# redirected to other sites + generic host process for win32 with problems



## egroj (Apr 22, 2011)

Hello all,

Last night I began getting redirected to crappy search engines while surfing the net (like the previous thread), but not only when clicking links on Google. This would happen at random clicks.

I also began getting a separate window with crappy web domain hosting sites at random (not having necessarily clicked on anything previously).

Also I began getting an Explorer window popping up at random with the caption "generic process for win32 has encountered a problem and needs to close".

And lastly my CPU is running through the roof when it shouldn't be, seemingly at random; then it slows down to normal for a while, and then this repeats itself.

I ran AVG, Malwarebytes, Superantispyware, Spybot-search&destroy, and Ad-aware. They all got a bunch of something, but I still have this host of problems happening.

I have read the posting rules, but my computer understanding is just a bit beyond basic, so I decided to wait and see what I am told the best course of action is. I am on XP 32-bit, SP3.

Thank you.


----------



## egroj (Apr 22, 2011)

Hi again, I have some new info:

After I posted my first post last night I went to bed and left the computer to go into hibernation on its own. This morning I cannot get it started: it'll go to the screen where I am allowed to use F2, F12 (BIOS screen?) and then goes to the screen where it says "Resuming Windows" and allows the use of F8. It just keeps cycling from one screen to the other.
Now I am truly stuck! (I am using my wife's laptop to post this.)

cheers.


----------



## egroj (Apr 22, 2011)

Hi again,

After a couple of hours I figured out how to get the computer started again. I opened Task Manager and looked at the Processes window for quite a while and found out that AppleMobileDeviceService.exe was taking most of the system resources; also some of the svchost.exe instances are using between 30,000K and 80,000K. Though I tried to end the Apple process, it kept reappearing.

Out of curiosity I searched for AppleMobileDeviceService.exe and right-clicked and found out I could scan it on its own with AVG ("shell extension scan"?). This is what I got:

Scan "Shell extension scan" completed.
Infections;"6";"3";"3"
Folders selected for scanning:;"C:\WINDOWS\Prefetch\APPLEMOBILEDEVICESERVICE.EXE-0A278840.pf;"
Scan started:;"April 22, 2011, 7:18:07 PM"
Scan finished:;"April 22, 2011, 7:21:44 PM (3 minute(s) 36 second(s))"
Total object scanned:;"1084899"
User who launched the scan:;"Jorge"
Infections
;"File";"Infection";"Result"
;"C:\WINDOWS\system32\wuauclt.exe (3328):\memory_001b0000";"Trojan horse Agent_r.XJ";"Object is inaccessible."
;"C:\WINDOWS\system32\wuauclt.exe (3328)";"Trojan horse Agent_r.XJ";""
;"C:\WINDOWS\system32\svchost.exe (5656):\memory_001a0000";"Trojan horse Agent_r.XJ";"Object is inaccessible."
;"C:\WINDOWS\system32\svchost.exe (5656)";"Trojan horse Agent_r.XJ";""
;"C:\WINDOWS\explorer.exe (1872):\memory_001a0000";"Trojan horse Agent_r.XJ";"Object is inaccessible."
;"C:\WINDOWS\explorer.exe (1872)";"Trojan horse Agent_r.XJ";""

So there is part of the problem, but by the looks of it I am sure there is plenty more. Anyway, I really hope the above will stir somebody's curiosity soon enough; I certainly need the help.

Thanks.

PS: I have now lost sound as well (on and off at random times) and the "generic host process for win32..." keeps appearing, though I have not been redirected for a while...
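The AVG report above is a semicolon-separated table with double-quoted fields, and the interesting detail is *where* the detections sit: each of the three flagged objects is a memory region (`:\memory_...`) inside a running Windows process (`wuauclt.exe`, `svchost.exe`, `explorer.exe`), no row names any of those files on disk, and the result column says "Object is inaccessible.", i.e. AVG detected but could not act. That pattern is consistent with code injected into legitimate processes rather than replaced binaries, which also fits a crashing "Generic Host Process for Win32" (svchost) and browser redirects. The parser below is an added example, not code from the post or from AVG; it assumes the report layout exactly as shown above (the sample input is the table from the post), and the "injected" and "cleanup_blocked" labels are this example's own interpretation of the columns, not an AVG verdict.

```python
import csv
import re

# The "Infections" table from the AVG "Shell extension scan" report in the post above,
# reproduced as sample input (semicolon-separated, fields double-quoted, rows start with ';').
AVG_REPORT = r'''
Scan "Shell extension scan" completed.
Infections;"6";"3";"3"
Infections
;"File";"Infection";"Result"
;"C:\WINDOWS\system32\wuauclt.exe (3328):\memory_001b0000";"Trojan horse Agent_r.XJ";"Object is inaccessible."
;"C:\WINDOWS\system32\wuauclt.exe (3328)";"Trojan horse Agent_r.XJ";""
;"C:\WINDOWS\system32\svchost.exe (5656):\memory_001a0000";"Trojan horse Agent_r.XJ";"Object is inaccessible."
;"C:\WINDOWS\system32\svchost.exe (5656)";"Trojan horse Agent_r.XJ";""
;"C:\WINDOWS\explorer.exe (1872):\memory_001a0000";"Trojan horse Agent_r.XJ";"Object is inaccessible."
;"C:\WINDOWS\explorer.exe (1872)";"Trojan horse Agent_r.XJ";""
'''

# "<image path> (<pid>)", optionally followed by ":\memory_<hex base>" for an in-memory region.
OBJECT_RE = re.compile(r'^(?P<path>.+?) \((?P<pid>\d+)\)(?::\\memory_(?P<addr>[0-9A-Fa-f]+))?$')


def parse_avg_report(text):
    """Return {pid: finding} for every infection row that names a running process.

    finding = {'image': path, 'memory': [(base_address, result), ...],
               'process_result': result for the process object itself (None if absent),
               'detections': set of signature names}
    Rows that name a file on disk without a PID are not process findings and are skipped.
    """
    table = (ln for ln in text.splitlines() if ln.startswith(';'))
    findings = {}
    for row in csv.reader(table, delimiter=';', quotechar='"'):
        if len(row) < 4 or row[1] == 'File':   # header row or malformed line
            continue
        obj, infection, result = row[1], row[2], row[3]
        m = OBJECT_RE.match(obj)
        if not m:
            continue
        pid = int(m.group('pid'))
        f = findings.setdefault(pid, {'image': m.group('path'), 'memory': [],
                                      'process_result': None, 'detections': set()})
        f['detections'].add(infection)
        if m.group('addr'):
            f['memory'].append((int(m.group('addr'), 16), result))
        else:
            f['process_result'] = result
    return findings


def memory_hit_pids(findings):
    """PIDs whose detection sits in a memory region of the process."""
    return sorted(pid for pid, f in findings.items() if f['memory'])


def triage(findings):
    """One summary per process: memory-only hit (injected code) and whether the scanner could act on it."""
    rows = []
    for pid in sorted(findings):
        f = findings[pid]
        rows.append({
            'pid': pid,
            'image': f['image'],
            'injected': bool(f['memory']),
            'cleanup_blocked': any('inaccessible' in r.lower() for _, r in f['memory']),
            'names': sorted(f['detections']),
        })
    return rows


if __name__ == '__main__':
    for r in triage(parse_avg_report(AVG_REPORT)):
        print('{pid:>5}  {image:<40}  injected={injected}  blocked={cleanup_blocked}  {names}'.format(**r))
```

Because the detections are in memory and were not cleaned, a reboot leaves the on-disk loader (wherever it is) in place to re-inject; that is why the helpers ask for DDS and GMER output before suggesting removal steps rather than acting on this report alone.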


----------



## dvk01 (Dec 14, 2002)

If you follow the advice in the sticky at the top of the forum, you get better help.

Follow the advice *here* and post the logs those programs make.


----------



## egroj (Apr 22, 2011)

Hi Derek,

Thank you for replying. Sorry about not having posted any logs. As soon as I signed up I read the sticky about posting for help but, as I said in my first post, I am not very computer literate and I got stuck at #2. I don't know what a script blocker is!!

- I have backed up anything that's important (chances of bugs tagging along with backed-up files?)

- I downloaded HijackThis v2.0.4 as it is indicated that v2.0.5 is a beta version. I hope that was the right choice. Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:19:50 PM, on 23/04/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Jorge\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v3] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MFARestart] "C:\Documents and Settings\All Users\Application Data\MFAData\pack\avgrunasx.exe" /usereg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} (20-20 3D Viewer) - http://design-concept.ca/Core/Player/2020PlayerAX_Win32.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1219981782196
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} - https://www2.gotomeeting.com/default/applets/g2mdlax.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Futuremark SystemInfo) - http://ec2-174-129-18-125.compute-1.amazonaws.com/intel-systeminfo-api/receivers/FMSI.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - Invalid registry found
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
O23 - Service: AVGIDSAgent - Unknown owner - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 11072 bytes

cheers,

jorge.
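A HijackThis log is read by eye, section by section, with a handful of recurring questions: does an entry point at nothing (`(no file)`, `Invalid registry found`), does a Run entry use a bare filename that resolves through the search path, does an autostart or service live under a user-writable directory, is an ActiveX CAB (O16) served from an IP literal or a cloud instance instead of a vendor domain, and does a service show `Unknown owner`. The script below is an added example of those rules applied mechanically; it is not part of the post and not HijackThis code. The rule set, the reason codes and the sample input (a subset of the lines from the log above) are this example's own choices. Every flag is a prompt to verify, not a verdict: on this log each flagged entry matches a product already visible elsewhere in it (WinFax, AVG, SUPERAntiSpyware, Futuremark), so the value is in confirming those quickly and leaving attention for whatever does not match.

```python
import re
from urllib.parse import urlparse

# Subset of the HijackThis log above, used as sample input for the rules below.
SAMPLE_LOG = r'''
Logfile of Trend Micro HijackThis v2.0.4
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [MFARestart] "C:\Documents and Settings\All Users\Application Data\MFAData\pack\avgrunasx.exe" /usereg
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Futuremark SystemInfo) - http://ec2-174-129-18-125.compute-1.amazonaws.com/intel-systeminfo-api/receivers/FMSI.cab
O20 - Winlogon Notify: !SASWinLogon - Invalid registry found
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
'''

ENTRY_RE = re.compile(r'^(?P<section>[OR]\d+) - (?P<body>.+)$')
# First executable of a Run command: a quoted path, or everything up to the first ".exe".
EXE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.*?\.exe)\b', re.IGNORECASE)
IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')
# Directories a limited user can write to; autostarts there deserve a second look (heuristic).
USER_WRITABLE = ('\\temp\\', '\\application data\\', '\\local settings\\', '\\recycler\\')
CLOUD_HOST_SUFFIXES = ('.amazonaws.com',)   # hosting that any customer can rent, not a vendor domain


def exe_of(command):
    """Executable part of a Run command, with quotes and arguments stripped."""
    m = EXE_RE.match(command.strip())
    return (m.group('q') or m.group('u')) if m else command.strip()


def triage_hijackthis(text):
    """Return review prompts [{'section', 'code', 'line', 'note'}] for a HijackThis log."""
    findings = []

    def flag(section, code, line, note):
        findings.append({'section': section, 'code': code, 'line': line.strip(), 'note': note})

    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        sec, body = m.group('section'), m.group('body')
        if '(no file)' in body or 'Invalid registry found' in body:
            flag(sec, 'orphaned-entry', line, 'registry entry points at nothing; leftover of a removed component')
            continue
        if sec == 'R1' and 'ProxyServer' in body:
            flag(sec, 'proxy-set', line, 'browser traffic is routed through a proxy; confirm it is intended')
        elif sec == 'O4':
            cmd = body.split('] ', 1)[1] if '] ' in body else body
            exe = exe_of(cmd)
            if '\\' not in exe:
                flag(sec, 'bare-filename', line, 'no path: resolved via the search path, so any same-named file earlier in it wins')
            elif any(p in exe.lower() for p in USER_WRITABLE):
                flag(sec, 'user-writable-path', line, 'autostart lives in a user-writable directory')
        elif sec == 'O16':
            um = re.search(r'https?://\S+', body)
            host = urlparse(um.group(0)).hostname if um else None
            if host and (IPV4_RE.match(host) or host.endswith(CLOUD_HOST_SUFFIXES)):
                flag(sec, 'non-vendor-cab-host', line, 'ActiveX CAB fetched from an IP literal or rented cloud host')
        elif sec == 'O23':
            parts = body[len('Service: '):].rsplit(' - ', 2)
            if len(parts) == 3 and parts[1] == 'Unknown owner':
                flag(sec, 'unknown-owner', line, 'service binary has no company name in its version info; check signature or hash')
    return findings


if __name__ == '__main__':
    for f in triage_hijackthis(SAMPLE_LOG):
        print('{section:<4} {code:<20} {line}\n      -> {note}'.format(**f))
```

The O4 rules carry over to the `S3 cpuz130`/`cpuz132` driver entries in a DDS log (binaries under `locals~1\temp`), which is why a `Temp` match is included even though no O4 line here hits it.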


----------



## dvk01 (Dec 14, 2002)

Without you running DDS & GMER, we can't see what might be wrong.
If you had a script blocker, you would know it.


----------



## egroj (Apr 22, 2011)

Very well, I'll get to it.


----------



## egroj (Apr 22, 2011)

Logs from DDS; the next message will be the output from GMER:

.
DDS (Ver_11-03-05.01) - NTFSx86 
Run by Jorge at 12:56:51.70 on 23/04/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.917 [GMT -7:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Documents and Settings\Jorge\Desktop\dds.com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/ig?hl=en
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: AutorunsDisabled - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
mRun: [IntelZeroConfig] c:\program files\intel\wireless\bin\ZCfgSvc.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [pdfFactory Pro Dispatcher v3] "c:\windows\system32\spool\drivers\w32x86\3\fppdis3a.exe" /source=HKLM
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [WFXSwtch] c:\progra~1\winfax\WFXSWTCH.exe
mRun: [WinFaxAppPortStarter] wfxsnt40.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>] 
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MFARestart] "c:\documents and settings\all users\application data\mfadata\pack\avgrunasx.exe" /usereg
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-explorer: GreyMSIAds = 0 (0x0)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://design-concept.ca/Core/Player/2020PlayerAX_Win32.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219981782196
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} - hxxps://www2.gotomeeting.com/default/applets/g2mdlax.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - hxxp://ec2-174-129-18-125.compute-1.amazonaws.com/intel-systeminfo-api/receivers/FMSI.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2009-2-14 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2009-2-14 5248]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-8 64288]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 299984]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-10-12 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 67656]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-10 14336]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-12 2146496]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-2 136176]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-10-12 517448]
S3 cpuz130;cpuz130;\??\c:\docume~1\jorge\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\jorge\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 cpuz132;cpuz132;\??\c:\docume~1\jorge\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\jorge\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-5-2 136176]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-16 15232]
S3 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 12872]
.
=============== File Associations ===============
.
regfile=regedit.exe "%1" %*
.scr=AutoCADScriptFile
.
=============== Created Last 30 ================
.
2011-04-21 17:31:20 -------- d--h--w- C:\Settings
2011-04-21 02:38:41 -------- d-----w- c:\docume~1\jorge\applic~1\4833ECA1A8523BEFA28FD8E0B086A3DE
2011-04-15 01:20:30 -------- d-----w- c:\program files\common files\Futuremark Shared
2011-04-07 07:21:21 -------- d-----w- c:\docume~1\jorge\applic~1\HpUpdate
2011-04-07 07:21:15 -------- d-----w- c:\windows\Hewlett-Packard
2011-04-06 18:58:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\kMp06509aAaDo06509
2011-04-06 04:51:06 -------- d-----w- c:\program files\ScreenRecorder
2011-04-06 04:50:27 -------- d-----w- c:\windows\system32\windows media
2011-04-06 04:50:13 -------- d--h--w- c:\windows\msdownld.tmp
2011-04-06 04:50:06 -------- d-----w- c:\program files\Windows Media Components
2011-04-06 04:47:38 -------- d-----w- C:\UtilityOnlineMarch09
2011-04-03 02:11:50 -------- d-----w- c:\docume~1\alluse~1\applic~1\mytaxexpress
2011-04-03 02:11:34 -------- d-----w- C:\myTaxExpress
2011-03-26 06:01:42 0 ----a-w- c:\windows\Fhozezipahalafun.bin
2011-03-26 06:01:39 -------- d-----w- c:\docume~1\jorge\locals~1\applic~1\{39DCA268-5E38-4DF4-B70D-879F496580B6}
.
==================== Find3M ====================
.
2011-04-18 10:23:39 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-07 01:50:11 41 ----a-w- c:\windows\WFXDEL.BAT
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25:52 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-05 01:48:32 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-05 01:48:30 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HTS548080M9AT00 rev.MG4OA5EA -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89DBC4F0]<< 
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89dc27d0]; MOV EAX, [0x89dc284c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; 
JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x89DCE030]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x89D90358]
\Driver\atapi[0x89DDE9A0] -> IRP_MJ_CREATE -> 0x89DBC4F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; 
MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x89DBC33B
user & kernel MBR OK 
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 12:59:23.42 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 28/08/2008 12:47:21 PM
System Uptime: 23/04/2011 11:17:22 AM (1 hours ago)
.
Motherboard: Dell Inc. | | 0C5668
Processor: Intel(R) Pentium(R) M processor 1.86GHz | Microprocessor | 1862/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 70 GiB total, 20.242 GiB free.
D: is CDROM ()
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP832: 27/02/2011 8:52:10 PM - Installed Autodesk Seek Viewer (1.0.54)
RP833: 01/03/2011 6:02:18 PM - System Checkpoint
RP834: 03/03/2011 8:51:39 AM - System Checkpoint
RP835: 04/03/2011 9:44:05 AM - System Checkpoint
RP836: 05/03/2011 2:08:28 PM - System Checkpoint
RP837: 06/03/2011 2:13:07 PM - System Checkpoint
RP838: 06/03/2011 5:20:16 PM - after increase virtual mem, before installing winfax
RP839: 06/03/2011 5:51:00 PM - Printer Driver WinFax Installed
RP840: 06/03/2011 5:51:15 PM - Printer Driver WinFax (Photo Quality) Installed
RP841: 07/03/2011 7:29:31 PM - System Checkpoint
RP842: 08/03/2011 8:33:41 PM - System Checkpoint
RP843: 09/03/2011 7:17:04 AM - Software Distribution Service 3.0
RP844: 09/03/2011 9:27:30 PM - Installed archCalc
RP845: 10/03/2011 11:00:12 PM - System Checkpoint
RP846: 12/03/2011 10:37:08 AM - System Checkpoint
RP847: 13/03/2011 7:00:19 PM - System Checkpoint
RP848: 14/03/2011 10:33:44 PM - System Checkpoint
RP849: 16/03/2011 9:15:57 AM - System Checkpoint
RP850: 17/03/2011 3:49:41 PM - System Checkpoint
RP851: 19/03/2011 12:16:18 PM - System Checkpoint
RP852: 20/03/2011 4:31:35 PM - System Checkpoint
RP853: 20/03/2011 6:56:25 PM - Removed Adobe Reader 9.4.2.
RP854: 21/03/2011 7:28:41 PM - System Checkpoint
RP855: 22/03/2011 9:23:57 PM - System Checkpoint
RP856: 23/03/2011 10:45:58 PM - before acad2008
RP857: 23/03/2011 10:47:20 PM - Software Distribution Service 3.0
RP858: 23/03/2011 10:56:33 PM - acad 2008 USE THIS ONE
RP859: 23/03/2011 11:23:54 PM - Installed AutoCAD 2008 - English
RP860: 25/03/2011 8:49:26 AM - System Checkpoint
RP861: 26/03/2011 9:00:04 AM - System Checkpoint
RP862: 27/03/2011 9:26:41 AM - System Checkpoint
RP863: 28/03/2011 9:58:00 AM - System Checkpoint
RP864: 29/03/2011 7:22:19 PM - System Checkpoint
RP865: 31/03/2011 7:35:20 AM - System Checkpoint
RP866: 01/04/2011 8:50:25 AM - System Checkpoint
RP867: 02/04/2011 9:14:16 AM - System Checkpoint
RP868: 03/04/2011 9:39:01 AM - System Checkpoint
RP869: 04/04/2011 11:04:07 AM - System Checkpoint
RP870: 05/04/2011 11:05:09 AM - System Checkpoint
RP871: 05/04/2011 9:50:04 PM - Installed Windows Media Encoder 9 Series
RP872: 05/04/2011 9:51:06 PM - Installed ScreenRecorder
RP873: 05/04/2011 9:53:33 PM - Software Distribution Service 3.0
RP874: 05/04/2011 9:55:25 PM - Software Distribution Service 3.0
RP875: 07/04/2011 12:42:23 AM - System Checkpoint
RP876: 07/04/2011 9:42:52 AM - Software Distribution Service 3.0
RP877: 08/04/2011 3:25:08 PM - System Checkpoint
RP878: 09/04/2011 4:25:33 PM - System Checkpoint
RP879: 10/04/2011 6:37:19 PM - System Checkpoint
RP880: 11/04/2011 7:43:42 PM - System Checkpoint
RP881: 13/04/2011 9:10:13 PM - System Checkpoint
RP882: 14/04/2011 9:42:08 PM - System Checkpoint
RP883: 15/04/2011 7:33:02 AM - Software Distribution Service 3.0
RP884: 15/04/2011 8:27:03 AM - Software Distribution Service 3.0
RP885: 16/04/2011 11:13:27 AM - System Checkpoint
RP886: 17/04/2011 12:00:57 PM - System Checkpoint
RP887: 18/04/2011 12:10:15 PM - System Checkpoint
RP888: 19/04/2011 5:02:01 PM - System Checkpoint
RP889: 20/04/2011 12:00:44 PM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
3D Home Architect 4
Acrobat.com
Ad-Aware
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X (10.0.1)
Adobe Shockwave Player 11.5
Advertising Center
Akamai NetSession Interface
ALPS Touch Pad Driver
AOTC - Revit Architecture 2008 Essentials
Apple Application Support
Apple Mobile Device Support
Apple Software Update
archCalc
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AutoCAD 2008 - English
Autodesk Architectural Desktop 2006
Autodesk Design Review 2011
Autodesk Seek Viewer (1.0.54)
AVG 2011
AVG PC Tuneup 2011
Belarc Advisor 8.1
Bonjour
Broadcom 440x 10/100 Integrated Controller
BufferChm
C-Major Audio
CCleaner
Cheetah DVD Burner
Compatibility Pack for the 2007 Office system
Concord WinFax Plugin v3.0
Conexant D110 MDC V.92 Modem
D2600
DAEMON Tools
Dell Resource CD
DeviceDiscovery
Dietrich's Baudaten
DivX Plus Web Player
DJ_SF_05_D2600_Software_Min
Driver Detective
Futuremark SystemInfo
Google Earth Plug-in
Google Update Helper
GoToMeeting 4.0.0.320
GPBaseService2
Hardlock Device Drivers
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Deskjet D2600 Printer Driver Software 12.0 Rel .5
HP Imaging Device Functions 12.0
hp print screen utility
HP Smart Web Printing 4.60
HP Solution Center 13.0
HP Update
HPDiagnosticAlert
HPProductAssistant
HPSSupply
ImgBurn
Intel(R) PROSet/Wireless Software
ISO Recorder
iTunes
Java Auto Updater
Java(TM) 6 Update 22
LimeWire 5.4.6
LiveReg (Symantec Corporation)
LiveUpdate 1.6 (Symantec Corporation)
Malwarebytes' Anti-Malware
mCore
mDriver
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2000 Professional
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Windows XP Video Decoder Checkup Utility
mIWA
mIWCA
mLogView
mMHouse
mPfMgr
mPfWiz
mProSafe
MSN
mSSO
MSVCSetup
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
mToolkit
mWlsSafe
mXML
myTaxExpress NETFILE 2010
mZConfig
Nero 9 Lite
Nero ControlCenter
Nero Installer
Nero Online Upgrade
Nero StartSmart
neroxml
pdfFactory Pro
PowerDVD
QuickSet
QuickTime
RealPlayer
Revit Architecture 2008
ScreenRecorder
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Encoder (KB2447961)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923789)
Shop for HP Supplies
SmartWebPrinting
SolutionCenter
Sonic Encoders
Spybot - Search & Destroy
Status
SUPERAntiSpyware Free Edition
Symantec WinFax PRO
TELUS Support Centre
Toolbox
TrayApp
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB969497)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB971029)
VC80CRTRedist - 8.0.50727.4053
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Vuze
WebFldrs XP
WebReg
Win2PDF Font Helper 1.21 (GPL Ghostscript 8.62)
Windows Internet Explorer 8
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows XP Media Center Edition 2005 KB2502898
WinRAR archiver
Wise Disk Cleaner 4.82
Wise PC Engineer 6.3.1
Wise Registry Cleaner Free 5.31
WoodWorks Design Office 7
Xvid 1.2.2 final uninstall
Yahoo! Toolbar
.
==== Event Viewer Messages From Past Week ========
.
22/04/2011 7:20:08 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 11 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
22/04/2011 7:19:01 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 10 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
22/04/2011 7:17:14 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 9 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
22/04/2011 7:05:51 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 8 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
22/04/2011 7:03:41 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 7 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
22/04/2011 6:48:46 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 6 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
22/04/2011 6:47:14 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 5 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
22/04/2011 6:22:54 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 4 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
22/04/2011 2:35:07 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
22/04/2011 2:30:43 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
22/04/2011 2:30:18 PM, error: Service Control Manager [7034] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 3 time(s).
22/04/2011 2:29:36 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
22/04/2011 2:29:27 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
22/04/2011 2:18:02 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
22/04/2011 10:21:09 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 14 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
21/04/2011 10:32:40 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde
20/04/2011 8:10:41 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the AVGIDSAgent service to connect.
20/04/2011 8:10:41 PM, error: Service Control Manager [7000] - The AVGIDSAgent service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
20/04/2011 12:35:00 AM, error: Dhcp [1002] - The IP address lease 192.168.1.65 for the Network Card with network address 0012F08B93B3 has been denied by the DHCP server 192.168.1.254 (The DHCP Server sent a DHCPNACK message).
20/04/2011 12:09:27 AM, error: Dhcp [1002] - The IP address lease 192.168.1.64 for the Network Card with network address 0012F08B93B3 has been denied by the DHCP server 192.168.1.254 (The DHCP Server sent a DHCPNACK message).
17/04/2011 12:39:55 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Messenger service.
16/04/2011 12:58:45 AM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
.
==== End Of File ===========================


----------



## egroj (Apr 22, 2011)

Sorry Derek, I just realized I should have sent attach.txt as an attachment (kind of obvious). My bad.

I am having a bit of trouble with GMER. As soon as I double click the program it seems to do some running right away and then it stops (no visible warnings of rootkit activity). I'll start again and then uncheck IAT/EAT anyway and press scan.

Log coming soon (I hope)


----------



## egroj (Apr 22, 2011)

Hi Derek,

As soon as I double click on the GMER exe file and before I can do anything else the program runs briefly. This is what comes out:

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit quick scan 2011-04-23 23:22:08
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 HTS548080M9AT00 rev.MG4OA5EA
Running: iqrt383c.exe; Driver: C:\DOCUME~1\Jorge\LOCALS~1\Temp\ugtdrpog.sys

---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
---- EOF - GMER 1.0.15 ----

After this was done I was able to click on SCAN, and after 6+ hours of continuous scanning my computer finally "gave up" and froze, so here I am writing this message... should I try this approach again?

I am not sure that it is something I am doing wrong. Any ideas or any other ways I can approach using GMER?

Thanks for your patience.


----------



## dvk01 (Dec 14, 2002)

That is OK, I have an idea what is wrong from those.

Uninstall AVG
reboot &

Delete any existing version of ComboFix you have sitting on your desktop
*Please read and follow all these instructions very carefully*
*Do not edit or remove any information or user names etc, otherwise we cannot fix the problem. If you insist on editing out anything then I will close the topic & refuse to offer any help.*

Download ComboFix from *Here* or *Here* to your Desktop.
*As you download it rename it to username123.exe*

***Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer***
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


*Very Important!* *Temporarily disable* your *anti-virus* and *anti-malware* real-time protection and any *script blocking components of them or your firewall* *before* performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results"_ or stop combofix running at all.
Click on *THIS LINK* to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again after combofix has finished*
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running 
Double click on *renamed combofix.exe* & follow the prompts.
If you are using Windows XP it might display a pop up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
When finished, it will produce a report for you. 
Please post the *"C:\ComboFix.txt" * for further review

*****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze *****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns.

*Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version. *

Please tell us if it has cured the problems or if there are any outstanding issues


----------



## egroj (Apr 22, 2011)

Good morning Derek,
I got your message as I was going to bed!!

I tried to uninstall AVG (control panel, add/remove programs) and after about 10 minutes of going at it, it actually re-installed itself (I did click on remove!). The computer became very slow and erratic so I restarted it and it is taking forever to reboot. Now I see the desktop background but nothing else (I am writing to you from my wife's laptop). It seems definitely frozen at this stage, so I'll try to reboot again.

Will keep you posted...


----------



## egroj (Apr 22, 2011)

OK, got the computer up and running again. I went to the AVG uninstall in start menu/all programs and it seems to be working. I'll read the link about temporarily disabling all the other security in the meanwhile...


----------



## egroj (Apr 22, 2011)

Derek,

after seemingly having uninstalled AVG I restarted the computer and it froze again only showing the desktop background. I turned it off again and restarted and this time it did restart properly. However:

AVG is still here!!

How else can I try to uninstall it?


----------



## egroj (Apr 22, 2011)

OK, I tried to uninstall again as previously, but when finished I didn't click on restart. Instead I turned off the computer and waited a few seconds, and this time AVG got uninstalled.
The computer didn't freeze when starting. This leads me to believe restart is somehow malfunctioning now too?
Will keep following the instructions.


----------



## egroj (Apr 22, 2011)

Hi Derek, finally here it is combofix.txt:

ComboFix 11-04-23.01 - Jorge 24/04/2011 1:59.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1562 [GMT -7:00]
Running from: c:\documents and settings\Jorge\Desktop\username123.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Jorge\Application Data\Adobe\plugs
c:\documents and settings\Jorge\Application Data\Adobe\shed
c:\documents and settings\Jorge\WINDOWS
c:\windows\system32\Thumbs.db
c:\windows\system32\UNWISE.EXE
.
.
((((((((((((((((((((((((( Files Created from 2011-03-24 to 2011-04-24 )))))))))))))))))))))))))))))))
.
.
2011-04-21 20:46 . 2011-04-21 20:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2011-04-21 20:46 . 2011-04-21 20:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-04-21 17:31 . 2011-04-21 17:31 -------- d-----w- C:\Settings
2011-04-21 08:42 . 2011-04-21 08:42 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2011-04-21 08:42 . 2011-04-21 08:42 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-04-21 02:38 . 2011-04-21 02:38 -------- d-----w- c:\documents and settings\Jorge\Application Data\4833ECA1A8523BEFA28FD8E0B086A3DE
2011-04-15 01:20 . 2011-04-15 01:20 -------- d-----w- c:\program files\Common Files\Futuremark Shared
2011-04-07 07:21 . 2011-04-14 15:15 -------- d-----w- c:\documents and settings\Jorge\Application Data\HpUpdate
2011-04-07 07:21 . 2011-04-07 07:21 -------- d-----w- c:\windows\Hewlett-Packard
2011-04-06 18:58 . 2011-04-15 15:51 -------- d-----w- c:\documents and settings\All Users\Application Data\kMp06509aAaDo06509
2011-04-06 04:51 . 2011-04-06 04:51 -------- d-----w- c:\program files\ScreenRecorder
2011-04-06 04:50 . 2011-04-06 04:50 -------- d-----w- c:\windows\system32\windows media
2011-04-06 04:50 . 2011-04-06 04:50 -------- d--h--w- c:\windows\msdownld.tmp
2011-04-06 04:50 . 2011-04-06 04:50 -------- d-----w- c:\program files\Windows Media Components
2011-04-06 04:47 . 2011-04-06 04:49 -------- d-----w- C:\UtilityOnlineMarch09
2011-04-03 02:11 . 2011-04-03 02:11 -------- d-----w- c:\documents and settings\All Users\Application Data\mytaxexpress
2011-04-03 02:11 . 2011-04-03 02:11 -------- d-----w- C:\myTaxExpress
2011-03-26 06:01 . 2011-03-26 07:10 0 ----a-w- c:\windows\Fhozezipahalafun.bin
2011-03-26 06:01 . 2011-03-26 06:01 -------- d-----w- c:\documents and settings\Jorge\Local Settings\Application Data\{39DCA268-5E38-4DF4-B70D-879F496580B6}
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2008-08-28 19:40 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-07 01:50 . 2008-08-29 05:22 41 ----a-w- c:\windows\WFXDEL.BAT
2011-03-04 06:37 . 2004-08-10 11:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-10 11:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-10 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-10 11:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-10 11:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2004-08-10 11:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-10 11:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-04-16 02:42 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-10 11:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25 . 2008-08-29 02:51 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-08 13:33 . 2004-08-10 11:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-10 11:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-05 01:48 . 2004-08-10 11:00 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-05 01:48 . 2004-08-10 11:00 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58 . 2008-08-28 19:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2008-08-28 19:35 677888 ----a-w- c:\windows\system32\mstsc.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-07-23 401408]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-07-23 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-21 118784]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"pdfFactory Pro Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2008-04-18 520192]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"WFXSwtch"="c:\progra~1\WinFax\WFXSWTCH.exe" [2001-09-10 27648]
"WinFaxAppPortStarter"="wfxsnt40.exe" [2001-09-10 45568]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-02 198160]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"GreyMSIAds"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-02 05:45 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1909:TCP"= 1909:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [08/11/2009 11:24 AM 64288]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [10/08/2004 4:00 AM 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [02/05/2010 9:10 PM 136176]
S3 cpuz130;cpuz130;\??\c:\docume~1\Jorge\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Jorge\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [02/05/2010 9:10 PM 136176]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-03 04:10]
.
2011-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-03 04:10]
.
2011-04-24 c:\windows\Tasks\User_Feed_Synchronization-{DBF522DE-E863-4160-8F68-AE20937E41A5}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
2009-11-10 c:\windows\Tasks\Wise Registry Cleaner 4.job
- c:\program files\Wise Registry Cleaner\WiseRegistryCleaner.exe [2009-11-10 22:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/ig?hl=en
uInternet Settings,ProxyOverride = *.local
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
SafeBoot-klmdb.sys
MSConfigStartUp-DeviceDiscovery - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
MSConfigStartUp-HP Software Update - c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
AddRemove-Hardlock Device Drivers - c:\windows\system32\UNWISE.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-24 02:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HTS548080M9AT00 rev.MG4OA5EA -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x89DEF33B
user & kernel MBR OK 
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1644491937-1767777339-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
@DACL=(02 0000)
@="Wireless"
"ProcessGroupPolicy"="ProcessWIRELESSPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@DACL=(02 0000)
@="Folder Redirection"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"DllName"=expand:"fdeploy.dll"
"NoMachinePolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"NoGPOListChanges"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=multi:"(Folder Redirection,Application)\00\00"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}]
@DACL=(02 0000)
"Status"=dword:00000000
"RsopStatus"=dword:00000000
"LastPolicyTime"=dword:00efa3b7
"PrevSlowLink"=dword:00000000
"PrevRsopLogging"=dword:00000001
"ForceRefreshFG"=dword:00000000
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=expand:"dskquota.dll"
"ProcessGroupPolicy"="ProcessGroupPolicy"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@DACL=(02 0000)
@="QoS Packet Scheduler"
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
@DACL=(02 0000)
@="Scripts"
"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
"ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"
"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
"DllName"=expand:"gptext.dll"
"NoSlowLink"=dword:00000001
"NoGPOListChanges"=dword:00000001
"NotifyLinkTransition"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@DACL=(02 0000)
@="Internet Explorer Zonemapping"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
@DACL=(02 0000)
@="Internet Explorer User Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=expand:"scecli.dll"
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:000003c0
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
@DACL=(02 0000)
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=expand:"scecli.dll"
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
@DACL=(02 0000)
@="802.3 Group Policy"
"DisplayName"=expand:"@dot3gpclnt.dll,-100"
"ProcessGroupPolicyEx"="ProcessLANPolicyEx"
"GenerateGroupPolicy"="GenerateLANPolicy"
"DllName"=expand:"dot3gpclnt.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@DACL=(02 0000)
@="Microsoft Offline Files"
"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@DACL=(02 0000)
@="Software Installation"
"DllName"=expand:"appmgmts.dll"
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
@DACL=(02 0000)
@="Internet Explorer Machine Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@DACL=(02 0000)
@="IP Security"
"ProcessGroupPolicy"="ProcessIPSECPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000000
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
@DACL=(02 0000)
"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"
"Logon"="SABWINLOLogon"
"Logoff"="SABWINLOLogoff"
"Startup"="SABWINLOStartup"
"Shutdown"="SABWINLOShutdown"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
@DACL=(02 0000)
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"cryptnet.dll"
"Logoff"="CryptnetWlxLogoffEvent"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
@DACL=(02 0000)
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
@DACL=(02 0000)
"Asynchronous"=dword:00000001
"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"
"Startup"="WlDimsStartup"
"Shutdown"="WlDimsShutdown"
"Logon"="WlDimsLogon"
"Logoff"="WlDimsLogoff"
"StartShell"="WlDimsStartShell"
"Lock"="WlDimsLock"
"Unlock"="WlDimsUnlock"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IntelWireless]
@DACL=(02 0000)
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000
"Dllname"="c:\\Program Files\\Intel\\Wireless\\Bin\\LgNotify.dll"
"Logon"="IntelUserLogon"
"Logoff"="IntelUserLogoff"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
@DACL=(02 0000)
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=expand:"sclgntfy.dll"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
@DACL=(02 0000)
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
@DACL=(02 0000)
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
"ASPNET"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1036)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(1100)
c:\windows\system32\WININET.dll
.
Completion time: 2011-04-24 02:16:18
ComboFix-quarantined-files.txt 2011-04-24 09:16
.
Pre-Run: 32,163,966,976 bytes free
Post-Run: 33,011,601,408 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 64E307D44DE8AFB880291A0B63E53C35

what next?


----------



## egroj (Apr 22, 2011)

sorry Derek, I am falling asleep at the desk. I need to sleep some, I'll be back as soon as I wake up.

cheers.


----------



## dvk01 (Dec 14, 2002)

Download the attached CFScript.txt and save it to your desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press *SAVE * and choose desktop in the list of selections in that window & press save)
*Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running combofix & remember to re-enable it when it has finished*
Close any open browsers 
Then drag the CFScript.txt into the ComboFix.exe or renamed combofix icon as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply

*Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system and will not fix your problem. If you have a similar problem start your own topic in the malware fixing forum *

This will create a zip file inside C:\QooBox\quarantine named something like [38][email protected]

at the end it will pop up an alert & open your browser and ask you to send the zip file

please follow those instructions. We need to see the zip file before we can carry on with the fix

If there is no pop up alert or open browser then

please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and if needed distribute them to antivirus companies.
Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press send to upload the files ( do not post HJT logs there as they will not get dealt with)

Files to submit:
the zip file inside C:\QooBox\quarantine created by combofix named something like [38][email protected]

or to 
http://www.bleepingcomputer.com/submit-malware.php?channel=38


----------



## egroj (Apr 22, 2011)

I dropped the script into combofix and when it was finished a log opened up (log.txt), but I cannot do anything else as everything has disappeared from my desktop. I only have the desktop background and this log.txt file.

I await further instructions.


----------



## dvk01 (Dec 14, 2002)

reboot


----------



## egroj (Apr 22, 2011)

attempted to reboot. got blue screen with: "INVALID_WORK_QUEUE_ITEM".
ok computer's up again!


----------



## egroj (Apr 22, 2011)

found the file, sent as attachment


----------



## dvk01 (Dec 14, 2002)

how is it now
are you having any problems still


----------



## egroj (Apr 22, 2011)

yes, though everything seems a bit faster, as soon as I connected to the web I got a different web site page in a different window.
I don't know if this means anything but I turned the computer on about 5-10 minutes ago and all I've done is connect to the internet, but when I look at the processes in the task manager I see:

iexplorer.exe 78000k mem usage
svchost.exe 35000k mem usage
explorer.exe 31000k mem usage
another iexplorer.exe 21000k mem usage.

All I have open is one page (this) on IE and the task manager.

Also I got another Windows message as usual: "generic host process for win32 has encountered..." the previous time I rebooted.


----------



## dvk01 (Dec 14, 2002)

Download MBR Check to your desktop


Right click *MBRcheck.exe* and select *Run as Administrator* (Vista or windows 7) or Double click *MBRcheck.exe* to run it (XP)
It will show a Black screen with some data on it 
it will create a log called MBRcheck_time and date.txt on desktop 
Post that resultant log here please
Do NOT fix anything or run any suggested fix before we see the report


----------



## egroj (Apr 22, 2011)

In case it is important info. I definitely have a pattern of when I get a pop-up window: when I reboot and then connect to the web for the first time. Here is the log:

MBRCheck, version 1.2.3
(c) 2010, AD
Command-line: 
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c
Kernel Drivers (total 136):
Processes (total 54):
0 System Idle Process
4 System
924 C:\WINDOWS\system32\smss.exe
1016 csrss.exe
1044 C:\WINDOWS\system32\winlogon.exe
1096 C:\WINDOWS\system32\services.exe
1108 C:\WINDOWS\system32\lsass.exe
1280 C:\WINDOWS\system32\svchost.exe
1372 svchost.exe
1428 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
1536 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
1592 C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
1644 C:\WINDOWS\system32\svchost.exe
1652 C:\WINDOWS\explorer.exe
1800 svchost.exe
1884 svchost.exe
200 C:\WINDOWS\system32\spoolsv.exe
272 svchost.exe
340 C:\WINDOWS\system32\svchost.exe
356 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
400 C:\Program Files\Bonjour\mDNSResponder.exe
508 C:\WINDOWS\ehome\ehrecvr.exe
656 C:\WINDOWS\ehome\ehSched.exe
940 C:\WINDOWS\system32\svchost.exe
1320 C:\Program Files\Common Files\Motive\McciCMService.exe
1664 C:\WINDOWS\system32\svchost.exe
1748 C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
1968 C:\WINDOWS\system32\svchost.exe
2004 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
496 svchost.exe
576 C:\WINDOWS\system32\svchost.exe
1520 C:\WINDOWS\system32\dllhost.exe
2092 wmiprvse.exe
2268 alg.exe
2420 C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
2428 C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
2436 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
2444 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
2564 C:\Program Files\Apoint\Apoint.exe
2572 C:\WINDOWS\ehome\ehtray.exe
2600 C:\Program Files\Common Files\Java\Java Update\jusched.exe
2608 C:\PROGRA~1\WinFax\WFXSWTCH.exe
2616 C:\WINDOWS\system32\WFXSNT40.EXE
2656 C:\Program Files\HP\HP Software Update\hpwuschd2.exe
2680 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
2692 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
2920 C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
2928 C:\WINDOWS\ehome\ehmsas.exe
3156 C:\Program Files\Apoint\hidfind.exe
3172 C:\Program Files\Apoint\ApntEx.exe
3976 C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
4024 C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
4064 C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
3672 C:\Documents and Settings\Jorge\Desktop\MBRCheck.exe
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00 (NTFS)
PhysicalDrive0 Model Number: HTS548080M9AT00, Rev: MG4OA5EA
Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

Done!
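What MBRCheck reports above (boot signature, partition offset, a SHA1 of the MBR code) and what the ComboFix log's "user & kernel MBR OK" line checks can both be reproduced on a raw 512-byte sector. The Python below is an added example, not part of the thread and not code from MBRCheck or ComboFix; the sample sector is constructed so its first partition starts at the byte offset 0x036e8e00 the log reports, and the choice to hash only the 440-byte code area is an assumption about what MBRCheck hashes.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"
BOOT_CODE_LEN = 440          # code area; bytes 440..443 hold the NT disk signature
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(lba_start: int = 112455, sectors: int = 156_000_000) -> bytes:
    """Constructed 512-byte MBR used as sample input (hypothetical, not a disk image).

    The default LBA start is 0x036e8e00 / 512, i.e. the partition offset
    reported in the MBRCheck log above, so the parsed byte offset matches it.
    """
    # A few plausible first instructions, zero-padded: a stand-in for real boot code
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(BOOT_CODE_LEN, b"\x00")
    disk_signature = struct.pack("<I", 0x1234ABCD)  # constructed NT disk signature
    reserved = b"\x00\x00"
    ntfs_entry = struct.pack(ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07,
                             b"\x00\x00\x00", lba_start, sectors)
    empty_entry = b"\x00" * PARTITION_ENTRY_SIZE
    return boot_code + disk_signature + reserved + ntfs_entry + empty_entry * 3 + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Decode the partition table, the boot signature and a hash of the boot code."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + index * PARTITION_ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            ENTRY_FMT, sector[offset:offset + PARTITION_ENTRY_SIZE])
        if ptype == 0:          # unused slot
            continue
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,       # 0x07 = NTFS/HPFS/exFAT
            "lba_start": lba,
            "sectors": count,
            "byte_offset": lba * SECTOR_SIZE,
        })
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "disk_signature": struct.unpack("<I", sector[440:444])[0],
        # Hashing only the code area keeps the value stable across disks whose
        # partition tables differ; which bytes MBRCheck hashes is an assumption here.
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "partitions": partitions,
    }


def classify_mbr(sector: bytes, known_good_sha1: set) -> str:
    """Mirror MBRCheck's verdict: known code, unknown code, or not a valid MBR."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "invalid: missing 0x55AA boot signature"
    if info["boot_code_sha1"] in known_good_sha1:
        return "known-good MBR code"
    return "unknown MBR code: inspect before trusting the boot path"


def reads_agree(user_mode_read: bytes, kernel_mode_read: bytes) -> bool:
    """ComboFix's 'user & kernel MBR OK' idea: the sector read through the normal
    file API and the one read at a lower level must be byte-identical. A disk
    filter that hides modified sectors from one path shows up as a mismatch."""
    return user_mode_read == kernel_mode_read


if __name__ == "__main__":
    sample = build_sample_mbr()
    details = parse_mbr(sample)
    print(f"boot signature ok: {details['signature_ok']}")
    for part in details["partitions"]:
        print(f"partition {part['index']}: type 0x{part['type']:02X} "
              f"at byte offset 0x{part['byte_offset']:08x}")
    print("SHA1:", details["boot_code_sha1"])
    print(classify_mbr(sample, known_good_sha1={details["boot_code_sha1"]}))
    print("user/kernel reads agree:", reads_agree(sample, sample))
```

On a real system the same parser can be fed the first 512 bytes of \\.\PhysicalDrive0 read by two different paths, and a mismatch or an unknown code hash is the signal a bootkit check is looking for.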


----------



## dvk01 (Dec 14, 2002)

reset your router to default & change the router DNS settings to one of the free ones shown here http://hijack-this.co.uk/2010/09/list-of-public-dns-services/

see if that solves it
are you still getting diverts when searching


----------



## dvk01 (Dec 14, 2002)

Please download Malwarebytes' Anti-Malware to your desktop
from HERE or HERE

Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to the following:

Update Malwarebytes' Anti-Malware. Launch Malwarebytes' Anti-Malware. Then click Finish.

If an update is found, it will download and install the latest version. Press Update to make sure the latest database is loaded. 
Once the program has loaded, select Perform full scan, then click Scan. 
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. 
Please include this log in your next reply.

It might ask you to reboot to finish cleaning. Please do so. ( Press YES on the alert) 
If you receive an (Error Loading xxxxxxxxxx .dll) error on reboot please reboot a second time . It is normal for this error to occur once and does not need to be reported unless it continues on every boot


----------



## egroj (Apr 22, 2011)

still working on the DNS setting, got another generic host process error and, shortly after, everything froze. I just rebooted and got another pop-up right away. I have not been redirected for a time while doing searches. working on DNS right now.

should I install MBAM right after changing DNS or reboot first? (maybe to see if that helps on its own with the pop-up)


----------



## egroj (Apr 22, 2011)

by the way I mysteriously got a new internet explorer icon on my desktop (not a shortcut)!


----------



## dvk01 (Dec 14, 2002)

run mbam & lets see what it finds


----------



## egroj (Apr 22, 2011)

ok, got new DNS working (from norton) after another freeze, rebooted and this time didn't get pop-up when connecting to web for first time.

-- sorry, I did the above before reading your last message -- I am downloading MBAM now


----------



## egroj (Apr 22, 2011)

As I was ready to click SCAN I got another generic host process error, then when I opened internet explorer to send this log I got a full window pop-up again.

Here is the log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6443
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
25/04/2011 12:32:09 PM
mbam-log-2011-04-25 (12-32-09).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 248429
Time elapsed: 1 hour(s), 0 minute(s), 32 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)


----------



## dvk01 (Dec 14, 2002)

OK, let's see what this shows

Download *OTS.exe *to your Desktop 

Close any open browsers.
Double-click on *OTS.exe* to start the program.
If your real-time protection or Antivirus intervenes with OTS, allow it to run.
In the *Processes* group click *ALL*
In the *modules* group click *ALL*
In the *Services* group click *Safe List*
In the *Drivers* group click *Safe List*
In the *Registry* group click *ALL*
In the *Files Age* drop down box click *90 days*
Make sure use company name white list and skip Microsoft files boxes are checked
In the Files created and Files modified groups select *whitelist/file age*
in the *Additional scans sections* please select *Everything* and make sure safe list box is checked
Now on the toolbar at the top select "Scan all users" then click the *Run Scan* button
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file 
Use the *Reply* button and *attach the notepad file here*. I will review it when it comes in.

It will be much too big so you will need to zip the file before it will be able to be uploaded


----------



## egroj (Apr 22, 2011)

Here it is. I believe I checked everything as instructed.


----------



## dvk01 (Dec 14, 2002)

Start *OTS*. Copy/Paste the information in the Code box below into the pane where it says *"Paste fix here"* and then click the Run Fix button.


```
[Kill All Processes]
[Unregister Dlls]
[Processes - All]
YY -> ufdirtkq.exe -> C:\Documents and Settings\All Users\Application Data\uFdIrtkq.exe
YY -> hki8790.exe -> C:\WINDOWS\Temp\hki8790.exe
YY -> setup.exe -> C:\WINDOWS\Temp\qqbf\setup.exe
[Files/Folders - Created Within 90 Days]
NY ->  4833ECA1A8523BEFA28FD8E0B086A3DE -> C:\Documents and Settings\Jorge\Application Data\4833ECA1A8523BEFA28FD8E0B086A3DE
NY ->  kMp06509aAaDo06509 -> C:\Documents and Settings\All Users\Application Data\kMp06509aAaDo06509
NY ->  {39DCA268-5E38-4DF4-B70D-879F496580B6} -> C:\Documents and Settings\Jorge\Local Settings\Application Data\{39DCA268-5E38-4DF4-B70D-879F496580B6}
NY ->  7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Files/Folders - Modified Within 90 Days]
NY ->  yXxAL4.dat -> C:\Documents and Settings\All Users\Application Data\yXxAL4.dat
NY ->  uFdIrtkq.exe_ -> C:\Documents and Settings\All Users\Application Data\uFdIrtkq.exe_
NY ->  uFdIrtkq.exe -> C:\Documents and Settings\All Users\Application Data\uFdIrtkq.exe
NY ->  DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> C:\Documents and Settings\Jorge\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
NY ->  Nxacebicitaq.dat -> C:\WINDOWS\Nxacebicitaq.dat
[Files - No Company Name]
NY ->  uFdIrtkq.exe_ -> C:\Documents and Settings\All Users\Application Data\uFdIrtkq.exe_
NY ->  uFdIrtkq.exe -> C:\Documents and Settings\All Users\Application Data\uFdIrtkq.exe
NY ->  yXxAL4.dat -> C:\Documents and Settings\All Users\Application Data\yXxAL4.dat
NY ->  Nxacebicitaq.dat -> C:\WINDOWS\Nxacebicitaq.dat
[Alternate Data Streams]
NY -> @Alternate Data Stream - 151 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
[Empty Temp Folders]
[EmptyFlash]
[Start Explorer]
[ZipFiles]
[Reboot]
```
The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. *Post that information back here*.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.


----------



## egroj (Apr 22, 2011)

Last night I had the computer on for a while. I kept having the same host of problems, plus every once in a while I'd hear the Windows warning bell (like when you click to close an application but are asked if you want to save contents first). I couldn't see anything extraordinary happening at the time though.

Also, a bit after OTS finished the first time I was requested to use it (last night), I had the CPU going at 100% for quite a while and, yes, there was a setup.exe going hard at it. Then, before I turned the computer off for the evening, in the right corner of the taskbar I had the little Windows Security icon saying that an important (security?) update had just been installed and the computer needed to be restarted.

Well, here is the log. Unfortunately, as soon as I opened up my browser I got the internet pop-up window again (Walmart this time).

All Processes Killed
[Processes - All]
No active process named ufdirtkq.exe was found!
C:\Documents and Settings\All Users\Application Data\uFdIrtkq.exe moved successfully.
No active process named hki8790.exe was found!
C:\WINDOWS\Temp\hki8790.exe moved successfully.
No active process named setup.exe was found!
C:\WINDOWS\Temp\qqbf\setup.exe moved successfully.
[Files/Folders - Created Within 90 Days]
C:\Documents and Settings\Jorge\Application Data\4833ECA1A8523BEFA28FD8E0B086A3DE folder moved successfully.
C:\Documents and Settings\All Users\Application Data\kMp06509aAaDo06509 folder moved successfully.
C:\Documents and Settings\Jorge\Local Settings\Application Data\{39DCA268-5E38-4DF4-B70D-879F496580B6}\chrome\content folder moved successfully.
C:\Documents and Settings\Jorge\Local Settings\Application Data\{39DCA268-5E38-4DF4-B70D-879F496580B6}\chrome folder moved successfully.
C:\Documents and Settings\Jorge\Local Settings\Application Data\{39DCA268-5E38-4DF4-B70D-879F496580B6} folder moved successfully.
C:\WINDOWS\002987_.tmp deleted successfully.
C:\WINDOWS\msdownld.tmp folder deleted successfully.
C:\WINDOWS\SET2D.tmp deleted successfully.
C:\WINDOWS\SET2E.tmp deleted successfully.
C:\WINDOWS\SET3.tmp deleted successfully.
C:\WINDOWS\SET4.tmp deleted successfully.
C:\WINDOWS\SET8.tmp deleted successfully.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
[Files/Folders - Modified Within 90 Days]
C:\Documents and Settings\All Users\Application Data\yXxAL4.dat moved successfully.
File C:\Documents and Settings\All Users\Application Data\uFdIrtkq.exe_ not found!
File C:\Documents and Settings\All Users\Application Data\uFdIrtkq.exe not found!
C:\Documents and Settings\Jorge\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini moved successfully.
C:\WINDOWS\Nxacebicitaq.dat moved successfully.
[Files - No Company Name]
File C:\Documents and Settings\All Users\Application Data\uFdIrtkq.exe_ not found!
File C:\Documents and Settings\All Users\Application Data\uFdIrtkq.exe not found!
File C:\Documents and Settings\All Users\Application Data\yXxAL4.dat not found!
File C:\WINDOWS\Nxacebicitaq.dat not found!
[Alternate Data Streams]
ADS C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4 deleted successfully.
[Empty Temp Folders]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56502 bytes

User: Jorge
->Temp folder emptied: 1258282 bytes
->Temporary Internet Files folder emptied: 37753868 bytes
->Java cache emptied: 10168 bytes
->Flash cache emptied: 101590 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 25981474 bytes
->Java cache emptied: 9228 bytes
->Flash cache emptied: 18434 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 40163515 bytes
->Java cache emptied: 16910 bytes
->Flash cache emptied: 12582 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 83807 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34318 bytes
RecycleBin emptied: 626451 bytes

Total Files Cleaned = 101.00 mb

[EMPTYFLASH]

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: Jorge
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

< End of fix log >
OTS by OldTimer - Version 3.1.42.0 fix logfile created on 04262011_113822
Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\hlktmp scheduled to be moved on reboot.
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_210.dat not found!
Registry entries deleted on Reboot...


----------



## dvk01 (Dec 14, 2002)

Go to Add/Remove Programs and uninstall
Advertising Center


----------



## egroj (Apr 22, 2011)

Can't find anything by that name anywhere (Add/Remove Programs, program folders, doing a file/folder Explorer search).


----------



## dvk01 (Dec 14, 2002)

Run DDS again and post both its logs.


----------



## egroj (Apr 22, 2011)

Here they are:

.
DDS (Ver_11-03-05.01) - NTFSx86 
Run by Jorge at 12:43:24.40 on 26/04/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1334 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Norton DNS\NortonDNSSvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Norton DNS\NortonDNSTray.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Jorge\Desktop\dds.com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/ig?hl=en
uInternet Settings,ProxyOverride = *.local
BHO: AutorunsDisabled - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
mRun: [IntelZeroConfig] c:\program files\intel\wireless\bin\ZCfgSvc.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [pdfFactory Pro Dispatcher v3] "c:\windows\system32\spool\drivers\w32x86\3\fppdis3a.exe" /source=HKLM
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [WFXSwtch] c:\progra~1\winfax\WFXSWTCH.exe
mRun: [WinFaxAppPortStarter] wfxsnt40.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-unins...zEtRkwxMCsxLVNVRCsx"&"prod=55"&"ver=10.0.1321
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\norton~1.lnk - c:\program files\norton dns\NortonDNSTray.exe
uPolicies-explorer: GreyMSIAds = 0 (0x0)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://design-concept.ca/Core/Player/2020PlayerAX_Win32.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219981782196
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} - hxxps://www2.gotomeeting.com/default/applets/g2mdlax.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - hxxp://ec2-174-129-18-125.compute-1.amazonaws.com/intel-systeminfo-api/receivers/FMSI.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
TCP: {14A59767-3B74-4BD3-A4F2-6DD9C92B5BAB} = 198.153.192.1,198.153.194.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-8 64288]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-10 14336]
R2 Norton DNS;Norton DNS;c:\program files\norton dns\NortonDNSSvc.exe [2010-10-13 97664]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-2 136176]
S3 cpuz130;cpuz130;\??\c:\docume~1\jorge\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\jorge\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 cpuz132;cpuz132;\??\c:\docume~1\jorge\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\jorge\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-5-2 136176]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
.
=============== File Associations ===============
.
.scr=AutoCADScriptFile
.
=============== Created Last 30 ================
.
2011-04-26 18:38:22 -------- d-----w- C:\_OTS
2011-04-25 18:30:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-25 18:30:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-25 18:30:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-25 18:08:38 -------- d-----w- c:\program files\Norton DNS
2011-04-25 18:08:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton
2011-04-24 08:54:37 -------- d-sha-r- C:\cmdcons
2011-04-24 08:50:09 98816 ----a-w- c:\windows\sed.exe
2011-04-24 08:50:09 89088 ----a-w- c:\windows\MBR.exe
2011-04-24 08:50:09 256512 ----a-w- c:\windows\PEV.exe
2011-04-24 08:50:09 161792 ----a-w- c:\windows\SWREG.exe
2011-04-21 17:31:20 -------- d-----w- C:\Settings
2011-04-15 01:20:30 -------- d-----w- c:\program files\common files\Futuremark Shared
2011-04-07 07:21:21 -------- d-----w- c:\docume~1\jorge\applic~1\HpUpdate
2011-04-07 07:21:15 -------- d-----w- c:\windows\Hewlett-Packard
2011-04-06 04:51:06 -------- d-----w- c:\program files\ScreenRecorder
2011-04-06 04:50:27 -------- d-----w- c:\windows\system32\windows media
2011-04-06 04:50:06 -------- d-----w- c:\program files\Windows Media Components
2011-04-06 04:47:38 -------- d-----w- C:\UtilityOnlineMarch09
2011-04-03 02:11:50 -------- d-----w- c:\docume~1\alluse~1\applic~1\mytaxexpress
2011-04-03 02:11:34 -------- d-----w- C:\myTaxExpress
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-07 01:50:11 41 ----a-w- c:\windows\WFXDEL.BAT
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25:52 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-05 01:48:32 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-05 01:48:30 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HTS548080M9AT00 rev.MG4OA5EA -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89DA74F0]<< 
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89dad7d0]; MOV EAX, [0x89dad84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x89D9FAB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x89DC6030]
\Driver\atapi[0x89DD3B70] -> IRP_MJ_CREATE -> 0x89DA74F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x89DA733B
user & kernel MBR OK 
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 12:45:18.56 ===============
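
The GMER section at the end of that DDS log is the key evidence: a hook on `\Driver\atapi DriverStartIo` pointing at `0x89DA733B`, and an `UNKNOWN` module at `0x89DA74F0` in the disk call chain, both at addresses where none of the listed driver images is mapped. As an added example (not part of this thread, and not code from DDS, GMER or SysProt), the Python script below parses those lines and checks each code address against a kernel module map. The excerpt is a constructed copy of the GMER lines above, and the module base/end values are copied from the SysProt "Kernel Modules" listing posted later in this thread. A hook target that falls inside no loaded driver image is code living in kernel pool, which is exactly what a TDL3-style DriverStartIo hook looks like; the legitimate `ntkrnlpa!IofCallDriver` and `CLASSPNP` addresses in the same trace resolve cleanly and act as a control.

```python
"""Triage of the GMER MBR/rootkit section of a DDS log.

Added example, not part of the thread or of DDS/GMER/SysProt. It reads the
"Disk trace" and "detected hooks" lines and flags any code address that does
not fall inside a loaded kernel module image.
"""
import re

# Constructed excerpt of the GMER section from the DDS log in this thread.
GMER_EXCERPT = """\
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89DA74F0]<<
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \\Device\\Harddisk0\\DR0[0x89D9FAB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x89DC6030]
\\Driver\\atapi[0x89DD3B70] -> IRP_MJ_CREATE -> 0x89DA74F0
detected disk devices:
detected hooks:
\\Driver\\atapi DriverStartIo -> 0x89DA733B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""

# Kernel module map (image base, image end) for the modules that matter here,
# copied from the SysProt "Kernel Modules" listing in this thread.
KERNEL_MODULES = {
    "ntkrnlpa.exe": (0x804D7000, 0x806D0380),
    "hal.dll":      (0x806D1000, 0x806F1300),
    "KDCOM.DLL":    (0x89DE6000, 0x89DE9000),
    "atapi.sys":    (0xB9EED000, 0xB9F05000),
    "disk.sys":     (0xBA0F8000, 0xBA101000),
    "CLASSPNP.SYS": (0xBA108000, 0xBA115000),
}

# "\Driver\atapi DriverStartIo -> 0x89DA733B"
HOOK_RE = re.compile(r"^(\S+)\s+(\w+)\s+->\s+0x([0-9A-Fa-f]+)\s*$")
# ">>UNKNOWN [0x89DA74F0]<<" inside the "called modules:" line
UNKNOWN_RE = re.compile(r">>UNKNOWN \[0x([0-9A-Fa-f]+)\]<<")


def resolve_module(addr, modules=KERNEL_MODULES):
    """Return the name of the module whose image range contains addr, or None."""
    for name, (base, end) in modules.items():
        if base <= addr < end:
            return name
    return None


def parse_hooks(text):
    """Yield (driver, routine, target) for each line under 'detected hooks:'."""
    in_hooks = False
    for line in text.splitlines():
        if line.startswith("detected hooks:"):
            in_hooks = True
            continue
        if not in_hooks:
            continue
        m = HOOK_RE.match(line)
        if not m:
            break  # the hook block ends at the first line that is not a hook
        yield m.group(1), m.group(2), int(m.group(3), 16)


def triage(text, modules=KERNEL_MODULES):
    """Return findings as (kind, detail, module_or_None) tuples."""
    findings = []
    for drv, routine, target in parse_hooks(text):
        findings.append(("hook", f"{drv} {routine} -> {target:#010x}",
                         resolve_module(target, modules)))
    for m in UNKNOWN_RE.finditer(text):
        addr = int(m.group(1), 16)
        findings.append(("unknown-module", f"{addr:#010x}",
                         resolve_module(addr, modules)))
    return findings


def suspicious(findings):
    """Findings whose code address lies outside every loaded module image."""
    return [f for f in findings if f[2] is None]


if __name__ == "__main__":
    for kind, detail, mod in triage(GMER_EXCERPT):
        verdict = mod or "NOT IN ANY LOADED MODULE (pool-resident code?)"
        print(f"{kind:15} {detail:48} -> {verdict}")
```

Run against the excerpt, both the DriverStartIo target and the UNKNOWN module address come back unresolved, while the IofCallDriver and CLASSPNP addresses map to their images. That is the check to repeat after any cleaning attempt: the hook is gone only when `detected hooks:` is empty or every target resolves to a legitimate driver.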


----------



## dvk01 (Dec 14, 2002)

It is definitely showing in the list of installed programs, so now it is a matter of looking for where it actually is.

Open HijackThis, press Config => Misc Tools => Open Uninstall Manager.

Look down the list there for it and then select it, and it should appear in the little window beside Uninstall Command.
Copy what is written there and post that back here.


----------



## dvk01 (Dec 14, 2002)

And also let's try this.

Run TDSSKiller from http://support.kaspersky.com/viruses/solutions?qid=208280684

Let it cure anything it finds (except SPTD.SYS, which should be ignored) and then reboot.

Post back with its log.


----------



## egroj (Apr 22, 2011)

From HJT:

MsiExec.exe /X{B2EC4A38-B545-4A00-8214-13FE0E915E6D}


----------



## egroj (Apr 22, 2011)

Downloaded TDSS and tried to run it, but at 80% initialization I keep getting the error:

"TDSS rootkit removing tool has encountered a problem and needs to close..."


----------



## dvk01 (Dec 14, 2002)

Try TDSSKiller in Safe Mode.

Go to Start/Run and paste in this line:
MsiExec.exe /X{B2EC4A38-B545-4A00-8214-13FE0E915E6D}

Press OK and that should uninstall the Advertising Center.


----------



## egroj (Apr 22, 2011)

I tried to start it in Safe Mode and got the same previous error. I tried to reboot in Safe Mode again to give it another try and got a blue error screen:

"IRQL_NOT_LESS_OR_EQUAL"

Tried to reboot again in Safe Mode and got another blue screen error:

"INVALID_WORK_QUEUE_ITEM"

Tried for a third time and no go, got the first message again: "IRQL..."

I can still reboot in Normal Mode, however, but still no luck with TDSS.


----------



## egroj (Apr 22, 2011)

I tried to remove Advertising Center as per instructions and got the following:

One window saying: "This .msi file cannot be executed. Please start Setup.exe to install this application", with only one button, "OK".

Concurrently I had another window: "Please wait while Windows configures Advertising Center"; it had only one button, "Cancel" (no "x" at the top right corner). Both windows disappeared when I clicked on the "x" of the first one.

I'll take no further action until directed to do so...


----------



## dvk01 (Dec 14, 2002)

OK, forget the Advertising Center. I have found out that it is a part of Nero and unlikely to be causing the pop-up ads you have been getting.
You do seem to have a TDSS rootkit, but it is proving hard to fix.

See if GMER will run now. Until we can see which files are infected we can't attempt a fix.


----------



## egroj (Apr 22, 2011)

OK, coming up.


----------



## egroj (Apr 22, 2011)

Derek,

According to the instructions GMER should do a quick scan upon clicking. I am running into the same problem as last time (see post #10). This is the log that comes out right after I start the application:

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit quick scan 2011-04-26 23:43:58
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 HTS548080M9AT00 rev.MG4OA5EA
Running: iqrt383c.exe; Driver: C:\DOCUME~1\Jorge\LOCALS~1\Temp\ugtdrpog.sys

---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----

Should I just click on Scan, and if so should I still uncheck IAT/EAT? (Remember last time it ran for 6 hrs before it froze.)


----------



## dvk01 (Dec 14, 2002)

Yes, please try and do a full scan.
If it won't work then try this one.

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

Start the Sysprot.exe program.


1. Click on the Log tab.
2. In the Write to log box select all items.
3. Click on the Create Log button on the bottom right.
4. After a few seconds a new window should appear.
5. Make sure Scan all drives is selected and click on the Start button.
6. When it is complete a new window will appear to indicate that the scan is finished.
7. The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.

However, as GMER won't run and TDSSKiller won't run, I think we are almost out of options and might have to end up formatting and reinstalling.


----------



## egroj (Apr 22, 2011)

Well, I ran GMER and after about 5 hours or so it froze again, so time to try SysProt AntiRootkit.


----------



## egroj (Apr 22, 2011)

SOME MORE INFO IN CASE IT IS RELEVANT:

I just tried to reboot after the freeze and got a blue screen that says:

"CHECKING FILE SYSTEM ON C:
one of your disks needs to be checked for consistency"

CHKDSK went through the 3 steps and after quite a while there was a bunch of stuff scrolling quite rapidly, and then the computer shut off and restarted again.
So far everything seems back to as before running GMER.


----------



## egroj (Apr 22, 2011)

Here is the SysProt log:

SysProt AntiRootkit v1.0.1.0
by swatkat
******************************************************************************************
******************************************************************************************
Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No
Name: System
PID: 4
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\smss.exe
PID: 732
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\csrss.exe
PID: 832
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\winlogon.exe
PID: 1032
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\services.exe
PID: 1080
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\lsass.exe
PID: 1092
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe
PID: 1264
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe
PID: 1356
Hidden: No
Window Visible: No
Name: C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PID: 1420
Hidden: No
Window Visible: No
Name: C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PID: 1512
Hidden: No
Window Visible: No
Name: C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
PID: 1576
Hidden: No
Window Visible: No
Name: C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
PID: 1648
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe
PID: 1696
Hidden: No
Window Visible: No
Name: C:\WINDOWS\explorer.exe
PID: 1876
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe
PID: 1896
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe
PID: 1992
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\spoolsv.exe
PID: 368
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe
PID: 448
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe
PID: 508
Hidden: No
Window Visible: No
Name: C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PID: 540
Hidden: No
Window Visible: No
Name: C:\Program Files\Bonjour\mDNSResponder.exe
PID: 644
Hidden: No
Window Visible: No
Name: C:\WINDOWS\ehome\ehrecvr.exe
PID: 720
Hidden: No
Window Visible: No
Name: C:\WINDOWS\ehome\ehSched.exe
PID: 792
Hidden: No
Window Visible: No
Name: C:\Program Files\Google\Update\GoogleUpdate.exe
PID: 924
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe
PID: 1288
Hidden: No
Window Visible: No
Name: C:\Program Files\Common Files\Motive\McciCMService.exe
PID: 1604
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe
PID: 1784
Hidden: No
Window Visible: No
Name: C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
PID: 1824
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe
PID: 2068
Hidden: No
Window Visible: No
Name: C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PID: 2168
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe
PID: 2300
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe
PID: 2396
Hidden: No
Window Visible: No
Name: C:\Program Files\Norton DNS\NortonDNSSvc.exe
PID: 2484
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\wbem\wmiprvse.exe
PID: 2612
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\wbem\unsecapp.exe
PID: 2740
Hidden: No
Window Visible: No
Name: C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
PID: 2852
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\wbem\wmiprvse.exe
PID: 2972
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\dllhost.exe
PID: 3020
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\wscntfy.exe
PID: 3344
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\alg.exe
PID: 3432
Hidden: No
Window Visible: No
Name: C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
PID: 3712
Hidden: No
Window Visible: No
Name: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
PID: 3720
Hidden: No
Window Visible: No
Name: C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
PID: 3776
Hidden: No
Window Visible: No
Name: C:\Program Files\Apoint\Apoint.exe
PID: 3784
Hidden: No
Window Visible: No
Name: C:\WINDOWS\ehome\ehtray.exe
PID: 3796
Hidden: No
Window Visible: No
Name: C:\Program Files\Common Files\Java\Java Update\jusched.exe
PID: 3836
Hidden: No
Window Visible: No
Name: C:\PROGRA~1\WinFax\WFXSWTCH.exe
PID: 3856
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\WFXSNT40.EXE
PID: 3876
Hidden: No
Window Visible: No
Name: C:\Program Files\HP\HP Software Update\hpwuschd2.exe
PID: 3944
Hidden: No
Window Visible: No
Name: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PID: 3972
Hidden: No
Window Visible: No
Name: C:\WINDOWS\ehome\ehmsas.exe
PID: 3996
Hidden: No
Window Visible: No
Name: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
PID: 4016
Hidden: No
Window Visible: No
Name: C:\Program Files\Norton DNS\NortonDNSTray.exe
PID: 4036
Hidden: No
Window Visible: No
Name: C:\Program Files\Apoint\hidfind.exe
PID: 2932
Hidden: No
Window Visible: No
Name: C:\Program Files\Apoint\ApntEx.exe
PID: 1144
Hidden: No
Window Visible: No
Name: C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
PID: 2248
Hidden: No
Window Visible: No
Name: C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
PID: 2804
Hidden: No
Window Visible: No
Name: C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
PID: 3844
Hidden: No
Window Visible: No
Name: C:\Documents and Settings\Jorge\Desktop\SysProt\SysProt\SysProt.exe
PID: 3704
Hidden: No
Window Visible: Yes
******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Documents and Settings\Jorge\Desktop\SysProt\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: A1AA9000
Module End: A1AB4000
Hidden: No
Module Name: \WINDOWS\system32\ntkrnlpa.exe
Service Name: ---
Module Base: 804D7000
Module End: 806D0380
Hidden: No
Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806D1000
Module End: 806F1300
Hidden: No
Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: 89DE6000
Module End: 89DE9000
Hidden: No
Module Name: \WINDOWS\system32\BOOTVID.dll
******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwCreateKey
Address: BA11887E
Driver Base: BA118000
Driver End: BA127000
Driver Name: Lbd.sys
Function Name: ZwSetValueKey
Address: BA118BFE
Driver Base: BA118000
Driver End: BA127000
Driver Name: Lbd.sys
******************************************************************************************
******************************************************************************************
No Kernel Hooks found
******************************************************************************************
******************************************************************************************
No IRP Hooks found
******************************************************************************************
******************************************************************************************
Ports:
******************************************************************************************
******************************************************************************************
Hidden files/folders:


----------



## dvk01 (Dec 14, 2002)

that isn't showing the tdss files either

try this 
http://sites.google.com/site/rootrepeal/


----------



## egroj (Apr 22, 2011)

any special instructions to run ROOTREPEAL?


----------



## dvk01 (Dec 14, 2002)

just run it & post the log it makes


----------



## egroj (Apr 22, 2011)

ROOTREPEAL log:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2011/04/27 15:34
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA3BE6000 Size: 98304 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA65C000 Size: 8192 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA0F07000 Size: 49152 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: c:\windows\temp\hlktmp
Status: Allocation size mismatch (API: 33570816, Raw: 0)
SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xba11887e
#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xba118bfe
==EOF==


----------



## dvk01 (Dec 14, 2002)

That looks like it is showing atapi.sys and wmilib.sys as the culprits so

Download the attached atapi.zip,
save it to desktop & then unzip it so the created files are on desktop,
then

Download the attached CFScript.txt and save it to your desktop (click on the link underneath this post & if you are using Internet Explorer, when the "File download" pop up comes press *SAVE* and choose desktop in the list of selections in that window & press save).
*Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running ComboFix & remember to re-enable it when it has finished.*
Close any open browsers.
Then drag the CFScript.txt into the ComboFix.exe or renamed ComboFix icon as shown in the screenshot below.
This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

*Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script, as it could damage the workings of your system and will not fix your problem. If you have a similar problem, start your own topic in the malware fixing forum.*

This will create a zip file inside C:\QooBox\quarantine named something like [38][email protected]

At the end it will pop up an alert & open your browser and ask you to send the zip file.

Please follow those instructions. We need to see the zip file before we can carry on with the fix.

If there is no pop up alert or open browser then

please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and, if needed, distribute them to antivirus companies.
Just press new topic, fill in the needed details and give a link to your post here, then press the browse button and navigate to & select the files on your computer. If there is more than 1 file, press the more attachments button for each extra file and browse and select etc., and when all the files are listed in the window press send to upload the files (do not post HJT logs there as they will not get dealt with).

Files to submit:
the zip file inside C:\QooBox\quarantine created by combofix named something like [38][email protected]

or to 
http://www.bleepingcomputer.com/submit-malware.php?channel=38


----------



## egroj (Apr 22, 2011)

The only zip file in Qoobox/quarantine is [38]-Submit_2011-04-24_10.52.09 (from the first time I ran ComboFix?) Also "atapi" and "wmilib" were extracted to a folder "atapi" on the desktop. Are they supposed to be out of that folder and be placed directly on the desktop?

COMBOFIX log:

ComboFix 11-04-27.03 - Jorge 28/04/2011 8:35.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1493 [GMT -7:00]
Running from: c:\documents and settings\Jorge\Desktop\username123.exe
Command switches used :: c:\documents and settings\Jorge\Desktop\CFScript.txt
- 2008-07-29 11:54 . 2008-07-29 11:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2008-07-29 10:54 . 2008-07-29 10:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
- 2008-07-29 16:05 . 2008-07-29 16:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2011-04-28 05:14 . 2011-02-03 04:40 157472 c:\windows\system32\javaws.exe
- 2010-10-24 03:34 . 2010-09-15 11:50 145184 c:\windows\system32\javaw.exe
+ 2011-04-28 05:14 . 2011-02-03 04:40 145184 c:\windows\system32\javaw.exe
+ 2011-04-28 05:14 . 2011-02-03 04:40 145184 c:\windows\system32\java.exe
- 2010-10-24 03:34 . 2010-09-15 11:50 145184 c:\windows\system32\java.exe
+ 2011-04-28 05:15 . 2011-04-28 05:15 180224 c:\windows\Installer\132c9.msi
+ 2008-07-29 15:05 . 2008-07-29 15:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
- 2008-07-29 16:05 . 2008-07-29 16:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
- 2008-07-29 16:05 . 2008-07-29 16:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-07-23 401408]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-07-23 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-21 118784]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"pdfFactory Pro Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2008-04-18 520192]
"WFXSwtch"="c:\progra~1\WinFax\WFXSWTCH.exe" [2001-09-10 27648]
"WinFaxAppPortStarter"="wfxsnt40.exe" [2001-09-10 45568]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-02 198160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
Norton DNS Tray Icon.lnk - c:\program files\Norton DNS\NortonDNSTray.exe [2010-10-13 75136]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"GreyMSIAds"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2005-07-23 05:46 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-02 05:45 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1179:UDP"= 1179:UDP:Windows Media Format SDK (wmplayer.exe)
"1178:UDP"= 1178:UDP:Windows Media Format SDK (wmplayer.exe)
"1181:UDP"= 1181:UDP:Windows Media Format SDK (wmplayer.exe)
"1725:TCP"= 1725:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [08/11/2009 11:24 AM 64288]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [10/08/2004 4:00 AM 14336]
R2 Norton DNS;Norton DNS;c:\program files\Norton DNS\NortonDNSSvc.exe [13/10/2010 1:32 PM 97664]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [02/05/2010 9:10 PM 136176]
S3 cpuz130;cpuz130;\??\c:\docume~1\Jorge\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Jorge\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [02/05/2010 9:10 PM 136176]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-03 04:10]
.
2011-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-03 04:10]
.
2011-04-27 c:\windows\Tasks\User_Feed_Synchronization-{DBF522DE-E863-4160-8F68-AE20937E41A5}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
2009-11-10 c:\windows\Tasks\Wise Registry Cleaner 4.job
- c:\program files\Wise Registry Cleaner\WiseRegistryCleaner.exe [2009-11-10 22:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/ig?hl=en
uInternet Settings,ProxyOverride = *.local
TCP: {14A59767-3B74-4BD3-A4F2-6DD9C92B5BAB} = 198.153.192.1,198.153.194.1
.
- - - - ORPHANS REMOVED - - - -
.
Notify-!SASWinLogon - c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-28 08:47
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HTS548080M9AT00 rev.MG4OA5EA -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x89DA733B
user & kernel MBR OK 
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1644491937-1767777339-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
@DACL=(02 0000)
@="Wireless"
"ProcessGroupPolicy"="ProcessWIRELESSPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@DACL=(02 0000)
@="Folder Redirection"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"DllName"=expand:"fdeploy.dll"
"NoMachinePolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"NoGPOListChanges"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=multi:"(Folder Redirection,Application)\00\00"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}]
@DACL=(02 0000)
"Status"=dword:00000000
"RsopStatus"=dword:00000000
"LastPolicyTime"=dword:00efa3b7
"PrevSlowLink"=dword:00000000
"PrevRsopLogging"=dword:00000001
"ForceRefreshFG"=dword:00000000
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=expand:"dskquota.dll"
"ProcessGroupPolicy"="ProcessGroupPolicy"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@DACL=(02 0000)
@="QoS Packet Scheduler"
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
@DACL=(02 0000)
@="Scripts"
"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
"ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"
"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
"DllName"=expand:"gptext.dll"
"NoSlowLink"=dword:00000001
"NoGPOListChanges"=dword:00000001
"NotifyLinkTransition"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@DACL=(02 0000)
@="Internet Explorer Zonemapping"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
@DACL=(02 0000)
@="Internet Explorer User Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=expand:"scecli.dll"
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:000003c0
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
@DACL=(02 0000)
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=expand:"scecli.dll"
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
@DACL=(02 0000)
@="802.3 Group Policy"
"DisplayName"=expand:"@dot3gpclnt.dll,-100"
"ProcessGroupPolicyEx"="ProcessLANPolicyEx"
"GenerateGroupPolicy"="GenerateLANPolicy"
"DllName"=expand:"dot3gpclnt.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@DACL=(02 0000)
@="Microsoft Offline Files"
"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@DACL=(02 0000)
@="Software Installation"
"DllName"=expand:"appmgmts.dll"
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
@DACL=(02 0000)
@="Internet Explorer Machine Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@DACL=(02 0000)
@="IP Security"
"ProcessGroupPolicy"="ProcessIPSECPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000000
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
@DACL=(02 0000)
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
"ASPNET"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1032)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
- - - - - - - > 'lsass.exe'(1092)
c:\windows\system32\WININET.dll
.
Completion time: 2011-04-28 08:52:17
ComboFix-quarantined-files.txt 2011-04-28 15:52
ComboFix2.txt 2011-04-24 18:08
.
Pre-Run: 32,743,038,976 bytes free
Post-Run: 33,125,879,808 bytes free
.
- - End Of File - - 20F0F60FCE3894681CCCAC4BB2C47C27


----------



## egroj (Apr 22, 2011)

The reason I am asking about the ATAPI folder is because I was looking at the file catchme in Qoobox/quarantine and it says:

read file error: C:\WINDOWS\System32\Drivers\dump_atapi.sys, The system cannot find the file specified.
read file error: C:\WINDOWS\system32\drivers\Suspect_dump_atapi.sys.vir, The system cannot find the file specified.
read file error: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS, The system cannot find the file specified.
read file error: C:\WINDOWS\system32\drivers\Suspect_dump_WMILIB.SYS.vir, The system cannot find the file specified.

I am tempted to run the script again and then combofix, but I don't want to screw things up any further. I'll wait for further instructions.

I am sorry if I did screw things up; my head is truly spinning trying to follow all this. I thank you for your steady patience.


----------



## dvk01 (Dec 14, 2002)

Yes, they should be directly on the desktop.
Please move them to the desktop and run the script again.


----------



## egroj (Apr 22, 2011)

Ran combofix again, as per your last post. As in previous times, the desktop disappeared after the .txt log opened up, so I turned the computer off and back on. Still nothing in Qoobox other than the old zip file and the other existing stuff.

Ran combofix again with the Windows firewall off, and still no new zip file, or new catchme file for that matter. I don't think I am performing any missteps...

COMBOFIX log:

ComboFix 11-04-28.01 - Jorge 28/04/2011 11:52:03.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1554 [GMT -7:00]
Running from: c:\documents and settings\Jorge\Desktop\username123.exe
Command switches used :: c:\documents and settings\Jorge\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\documents and settings\Jorge\Desktop\atapi.sys --> c:\windows\system32\drivers\atapi.sys
c:\documents and settings\Jorge\Desktop\wmilib.sys --> c:\windows\system32\drivers\wmilib.sys
.
((((((((((((((((((((((((( Files Created from 2011-03-28 to 2011-04-28 )))))))))))))))))))))))))))))))
.
.
2011-04-28 05:15 . 2011-04-28 05:15 -------- d-----w- c:\program files\Common Files\Java
2011-04-27 22:01 . 2011-04-27 22:02 -------- d-----w- c:\documents and settings\Administrator
2011-04-26 18:38 . 2011-04-26 18:38 -------- d-----w- C:\_OTS
2011-04-25 18:30 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-25 18:30 . 2011-04-25 18:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-25 18:30 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-25 18:08 . 2011-04-25 18:08 -------- d-----w- c:\program files\Norton DNS
2011-04-25 18:08 . 2011-04-25 18:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2011-04-21 20:46 . 2011-04-21 20:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2011-04-21 20:46 . 2011-04-21 20:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-04-21 17:31 . 2011-04-21 17:31 -------- d-----w- C:\Settings
2011-04-21 08:42 . 2011-04-21 08:42 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2011-04-21 08:42 . 2011-04-21 08:42 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-04-15 01:20 . 2011-04-15 01:20 -------- d-----w- c:\program files\Common Files\Futuremark Shared
2011-04-07 07:21 . 2011-04-14 15:15 -------- d-----w- c:\documents and settings\Jorge\Application Data\HpUpdate
2011-04-07 07:21 . 2011-04-07 07:21 -------- d-----w- c:\windows\Hewlett-Packard
2011-04-06 04:51 . 2011-04-06 04:51 -------- d-----w- c:\program files\ScreenRecorder
2011-04-06 04:50 . 2011-04-06 04:50 -------- d-----w- c:\windows\system32\windows media
2011-04-06 04:50 . 2011-04-06 04:50 -------- d-----w- c:\program files\Windows Media Components
2011-04-06 04:47 . 2011-04-06 04:49 -------- d-----w- C:\UtilityOnlineMarch09
2011-04-03 02:11 . 2011-04-03 02:11 -------- d-----w- c:\documents and settings\All Users\Application Data\mytaxexpress
2011-04-03 02:11 . 2011-04-03 02:11 -------- d-----w- C:\myTaxExpress
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-28 15:25 . 2004-08-10 11:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2011-04-28 15:25 . 2004-08-10 11:00 4352 ----a-w- c:\windows\system32\drivers\wmilib.sys
2011-04-26 21:44 . 2008-08-28 11:05 90112 ----a-w- c:\windows\DUMP3fd7.tmp
2011-04-26 21:40 . 2008-08-28 11:05 90112 ----a-w- c:\windows\DUMP4100.tmp
2011-03-07 05:33 . 2008-08-28 19:40 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-07 01:50 . 2008-08-29 05:22 41 ----a-w- c:\windows\WFXDEL.BAT
2011-03-04 06:37 . 2004-08-10 11:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-10 11:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-10 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-10 11:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-10 11:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2004-08-10 11:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-10 11:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-04-16 02:42 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-10 11:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25 . 2008-08-29 02:51 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-08 13:33 . 2004-08-10 11:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-10 11:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-05 01:48 . 2004-08-10 11:00 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-05 01:48 . 2004-08-10 11:00 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-03 04:40 . 2010-05-07 17:58 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-03 02:19 . 2010-04-02 17:40 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58 . 2008-08-28 19:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-04-28_18.25.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-28 18:41 . 2011-04-28 18:41 16384 c:\windows\Temp\Perflib_Perfdata_5a8.dat
+ 2011-04-28 18:41 . 2011-04-28 18:41 16384 c:\windows\Temp\Perflib_Perfdata_1ec.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-07-23 401408]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-07-23 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-21 118784]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"pdfFactory Pro Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2008-04-18 520192]
"WFXSwtch"="c:\progra~1\WinFax\WFXSWTCH.exe" [2001-09-10 27648]
"WinFaxAppPortStarter"="wfxsnt40.exe" [2001-09-10 45568]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-02 198160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"GreyMSIAds"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2005-07-23 05:46 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-02 05:45 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1179:UDP"= 1179:UDP:Windows Media Format SDK (wmplayer.exe)
"1178:UDP"= 1178:UDP:Windows Media Format SDK (wmplayer.exe)
"1181:UDP"= 1181:UDP:Windows Media Format SDK (wmplayer.exe)
"1078:TCP"= 1078:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [08/11/2009 11:24 AM 64288]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [10/08/2004 4:00 AM 14336]
R2 Norton DNS;Norton DNS;c:\program files\Norton DNS\NortonDNSSvc.exe [13/10/2010 1:32 PM 97664]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [02/05/2010 9:10 PM 136176]
S3 cpuz130;cpuz130;\??\c:\docume~1\Jorge\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Jorge\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [02/05/2010 9:10 PM 136176]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-03 04:10]
.
2011-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-03 04:10]
.
2011-04-27 c:\windows\Tasks\User_Feed_Synchronization-{DBF522DE-E863-4160-8F68-AE20937E41A5}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
2009-11-10 c:\windows\Tasks\Wise Registry Cleaner 4.job
- c:\program files\Wise Registry Cleaner\WiseRegistryCleaner.exe [2009-11-10 22:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/ig?hl=en
uInternet Settings,ProxyOverride = *.local
TCP: {14A59767-3B74-4BD3-A4F2-6DD9C92B5BAB} = 198.153.192.1,198.153.194.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-28 12:02
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HTS548080M9AT00 rev.MG4OA5EA -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x89DA733B
user & kernel MBR OK 
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1644491937-1767777339-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
@DACL=(02 0000)
@="Wireless"
"ProcessGroupPolicy"="ProcessWIRELESSPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@DACL=(02 0000)
@="Folder Redirection"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"DllName"=expand:"fdeploy.dll"
"NoMachinePolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"NoGPOListChanges"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=multi:"(Folder Redirection,Application)\00\00"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}]
@DACL=(02 0000)
"Status"=dword:00000000
"RsopStatus"=dword:00000000
"LastPolicyTime"=dword:00efa3b7
"PrevSlowLink"=dword:00000000
"PrevRsopLogging"=dword:00000001
"ForceRefreshFG"=dword:00000000
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=expand:"dskquota.dll"
"ProcessGroupPolicy"="ProcessGroupPolicy"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@DACL=(02 0000)
@="QoS Packet Scheduler"
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
@DACL=(02 0000)
@="Scripts"
"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
"ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"
"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
"DllName"=expand:"gptext.dll"
"NoSlowLink"=dword:00000001
"NoGPOListChanges"=dword:00000001
"NotifyLinkTransition"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@DACL=(02 0000)
@="Internet Explorer Zonemapping"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
@DACL=(02 0000)
@="Internet Explorer User Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=expand:"scecli.dll"
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:000003c0
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
@DACL=(02 0000)
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=expand:"scecli.dll"
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
@DACL=(02 0000)
@="802.3 Group Policy"
"DisplayName"=expand:"@dot3gpclnt.dll,-100"
"ProcessGroupPolicyEx"="ProcessLANPolicyEx"
"GenerateGroupPolicy"="GenerateLANPolicy"
"DllName"=expand:"dot3gpclnt.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@DACL=(02 0000)
@="Microsoft Offline Files"
"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@DACL=(02 0000)
@="Software Installation"
"DllName"=expand:"appmgmts.dll"
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
@DACL=(02 0000)
@="Internet Explorer Machine Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@DACL=(02 0000)
@="IP Security"
"ProcessGroupPolicy"="ProcessIPSECPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000000
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
@DACL=(02 0000)
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
"ASPNET"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1024)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
- - - - - - - > 'lsass.exe'(1084)
c:\windows\system32\WININET.dll
.
Completion time: 2011-04-28  12:06:50
ComboFix-quarantined-files.txt 2011-04-28 19:06
ComboFix2.txt 2011-04-28 18:29
ComboFix3.txt 2011-04-28 15:52
ComboFix4.txt 2011-04-24 18:08
.
Pre-Run: 33,105,547,264 bytes free
Post-Run: 33,100,722,176 bytes free
.
- - End Of File - - EE52218AF4859F487633D2246ABF2168


----------



## dvk01 (Dec 14, 2002)

please run dds again so we can see what that shows & are you still getting diverts & pop ups or have we managed to cure them


----------



## egroj (Apr 22, 2011)

I turned the computer off after I sent the last post. I am trying to reboot but the first time I got the IRQL message, the second time: INVALID_QUEUE, the third and fourth times I lost everything on the desktop except the background picture and after a minute or so I got the

"Windows cannot find '(null)'. Make sure you typed the name correctly, and then try again. To search for a file, click the start button, and then click search."

I will try to start in safe mode.


----------



## egroj (Apr 22, 2011)

I tried to reboot twice on safe mode and I got the IRQL message once and the INVALID_WORK_QUEUE one the second time, then I tried normal booting the third time and it did work ??

I will monitor for redirects and pop-ups. Running DDS next.


----------



## egroj (Apr 22, 2011)

Yes, I am still getting new browser windows popping up, and the bell sound too (just once, a while after rebooted). The "generic host process..." error happens after a longer while, and then I lose all "non-computer" sound, i.e. any media. No redirections yet, but when I hit a link in my personalized google page I am taken to a "standard looking" google page.

DDS log:

.
DDS (Ver_11-03-05.01) - NTFSx86 
Run by Jorge at 17:36:54.56 on 28/04/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1560 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Norton DNS\NortonDNSSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Norton DNS\NortonDNSTray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Documents and Settings\Jorge\Desktop\dds.com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/ig?hl=en
uInternet Settings,ProxyOverride = *.local
BHO: AutorunsDisabled - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
mRun: [IntelZeroConfig] c:\program files\intel\wireless\bin\ZCfgSvc.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [pdfFactory Pro Dispatcher v3] "c:\windows\system32\spool\drivers\w32x86\3\fppdis3a.exe" /source=HKLM
mRun: [WFXSwtch] c:\progra~1\winfax\WFXSWTCH.exe
mRun: [WinFaxAppPortStarter] wfxsnt40.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-unins...zEtRkwxMCsxLVNVRCsx"&"prod=55"&"ver=10.0.1321
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\norton~1.lnk - c:\program files\norton dns\NortonDNSTray.exe
uPolicies-explorer: GreyMSIAds = 0 (0x0)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://design-concept.ca/Core/Player/2020PlayerAX_Win32.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219981782196
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} - hxxps://www2.gotomeeting.com/default/applets/g2mdlax.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - hxxp://ec2-174-129-18-125.compute-1.amazonaws.com/intel-systeminfo-api/receivers/FMSI.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
TCP: {14A59767-3B74-4BD3-A4F2-6DD9C92B5BAB} = 198.153.192.1,198.153.194.1
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-8 64288]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-10 14336]
R2 Norton DNS;Norton DNS;c:\program files\norton dns\NortonDNSSvc.exe [2010-10-13 97664]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-2 136176]
S3 cpuz130;cpuz130;\??\c:\docume~1\jorge\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\jorge\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 cpuz132;cpuz132;\??\c:\docume~1\jorge\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\jorge\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-5-2 136176]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
.
=============== File Associations ===============
.
.scr=AutoCADScriptFile
.
=============== Created Last 30 ================
.
2011-04-26 18:38:22 -------- d-----w- C:\_OTS
2011-04-25 18:30:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-25 18:30:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-25 18:30:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-25 18:08:38 -------- d-----w- c:\program files\Norton DNS
2011-04-25 18:08:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton
2011-04-24 08:54:37 -------- d-sha-r- C:\cmdcons
2011-04-24 08:50:09 98816 ----a-w- c:\windows\sed.exe
2011-04-24 08:50:09 89088 ----a-w- c:\windows\MBR.exe
2011-04-24 08:50:09 256512 ----a-w- c:\windows\PEV.exe
2011-04-24 08:50:09 161792 ----a-w- c:\windows\SWREG.exe
2011-04-21 17:31:20 -------- d-----w- C:\Settings
2011-04-15 01:20:30 -------- d-----w- c:\program files\common files\Futuremark Shared
2011-04-07 07:21:21 -------- d-----w- c:\docume~1\jorge\applic~1\HpUpdate
2011-04-07 07:21:15 -------- d-----w- c:\windows\Hewlett-Packard
2011-04-06 04:51:06 -------- d-----w- c:\program files\ScreenRecorder
2011-04-06 04:50:27 -------- d-----w- c:\windows\system32\windows media
2011-04-06 04:50:06 -------- d-----w- c:\program files\Windows Media Components
2011-04-06 04:47:38 -------- d-----w- C:\UtilityOnlineMarch09
2011-04-03 02:11:50 -------- d-----w- c:\docume~1\alluse~1\applic~1\mytaxexpress
2011-04-03 02:11:34 -------- d-----w- C:\myTaxExpress
.
==================== Find3M ====================
.
2011-04-26 21:44:03 90112 ----a-w- c:\windows\DUMP3fd7.tmp
2011-04-26 21:40:04 90112 ----a-w- c:\windows\DUMP4100.tmp
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-07 01:50:11 41 ----a-w- c:\windows\WFXDEL.BAT
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25:52 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-05 01:48:32 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-05 01:48:30 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-03 04:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-03 02:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HTS548080M9AT00 rev.MG4OA5EA -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89DA74F0]<< 
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89dad7d0]; MOV EAX, [0x89dad84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x89D9FAB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x89DC6330]
\Driver\atapi[0x89DD3B70] -> IRP_MJ_CREATE -> 0x89DA74F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x89DA733B
user & kernel MBR OK 
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 17:39:21.87 ===============


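One way to triage the ROOTKIT section that dvk01 reads above (the same Gmer MBR detector output also appears in the ComboFix log earlier in the thread), as an added example that is not part of the original thread or of DDS/Gmer: it parses the detector's lines and reports why a "user & kernel MBR OK" result can still be suspicious when a driver hook and an unidentified module sit in the disk I/O path. The sample text is constructed from the log above; the class and function names are my own.

```python
"""Parse the 'Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector' section of a
DDS or ComboFix log and summarise the indicators a responder looks at.

Added example (not part of the original thread or of the DDS/Gmer tools).
The line format follows the logs posted in the thread; SAMPLE_LOG is a
constructed excerpt based on them."""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the DDS ROOTKIT section posted above.
SAMPLE_LOG = """\
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HTS548080M9AT00 rev.MG4OA5EA -> Harddisk0\\DR0 -> \\Device\\Ide\\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89DA74F0]<<
\\Driver\\atapi[0x89DD3B70] -> IRP_MJ_CREATE -> 0x89DA74F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\\Driver\\atapi DriverStartIo -> 0x89DA733B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 17:39:21.87 ===============
"""

# Constructed clean run for comparison: no hooks, no unknown modules, no warning.
CLEAN_LOG = """\
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected disk devices:
detected hooks:
user & kernel MBR OK
"""

# "\Driver\atapi DriverStartIo -> 0x89DA733B"  ->  (driver, routine, address)
HOOK_RE = re.compile(r"^(\\Driver\\\S+)\s+(\S+)\s+->\s+(0x[0-9A-Fa-f]+)\s*$")
# ">>UNKNOWN [0x89DA74F0]<<" inside the 'called modules' disk trace line
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


@dataclass
class MbrScanResult:
    user_mbr_read: bool = False
    kernel_mbr_read: bool = False
    mbr_consistent: bool = False            # the tool's "user & kernel MBR OK" line
    hooks: list = field(default_factory=list)            # (driver, routine, address)
    unknown_modules: list = field(default_factory=list)  # addresses of unnamed modules
    errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A consistent MBR is not enough: a hook or an unnamed module in the
        # disk I/O path is how a bootkit hides the real sector from readers.
        return bool(self.hooks or self.unknown_modules or self.warnings)


def parse_mbr_section(text: str) -> MbrScanResult:
    """Extract the detector's indicators from a DDS/ComboFix log (first section only)."""
    res = MbrScanResult()
    in_section = False
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Stealth MBR rootkit"):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("=") or line.startswith("*"):  # FINISH / separator banner
            break
        if line == "user: MBR read successfully":
            res.user_mbr_read = True
        elif line == "kernel: MBR read successfully":
            res.kernel_mbr_read = True
        elif line == "user & kernel MBR OK":
            res.mbr_consistent = True
        elif line.startswith("error:"):
            res.errors.append(line[len("error:"):].strip())
        elif line.startswith("Warning:"):
            res.warnings.append(line[len("Warning:"):].strip())
        elif line == "detected hooks:":
            in_hooks = True
            continue
        m = UNKNOWN_RE.search(line)
        if m:
            res.unknown_modules.append(m.group(1))
        if in_hooks:
            m = HOOK_RE.match(line)
            if m:
                res.hooks.append(m.groups())
            else:
                in_hooks = False  # hook list ends at the first non-hook line
    return res


def triage(res: MbrScanResult) -> list:
    """Human-readable reasons a helper would post back; empty means nothing found."""
    reasons = [f"hook on {drv} {routine} at {addr}" for drv, routine, addr in res.hooks]
    reasons += [f"unnamed module in disk I/O path at {addr}" for addr in res.unknown_modules]
    reasons += [f"tool warning: {w}" for w in res.warnings]
    if not (res.user_mbr_read and res.kernel_mbr_read and res.mbr_consistent):
        reasons.append("MBR could not be read consistently from user and kernel mode")
    return reasons


if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("clean", CLEAN_LOG)):
        r = parse_mbr_section(log)
        print(name, "suspicious" if r.suspicious else "clean", triage(r))
```

Run against the ComboFix excerpt earlier in the thread, the parser reports the same atapi hook even though that run carried no "Warning" line, which is the signal dvk01 acted on.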
----------



## dvk01 (Dec 14, 2002)

do you have your windows CD/dvd as we need to boot from it to fix this

you have the new TDL4 bootkit that can only be fixed from recovery console on the cd/dvd at this time, not the inbuilt windows recovery console


----------



## egroj (Apr 22, 2011)

well, my computer, being a DELL, came with a very nice looking cardboard look-alike CD that says:
"Your new computer does not require an operating system CD or drivers CD. Instead, if you ever need to reinstall your software, use one of the following methods."

However being a DELL I eventually had some technical problems and they agreed to send a bunch of, mostly, useless CDs. There are two:
- drivers and utilities.
- reinstallation DVD
that might have what you are looking for?


----------



## dvk01 (Dec 14, 2002)

I doubt if the dell reinstall dvd has got recovery console on it & will normally just be an ISO image of the drive

let's see if the inbuilt recovery console will work first
boot computer & watch the black screen as it boots
you should see an option to boot to recovery console that only lasts for 3 or 4 seconds
select that & when the black recovery screen comes up
type fixmbr press ok/enter & it should reboot

when it boots up then run dds & let's see if it worked


----------



## egroj (Apr 22, 2011)

booted up the computer, the recovery console screen lasted for a fraction of a second! but was able, eventually, to latch on to it. I have the windows command prompt now asking:

"which windows installation would you like to log onto" I am allowed to input only 1 character.

awaiting further instructions...


----------



## dvk01 (Dec 14, 2002)

you should be able to use the up down arrow keys on keyboard to highlight the one that is showing & then press return


----------



## egroj (Apr 22, 2011)

this is what I see on the screen:

Microsoft Windows XP(TM) Recovery Console.
The Recovery Console provides system repair and recovery functionality.
Type EXIT to quit the Recovery Console and restart the computer.

1: C:\WINDOWS

Which Windows installation would you like to log onto
<To cancel, press ENTER>?_


----------



## dvk01 (Dec 14, 2002)

type 1


----------



## egroj (Apr 22, 2011)

I got it.

typed FIXMBR and this is what I got:

** CAUTION **

This computer appears to have a non-standard or invalid master boot record.

FIXMBR may damage your partition tables if you proceed.

This could cause all the partitions on the current hard disk to become inaccessible.

If you are not having problems accessing your drive, do not continue.

Are you sure you want to write a new MBR? _


----------



## dvk01 (Dec 14, 2002)

yes you need to do it, the malware has infected the MBR so we need to restore a default one


----------



## egroj (Apr 22, 2011)

DDS log:

.
DDS (Ver_11-03-05.01) - NTFSx86 
Run by Jorge at 11:24:06.00 on 29/04/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1570 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Norton DNS\NortonDNSSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Norton DNS\NortonDNSTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Documents and Settings\Jorge\Desktop\dds.com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/ig?hl=en
uInternet Settings,ProxyOverride = *.local
BHO: AutorunsDisabled - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
mRun: [IntelZeroConfig] c:\program files\intel\wireless\bin\ZCfgSvc.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [pdfFactory Pro Dispatcher v3] "c:\windows\system32\spool\drivers\w32x86\3\fppdis3a.exe" /source=HKLM
mRun: [WFXSwtch] c:\progra~1\winfax\WFXSWTCH.exe
mRun: [WinFaxAppPortStarter] wfxsnt40.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-unins...zEtRkwxMCsxLVNVRCsx"&"prod=55"&"ver=10.0.1321
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\norton~1.lnk - c:\program files\norton dns\NortonDNSTray.exe
uPolicies-explorer: GreyMSIAds = 0 (0x0)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://design-concept.ca/Core/Player/2020PlayerAX_Win32.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219981782196
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} - hxxps://www2.gotomeeting.com/default/applets/g2mdlax.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - hxxp://ec2-174-129-18-125.compute-1.amazonaws.com/intel-systeminfo-api/receivers/FMSI.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
TCP: {14A59767-3B74-4BD3-A4F2-6DD9C92B5BAB} = 198.153.192.1,198.153.194.1
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-8 64288]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-10 14336]
R2 Norton DNS;Norton DNS;c:\program files\norton dns\NortonDNSSvc.exe [2010-10-13 97664]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-2 136176]
S3 cpuz130;cpuz130;\??\c:\docume~1\jorge\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\jorge\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 cpuz132;cpuz132;\??\c:\docume~1\jorge\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\jorge\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-5-2 136176]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
.
=============== File Associations ===============
.
.scr=AutoCADScriptFile
.
=============== Created Last 30 ================
.
2011-04-29 05:52:15 -------- d-----w- C:\cabs
2011-04-29 05:46:35 -------- d-----w- c:\docume~1\jorge\applic~1\Easeware
2011-04-26 18:38:22 -------- d-----w- C:\_OTS
2011-04-25 18:30:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-25 18:30:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-25 18:30:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-25 18:08:38 -------- d-----w- c:\program files\Norton DNS
2011-04-25 18:08:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton
2011-04-24 08:54:37 -------- d-sha-r- C:\cmdcons
2011-04-24 08:50:09 98816 ----a-w- c:\windows\sed.exe
2011-04-24 08:50:09 89088 ----a-w- c:\windows\MBR.exe
2011-04-24 08:50:09 256512 ----a-w- c:\windows\PEV.exe
2011-04-24 08:50:09 161792 ----a-w- c:\windows\SWREG.exe
2011-04-21 17:31:20 -------- d-----w- C:\Settings
2011-04-15 01:20:30 -------- d-----w- c:\program files\common files\Futuremark Shared
2011-04-07 07:21:21 -------- d-----w- c:\docume~1\jorge\applic~1\HpUpdate
2011-04-07 07:21:15 -------- d-----w- c:\windows\Hewlett-Packard
2011-04-06 04:51:06 -------- d-----w- c:\program files\ScreenRecorder
2011-04-06 04:50:27 -------- d-----w- c:\windows\system32\windows media
2011-04-06 04:50:06 -------- d-----w- c:\program files\Windows Media Components
2011-04-06 04:47:38 -------- d-----w- C:\UtilityOnlineMarch09
2011-04-03 02:11:50 -------- d-----w- c:\docume~1\alluse~1\applic~1\mytaxexpress
2011-04-03 02:11:34 -------- d-----w- C:\myTaxExpress
.
==================== Find3M ====================
.
2011-04-26 21:44:03 90112 ----a-w- c:\windows\DUMP3fd7.tmp
2011-04-26 21:40:04 90112 ----a-w- c:\windows\DUMP4100.tmp
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-07 01:50:11 41 ----a-w- c:\windows\WFXDEL.BAT
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25:52 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-05 01:48:32 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-05 01:48:30 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-03 04:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-03 02:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
============= FINISH: 11:25:36.98 ===============


----------



## dvk01 (Dec 14, 2002)

that looks like it did get it 

are you still getting any diverts or pop ups etc or have they stopped


----------



## egroj (Apr 22, 2011)

Not so far. Possibly a bit too early to say. I still have some issues with sound, which may be legacy from damage caused by the bug/s?

where do we go from here? should I use the computer for a few days to see how things go?


----------



## dvk01 (Dec 14, 2002)

give it a couple of days before we clean up 

what sound problems do you have


----------



## egroj (Apr 22, 2011)

I am positive they have/had to do with the generic host process for win32 problem, as every time that window popped up I would lose all non-windows sound (from media). I would also lose the "boot up windows tune" and the one for when you turn the computer off.

I should have had a generic host process problem by now, but nothing has happened and still have sound. However I am not able to see the onscreen sound bar when I turn the sound up or down. I know it is a minor problem, I just wonder if it may be indicative of anything else still going on?


----------



## dvk01 (Dec 14, 2002)

see if this helps 
http://en.kioskea.net/forum/affich-48679-green-volume-control-bar-is-missing


----------



## egroj (Apr 22, 2011)

Yes, sound bar is back, thanks. Derek, I couldn't help it and ran AVG out of curiosity. I did get something:

"";"C:\_OTS\MovedFiles\04262011_113822\C_WINDOWS\Temp\qqbf\setup.exe";"Trojan horse Dropper.Generic3.BITP";"Moved to Virus Vault"


----------



## egroj (Apr 22, 2011)

by the way, no pop-ups, redirections, or generic host process problems yet...


----------



## dvk01 (Dec 14, 2002)

anything in OTS moved files is what we have already removed and are there as a backup, in case we made a mistake

*Follow these steps to uninstall Combofix and the other tools it downloaded to remove the malware*
* Click *START* then *RUN*
* Now type *Combofix /Uninstall* in the runbox and click *OK*. Note the *space* between the *X* and the */U*, it needs to be there.

This will also purge the restore folder and clear any malware that has been put in there. Now empty the Recycle Bin on the desktop. Then

Please double-click *OTScanIt.exe* to run it.
Press cleanup & it will delete/uninstall all the other tools we have used to fix your problems and all their backup folders and then delete itself when you next reboot

if it doesn't tell you to reboot , please reboot now

go here *http://www.thespykiller.co.uk/index.php?page=3* for info on how to tighten your security settings and how to help prevent future attacks.

and scan here *http://secunia.com/software_inspector/* for out of date & vulnerable common applications on your computer and update whatever it suggests

Then pay an urgent visit to windows update & make sure you are fully updated, that will help to plug the security holes that let these pests on in the first place. *If windows update doesn't work, please come back & tell us*


----------



## egroj (Apr 22, 2011)

hi,

after running OTS I still have HJT, GMER (under a random name), MBRcheck, the SysProt folder (with everything in it), and the RootRepeal folder (with all its stuff as well).

The only one I see in the add/remove list is HJT, can I just drop all the other ones in the recycling bin?


----------



## dvk01 (Dec 14, 2002)

yes, just delete all of them, Drop them in recycle bin
uninstall HJT from add/remove programs


----------



## egroj (Apr 22, 2011)

add/remove didn't uninstall HJT, it just removed it from its list. I clicked on the HJT icon on the desktop and it still seems functional..


----------



## egroj (Apr 22, 2011)

ok, ran REVO uninstaller and got rid of HJT. Then, as per TheSpyKiller web site, I only had to update Java from 1.6.0_24 to 25. I have auto updates for IE and Windows so nothing new. However:

Custom Level in Internet Options/Security/Internet is greyed out. There is a beige information window at the bottom saying: "Some settings are managed by your system administrator" However I have administrator rights??

Also, next step, going to the Secunia web site: I click on Start Scanner and nothing happens...


----------



## dvk01 (Dec 14, 2002)

I don't know about secunia but lots of XP users have had problems with that recently, with it freezing & not running properly 

There are entries in your logs that suggest that this is or was a company computer with group policy settings enabled, that prevent access to some registry keys & settings. Those entries are very common in a company computer & lock it down to prevent malware altering them. Also Dell are known to lock some keys as they conflict with Dell software that does the same job 

We can remove the locks but we need to install combofix again to do it


----------



## egroj (Apr 22, 2011)

ok. I bought my computer brand new from DELL and it has always been a home computer. However, I remember a few years back having some silly malware that would not allow me to turn on pop-up blocker in Internet Options/Privacy, the same beige window about administrator rights had turned up again. This problem with admin rights must have occurred when I got infected this time, as I don't recall having that specific problem for the past few years. I'll reinstall COMBOFIX. Do you want me to run it as before, or wait for further instructions?


----------



## dvk01 (Dec 14, 2002)

yes 

please run combofix again & post its log
once I see the locked entries I can attempt to prepare a script to unlock them


----------



## egroj (Apr 22, 2011)

COMBOFIX log:

ComboFix 11-04-30.06 - Jorge 01/05/2011 10:49:06.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1561 [GMT -7:00]
Running from: c:\documents and settings\Jorge\Desktop\123username.exe
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Jorge\Application Data\Yahoo!
.
.
((((((((((((((((((((((((( Files Created from 2011-04-01 to 2011-05-01 )))))))))))))))))))))))))))))))
.
.
2011-05-01 03:52 . 2011-05-01 03:52 -------- d-----w- c:\program files\Common Files\Java
2011-05-01 02:21 . 2011-05-01 02:21 -------- d-----w- c:\documents and settings\Jorge\Local Settings\Application Data\VS Revo Group
2011-05-01 02:20 . 2009-12-30 18:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2011-05-01 02:20 . 2011-05-01 02:20 -------- d-----w- c:\program files\VS Revo Group
2011-04-29 05:52 . 2011-04-29 05:52 -------- d-----w- C:\cabs
2011-04-29 05:46 . 2011-04-29 05:46 -------- d-----w- c:\documents and settings\Jorge\Application Data\Easeware
2011-04-27 22:01 . 2011-04-27 22:02 -------- d-----w- c:\documents and settings\Administrator
2011-04-25 18:30 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-25 18:30 . 2011-04-25 18:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-25 18:30 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-25 18:08 . 2011-04-25 18:08 -------- d-----w- c:\program files\Norton DNS
2011-04-25 18:08 . 2011-04-25 18:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2011-04-21 20:46 . 2011-04-21 20:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2011-04-21 20:46 . 2011-04-21 20:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-04-21 17:31 . 2011-04-21 17:31 -------- d-----w- C:\Settings
2011-04-21 08:42 . 2011-04-21 08:42 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2011-04-21 08:42 . 2011-04-21 08:42 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-04-15 01:20 . 2011-04-15 01:20 -------- d-----w- c:\program files\Common Files\Futuremark Shared
2011-04-07 07:21 . 2011-04-14 15:15 -------- d-----w- c:\documents and settings\Jorge\Application Data\HpUpdate
2011-04-07 07:21 . 2011-04-07 07:21 -------- d-----w- c:\windows\Hewlett-Packard
2011-04-06 04:51 . 2011-04-06 04:51 -------- d-----w- c:\program files\ScreenRecorder
2011-04-06 04:50 . 2011-04-06 04:50 -------- d-----w- c:\windows\system32\windows media
2011-04-06 04:50 . 2011-04-06 04:50 -------- d-----w- c:\program files\Windows Media Components
2011-04-06 04:47 . 2011-04-06 04:49 -------- d-----w- C:\UtilityOnlineMarch09
2011-04-03 02:11 . 2011-04-03 02:11 -------- d-----w- c:\documents and settings\All Users\Application Data\mytaxexpress
2011-04-03 02:11 . 2011-04-03 02:11 -------- d-----w- C:\myTaxExpress
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-28 15:25 . 2004-08-10 11:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2011-04-28 15:25 . 2004-08-10 11:00 4352 ----a-w- c:\windows\system32\drivers\wmilib.sys
2011-04-26 21:44 . 2008-08-28 11:05 90112 ----a-w- c:\windows\DUMP3fd7.tmp
2011-04-26 21:40 . 2008-08-28 11:05 90112 ----a-w- c:\windows\DUMP4100.tmp
2011-04-14 12:07 . 2010-05-07 17:58 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-14 09:40 . 2010-04-02 17:40 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-07 05:33 . 2008-08-28 19:40 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-07 01:50 . 2008-08-29 05:22 41 ----a-w- c:\windows\WFXDEL.BAT
2011-03-04 06:37 . 2004-08-10 11:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-10 11:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-10 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-10 11:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-10 11:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2004-08-10 11:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-10 11:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-04-16 02:42 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-10 11:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25 . 2008-08-29 02:51 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-08 13:33 . 2004-08-10 11:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-10 11:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-05 01:48 . 2004-08-10 11:00 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-05 01:48 . 2004-08-10 11:00 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58 . 2008-08-28 19:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-07-23 401408]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-07-23 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-21 118784]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"pdfFactory Pro Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2008-04-18 520192]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-02 198160]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2006-08-04 1032192]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
Norton DNS Tray Icon.lnk - c:\program files\Norton DNS\NortonDNSTray.exe [2010-10-13 75136]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"GreyMSIAds"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2005-07-23 05:46 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-02 05:45 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1260:TCP"= 1260:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [08/11/2009 11:24 AM 64288]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [10/08/2004 4:00 AM 14336]
R2 Norton DNS;Norton DNS;c:\program files\Norton DNS\NortonDNSSvc.exe [13/10/2010 1:32 PM 97664]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [02/05/2010 9:10 PM 136176]
S3 cpuz130;cpuz130;\??\c:\docume~1\Jorge\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Jorge\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [02/05/2010 9:10 PM 136176]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [30/04/2011 7:20 PM 27064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-03 04:10]
.
2011-05-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-03 04:10]
.
2011-05-01 c:\windows\Tasks\User_Feed_Synchronization-{DBF522DE-E863-4160-8F68-AE20937E41A5}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
2009-11-10 c:\windows\Tasks\Wise Registry Cleaner 4.job
- c:\program files\Wise Registry Cleaner\WiseRegistryCleaner.exe [2009-11-10 22:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/ig?hl=en
uInternet Settings,ProxyOverride = *.local
TCP: {14A59767-3B74-4BD3-A4F2-6DD9C92B5BAB} = 198.153.192.1,198.153.194.1
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-01 10:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1644491937-1767777339-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
@DACL=(02 0000)
@="Wireless"
"ProcessGroupPolicy"="ProcessWIRELESSPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@DACL=(02 0000)
@="Folder Redirection"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"DllName"=expand:"fdeploy.dll"
"NoMachinePolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"NoGPOListChanges"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=multi:"(Folder Redirection,Application)\00\00"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}]
@DACL=(02 0000)
"Status"=dword:00000000
"RsopStatus"=dword:00000000
"LastPolicyTime"=dword:00efa3b7
"PrevSlowLink"=dword:00000000
"PrevRsopLogging"=dword:00000001
"ForceRefreshFG"=dword:00000000
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=expand:"dskquota.dll"
"ProcessGroupPolicy"="ProcessGroupPolicy"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@DACL=(02 0000)
@="QoS Packet Scheduler"
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
@DACL=(02 0000)
@="Scripts"
"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
"ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"
"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
"DllName"=expand:"gptext.dll"
"NoSlowLink"=dword:00000001
"NoGPOListChanges"=dword:00000001
"NotifyLinkTransition"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@DACL=(02 0000)
@="Internet Explorer Zonemapping"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
@DACL=(02 0000)
@="Internet Explorer User Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=expand:"scecli.dll"
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:000003c0
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
@DACL=(02 0000)
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=expand:"scecli.dll"
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
@DACL=(02 0000)
@="802.3 Group Policy"
"DisplayName"=expand:"@dot3gpclnt.dll,-100"
"ProcessGroupPolicyEx"="ProcessLANPolicyEx"
"GenerateGroupPolicy"="GenerateLANPolicy"
"DllName"=expand:"dot3gpclnt.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@DACL=(02 0000)
@="Microsoft Offline Files"
"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@DACL=(02 0000)
@="Software Installation"
"DllName"=expand:"appmgmts.dll"
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
@DACL=(02 0000)
@="Internet Explorer Machine Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@DACL=(02 0000)
@="IP Security"
"ProcessGroupPolicy"="ProcessIPSECPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000000
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
@DACL=(02 0000)
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
"ASPNET"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1024)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
- - - - - - - > 'explorer.exe'(3864)
c:\windows\system32\WININET.dll
c:\windows\system32\AcSignIcon.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Autodesk Shared\AcSignCore16.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-05-01 10:59:28
ComboFix-quarantined-files.txt 2011-05-01 17:59
.
Pre-Run: 38,966,366,208 bytes free
Post-Run: 39,014,428,672 bytes free
.
- - End Of File - - 12DD5C67A3F7055E8D9E83D1182E9513


----------



## dvk01 (Dec 14, 2002)

Download the attached CFScript.txt and save it to your desktop (click on the link underneath this post & if you are using Internet Explorer when the "File download" pop up comes press *SAVE* and choose desktop in the list of selections in that window & press save)

*Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running ComboFix & remember to re-enable it when it has finished*

Close any open browsers
Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

[screenshot not reproduced]

This will start ComboFix again. It may ask to reboot. Post the contents of ComboFix.txt in your next reply.

*Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system and will not fix your problem. If you have a similar problem start your own topic in the malware fixing forum*


----------



## egroj (Apr 22, 2011)

COMBOFIX log:

ComboFix 11-04-30.06 - Jorge 01/05/2011 11:48:40.7.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1488 [GMT -7:00]
Running from: c:\documents and settings\Jorge\Desktop\123username.exe
Command switches used :: c:\documents and settings\Jorge\Desktop\CFScript.txt
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
((((((((((((((((((((((((( Files Created from 2011-04-01 to 2011-05-01 )))))))))))))))))))))))))))))))
.
.
2011-05-01 03:52 . 2011-05-01 03:52 -------- d-----w- c:\program files\Common Files\Java
2011-05-01 02:21 . 2011-05-01 02:21 -------- d-----w- c:\documents and settings\Jorge\Local Settings\Application Data\VS Revo Group
2011-05-01 02:20 . 2009-12-30 18:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2011-05-01 02:20 . 2011-05-01 02:20 -------- d-----w- c:\program files\VS Revo Group
2011-04-29 05:52 . 2011-04-29 05:52 -------- d-----w- C:\cabs
2011-04-29 05:46 . 2011-04-29 05:46 -------- d-----w- c:\documents and settings\Jorge\Application Data\Easeware
2011-04-27 22:01 . 2011-04-27 22:02 -------- d-----w- c:\documents and settings\Administrator
2011-04-25 18:30 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-25 18:30 . 2011-04-25 18:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-25 18:30 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-25 18:08 . 2011-04-25 18:08 -------- d-----w- c:\program files\Norton DNS
2011-04-25 18:08 . 2011-04-25 18:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2011-04-21 20:46 . 2011-04-21 20:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2011-04-21 20:46 . 2011-04-21 20:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-04-21 17:31 . 2011-04-21 17:31 -------- d-----w- C:\Settings
2011-04-21 08:42 . 2011-04-21 08:42 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2011-04-21 08:42 . 2011-04-21 08:42 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-04-15 01:20 . 2011-04-15 01:20 -------- d-----w- c:\program files\Common Files\Futuremark Shared
2011-04-07 07:21 . 2011-04-14 15:15 -------- d-----w- c:\documents and settings\Jorge\Application Data\HpUpdate
2011-04-07 07:21 . 2011-04-07 07:21 -------- d-----w- c:\windows\Hewlett-Packard
2011-04-06 04:51 . 2011-04-06 04:51 -------- d-----w- c:\program files\ScreenRecorder
2011-04-06 04:50 . 2011-04-06 04:50 -------- d-----w- c:\windows\system32\windows media
2011-04-06 04:50 . 2011-04-06 04:50 -------- d-----w- c:\program files\Windows Media Components
2011-04-06 04:47 . 2011-04-06 04:49 -------- d-----w- C:\UtilityOnlineMarch09
2011-04-03 02:11 . 2011-04-03 02:11 -------- d-----w- c:\documents and settings\All Users\Application Data\mytaxexpress
2011-04-03 02:11 . 2011-04-03 02:11 -------- d-----w- C:\myTaxExpress
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-28 15:25 . 2004-08-10 11:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2011-04-28 15:25 . 2004-08-10 11:00 4352 ----a-w- c:\windows\system32\drivers\wmilib.sys
2011-04-26 21:44 . 2008-08-28 11:05 90112 ----a-w- c:\windows\DUMP3fd7.tmp
2011-04-26 21:40 . 2008-08-28 11:05 90112 ----a-w- c:\windows\DUMP4100.tmp
2011-04-14 12:07 . 2010-05-07 17:58 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-14 09:40 . 2010-04-02 17:40 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-07 05:33 . 2008-08-28 19:40 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-07 01:50 . 2008-08-29 05:22 41 ----a-w- c:\windows\WFXDEL.BAT
2011-03-04 06:37 . 2004-08-10 11:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-10 11:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-10 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-10 11:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-10 11:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2004-08-10 11:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-10 11:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-04-16 02:42 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-10 11:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25 . 2008-08-29 02:51 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-08 13:33 . 2004-08-10 11:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-10 11:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-05 01:48 . 2004-08-10 11:00 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-05 01:48 . 2004-08-10 11:00 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58 . 2008-08-28 19:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-07-23 401408]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-07-23 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-21 118784]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"pdfFactory Pro Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2008-04-18 520192]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-02 198160]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2006-08-04 1032192]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
Norton DNS Tray Icon.lnk - c:\program files\Norton DNS\NortonDNSTray.exe [2010-10-13 75136]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"GreyMSIAds"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2005-07-23 05:46 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-02 05:45 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1388:TCP"= 1388:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [08/11/2009 11:24 AM 64288]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [10/08/2004 4:00 AM 14336]
R2 Norton DNS;Norton DNS;c:\program files\Norton DNS\NortonDNSSvc.exe [13/10/2010 1:32 PM 97664]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [02/05/2010 9:10 PM 136176]
S3 cpuz130;cpuz130;\??\c:\docume~1\Jorge\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Jorge\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [02/05/2010 9:10 PM 136176]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [30/04/2011 7:20 PM 27064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-03 04:10]
.
2011-05-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-03 04:10]
.
2011-05-01 c:\windows\Tasks\User_Feed_Synchronization-{DBF522DE-E863-4160-8F68-AE20937E41A5}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
2009-11-10 c:\windows\Tasks\Wise Registry Cleaner 4.job
- c:\program files\Wise Registry Cleaner\WiseRegistryCleaner.exe [2009-11-10 22:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/ig?hl=en
uInternet Settings,ProxyOverride = *.local
TCP: {14A59767-3B74-4BD3-A4F2-6DD9C92B5BAB} = 198.153.192.1,198.153.194.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-01 11:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1644491937-1767777339-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1024)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
- - - - - - - > 'explorer.exe'(2180)
c:\windows\system32\WININET.dll
c:\windows\system32\AcSignIcon.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\program files\Common Files\Autodesk Shared\AcSignCore16.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-05-01 11:53:41
ComboFix-quarantined-files.txt 2011-05-01 18:53
ComboFix2.txt 2011-05-01 17:59
.
Pre-Run: 39,020,519,424 bytes free
Post-Run: 39,009,521,664 bytes free
.
- - End Of File - - 20DC25DB10E92B357D2E56C27F4C8D1C


----------



## dvk01 (Dec 14, 2002)

please reboot & see if you can change the IE security settings now


----------



## egroj (Apr 22, 2011)

no luck


----------



## dvk01 (Dec 14, 2002)

first try this 
http://windowsxp.mvps.org/ie/secchangesettings.htm
if that doesn't work then

open regedit again & navigate to 
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 
scroll down to flags & right click it 
look for decimal & make sure it says 1 
if it says 0 then change it to 1 & press OK 
exit out & try then


----------



## egroj (Apr 22, 2011)

tried first method:

HKEY_CURRENT_USER \ Software \ Policies \ Microsoft \ Internet Explorer \ Control Panel
there are 3 columns only in the right pane:
name= default
type= REG_SZ
data= (value not set), couldn't find anything about SecChangeSettings

HKEY_LOCAL_MACHINE \ Software\ Policies \ Microsoft \ Internet Explorer \
does not have Control Panel after IE, only Phishing filter, and Restrictions

HKEY_LOCAL_MACHINE \ SOFTWARE \ Policies \ Microsoft \ Windows \ CurrentVersion \ Internet Settings has only two values on the right pane:
(Default)
Security_HKLM_Only, there is no Security_options_edit

will now try second method.


----------



## egroj (Apr 22, 2011)

no HKCU/... ????
when I open regedit I only get:

HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG


----------



## egroj (Apr 22, 2011)

ok, I figured out the HKCU acronym eventually. HKCU\...\3 already has a value of 1.


----------



## dvk01 (Dec 14, 2002)

in that case try 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags and see if decimal is set as 1


----------



## egroj (Apr 22, 2011)

that one is set to 1 already as well.


----------



## dvk01 (Dec 14, 2002)

in that case I have no idea at all 

go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, right click the key & select export
save it to desktop 
then go to 
the same key in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 
& export that 

then 
HKEY_LOCAL_MACHINE \ Software\ Policies \ Microsoft \ Internet Explorer 
then
HKEY_CURRENT_USER \ Software \ Policies \ Microsoft \ Internet Explorer
zip the 4 reg files up & upload them here so I can look & see if I see something
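
The two checks asked for in this thread (the Zones\3 Flags value a few posts up, and the four exported keys requested here) can be done offline against the .reg exports themselves. The script below is an added example and is not part of the thread or of any tool mentioned in it: it parses regedit exports (both the REGEDIT4 and "Windows Registry Editor Version 5.00" formats), collects the DWORD values, and reports the entries that lock the IE Security tab. SecChangeSettings, Security_HKLM_Only and Security_options_edit are the names discussed in the thread; SecAddSites, SecurityTab and Security_zones_map_edit are additional IE policy value names from Microsoft's policy documentation that I added for completeness, and the Flags bit meanings (0x1 = allow changes to the zone's custom settings, 0x20 = hide the zone on the Security tab) follow Microsoft's documentation of the zone registry entries. The .reg text at the bottom is constructed for the example, not the poster's export.

```python
"""Scan exported .reg files for values that lock Internet Explorer's Security tab.

Added example for this thread; not code from the thread or from any tool in it.
The sample export at the bottom is constructed, not a real export.
"""
import re
from pathlib import Path

# Policy values, keyed by the path below the hive as it appears in a .reg export.
# SecChangeSettings / Security_HKLM_Only / Security_options_edit are named in the
# thread; the other three are additional IE policy names (assumption: taken from
# Microsoft's IE policy documentation, not from the thread).
POLICY_VALUES = {
    r"software\policies\microsoft\internet explorer\control panel": {
        "SecChangeSettings": "users may not change security-zone policies",
        "SecAddSites": "users may not add sites to zones",
        "SecurityTab": "Security tab hidden entirely",
    },
    r"software\policies\microsoft\windows\currentversion\internet settings": {
        "Security_HKLM_Only": "zone settings taken from HKLM only; per-user tab is read-only",
        "Security_options_edit": "users may not change zone security levels",
        "Security_zones_map_edit": "users may not add/remove sites in zones",
    },
}

# Bits of the per-zone "Flags" DWORD that matter for this thread.
FLAG_ALLOW_CUSTOM_CHANGES = 0x1   # set  => user may change the zone's settings
FLAG_HIDE_ZONE = 0x20             # set  => zone not shown on the Security tab

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
ZONE_KEY_RE = re.compile(r"\\internet settings\\zones\\(\d)$")


def parse_reg(text):
    """Return {key_path_lower: {value_name: int}} for every dword value in a .reg dump."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def find_lockdowns(keys):
    """List the policy values and zone Flags that would stop the user editing zone settings."""
    findings = []
    for path, values in keys.items():
        hive, _, rel = path.partition("\\")
        for policy_path, names in POLICY_VALUES.items():
            if rel == policy_path:
                for name, meaning in names.items():
                    if values.get(name, 0) == 1:
                        findings.append(f"{hive}\\{rel}\\{name}=1: {meaning}")
        zm = ZONE_KEY_RE.search(rel)
        if zm and "Flags" in values:
            flags, zone = values["Flags"], zm.group(1)
            if not flags & FLAG_ALLOW_CUSTOM_CHANGES:
                findings.append(f"{hive} zone {zone} Flags=0x{flags:x}: bit 0x1 clear, settings not editable")
            if flags & FLAG_HIDE_ZONE:
                findings.append(f"{hive} zone {zone} Flags=0x{flags:x}: bit 0x20 set, zone hidden from Security tab")
    return findings


def load_reg_file(path):
    """regedit writes exports as UTF-16LE with a BOM; old REGEDIT4 files are ANSI."""
    data = Path(path).read_bytes()
    return data.decode("utf-16") if data.startswith(b"\xff\xfe") else data.decode("latin-1")


# Constructed sample: one user-policy lock, the machine policy cleared, the user's
# Zone 3 editable (Flags=1, as the poster reported) and an HKLM Zone 3 with Flags=0.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"SecChangeSettings"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
"Security_HKLM_Only"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"Flags"=dword:00000001
"CurrentLevel"=dword:00011000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"Flags"=dword:00000000
"""

if __name__ == "__main__":
    import sys
    text = load_reg_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG
    for line in find_lockdowns(parse_reg(text)) or ["no lockdown values found"]:
        print(line)
```

Run it with the path to each exported .reg file (or with no argument to see it work on the constructed sample); an empty result on all four exports means the lock is not in any of the values this thread checked, which is the situation the poster ended up in.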


----------



## egroj (Apr 22, 2011)

I'm not sure whether you wanted .txt or .reg files. Here is in .reg,

next in .txt...


----------



## egroj (Apr 22, 2011)

here they are as text. They differ a bit in that they have a "last write entry" at 4/30/2011 - 9:42 AM.

I don't know where that comes from, but I haven't done any last write entries knowingly (or otherwise!).


----------



## dvk01 (Dec 14, 2002)

That is fine in reg format


----------



## dvk01 (Dec 14, 2002)

I can see nothing obvious to cause it 
the only thing that I can think of is Spybot immunize function has somehow locked it, but it isn't supposed to 
You can try to open Spybot, select immunize & undo & see if that solves it, if not then re-immunize again to add all the blocked domains that are supposed to protect you


----------



## egroj (Apr 22, 2011)

sorry, that didn't do it either.


----------



## dvk01 (Dec 14, 2002)

In that case I have absolutely no idea

You have 2 choices 
leave it as it is or format & reinstall windows so you get a clean working version

if you decide to leave it then 
*Follow these steps to uninstall ComboFix and the other tools it downloaded to remove the malware*
* Click *START* then *RUN*
* Now type *Combofix /Uninstall* in the runbox and click *OK*. Note the *space* between the *X* and the */U*, it needs to be there.

[screenshot not reproduced]

This will also purge the restore folder and clear any malware that has been put in there. Now empty Recycle Bin on desktop, then reboot.


----------



## egroj (Apr 22, 2011)

last night, after I tried the immunize undo option I decided to run Spybot first thing in the morning. I got:

Problem: Click.GiftLoad Kind: HijackersC

Click.GiftLoad: [SBI $89783858] User settings (Registry value, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe
Anyway, whatever it was, Spybot fixed it. This, however, did not change the problem with the IE security tab in Internet Options.

Would it be worthwhile opening a new thread in Operating System / Windows XP, or other suitable forum?


----------



## dvk01 (Dec 14, 2002)

You can certainly try a new post in XP asking about it


----------



## egroj (Apr 22, 2011)

well, as far as I can tell, and other than the above issue, everything else seems to be fine. should I mark the thread as solved?


----------



## dvk01 (Dec 14, 2002)

Yes, you can mark as solved


----------

