.job
.
----- File Replicators -----
.
d:\i386\Apps\APP00845\commands.exe
d:\i386\Apps\APP01243\commands.exe
d:\i386\Apps\APP01452\commands.exe
d:\i386\Apps\APP01847\commands.exe
d:\i386\Apps\APP03873\commands.exe
d:\i386\Apps\APP03912\commands.exe
d:\i386\Apps\APP05646\commands.exe
d:\i386\Apps\APP08032\commands.exe
d:\i386\Apps\APP08884\commands.exe
d:\i386\Apps\APP10274\commands.exe
d:\i386\Apps\APP11453\commands.exe
d:\i386\Apps\APP11464\commands.exe
d:\i386\Apps\APP12090\commands.exe
d:\i386\Apps\APP13102\commands.exe
d:\i386\Apps\APP18763\commands.exe
d:\i386\Apps\APP19218\commands.exe
d:\i386\Apps\APP19259\commands.exe
d:\i386\Apps\APP19694\commands.exe
d:\i386\Apps\APP22154\commands.exe
d:\i386\Apps\APP22753\commands.exe
d:\i386\Apps\APP23242\commands.exe
d:\i386\Apps\APP26503\commands.exe
d:\i386\Apps\APP31457\commands.exe
d:\i386\Apps\APP31989\commands.exe
d:\i386\Drv\APP01428\commands.exe
d:\i386\Drv\APP05076\commands.exe
d:\i386\Drv\APP05291\commands.exe
d:\i386\Drv\APP06096\commands.exe
d:\i386\Drv\APP14236\commands.exe
d:\i386\Drv\APP18428\commands.exe
d:\i386\Drv\APP19558\commands.exe
d:\i386\Drv\APP19570\commands.exe
d:\i386\Drv\APP23061\commands.exe
d:\i386\Drv\APP23736\commands.exe
d:\i386\Drv\APP25077\commands.exe
d:\i386\Drv\APP28868\commands.exe
d:\i386\Drv\APP30148\commands.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-28 )))))))))))))))))))))))))))))))
.
.
2011-12-28 22:20 . 2011-12-28 22:20 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-12-28 21:15 . 2011-12-28 21:15 -------- d-----w- c:\windows\system32\oobe
2011-12-28 11:10 . 2011-12-28 11:10 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2011-12-28 10:59 . 2011-12-28 10:59 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-12-15 01:37 . 2011-12-15 01:37 -------- d-s---w- c:\documents and settings\NetworkService\UserData
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 23:24 . 2010-07-26 04:09 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-25_10.25.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-28 22:19 . 2011-12-28 22:19 16384 c:\windows\temp\Perflib_Perfdata_f0.dat
+ 2008-06-14 22:25 . 2011-12-25 22:40 2285568 c:\windows\system32\ZoneLabs\zlqrtdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-25 245760]
"RTHDCPL"="RTHDCPL.EXE" [2005-04-12 14156800]
"ViewMgr"="c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [2004-11-11 111816]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-10 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-12-25 981680]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 53760]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe" [2010-07-23 231888]
.
c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
AutoTBar.exe [2003-9-30 57344]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2002-02-15 18:51 24638 ----a-w- c:\windows\system32\PCANotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0OODBS
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^4t Tray Minimizer.lnk]
path=c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\4t Tray Minimizer.lnk
backup=c:\windows\pss\4t Tray Minimizer.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^Cyber-shot Viewer Media Check Tool.lnk]
path=c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\Cyber-shot Viewer Media Check Tool.lnk
backup=c:\windows\pss\Cyber-shot Viewer Media Check Tool.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
2004-10-19 01:42 79448 ----a-w- c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2006-10-23 12:50 71216 ----a-w- c:\program files\Common Files\AOL\ACS\AOLDial.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2005-03-23 22:34 58992 ----a-w- c:\program files\Common Files\Symantec Shared\CCAPP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 20:56 64512 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-09-26 00:52 50736 ----a-w- c:\program files\Common Files\AOL\1127676410\ee\aolsoftware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-04-05 14:19 77824 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2004-12-14 16:07 176128 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
2004-06-07 11:42 659456 ----a-w- c:\windows\system32\hphmon06.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
2004-08-10 04:00 44032 ----a-w- c:\windows\ime\imkr6_1\imekrmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-01 15:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
2004-10-14 13:54 253952 ----a-w- c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2004-08-10 04:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]
2007-05-11 09:08 2512392 ----a-w- c:\windows\system32\oodtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2005-04-05 14:23 114688 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrintServer Diagnostic]
2004-11-25 01:09 266240 ----a-w- c:\program files\Print Server\PTP\PSDiagnostic.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-10 12:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]
2007-09-02 20:58 495616 ----a-w- c:\program files\RocketDock\RocketDock.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 20:35 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2011-09-07 23:28 1242448 ----a-w- c:\program files\Steam\steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 11:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2005-05-31 02:00 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2010-01-07 21:38 158448 ----a-w- c:\program files\Zune\ZuneLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"O&O Defrag"=3 (0x3)
"iPodService"=3 (0x3)
"ZuneWlanCfgSvc"=3 (0x3)
"ZuneNetworkSvc"=3 (0x3)
"ZuneBusEnum"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Symantec Core LC"=2 (0x2)
"sp_rssrv"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"LightScribeService"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Bonjour Service"=2 (0x2)
"awhost32"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1127676410\\ee\\aolservicehost.exe"=
"c:\\Program Files\\Common Files\\AOL\\1127676410\\ee\\aolsoftware.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Warcraft III\\war3.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\killingfloor\\System\\KillingFloor.exe"=
"c:\\Program Files\\AIM7\\aim.exe"=
"c:\\Program Files\\Steam\\steamapps\\skgmaverick\\counter-strike\\hl.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\steamapps\\toddthirtyone\\counter-strike\\hl.exe"=
.
R1 atitray;atitray;c:\program files\Radeon Omega Drivers\v3.8.421\ATI Tray Tools\atitray.sys [11/13/2005 3:43 PM 17824]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/20/2009 12:54 PM 97928]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/9/2008 9:15 AM 24652]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe [11/17/2008 9:25 PM 53307]
R3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [5/30/2005 5:43 PM 85248]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [8/11/2009 12:27 PM 28672]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [6/4/2008 10:18 PM 47360]
S2 avg8wd;AVG Free8 WatchDog;n:\avg\avgwdsvc.exe --> n:\avg\avgwdsvc.exe [?]
S3 ESEADriver2;ESEADriver2;\??\c:\docume~1\HP_ADM~1\LOCALS~1\Temp\ESEADriver2.sys --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\ESEADriver2.sys [?]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\HP_ADM~1\LOCALS~1\Temp\BQW3C3.tmp --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\BQW3C3.tmp [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 1:10 PM 32512]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - GTNDIS5
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2009-12-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
2011-12-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-968509-3672355333-2252962230-1008Core.job
- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-21 23:21]
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-968509-3672355333-2252962230-1008UA.job
- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-21 23:21]
.
2008-12-10 c:\windows\Tasks\shutdown.job
- c:\windows\system32\shutdown.exe [2004-08-10 04:00]
.
2011-12-28 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-05-31 19:24]
.
2011-12-15 c:\windows\Tasks\WebReg Deskjet 3840.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2004-11-05 03:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
TCP: DhcpNameServer = 192.168.1.1 68.238.64.12
TCP: Interfaces\{8BE37668-6FF2-4C07-8190-0DE081053795}: NameServer = 66.75.160.63,66.75.160.64
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/haphazard/raptisoftgameloader.cab
DPF: {83EF1847-D835-490B-8D9D-90B2987D66E8} - hxxp://pictures.aolcdn.com/ap/Resources/1.0.2.19.b//cab/YgpUploader.9.3.2.3.cab
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\7xpzdyya.todd\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Minefield\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Password Exporter: {B17C1C5A-04B1-11DB-9804-B622A1EF5492} - %profile%\extensions\{B17C1C5A-04B1-11DB-9804-B622A1EF5492}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-28 14:20
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\HP_ADM~1\LOCALS~1\Temp\BQW3C3.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="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"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(772)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(1592)
c:\program files\RocketDock\RocketDock.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\LxrJD31s.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\wanmpsvc.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
c:\windows\system32\dllhost.exe
c:\windows\RTHDCPL.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2011-12-28 14:27:29 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-28 22:27
ComboFix2.txt 2011-12-25 10:31
.
Pre-Run: 39,262,941,184 bytes free
Post-Run: 39,350,685,696 bytes free
.
- - End Of File - - BAE8AEE515E27C40A38FEFEB9D139787

I have no idea what aryplp.sys is for. What should I do about it?
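
The registry section of that ComboFix log shows the settings a practitioner would want flagged automatically: Security Center told to ignore AV and firewall state (AntiVirusOverride / FirewallOverride = 1), third-party firewall monitoring disabled, the Windows Firewall standard profile switched off with notifications suppressed, and two "drivers" (ESEADriver2, GarenaPEngine) whose image lives in the user's Temp folder. The script below is an added example, not part of this thread and not ComboFix code: it parses a dump in the same format and reports those conditions. The sample text is constructed to mirror the log above; the value names are the real Windows XP ones and the "safe" values are what a machine with Security Center and the firewall enabled has.

```python
"""Audit a ComboFix-style registry/driver dump for security-weakening settings.

Added example, not part of the forum thread and not ComboFix code. The
sample text below is constructed to mirror the format of the log posted
above; the registry value names (AntiVirusOverride, FirewallOverride,
EnableFirewall, ...) are the real Windows XP ones and the "safe" values
are the defaults on a machine whose Security Center and firewall are on.
"""
import re

# Constructed sample in the same format as the ComboFix log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/20/2009 12:54 PM 97928]
S3 ESEADriver2;ESEADriver2;\??\c:\docume~1\HP_ADM~1\LOCALS~1\Temp\ESEADriver2.sys --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\ESEADriver2.sys [?]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\HP_ADM~1\LOCALS~1\Temp\BQW3C3.tmp --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\BQW3C3.tmp [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 1:10 PM 32512]
"""

# (fragment of the enclosing key, value name) -> value expected on a healthy box.
# Anything else is reported as a weakened setting.
SAFE_VALUES = {
    ("security center", "antivirusoverride"): 0,   # AV status hidden from Security Center
    ("security center", "firewalloverride"): 0,    # firewall status hidden from Security Center
    ("monitoring", "disablemonitoring"): 0,        # third-party product monitoring switched off
    ("firewallpolicy", "enablefirewall"): 1,       # Windows Firewall off for this profile
    ("firewallpolicy", "disablenotifications"): 0, # user no longer told about blocked programs
}

KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"=dword:00000001   or   "Name"= 0 (0x0)
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(?:dword:([0-9A-Fa-f]{1,8})|(\d+))')
# R1 name;description;image path [...]   (R = running, S = stopped)
DRIVER_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")


def image_path(rest):
    """Extract the image path from the tail of a service/driver line."""
    path = rest.split(" -->")[0].split(" [")[0].strip()
    if path.startswith("\\??\\"):  # NT object-manager prefix, strip it
        path = path[4:]
    return path


def audit_dump(text):
    """Return a list of (kind, detail, context) findings for the dump."""
    findings = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if (km := KEY_RE.match(line)):
            current_key = km.group(1).lower()
            continue
        if (vm := VALUE_RE.match(line)):
            name, hexval, decval = vm.groups()
            value = int(hexval, 16) if hexval is not None else int(decval)
            for (key_frag, vname), safe in SAFE_VALUES.items():
                if key_frag in current_key and name.lower() == vname and value != safe:
                    findings.append(("weakened_setting", f"{name}={value}", current_key))
            continue
        if (dm := DRIVER_RE.match(line)):
            _state, svc, _desc, rest = dm.groups()
            path = image_path(rest).lower()
            # Kernel drivers normally live under system32\drivers; an image in a user's
            # Temp folder, or with a .tmp extension, needs explaining before it is trusted.
            if "\\temp\\" in path or path.endswith(".tmp"):
                findings.append(("driver_from_temp", svc, path))
    return findings


if __name__ == "__main__":
    for kind, detail, ctx in audit_dump(SAMPLE_LOG):
        print(f"{kind:18} {detail:35} {ctx}")
```

Run against the sample it reports five weakened settings and the two Temp-folder drivers; pointed at a full ComboFix.txt it simply reads the same sections. A finding is a prompt to ask what set the value (the thread does exactly that for GarenaPEngine), not proof of infection on its own.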

I went ahead and removed it - if it is legitimate and needed then a replacement should be easy enough to obtain.

-- Do you know what this is --> GarenaPEngine? Do you use it for gaming?

-- Though it does look as if combofix may have removed some legitimate HP files. We will dequarantine those. If you like, we can dequarantine aryplp.sys as well and you can upload it for analysis at Jotti or Virustotal.

-- As for AVG still showing up, we can address that after we finish with the cleanup. AVG ought to have an uninstall cleanup tool on their site. Or, we can do it manually.

What is a good combination of firewall/anti-virus I should use?

If you want a great security suite and don't mind paying for it, I think Kaspersky ONE OR Kaspersky Internet Security is far and away the best of the bunch.
If you want to go the free route, get the Comodo Firewall - but don't install the antivirus, just the firewall.
I prefer to pair the Comodo Firewall with Avira Free Antivirus.

Those would be my recommendations.


Anyhoo, please do the following:

-- Re-run GMER and post those logs.

-- Please download and run Farbar Service Scanner
-- Check Include All Files and hit scan. It should produce a log. Please post the FSS.txt for us.

-- Please run an ESET Online Scan and post the results.

-- Also, please open a command prompt (Start > Run > Type CMD ENTER)
Then copy&paste the command below and hit enter:
dir /a /s "C:\Qoobox\Quarantine\" >> C:\PEEK.txt
Please post the C:\PEEK.txt


I'll try to check back as time permits and, with any luck, will have a script to run combofix and restore those HP files.

PP:)

Sorry for responding so late, but I haven't given up on this problem. I re-ran GMER and was wondering if you wanted the initial scan or the GMER Two log? The scan ran all night, but my computer froze before it was able to finish. I am away but will be able to post these logs by Thursday.

Sorry for responding so late...

No Worries.
I, too, am really busy these days. My forum time is going to be intermittent.

I'd like to see all those logs from my last post, if possible.

Cheers :)
PP

I am currently running GMER. This is attempt #3 to run it without freezing my computer. I am willing to do a complete "Destructive Recovery" if this doesn't work. Would that completely fix my problem?

So the GMER scan finished, but I clicked "Scan" not "Save". Will post the other 2 logs once the ESET scan finishes (14% completed, 45-minute running scan time).

I am willing to do a complete "Destructive Recovery" if this doesn't work. Would that completely fix my problem?

Yes - Actually, in cases such as this, that would be the best solution.

There are only two problems I can think of:
1) The second run of combofix removed some legit files that may be necessary to the recovery process. We'd need to fix that before you went ahead. So I'd need to see the below log.

-- Please open a command prompt (Start > Run > Type CMD ENTER)
Then copy&paste the command below and hit enter:
dir /a /s "C:\Qoobox\Quarantine\" >> C:\PEEK.txt
Please post the C:\PEEK.txt

2) The second problem is this - I have seen variations of this malware that, rather than infecting the MBR, actually create a new partition on the HD and flag it to boot first. If that is the case here, I believe we'd need to remove that if you are using the recovery partition.
If you have the OS disk, then it won't be a problem because you can completely wipe the hard drive prior to reinstall.....

PP:)

FSS Log
Farbar Service Scanner
Ran by HP_Administrator (administrator) on 07-01-2012 at 12:02:29
Microsoft Windows XP Professional Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll
[2004-08-09 20:00] - [2006-05-19 04:59] - 0111616 ____A (Microsoft Corporation) EF545E1A4B043DA4C84E230DD471C55F

C:\WINDOWS\system32\Drivers\afd.sys
[2004-08-09 20:00] - [2008-08-14 01:51] - 0138368 ____A (Microsoft Corporation) 55E6E1C51B6D30E54335750955453702

C:\WINDOWS\system32\Drivers\netbt.sys
[2004-08-09 20:00] - [2004-08-09 20:00] - 0162816 ____A () 6EA52432D25A7B1A98699C1ECBA7A167

C:\WINDOWS\system32\Drivers\tcpip.sys
[2004-08-09 20:00] - [2008-06-20 02:45] - 0360320 ____A (Microsoft Corporation) 2A5554FC5B1E04E131230E3CE035C3F9

C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-09 20:00] - [2004-08-09 20:00] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\system32\dnsrslvr.dll
[2004-08-09 20:00] - [2008-02-19 21:32] - 0045568 ____A (Microsoft Corporation) AAC8FFBFD61E784FA3BAC851D4A0BD5F

C:\WINDOWS\system32\ipnathlp.dll
[2004-08-09 20:00] - [2004-09-01 15:34] - 0330752 ____A (Microsoft Corporation) 4AC3902BF0D21A3F49A12FBD1604690A

C:\WINDOWS\system32\netman.dll
[2004-08-09 20:00] - [2005-08-22 10:29] - 0197632 ____A (Microsoft Corporation) 36739B39267914BA69AD0610A0299732

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2004-08-09 20:00] - [2004-08-09 20:00] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

C:\WINDOWS\system32\srsvc.dll
[2004-08-09 20:00] - [2004-08-09 20:00] - 0170496 ____A (Microsoft Corporation) 92BDF74F12D6CBEC43C94D4B7F804838

C:\WINDOWS\system32\Drivers\sr.sys
[2004-08-09 20:00] - [2004-08-09 20:00] - 0073472 ____A (Microsoft Corporation) E41B6D037D6CD08461470AF04500DC24

C:\WINDOWS\system32\wscsvc.dll
[2004-08-09 20:00] - [2004-08-09 20:00] - 0081408 ____A (Microsoft Corporation) 4D59DAA66C60858CDF4F67A900F42D4A

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2004-08-09 20:00] - [2004-08-09 20:00] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

C:\WINDOWS\system32\svchost.exe
[2004-08-09 20:00] - [2004-08-09 20:00] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

C:\WINDOWS\system32\rpcss.dll
[2004-08-09 20:00] - [2009-02-09 02:20] - 0399360 ____A (Microsoft Corporation) 01095FEBF33BEEA00C2A0730B9B3EC28

C:\WINDOWS\system32\services.exe
[2004-08-09 20:00] - [2009-02-06 09:14] - 0110592 ____A (Microsoft Corporation) 37561F8D4160D62DA86D24AE41FAE8DE


Extra List:
=======
AegisP(11) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x0B0000000400000001000000020000000300000005000000060000000700000008000000090000000A0000000B000000

**** End of log ****

Peek.txt

Volume in drive C is HP_PAVILION
Volume Serial Number is 3423-DC14

Directory of C:\Qoobox\Quarantine

12/28/2011 02:15 PM <DIR> .
12/28/2011 02:15 PM <DIR> ..
12/25/2011 01:29 AM <DIR> C
12/28/2011 01:55 PM 867 catchme.log
12/28/2011 01:59 PM 0 catchme.txt
12/25/2011 02:25 AM <DIR> D
12/28/2011 02:25 PM <DIR> Registry_backups
12/28/2011 02:16 PM <DIR> Replicators
2 File(s) 867 bytes

Directory of C:\Qoobox\Quarantine\C

12/25/2011 01:29 AM <DIR> .
12/25/2011 01:29 AM <DIR> ..
12/25/2011 01:29 AM <DIR> Documents and Settings
12/28/2011 02:16 PM <DIR> WINDOWS
0 File(s) 0 bytes

Directory of C:\Qoobox\Quarantine\C\Documents and Settings

12/25/2011 01:29 AM <DIR> .
12/25/2011 01:29 AM <DIR> ..
12/25/2011 01:29 AM <DIR> Administrator
12/25/2011 01:29 AM <DIR> All Users
12/25/2011 01:29 AM <DIR> Default User
12/25/2011 01:29 AM <DIR> HP_Administrator
0 File(s) 0 bytes

Directory of C:\Qoobox\Quarantine\C\Documents and Settings\Administrator

12/25/2011 01:29 AM <DIR> .
12/25/2011 01:29 AM <DIR> ..
12/25/2011 01:29 AM <DIR> WINDOWS
0 File(s) 0 bytes

Directory of C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\WINDOWS

12/25/2011 01:29 AM <DIR> .
12/25/2011 01:29 AM <DIR> ..
0 File(s) 0 bytes

Directory of C:\Qoobox\Quarantine\C\Documents and Settings\All Users

12/25/2011 01:29 AM <DIR> .
12/25/2011 01:29 AM <DIR> ..
12/25/2011 01:29 AM <DIR> Application Data
0 File(s) 0 bytes

Directory of C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data

12/25/2011 01:29 AM <DIR> .
12/25/2011 01:29 AM <DIR> ..
12/25/2011 01:29 AM <DIR> TEMP
0 File(s) 0 bytes

Directory of C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\TEMP

12/25/2011 01:29 AM <DIR> .
12/25/2011 01:29 AM <DIR> ..
0 File(s) 0 bytes

Directory of C:\Qoobox\Quarantine\C\Documents and Settings\Default User

12/25/2011 01:29 AM <DIR> .
12/25/2011 01:29 AM <DIR> ..
12/25/2011 01:29 AM <DIR> WINDOWS
0 File(s) 0 bytes

Directory of C:\Qoobox\Quarantine\C\Documents and Settings\Default User\WINDOWS

12/25/2011 01:29 AM <DIR> .
12/25/2011 01:29 AM <DIR> ..
0 File(s) 0 bytes

Directory of C:\Qoobox\Quarantine\C\Documents and Settings\HP_Administrator

12/25/2011 01:29 AM <DIR> .
12/25/2011 01:29 AM <DIR> ..
12/25/2011 01:29 AM <DIR> Application Data
12/25/2011 01:29 AM <DIR> Start Menu
12/25/2011 01:29 AM <DIR> WINDOWS
0 File(s) 0 bytes

Directory of C:\Qoobox\Quarantine\C\Documents and Settings\HP_Administrator\Application Data

12/25/2011 01:29 AM <DIR> .
12/25/2011 01:29 AM <DIR> ..
06/04/2008 10:18 PM 87,608 inst.exe.vir
07/17/2009 02:51 PM 668 vso_ts_preview.xml.vir
2 File(s) 88,276 bytes

Directory of C:\Qoobox\Quarantine\C\Documents and Settings\HP_Administrator\Start Menu

12/25/2011 01:29 AM <DIR> .
12/25/2011 01:29 AM <DIR> ..
12/25/2011 01:29 AM <DIR> Programs
0 File(s) 0 bytes

Directory of C:\Qoobox\Quarantine\C\Documents and Settings\HP_Administrator\Start Menu\Programs

12/25/2011 01:29 AM <DIR> .
12/25/2011 01:29 AM <DIR> ..
11/01/2007 10:31 PM 711 1964.lnk.vir
1 File(s) 711 bytes

Directory of C:\Qoobox\Quarantine\C\Documents and Settings\HP_Administrator\WINDOWS

12/25/2011 01:29 AM <DIR> .
12/25/2011 01:29 AM <DIR> ..
0 File(s) 0 bytes

Directory of C:\Qoobox\Quarantine\C\WINDOWS

12/28/2011 02:16 PM <DIR> .
12/28/2011 02:16 PM <DIR> ..
12/25/2011 01:29 AM <DIR> $NtUninstallKB62280$
12/25/2011 01:29 AM <DIR> Command
04/14/2008 05:50 PM 19,456 dasetup.log.vir
03/20/2006 07:23 PM 23,040 kb913800.exe.vir
12/28/2011 02:16 PM <DIR> system32
12/28/2011 02:16 PM <DIR> Tasks
2 File(s) 42,496 bytes

Directory of C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB62280$

12/25/2011 01:29 AM <DIR> .
12/25/2011 01:29 AM <DIR> ..
12/24/2011 11:42 PM <DIR> 485945278
12/25/2011 01:29 AM 222 _2183453225_.zip
1 File(s) 222 bytes

Directory of C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB62280$\485945278

12/24/2011 11:42 PM <DIR> .
12/24/2011 11:42 PM <DIR> ..
12/14/2011 05:24 PM 2,048 @.vir
12/24/2011 11:42 PM 814 bckfg.tmp.vir
12/24/2011 11:32 PM 208 cfg.ini.vir
12/24/2011 11:28 PM 4,608 Desktop.ini.vir
12/14/2011 05:32 PM 34 keywords.vir
12/24/2011 11:29 PM 223,744 kwrd.dll.vir
12/24/2011 11:42 PM <DIR> L
12/24/2011 11:32 PM 5,176 lsflt7.ver.vir
12/24/2011 11:42 PM <DIR> U
7 File(s) 236,632 bytes

Directory of C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB62280$\485945278\L

12/24/2011 11:42 PM <DIR> .
12/24/2011 11:42 PM <DIR> ..
12/14/2011 05:24 PM 162,816 vevgtwwl.vir
1 File(s) 162,816 bytes

Directory of C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB62280$\485945278\U

12/24/2011 11:42 PM <DIR> .
12/24/2011 11:42 PM <DIR> ..
12/21/2011 04:48 PM 1,536 00000001.@.vir
12/14/2011 05:25 PM 224,768 00000002.@.vir
12/14/2011 05:25 PM 1,024 00000004.@.vir
12/21/2011 04:48 PM 11,264 80000000.@.vir
12/14/2011 05:25 PM 12,800 80000004.@.vir
12/21/2011 04:48 PM 97,792 80000032.@.vir
6 File(s) 349,184 bytes

Directory of C:\Qoobox\Quarantine\C\WINDOWS\Command

12/25/2011 01:29 AM <DIR> .
12/25/2011 01:29 AM <DIR> ..
05/05/2000 07:58 PM 967 EXTRACT.PIF.vir
1 File(s) 967 bytes

Directory of C:\Qoobox\Quarantine\C\WINDOWS\system32

12/28/2011 02:16 PM <DIR> .
12/28/2011 02:16 PM <DIR> ..
12/25/2011 01:29 AM <DIR> config
12/28/2011 02:16 PM <DIR> drivers
10/25/2004 06:17 AM 90,112 ps2.bat.vir
11/03/2008 11:47 PM 0 Setup_ver1.1777.0.exe.vir
2 File(s) 90,112 bytes

Directory of C:\Qoobox\Quarantine\C\WINDOWS\system32\config

12/25/2011 01:29 AM <DIR> .
12/25/2011 01:29 AM <DIR> ..
12/25/2011 01:29 AM <DIR> systemprofile
0 File(s) 0 bytes

Directory of C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile

12/25/2011 01:29 AM <DIR> .
12/25/2011 01:29 AM <DIR> ..
12/25/2011 01:29 AM <DIR> WINDOWS
0 File(s) 0 bytes

Directory of C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\WINDOWS

12/25/2011 01:29 AM <DIR> .
12/25/2011 01:29 AM <DIR> ..
0 File(s) 0 bytes

Directory of C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers

12/28/2011 02:16 PM <DIR> .
12/28/2011 02:16 PM <DIR> ..
12/14/2011 07:16 PM 54,016 aryplp.sys.vir
1 File(s) 54,016 bytes

Directory of C:\Qoobox\Quarantine\C\WINDOWS\Tasks

12/28/2011 02:16 PM <DIR> .
12/28/2011 02:16 PM <DIR> ..
12/24/2011 02:31 AM 346 At1.job.vir
12/28/2011 05:21 AM 346 At11.job.vir
12/28/2011 06:21 AM 346 At13.job.vir
12/28/2011 07:21 AM 346 At15.job.vir
12/28/2011 08:21 AM 346 At17.job.vir
12/28/2011 09:21 AM 346 At19.job.vir
12/28/2011 10:21 AM 346 At21.job.vir
12/28/2011 11:21 AM 346 At23.job.vir
12/28/2011 12:21 PM 346 At25.job.vir
12/28/2011 01:21 PM 346 At27.job.vir
12/25/2011 02:25 PM 346 At29.job.vir
12/24/2011 02:31 AM 346 At3.job.vir
12/25/2011 03:25 PM 346 At31.job.vir
12/27/2011 08:16 PM 346 At33.job.vir
12/27/2011 08:16 PM 346 At35.job.vir
12/24/2011 02:31 AM 346 At37.job.vir
12/24/2011 02:31 AM 346 At39.job.vir
12/27/2011 08:21 PM 346 At41.job.vir
12/27/2011 09:21 PM 346 At43.job.vir
12/24/2011 02:31 AM 346 At45.job.vir
12/26/2011 03:40 AM 346 At47.job.vir
12/25/2011 02:25 AM 346 At5.job.vir
12/28/2011 03:21 AM 346 At7.job.vir
12/28/2011 04:28 AM 346 At9.job.vir
24 File(s) 8,304 bytes

Directory of C:\Qoobox\Quarantine\D

12/25/2011 02:25 AM <DIR> .
12/25/2011 02:25 AM <DIR> ..
04/30/2004 11:01 PM 53 Autorun.inf.vir
1 File(s) 53 bytes

Directory of C:\Qoobox\Quarantine\Registry_backups

12/28/2011 02:25 PM <DIR> .
12/28/2011 02:25 PM <DIR> ..
12/25/2011 02:30 AM 4,968 AddRemove-AVG8Uninstall.reg.dat
12/25/2011 02:29 AM 542 MSConfigStartUp-AVG8_TRAY.reg.dat
12/25/2011 02:29 AM 600 MSConfigStartUp-InsaniquariumDeluxeSetup.reg.dat
12/25/2011 02:29 AM 534 SafeBoot-WudfPf.reg.dat
12/25/2011 02:29 AM 534 SafeBoot-WudfRd.reg.dat
12/28/2011 02:12 PM 14,474 tcpip.reg
6 File(s) 21,652 bytes

Directory of C:\Qoobox\Quarantine\Replicators

12/28/2011 02:16 PM <DIR> .
12/28/2011 02:16 PM <DIR> ..
09/23/2004 06:30 AM 200,704 E7166D4E0FF2BF4236F2976E587F133B
12/28/2011 02:15 PM 2,542 Replicator_1.txt
2 File(s) 203,246 bytes

Total Files Listed:
59 File(s) 1,259,554 bytes
89 Dir(s) 39,218,741,248 bytes free

I don't think I have the OS disc, but I might be able to find it. Is there any way to see if it did create a new partition? Thanks again
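
PEEK.txt is a plain `dir /a /s` listing, so the quarantine can be triaged by script rather than by eye. What stands out in the listing above is a fake `$NtUninstallKB62280$` folder holding `@` payload files with `L` and `U` subfolders, a run of `At<n>.job` scheduled tasks, and a quarantined kernel driver (aryplp.sys). The following is an added example, not part of the thread and not ComboFix's own tooling: a parser for that listing format plus a few triage heuristics. The sample listing is built from a subset of the PEEK.txt entries above, so the paths are this machine's; the heuristics are mine (the `@`-file layout under a bogus uninstall folder is how the Sirefef/ZeroAccess family stores itself, which agrees with the Win32/Sirefef.DA detections ESET reports later in the thread; `At<n>.job` files are tasks created through the AT scheduler).

```python
"""Triage ComboFix's quarantine from a 'dir /a /s' listing such as PEEK.txt.

Added example, not part of the thread or of ComboFix. The sample listing is
built from a subset of the PEEK.txt entries posted above, so paths and
names are this machine's. The heuristics are mine: "@" files under a fake
$NtUninstallKB...$ folder are the on-disk layout of the Sirefef/ZeroAccess
family (ESET later reports Win32/Sirefef.DA here), At<n>.job files are
tasks created through the AT scheduler, and a quarantined .sys is a driver.
"""
import re
from collections import defaultdict

# Constructed from the PEEK.txt posted above (subset).
SAMPLE_LISTING = r"""
 Directory of C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB62280$\485945278

12/24/2011 11:42 PM <DIR> .
12/24/2011 11:42 PM <DIR> ..
12/14/2011 05:24 PM 2,048 @.vir
12/24/2011 11:29 PM 223,744 kwrd.dll.vir
12/24/2011 11:42 PM <DIR> L
12/24/2011 11:42 PM <DIR> U
2 File(s) 225,792 bytes

 Directory of C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB62280$\485945278\U

12/24/2011 11:42 PM <DIR> .
12/24/2011 11:42 PM <DIR> ..
12/21/2011 04:48 PM 1,536 00000001.@.vir
12/21/2011 04:48 PM 97,792 80000032.@.vir
2 File(s) 99,328 bytes

 Directory of C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers

12/28/2011 02:16 PM <DIR> .
12/28/2011 02:16 PM <DIR> ..
12/14/2011 07:16 PM 54,016 aryplp.sys.vir
1 File(s) 54,016 bytes

 Directory of C:\Qoobox\Quarantine\C\WINDOWS\Tasks

12/28/2011 02:16 PM <DIR> .
12/28/2011 02:16 PM <DIR> ..
12/24/2011 02:31 AM 346 At1.job.vir
12/24/2011 02:31 AM 346 At3.job.vir
12/25/2011 02:25 AM 346 At5.job.vir
12/28/2011 03:21 AM 346 At7.job.vir
4 File(s) 1,384 bytes
"""

# date  time  <DIR> name   |   date  time  size name
ENTRY_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+(?:<DIR>\s+(.+)|([\d,]+)\s+(.+))$")


def parse_dir_listing(text):
    """Return (directory, name, size) tuples; sub-directories get size None."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Directory of "):
            current = line[len("Directory of "):]
            continue
        m = ENTRY_RE.match(line)
        if not m or current is None:
            continue
        _date, _time, dirname, size, fname = m.groups()
        if dirname is not None:
            if dirname not in (".", ".."):
                entries.append((current, dirname, None))
        else:
            entries.append((current, fname, int(size.replace(",", ""))))
    return entries


def strip_vir(name):
    """ComboFix appends .vir to quarantined files; give back the original name."""
    return name[:-4] if name.lower().endswith(".vir") else name


def triage_quarantine(entries):
    """Return ([(kind, detail), ...], {directory: bytes quarantined})."""
    findings, per_dir, at_jobs = [], defaultdict(int), []
    for d, name, size in entries:
        if size is None:
            continue
        per_dir[d] += size
        low_d, orig = d.lower(), strip_vir(name)
        if "$ntuninstall" in low_d and (orig == "@" or orig.endswith(".@")):
            findings.append(("fake_uninstall_payload", d + "\\" + orig))
        if low_d.endswith("\\tasks") and re.fullmatch(r"at\d+\.job", orig, re.I):
            at_jobs.append(orig)
        if low_d.endswith("\\drivers") and orig.lower().endswith(".sys"):
            findings.append(("quarantined_driver", d + "\\" + orig))
    if len(at_jobs) >= 3:  # heuristic: several AT jobs is unusual on a home PC
        findings.append(("bulk_at_jobs", f"{len(at_jobs)} AT jobs: " + ", ".join(sorted(at_jobs))))
    return findings, dict(per_dir)


if __name__ == "__main__":
    found, totals = triage_quarantine(parse_dir_listing(SAMPLE_LISTING))
    for kind, detail in found:
        print(f"{kind:24} {detail}")
    for d, n in totals.items():
        print(f"{n:>10,} bytes  {d}")
```

Feeding it the real PEEK.txt instead of the embedded sample is a matter of `parse_dir_listing(open(path).read())`. The per-directory byte totals are there for the dequarantine question PP raises: large, signed-vendor files outside the `$NtUninstall...$` tree (the HP items) are the candidates to restore, the `@` tree and the AT jobs are not.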

OK, just checked. I didn't buy the OS disc with my computer, so all I have is the D: partition it loads from.

I don't think I have the OS disc, but I might be able to find it. Is there any way to see if it did create a new partition? Thanks again

Yes - negster22 has an interesting approach to fixing this using GParted (if indeed this is the case) or checking to see if the malware partition has been created.

I am not going to be around much this weekend - lots of football and beer to be taken care of ;)

Her blog is very detailed and you should be able to follow the steps easily:

Using GParted to Edit the Partition Table & Manage Partitions

http://secure-computer-solutions.com/blog/

http://secure-computer-solutions.com/blog/2011/11/a_new_tdl4_with_a_stealthy_new.html

I'll try to check back tonight - let me know how things are going.
-- If you choose to use the recovery partition, wait until we restore those replicators combofix removed.

*** Obviously, you want to be careful messing with the partitions. If you don't see exactly what you're looking for, best to leave it alone....

PP:)
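
PP's earlier point about this TDL4 variant (a small extra partition flagged to boot first, with the MBR boot code left alone, which is why `bootrec /fixmbr` does nothing) can be checked without touching anything: read the first sector and look at the four partition-table entries. The script below is an added example, not part of the thread and not negster22's or GParted's code. It parses the 64-byte partition table from a 512-byte boot sector and reports an active partition that is not the OS partition or is implausibly small. The two sample sectors are constructed in `build_mbr()`; the assumed HP layout (C: OS first, D: recovery second) is the one described in this thread, and the 64 MiB "too small" cut-off is my own heuristic.

```python
"""Check an MBR partition table for an unexpected bootable partition.

Added example, not part of the forum thread and not negster22's or
GParted's code. Parses the partition table of a 512-byte boot sector and
flags an active (bootable) partition that is not the OS partition or is
implausibly small. The sample sectors are constructed by build_mbr(); the
assumed layout (C: OS first, D: recovery second) is the HP layout described
in the thread and the 64 MiB cut-off is a heuristic of mine.
"""
import struct

SECTOR = 512
TABLE_OFFSET = 446          # the four 16-byte partition entries start here
ENTRY_FMT = "<B3xB3xII"     # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors
BOOT_SIG = b"\x55\xaa"      # bytes 510..511 of a valid MBR


def parse_partition_table(sector):
    """Return the non-empty entries as dicts; raises if the sector is not an MBR."""
    if len(sector) != SECTOR or sector[510:512] != BOOT_SIG:
        raise ValueError("not a 512-byte sector with a 55AA boot signature")
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, sector, TABLE_OFFSET + 16 * i)
        if ptype == 0:      # empty slot
            continue
        entries.append({"index": i, "active": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries


def audit_active_partition(entries, os_index=0, min_mib=64):
    """Flag boot-flag anomalies: none or several active, active != OS, active but tiny."""
    findings = []
    active = [e for e in entries if e["active"]]
    if len(active) != 1:
        findings.append(("active_count", len(active)))
    for e in active:
        if e["index"] != os_index:
            findings.append(("active_not_os_partition", e["index"]))
        if e["sectors"] * SECTOR < min_mib * 1024 * 1024:
            findings.append(("active_partition_tiny", e["index"]))
    return findings


def build_mbr(table):
    """Constructed test data: table is a list of (status, type, lba_start, sectors)."""
    sector = bytearray(SECTOR)
    for i, (status, ptype, lba, count) in enumerate(table):
        struct.pack_into(ENTRY_FMT, sector, TABLE_OFFSET + 16 * i, status, ptype, lba, count)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Sample 1 (constructed): the expected layout, C: NTFS and active, then the D: recovery partition.
CLEAN_MBR = build_mbr([(0x80, 0x07, 63, 460_000_000),
                       (0x00, 0x07, 460_000_063, 28_000_000)])
# Sample 2 (constructed): same disk plus a 20 MiB partition after D: that now carries the boot flag.
SUSPECT_MBR = build_mbr([(0x00, 0x07, 63, 460_000_000),
                         (0x00, 0x07, 460_000_063, 28_000_000),
                         (0x80, 0x07, 488_000_063, 40_960)])

if __name__ == "__main__":
    for label, mbr in (("clean", CLEAN_MBR), ("suspect", SUSPECT_MBR)):
        print(label, audit_active_partition(parse_partition_table(mbr)))
```

On a live machine the 512 bytes come from the physical disk (or from a disk image taken with the machine offline), which needs administrator rights; the function only ever reads. If the suspect pattern shows up, the fix is the GParted route linked above, after the replicators ComboFix removed have been restored, not `bootrec /fixboot`, for the reason in symptom 7 of the blog post.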

Definitely! I'll post updates as I go along.

As for the symptoms, I don't seem to be getting any of the mentioned ones.

1. Browser redirection is still the most noticeable symptom

2. All scan results, including dedicated MBR and rootkit scanners come back negative or inconclusive

3. Infects the Windows XP operating system on upward

4. If a user has ESET Smart Security onboard, its resident protection monitor will alert with: "Win32/Olmarik.TDL4 trojan in operating memory unable to clean"

5. Multiple Internet Explorer processes (that were not invoked by the user), persistently run in the background and respawn if they are terminated

6. Executing Bootrec /fixmbr from the Windows Recovery Environment will no longer be effective in removing the rootkit because this new TDL4 variant does not modify the original Windows MBR code

7. Executing Bootrec /fixboot from the Windows Recovery Environment is likely to result in a non-booting system because /fixboot will attempt to repair the TDL4 partition while leaving the malicious entry in the partition table intact.

I haven't been redirected while browsing (using either Internet Explorer or Firefox). There aren't multiple instances of IEXPLORE.EXE (not iexplorer.exe). And ESET has found some viruses but it hasn't finished. I can't understand symptoms 6 or 7, however.

ESET
C:\Documents and Settings\All Users\Application Data\PopCap\PopCapLoader\popcap\installers\insaniquariumsetup.exe probably a variant of Win32/Agent.NAPAILZ trojan cleaned by deleting - quarantined
C:\Documents and Settings\HP_Administrator\My Documents\My Music\Incomplete\CORRUPT-0-Metric - The Police And The Private.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Documents and Settings\HP_Administrator\My Documents\My Music\Incomplete\T-3429759-when im gone remix - best track ever.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Program Files\Common Files\AOL\Backup\ACS\Rollback\acslang.exe probably a variant of Win32/StartPage.HSZAKFT trojan deleted - quarantined
C:\Program Files\Common Files\AOL\Backup\ACS\Rollback\acssetup.exe probably a variant of Win32/StartPage.HSZAKFT trojan deleted - quarantined
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP1470\A0490270.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP1470\A0491270.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP1470\A0491286.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP1470\A0491306.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP1471\A0492306.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP1471\A0493306.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP1471\A0494309.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP1471\A0494438.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP1471\A0495445.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP1477\A0496809.exe probably a variant of Win32/Agent.NAPAILZ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP1477\A0496886.exe probably a variant of Win32/StartPage.HSZAKFT trojan deleted - quarantined
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP1477\A0496887.exe probably a variant of Win32/StartPage.HSZAKFT trojan deleted - quarantined
C:\WINDOWS\system32\drivers\netbt.sys Win32/Sirefef.DA trojan unable to clean

I will use GParted to check the partitions etc. And will be backing up my files in the meantime.

As for the symptoms, I don't seem to be getting any of the mentioned ones.

Yeah - I don't think you have this variant.
This is more a case on my part of "better safe than sorry." With this malware and with rootkits in general, there are a lot of things I do not know. And, there are a lot of things you cannot be "certain" of with these malware.
They are ever evolving....

I would think a restoration would remove any malware created partition, but I don't know for certain. For all I know, it could protect itself.

It ain't going to hurt anything to check with GParted and see if the signs are there. If there's no sign of the malware partition, then you can proceed to do the restore with confidence.

I can't understand symptoms 6 or 7, however.

Those pertain to the fixes for previous versions which infected the MBR. Obviously, if the malware has created its own partition, then those remedies will have no effect or actually create more problems...


** I have attached a new CFScript that should dequarantine those legit files combofix removed. Just run it as you did the previous one and post me the resulting log.

PP:)
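Since the advice above is to look at the partition table with GParted for an entry the malware may have added, here is an added example (not from this thread, nor from ComboFix, GParted or any other tool mentioned in it) that reads the four MBR partition-table entries out of a raw 512-byte sector and flags any entry missing from a known-good baseline. The sector image and the baseline are constructed for illustration; a real check would read sector 0 of the disk instead.

```python
import struct

# One 16-byte MBR entry: status, CHS start, type, CHS end, LBA start, sector count
ENTRY_FMT = "<B3sB3sII"


def build_sample_mbr():
    """Constructed 512-byte MBR (not from the thread): one bootable NTFS
    partition plus a small second entry parked right after it."""
    mbr = bytearray(512)
    mbr[446:462] = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07,
                               b"\xfe\xff\xff", 63, 488_000_000)
    mbr[462:478] = struct.pack(ENTRY_FMT, 0x00, b"\xfe\xff\xff", 0x07,
                               b"\xfe\xff\xff", 488_000_063, 20_480)
    mbr[510:512] = b"\x55\xaa"          # boot signature
    return bytes(mbr)


def parse_mbr(sector):
    """Return the non-empty partition entries from a raw MBR sector."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for slot in range(4):
        off = 446 + 16 * slot
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:                  # unused slot
            continue
        entries.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                        "start_lba": lba, "sectors": count})
    return entries


def unexpected_partitions(entries, baseline):
    """Entries whose (start_lba, sectors) pair is absent from the owner's
    known-good baseline, e.g. recorded from a clean install or from GParted."""
    return [e for e in entries if (e["start_lba"], e["sectors"]) not in baseline]


if __name__ == "__main__":
    table = parse_mbr(build_sample_mbr())
    for entry in table:
        print(entry)
    # Baseline constructed to match only the first, legitimate partition.
    print("unexpected entries:", unexpected_partitions(table, {(63, 488_000_000)}))
```

On a Linux live system the same check runs against the real disk by passing the first 512 bytes of the block device (for example the output of `dd if=/dev/sda bs=512 count=1`) to parse_mbr instead of the constructed image.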

C:\WINDOWS\system32\drivers\netbt.sys Win32/Sirefef.DA trojan unable to clean

This is problematic - fixing this will bork the internet connection. We ought to be able to fix that, but some cases are considerably more difficult than others.

'Course, if you do a Recovery, then no worries :)

-- Be careful backing up the files. I doubt you'll back up any malware because this baddie seems to limit itself to certain drivers, but again I'm not certain....

As for the symptoms, I don't seem to be getting any of the mentioned ones.

Sorry I'm not as up to date on these baddies as I used to be. Just don't have as much free time to indulge my malware-fighting hobby as I used to....

OK - I took a quick look at some writeups and you should be OK on this front.
The Sirefef family doesn't employ a bootkit function like the Olmarik/Olmasco TDL type rootkit family does.

Still a pain in the ass, though....

PP:)

It's totally OK, you've helped me so much!

I did the complete system destructive recovery and downloaded Kaspersky Internet Security 2012.
HOWEVER, I totally forgot I wasn't supposed to do that until I ran ComboFix. I've gotten just 1 error so far, although I can't remember exactly what it said.

It only came up with that message after I installed Kaspersky. I am running Kaspersky right now and will post the results afterwards. I don't know why, but it seems to have found a couple threats (already).

I'm also updating Windows to Service Pack 3. What steps would you like me to take next?
Also, thank you very much for your help so far. It's been a couple weeks!

It's totally OK, you've helped me so much!
I did the complete system destructive recovery and downloaded Kaspersky Internet Security 2012.
HOWEVER, I totally forgot I wasn't supposed to do that until I ran ComboFix. I've gotten just 1 error so far, although I can't remember exactly what it said.

Happy to try to help :)

OK - Well I guess if the recovery has gone well enough that you are installing SP3, then those files removed by combofix must not have been too vital.... No need now to DL or run combofix - so don't do that.

-- The AV detections may be heuristic detections based on known malware patterns - probably false positives. No worries at this point.

Let me know when you get everything back to normal. Do Not run any other tools other than Kaspersky.

I would suggest getting hold of some recovery disks from the OEM of your compy. Or, order them from M$. I never understood why OEMs stopped including OS disks with compy (well... greed, I guess), but these days they are more needed than ever...

PP:)
