PDA

View Full Version : "File Loader", loader.exe/smss.exe, iexplore.exe, and Volume Control bugs.


RMIII
2010-07-06, 20:33
As several other users have posted about, I too seem to be having a problem with this "Black Internet" File Loader program that I have witnessed do the following:
- Mutes the system volume by turning the Wave category down to zero.
- Opens several instances of iexplore.exe that can be ended via the Task Manager but simply reappear.
- Has added loader.exe and smss.exe to the list of processes seen in Task Manager.
- My active window (usually FireFox) loses focus occasionally and I have to click it again so I can continue typing.

Like the other reports, I use FireFox exclusively as my browser.

I have a unique twist on the infection, though, that when I woke up today I saw that I had 4 Internet Explorer pop ups but also an error notification that "File Loader has caused a problem and needs to close". I was able to end the IE processes and they did NOT return during the duration that I had the computer on. However, once I installed Spybot S&D and rebooted, they came back and now cannot be terminated.

Like other users before me I have run virus scanners and they turn up blank. I am not sure as to the severity of the infection but after reading about things such as rootkits I would like to try and get this infection removed without having to reformat my OS and/or HD. As for what I have done personally to try and stifle the infection, I have attempted to disable it via Task Manager as well as using StartupCPL to try and end the processes at startup, neither one worked.

I have completed all the necessary steps as per the sticky ("Before you post a log) and here are the DDS.txt and Attach.txt logs requested:

DDS LOG
DDS (Ver_10-03-17.01) - NTFSx86
Run by HP_Administrator at 13:22:25.98 on Tue 07/06/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1115 [GMT -5:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

svchost.exe 4
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe 4
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\dvrmstoolbox\dvrmsfilewatcherservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\trutil01.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\MCTCIDUtil.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\TEMP\Google Toolbar\gtb4.tmp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HP\KBD\KBD.EXE
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr
C:\WINDOWS\ALCXMNTR.EXE

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MCTCIDUtil] c:\windows\system32\MCTCIDUtil.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [D-Link Air USB Utility] c:\program files\d-link\air usb utility\AirCFG.exe
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\isuspm.exe" -scheduler
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [amd_dc_opt] "c:\program files\amd\amd_dc_opt\amd_dc_opt.exe"
mRun: [trutil0] c:\windows\system32\trutil01.exe
mRun: [PinnacleDriverCheck] c:\windows\system32\\PSDrvCheck.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\hp_administrator\start menu\programs\imvu\Run IMVU.lnk
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: trymedia.com
DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} - hxxp://zone.msn.com/bingame/trix/default/TriJinx.1.0.0.87.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} - hxxp://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} - hxxp://zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {64D01C7F-810D-446E-A07E-16C764235644} - hxxp://zone.msn.com/bingame/amad/default/atomaders.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://zone.msn.com/bingame/chnz/default/mjolauncher.cab
DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} - hxxp://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} - hxxp://cdn2.zone.msn.com/binframework/v10/ZAxRcMgr.cab31267.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} - hxxp://asp.mathxl.com/books/_Players/EconPlayer.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\t445rp2p.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\documents and settings\hp_administrator\application

data\mozilla\firefox\profiles\t445rp2p.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\google\google gears\firefox\lib\ff35\gears.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeploytk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npnul32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPOFFICE.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npRACtrl.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\progra~1\mozill~1\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\progra~1\mozill~1\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\progra~1\mozill~1\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\progra~1\mozill~1\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\progra~1\mozill~1\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\progra~1\mozill~1\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\progra~1\mozill~1\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-7-6 64288]
R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-1-3 11608]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-1-3 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-1-3 151297]
R2 DVRMSFileWatcherService;DVRMSFileWatcherService;c:\program files\dvrmstoolbox\DVRMSFileWatcherService.exe [2006-6-2 32768]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-6-21 1352832]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 NIOC;NIOC Service;c:\windows\system32\NIOC.sys [2002-9-27 22912]
R2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [2008-1-23 23200]
R2 WZCBDLService;WZCBDL Service;c:\program files\wzcbdl service\WZCBDLS.exe [2002-3-19 36864]
R3 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\AmdTools.sys [2006-8-22 31744]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-1-3 52056]
R3 PRISM_USB;D-Link Air DWL-122 Wireless USB Adapter Driver;c:\windows\system32\drivers\PRISMUSB.sys [2006-6-2 636416]
R3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2006-6-9 223128]
R3 xMrMINI;xMrMINI;c:\windows\system32\drivers\xMrMINI.sys [2009-8-3 247808]
R3 xVGAMINI;xVGAMINI;c:\windows\system32\drivers\xVGAMINI.sys [2009-8-3 253184]
R3 xVGAUSB;USB 2.0 VGA DEVICE-1;c:\windows\system32\drivers\xvgausb.sys [2009-8-3 34944]
S2 gupdate1c997c7df809ca6;Google Update Service (gupdate1c997c7df809ca6);c:\program files\google\update\GoogleUpdate.exe [2009-2-25 133104]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-07-06 18:12:30 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-06 17:57:45 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-07-06 17:57:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-07-06 17:47:33 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{90FF8911-FC06-4E49-8959-C3CF1CA226BB}

==================== Find3M ====================

2010-06-17 21:22:10 8654 ----a-w- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
2006-10-24 05:29:02 2199552 ----a-w- c:\program files\tb_triforce_1_6.dll
2006-10-24 05:11:06 3223552 ----a-w- c:\program files\tb_toad_1_2.dll
2006-10-24 04:38:10 4542464 ----a-w- c:\program files\tb_peach_1_2.dll
2001-09-10 15:00:26 139264 ----a-w- c:\windows\inf\i386\Rtscan.dll
2001-09-10 14:10:36 61440 ----a-w- c:\windows\inf\i386\onetUSD.dll
2001-08-18 00:43:24 32768 ----a-w- c:\windows\inf\i386\Wiamicro.dll
2001-08-04 00:29:18 13824 ----a-w- c:\windows\inf\i386\usbscan.sys
2001-06-29 14:10:24 163840 ----a-w- c:\windows\inf\i386\viceo.dll
2010-03-22 03:40:38 12208 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 13:23:12.76 ===============

Attach LOG

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 6/2/2006 7:30:28 PM
System Uptime: 7/6/2010 1:16:01 PM (0 hours ago)

Motherboard: MSI | | AMETHYST-M
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ | Socket 939 | 2188/200mhz
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ | Socket 939 | 2188/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 271 GiB total, 43.535 GiB free.
D: is FIXED (FAT32) - 8 GiB total, 0.46 GiB free.
E: is CDROM ()
F: is CDROM (CDFS)
G: is Removable
H: is Removable
I: is Removable
J: is Removable
L: is CDROM ()
M: is CDROM (CDFS)
N: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1260: 4/7/2010 11:27:59 PM - System Checkpoint
RP1261: 4/9/2010 1:02:43 AM - System Checkpoint
RP1262: 4/10/2010 3:37:31 AM - System Checkpoint
RP1263: 4/11/2010 7:28:49 AM - System Checkpoint
RP1264: 4/12/2010 11:28:50 AM - System Checkpoint
RP1265: 4/13/2010 3:28:50 PM - System Checkpoint
RP1266: 4/14/2010 3:30:07 PM - System Checkpoint
RP1267: 4/15/2010 7:11:13 PM - System Checkpoint
RP1268: 4/16/2010 7:31:10 PM - System Checkpoint
RP1269: 4/17/2010 7:32:36 PM - System Checkpoint
RP1270: 4/18/2010 11:32:36 PM - System Checkpoint
RP1271: 4/20/2010 3:30:55 AM - System Checkpoint
RP1272: 4/21/2010 3:32:37 AM - System Checkpoint
RP1273: 4/22/2010 7:33:02 AM - System Checkpoint
RP1274: 4/23/2010 11:29:34 AM - System Checkpoint
RP1275: 4/24/2010 11:34:01 AM - System Checkpoint
RP1276: 4/25/2010 11:34:20 AM - System Checkpoint
RP1277: 4/26/2010 3:30:46 PM - System Checkpoint
RP1278: 4/27/2010 7:01:10 PM - System Checkpoint
RP1279: 4/28/2010 7:30:05 PM - System Checkpoint
RP1280: 4/29/2010 7:33:20 PM - System Checkpoint
RP1281: 4/30/2010 7:34:09 PM - System Checkpoint
RP1282: 5/1/2010 11:34:11 PM - System Checkpoint
RP1283: 5/2/2010 11:35:10 PM - System Checkpoint
RP1284: 5/3/2010 11:35:25 PM - System Checkpoint
RP1285: 5/4/2010 11:35:47 PM - System Checkpoint
RP1286: 5/5/2010 11:36:12 PM - System Checkpoint
RP1287: 5/6/2010 11:50:39 PM - System Checkpoint
RP1288: 5/8/2010 4:06:45 AM - System Checkpoint
RP1289: 5/9/2010 7:36:55 AM - System Checkpoint
RP1290: 5/10/2010 7:37:35 AM - System Checkpoint
RP1291: 5/11/2010 11:35:37 AM - System Checkpoint
RP1292: 5/12/2010 11:37:50 AM - System Checkpoint
RP1293: 5/13/2010 3:37:47 PM - System Checkpoint
RP1294: 5/14/2010 3:38:04 PM - System Checkpoint
RP1295: 5/15/2010 4:53:35 PM - System Checkpoint
RP1296: 5/16/2010 11:20:25 PM - System Checkpoint
RP1297: 5/18/2010 12:53:06 AM - System Checkpoint
RP1298: 5/19/2010 1:33:00 AM - System Checkpoint
RP1299: 5/20/2010 4:53:59 AM - System Checkpoint
RP1300: 5/21/2010 7:48:24 AM - System Checkpoint
RP1301: 5/22/2010 11:48:23 AM - System Checkpoint
RP1302: 5/23/2010 3:48:24 PM - System Checkpoint
RP1303: 5/24/2010 7:48:23 PM - System Checkpoint
RP1304: 5/25/2010 9:03:02 PM - System Checkpoint
RP1305: 5/26/2010 11:48:31 PM - System Checkpoint
RP1306: 5/27/2010 11:49:26 PM - System Checkpoint
RP1307: 5/29/2010 4:15:56 AM - System Checkpoint
RP1308: 5/30/2010 7:49:26 AM - System Checkpoint
RP1309: 5/31/2010 12:29:39 PM - System Checkpoint
RP1310: 6/1/2010 5:07:37 PM - System Checkpoint
RP1311: 6/2/2010 8:01:20 PM - System Checkpoint
RP1312: 6/4/2010 12:37:46 AM - System Checkpoint
RP1313: 6/5/2010 1:40:08 AM - System Checkpoint
RP1314: 6/6/2010 5:39:25 AM - System Checkpoint
RP1315: 6/7/2010 5:40:27 AM - System Checkpoint
RP1316: 6/8/2010 9:40:29 AM - System Checkpoint
RP1317: 6/9/2010 9:41:07 AM - System Checkpoint
RP1318: 6/10/2010 1:40:32 PM - System Checkpoint
RP1319: 6/11/2010 1:40:45 PM - System Checkpoint
RP1320: 6/12/2010 1:41:10 PM - System Checkpoint
RP1321: 6/13/2010 5:40:55 PM - System Checkpoint
RP1322: 6/14/2010 10:47:06 PM - System Checkpoint
RP1323: 6/15/2010 11:08:51 PM - System Checkpoint
RP1324: 6/17/2010 12:54:04 AM - System Checkpoint
RP1325: 6/18/2010 4:54:00 AM - System Checkpoint
RP1326: 6/19/2010 8:54:02 AM - System Checkpoint
RP1327: 6/20/2010 12:54:03 PM - System Checkpoint
RP1328: 6/21/2010 4:54:00 PM - System Checkpoint
RP1329: 6/22/2010 8:54:01 PM - System Checkpoint
RP1330: 6/24/2010 12:54:05 AM - System Checkpoint
RP1331: 6/25/2010 12:57:33 AM - System Checkpoint
RP1332: 6/26/2010 1:08:38 AM - System Checkpoint
RP1333: 6/27/2010 4:54:08 AM - System Checkpoint
RP1334: 6/28/2010 4:55:05 AM - System Checkpoint
RP1335: 6/29/2010 8:55:06 AM - System Checkpoint
RP1336: 6/30/2010 9:43:31 AM - System Checkpoint
RP1337: 6/30/2010 9:23:50 PM - Configured easy Internet sign-up
RP1338: 6/30/2010 9:35:55 PM - Configured Hidden & Dangerous 2
RP1339: 6/30/2010 10:07:59 PM - Removed Ask Toolbar.
RP1340: 7/2/2010 2:24:04 AM - System Checkpoint
RP1341: 7/3/2010 4:51:43 AM - System Checkpoint
RP1342: 7/4/2010 4:55:43 AM - System Checkpoint
RP1343: 7/5/2010 8:55:09 AM - System Checkpoint

==== Installed Programs ======================


2Wire Wireless Client
Ad-Aware
Adobe Acrobat 5.0
Adobe AIR
Adobe Anchor Service CS3
Adobe Anchor Service CS4
Adobe Asset Services CS3
Adobe Bridge 1.0
Adobe Bridge CS3
Adobe Bridge CS4
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color Common Settings
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe Common File Installer
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS3
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash CS3
Adobe Flash CS3 Professional
Adobe Flash Media Encoder 2.5
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Video Encoder
Adobe Fonts All
Adobe Help Center 2.0
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe Linguistics CS4
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Premiere Pro 2.0
Adobe Reader 7.0
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Shockwave Player 11.5
Adobe Stock Photos 1.0
Adobe Type Support CS4
Adobe Update Manager CS3
Adobe Update Manager CS4
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Agere Systems PCI-SV92PP Soft Modem
AiO_Scan
AiO_Scan_CDA
AiOSoftware
AiOSoftwareNPI
Air USB Utility
AMD Dual-Core Optimizer
ATI Control Panel
ATI Display Driver
AutoUpdate
Avira AntiVir Personal - Free Antivirus
Babarosa Gif Animator 3.6 (Remove only)
BitLord 1.1
Borland C++Builder 6
BufferChm
CameraDrivers
CamStudio
Camtasia Studio 3
Camtasia Studio 5
Compatibility Pack for the 2007 Office system
Connect
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
cp_PosterPrintConfig
cp_UpdateProjectsConfig
CueTour
D-Fend v2
DefilerPak 1.22 (Remove Only)
Destinations
DeviceFunctionQFolder
DeviceManagementQFolder
DiscAPI (Studio 10)
DISCover
DivX
DocProc
DocumentViewer
DocumentViewerQFolder
DVRMSToolbox
Edmark 2D 3D Blox
ERUNT 1.1j
EXPStudio Audio Editor FREE 3.99a
Fax
Fax_CDA
FL Studio 6
Flash Decompiler
FTP Surfer
FullDPAppQFolder
Garry's Mod
GemMaster Mystic
Google Earth
Google Gears
Google Talk (remove only)
Google Toolbar for Internet Explorer
Google Update Helper
Google Video Uploader
GraphicsGale FreeEdition version 1.93.09
Half-Life(R) 2
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 10 (KB910393)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB952287)
HP Boot Optimizer
HP Deskjet 5400 series
HP Deskjet Printer Preload
HP DigitalMedia Archive
HP Document Viewer 5.3
HP DVD Play 1.0
HP Image Zone Express
HP Imaging Device Functions 6.0
HP Multimedia Keyboard Software
HP Photosmart 330,380,420,470,7800,8000,8200 Series
HP Photosmart Cameras 5.0
HP Photosmart for Media Center PC
HP Photosmart Premier Software 6.0
HP PSC & OfficeJet 5.3.A
HP PSC & OfficeJet 5.3.B
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
HP Web Helper
HPDeskjet5400Series
HPProductAssistant
HpSdpAppCoreApp
HUNT 1.0
Image Resizer Powertoy for Windows XP
InstantShareDevices
InterActual Player
InterBase 6.5
InterVideo DeviceService
InterVideo WinDVD 8
J2SE Runtime Environment 5.0 Update 5
Java(TM) 6 Update 11
Junk Mail filter update
Kid Pix Deluxe 3
kuler
Lernout & Hauspie TruVoice American English TTS Engine
LightScribe 1.4.62.1
LimeWire 5.1.3
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Flash MX 2004
Macromedia Shockwave Player
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft Application Error Reporting
Microsoft Away Mode
Microsoft Choice Guard
Microsoft Money 2006
Microsoft Office 2003 Edition 60 Days Trial Welcome Tour
Microsoft Office Professional Edition 2003
Microsoft Office Standard Edition 2003
Microsoft Plus! for Windows XP
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Works
Mozilla Firefox (3.5.10)
MP3 Audio Sound Recoder 1.42
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB925673)
MTV Music Generator
muvee autoProducer 4.5
muvee autoProducer unPlugged 1.2
MyDSC2
NanoQuest
NewCopy
NewCopy_CDA
NIOC Service
OneTouch Version 3.0
OptionalContentQFolder
Otto
PanoStandAlone
PaperPort 7.02
PDF Settings CS4
PhotoGallery
Photoshop Camera Raw
Pinnacle Instant DVD Recorder
Portal
proDAD Heroglyph 2.5
Project64 1.6
PS2
PSPrinters08
PSTAPlugin
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
RandMap
RAPID (Studio 10)
Readme
Remove IntelliMover Demo
Ricochet Lost Worlds
Roblox for HP_Administrator
Robot Arena
Robot Arena 2
Robot Wars Extreme Destruction
Robot Wars: Arenas of Destruction
RPG Maker 2000 1.05
RTP for RM2K (Png, Wav, Midi, Fonts)
Scan
ScannerCopy
ScreenPrint32 v3.5
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB960714)
SEE2 USB 2.0 VGA Adapter (Multiple) 9.02.0311.1153
Segoe UI
SkinsHP1
Skype™ 3.6
SmartFTP Client
SmartFTP Client 2.5 Setup Files (remove only)
SmartFTP Client 3.0 Setup Files (remove only)
SmartSound Quicktracks Plugin
SolutionCenter
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sonic_PrimoSDK
Source SDK Base
Spybot - Search & Destroy
Status
Steam
Steam(TM)
Stella 2.5.1
Studio 10
Studio 10 Bonus DVD
Suite Shared Configuration CS4
SWiSHmax
The Typing of The Dead
TrayApp
Trillian
Turbo Lister 2
Ulead VideoStudio 11
Uninstall TONKA Monster Trucks
Unload
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB953356)
Update for Windows XP (KB955839)
Update Rollup 2 for Windows XP Media Center Edition 2005
Updates from HP (remove only)
VideoStudio
VisiBroker for Cpp 4.5
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 0.9.8a
WebFldrs XP
WebReg
Winamp (remove only)
Windows Communication Foundation
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Live Writer
Windows Media Connect
Windows Media Format Runtime
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892050
Windows XP Hotfix - KB893066
Windows XP Media Center Edition 2005 KB908250
WinFF v0.28
WinRAR archiver
WZCBDL Service
XML Paper Specification Shared Components Pack 1.0
XviD MPEG-4 Video Codec
Yahoo! Install Manager
Zombie Driver

==== Event Viewer Messages From Past Week ========

7/6/2010 10:10:34 AM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer GBARDIN that believes that it is the master browser

for the domain on transport NetBT_Tcpip_{AB0F7788-10E2-4D56-9. The master browser is stopping or an election is being forced.
7/2/2010 10:27:23 PM, error: NetBT [4321] - The name "HOME :1d" could not be registered on the Interface with IP address 192.168.1.71. The machine with the IP

address 192.168.1.64 did not allow the name to be claimed by this machine.
6/30/2010 9:09:44 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'.

NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
6/30/2010 9:08:59 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server:

{E60687F7-01A1-40AA-86AC-DB1CBF673334}
6/30/2010 10:23:02 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server:

{9B1F122C-2982-4E91-AA8B-E071D54F2A4D}

==== End Of File ===========================

Thanks in advance,
RMIII :)
RMIII
2010-07-06, 21:57
I sincerely apologize for the double post, but every so often Ad-Aware will pop up with a notification that an .exe with various garbled names (that is a Trojan) has been blocked/quarantined. Not sure if this is related to the various iexplorer.exe process that continue to run or not, but I thought I would point this out.
IndiGenus
2010-07-11, 00:13
Hello RMIII and welcome to the forums.

:snwelcome:

Sorry for the delay in getting to your post.

Download MBRCheck.exe (http://ad13.geekstogo.com/MBRCheck.exe) to your desktop
Double click on MBRCheck.exe to run it

It will show a black screen with some data on it
Click on the black C:\ in the upper left hand corner of the black screen
Choose Edit > Select All > Press Enter to copy the data to your clip board
Press Enter again to close MBRCheck
Now open up notepad or wordpad and paste the data in (press Control+V)

Post the results in your reply
RMIII
2010-07-11, 02:48
Hey IndiGenus thanks for the reply! Here's the MBR log you requested. :)

MBRCheck, version 1.0.3
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\D: --> \\.\PhysicalDrive0

Size Device Name MBR Status
--------------------------------------------
279 GB \\.\PhysicalDrive0 Unknown MBR code


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
IndiGenus
2010-07-11, 02:50
What type of hard drive setup do you have? Single drive? 2 Drives? Is it a raid setup?
RMIII
2010-07-11, 02:54
What type of hard drive setup do you have? Single drive? 2 Drives? Is it a raid setup?

Drive C is my primary drive, Drive D is reserved for recovery and isn't used, it can't be written to. The reason why I have about a million drives that all say "Removable" is because my computer is a giant Media Center edition PC that has a built in card reader and two CD drives, plus an additional two virtual drives I set up, and finally that drive "N" is my flash drive.
RMIII
2010-07-11, 02:55
Drive C is my primary drive, Drive D is reserved for recovery and isn't used, it can't be written to. The reason why I have about a million drives that all say "Removable" is because my computer is a giant Media Center edition PC that has a built in card reader and two CD drives, plus an additional two virtual drives I set up, and finally that drive "N" is my flash drive.

Ah, shoot I can't edit posts. They do not show up in the report because they are currently disconnected (disconnected before malware infection) but Drives K and O are 500GB removable hard drives used for video storage for my work/job.
IndiGenus
2010-07-11, 03:00
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

Please read through all of the instructions before running the tool. Also make sure to allow it to install the recovery console.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
RMIII
2010-07-11, 03:24
I disabled Avira and Ad-Aware, ran ComboFix and it rebooted the PC. When I entered my admin password to log in it began its scan and prompted me to download a new Windows Update. I clicked "Yes" and ComboFix appears to be stuck now, with a blue screen filled with a line of #####'s and "100%" next to it, saying "Connecting to http://download.microsoft.com".

It's been like this for about 10 mins.
IndiGenus
2010-07-11, 03:31
Is it still stuck? Or did you close down the window?
RMIII
2010-07-11, 03:34
Is it still stuck? Or did you close down the window?

I didn't close anything, the instructions on the Bleeping Computer site said to leave it completely alone so I went to check on dinner and when I came back ComboFix had another prompt that said the installation was successful. It just didn't show any signs that it was doing anything, so it appears to be continuing as normal. Scared me for a second though, I thought perhaps the infection had stifled the ComboFix application.
IndiGenus
2010-07-11, 03:36
Okay good, that's what I was hoping. Is it still running? Post the log once done and I'll get back to you ASAP.
RMIII
2010-07-11, 03:41
Okay good, that's what I was hoping. Is it still running? Post the log once done and I'll get back to you ASAP.

Okay, no log yet, it just finished Stage 50 of the scan and is deleting files, it is currently deleting "Autorun.inf" from my D drive (the recovery drive) which has me kind of worried. The D drive cannot be written to, so unless perhaps this is part of the infection I'm slightly worried if this has the potential to kill my recovery capabilities in the future.
RMIII
2010-07-11, 03:56
ComboFix.txt Log:

ComboFix 10-07-10.01 - HP_Administrator 07/10/2010 20:30:26.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1458 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\popcaploader.inf
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-06-11 to 2010-07-11 )))))))))))))))))))))))))))))))
.

2010-07-11 01:18 . 2010-07-06 18:12 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-11 01:08 . 2010-07-11 01:08 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Sunbelt Software
2010-07-07 18:19 . 2010-07-07 18:19 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-07-07 01:07 . 2010-07-07 01:07 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-07-06 18:18 . 2010-07-06 18:18 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-07-06 18:12 . 2010-06-21 17:44 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-06 18:10 . 2010-07-06 18:11 -------- d-----w- c:\program files\ERUNT
2010-07-06 17:57 . 2010-07-06 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-06 17:57 . 2010-07-06 18:00 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-06 17:48 . 2010-07-06 17:48 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Sunbelt Software
2010-07-06 17:47 . 2010-07-06 17:47 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{90FF8911-FC06-4E49-8959-C3CF1CA226BB}
2010-07-06 17:47 . 2010-06-21 17:52 2978768 -c--a-w- c:\documents and settings\All Users\Application Data\{90FF8911-FC06-4E49-8959-C3CF1CA226BB}\Ad-AwareInstall.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-06 19:04 . 2006-02-22 15:28 -------- d-----w- c:\program files\Google
2010-07-06 19:01 . 2008-04-21 02:56 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-06 18:16 . 2006-11-02 21:25 -------- d-----w- c:\program files\Virtools
2010-07-06 17:45 . 2009-01-04 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-07-06 17:45 . 2006-06-03 20:43 -------- d-----w- c:\program files\Lavasoft
2010-07-05 04:38 . 2009-12-22 04:22 -------- d-----w- c:\program files\Trillian
2010-07-01 02:59 . 2006-06-09 07:27 -------- d-----w- c:\program files\Clash N Slash
2010-07-01 02:56 . 2006-09-16 04:31 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-07-01 02:56 . 2008-08-22 19:05 -------- d-----w- c:\program files\AVS4YOU
2010-07-01 02:54 . 2006-02-22 15:03 -------- d-----w- c:\program files\WildTangent
2010-07-01 02:36 . 2006-02-22 14:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-01 02:29 . 2009-05-14 00:24 -------- d-----w- c:\program files\The Crystal Key
2010-07-01 01:59 . 2006-06-05 03:53 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\LimeWire
2010-06-27 21:17 . 2007-03-30 03:02 -------- d-----w- c:\program files\WinFF
2010-06-17 21:22 . 2006-11-11 01:03 8654 ----a-w- c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2006-10-24 05:29 . 2007-04-22 23:07 2199552 ----a-w- c:\program files\tb_triforce_1_6.dll
2006-10-24 05:11 . 2007-04-22 23:07 3223552 ----a-w- c:\program files\tb_toad_1_2.dll
2006-10-24 04:38 . 2007-04-22 23:07 4542464 ----a-w- c:\program files\tb_peach_1_2.dll
2007-05-23 00:14 . 2007-07-30 05:16 8784 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-05-23 00:17 . 2007-07-30 05:16 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll
2010-03-22 03:40 . 2010-03-22 03:40 12208 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

<pre>
c:\program files\BitLord\Downloads\Reflexive Arcade Games\Strategy\Age of Castles .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCTCIDUtil"="c:\windows\system32\MCTCIDUtil.exe" [2007-11-14 315392]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"D-Link Air USB Utility"="c:\program files\D-Link\Air USB Utility\AirCFG.exe" [2003-07-23 2695168]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 213936]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 249856]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-04 136600]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"amd_dc_opt"="c:\program files\AMD\amd_dc_opt\amd_dc_opt.exe" [2006-06-28 106496]
"trutil0"="c:\windows\system32\trutil01.exe" [2008-02-26 253952]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2003-11-10 406016]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
c:\program files\AIM6\aim6.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
2005-08-03 00:19 77312 ----a-w- c:\windows\arpwrmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camfrog]
c:\program files\Camfrog\Camfrog Video Chat\CamfrogNet.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
2005-11-11 21:11 1064960 ----a-w- c:\program files\DISC\DISCover.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscUpdateManager]
2005-11-11 21:10 61440 ----a-w- c:\program files\DISC\DISCUpdateMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
2005-11-01 10:01 90112 ----a-w- c:\program files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gizmo Project]
c:\program files\Gizmo Project\Gizmo.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
c:\program files\LogMeIn\x86\LogMeInSystray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
2001-09-10 14:08 86016 ----a-w- c:\program files\Visioneer OneTouch\OneTouchMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\QuickTime\qttask.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]
c:\program files\SiteAdvisor\6261\SiteAdv.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-05-12 19:57 1238352 ----a-w- c:\program files\Valve\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
c:\program files\Common Files\Real\Update_OB\realsched.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2006-06-21 17:14 35328 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\radiofsoftware\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\radiofsoftware\\garrysmod\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\zombie driver\\Release\\ZombieDriver.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1626:TCP"= 1626:TCP:Robotrage
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R?2 WZCBDLService;WZCBDL Service;c:\program files\WZCBDL Service\WZCBDLS.exe [3/19/2002 12:15 PM 36864]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/6/2010 1:12 PM 64288]
R2 DVRMSFileWatcherService;DVRMSFileWatcherService;c:\program files\DVRMSToolbox\DVRMSFileWatcherService.exe [6/2/2006 9:58 AM 32768]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [6/21/2010 12:44 PM 1352832]
R2 NIOC;NIOC Service;c:\windows\system32\NIOC.sys [9/27/2002 6:21 PM 22912]
R2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [1/23/2008 12:50 AM 23200]
R3 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\AmdTools.sys [8/22/2006 2:55 AM 31744]
R3 PRISM_USB;D-Link Air DWL-122 Wireless USB Adapter Driver;c:\windows\system32\drivers\PRISMUSB.sys [6/2/2006 7:39 PM 636416]
R3 xMrMINI;xMrMINI;c:\windows\system32\drivers\xMrMINI.sys [8/3/2009 3:52 PM 247808]
R3 xVGAMINI;xVGAMINI;c:\windows\system32\drivers\xVGAMINI.sys [8/3/2009 3:52 PM 253184]
R3 xVGAUSB;USB 2.0 VGA DEVICE-1;c:\windows\system32\drivers\xvgausb.sys [8/3/2009 3:53 PM 34944]
S2 gupdate1c997c7df809ca6;Google Update Service (gupdate1c997c7df809ca6);c:\program files\Google\Update\GoogleUpdate.exe [2/25/2009 11:08 PM 133104]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [6/9/2006 2:19 AM 223128]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/2/2006 11:49 PM 643072]
.
Contents of the 'Scheduled Tasks' folder

2010-07-11 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-06-21 18:11]

2010-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-26 04:08]

2010-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-26 04:08]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\HP_Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: trymedia.com
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\t445rp2p.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\t445rp2p.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOFFICE.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll

---- FIREFOX POLICIES ----
c:\progra~1\MOZILL~1\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\progra~1\MOZILL~1\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\progra~1\MOZILL~1\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\progra~1\MOZILL~1\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-EXPStudio Audio Editor FREE 3.99a - c:\windows\EXPStudio Audio Editor FREE 3.99a



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-10 20:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,49,6f,05,12,ab,21,8b,40,9e,81,a7,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,49,6f,05,12,ab,21,8b,40,9e,81,a7,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-07-10 20:48:32
ComboFix-quarantined-files.txt 2010-07-11 01:48

Pre-Run: 46,659,485,696 bytes free
Post-Run: 47,856,984,064 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - E4BECE04FDB85344844B93D9013BB33B

----------------------------
[b]Addendum:
I noticed that after the reboot Internet Explorer now has a shortcut on my desktop, which it did not before. (FireFox also asked me to check if it's the default browser.) I have read from other people who have this infection that this has happened to them as well.
IndiGenus
2010-07-11, 04:09
Addendum:
I noticed that after the reboot Internet Explorer now has a shortcut on my desktop, which it did not before. (FireFox also asked me to check if it's the default browser.) I have read from other people who have this infection that this has happened to them as well.
That is part of the combofix routine, as it resets many things back to default settings. You can certainly remove the shortcut to IE if you don't want it there. I'm not sure why it's created?

How is it running at this point? My gut tells me you still have an infected MBR. aka the Black Internet you referred to in your initial post.

Please run the MBRCheck tool again and post the log. I would also like to run another tool from eSage to give us a "second opinion" on this.

Download Bootkit remover (http://www.esagelab.com/files/bootkit_remover.rar) to your desktop
This is a rar file if you do not have a programme to open it then download and install Peazip (http://www.filehippo.com/download_peazip/)

Extract Remover.exe to your desktop
Right click Remover.exe and select Run as Administrator
It will show a Black screen with some data on it
Right click on the screen and select > Select All
Press Control+C
Open a notepad and press Control+V

Post the resultant log here please
IndiGenus
2010-07-11, 04:11
Also, forgot to mention...


c:\program files\BitLord\Downloads\Reflexive Arcade Games\Strategy\Age of Castles .exe
This is part of another infection (note the space after Castles). I don't see the game still installed so I would suggest you go ahead and delete the Reflexive Arcade Games folder. Let me know if that's a problem.

I do see the Bitlord, along with Limewire installed. I can almost guarantee that's where the infection is from. Any thoughts on that?
RMIII
2010-07-11, 04:19
MBR Log:
MBRCheck, version 1.0.3
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\D: --> \\.\PhysicalDrive0

Size Device Name MBR Status
--------------------------------------------
279 GB \\.\PhysicalDrive0 Unknown MBR code


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

--------------------
Remover.exe
Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
MD5: 74c9b8a519aa05c22f46e134715d1f6f
\\.\D: -> \\.\PhysicalDrive0

Size Device Name MBR Status
--------------------------------------------
279 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Press any key to quit...
RMIII
2010-07-11, 04:23
Also, forgot to mention...
This is part of another infection (note the space after Castles). I don't see the game still installed so I would suggest you go ahead and delete the Reflexive Arcade Games folder. Let me know if that's a problem.

I do see the Bitlord, along with Limewire installed. I can almost guarantee that's where the infection is from. Any thoughts on that?

I did download the Reflexive Arcade game pack at the suggestion of a friend who said that Ricochet Lost Worlds was a good game, I couldn't find the download for just the 1 game though. I deleted the entire folder since I don't play the game these days. For the most part I downloaded BitLord because I download video game walkthroughs from tasvideos.org, which has HUGE filesizes so Torrent was the only reasonable way to go about doing it.

As for LimeWire, at the risk of having the RIAA sue me into third world poverty yes I have downloaded a few songs but I'm aware of the red flag signs of viruses from LimeWire. Unless it's possible to encode an executable into a file that can also be played in a media player everything I've ever downloaded should be safe. I never download movies, files, or executables from the service. I can remove both, though, if that is part of the clean up. :)
IndiGenus
2010-07-11, 04:34
I can remove both, though, if that is part of the clean up.

No need to uninstall them. I just like to make sure I warn people when I see them. P2P, bittorrents, etc... are probably one of the top ways people get infected with Malware. As you probably know all it takes is one innocent looking file and boom, you're infected.

Okay we're going to boot into the recovery console now to fix the Master Boot Record (MBR), which appears to be infected. We could use the other tools I have had you run to check them but I think this is the safest way to do it.

Reboot your computer and you will see the option to start the recovery console now. Select that and choose your windows installation. Enter an Admin. password if needed.

At the prompt type in fixmbr.

You will get a big ugly warning about non-standard mbr's and such but that's why I asked so many questions and I think we're good here.

Answer yes by typing Y then reboot. Run both of those MBR tools I had you run previously again and post the logs. Let me know how it's running too please.
RMIII
2010-07-11, 04:51
Currently I think it's hung on this screen:


1. C:\WINDOWS
2. I:\MiniNT
3. I:\I386

Which Windows installation would you like to log onto
(To cancel press ENTER)?

I am not sure what options 2 and 3 are, so I pressed 1. The screen displays a 1 followed by the underscore cursor (solid, not blinking) but other than that it's not doing anything.

I pressed 1 again to see if I'm supposed to hit Enter or something but it appears to be frozen, pressing 1 a second time didn't do anything. The HD light on the front of the computer also isn't flashing to imply that it's loading something.
IndiGenus
2010-07-11, 05:02
Yes, it will be number 1. Then press enter. That should bring up the prompt:

C:\WINDOWS>

Where you type fixmbr, then press enter.
RMIII
2010-07-11, 05:13
Yes, it will be number 1. Then press enter. That should bring up the prompt:

C:\WINDOWS>

Where you type fixmbr, then press enter.

Well I sure feel dumb. :P I didn't press Enter because I thought it would cancel the recovery console. It's been a while since I've used Command Prompt for anything, last time was on Windows 95 or 98 I think.

Anyway here are those two logs, different results this time it looks like!:

MBR Log
MBRCheck, version 1.0.3
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\D: --> \\.\PhysicalDrive0

Size Device Name MBR Status
--------------------------------------------
279 GB \\.\PhysicalDrive0 Windows XP MBR code detected


Done! Press ENTER to exit...

-----------------

Remover.exe
MBRCheck, version 1.0.3
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\D: --> \\.\PhysicalDrive0

Size Device Name MBR Status
--------------------------------------------
279 GB \\.\PhysicalDrive0 Windows XP MBR code detected


Done! Press ENTER to exit...
IndiGenus
2010-07-11, 05:17
Outstanding! :rockon:

Looks like the MBR is clean now. How's it running?

Use ATF Cleaner to remove temp files, cookies, cache, ect...
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Please download Malwarebytes' Anti-Malware from Here (http://www.malwarebytes.org/mbam-download.php)
Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select "Perform Quick Scan", then click Scan.

The scan may take some time to finish,so please be patient.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire report in your next reply along with a new DDS log.
RMIII
2010-07-11, 05:40
Malwarebytes Log
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4301

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

7/10/2010 10:37:08 PM
mbam-log-2010-07-10 (22-37-08).txt

Scan type: Quick scan
Objects scanned: 143899
Time elapsed: 13 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

-------------------------------------

DDS Log

DDS (Ver_10-03-17.01) - NTFSx86
Run by HP_Administrator at 22:38:12.87 on Sat 07/10/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1012 [GMT -5:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\dvrmstoolbox\dvrmsfilewatcherservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\trutil01.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\MCTCIDUtil.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [MCTCIDUtil] c:\windows\system32\MCTCIDUtil.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [D-Link Air USB Utility] c:\program files\d-link\air usb utility\AirCFG.exe
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\isuspm.exe" -scheduler
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [amd_dc_opt] "c:\program files\amd\amd_dc_opt\amd_dc_opt.exe"
mRun: [trutil0] c:\windows\system32\trutil01.exe
mRun: [PinnacleDriverCheck] c:\windows\system32\\PSDrvCheck.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\hp_administrator\start menu\programs\imvu\Run IMVU.lnk
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: trymedia.com
DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} - hxxp://zone.msn.com/bingame/trix/default/TriJinx.1.0.0.87.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} - hxxp://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} - hxxp://zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {64D01C7F-810D-446E-A07E-16C764235644} - hxxp://zone.msn.com/bingame/amad/default/atomaders.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://zone.msn.com/bingame/chnz/default/mjolauncher.cab
DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} - hxxp://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} - hxxp://cdn2.zone.msn.com/binframework/v10/ZAxRcMgr.cab31267.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} - hxxp://asp.mathxl.com/books/_Players/EconPlayer.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\t445rp2p.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\t445rp2p.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\google\google gears\firefox\lib\ff35\gears.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeploytk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npnul32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPOFFICE.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npRACtrl.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\progra~1\mozill~1\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\progra~1\mozill~1\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\progra~1\mozill~1\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\progra~1\mozill~1\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\progra~1\mozill~1\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\progra~1\mozill~1\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\progra~1\mozill~1\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-7-6 64288]
R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-1-3 11608]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-1-3 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-1-3 151297]
R2 DVRMSFileWatcherService;DVRMSFileWatcherService;c:\program files\dvrmstoolbox\DVRMSFileWatcherService.exe [2006-6-2 32768]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-6-21 1352832]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 NIOC;NIOC Service;c:\windows\system32\NIOC.sys [2002-9-27 22912]
R2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [2008-1-23 23200]
R2 WZCBDLService;WZCBDL Service;c:\program files\wzcbdl service\WZCBDLS.exe [2002-3-19 36864]
R3 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\AmdTools.sys [2006-8-22 31744]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-1-3 52056]
R3 PRISM_USB;D-Link Air DWL-122 Wireless USB Adapter Driver;c:\windows\system32\drivers\PRISMUSB.sys [2006-6-2 636416]
R3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2006-6-9 223128]
R3 xMrMINI;xMrMINI;c:\windows\system32\drivers\xMrMINI.sys [2009-8-3 247808]
R3 xVGAMINI;xVGAMINI;c:\windows\system32\drivers\xVGAMINI.sys [2009-8-3 253184]
R3 xVGAUSB;USB 2.0 VGA DEVICE-1;c:\windows\system32\drivers\xvgausb.sys [2009-8-3 34944]
S2 gupdate1c997c7df809ca6;Google Update Service (gupdate1c997c7df809ca6);c:\program files\google\update\GoogleUpdate.exe [2009-2-25 133104]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-07-11 03:22:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-11 03:22:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-11 03:22:20 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-11 01:18:44 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-11 01:13:55 0 d-sha-r- C:\cmdcons
2010-07-11 01:09:07 77312 ----a-w- c:\windows\MBR.exe
2010-07-11 01:09:06 98816 ----a-w- c:\windows\sed.exe
2010-07-11 01:09:06 256512 ----a-w- c:\windows\PEV.exe
2010-07-11 01:09:06 161792 ----a-w- c:\windows\SWREG.exe
2010-07-06 18:12:30 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-06 17:57:45 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-07-06 17:57:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-07-06 17:47:33 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{90FF8911-FC06-4E49-8959-C3CF1CA226BB}

==================== Find3M ====================

2010-06-17 21:22:10 8654 ----a-w- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
2006-10-24 05:29:02 2199552 ----a-w- c:\program files\tb_triforce_1_6.dll
2006-10-24 05:11:06 3223552 ----a-w- c:\program files\tb_toad_1_2.dll
2006-10-24 04:38:10 4542464 ----a-w- c:\program files\tb_peach_1_2.dll
2001-09-10 15:00:26 139264 ----a-w- c:\windows\inf\i386\Rtscan.dll
2001-09-10 14:10:36 61440 ----a-w- c:\windows\inf\i386\onetUSD.dll
2001-08-18 00:43:24 32768 ----a-w- c:\windows\inf\i386\Wiamicro.dll
2001-08-04 00:29:18 13824 ----a-w- c:\windows\inf\i386\usbscan.sys
2001-06-29 14:10:24 163840 ----a-w- c:\windows\inf\i386\viceo.dll
2010-03-22 03:40:38 12208 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 22:39:25.17 ===============
-------------------------------------

Attach Log
(see attachment)

---------------------------------------


Good news is I haven't had to reset the Wave levels once since we started the fix. :)
RMIII
2010-07-11, 05:48
Also, I just realized it is 11PM my time so I'm going to be out for the night, but any messages left here I will check for immediately tomorrow. :) Thank you so much for all your help thus far IndiGenus!
IndiGenus
2010-07-11, 15:45
1. Open Notepad

2. Now copy/paste the entire content of the codebox below into the Notepad window:



DDS::
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

Reglock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]




3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply: Combofix.txt A new DDS log. Just DDS.txt. .

***********************

Go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.


Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases

Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
RMIII
2010-07-11, 19:32
I performed the CFScript steps, but apparently between last night and today in Sleep Mode my computer re-activated Avira and Ad-Aware on me so when I ran it, Ad-Aware said that "pev.exe" is trying to modify the registry Allow/Deny, so I disabled AdWatch Live and followed suit with Avira. According to Task Manager there are 4 instances of pev.exe running as well as two instances of cmd.cfxxe, which I assume is Command Prompt.

Every few seconds my cursor turns into an hourglass but other than that there's no evidence of ComboFix doing anything, is it still running?
IndiGenus
2010-07-11, 19:45
Avira probably blocked it if it's still not doing anything. Try again, after disabling.
RMIII
2010-07-11, 19:50
Avira probably blocked it if it's still not doing anything. Try again, after disabling.

I tried again after turning everything off and it looks like it's working, the ComboFix loading bars appeared to load the program but after that it vanished, unless it's working in the background.
RMIII
2010-07-11, 19:54
The blue window is open now, titled "." and with nothing in it except a blinking cursor. It looks like I'm going to have to deal with Windows Update, though, because it keeps trying to reboot the computer and pops up with that countdown timer every 10 minutes.
IndiGenus
2010-07-11, 20:00
Please run and post a new DDS log. We're not doing very much new with combofix. Just cleaning up some dead entries and unlocking a reg key.

You can also let Win update do it's thing and run.
RMIII
2010-07-11, 20:02
Please run and post a new DDS log. We're not doing very much new with combofix. Just cleaning up some dead entries and unlocking a reg key.

You can also let Win update do it's thing and run.

Is it safe to close the window and reboot? It won't stop the middle of an important process and potentially mess anything up will it? Just want to make sure because I read about 3 warnings about ComboFix before I ran it.
IndiGenus
2010-07-11, 20:09
Is it safe to close the window and reboot? It won't stop the middle of an important process and potentially mess anything up will it? Just want to make sure because I read about 3 warnings about ComboFix before I ran it.
How long has it been going for? We probably want to let it finish whatever it's doing.
RMIII
2010-07-11, 20:11
How long has it been going for? We probably want to let it finish whatever it's doing.

Judging by the post where I mentioned it, plus the time required for me to get to my laptop and post I'd estimate about 20 minutes, but it just recently (while I was typing this) kicked back into action and said it had to disable my virtual CD drives for ComboFix to work, so apparently it IS still doing something.
RMIII
2010-07-11, 20:13
Er, now it appears to be displaying various errors of things failing to initialize because "the workstation is shutting down".

I didn't let Windows Update count all the way down, and it certainly doesn't LOOK like anything is getting ready to reboot or shut down.
IndiGenus
2010-07-11, 20:21
Alright, I have to head out for the next several hours. Let it do it's thing. If it shuts down or restarts just let it update and run DDS. Post the logs you have.
RMIII
2010-07-11, 20:43
Despite the blips ComboFix did it's thing, here is the log and the DDS report:

ComboFix.txt
ComboFix 10-07-10.01 - HP_Administrator 07/11/2010 13:24:10.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1435 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((( Files Created from 2010-06-11 to 2010-07-11 )))))))))))))))))))))))))))))))
.

2010-07-11 18:24 . 2010-07-11 18:24 -------- d-----w- c:\windows\LastGood
2010-07-11 17:28 . 2010-07-11 17:28 -------- d-----w- c:\program files\MSXML 6.0
2010-07-11 09:06 . 2010-07-11 09:06 -------- d-----w- c:\windows\ServicePackFiles
2010-07-11 09:05 . 2010-07-11 09:05 -------- d-----w- c:\windows\ie8updates
2010-07-11 03:44 . 2010-05-06 10:41 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-07-11 03:44 . 2010-05-06 10:41 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-07-11 03:44 . 2010-05-06 10:41 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-07-11 03:44 . 2010-05-06 10:41 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-07-11 03:44 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-07-11 03:44 . 2010-05-06 10:41 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-07-11 03:44 . 2010-05-06 10:41 11076096 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-07-11 03:22 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-11 03:22 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-11 03:22 . 2010-07-11 03:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-11 01:18 . 2010-07-06 18:12 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-11 01:08 . 2010-07-11 01:08 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Sunbelt Software
2010-07-07 18:19 . 2010-07-07 18:19 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-07-07 01:07 . 2010-07-07 01:07 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-07-06 18:18 . 2010-07-06 18:18 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-07-06 18:12 . 2010-06-21 17:44 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-06 18:10 . 2010-07-06 18:11 -------- d-----w- c:\program files\ERUNT
2010-07-06 17:57 . 2010-07-06 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-06 17:57 . 2010-07-06 18:00 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-06 17:48 . 2010-07-06 17:48 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Sunbelt Software
2010-07-06 17:47 . 2010-07-06 17:47 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{90FF8911-FC06-4E49-8959-C3CF1CA226BB}
2010-07-06 17:47 . 2010-06-21 17:52 2978768 -c--a-w- c:\documents and settings\All Users\Application Data\{90FF8911-FC06-4E49-8959-C3CF1CA226BB}\Ad-AwareInstall.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-11 18:16 . 2008-12-18 23:58 -------- d-----w- c:\program files\Microsoft Silverlight
2010-07-06 19:04 . 2006-02-22 15:28 -------- d-----w- c:\program files\Google
2010-07-06 19:01 . 2008-04-21 02:56 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-06 18:16 . 2006-11-02 21:25 -------- d-----w- c:\program files\Virtools
2010-07-06 17:45 . 2009-01-04 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-07-06 17:45 . 2006-06-03 20:43 -------- d-----w- c:\program files\Lavasoft
2010-07-05 04:38 . 2009-12-22 04:22 -------- d-----w- c:\program files\Trillian
2010-07-01 02:59 . 2006-06-09 07:27 -------- d-----w- c:\program files\Clash N Slash
2010-07-01 02:56 . 2006-09-16 04:31 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-07-01 02:56 . 2008-08-22 19:05 -------- d-----w- c:\program files\AVS4YOU
2010-07-01 02:54 . 2006-02-22 15:03 -------- d-----w- c:\program files\WildTangent
2010-07-01 02:36 . 2006-02-22 14:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-01 02:29 . 2009-05-14 00:24 -------- d-----w- c:\program files\The Crystal Key
2010-07-01 01:59 . 2006-06-05 03:53 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\LimeWire
2010-06-27 21:17 . 2007-03-30 03:02 -------- d-----w- c:\program files\WinFF
2010-06-17 21:22 . 2006-11-11 01:03 8654 ----a-w- c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2010-05-06 10:41 . 2004-08-09 21:00 916480 ----a-w- c:\windows\system32\wininet.dll
2006-10-24 05:29 . 2007-04-22 23:07 2199552 ----a-w- c:\program files\tb_triforce_1_6.dll
2006-10-24 05:11 . 2007-04-22 23:07 3223552 ----a-w- c:\program files\tb_toad_1_2.dll
2006-10-24 04:38 . 2007-04-22 23:07 4542464 ----a-w- c:\program files\tb_peach_1_2.dll
2007-05-23 00:14 . 2007-07-30 05:16 8784 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-05-23 00:17 . 2007-07-30 05:16 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll
2010-03-22 03:40 . 2010-03-22 03:40 12208 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-07-11_01.46.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-11 18:17 . 2010-07-11 18:17 16384 c:\windows\Temp\Perflib_Perfdata_358.dat
+ 2005-05-26 09:16 . 2009-08-07 00:24 44768 c:\windows\system32\wups2.dll
+ 2004-08-09 21:00 . 2009-08-07 00:24 35552 c:\windows\system32\wups.dll
+ 2004-08-09 21:00 . 2009-08-07 00:24 53472 c:\windows\system32\wuauclt.exe
+ 2007-01-29 08:58 . 2010-04-21 13:28 46080 c:\windows\system32\tzchange.exe
+ 2010-07-11 03:12 . 2009-08-07 00:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll
+ 2010-07-11 03:12 . 2009-08-07 00:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
- 2005-08-30 21:07 . 2010-07-11 01:12 71844 c:\windows\system32\perfc009.dat
+ 2005-08-30 21:07 . 2010-07-11 18:22 71844 c:\windows\system32\perfc009.dat
+ 2009-03-08 09:31 . 2010-05-06 10:41 55296 c:\windows\system32\msfeedsbs.dll
- 2009-03-08 09:31 . 2009-03-08 09:31 55296 c:\windows\system32\msfeedsbs.dll
+ 2004-08-09 21:00 . 2010-05-06 10:41 25600 c:\windows\system32\jsproxy.dll
- 2004-08-09 21:00 . 2009-03-08 09:33 25600 c:\windows\system32\jsproxy.dll
+ 2004-08-09 21:00 . 2009-08-07 00:24 35552 c:\windows\system32\dllcache\wups.dll
+ 2004-08-09 21:00 . 2009-08-07 00:24 53472 c:\windows\system32\dllcache\wuauclt.exe
- 2004-08-09 21:00 . 2009-03-08 09:33 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2004-08-09 21:00 . 2010-05-06 10:41 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2004-08-09 21:00 . 2009-08-07 00:24 96480 c:\windows\system32\dllcache\cdm.dll
+ 2004-08-09 21:00 . 2010-01-13 14:10 85504 c:\windows\system32\dllcache\cabview.dll
+ 2004-08-09 21:00 . 2009-08-07 00:24 96480 c:\windows\system32\cdm.dll
+ 2004-08-09 21:00 . 2010-01-13 14:10 85504 c:\windows\system32\cabview.dll
+ 2009-06-25 00:56 . 2009-06-25 00:56 73728 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe
- 2007-04-14 01:58 . 2007-04-14 01:58 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
+ 2008-05-28 05:49 . 2008-05-28 05:49 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
+ 2008-05-28 05:49 . 2008-05-28 05:49 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
- 2007-04-14 01:57 . 2007-04-14 01:57 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2008-05-28 05:49 . 2008-05-28 05:49 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2007-04-14 01:57 . 2007-04-14 01:57 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2007-04-14 02:30 . 2007-04-14 02:30 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2008-05-28 06:30 . 2008-05-28 06:30 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2004-09-29 23:11 . 2009-06-24 17:56 86016 c:\windows\Microsoft.NET\Framework\v1.0.3705\ToGac.exe
+ 2004-10-07 22:36 . 2009-06-24 17:56 73728 c:\windows\Microsoft.NET\Framework\v1.0.3705\SetRegNI.exe
- 2004-08-03 21:12 . 2007-01-02 21:29 86016 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorld.dll
+ 2004-08-03 21:12 . 2009-06-24 03:01 86016 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorld.dll
- 2004-08-03 21:12 . 2007-01-02 21:29 73728 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorie.dll
+ 2004-08-03 21:12 . 2009-06-24 03:01 73728 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorie.dll
- 2004-08-03 21:11 . 2007-01-02 21:34 32768 c:\windows\Microsoft.NET\Framework\v1.0.3705\aspnet_wp.exe
+ 2004-08-03 21:11 . 2009-06-24 03:12 32768 c:\windows\Microsoft.NET\Framework\v1.0.3705\aspnet_wp.exe
+ 2002-06-21 16:31 . 2009-06-24 03:12 32768 c:\windows\Microsoft.NET\Framework\v1.0.3705\aspnet_state.exe
- 2002-06-21 16:31 . 2002-06-21 16:31 32768 c:\windows\Microsoft.NET\Framework\v1.0.3705\aspnet_state.exe
+ 2010-07-11 09:05 . 2010-07-11 09:05 32768 c:\windows\Installer\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}\icon.exe
+ 2006-02-22 15:13 . 2010-07-11 17:21 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2006-02-22 15:13 . 2008-12-11 09:07 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2006-02-22 15:13 . 2010-07-11 17:21 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2006-02-22 15:13 . 2008-12-11 09:07 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2006-02-22 15:13 . 2010-07-11 17:21 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2006-02-22 15:13 . 2008-12-11 09:07 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2006-02-22 15:13 . 2010-07-11 17:21 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2006-02-22 15:13 . 2008-12-11 09:07 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2006-09-01 01:29 . 2008-12-11 09:06 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2006-09-01 01:29 . 2010-07-11 17:21 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2006-09-01 01:29 . 2010-07-11 17:21 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2006-09-01 01:29 . 2008-12-11 09:06 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2006-09-01 01:29 . 2008-12-11 09:06 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2006-09-01 01:29 . 2010-07-11 17:21 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2006-09-01 01:29 . 2008-12-11 09:06 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2006-09-01 01:29 . 2010-07-11 17:21 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2006-09-01 01:29 . 2010-07-11 17:21 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2006-09-01 01:29 . 2008-12-11 09:06 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2006-09-01 01:29 . 2008-12-11 09:06 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2006-09-01 01:29 . 2010-07-11 17:21 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2007-03-23 00:05 . 2007-03-23 00:05 97632 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\PP7X32.DLL
+ 2007-03-23 00:13 . 2007-03-23 00:13 23904 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\IPDMCTRL.DLL
+ 2010-07-11 17:22 . 2009-03-08 09:33 12288 c:\windows\ie8updates\KB982381-IE8\xpshims.dll
+ 2010-07-11 17:22 . 2009-03-08 09:31 55296 c:\windows\ie8updates\KB982381-IE8\msfeedsbs.dll
+ 2010-07-11 17:22 . 2009-03-08 09:33 25600 c:\windows\ie8updates\KB982381-IE8\jsproxy.dll
+ 2010-07-11 17:17 . 2010-07-11 17:17 90112 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_ecfb2d75\System.Drawing.Design.dll
+ 2010-07-11 17:17 . 2010-07-11 17:17 61440 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_fa95f330\CustomMarshalers.dll
+ 2010-07-11 09:02 . 2010-07-11 09:02 90112 c:\windows\assembly\NativeImages1_v1.0.3705\System.Drawing.Design\1.0.3300.0__b03f5f7f11d50a3a_c1e00650\System.Drawing.Design.dll
+ 2010-07-11 09:02 . 2010-07-11 09:02 61440 c:\windows\assembly\NativeImages1_v1.0.3705\CustomMarshalers\1.0.3300.0__b03f5f7f11d50a3a_33431662\CustomMarshalers.dll
+ 2004-07-19 17:54 . 2009-06-29 16:57 8192 c:\windows\Microsoft.NET\Framework\v1.0.3705\IEExec.exe
- 2004-07-19 17:54 . 2007-01-02 21:29 8192 c:\windows\Microsoft.NET\Framework\v1.0.3705\IEExec.exe
- 2006-02-22 15:13 . 2008-12-11 09:07 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2006-02-22 15:13 . 2010-07-11 17:21 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2006-09-01 01:29 . 2008-12-11 09:06 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2006-09-01 01:29 . 2010-07-11 17:21 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2009-07-12 05:02 . 2009-07-12 05:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2004-08-09 21:00 . 2009-08-07 00:24 209632 c:\windows\system32\wuweb.dll
+ 2004-08-09 21:00 . 2009-08-07 00:24 327896 c:\windows\system32\wucltui.dll
+ 2004-08-09 21:00 . 2009-08-07 00:23 575704 c:\windows\system32\wuapi.dll
+ 2004-08-09 21:00 . 2009-07-13 15:08 286720 c:\windows\system32\wmpdxm.dll
+ 2004-08-09 21:00 . 2009-12-24 07:05 177664 c:\windows\system32\wintrust.dll
+ 2004-08-09 21:00 . 2010-03-10 06:15 420352 c:\windows\system32\vbscript.dll
- 2004-08-09 21:00 . 2009-03-08 09:33 420352 c:\windows\system32\vbscript.dll
- 2005-08-30 21:07 . 2010-07-11 01:12 440936 c:\windows\system32\perfh009.dat
+ 2005-08-30 21:07 . 2010-07-11 18:22 440936 c:\windows\system32\perfh009.dat
+ 2004-08-09 21:00 . 2010-05-06 10:41 206848 c:\windows\system32\occache.dll
+ 2008-03-14 00:56 . 2009-08-07 00:23 215920 c:\windows\system32\muweb.dll
+ 2008-03-14 00:56 . 2009-08-07 00:23 274288 c:\windows\system32\mucltui.dll
+ 2004-08-09 21:00 . 2009-06-05 07:42 655872 c:\windows\system32\mstscax.dll
- 2004-08-09 21:00 . 2009-03-08 09:32 611840 c:\windows\system32\mstime.dll
+ 2004-08-09 21:00 . 2010-05-06 10:41 611840 c:\windows\system32\mstime.dll
+ 2009-03-08 09:32 . 2010-05-06 10:41 599040 c:\windows\system32\msfeeds.dll
+ 2004-08-09 21:00 . 2009-06-22 06:44 726528 c:\windows\system32\jscript.dll
- 2004-08-09 21:00 . 2009-03-08 09:33 726528 c:\windows\system32\jscript.dll
+ 2004-08-09 21:00 . 2010-05-06 10:41 184320 c:\windows\system32\iepeers.dll
+ 2004-08-09 21:00 . 2010-05-06 10:41 387584 c:\windows\system32\iedkcs32.dll
- 2004-08-09 21:00 . 2009-03-08 09:32 173056 c:\windows\system32\ie4uinit.exe
+ 2004-08-09 21:00 . 2010-05-05 13:30 173056 c:\windows\system32\ie4uinit.exe
+ 2004-08-09 21:00 . 2009-08-07 00:24 209632 c:\windows\system32\dllcache\wuweb.dll
+ 2004-08-09 21:00 . 2009-08-07 00:24 327896 c:\windows\system32\dllcache\wucltui.dll
+ 2004-08-09 21:00 . 2009-08-07 00:23 575704 c:\windows\system32\dllcache\wuapi.dll
+ 2004-08-09 21:00 . 2008-04-21 10:02 215552 c:\windows\system32\dllcache\wordpad.exe
+ 2004-08-09 21:00 . 2009-07-13 15:08 286720 c:\windows\system32\dllcache\wmpdxm.dll
+ 2004-08-09 21:00 . 2009-12-24 07:05 177664 c:\windows\system32\dllcache\wintrust.dll
+ 2004-08-09 21:00 . 2010-05-06 10:41 916480 c:\windows\system32\dllcache\wininet.dll
- 2004-08-09 21:00 . 2009-03-08 09:33 420352 c:\windows\system32\dllcache\vbscript.dll
+ 2004-08-09 21:00 . 2010-03-10 06:15 420352 c:\windows\system32\dllcache\vbscript.dll
+ 2004-08-09 21:00 . 2010-05-06 10:41 206848 c:\windows\system32\dllcache\occache.dll
+ 2004-08-09 21:00 . 2009-06-05 07:42 655872 c:\windows\system32\dllcache\mstscax.dll
+ 2004-08-09 21:00 . 2010-05-06 10:41 611840 c:\windows\system32\dllcache\mstime.dll
- 2004-08-09 21:00 . 2009-03-08 09:32 611840 c:\windows\system32\dllcache\mstime.dll
- 2004-08-09 21:00 . 2009-03-08 09:33 726528 c:\windows\system32\dllcache\jscript.dll
+ 2004-08-09 21:00 . 2009-06-22 06:44 726528 c:\windows\system32\dllcache\jscript.dll
+ 2004-08-09 21:00 . 2010-05-06 10:41 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2004-08-09 21:00 . 2010-05-06 10:41 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2004-08-09 21:00 . 2010-05-05 13:30 173056 c:\windows\system32\dllcache\ie4uinit.exe
- 2004-08-09 21:00 . 2009-03-08 09:32 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2008-05-28 05:49 . 2008-05-28 05:49 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2007-04-14 01:58 . 2007-04-14 01:58 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2007-04-14 01:56 . 2007-04-14 01:56 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2008-05-28 05:48 . 2008-05-28 05:48 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2008-05-28 06:30 . 2008-05-28 06:30 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
- 2007-04-14 02:30 . 2007-04-14 02:30 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
- 2004-07-19 17:54 . 2004-07-19 17:54 303104 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorjit.dll
+ 2004-07-19 17:54 . 2009-06-24 02:59 303104 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorjit.dll
+ 2004-08-03 21:11 . 2009-06-24 03:12 200704 c:\windows\Microsoft.NET\Framework\v1.0.3705\aspnet_isapi.dll
- 2004-08-03 21:11 . 2007-01-02 21:34 200704 c:\windows\Microsoft.NET\Framework\v1.0.3705\aspnet_isapi.dll
+ 2010-07-11 17:42 . 2010-07-11 17:42 969728 c:\windows\Installer\3090ca7.msi
+ 2010-07-11 17:15 . 2010-07-11 17:15 195584 c:\windows\Installer\3090c27.msi
+ 2010-07-11 09:05 . 2010-07-11 09:05 429568 c:\windows\Installer\145b8ea.msi
- 2006-02-22 15:13 . 2008-12-11 09:07 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2006-02-22 15:13 . 2010-07-11 17:21 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2006-02-22 15:13 . 2008-12-11 09:07 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2006-02-22 15:13 . 2010-07-11 17:21 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2006-02-22 15:13 . 2008-12-11 09:07 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2006-02-22 15:13 . 2010-07-11 17:21 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2006-02-22 15:13 . 2008-12-11 09:07 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2006-02-22 15:13 . 2010-07-11 17:21 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2006-02-22 15:13 . 2010-07-11 17:21 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2006-02-22 15:13 . 2008-12-11 09:07 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2006-09-01 01:29 . 2008-12-11 09:06 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2006-09-01 01:29 . 2010-07-11 17:21 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2006-09-01 01:29 . 2010-07-11 17:21 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2006-09-01 01:29 . 2008-12-11 09:06 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2006-09-01 01:29 . 2010-07-11 17:21 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2006-09-01 01:29 . 2008-12-11 09:06 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2006-09-01 01:29 . 2008-12-11 09:06 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2006-09-01 01:29 . 2010-07-11 17:21 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2006-09-01 01:29 . 2008-12-11 09:06 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2006-09-01 01:29 . 2010-07-11 17:21 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2006-09-01 01:29 . 2008-12-11 09:06 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2006-09-01 01:29 . 2010-07-11 17:21 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2008-07-23 21:10 . 2008-07-23 21:10 103776 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\IPATHPIA.DLL
+ 2010-07-11 17:22 . 2009-03-08 09:34 914944 c:\windows\ie8updates\KB982381-IE8\wininet.dll
+ 2010-07-11 17:22 . 2010-02-22 14:23 382840 c:\windows\ie8updates\KB982381-IE8\spuninst\updspapi.dll
+ 2010-07-11 17:22 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB982381-IE8\spuninst\spuninst.exe
+ 2010-07-11 17:22 . 2009-03-08 09:34 109568 c:\windows\ie8updates\KB982381-IE8\occache.dll
+ 2010-07-11 17:22 . 2009-03-08 09:32 611840 c:\windows\ie8updates\KB982381-IE8\mstime.dll
+ 2010-07-11 17:22 . 2009-03-08 09:32 594432 c:\windows\ie8updates\KB982381-IE8\msfeeds.dll
+ 2010-07-11 17:22 . 2009-03-08 09:33 246784 c:\windows\ie8updates\KB982381-IE8\ieproxy.dll
+ 2010-07-11 17:22 . 2009-03-08 09:31 183808 c:\windows\ie8updates\KB982381-IE8\iepeers.dll
+ 2010-07-11 17:22 . 2009-03-08 09:35 742912 c:\windows\ie8updates\KB982381-IE8\iedvtool.dll
+ 2010-07-11 17:22 . 2009-03-08 19:09 391536 c:\windows\ie8updates\KB982381-IE8\iedkcs32.dll
+ 2010-07-11 17:22 . 2009-03-08 09:32 173056 c:\windows\ie8updates\KB982381-IE8\ie4uinit.exe
+ 2010-07-11 17:20 . 2009-03-08 09:33 420352 c:\windows\ie8updates\KB981332-IE8\vbscript.dll
+ 2010-07-11 17:20 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB981332-IE8\spuninst\updspapi.dll
+ 2010-07-11 17:20 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB981332-IE8\spuninst\spuninst.exe
+ 2010-07-11 09:05 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\spuninst\updspapi.dll
+ 2010-07-11 09:05 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst\spuninst.exe
+ 2010-07-11 09:05 . 2009-03-08 09:33 726528 c:\windows\ie8updates\KB971961-IE8\jscript.dll
+ 2004-08-10 03:11 . 2009-08-18 15:55 179712 c:\windows\ehome\ehkeyctl.dll
+ 2010-07-11 17:18 . 2010-07-11 17:18 835584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_1fbc7524\System.Drawing.dll
+ 2010-07-11 17:23 . 2010-07-11 17:23 192512 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_6547e81b\System.Drawing.Design.dll
+ 2010-07-11 17:22 . 2010-07-11 17:22 118784 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_2a82bbd0\CustomMarshalers.dll
+ 2010-07-11 09:02 . 2010-07-11 09:02 847872 c:\windows\assembly\NativeImages1_v1.0.3705\System.Drawing\1.0.3300.0__b03f5f7f11d50a3a_4b56e27b\System.Drawing.dll
+ 2010-07-11 09:03 . 2010-07-11 09:03 111624 c:\windows\assembly\GAC\Microsoft.Office.Interop.InfoPath\11.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.InfoPath.dll
+ 2010-07-11 18:18 . 2010-07-11 18:18 122880 c:\windows\assembly\GAC\ehiwmp\6.0.3000.0__31bf3856ad364e35\ehiwmp.dll
- 2006-02-22 14:30 . 2006-02-22 14:30 122880 c:\windows\assembly\GAC\ehiwmp\6.0.3000.0__31bf3856ad364e35\ehiwmp.dll
+ 2009-07-21 05:03 . 2009-07-21 05:03 1348432 c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9876.0_x-ww_a621d1d5\msxml4.dll
+ 2004-08-09 21:00 . 2009-08-07 00:23 1929952 c:\windows\system32\wuaueng.dll
+ 2004-08-09 21:00 . 2010-04-03 09:27 2334720 c:\windows\system32\WMVCore.dll
+ 2004-08-09 21:00 . 2009-07-13 15:08 5537792 c:\windows\system32\wmp.dll
- 2004-08-09 21:00 . 2007-04-30 13:20 5537792 c:\windows\system32\wmp.dll
+ 2004-08-09 21:00 . 2010-05-06 10:41 1209344 c:\windows\system32\urlmon.dll
+ 2009-08-19 22:07 . 2009-08-19 22:07 1415000 c:\windows\system32\msxml6.dll
+ 2009-07-21 05:05 . 2009-07-21 05:05 1348432 c:\windows\system32\msxml4.dll
+ 2004-08-09 21:00 . 2009-07-31 04:57 1172480 c:\windows\system32\msxml3.dll
+ 2004-08-09 21:00 . 2010-05-06 10:41 5950976 c:\windows\system32\mshtml.dll
+ 2009-03-08 09:32 . 2010-05-06 10:41 1985536 c:\windows\system32\iertutil.dll
+ 2004-08-09 21:00 . 2009-08-07 00:23 1929952 c:\windows\system32\dllcache\wuaueng.dll
+ 2004-08-09 21:00 . 2010-04-03 09:27 2334720 c:\windows\system32\dllcache\WMVCore.dll
+ 2004-08-09 21:00 . 2009-07-13 15:08 5537792 c:\windows\system32\dllcache\wmp.dll
- 2004-08-09 21:00 . 2007-04-30 13:20 5537792 c:\windows\system32\dllcache\wmp.dll
+ 2004-08-09 21:00 . 2010-05-06 10:41 1209344 c:\windows\system32\dllcache\urlmon.dll
+ 2004-08-09 21:00 . 2009-07-31 04:57 1172480 c:\windows\system32\dllcache\msxml3.dll
+ 2004-08-09 21:00 . 2010-05-06 10:41 5950976 c:\windows\system32\dllcache\mshtml.dll
- 2004-08-09 21:00 . 2004-08-09 21:00 3555328 c:\windows\system32\dllcache\moviemk.exe
+ 2004-08-09 21:00 . 2009-10-23 14:27 3555328 c:\windows\system32\dllcache\moviemk.exe
- 2007-04-14 02:35 . 2007-04-14 02:35 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
+ 2008-05-28 06:35 . 2008-05-28 06:35 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
+ 2008-05-28 06:35 . 2008-05-28 06:35 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
- 2007-04-14 02:35 . 2007-04-14 02:35 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
+ 2008-05-28 05:48 . 2008-05-28 05:48 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
- 2007-04-14 01:57 . 2007-04-14 01:57 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2008-05-28 05:48 . 2008-05-28 05:48 2523136 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
- 2007-04-14 01:57 . 2007-04-14 01:57 2523136 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
+ 2008-05-28 05:43 . 2008-05-28 05:43 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
- 2007-04-14 01:50 . 2007-04-14 01:50 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2004-07-19 17:54 . 2009-06-29 16:58 1200128 c:\windows\Microsoft.NET\Framework\v1.0.3705\System.Web.dll
- 2004-07-19 17:54 . 2007-01-02 21:40 1200128 c:\windows\Microsoft.NET\Framework\v1.0.3705\System.Web.dll
- 2004-07-19 17:54 . 2007-01-02 21:28 2281472 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
+ 2004-07-19 17:54 . 2009-06-24 03:00 2281472 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
+ 2004-07-19 17:54 . 2009-06-24 03:00 2273280 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorsvr.dll
- 2004-07-19 17:54 . 2007-01-02 21:28 2273280 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorsvr.dll
- 2004-07-19 17:54 . 2007-01-02 21:21 1998848 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorlib.dll
+ 2004-07-19 17:54 . 2009-06-29 16:58 1998848 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorlib.dll
+ 2009-12-17 03:58 . 2009-12-17 03:58 5382144 c:\windows\Installer\3090c7c.msp
+ 2009-09-29 14:08 . 2009-09-29 14:08 6747648 c:\windows\Installer\3090c53.msp
+ 2010-05-03 21:06 . 2010-05-03 21:06 5053952 c:\windows\Installer\145b8d0.msp
+ 2010-03-30 17:34 . 2010-03-30 17:34 3826688 c:\windows\Installer\145b8b8.msp
+ 2007-04-19 18:49 . 2007-04-19 18:49 1661280 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\PPTVIEW.EXE
+ 2007-04-30 19:57 . 2007-04-30 19:57 7084384 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\INFOPATH.EXE
+ 2010-07-11 17:22 . 2009-03-08 09:34 1206784 c:\windows\ie8updates\KB982381-IE8\urlmon.dll
+ 2010-07-11 17:22 . 2009-03-08 09:41 5937152 c:\windows\ie8updates\KB982381-IE8\mshtml.dll
+ 2010-07-11 17:22 . 2009-03-08 09:32 1985024 c:\windows\ie8updates\KB982381-IE8\iertutil.dll
+ 2010-07-11 17:17 . 2010-07-11 17:17 1966080 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_fa5d297b\System.dll
+ 2010-07-11 17:22 . 2010-07-11 17:22 4792320 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_1c83db5f\System.dll
+ 2010-07-11 17:17 . 2010-07-11 17:17 2088960 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_e88cfbaa\System.Xml.dll
+ 2010-07-11 17:23 . 2010-07-11 17:23 5513216 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_e325d47f\System.Xml.dll
+ 2010-07-11 17:17 . 2010-07-11 17:17 3018752 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_b9557784\System.Windows.Forms.dll
+ 2010-07-11 17:23 . 2010-07-11 17:23 7884800 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_67c8a858\System.Windows.Forms.dll
+ 2010-07-11 17:24 . 2010-07-11 17:24 2244608 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_0fab4b1f\System.Drawing.dll
+ 2010-07-11 17:24 . 2010-07-11 17:24 3395584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_e1485b98\System.Design.dll
+ 2010-07-11 17:18 . 2010-07-11 17:18 1470464 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_56d9d2e0\System.Design.dll
+ 2010-07-11 17:19 . 2010-07-11 17:19 3391488 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_e91d86a1\mscorlib.dll
+ 2010-07-11 17:25 . 2010-07-11 17:25 8908800 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_bd06077e\mscorlib.dll
+ 2010-07-11 09:02 . 2010-07-11 09:02 1855488 c:\windows\assembly\NativeImages1_v1.0.3705\System\1.0.3300.0__b77a5c561934e089_d7474b41\System.dll
+ 2010-07-11 09:02 . 2010-07-11 09:02 2027520 c:\windows\assembly\NativeImages1_v1.0.3705\System.Xml\1.0.3300.0__b77a5c561934e089_f0f6e3be\System.Xml.dll
+ 2010-07-11 09:02 . 2010-07-11 09:02 2953216 c:\windows\assembly\NativeImages1_v1.0.3705\System.Windows.Forms\1.0.3300.0__b77a5c561934e089_2bfc1407\System.Windows.Forms.dll
+ 2010-07-11 09:02 . 2010-07-11 09:02 1454080 c:\windows\assembly\NativeImages1_v1.0.3705\System.Design\1.0.3300.0__b03f5f7f11d50a3a_6408680c\System.Design.dll
+ 2010-07-11 09:02 . 2010-07-11 09:02 3301376 c:\windows\assembly\NativeImages1_v1.0.3705\mscorlib\1.0.3300.0__b77a5c561934e089_734534f4\mscorlib.dll
- 2007-07-11 18:28 . 2007-07-11 18:28 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2010-07-11 17:16 . 2010-07-11 17:16 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2010-07-11 17:16 . 2010-07-11 17:16 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
- 2007-07-11 18:28 . 2007-07-11 18:28 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
- 2007-07-11 18:27 . 2007-07-11 18:27 1200128 c:\windows\assembly\GAC\System.Web\1.0.3300.0__b03f5f7f11d50a3a\System.Web.dll
+ 2010-07-11 09:02 . 2010-07-11 09:02 1200128 c:\windows\assembly\GAC\System.Web\1.0.3300.0__b03f5f7f11d50a3a\System.Web.dll
+ 2009-03-08 09:39 . 2010-05-06 10:41 11076096 c:\windows\system32\ieframe.dll
+ 2009-08-11 02:08 . 2009-08-11 02:08 11315712 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp
+ 2010-07-11 17:29 . 2010-07-11 17:29 15710720 c:\windows\Installer\3090ca0.msp
+ 2009-08-10 19:09 . 2009-08-10 19:09 17254912 c:\windows\Installer\3090c3e.msp
+ 2010-07-11 17:22 . 2009-03-08 09:39 11063808 c:\windows\ie8updates\KB982381-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCTCIDUtil"="c:\windows\system32\MCTCIDUtil.exe" [2007-11-14 315392]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"D-Link Air USB Utility"="c:\program files\D-Link\Air USB Utility\AirCFG.exe" [2003-07-23 2695168]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 213936]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 249856]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-04 136600]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"amd_dc_opt"="c:\program files\AMD\amd_dc_opt\amd_dc_opt.exe" [2006-06-28 106496]
"trutil0"="c:\windows\system32\trutil01.exe" [2008-02-26 253952]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2003-11-10 406016]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
2005-08-03 00:19 77312 ----a-w- c:\windows\arpwrmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
2005-11-11 21:11 1064960 ----a-w- c:\program files\DISC\DISCover.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscUpdateManager]
2005-11-11 21:10 61440 ----a-w- c:\program files\DISC\DISCUpdateMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
2005-11-01 10:01 90112 ----a-w- c:\program files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
2001-09-10 14:08 86016 ----a-w- c:\program files\Visioneer OneTouch\OneTouchMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-05-12 19:57 1238352 ----a-w- c:\program files\Valve\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2006-06-21 17:14 35328 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\radiofsoftware\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\radiofsoftware\\garrysmod\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\zombie driver\\Release\\ZombieDriver.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1626:TCP"= 1626:TCP:Robotrage
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R?2 WZCBDLService;WZCBDL Service;c:\program files\WZCBDL Service\WZCBDLS.exe [3/19/2002 12:15 PM 36864]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/6/2010 1:12 PM 64288]
R2 DVRMSFileWatcherService;DVRMSFileWatcherService;c:\program files\DVRMSToolbox\DVRMSFileWatcherService.exe [6/2/2006 9:58 AM 32768]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [6/21/2010 12:44 PM 1352832]
R2 NIOC;NIOC Service;c:\windows\system32\NIOC.sys [9/27/2002 6:21 PM 22912]
R2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [1/23/2008 12:50 AM 23200]
R3 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\AmdTools.sys [8/22/2006 2:55 AM 31744]
R3 PRISM_USB;D-Link Air DWL-122 Wireless USB Adapter Driver;c:\windows\system32\drivers\PRISMUSB.sys [6/2/2006 7:39 PM 636416]
R3 xMrMINI;xMrMINI;c:\windows\system32\drivers\xMrMINI.sys [8/3/2009 3:52 PM 247808]
R3 xVGAMINI;xVGAMINI;c:\windows\system32\drivers\xVGAMINI.sys [8/3/2009 3:52 PM 253184]
R3 xVGAUSB;USB 2.0 VGA DEVICE-1;c:\windows\system32\drivers\xvgausb.sys [8/3/2009 3:53 PM 34944]
S2 gupdate1c997c7df809ca6;Google Update Service (gupdate1c997c7df809ca6);c:\program files\Google\Update\GoogleUpdate.exe [2/25/2009 11:08 PM 133104]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [6/9/2006 2:19 AM 223128]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/2/2006 11:49 PM 643072]
.
Contents of the 'Scheduled Tasks' folder

2010-07-11 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-06-21 18:11]

2010-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-26 04:08]

2010-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-26 04:08]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\HP_Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: trymedia.com
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\t445rp2p.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\t445rp2p.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOFFICE.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll

---- FIREFOX POLICIES ----
c:\progra~1\MOZILL~1\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\progra~1\MOZILL~1\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\progra~1\MOZILL~1\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\progra~1\MOZILL~1\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Aim6 - c:\program files\AIM6\aim6.exe
MSConfigStartUp-Camfrog - c:\program files\Camfrog\Camfrog Video Chat\CamfrogNet.exe
MSConfigStartUp-Gizmo Project - c:\program files\Gizmo Project\Gizmo.exe
MSConfigStartUp-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe
MSConfigStartUp-SiteAdvisor - c:\program files\SiteAdvisor\6261\SiteAdv.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-11 13:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-07-11 13:39:41
ComboFix-quarantined-files.txt 2010-07-11 18:39
ComboFix2.txt 2010-07-11 01:48

Pre-Run: 46,906,613,760 bytes free
Post-Run: 46,886,268,928 bytes free

- - End Of File - - E44D27E023662B2328C812353CC7A134


------------------------------------------------
DDS Log

DDS (Ver_10-03-17.01) - NTFSx86
Run by HP_Administrator at 13:42:58.70 on Sun 07/11/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1256 [GMT -5:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\program files\dvrmstoolbox\dvrmsfilewatcherservice.exe
C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [MCTCIDUtil] c:\windows\system32\MCTCIDUtil.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [D-Link Air USB Utility] c:\program files\d-link\air usb utility\AirCFG.exe
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\isuspm.exe" -scheduler
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [amd_dc_opt] "c:\program files\amd\amd_dc_opt\amd_dc_opt.exe"
mRun: [trutil0] c:\windows\system32\trutil01.exe
mRun: [PinnacleDriverCheck] c:\windows\system32\\PSDrvCheck.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\hp_administrator\start menu\programs\imvu\Run IMVU.lnk
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: trymedia.com
DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} - hxxp://zone.msn.com/bingame/trix/default/TriJinx.1.0.0.87.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} - hxxp://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} - hxxp://zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {64D01C7F-810D-446E-A07E-16C764235644} - hxxp://zone.msn.com/bingame/amad/default/atomaders.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://zone.msn.com/bingame/chnz/default/mjolauncher.cab
DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} - hxxp://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} - hxxp://cdn2.zone.msn.com/binframework/v10/ZAxRcMgr.cab31267.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} - hxxp://asp.mathxl.com/books/_Players/EconPlayer.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\t445rp2p.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\t445rp2p.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\google\google gears\firefox\lib\ff35\gears.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeploytk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npnul32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPOFFICE.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npRACtrl.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\progra~1\mozill~1\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\progra~1\mozill~1\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\progra~1\mozill~1\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\progra~1\mozill~1\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\progra~1\mozill~1\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\progra~1\mozill~1\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\progra~1\mozill~1\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R?2 WZCBDLService;WZCBDL Service;c:\program files\wzcbdl service\WZCBDLS.exe [2002-3-19 36864]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-7-6 64288]
R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-1-3 11608]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-1-3 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-1-3 151297]
R2 DVRMSFileWatcherService;DVRMSFileWatcherService;c:\program files\dvrmstoolbox\DVRMSFileWatcherService.exe [2006-6-2 32768]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-6-21 1352832]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 NIOC;NIOC Service;c:\windows\system32\NIOC.sys [2002-9-27 22912]
R2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [2008-1-23 23200]
R3 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\AmdTools.sys [2006-8-22 31744]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-1-3 52056]
R3 PRISM_USB;D-Link Air DWL-122 Wireless USB Adapter Driver;c:\windows\system32\drivers\PRISMUSB.sys [2006-6-2 636416]
R3 xMrMINI;xMrMINI;c:\windows\system32\drivers\xMrMINI.sys [2009-8-3 247808]
R3 xVGAMINI;xVGAMINI;c:\windows\system32\drivers\xVGAMINI.sys [2009-8-3 253184]
R3 xVGAUSB;USB 2.0 VGA DEVICE-1;c:\windows\system32\drivers\xvgausb.sys [2009-8-3 34944]
S2 gupdate1c997c7df809ca6;Google Update Service (gupdate1c997c7df809ca6);c:\program files\google\update\GoogleUpdate.exe [2009-2-25 133104]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2006-6-9 223128]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-07-11 17:28:46 0 d-----w- c:\program files\MSXML 6.0
2010-07-11 09:06:39 0 d-----w- c:\windows\ServicePackFiles
2010-07-11 09:05:53 0 d-----w- c:\windows\ie8updates
2010-07-11 03:44:51 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-07-11 03:44:51 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-07-11 03:44:50 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-07-11 03:44:49 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-07-11 03:44:49 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-07-11 03:44:48 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-07-11 03:44:46 11076096 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-07-11 03:22:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-11 03:22:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-11 03:22:20 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-11 01:18:44 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-11 01:13:55 0 d-sha-r- C:\cmdcons
2010-07-11 01:09:07 77312 ----a-w- c:\windows\MBR.exe
2010-07-11 01:09:06 98816 ----a-w- c:\windows\sed.exe
2010-07-11 01:09:06 256512 ----a-w- c:\windows\PEV.exe
2010-07-11 01:09:06 161792 ----a-w- c:\windows\SWREG.exe
2010-07-06 18:12:30 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-06 17:57:45 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-07-06 17:57:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-07-06 17:47:33 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{90FF8911-FC06-4E49-8959-C3CF1CA226BB}

==================== Find3M ====================

2010-06-17 21:22:10 8654 ----a-w- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\dllcache\wininet.dll
2010-05-06 10:41:52 611840 ----a-w- c:\windows\system32\dllcache\mstime.dll
2010-05-06 10:41:52 5950976 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2010-05-06 10:41:52 206848 ----a-w- c:\windows\system32\dllcache\occache.dll
2010-05-06 10:41:52 1209344 ----a-w- c:\windows\system32\dllcache\urlmon.dll
2010-05-06 10:41:51 25600 ----a-w- c:\windows\system32\dllcache\jsproxy.dll
2010-05-06 10:41:50 184320 ----a-w- c:\windows\system32\dllcache\iepeers.dll
2010-05-06 10:41:48 387584 ----a-w- c:\windows\system32\dllcache\iedkcs32.dll
2010-05-05 13:30:57 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2006-10-24 05:29:02 2199552 ----a-w- c:\program files\tb_triforce_1_6.dll
2006-10-24 05:11:06 3223552 ----a-w- c:\program files\tb_toad_1_2.dll
2006-10-24 04:38:10 4542464 ----a-w- c:\program files\tb_peach_1_2.dll
2001-09-10 15:00:26 139264 ----a-w- c:\windows\inf\i386\Rtscan.dll
2001-09-10 14:10:36 61440 ----a-w- c:\windows\inf\i386\onetUSD.dll
2001-08-18 00:43:24 32768 ----a-w- c:\windows\inf\i386\Wiamicro.dll
2001-08-04 00:29:18 13824 ----a-w- c:\windows\inf\i386\usbscan.sys
2001-06-29 14:10:24 163840 ----a-w- c:\windows\inf\i386\viceo.dll
2010-03-22 03:40:38 12208 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 13:43:11.20 ===============
IndiGenus
2010-07-12, 01:39
Looks like it did what we needed it to.

One more scan in order I think, unless there are any problems.

Go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.


Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases

Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

Also,
Download Security Check by screen317 from here (http://screen317.spywareinfoforum.org/SecurityCheck.exe) or here (http://screen317.changelog.fr/SecurityCheck.exe).
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.
RMIII
2010-07-12, 07:39
Just checking in to say that I started the scan a few minutes after you posted the directions for them, but it has taken a painstakingly long time, currently it's 79% and that's after about 4 hours - two of which were devoted to downloading updates I believe. I'm going to let it run overnight and should be able to post the logs in the morning, but from the afternoon of the 12th until the evening of the 14th I will be out of town.
RMIII
2010-07-12, 16:17
Well apparently Windows Update rebooted the computer sometime between now and my last post so I didn't get the log, and since the scan last time had taken about 7 hours before I decided to go to bed I cannot run it again until I return home in a couple of days, but whenever I return I'll start it up first thing.
IndiGenus
2010-07-12, 16:21
Okay no problem. We'll keep the thread open for you.
RMIII
2010-07-16, 09:25
Yikes, that was a commitment. The final scan time for the Kaspersky scanner was more than 300K files and almost 12 hours total. Here is that log, though. :)

Kaspersky Log
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, July 16, 2010
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, July 15, 2010 16:43:23
Records in database: 4223335
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
L:\
M:\
N:\

Scan statistics:
Objects scanned: 300941
Threats found: 20
Infected objects found: 22
Suspicious objects found: 0
Scan duration: 11:39:42


File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\43F6283A.wmf Infected: Trojan-Downloader.Win32.Agent.acd 1
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\49\3bbfbd71-7d48124c Infected: Trojan-Downloader.Java.Agent.y 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0147962.exe Infected: Trojan-Downloader.Win32.Agent.dilc 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0148008.exe Infected: Trojan-Downloader.Win32.Agent.doag 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0148051.exe Infected: Trojan-Downloader.Win32.Agent.cflj 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0148056.exe Infected: Trojan-Downloader.Win32.Agent.dobj 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0148078.exe Infected: Trojan-Downloader.Win32.Agent.dhbh 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0148097.exe Infected: Trojan-Downloader.Win32.Agent.eawr 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0148107.exe Infected: Trojan-Downloader.Win32.Agent.doag 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0148154.exe Infected: Trojan-Downloader.Win32.Agent.eacj 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0148186.exe Infected: Trojan-Downloader.Win32.Agent.eawo 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0148196.exe Infected: Trojan-Downloader.Win32.Agent.ddfc 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0148201.exe Infected: Trojan-Downloader.Win32.Agent.dilc 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0148213.exe Infected: Trojan-Downloader.Win32.Agent.czat 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0148222.exe Infected: Trojan-Downloader.Win32.Agent.dsyq 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0148229.exe Infected: Trojan-Downloader.Win32.Agent.bmad 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0148254.exe Infected: Trojan-Downloader.Win32.Agent.dkcc 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0148263.exe Infected: Trojan-Clicker.Win32.VBiframe.js 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0148277.exe Infected: Trojan-Downloader.Win32.Agent.dlqa 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0148298.exe Infected: Trojan-Downloader.Win32.Agent.dxrd 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0148304.exe Infected: Trojan-Downloader.Win32.Agent.eaus 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1347\A0149180.com Infected: Trojan-Dropper.Win32.Delf.fqn 1

Selected area has been scanned.

--------------------------------------------------

Ad-Aware AdWatch is currently telling me that SecurityCheck.exe is Trojan.Win32.Generic!BT - is it safe to run if I disable my antivirus program(s)?
IndiGenus
2010-07-16, 15:04
Ad-Aware AdWatch is currently telling me that SecurityCheck.exe is Trojan.Win32.Generic!BT - is it safe to run if I disable my antivirus program(s)?
Yes, that's a false positive. You shouldn't need to disable anything else. Just Adwatch. I'll get back to you on the items Kaspersky found.
IndiGenus
2010-07-16, 16:18
Uninstall Combofix

Click START then RUN
Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

The above procedure will:

Delete the following: ComboFix and its associated files and folders.
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

++++++++++++++++++++++++++

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "Java Runtime Environment (JRE) 6u20 allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version.


On this one, it looks like you had Norton AV at one time?

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\43F6283A.wmf Infected: Trojan-Downloader.Win32.Agent.acd 1

You can delete the folder:

C:\Documents and Settings\All Users\Application Data\Symantec

Once you post the security check log we'll see if there's anything else that needs doing.
RMIII
2010-07-16, 19:13
ComboFix is now gone, Java has been updated, and the Symantec folder has been deleted. A long LONG time ago I had a Norton AV/PC Suite program but I uninstalled it when my subscription ran out. I found it weird that it STILL showed up as "Firewall" in those early reports I posted.

Security Check Log
Results of screen317's Security Check version 0.99.4
Windows XP Service Pack 2
Out of date service pack!! (http://windows.microsoft.com/en-us/windows/help/learn-how-to-install-windows-xp-service-pack-3-sp3)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
Avira AntiVir Personal - Free Antivirus
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:
Ad-Aware
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java(TM) 6 Update 21
Out of date Java installed!
Adobe Flash Player 9 (Out of date Flash Player installed!)
Adobe Flash Player 10.0.42.34
Adobe Reader 7.0
Out of date Adobe Reader installed!
Mozilla Firefox (3.5.10) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent
Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
````````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````


Look like a lot of red, but I JUST updated Java?
IndiGenus
2010-07-16, 20:46
Yes, Java is up to date, must be a bug.

The rest do need updating. Let me know if you need help with that.

So you do not have any Norton products on here any more? If so you should probably run the removal tool.

http://service1.symantec.com/support/tsgeninfo.nsf/docid/2005033108162039

Let me know how you make out and if you have any other questions.
RMIII
2010-07-17, 00:21
Yes, Java is up to date, must be a bug.

The rest do need updating. Let me know if you need help with that.

So you do not have any Norton products on here any more? If so you should probably run the removal tool.

http://service1.symantec.com/support/tsgeninfo.nsf/docid/2005033108162039

Let me know how you make out and if you have any other questions.

I skipped over the Java thing since that appears to be a blip, but I have upgraded to Service Pack 3 and updated Adobe Reader and FireFox to the newest editions.

I noticed on the Flash Player thing, though, that both 9 AND 10 show up in that list, and 10 is the newest I believe, so would it be safe to uninstall Version 9?

Also in regards to the Symantec program - I purchased this computer back in 2006 and Norton was the first antivirus I had... I honestly have NO idea what the exact version/suite I bought was called.
IndiGenus
2010-07-17, 01:35
I noticed on the Flash Player thing, though, that both 9 AND 10 show up in that list, and 10 is the newest I believe, so would it be safe to uninstall Version 9?Yes, you can remove 9.


Also in regards to the Symantec program - I purchased this computer back in 2006 and Norton was the first antivirus I had... I honestly have NO idea what the exact version/suite I bought was called.

Probably you would use this one:

http://www.symantec.com/norton/support/kb/web_view.jsp?wv_type=public_web&docurl=20080828154508EN
RMIII
2010-07-17, 02:03
Alright, Flash Version 9 has been uninstalled and I've run the Symantec Removal Tool. :)
IndiGenus
2010-07-17, 02:08
Good enough. Just some final words of "wisdom" then.

Now that you are clean please take some time to read through TonyKlein's So how did I get infected in the first place? (http://forums.spybot.info/showthread.php?t=279)
RMIII
2010-07-17, 05:29
Good enough. Just some final words of "wisdom" then.

Now that you are clean please take some time to read through TonyKlein's So how did I get infected in the first place? (http://forums.spybot.info/showthread.php?t=279)

Will do, thank you so much for all your help! I'm going over to the Donate page right now. ;)

Cheers,
- RM3
IndiGenus
2010-07-17, 05:41
:bigthumb::bigthumb: