# Computer slow after virus removal



## stacia123 (Jun 10, 2010)

Hello all! I hope you can help me. My Windows XP computer had viruses last week that I removed with AVG and Malwarebytes. Everything seems clear but the computer runs very slow now. Calling up a file can take up to 5 minutes for it to appear after I double-click. Moving files with drag and drop takes forever. Even the mouse pointer arrow is slow when it moves across the screen.

The computer was fine before the viruses so I assume that's what caused the problem. What should I do?


----------



## etaf (Oct 2, 2003)

I suspect the virus is still on the PC - have a read here and post the required logs into a reply (NOT attached, unless directed to attach): http://forums.techguy.org/virus-other-malware-removal/943214-everyone-must-read-before-posting.html
I have moved this to the virus forum. The virus forum is very busy, so expect 48 hrs before you get a reply.


----------



## stacia123 (Jun 10, 2010)

etaf, thank you so much for your reply.

I hate to say this but my husband, without telling me, did a system restore last night. I don't know what a system restore does, but this is what he said: He did the "basic" system restore, ran an antivirus scan and then Malwarebytes, found a trojan and a virus (he didn't know what they were) which he says Malwarebytes removed.

I am so sorry. I feel like this could possibly screw the computer up even more, but I honestly don't know. Should I even bother continuing with the scans or anything? 

Also, if you can't help me because other scans and stuff are being done that you haven't advised me to do, I COMPLETELY understand.

I hope I haven't wasted your time. This was not at all what I had planned.


----------



## etaf (Oct 2, 2003)

The virus may still be there even with a restore - that part of the PC will also be infected - you need to re-run all the programs and post the logs as stated in the link.

Is it still running slow, or did the restore and virus scan resolve that issue?


----------



## stacia123 (Jun 10, 2010)

Hello etaf, and thanks for sticking with me.

The first scan with Malwarebytes after my husband did the system recovery found two viruses:

Registry Data Items Detected: 1
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Files Detected: 1
C:\Documents and Settings\Edco\Local Settings\Application Data\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\n (Trojan.Dropper.PE4) -> Quarantined and deleted successfully.

Last night an antivirus scan with ZoneAlarm found another one, HPPavillion_Spring06.exe -- according to the ZoneAlarm screen the name was not-a-virus:Adware.Win32.weatherbug.a and it was found in C:\hp\bin\wbug\HPPavillion_Spring06.exe

Here are the logs you requested:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:44:22 PM, on 7/23/2012
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Zonealarm Helper Object - {2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C} - C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.6.4.4\bh\zonealarm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ZoneAlarm Security Toolbar - {438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59} - C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.6.4.4\zonealarmTlbr.dll
O3 - Toolbar: ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O4 - HKLM\..\Run: [ZoneAlarm] "C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe"
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: ZoneAlarm LTD Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 7197 bytes

----------------------------------------------------------------

.
DDS (Ver_2011-08-26.01) - NTFSx86 
Internet Explorer: 6.0.2900.2180
Run by HP_Owner at 18:53:28 on 2012-07-23
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.959.217 [GMT -5:00]
.
AV: ZoneAlarm Antivirus *Enabled/Updated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Firewall *Enabled* 
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Zonealarm Helper Object: {2a841f7a-a014-4da5-b6d9-8b913dfb7a8c} - c:\program files\check point software technologies ltd\zonealarm\1.6.4.4\bh\zonealarm.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: ZoneAlarm Security Toolbar: {438fae3e-bdef-44d3-ab8b-0c7c8350df59} - c:\program files\check point software technologies ltd\zonealarm\1.6.4.4\zonealarmTlbr.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [<NO NAME>] 
mRun: [PCDrProfiler] 
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [ZoneAlarm] "c:\program files\checkpoint\zonealarm\zatray.exe"
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{0C8FCA58-9A44-464C-B8DA-05AC2B891482} : DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{80443072-5384-4D29-A197-604ECE8884D8} : DhcpNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
Notify: AtiExtEvent - Ati2evxx.dll
.
============= SERVICES / DRIVERS ===============
.
R0 KL1;kl1;c:\windows\system32\drivers\kl1.sys [2012-7-22 133208]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2012-7-22 11352]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2012-7-22 485808]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 Vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2012-7-11 526640]
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2012-4-30 27056]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2012-4-30 497320]
R2 vsmon;TrueVector Internet Monitor;c:\program files\checkpoint\zonealarm\vsmon.exe -service --> c:\program files\checkpoint\zonealarm\vsmon.exe -service [?]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;c:\program files\linksys wireless-g usb wireless network monitor\WLService.exe [2012-6-11 53307]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-7-22 250056]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-7-22 129976]
.
=============== Created Last 30 ================
.
2012-07-23 08:18:51 -------- d-----w- c:\documents and settings\hp_owner\local settings\application data\Adobe
2012-07-23 08:02:41 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-23 08:02:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-23 02:09:53 -------- d-----w- c:\documents and settings\hp_owner\application data\Check Point Software Technologies LTD
2012-07-23 01:02:44 -------- d-----w- c:\documents and settings\hp_owner\application data\SUPERAntiSpyware.com
2012-07-22 11:19:09 -------- d-sh--r- C:\cmdcons
2012-07-22 11:04:55 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-07-22 11:04:47 588728 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
2012-07-22 11:04:47 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2012-07-22 11:04:47 43960 ----a-w- c:\program files\mozilla firefox\mozglue.dll
2012-07-22 11:04:47 157352 ----a-w- c:\program files\mozilla firefox\maintenanceservice_installer.exe
2012-07-22 11:04:47 129976 ----a-w- c:\program files\mozilla firefox\maintenanceservice.exe
2012-07-22 11:04:46 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2012-07-22 11:04:46 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-07-22 10:59:00 -------- d-----w- c:\documents and settings\hp_owner\local settings\application data\ApplicationHistory
2012-07-22 10:59:00 -------- d-----w- c:\documents and settings\hp_owner\application data\Intuit
2012-07-22 10:58:59 -------- d-----w- c:\documents and settings\hp_owner\WINDOWS
2012-07-22 10:58:59 -------- d-----w- c:\documents and settings\hp_owner\local settings\application data\Wildtangent
2012-07-22 10:58:59 -------- d-----w- c:\documents and settings\hp_owner\local settings\application data\Microsoft
2012-07-22 10:58:59 -------- d-----w- c:\documents and settings\hp_owner\local settings\application data\{3248F0A6-6813-11D6-A77B-00B0D0150060}
2012-07-22 10:57:05 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-22 10:57:05 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-22 10:43:37 -------- d-----w- c:\documents and settings\hp_owner\application data\Malwarebytes
2012-07-22 10:38:34 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-07-22 10:38:32 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-07-22 10:38:29 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2012-07-22 10:38:28 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2012-07-22 10:10:05 -------- d-sh--r- c:\windows\system32\dllcache
2012-07-22 09:44:34 -------- d-----w- c:\documents and settings\hp_owner\application data\CheckPoint
2012-07-22 09:44:18 -------- d-----w- c:\documents and settings\hp_owner\local settings\application data\Mozilla
2012-07-22 09:43:44 11352 ----a-w- c:\windows\system32\drivers\kl2.sys
2012-07-22 09:43:43 133208 ----a-w- c:\windows\system32\drivers\kl1.sys
2012-07-22 09:42:37 -------- d-----w- c:\program files\Check Point Software Technologies LTD
2012-07-22 09:37:30 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys
2012-07-22 09:37:29 94208 ----a-w- c:\windows\system32\GTW32N50.dll
2012-07-22 09:37:29 374752 ----a-w- c:\windows\system32\WUSBGXP.sys
2012-07-22 09:37:29 339488 ----a-w- c:\windows\system32\WUSB20XP.sys
2012-07-22 09:37:29 31930 ----a-w- c:\windows\system32\GTNDIS3.VXD
2012-07-22 09:37:29 245376 ----a-w- c:\windows\system32\rt2500usb.sys
2012-07-22 09:37:29 15872 ----a-w- c:\windows\system32\GTNDIS5.sys
2012-07-22 09:37:27 17992 ----a-w- c:\windows\system32\drivers\bcm42rly.sys
2012-07-22 09:37:27 17992 ----a-w- c:\windows\system32\bcm42rly.sys
2012-07-12 00:06:49 98816 ----a-w- c:\windows\sed.exe
2012-07-12 00:06:49 518144 ----a-w- c:\windows\SWREG.exe
2012-07-12 00:06:49 256000 ----a-w- c:\windows\PEV.exe
2012-07-12 00:06:49 208896 ----a-w- c:\windows\MBR.exe
2012-07-10 12:17:26 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-07-10 10:51:35 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2012-07-10 10:47:12 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2012-07-10 10:47:12 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2012-07-10 09:24:58 -------- d-----w- c:\program files\IrfanView4.33
.
==================== Find3M ====================
.
.
============= FINISH: 18:55:10.06 ===============

---------------------------------------------------------------------------------

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 7/22/2012 5:57:20 AM
System Uptime: 7/23/2012 6:37:49 PM (0 hours ago)
.
Motherboard: ECS | | Alhena 
Processor: Intel(R) Pentium(R) 4 CPU 3.06GHz | CPU 1 | 3065/133mhz
Processor: Intel(R) Pentium(R) 4 CPU 3.06GHz | CPU 1 | 3065/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 67 GiB total, 21.216 GiB free.
D: is FIXED (FAT32) - 7 GiB total, 0.306 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139/810x Family Fast Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_2A47103C&REV_10\4&B4B0D3&0&28A4
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek RTL8139/810x Family Fast Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_2A47103C&REV_10\4&B4B0D3&0&28A4
Service: RTL8023xp
.
==== System Restore Points ===================
.
RP1: 7/22/2012 4:37:24 AM - Installed Linksys Wireless-G USB Network Adapter
RP2: 7/22/2012 4:42:53 AM - Installed Windows XP KB943232.
RP3: 7/23/2012 6:22:10 AM - System Checkpoint
.
==== Installed Programs ======================
.
Adobe Flash Player 11 Plugin
Adobe Reader 7.0.5
ATI Control Panel
ATI Display Driver
BufferChm
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
cp_PosterPrintConfig
cp_UpdateProjectsConfig
CueTour
Customer Experience Enhancement
Data Fax SoftModem with SmartCP
Destinations
DeviceManagementQFolder
Easy Internet Sign-up
Enhanced Multimedia Keyboard Solution
FullDPAppQFolder
High Definition Audio Driver Package - KB888111
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB943232)
HP Boot Optimizer
HP Imaging Device Functions 7.0
HP Photosmart Premier Software 6.5
HP Software Update
HP Support Overview
HP Web Helper
HPPhotoSmartExpress
HpSdpAppCoreApp
InstantShareDevices
J2SE Runtime Environment 5.0 Update 6
Linksys Wireless-G USB Network Adapter
Macromedia Flash Player 8
Malwarebytes Anti-Malware version 1.61.0.1400
Microsoft .NET Framework 1.1
Microsoft Money 2006
Microsoft Office Standard Edition 2003 60 days trial
Microsoft Silverlight
Microsoft Works
Mozilla Firefox 12.0 (x86 en-US)
Mozilla Maintenance Service
My HP Games
OptionalContentQFolder
PC-Doctor 5 for Windows
PhotoGallery
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
Quicken 2006
RandMap
RealPlayer
Realtek High Definition Audio Driver
Remove WeatherBug Installer
Rhapsody
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
SkinsHP1
SlideShow
SlideShowMusic
Sonic Express Labeler
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sonic_PrimoSDK
Unload
Update for Windows XP (KB912945)
Updates from HP (remove only)
VC 9.0 Runtime
Visual C++ 8.0 CRT (x86) WinSXS MSM
Visual C++ 8.0 CRT.Policy (x86) WinSXS MSM
WebFldrs XP
WildTangent Web Driver
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892050
Windows XP Hotfix - KB893066
Yahoo! Toolbar
Yahoo! Toolbar for Internet Explorer
ZoneAlarm Antivirus
ZoneAlarm Firewall
ZoneAlarm Free Antivirus + Firewall
ZoneAlarm LTD Toolbar
ZoneAlarm Security
ZoneAlarm Security Toolbar 
.
==== Event Viewer Messages From Past Week ========
.
7/22/2012 4:44:12 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
7/22/2012 4:44:12 AM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\CheckPoint\ZAForceField\ZDXUI.dll. Reference error message: The operation completed successfully. .
7/22/2012 4:44:12 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
7/22/2012 4:44:10 AM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\CheckPoint\ZoneAlarm\vsinit.dll. Reference error message: The operation completed successfully. .
7/22/2012 4:43:50 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.CRT. Reference error message: The referenced assembly is not installed on your system. .
7/22/2012 4:43:50 AM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\schk.tmp. Reference error message: The operation completed successfully. .
7/22/2012 4:43:50 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
7/22/2012 4:43:48 AM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\CheckPoint\Install\Clean_tool.exe. Reference error message: The operation completed successfully. .
7/22/2012 11:41:54 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde ViaIde
.
==== End Of File ===========================

------------------------------------------------------------------------------------

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-07-23 18:57:51
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-16 WDC_WD800BB-00JHC0 rev.05.01C05
Running: 5tiecbll.exe; Driver: C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\pxrdipod.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwEnumerateKey [0xF1DB642C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwEnumerateValueKey [0xF1DB6DDC]

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) IoIsOperationSynchronous

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

---- EOF - GMER 1.0.15 ----


----------



## Cookiegal (Aug 27, 2003)

Why was this computer never updated to Service Pack 3? Don't do it now as doing so on an infected computer can cause further problems. Before going any further, we have to check to see if the operating system is genuine.

Please run the MGA Diagnostic Tool and post back the report it creates:

- Download *MGADiag* to your desktop.
- Double-click on MGADiag.exe to launch the program.
- Click "Continue".
- Ensure that the "Windows" tab is selected (it should be by default).
- Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
- Paste the MGA Diagnostic Report back here in your next reply.

Also please do this:

Please download *WVCheck* and save it to your desktop.

- Double-click WVCheck.exe to run it. (If you downloaded the zipped version you will need to extract it first.)
- As indicated by the prompt, this program can take a while depending on your hard drive space.
- Once the program is done, copy the contents of the notepad file as a reply.


----------



## stacia123 (Jun 10, 2010)

I'm not sure why service pack 3 isn't installed. The computer is on manual Windows Updates and not automatic, and I remember getting service pack 2 a while ago but we haven't updated the service pack since.

This is a valid copy of Windows. We bought the computer from Hewlett Packard online about 5 years ago or so and we have the product code.

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-DV4TC-HDXYJ-VMJ33
Windows Product Key Hash: IbHCRE8/yUSgcqwQzP7/dLRA1jk=
Windows Product ID: 76477-OEM-2146967-49313
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 5.1.2600.2.00010300.2.0.hom
ID: {F55CCBCF-90C8-400F-A25D-D04ECD1B5259}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.42.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-543-80070002_025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{F55CCBCF-90C8-400F-A25D-D04ECD1B5259}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010300.2.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-VMJ33</PKey><PID>76477-OEM-2146967-49313</PID><PIDType>3</PIDType><SID>S-1-5-21-1308407030-3846138847-890139228</SID><SYSTEM><Manufacturer>HP Pavilion 061</Manufacturer><Model>RB042AV-ABA a1410y</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>3.19</Version><SMBIOSVersion major="2" minor="4"/><Date>20060905000000.000000+000</Date><SLPBIOS>HP PAVILION</SLPBIOS></BIOS><HWID>7425355F0184C06C</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Hewlett-Packard Company</name><model>HP Pavilion</model></SBID><OEM/><GANotification/></MachineData> <Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 1405C:GENUINE C&C INC|18830:Hewlett-Packard Company
Marker string from OEMBIOS.DAT: HP PAVILION

OEM Activation 2.0 Data-->
N/A

Windows Validation Check
Version: 1.9.12.5
Log Created On: 1937_24-07-2012
-----------------------

Windows Information
-----------------------
Windows Version: Windows XP Service Pack 2 
Windows Mode: Normal
Systemroot Path: C:\WINDOWS

WVCheck's Auto Update Check
-----------------------
Auto-Update Option: Do not download or install updates automatically.
-----------------------
Last success time for Automatic Updates for 'Detect', 'Download' and 'Install' could not be found.

WVCheck's Registry Check Check
-----------------------
Antiwpa: Not Found
-----------------------
Chew7Hale: Not Found
-----------------------

WVCheck's File Dump
-----------------------
WVCheck found no known bad files.

WVCheck's Dir Dump
-----------------------
WVCheck found no known bad directories.

WVCheck's Missing File Check
-----------------------
WVCheck found no missing Windows files.

WVCheck's MBAM Quarantine Check
-----------------------
There were no bad files quarantined by MBAM.

WVCheck's HOSTS File Check
-----------------------
WVCheck found no bad lines in the hosts file.

WVCheck's MD5 Check
EXPERIMENTAL!!
-----------------------
user32.dll - c72661f8552ace7c5c85e16a3cf505c4

-------- End of File, program close at 1942_24-07-2012 --------


----------



## Cookiegal (Aug 27, 2003)

Please visit *Combofix Guide & Instructions* for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.

Post the log from ComboFix when you've accomplished that.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices (but the keyboard and mouse will function) to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read *HERE* for an article written by dvk01 on why we disable autoruns.


----------



## stacia123 (Jun 10, 2010)

Good morning. ComboFix installed the recovery console but hung at Stage 48 of the scan. It was on Stage 48 when I went to bed and still there about 7 hours later, so I quit out. It had been running about 10 hours total by then.

Should I attempt to run it again?

ETA: When I turned ZoneAlarm back on it found the EICAR test file which I assume ComboFix had grabbed at some point. Just wanted to mention that.


----------



## Cookiegal (Aug 27, 2003)

Please try running ComboFix in safe mode.


----------



## stacia123 (Jun 10, 2010)

Hello! I've had ComboFix running about 3 hours in safe mode, and it ran a lot faster. It reached Stage 48 about 2 1/2 hours ago, but it's still on that stage. How long should I let it run? I don't want to be quitting out if all I need to do is wait longer. Thanks.


----------



## stacia123 (Jun 10, 2010)

Just wanted to let you know we had thunderstorms and the power flickered, turning the computer and the scan off before it finished. It was stuck on Stage 48 about 4 hours and never completed.


----------



## Cookiegal (Aug 27, 2003)

Download *OTS.exe* to your Desktop.

Close any open browsers.
If your Real protection or Antivirus interferes with OTS, allow it to run.
Double-click on *OTS.exe* to start the program.
At the top put a check mark in the box beside "Scan All Users".
Under the *Additional Scans* section put a check in the box next to Disabled MS Config Items, NetSvcs and EventViewer logs (Last 10 errors)
Now click the *Run Scan* button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file.
Use the *Reply* button, scroll down to the attachments section and attach the notepad file here.


----------



## stacia123 (Jun 10, 2010)

Here is the log:


----------



## Cookiegal (Aug 27, 2003)

Before I post the fix, have you uninstalled both MalwareBytes and Kaspersky? Because I see MBAM's driver is marked for deletion and there are drivers still installed for Kaspersky.

Also, is fuzzyskeletonian.com your selected home page?


----------



## stacia123 (Jun 10, 2010)

The Kaspersky was so long ago I forgot -- it was actually downloaded on this computer so I could bring it over via USB drive to the Windows Vista computer I use for work. I never used the Kaspersky program on this XP box. However, those 3 drivers in the system folder can't be deleted. Should I try to delete them or can they be left? Let me know.

The homepage is right, and I have uninstalled Malwarebytes. Thanks!


----------



## Cookiegal (Aug 27, 2003)

I will try to delete them with the following fix.

Start *OTS*. Copy/Paste the information in the code box below into the pane where it says *"Paste fix here"* and then click the "Run Fix" button.

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here please.


```
[Kill All Processes]
[Unregister Dlls]
[Driver Services - Safe List]
YY -> (MBAMSwissArmy) MBAMSwissArmy [Kernel | Disabled | Stop_Pending] -> 
YY -> (KLIF) Kaspersky Lab Driver [File_System | System | Running] -> C:\WINDOWS\system32\drivers\klif.sys
YY -> (KL1) KL1 [Kernel | Boot | Running] -> C:\WINDOWS\system32\DRIVERS\kl1.sys
YY -> (kl2) kl2 [Kernel | System | Running] -> C:\WINDOWS\system32\drivers\kl2.sys
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-1308407030-3846138847-890139228-1008\] > -> HKEY_USERS\S-1-5-21-1308407030-3846138847-890139228-1008\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\"{C4069E3A-68F1-403E-B40E-20066696354B}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{E2D4D26B-0180-43a4-B05F-462D6D54C789}" [HKLM] -> [Internet Connection Help]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{E2D4D26B-0180-43a4-B05F-462D6D54C789}" [HKLM] -> [Internet Connection Help]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-1308407030-3846138847-890139228-1008\] > -> HKEY_USERS\S-1-5-21-1308407030-3846138847-890139228-1008\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{E2D4D26B-0180-43a4-B05F-462D6D54C789}" [HKLM] -> [Internet Connection Help]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab [Java Plug-in 1.5.0_06]
YN -> {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab [Java Plug-in 1.5.0_06]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -> [C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink]
[Files/Folders - Created Within 30 Days]
NY ->  kl2.sys -> C:\WINDOWS\System32\drivers\kl2.sys
NY ->  kl1.sys -> C:\WINDOWS\System32\drivers\kl1.sys
NY ->  klif.sys -> C:\WINDOWS\System32\drivers\klif.sys
NY ->  1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Files/Folders - Modified Within 30 Days]
NY ->  32 C:\Documents and Settings\HP_Owner\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\HP_Owner\Local Settings\Temp\*.tmp
NY ->  32 C:\Documents and Settings\HP_Owner\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\HP_Owner\Local Settings\Temp\*.tmp
NY ->  31 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
NY ->  1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Empty Temp Folders]
[EmptyFlash]
[EmptyJava]
[Start Explorer]
[Reboot]
```


----------



## stacia123 (Jun 10, 2010)

Here's the log! I'm uninstalling Malwarebytes via the Control Panel right now.

All Processes Killed
[Driver Services - Safe List]
Error: Unable to stop service MBAMSwissArmy!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy deleted successfully.
File not found.
Error: Unable to stop service KLIF!
Unable to delete service\driver key KLIF.
File move failed. C:\WINDOWS\system32\drivers\klif.sys scheduled to be moved on reboot.
Error: Unable to stop service KL1!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KL1 deleted successfully.
File move failed. C:\WINDOWS\system32\DRIVERS\kl1.sys scheduled to be moved on reboot.
Error: Unable to stop service kl2!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kl2 deleted successfully.
C:\WINDOWS\system32\drivers\kl2.sys moved successfully.
[Registry - Safe List]
Registry value HKEY_USERS\S-1-5-21-1308407030-3846138847-890139228-1008\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4069E3A-68F1-403E-B40E-20066696354B}\ not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{E2D4D26B-0180-43a4-B05F-462D6D54C789} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2D4D26B-0180-43a4-B05F-462D6D54C789}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{E2D4D26B-0180-43a4-B05F-462D6D54C789} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2D4D26B-0180-43a4-B05F-462D6D54C789}\ not found.
Registry value HKEY_USERS\S-1-5-21-1308407030-3846138847-890139228-1008\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{E2D4D26B-0180-43a4-B05F-462D6D54C789} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2D4D26B-0180-43a4-B05F-462D6D54C789}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\Contains\Files\ not found.
not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ deleted successfully.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\Contains\Files\ not found.
not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\EarthLink TotalAccess\TaskPanl.exe deleted successfully.
[Files/Folders - Created Within 30 Days]
File C:\WINDOWS\System32\drivers\kl2.sys not found!
File move failed. C:\WINDOWS\System32\drivers\kl1.sys scheduled to be moved on reboot.
File move failed. C:\WINDOWS\System32\drivers\klif.sys scheduled to be moved on reboot.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
[Files/Folders - Modified Within 30 Days]
C:\Documents and Settings\HP_Owner\Local Settings\Temp\IEC2.tmp deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\nswD.tmp folder deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DF11EC.tmp deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DF1225.tmp deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DF12AB.tmp deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DF2115.tmp deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DF304.tmp deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DF36DF.tmp deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DF3848.tmp deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DF5534.tmp deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DF5DA2.tmp deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DF6713.tmp deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DF6766.tmp deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DF7512.tmp deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DF89DC.tmp deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DF8AE5.tmp deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DF8FE6.tmp deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DF90C0.tmp deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DF973F.tmp deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DFA1F8.tmp deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DFA31E.tmp deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DFA671.tmp deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DFADEE.tmp deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DFB4AC.tmp deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DFBA29.tmp deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DFC3CF.tmp deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DFD548.tmp deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DFD60F.tmp deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DFD919.tmp deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DFE0E5.tmp deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DFE51A.tmp deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DFE6E7.tmp deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DFE88.tmp deleted successfully.
File delete failed. C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DFF321.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DFF321.tmp scheduled to be deleted on reboot.
C:\WINDOWS\Temp\ZLT006c8.TMP deleted successfully.
C:\WINDOWS\Temp\ZLT00ce9.TMP deleted successfully.
C:\WINDOWS\Temp\ZLT00d9c.TMP deleted successfully.
C:\WINDOWS\Temp\ZLT00e6e.TMP deleted successfully.
C:\WINDOWS\Temp\ZLT012ab.TMP deleted successfully.
C:\WINDOWS\Temp\ZLT016a9.TMP deleted successfully.
C:\WINDOWS\Temp\ZLT01e90.TMP deleted successfully.
C:\WINDOWS\Temp\ZLT021bb.TMP deleted successfully.
C:\WINDOWS\Temp\ZLT02922.TMP deleted successfully.
C:\WINDOWS\Temp\ZLT02a47.TMP deleted successfully.
C:\WINDOWS\Temp\ZLT032ee.TMP deleted successfully.
C:\WINDOWS\Temp\ZLT0330b.TMP deleted successfully.
File delete failed. C:\WINDOWS\Temp\ZLT036e9.TMP scheduled to be deleted on reboot.
C:\WINDOWS\Temp\ZLT0403e.TMP deleted successfully.
C:\WINDOWS\Temp\ZLT043ee.TMP deleted successfully.
C:\WINDOWS\Temp\ZLT04621.TMP deleted successfully.
C:\WINDOWS\Temp\ZLT0475b.TMP deleted successfully.
C:\WINDOWS\Temp\ZLT04894.TMP deleted successfully.
C:\WINDOWS\Temp\ZLT04de8.TMP deleted successfully.
C:\WINDOWS\Temp\ZLT0520f.TMP deleted successfully.
C:\WINDOWS\Temp\ZLT057c8.TMP deleted successfully.
C:\WINDOWS\Temp\ZLT058f8.TMP deleted successfully.
C:\WINDOWS\Temp\ZLT05d42.TMP deleted successfully.
C:\WINDOWS\Temp\ZLT05e3e.TMP deleted successfully.
C:\WINDOWS\Temp\ZLT05e6f.TMP deleted successfully.
C:\WINDOWS\Temp\ZLT05ed9.TMP deleted successfully.
C:\WINDOWS\Temp\ZLT06191.TMP deleted successfully.
C:\WINDOWS\Temp\ZLT0693b.TMP deleted successfully.
C:\WINDOWS\Temp\ZLT06df0.TMP deleted successfully.
C:\WINDOWS\Temp\ZLT07159.TMP deleted successfully.
C:\WINDOWS\Temp\ZLT072fa.TMP deleted successfully.
C:\WINDOWS\Temp\ZLT075c2.TMP deleted successfully.
C:\WINDOWS\Temp\ZLT07772.TMP deleted successfully.
[Empty Temp Folders]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: Edco
->Temp folder emptied: 66769789 bytes
->Temporary Internet Files folder emptied: 59857374 bytes
->Java cache emptied: 394 bytes
->FireFox cache emptied: 235217229 bytes
->Opera cache emptied: 3266169 bytes
->Flash cache emptied: 5721 bytes

User: HP_Owner
->Temp folder emptied: 23268535 bytes
->Temporary Internet Files folder emptied: 15907304 bytes
->FireFox cache emptied: 535729473 bytes
->Opera cache emptied: 30358416 bytes
->Flash cache emptied: 1152 bytes

User: LocalService
->Temp folder emptied: 985320 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 984792 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1259540 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 121037 bytes

Total Files Cleaned = 929.00 mb

[EMPTYFLASH]

User: All Users

User: Default User

User: Edco
->Flash cache emptied: 0 bytes

User: HP_Owner
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb

[EMPTYJAVA]

User: All Users

User: Default User

User: Edco
->Java cache emptied: 0 bytes

User: HP_Owner

User: LocalService

User: NetworkService

Total Java Files Cleaned = 0.00 mb

< End of fix log >
OTS by OldTimer - Version 3.1.47.2 fix logfile created on 07272012_183701

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\system32\drivers\klif.sys scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32\DRIVERS\kl1.sys scheduled to be moved on reboot.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DFF321.tmp moved successfully.
File\Folder C:\WINDOWS\Temp\ZLT036e9.TMP not found!

Registry entries deleted on Reboot...


----------
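A reader working through a fix log like the one above wants one thing from it: what did the fix fail to do? The script below is an editor-added example, not part of the thread and not part of the OTS tool; it pulls that answer out of the log text. It assumes only the OTS line wordings visible in the post ("Error: Unable to stop service ...!", "File move failed. ... scheduled to be moved on reboot.", and the "Files\Folders moved on Reboot..." trailer), and the sample log embedded in it is an abridged copy of that post.

```python
"""Triage an OTS "Run Fix" log: which services refused to stop, which
file moves were deferred to the reboot, and which of those were still
failing in the post-reboot pass (so the file is almost certainly still
on disk)."""
import re

# Abridged copy of the fix log posted above (constructed sample input:
# the lines are verbatim from the post, the long temp-file listing is cut).
SAMPLE_LOG = r"""All Processes Killed
[Driver Services - Safe List]
Error: Unable to stop service MBAMSwissArmy!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy deleted successfully.
File not found.
Error: Unable to stop service KLIF!
Unable to delete service\driver key KLIF.
File move failed. C:\WINDOWS\system32\drivers\klif.sys scheduled to be moved on reboot.
Error: Unable to stop service KL1!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KL1 deleted successfully.
File move failed. C:\WINDOWS\system32\DRIVERS\kl1.sys scheduled to be moved on reboot.
Error: Unable to stop service kl2!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kl2 deleted successfully.
C:\WINDOWS\system32\drivers\kl2.sys moved successfully.
[Files/Folders - Created Within 30 Days]
File C:\WINDOWS\System32\drivers\kl2.sys not found!
File move failed. C:\WINDOWS\System32\drivers\kl1.sys scheduled to be moved on reboot.
File move failed. C:\WINDOWS\System32\drivers\klif.sys scheduled to be moved on reboot.
[Files/Folders - Modified Within 30 Days]
File delete failed. C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DFF321.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\Temp\ZLT036e9.TMP scheduled to be deleted on reboot.
< End of fix log >
OTS by OldTimer - Version 3.1.47.2 fix logfile created on 07272012_183701

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\system32\drivers\klif.sys scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32\DRIVERS\kl1.sys scheduled to be moved on reboot.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DFF321.tmp moved successfully.
File\Folder C:\WINDOWS\Temp\ZLT036e9.TMP not found!

Registry entries deleted on Reboot...
"""

# Line shapes taken from the post; anything else is ignored.
SERVICE_FAIL = re.compile(r"^Error: Unable to stop service (?P<name>.+?)!$")
KEY_FAIL = re.compile(r"^Unable to delete service\\driver key (?P<name>.+?)\.$")
DEFERRED = re.compile(
    r"^File (?:move|delete) failed\. (?P<path>[A-Za-z]:\\.+?) "
    r"scheduled to be (?:moved|deleted) on reboot\.$")
DONE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)(?: folder)? (?:moved|deleted) successfully\.$")
GONE = re.compile(r"^File(?:\\Folder)? (?P<path>[A-Za-z]:\\.+?) not found!$")
REBOOT_MARKER = r"Files\Folders moved on Reboot..."


def _key(path):
    # NTFS paths are case-insensitive; the log spells the same driver both
    # as system32\DRIVERS\kl1.sys and System32\drivers\kl1.sys.
    return path.lower()


def triage(log):
    """Summarise what the fix could not do.

    unstoppable         services OTS failed to stop (log order)
    key_not_deleted     service keys OTS failed to delete: the driver is
                        loaded again at the next boot
    deferred_in_fix     paths whose move/delete was postponed to reboot
    resolved_on_reboot  deferred paths moved, or already gone, after reboot
    still_pending       deferred paths that failed AGAIN after the reboot
    """
    unstoppable, key_not_deleted = [], []
    deferred, resolved, pending = {}, {}, {}
    phase = "fix"
    for raw in log.splitlines():
        line = raw.strip()
        if line == REBOOT_MARKER:
            phase = "reboot"
            continue
        if m := SERVICE_FAIL.match(line):
            unstoppable.append(m.group("name"))
        elif m := KEY_FAIL.match(line):
            key_not_deleted.append(m.group("name"))
        elif m := DEFERRED.match(line):
            target = deferred if phase == "fix" else pending
            target.setdefault(_key(m.group("path")), m.group("path"))
        elif phase == "reboot" and (m := DONE.match(line) or GONE.match(line)):
            resolved.setdefault(_key(m.group("path")), m.group("path"))
    return {
        "unstoppable": unstoppable,
        "key_not_deleted": key_not_deleted,
        "deferred_in_fix": sorted(deferred),
        "resolved_on_reboot": sorted(resolved),
        "still_pending": sorted(pending),
    }


if __name__ == "__main__":
    for label, items in triage(SAMPLE_LOG).items():
        print(f"{label}:")
        for item in items:
            print(f"    {item}")
```

Run against the log above, it reports four services that could not be stopped, the KLIF service key that could not be deleted, and two driver files (klif.sys and kl1.sys) whose move failed a second time in the post-reboot pass. That second failure is the line to act on: a "scheduled to be moved on reboot" entry is a promise, not a result, and with the KLIF key still in place the driver is loaded again at boot and keeps its file busy. Before treating this fix as complete, check whether those two files are still on disk and whether HKLM\SYSTEM\CurrentControlSet\Services\KLIF still exists. The thread attributes these drivers to Kaspersky, which is why they can be left; a driver that refuses to unload and cannot be identified is a different matter and should not be assumed benign.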



## Cookiegal (Aug 27, 2003)

Please run the following on-line scanner. Note that you must use Internet Explorer to perform the scan.

Note: If you're running a 64-bit system you have to choose the 32-bit option in IE. To do that, go to the Start Menu and right-click the Internet Explorer (32-bit) icon and then select 'Run as administrator' from the right-click menu.

http://www.eset.com/online-scanner

Accept the Terms of Use and then press the Start button

Allow the ActiveX control to be installed.

Put a check by Remove found threats and then run the scan.

When the scan is finished, you will see the results in a window.

A log.txt file is created here: C:\Program Files\EsetOnlineScanner\log.txt.

Open the log file with Notepad and copy and paste the contents here please.


----------



## stacia123 (Jun 10, 2010)

Here's the log - thanks again!

[email protected] as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=4b6f6e8bf553bd49a489b8db158abea4
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-07-28 03:32:38
# local_time=2012-07-27 10:32:38 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=9217 16776869 100 13 0 1321117 0 0
# scanned=114763
# found=2
# cleaned=2
# scan_time=5604
C:\Qoobox\Quarantine\C\WINDOWS\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\[email protected] Win32/Conedex.C trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP3\A0001626.exe a variant of Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


----------



## Cookiegal (Aug 27, 2003)

Please download *SystemLook* from one of the links below and save it to your Desktop.
*Download Mirror #1*
*Download Mirror #2*
Double-click *SystemLook.exe* to run it.
Copy the content of the following code box into the main text field:

```
:folderfind
*ff24043d-55f8-5ce9-a20a-8337d9b4b888*
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop entitled *SystemLook.txt*


----------



## stacia123 (Jun 10, 2010)

Here's the log:

SystemLook 30.07.11 by jpshortstuff
Log created at 17:57 on 28/07/2012 by HP_Owner
Administrator - Elevation successful

========== folderfind ==========

Searching for "*ff24043d-55f8-5ce9-a20a-8337d9b4b888*"
C:\Documents and Settings\Edco\Local Settings\Application Data\{ff24043d-55f8-5ce9-a20a-8337d9b4b888} d--hs-- [04:00 04/08/2004]
C:\Qoobox\Quarantine\C\WINDOWS\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888} d------ [00:05 12/07/2012]
C:\WINDOWS\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888} d------ [04:00 04/08/2004]

-= EOF =-


----------



## Cookiegal (Aug 27, 2003)

Please start OTS again. Copy and paste the information in the code box below into the pane where it says "Paste fix here" and then click the "Run Fix" button.


```
[Custom Items]
:Files
C:\Documents and Settings\Edco\Local Settings\Application Data\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
```
Then post the log please.


----------



## stacia123 (Jun 10, 2010)

Here's the log! Sorry for the delay, our wireless adapter gave up the ghost and we had to get a new one this weekend.

[Custom Items]
========== FILES ==========
C:\Documents and Settings\Edco\Local Settings\Application Data\{ff24043d-55f8-5ce9-a20a-8337d9b4b888} folder moved successfully.
< End of fix log >
OTS by OldTimer - Version 3.1.47.2 fix logfile created on 07302012_193144


----------



## Cookiegal (Aug 27, 2003)

Please remove comboFix by dragging it to the Recycle Bin then grab the latest version and try running it again.

Please visit *Combofix Guide & Instructions* for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.

There's no need to install the recovery console again if it was successfully installed before.


----------



## stacia123 (Jun 10, 2010)

Hello. I've been running ComboFix for 14 hours, and it's been on Stage_48 for 12 hours. The hard drive is running so something is going on. I'm going to leave it while I'm out today (I won't be back until late afternoon) but I am curious -- is it supposed to take this long?


----------



## Cookiegal (Aug 27, 2003)

It shouldn't take that long but please run OTL again with the following script as I forgot to include this one in the last fix:


```
[Custom Items]
:Files
C:\WINDOWS\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
```


----------



## stacia123 (Jun 10, 2010)

When I came back and checked today the ComboFix scan was on Stage_50. Should I still stop it and run OTL?


----------



## Cookiegal (Aug 27, 2003)

If it seems to be advancing let it continue for a while.


----------



## stacia123 (Jun 10, 2010)

It finished! It took almost 25 hours, but it's done. I've attached the log.


----------



## Cookiegal (Aug 27, 2003)

The ZoneAlarm firewall was not disabled so I suspect that had something to do with how long it took to run ComboFix. It seems it ran three times but no other logs were created except the current one.

Please run OTL now with the fix I posted earlier and post that log.


----------



## stacia123 (Jun 10, 2010)

The firewall is a puzzler -- I disabled it every time, manually. Both the ZoneAlarm firewall and antivirus. I'm not sure what I did wrong there. And it did run 3 times, the first 2 I posted about and the 3rd which finished and created the log.

Will do the OTL fix as soon as I get off work, thanks!


----------



## Cookiegal (Aug 27, 2003)

You're welcome.


----------



## stacia123 (Jun 10, 2010)

I ran OTS, here's the log:

[Custom Items]
========== FILES ==========
C:\WINDOWS\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U folder moved successfully.
C:\WINDOWS\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888} folder moved successfully.
< End of fix log >
OTS by OldTimer - Version 3.1.47.2 fix logfile created on 08022012_220839


----------



## Cookiegal (Aug 27, 2003)

That's good.

Please run the following on-line scanner. Note that you must use Internet Explorer to perform the scan.

Note: If you're running a 64-bit system you have to choose the 32-bit option in IE. To do that, go to the Start Menu and right-click the Internet Explorer (32-bit) icon and then select 'Run as administrator' from the right-click menu.

http://www.eset.com/online-scanner

Accept the Terms of Use and then press the Start button

Allow the ActiveX control to be installed.

Put a check by Remove found threats and then run the scan.

When the scan is finished, you will see the results in a window.

A log.txt file is created here: C:\Program Files\EsetOnlineScanner\log.txt.

Open the log file with Notepad and copy and paste the contents here please.


----------



## stacia123 (Jun 10, 2010)

Ran it, said no threats found! 

[email protected] as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=4b6f6e8bf553bd49a489b8db158abea4
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-07-28 03:32:38
# local_time=2012-07-27 10:32:38 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=9217 16776869 100 13 0 1321117 0 0
# scanned=114763
# found=2
# cleaned=2
# scan_time=5604
C:\Qoobox\Quarantine\C\WINDOWS\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\[email protected] Win32/Conedex.C trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP3\A0001626.exe a variant of Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
# version=7
# IEXPLORE.EXE=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=4b6f6e8bf553bd49a489b8db158abea4
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-08-04 01:57:00
# local_time=2012-08-03 08:57:00 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=9217 16776533 100 13 165951 1918120 0 0
# scanned=118372
# found=0
# cleaned=0
# scan_time=7663


----------
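The two ESET logs posted above (the first one, and the second one that repeats it followed by a clean run) make a point worth reading off the paths rather than the "found=2" line: both hits in the first run sit in ComboFix's quarantine (C:\Qoobox\Quarantine) and in a System Restore point (System Volume Information\_restore...), so they are copies already taken out of circulation, not a running infection, and the second run found nothing. The parser below is an editor-added example, not part of the thread and not ESET's own tooling. It splits a log.txt that holds several runs (the second post shows that the file accumulates them) and labels each detection by location. The detection-line layout is inferred from the two lines in the thread, the list of "residue" locations is an assumption that covers only what appears here, and the first detection's file name is reproduced exactly as it appears in the post.

```python
"""Split an ESET Online Scanner log.txt into runs and classify each
detection by where it was found: quarantine or restore-point residue
versus a location that points at a live infection."""
import re

# Constructed sample: the two runs from the second log posted above,
# trimmed to the header keys used here.
SAMPLE_LOG = r"""OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# end=finished
# remove_checked=true
# utc_time=2012-07-28 03:32:38
# osver=5.1.2600 NT Service Pack 2
# scanned=114763
# found=2
# cleaned=2
# scan_time=5604
C:\Qoobox\Quarantine\C\WINDOWS\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\[email protected] Win32/Conedex.C trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP3\A0001626.exe a variant of Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
# version=7
# IEXPLORE.EXE=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# end=finished
# remove_checked=true
# utc_time=2012-08-04 01:57:00
# osver=5.1.2600 NT Service Pack 2
# scanned=118372
# found=0
# cleaned=0
# scan_time=7663
"""

HEADER = re.compile(r"^# (?P<key>[^=]+)=(?P<value>.*)$")
# Detection-line layout inferred from the two lines in the thread:
#   <path> <threat name> (<action>) <32-hex hash> <flags>
# The threat name is anchored on its "Platform/Family" token, so a path
# containing spaces still parses (the path itself never contains "/").
DETECTION = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<threat>(?:(?:probably )?a variant of )?[A-Za-z0-9_]+/[^\s(]+(?: [^(]*?)?) "
    r"\((?P<action>[^)]*)\) "
    r"(?P<hash>[0-9a-fA-F]{32}) (?P<flags>\S+)$")

# Locations where a hit is residue rather than a running threat. Assumed
# list: only the two locations seen in the thread; extend for other vaults.
RESIDUE_PREFIXES = (
    ("\\qoobox\\quarantine\\", "ComboFix quarantine"),
    ("\\system volume information\\_restore", "System Restore point"),
)


def classify(path):
    low = path.lower()
    for prefix, label in RESIDUE_PREFIXES:
        if prefix in low:
            return label
    return "live"


def parse(log):
    """Return one dict per run: headers, parsed detections, unparsed lines."""
    runs, run = [], None
    for raw in log.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("# version="):
            run = {"headers": {}, "detections": [], "other": []}
            runs.append(run)
        if run is None:
            continue                      # preamble before the first run
        if m := HEADER.match(line):
            run["headers"][m.group("key")] = m.group("value")  # last value wins
        elif m := DETECTION.match(line):
            d = m.groupdict()
            d["location"] = classify(d["path"])
            run["detections"].append(d)
        else:
            run["other"].append(line)     # anything the patterns did not cover
    return runs


def summarize(log):
    out = []
    for run in parse(log):
        h = run["headers"]
        found = int(h.get("found", 0))
        out.append({
            "utc_time": h.get("utc_time"),
            "found": found,
            "cleaned": int(h.get("cleaned", 0)),
            # header count must equal the lines understood; otherwise a hit
            # line had a layout the regex silently skipped
            "parsed_ok": found == len(run["detections"]),
            "detections": run["detections"],
            "live": [d["path"] for d in run["detections"] if d["location"] == "live"],
        })
    return out


if __name__ == "__main__":
    for run in summarize(SAMPLE_LOG):
        print(run["utc_time"], "found", run["found"], "live", run["live"])
        for d in run["detections"]:
            print("   ", d["location"], "|", d["threat"], "|", d["path"])
```

The parsed_ok flag compares the header's found= count with the number of detection lines the pattern understood, so a line layout the pattern does not cover shows up as a mismatch instead of a dropped hit. Hits inside quarantine folders and restore points still merit cleanup (ESET did delete them here), and once the machine is confirmed clean the old restore points are worth purging, since a System Restore to that point would put the file back.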



## Cookiegal (Aug 27, 2003)

How are things with the computer now?


----------



## stacia123 (Jun 10, 2010)

It's running much better! It started running faster after the first ComboFix even though it only went to stage 48. Also, we ran SuperAntispyware tonight and it ran completely instead of stalling at about 6 minutes in, which is what it used to do.


----------



## Cookiegal (Aug 27, 2003)

Please post a new HijackThis log.


----------



## stacia123 (Jun 10, 2010)

Thanks for your patience! Here's the log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:42:18 AM, on 8/8/2012
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFFA.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=71126
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O4 - HKLM\..\Run: [ZoneAlarm] "C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKCU\..\Run: [EPSON Artisan 50 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFFA.EXE /FU "C:\WINDOWS\TEMP\E_S59.tmp" /EF "HKCU"
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: ZoneAlarm LTD Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 7093 bytes
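
The log format above, handled by an added example that is not HijackThis's own code and not something the forum helpers asked for: a small Python triage script that reads HijackThis v2 log text, pulls out the platform line, the running-process list and the R/O entries, and applies a few heuristics that line up with the advice in this thread (service pack behind SP3, executables living in temp or download folders, autorun entries that name a bare file rather than a full path, ActiveX controls fetched from the web). The sample lines are excerpted from the posted log; the rule names, the suspect-directory list and the expected service pack are my assumptions. A hit is a hint to look closer, not a verdict: legitimate vendor entries trip these rules too.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: lines excerpted from the HijackThis log posted above.
SAMPLE_LOG = r"""Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
C:\Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKCU\..\Run: [EPSON Artisan 50 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFFA.EXE /FU "C:\WINDOWS\TEMP\E_S59.tmp" /EF "HKCU"
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
PLATFORM_RE = re.compile(r"^Platform: (?P<os>.+?) (?P<sp>SP\d+) \(")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")
# Drive-letter path up to a file extension; the log does not always quote
# paths with spaces, so each match stops at the first extension it reaches.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|\r\n]*?\.(?:exe|dll|cab|htm|lnk|tmp)\b', re.I)
O4_CMD_RE = re.compile(r"\[[^\]]*\] (?P<cmd>.*)$")   # "[name] command line"

@dataclass
class Entry:
    section: str              # e.g. "O4", "O23"
    body: str                 # text after "O4 - "
    clsid: Optional[str]
    paths: List[str]          # every drive-letter file path in the body
    urls: List[str]

@dataclass
class Report:
    platform: Optional[str] = None      # e.g. "Windows XP"
    service_pack: Optional[str] = None  # e.g. "SP2"
    processes: List[str] = field(default_factory=list)
    entries: List[Entry] = field(default_factory=list)

def parse_log(text: str) -> Report:
    report, in_processes = Report(), False
    for line in (raw.rstrip() for raw in text.splitlines()):
        if in_processes:                      # process block ends at the first blank line
            if not line:
                in_processes = False
            elif re.match(r"^[A-Za-z]:\\", line):
                report.processes.append(line)
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = PLATFORM_RE.match(line)
        if m:
            report.platform, report.service_pack = m.group("os"), m.group("sp")
            continue
        m = ENTRY_RE.match(line)
        if m:
            body = m.group("body")
            c = CLSID_RE.search(body)
            report.entries.append(Entry(m.group("section"), body,
                                        c.group(0) if c else None,
                                        PATH_RE.findall(body), URL_RE.findall(body)))
    return report

# Assumption: SP3 is the last service pack for XP (the reply below says to install it).
EXPECTED_SERVICE_PACK = {"Windows XP": "SP3"}
# Heuristic (my choice): directories a persistent executable has no business living in.
SUSPECT_DIRS = ("\\temp\\", "\\downloads\\", "\\documents and settings\\", "\\recycler\\")

def looks_suspect(path: str) -> bool:
    return any(d in path.lower() for d in SUSPECT_DIRS)

def triage(report: Report) -> List[Tuple[str, str]]:
    """Return (rule, subject) pairs; a hit is a hint to look closer, not a verdict."""
    findings: List[Tuple[str, str]] = []
    want = EXPECTED_SERVICE_PACK.get(report.platform or "")
    if want and report.service_pack != want:
        findings.append(("stale-service-pack", f"{report.platform} {report.service_pack}"))
    for proc in report.processes:
        if looks_suspect(proc):
            findings.append(("suspect-path", proc))
    for e in report.entries:
        if e.section == "O4":                 # autorun registry entries
            m = O4_CMD_RE.search(e.body)
            cmd = m.group("cmd") if m else e.body
            if not PATH_RE.search(cmd):       # bare file name: resolved by search path
                findings.append(("unqualified-autorun", cmd))
            findings += [("suspect-path", p) for p in e.paths if looks_suspect(p)]
        elif e.section == "O16":              # ActiveX controls fetched from the web
            findings += [("remote-activex", u) for u in e.urls]
    return findings

if __name__ == "__main__":
    for rule, subject in triage(parse_log(SAMPLE_LOG)):
        print(f"{rule:20} {subject}")
```

Run it over a saved log with `parse_log(open("hijackthis.log").read())`; on the sample it reports the SP2 platform, HijackThis.exe running from C:\Downloads, the bare RTHDCPL.EXE autorun, the temp file passed to the Epson entry and the ESET online-scanner control, which is exactly the set a helper would eyeball first before deciding anything.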


----------



## Cookiegal (Aug 27, 2003)

Now you need to install Service Pack 3. Otherwise, you're leaving your computer at great risk for infection. But before doing that, please read the following article and be sure to follow all the steps and have made backups before attempting the installation.

http://support.microsoft.com/kb/950717

Here are some final instructions for you. Please do all of the following before attempting to install Service Pack 3.

As with any infection, I recommend that you change all passwords for logging into sites that you use on your computer as a precaution.

Please open OTS again and click on the button that says "CleanUp" at the top. This will remove some of the tools we've used and will also uninstall the OTS program.

*Follow these steps to uninstall Combofix and all of its files and components.*

 Click *START* then *RUN*
 Now type *ComboFix /uninstall* in the runbox and click *OK*. Note the *space* between the *X* and the */uninstall*, it needs to be there (the screenshot is just for illustration purposes but the actual command uses the entire word "uninstall" and not just the "u" as shown in the picture).

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* → *All Programs* → *Accessories* → *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.


----------

