
Vundo(?)


  • This topic is locked
93 replies to this topic

#1 killvundo

Posted 01 December 2009 - 09:35 AM

I am having trouble removing Vundo(?) from my Dad's computer. He was getting pop-ups and blank black/gray pages when attempting to load some (non security related) websites in Firefox. When I tried to update Malwarebytes Anti-Malware I got an error when attempting to launch the program/update the database. I uninstalled the program, downloaded and attempted to install it again, and saw that the malware was deleting mbam.exe. I then found and was able to install a randomly named Anti-Malware file, which found and removed several Vundo files. Upon restarting the computer and scanning with HijackThis, I found some randomly named .dlls, one of which (keyemate.dll) could not be removed, even in safe mode with the modem turned off. After leaving the problem for a week, I tried to run Malwarebytes Anti-Malware again and got an error. I uninstalled and tried to re-install with a new randomly named file and got another error, in safe mode as well as the regular logon. I then used Vundo Fix and VirtumondoBegone, with neither finding any infected files. I downloaded all four versions of rkill, with none being able to run successfully. Here is his latest HijackThis log. I am looking forward to your help.
Thank you.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:04:36 PM, on 11/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\AOL\1183605601\ee\AOLSoftware.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\twain_32\SiPix\SC-3300\USBPNP.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
c:\program files\common files\aol\1183605601\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1183605601\ee\aolsoftware.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccUpdUI.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AOL 9.1\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Trend Micro\HijackThis\fhiehf.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AOL Toolbar Loader - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL Toolbar\aoltb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL Toolbar\aoltb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1183605601\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Nitro PDF Printer Monitor] "C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SC3300CC] C:\WINDOWS\twain_32\SiPix\SC-3300\SC3300CC.exe
O4 - HKLM\..\Run: [USBPNP] C:\WINDOWS\twain_32\SiPix\SC-3300\USBPNP.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\MWBAMW\h8haR20C6.exe" /runcleanupscript
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1208112130030
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: keyemate.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BCL easyPDF SDK 5 Loader (bepldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\NitroPDF5\bepldr.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://www.eset.com/images/page_bg.jpg

--
End of file - 10486 bytes


#2 Elise

Posted 14 December 2009 - 04:16 PM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results. Post both logs (no need to zip attach.txt).
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)
  • GMER log


Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#3 Elise

Posted 19 December 2009 - 03:35 AM

Due to lack of feedback, this topic is now closed.

If you are the original topic starter and you need this topic to be re-opened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise




#4 Elise


Posted 19 December 2009 - 08:16 AM

Re-opened upon user's request.

Please post your logs. Note - please do NOT attach any logs, just paste them in the reply box, thanks.

regards, Elise




#5 killvundo


Posted 19 December 2009 - 08:58 AM

Hello elise025, thank you for reopening the thread.
Since my first post my dad was able to install MBAM and run a scan, which found several randomly named .dll files listed as Trojan.Vundo.H, as well as RD2010.exe, listed as Rogue.RegDefender. I am not sure whether these were deleted. He emailed me the log file which says no action was taken for any of the files, but I had him run another scan which showed no malware. His computer apparently has not been showing any signs of a problem recently, other than being generally much slower than it should be, as it has been since before these latest issues. I had him run DDS and I have his logs, but he was having problems running GMER. First, running it on his regular login, it scanned for a few minutes, then there was some error that caused the computer to reboot. I had him boot in safe mode and scan, it ran for several minutes again, then he told me that it seemed to be done, at which point the computer restarted again on its own. I had him try once more on his regular login, and this time the scan was running much longer without any problem, but he had to go to bed before it finished. I will post his DDS logs now, and if the GMER scan finished without issue I will get that log from him and post it later today. Thank you for your help.


DDS (Ver_09-12-01.01) - NTFSx86
Run by HP_Owner at 19:12:43.48 on Wed 12/16/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1015.544 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Trend Micro PC-cillin Internet Security 2007 *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\AOL\1183605601\ee\AOLSoftware.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\twain_32\SiPix\SC-3300\USBPNP.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
c:\program files\common files\aol\1183605601\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1183605601\ee\aolsoftware.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\HP_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uStart Page = about:blank
mDefault_Page_URL = hxxp://www.yahoo.com/
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AOL Toolbar Loader: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol toolbar\aoltb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol toolbar\aoltb.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Acme.PCHButton] c:\progra~1\helpan~1\hpq\xpxwwpp5\plugin\bin\PCHButton.exe
uRun: [AOL Fast Start] "c:\program files\aol 9.1\AOL.EXE" -b
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [OE] "c:\program files\trend micro\internet security 2007\tmas_oe\TMAS_OEMon.exe"
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [HostManager] c:\program files\common files\aol\1183605601\ee\AOLSoftware.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Pure Networks Port Magic] "c:\progra~1\purene~1\portma~1\PortAOL.exe" -Run
mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
mRun: [Nitro PDF Printer Monitor] "c:\program files\nitro pdf\professional\NitroPDFPrinterMonitor.exe"
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SC3300CC] c:\windows\twain_32\sipix\sc-3300\SC3300CC.exe
mRun: [USBPNP] c:\windows\twain_32\sipix\sc-3300\USBPNP.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 2007\pccguide.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\309731\program\Updates from HP.exe
IE: &AOL Toolbar Search - c:\documents and settings\all users\application data\aol\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: microsoft.com\www.update
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208112130030
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: keyemate.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli newubogo.dll linupage.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_owner\applic~1\mozilla\firefox\profiles\uas34qxm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://aolsearch.aol.com/aol/search?invocationType=client_searchbox&query=
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 9666
FF - prefs.js: network.proxy.socks - localhost
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 9666
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\hp_owner\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-9 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-9 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-9 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-12-9 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-9 297752]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-8-16 31248]
S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2006-8-25 503808]
S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2006-8-24 561220]
S3 bepldr;BCL easyPDF SDK 5 Loader;c:\program files\common files\bcl technologies\nitropdf5\bepldr.exe [2008-2-11 151552]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\hp_owner\locals~1\temp\pchc_1_1\anti-virus\fsgk.sys --> c:\docume~1\hp_owner\locals~1\temp\pchc_1_1\anti-virus\fsgk.sys [?]
S4 vsdatant;vsdatant; [x]

=============== Created Last 30 ================

2009-12-13 19:55:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-13 19:54:59 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-13 19:54:59 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-30 02:39:19 0 d-----w- C:\VundoFix Backups
2009-11-30 02:31:07 0 d--h--w- c:\windows\PIF
2009-11-27 08:34:45 0 ----a-w- c:\windows\system32\disesobe
2009-11-23 03:49:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Trend Micro

==================== Find3M ====================

2005-05-18 16:34:35 10135688 -c--a-w- c:\program files\MPSetupXP.exe
2005-02-07 01:42:25 4918270 ----a-w- c:\program files\Firefox Setup 1.0.exe
2005-02-07 00:29:30 1775104 -c--a-w- c:\program files\epson10002.exe
2005-02-07 00:19:45 4322816 -c--a-w- c:\program files\epson10001.exe
2005-02-06 22:50:16 9228440 -c--a-w- c:\program files\spf.exe
2005-02-06 22:07:00 8680872 -c--a-w- c:\program files\setupeng.exe
2005-02-06 21:33:04 2636408 -c--a-w- c:\program files\aawsepersonal.exe
2005-02-04 21:53:52 0 -csha-w- c:\windows\sminst\HPCD.sys

============= FINISH: 19:13:17.20 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 7/4/2007 6:11:48 PM
System Uptime: 12/13/2009 4:32:47 PM (75 hours ago)

Motherboard: ASUSTeK Computer INC. | | Grouper
Processor: Intel® Pentium® 4 CPU 2.80GHz | CPU 1 | 2800/200mhz
Processor: Intel® Pentium® 4 CPU 2.80GHz | CPU 1 | 2800/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 142 GiB total, 112.812 GiB free.
D: is FIXED (FAT32) - 7 GiB total, 1.95 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP96: 9/15/2009 3:01:05 AM - Software Distribution Service 3.0
RP97: 9/16/2009 3:01:46 AM - Software Distribution Service 3.0
RP98: 9/17/2009 3:02:49 AM - Software Distribution Service 3.0
RP99: 9/18/2009 3:02:56 AM - Software Distribution Service 3.0
RP100: 9/19/2009 3:01:45 AM - Software Distribution Service 3.0
RP101: 9/19/2009 5:16:26 PM - Software Distribution Service 3.0
RP102: 9/20/2009 3:02:19 AM - Software Distribution Service 3.0
RP103: 9/21/2009 5:15:35 AM - System Checkpoint
RP104: 9/23/2009 5:17:57 AM - System Checkpoint
RP105: 9/24/2009 6:32:36 PM - System Checkpoint
RP106: 9/26/2009 7:16:06 PM - Software Distribution Service 3.0
RP107: 9/27/2009 3:02:06 AM - Software Distribution Service 3.0
RP108: 9/28/2009 3:01:39 AM - Software Distribution Service 3.0
RP109: 9/29/2009 3:01:03 AM - Software Distribution Service 3.0
RP110: 9/30/2009 3:02:20 AM - Software Distribution Service 3.0
RP111: 10/1/2009 3:03:08 AM - Software Distribution Service 3.0
RP112: 10/2/2009 3:04:05 AM - Software Distribution Service 3.0
RP113: 10/3/2009 3:02:08 AM - Software Distribution Service 3.0
RP114: 10/4/2009 3:02:42 AM - Software Distribution Service 3.0
RP115: 10/6/2009 3:01:03 AM - Software Distribution Service 3.0
RP116: 10/6/2009 9:47:05 AM - Avg8 Update
RP117: 10/6/2009 9:50:19 AM - Avg8 Update
RP118: 10/7/2009 3:06:50 AM - Software Distribution Service 3.0
RP119: 10/7/2009 8:13:53 AM - Avg8 Update
RP120: 10/8/2009 3:10:49 AM - Software Distribution Service 3.0
RP121: 10/9/2009 3:07:51 AM - Software Distribution Service 3.0
RP122: 10/11/2009 3:04:19 AM - Software Distribution Service 3.0
RP123: 10/12/2009 3:01:43 AM - Software Distribution Service 3.0
RP124: 10/13/2009 3:01:49 AM - Software Distribution Service 3.0
RP125: 10/15/2009 3:02:34 AM - Software Distribution Service 3.0
RP126: 10/16/2009 3:02:24 AM - Software Distribution Service 3.0
RP127: 10/16/2009 8:48:54 PM - Software Distribution Service 3.0
RP128: 10/17/2009 3:01:24 AM - Software Distribution Service 3.0
RP129: 10/17/2009 8:01:54 AM - Avg8 Update
RP130: 10/18/2009 3:04:24 AM - Software Distribution Service 3.0
RP131: 10/19/2009 3:02:04 AM - Software Distribution Service 3.0
RP132: 10/20/2009 3:02:10 AM - Software Distribution Service 3.0
RP133: 10/21/2009 3:03:18 AM - Software Distribution Service 3.0
RP134: 10/21/2009 8:01:33 AM - Avg8 Update
RP135: 10/22/2009 3:06:05 AM - Software Distribution Service 3.0
RP136: 10/23/2009 3:02:40 AM - Software Distribution Service 3.0
RP137: 10/24/2009 3:02:50 AM - Software Distribution Service 3.0
RP138: 10/25/2009 3:01:19 AM - Software Distribution Service 3.0
RP139: 10/26/2009 3:04:02 AM - Software Distribution Service 3.0
RP140: 10/27/2009 3:02:15 AM - Software Distribution Service 3.0
RP141: 10/28/2009 3:02:06 AM - Software Distribution Service 3.0
RP142: 10/29/2009 10:55:39 AM - System Checkpoint
RP143: 10/31/2009 11:06:08 AM - System Checkpoint
RP144: 11/1/2009 5:45:58 PM - System Checkpoint
RP145: 11/2/2009 10:29:17 AM - Avg8 Update
RP146: 11/3/2009 2:11:17 PM - System Checkpoint
RP147: 11/6/2009 6:12:06 AM - System Checkpoint
RP148: 11/6/2009 10:43:41 AM - Avg8 Update
RP149: 11/6/2009 4:59:35 PM - Software Distribution Service 3.0
RP150: 11/6/2009 5:26:33 PM - Restore Operation
RP151: 11/6/2009 5:32:33 PM - Restore Operation
RP152: 11/6/2009 5:44:29 PM - Restore Operation
RP153: 11/6/2009 5:46:27 PM - 10/30/2009
RP154: 11/6/2009 5:52:23 PM - Restore Operation
RP155: 11/6/2009 6:00:11 PM - Restore Operation
RP156: 11/6/2009 6:08:23 PM - Software Distribution Service 3.0
RP157: 11/7/2009 4:01:58 AM - Software Distribution Service 3.0
RP158: 11/8/2009 10:21:14 AM - System Checkpoint
RP159: 11/9/2009 7:06:50 PM - System Checkpoint
RP160: 11/9/2009 8:15:56 PM - Restore Operation
RP161: 11/9/2009 9:11:06 PM - Restore Operation
RP162: 11/10/2009 4:39:47 AM - Restore Operation
RP163: 11/10/2009 4:44:20 AM - Restore Operation
RP164: 11/10/2009 4:48:42 AM - Restore Operation
RP165: 11/10/2009 4:52:59 AM - Restore Operation
RP166: 11/10/2009 5:50:11 AM - Restore Operation
RP167: 11/10/2009 3:32:05 PM - Restore Operation
RP168: 11/10/2009 3:38:03 PM - Restore Operation
RP169: 11/12/2009 6:24:11 AM - System Checkpoint
RP170: 11/14/2009 1:02:50 PM - System Checkpoint
RP171: 11/16/2009 11:37:09 AM - System Checkpoint
RP172: 11/22/2009 10:40:55 AM - System Checkpoint
RP173: 11/22/2009 7:49:40 PM - Installed TMASOEDL
RP174: 11/22/2009 7:50:18 PM - Installed TMASOLDL
RP175: 11/22/2009 7:50:47 PM - Installed Trend Micro PC-cillin Internet Security 2007
RP176: 11/25/2009 7:55:01 AM - System Checkpoint
RP177: 11/26/2009 9:33:54 AM - Avg8 Update
RP178: 11/27/2009 11:54:00 AM - System Checkpoint
RP179: 11/28/2009 12:35:54 PM - System Checkpoint
RP180: 11/29/2009 1:11:55 PM - System Checkpoint
RP181: 12/1/2009 6:02:37 AM - System Checkpoint
RP182: 12/2/2009 10:21:48 AM - System Checkpoint
RP183: 12/3/2009 1:52:23 PM - System Checkpoint
RP184: 12/5/2009 4:41:05 AM - System Checkpoint
RP185: 12/6/2009 5:17:33 AM - System Checkpoint
RP186: 12/7/2009 6:31:37 AM - System Checkpoint
RP187: 12/8/2009 8:07:22 AM - System Checkpoint
RP188: 12/9/2009 9:41:44 AM - Avg8 Update
RP189: 12/10/2009 2:03:53 PM - System Checkpoint
RP190: 12/11/2009 9:40:36 AM - Avg8 Update
RP191: 12/11/2009 9:43:06 AM - Avg8 Update
RP192: 12/12/2009 1:51:49 PM - System Checkpoint
RP193: 12/13/2009 6:20:56 PM - System Checkpoint

==== Installed Programs ======================


Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0
Agere Systems PCI Soft Modem
AiO_Scan
AiOSoftware
AOL (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Toolbar
AOL Uninstaller (Choose which Products to Remove)
AOL You've Got Pictures Screensaver
Apple Mobile Device Support
Apple Software Update
AVG Free 8.5
Bonjour
BufferChm
CameraDrivers
Copy
CreativeProjects
CreativeProjectsTemplates
Critical Update for Windows Media Player 11 (KB959772)
CueTour
Destinations
Director
DocProc
DocumentViewer
Download Updater (AOL LLC)
Easy Internet Sign-up
EPSON Printer Software
ESET Online Scanner
ESET Online Scanner v3
Fax
ffdshow [rev 2527] [2008-12-19]
Haali Media Splitter
Help and Support Additions
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB970653-v3)
HP Deskjet Preloaded Printer Drivers
HP Diagnostic Assistant
HP Image Zone 4.2.3
HP Image Zone Plus 4.2.3
HP Organize
HP Photosmart Cameras 4.0
HP PSC & OfficeJet 4.0
HP Software Update
HPIZ423
HpSdpAppCoreApp
InstantShare
Intel® Graphics Media Accelerator Driver
InterVideo DiscLabel
InterVideo WinDVD Creator
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 15
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
KBD
Learn2 Player (Uninstall Only)
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Works
Move Media Player
Mozilla Firefox (3.5.6)
MSN
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 3.5 magicMoments - HPD
MyDSC2
Nitro PDF Professional
Norton Personal Firewall
OpenOffice.org Installer 1.0
PC-Doctor for Windows
PhotoGallery
Photosmart 320,370,7400,8100,8400 Series
PrintScreen
PS2
PSPrinters06
Pure Networks Port Magic
Python 2.2 combined Win32 extensions
Python 2.2.1
QFolder
QuickProjects
QuickTime
Readme
RealPlayer Basic
SC-3300
Scan
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB941569)
SkinsHP1
Sonic Express Labeler
Sonic RecordNow!
Sonic Update Manager
Sygate Personal Firewall
TaxCut Standard + Efile 2008
TrayApp
Trend Micro PC-cillin Internet Security 2007
Ulead Photo Explorer 8.0 SE Basic
Unload
Updates from HP
URGE
Viewpoint Media Player
Vivitar Experience Image Manager
VLC media player 0.9.4
WebFldrs XP
WebReg
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Hotfix - KB883667
WinWay Resume - Express Edition
XoftSpySE
Yahoo! Messenger

==== End Of File ===========================

#6 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,821 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:01:57 PM

Posted 19 December 2009 - 09:18 AM

Hello killvundo,

Indeed, a few Vundo leftovers in the logs, but we should be able to get rid of them :( If you are able to complete the GMER scan, post the results; otherwise, just let me know.

TWO ANTIVIRUS PROGRAMS
---------------------------------------
I do not recommend that you have more than one antivirus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
  • False Alarms: When the antivirus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore, please go to Add/Remove in the Control Panel and remove either AVG or Trend Micro. In this case I recommend removing AVG, since it's an outdated version anyway.


COMBOFIX
---------------
Please download ComboFix from one of these locations: Bleepingcomputer
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on kittyfix.exe and follow the prompts.
    You will get a big disclaimer about Combofix still being in beta version; just continue there.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#7 killvundo

  • Topic Starter
  • Members
  • 45 posts
  • OFFLINE
  • Local time:02:57 AM

Posted 20 December 2009 - 02:04 AM

Apparently the last scan failed as well. When my dad checked on the computer this morning GMER was not open and he also did not see the icon on his desktop anymore. I will be going to his house tomorrow and will try to run it myself, as well as ComboFix. Hopefully I will have the log(s) for you tomorrow night. My dad also decided on his own to uninstall the Trend Micro antivirus yesterday. When we are through with this problem I will make sure that AVG gets updated.

#8 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,821 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:01:57 PM

Posted 20 December 2009 - 02:54 AM

Okay, that's no problem :(

Make sure to upgrade to AVG 9.

If GMER still is causing trouble, try to run it with the Devices box unchecked.

I will wait for your logs.

regards, Elise


#9 killvundo

  • Topic Starter
  • Members
  • 45 posts
  • OFFLINE
  • Local time:02:57 AM

Posted 21 December 2009 - 12:23 AM

Alright, I downloaded a new GMER file and the scan ran fine this time. Here is the log from that, as well as the ComboFix log.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-20 14:10:16
Windows 5.1.2600 Service Pack 2
Running: hxtbim35.exe; Driver: C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\uxlyqfow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xA9DB8B30]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwCreateThread [0xA9DB86F0]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xA9DB8470]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwProtectVirtualMemory [0xA9DB8C50]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwShutdownSystem [0xA9DB8990]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwTerminateProcess [0xA9DB88D0]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwWriteVirtualMemory [0xA9DB8D60]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F7240C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F7240BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F7240B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F72408E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F72408E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F7240BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F7240C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F7240B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F7240B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F72408E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F7240BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F7240C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F72408E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F7240C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F7240BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F7240B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F7240C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F72408E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F7240BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F7240B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F72408E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F7240BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F7240C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [F7240C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [F7240BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [F7240B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [F72408E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F72408E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F7240B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F7240C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F7240BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\psapi.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\psapi.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\secur32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1396] @ C:\WINDOWS\system32\secur32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----


ComboFix 09-12-18.03 - HP_Owner 12/20/2009 14:47:53.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1015.530 [GMT -8:00]
Running from: c:\documents and settings\HP_Owner\Desktop\KittyFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\HP_Owner\LOCALS~1\Temp\1.wmv
c:\docume~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\All Users\Application Data\91873586.ini
c:\documents and settings\HP_Owner\Local Settings\Application Data\ujen.bat
c:\documents and settings\HP_Owner\Local Settings\Temp\IadHide5.dll
C:\LOG.TXT
c:\windows\helemuqofe.exe
c:\windows\puzily.vbs
c:\windows\system32\nyxosewawe.exe
c:\windows\system32\ps2.bat
c:\windows\system32\voxyxupure.inf
c:\windows\Tasks\jpkqenwn.job
c:\windows\Tasks\lczyupzn.job
c:\windows\Tasks\plhtwdhu.job
c:\windows\Tasks\pvelhwjr.job
c:\windows\viassary-hp.reg

.
((((((((((((((((((((((((( Files Created from 2009-11-20 to 2009-12-20 )))))))))))))))))))))))))))))))
.

2009-11-23 03:49 . 2009-12-19 15:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-14 00:30 . 2009-10-31 00:21 -------- d-----w- c:\program files\Angle Interactive
2009-12-13 19:55 . 2009-12-13 19:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-04 00:14 . 2009-12-13 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-04 00:13 . 2009-12-13 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-30 13:57 . 2008-12-10 03:27 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-11-30 02:00 . 2009-11-16 02:08 -------- d-----w- c:\program files\MWBAMW
2009-11-26 17:30 . 2009-12-11 17:43 2063640 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-11-26 17:30 . 2009-12-11 17:43 3514648 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-11-26 17:30 . 2009-12-11 17:43 2029336 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-11-25 08:25 . 2007-03-03 14:56 -------- d-----w- c:\program files\IEpal
2009-11-23 03:49 . 2007-05-24 05:30 -------- d-----w- c:\program files\Trend Micro
2009-11-21 03:29 . 2008-10-15 22:43 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\vlc
2009-11-16 07:05 . 2007-01-09 17:57 -------- d-----w- c:\program files\NoAdware5.0
2009-11-16 04:18 . 2009-11-16 04:18 -------- d-----w- c:\program files\ESET
2009-11-16 04:06 . 2006-12-31 22:23 -------- d-----w- c:\program files\hjt
2005-05-18 16:34 . 2005-05-18 16:34 10135688 -c--a-w- c:\program files\MPSetupXP.exe
2005-02-07 01:42 . 2005-02-07 01:42 4918270 ----a-w- c:\program files\Firefox Setup 1.0.exe
2005-02-07 00:29 . 2005-02-07 00:29 1775104 -c--a-w- c:\program files\epson10002.exe
2005-02-07 00:19 . 2005-02-07 00:19 4322816 -c--a-w- c:\program files\epson10001.exe
2005-02-06 22:50 . 2005-02-06 22:50 9228440 -c--a-w- c:\program files\spf.exe
2005-02-06 22:07 . 2005-02-06 22:07 8680872 -c--a-w- c:\program files\setupeng.exe
2005-02-06 21:33 . 2005-02-06 21:33 2636408 -c--a-w- c:\program files\aawsepersonal.exe
2005-02-04 21:53 . 2005-02-04 22:53 0 -csha-w- c:\windows\SMINST\HPCD.sys
.

------- Sigcheck -------

[-] 2009-02-08 . EFE8EACE83EAAD5849A7A548FB75B584 . 2189184 . . [5.1.2600.5755] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\ntoskrnl.exe
[-] 2009-02-06 . FACEBB0CA3154F77009CDFEE78A00BBB . 2180480 . . [5.1.2600.3520] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\ntoskrnl.exe
[-] 2009-02-06 . 7A95B10A73737EBF24139AAA63F5212B . 2189056 . . [5.1.2600.5755] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\ntoskrnl.exe
[-] 2009-02-06 . 6A936E9D7BADAF3CAAEED1E1966EC1B0 . 2186112 . . [5.1.2600.3520] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\ntoskrnl.exe
[-] 2008-08-15 . 31914172342BFF330063F343AC6958FE . 2189184 . . [5.1.2600.5657] . . c:\windows\SoftwareDistribution\Download\e76b316b6389286fbb342d033e63f1ba\SP3QFE\ntoskrnl.exe
[-] 2008-08-14 . EEAF32F8E15A24F62BECB1BD403BB5C5 . 2189184 . . [5.1.2600.5657] . . c:\windows\SoftwareDistribution\Download\e76b316b6389286fbb342d033e63f1ba\SP3GDR\ntoskrnl.exe
[-] 2008-08-14 . 21C91DA9CB53AA8A37041BA9684A8458 . 2180352 . . [5.1.2600.3427] . . c:\windows\SoftwareDistribution\Download\e76b316b6389286fbb342d033e63f1ba\SP2GDR\ntoskrnl.exe
[-] 2008-08-14 . CE69DBD54221F2D40E49FF6DB77C6507 . 2185984 . . [5.1.2600.3427] . . c:\windows\SoftwareDistribution\Download\e76b316b6389286fbb342d033e63f1ba\SP2QFE\ntoskrnl.exe
[-] 2007-02-28 . 5A5C8DB4AA962C714C8371FBDF189FC9 . 2182144 . . [5.1.2600.3093] . . c:\windows\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\SP2QFE\ntoskrnl.exe
[-] 2007-02-28 . 582A8DBAA58C3B1F176EB2817DAEE77C . 2180352 . . [5.1.2600.3093] . . c:\windows\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\SP2GDR\ntoskrnl.exe
[-] 2005-03-02 . 28187802B7C368C0D3AEF7D4C382AABB . 2179456 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
[-] 2005-03-02 . 4D4CF2C14550A4B7718E94A6E581856E . 2179328 . . [5.1.2600.2622] . . c:\windows\Driver Cache\i386\ntoskrnl.exe
[-] 2005-03-02 . 48B3E89AF7074CEE0314A3E0C7FAFFDB . 2135552 . . [5.1.2600.2622] . . c:\windows\system32\ntoskrnl.exe
[7] 2004-08-04 . CE218BC7088681FAA06633E218596CA7 . 2180992 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\ntoskrnl.exe
[7] 2004-08-04 . 626309040459C3915997EF98EC1C8D40 . 2148352 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\ntoskrnl.exe

[-] 2009-02-08 . 5BA7F2141BC6DB06100D0E5A732C617A . 2066048 . . [5.1.2600.5755] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\ntkrnlpa.exe
[-] 2009-02-06 . 3006410E24772CC6953F0B5C01BEB35F . 2057728 . . [5.1.2600.3520] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\ntkrnlpa.exe
[-] 2009-02-06 . 607352B9CB3D708C67F6039097801B5A . 2066176 . . [5.1.2600.5755] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\ntkrnlpa.exe
[-] 2009-02-06 . 9D832AF3FD1917DB0E1E8B2F000A2E3A . 2062976 . . [5.1.2600.3520] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\ntkrnlpa.exe
[-] 2008-08-14 . A25E9B86EFFB2AF33BF51E676B68BFB0 . 2066048 . . [5.1.2600.5657] . . c:\windows\SoftwareDistribution\Download\e76b316b6389286fbb342d033e63f1ba\SP3QFE\ntkrnlpa.exe
[-] 2008-08-14 . 4AC58F03EB94A72809949D757FC39D80 . 2066048 . . [5.1.2600.5657] . . c:\windows\SoftwareDistribution\Download\e76b316b6389286fbb342d033e63f1ba\SP3GDR\ntkrnlpa.exe
[-] 2008-08-14 . BA002228743B6824D87F0551DBC86D45 . 2057728 . . [5.1.2600.3427] . . c:\windows\SoftwareDistribution\Download\e76b316b6389286fbb342d033e63f1ba\SP2GDR\ntkrnlpa.exe
[-] 2008-08-14 . 63EC865DFF6CCFC7BEF94B5C50297CAD . 2062976 . . [5.1.2600.3427] . . c:\windows\SoftwareDistribution\Download\e76b316b6389286fbb342d033e63f1ba\SP2QFE\ntkrnlpa.exe
[-] 2007-02-28 . 515D30E2C90A3665A2739309334C9283 . 2057600 . . [5.1.2600.3093] . . c:\windows\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\SP2GDR\ntkrnlpa.exe
[-] 2007-02-28 . 4D3DBDCCBF97F5BA1E74F322B155C3BA . 2059392 . . [5.1.2600.3093] . . c:\windows\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\SP2QFE\ntkrnlpa.exe
[-] 2005-03-02 . D8ABA3EAB509627E707A3B14F00FBB6B . 2056832 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
[-] 2005-03-02 . 3CD941E472DDF3534E53038535719771 . 2015232 . . [5.1.2600.2622] . . c:\windows\system32\ntkrnlpa.exe
[-] 2005-03-02 . 81013F36B21C7F72CF784CC6731E0002 . 2056832 . . [5.1.2600.2622] . . c:\windows\Driver Cache\i386\ntkrnlpa.exe
[7] 2004-08-04 . 947FB1D86D14AFCFFDB54BF837EC25D0 . 2056832 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\ntkrnlpa.exe
[7] 2004-08-04 . FB142B7007CA2EEA76966C6C5CC12150 . 2015232 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acme.PCHButton"="c:\progra~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\PCHButton.exe" [2004-10-22 159744]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-21 118784]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-08 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-08 659456]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-30 88363]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"SoundMan"="SOUNDMAN.EXE" [2004-07-29 77824]
"AlcWzrd"="ALCWZRD.EXE" [2005-04-07 2805248]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 253952]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"HostManager"="c:\program files\Common Files\AOL\1183605601\ee\AOLSoftware.exe" [2008-06-24 41824]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-08-24 99480]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-16 2577632]
"Nitro PDF Printer Monitor"="c:\program files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe" [2008-05-06 210224]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2008-07-17 26112]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-11 2043160]
"SC3300CC"="c:\windows\twain_32\SiPix\SC-3300\SC3300CC.exe" [2002-08-16 139264]
"USBPNP"="c:\windows\twain_32\SiPix\SC-3300\USBPNP.exe" [2002-05-15 45056]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

c:\documents and settings\Administrator.LONEWOL555\Start Menu\Programs\Startup\
HP Organize.lnk - c:\program files\Hewlett-Packard\HP Organize\bin\displayAgent.exe [2004-10-21 36864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-2-26 108544]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-26 15:52 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-08 03:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\AOL\\1183605601\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\AOL\\1183605601\\ee\\anotify.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/9/2008 7:28 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/9/2008 7:28 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [12/9/2008 7:27 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/9/2008 7:27 PM 297752]
S3 bepldr;BCL easyPDF SDK 5 Loader;c:\program files\Common Files\BCL Technologies\NitroPDF5\bepldr.exe [2/11/2008 10:58 AM 151552]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\HP_Owner\LOCALS~1\Temp\PCHC_1_1\Anti-Virus\fsgk.sys --> c:\docume~1\HP_Owner\LOCALS~1\Temp\PCHC_1_1\Anti-Virus\fsgk.sys [?]
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uStart Page = about:blank
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: microsoft.com\www.update
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\uas34qxm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://aolsearch.aol.com/aol/search?invocationType=client_searchbox&query=
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 9666
FF - prefs.js: network.proxy.socks - localhost
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 9666
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\HP_Owner\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
.
- - - - ORPHANS REMOVED - - - -

AddRemove-AOL Toolbar 5.0 - c:\program files\AOL\AOL Toolbar 5.0\uninstall.exe
AddRemove-EsetOnlineScanner - c:\windows\system32\OnlineScannerUninstaller.exe
AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-20 15:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\vsdatant]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3356)
c:\docume~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\SSSensor.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Sygate\SPF\smc.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\wanmpsvc.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\AGRSMMSG.exe
c:\windows\SOUNDMAN.EXE
c:\windows\ALCWZRD.EXE
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqtra08.exe
c:\program files\Updates from HP\309731\Program\Updates from HP.exe
c:\program files\common files\aol\1183605601\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
.
**************************************************************************
.
Completion time: 2009-12-20 15:15:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-20 23:15
ComboFix2.txt 2009-01-20 22:25

Pre-Run: 121,096,110,080 bytes free
Post-Run: 121,793,093,632 bytes free

- - End Of File - - B82735230B8D319F96993C527F806B22

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,821 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:01:57 PM

Posted 21 December 2009 - 02:36 AM

Hello killvundo,

Your ComboFix log indicates it was run twice. Can you please post the first log as well? You can find it at c:\qoobox\combofix2.txt

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press Enter. Copy/paste the text in the codebox below into it:
FCopy::
c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\ntoskrnl.exe | c:\windows\system32\ntoskrnl.exe
c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\ntkrnlpa.exe | c:\windows\system32\ntkrnlpa.exe
Save this as CFScript.txt, in the same location as ComboFix.exe.

[image: CFScript.txt being dragged onto the ComboFix icon]

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

In your next reply, please include the following:
  • Combofix.txt and the old combofix log

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft
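
As an added example, not code from the thread or from ComboFix: the Python below reads the Sigcheck section of the ComboFix log posted above and derives the FCopy:: pairs in the CF-script mechanically, restoring each system32 kernel image tagged [-] from a copy tagged [7]. It assumes [7] means ComboFix could verify the file and [-] that it could not, and its preference for the ReinstallBackups copy over the $NtUninstallKB890859$ one is a choice made to match the script; a restored [7] copy is an older build (5.1.2600.2180 versus the 2622 that KB890859 installed), so the hotfix has to be reinstalled afterwards.

```python
"""Derive ComboFix FCopy:: pairs from the Sigcheck section of a ComboFix log.

Added example for this thread, not code from ComboFix or the forum helper.
Tag reading assumed here: [7] marks a copy ComboFix could verify, [-] one it
could not, so a [-] copy in system32 is restored from a [7] backup, which is
what the helper's script above does by hand.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Sample input: the ntoskrnl.exe / ntkrnlpa.exe Sigcheck lines posted above.
SAMPLE_SIGCHECK = r"""
[-] 2005-03-02 . 28187802B7C368C0D3AEF7D4C382AABB . 2179456 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
[-] 2005-03-02 . 4D4CF2C14550A4B7718E94A6E581856E . 2179328 . . [5.1.2600.2622] . . c:\windows\Driver Cache\i386\ntoskrnl.exe
[-] 2005-03-02 . 48B3E89AF7074CEE0314A3E0C7FAFFDB . 2135552 . . [5.1.2600.2622] . . c:\windows\system32\ntoskrnl.exe
[7] 2004-08-04 . CE218BC7088681FAA06633E218596CA7 . 2180992 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\ntoskrnl.exe
[7] 2004-08-04 . 626309040459C3915997EF98EC1C8D40 . 2148352 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\ntoskrnl.exe
[-] 2005-03-02 . 3CD941E472DDF3534E53038535719771 . 2015232 . . [5.1.2600.2622] . . c:\windows\system32\ntkrnlpa.exe
[-] 2005-03-02 . 81013F36B21C7F72CF784CC6731E0002 . 2056832 . . [5.1.2600.2622] . . c:\windows\Driver Cache\i386\ntkrnlpa.exe
[7] 2004-08-04 . 947FB1D86D14AFCFFDB54BF837EC25D0 . 2056832 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\ntkrnlpa.exe
[7] 2004-08-04 . FB142B7007CA2EEA76966C6C5CC12150 . 2015232 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
"""

# One Sigcheck line: [tag] date . md5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<tag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)
LIVE_DIR = r"c:\windows\system32"  # where the booted kernel images live


@dataclass(frozen=True)
class SigEntry:
    verified: bool  # True for a [7] line, False for a [-] line
    date: str
    md5: str
    size: int
    version: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def is_live(self) -> bool:
        """The copy Windows boots: directly in system32, not in a backup folder."""
        return self.path.lower() == f"{LIVE_DIR}\\{self.name}"


def parse_sigcheck(text: str) -> list[SigEntry]:
    """Parse every well-formed Sigcheck line; headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            entries.append(SigEntry(m["tag"] == "7", m["date"], m["md5"].upper(),
                                    int(m["size"]), m["version"], m["path"]))
    return entries


def plan_restores(entries: list[SigEntry]) -> tuple[list[tuple[str, str]], list[str]]:
    """Return (source, destination) pairs for each live image tagged [-] that has a
    verified backup, plus the names of live [-] images with no verified copy.
    Source preference (an assumption matching the helper's script): a
    ReinstallBackups copy first, then any other [7] copy such as $NtUninstallKB890859$."""
    by_name: dict[str, list[SigEntry]] = defaultdict(list)
    for e in entries:
        by_name[e.name].append(e)
    pairs, no_source = [], []
    for name, group in by_name.items():
        live = next((e for e in group if e.is_live), None)
        if live is None or live.verified:
            continue  # not a booted image, or already verified: nothing to restore
        good = [e for e in group if e.verified and not e.is_live]
        if not good:
            no_source.append(name)  # no clean copy on disk; needs install media
            continue
        good.sort(key=lambda e: "reinstallbackups" not in e.path.lower())
        pairs.append((good[0].path, live.path))
    return pairs, no_source


def to_cfscript(pairs: list[tuple[str, str]]) -> str:
    """Render the FCopy:: section in the 'source | destination' form ComboFix reads."""
    return "FCopy::\n" + "".join(f"{src} | {dst}\n" for src, dst in pairs)


if __name__ == "__main__":
    pairs, no_source = plan_restores(parse_sigcheck(SAMPLE_SIGCHECK))
    print(to_cfscript(pairs))
    for name in no_source:
        print(f"no verified copy of {name} on disk; restore it from install media")
```

Run against the sample it prints exactly the two FCopy:: lines of the script above; a live image with no [7] copy anywhere is reported rather than silently skipped.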


#11 killvundo

killvundo
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  • Local time:02:57 AM

Posted 22 December 2009 - 12:24 AM

I had my dad drag CFScript.txt into the ComboFix icon (kittyfix.exe), and it told him that ComboFix had expired, and gave him an option to run in reduced functionality mode. I had him click no and wait for me to get your input. Should I have him run it with reduced functionality or does he need to download a new ComboFix file? I will post the other ComboFix log now. It is from earlier this year when he had a TDSS infection.

ComboFix 09-01-18.01 - HP_Owner 2009-01-20 14:01:33.1 - NTFSx86
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: Sygate Personal Firewall *enabled*
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\cyjygynyby.reg
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\jesizuwany._dl
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\sahejojek.bin
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\sytybum._sy
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\zijaxex.reg
c:\windows\system32\TDSSmtve.dat
c:\windows\system32\TDSSxxou.dat
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV
-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-12-20 to 2009-01-20 )))))))))))))))))))))))))))))))
.

2009-01-19 17:54 . 2009-01-19 17:55 <DIR> d-------- c:\documents and settings\Administrator.LONEWOL555\Application Data\vlc
2009-01-19 07:38 . 2009-01-19 07:38 <DIR> d-------- c:\documents and settings\Administrator.LONEWOL555\Application Data\AdobeUM
2009-01-18 20:36 . 2008-11-06 02:03 <DIR> d-------- C:\SDFix
2009-01-18 19:38 . 2009-01-18 19:38 <DIR> d-------- c:\documents and settings\HP_Owner\log
2009-01-18 19:38 . 2009-01-18 19:38 142,096 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-01-15 08:19 . 2009-01-15 08:19 <DIR> d-------- c:\documents and settings\Administrator.LONEWOL555\Application Data\Viewpoint
2009-01-15 08:02 . 2009-01-15 08:02 <DIR> d-------- c:\documents and settings\Administrator.LONEWOL555\Application Data\AOL
2009-01-14 18:57 . 2009-01-14 18:57 <DIR> d-------- c:\documents and settings\Administrator.LONEWOL555\Application Data\Malwarebytes
2009-01-13 17:05 . 2009-01-19 11:07 <DIR> d-------- c:\program files\EsetOnlineScanner
2009-01-10 22:05 . 2009-01-14 20:45 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-10 22:05 . 2009-01-10 22:05 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
2009-01-10 22:05 . 2009-01-10 22:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-10 22:05 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-10 22:05 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-10 20:14 . 2009-01-10 20:14 <DIR> d-------- c:\program files\XoftSpySE
2009-01-10 15:56 . 2009-01-10 15:56 <DIR> d-------- c:\documents and settings\Administrator.LONEWOL555\Application Data\Lavasoft
2009-01-10 15:02 . 2004-10-21 17:59 <DIR> d-------- c:\documents and settings\Administrator.LONEWOL555\WINDOWS
2009-01-10 15:02 . 2004-10-22 13:12 <DIR> d-------- c:\documents and settings\Administrator.LONEWOL555\Application Data\Symantec
2009-01-10 15:02 . 2004-10-21 18:52 <DIR> d-------- c:\documents and settings\Administrator.LONEWOL555\Application Data\Sonic
2009-01-10 15:02 . 2004-10-21 18:52 <DIR> d-------- c:\documents and settings\Administrator.LONEWOL555\Application Data\SampleView
2009-01-10 15:02 . 2004-10-21 17:58 <DIR> d-------- c:\documents and settings\Administrator.LONEWOL555\Application Data\Apple Computer
2009-01-10 15:02 . 2009-01-19 07:21 <DIR> d-------- c:\documents and settings\Administrator.LONEWOL555
2009-01-03 16:47 . 2009-01-06 15:14 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\Move Networks
2008-12-24 11:16 . 2009-01-20 06:51 <DIR> d--h----- C:\$AVG8.VAULT$

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-19 15:16 3,645 ----a-w c:\windows\viassary-hp.reg
2009-01-18 15:08 --------- d-----w c:\program files\AOL 9.1
2009-01-11 04:41 --------- d-----w c:\program files\Trend Micro
2009-01-11 03:42 --------- d-----w c:\program files\Windows Live Safety Center
2009-01-11 00:24 --------- d-----w c:\documents and settings\HP_Owner\Application Data\Lavasoft
2009-01-04 03:14 --------- d-----w c:\program files\iTunes
2009-01-04 01:27 --------- d-----w c:\program files\livetvbar
2009-01-04 01:27 --------- d-----w c:\program files\Conduit
2008-12-10 12:54 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-10 03:28 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-12-10 03:28 76,040 ----a-w c:\windows\system32\drivers\avgtdix.sys
2008-12-10 03:27 --------- d-----w c:\program files\AVG
2008-12-06 04:40 49,152 ----a-w c:\windows\~DFE381.tmp
2008-12-06 02:17 16,384 ----a-w c:\windows\~DF7894.tmp
2008-11-29 04:24 --------- d-----w c:\program files\QuickTime
2008-11-22 15:05 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-10-29 00:46 18,316 ----a-w c:\windows\uriqimi.pif
2008-10-29 00:46 17,819 ----a-w c:\documents and settings\All Users\Application Data\avyxynaxok.dat
2008-10-29 00:46 15,681 ----a-w c:\windows\helemuqofe.exe
2008-10-29 00:46 15,507 ----a-w c:\documents and settings\HP_Owner\Application Data\ysaki.dat
2008-10-29 00:46 12,015 ----a-w c:\documents and settings\All Users\Application Data\exycixewi.reg
2008-10-29 00:46 11,219 ----a-w c:\windows\dujopatum.com
2008-10-29 00:46 10,817 ----a-w c:\windows\puzily.vbs
2008-07-01 16:21 1,022 -c--a-w c:\documents and settings\HP_Owner\Application Data\wklnhst.dat
2005-05-18 16:34 10,135,688 -c--a-w c:\program files\MPSetupXP.exe
2005-02-07 01:42 4,918,270 ----a-w c:\program files\Firefox Setup 1.0.exe
2005-02-07 00:29 1,775,104 -c--a-w c:\program files\epson10002.exe
2005-02-07 00:19 4,322,816 -c--a-w c:\program files\epson10001.exe
2005-02-06 22:50 9,228,440 -c--a-w c:\program files\spf.exe
2005-02-06 22:07 8,680,872 -c--a-w c:\program files\setupeng.exe
2005-02-06 21:33 2,636,408 -c--a-w c:\program files\aawsepersonal.exe
2005-02-04 21:53 0 -csha-w c:\windows\SMINST\HPCD.sys
.

------- Sigcheck -------

2005-03-01 16:36 2056832 d8aba3eab509627e707a3b14f00fbb6b c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2004-08-03 22:59 2015232 fb142b7007ca2eea76966c6c5cc12150 c:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-01 16:34 2056832 81013f36b21c7f72cf784cc6731e0002 c:\windows\Driver Cache\i386\ntkrnlpa.exe
2007-02-28 00:38 2057600 515d30e2c90a3665a2739309334c9283 c:\windows\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\SP2GDR\ntkrnlpa.exe
2007-02-28 00:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba c:\windows\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\SP2QFE\ntkrnlpa.exe
2008-08-14 01:22 2057728 ba002228743b6824d87f0551dbc86d45 c:\windows\SoftwareDistribution\Download\e76b316b6389286fbb342d033e63f1ba\SP2GDR\ntkrnlpa.exe
2008-08-14 01:18 2062976 63ec865dff6ccfc7bef94b5c50297cad c:\windows\SoftwareDistribution\Download\e76b316b6389286fbb342d033e63f1ba\SP2QFE\ntkrnlpa.exe
2008-08-14 01:33 2066048 4ac58f03eb94a72809949d757fc39d80 c:\windows\SoftwareDistribution\Download\e76b316b6389286fbb342d033e63f1ba\SP3GDR\ntkrnlpa.exe
2008-08-14 15:39 2066048 a25e9b86effb2af33bf51e676b68bfb0 c:\windows\SoftwareDistribution\Download\e76b316b6389286fbb342d033e63f1ba\SP3QFE\ntkrnlpa.exe
2005-03-01 16:34 2015232 3cd941e472ddf3534e53038535719771 c:\windows\system32\ntkrnlpa.exe
2004-08-04 11:00 2056832 947fb1d86d14afcffdb54bf837ec25d0 c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\ntkrnlpa.exe

2005-03-01 17:04 2179456 28187802b7c368c0d3aef7d4c382aabb c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2004-08-03 23:18 2148352 626309040459c3915997ef98ec1c8d40 c:\windows\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-01 16:59 2179328 4d4cf2c14550a4b7718e94a6e581856e c:\windows\Driver Cache\i386\ntoskrnl.exe
2007-02-28 01:10 2180352 582a8dbaa58c3b1f176eb2817daee77c c:\windows\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\SP2GDR\ntoskrnl.exe
2007-02-28 01:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 c:\windows\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\SP2QFE\ntoskrnl.exe
2008-08-14 02:00 2180352 21c91da9cb53aa8a37041ba9684a8458 c:\windows\SoftwareDistribution\Download\e76b316b6389286fbb342d033e63f1ba\SP2GDR\ntoskrnl.exe
2008-08-14 01:57 2185984 ce69dbd54221f2d40e49ff6db77c6507 c:\windows\SoftwareDistribution\Download\e76b316b6389286fbb342d033e63f1ba\SP2QFE\ntoskrnl.exe
2008-08-14 02:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 c:\windows\SoftwareDistribution\Download\e76b316b6389286fbb342d033e63f1ba\SP3GDR\ntoskrnl.exe
2008-08-14 16:11 2189184 31914172342bff330063f343ac6958fe c:\windows\SoftwareDistribution\Download\e76b316b6389286fbb342d033e63f1ba\SP3QFE\ntoskrnl.exe
2005-03-01 16:57 2135552 48b3e89af7074cee0314a3e0c7faffdb c:\windows\system32\ntoskrnl.exe
2004-08-04 04:00 2180992 ce218bc7088681faa06633e218596ca7 c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\ntoskrnl.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Acme.PCHButton"="c:\progra~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\PCHButton.exe" [2004-10-21 159744]
"AOL Fast Start"="c:\progra~1\AOL9~1.1\AOL.EXE" [2008-06-02 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"HostManager"="c:\program files\Common Files\AOL\1183605601\ee\AOLSoftware.exe" [2007-05-25 42032]
"SC3300CC"="c:\windows\twain_32\SiPix\SC-3300\SC3300CC.exe" [2002-08-16 139264]
"USBPNP"="c:\windows\twain_32\SiPix\SC-3300\USBPNP.exe" [2002-05-15 45056]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-08-24 99480]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"Nitro PDF Printer Monitor"="c:\program files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe" [2008-05-06 210224]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2008-07-17 26112]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-09 1261336]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 c:\windows\AGRSMMSG.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-07-28 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-04-06 c:\windows\ALCWZRD.EXE]

c:\documents and settings\Administrator.LONEWOL555\Start Menu\Programs\Startup\
HP Organize.lnk - c:\program files\Hewlett-Packard\HP Organize\bin\displayAgent.exe [2004-10-21 36864]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= JpegCode.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 19:47 57344 c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\AOL\\1183605601\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-09 97928]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-09 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-09 76040]
S3 bepldr;BCL easyPDF SDK 5 Loader;c:\program files\Common Files\BCL Technologies\NitroPDF5\bepldr.exe [2008-02-11 151552]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-01-10 38496]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-09 875288]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
.
Contents of the 'Scheduled Tasks' folder

2009-01-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-20 c:\windows\Tasks\RegCure Program Check.job
- c:\documents and settings\HP_Owner\Desktop\RegCure\RegCure.exe [2008-11-27 10:55]

2009-01-20 c:\windows\Tasks\RegCure.job
- c:\documents and settings\HP_Owner\Desktop\RegCure\RegCure.exe [2008-11-27 10:55]

2009-01-20 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-01-07 07:47]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-VTTimer - VTTimer.exe
SafeBoot-TDSSmxwt.sys
MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: www.update.microsoft.com
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\uas34qxm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://aolsearch.aol.com/aol/search?invocationType=client_searchbox&query=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-20 14:18:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vsdatant]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3304)
c:\program files\BackWeb\BackWeb Client\6.3.2.62\Program\temp\IadHide5.dll
c:\program files\Common Files\AOL\ACS\WLHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Sygate\SPF\Smc.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\wanmpsvc.exe
c:\progra~1\AOL9~1.1\waol.exe
c:\program files\HP\Digital Imaging\bin\hpqtra08.exe
c:\program files\Updates from HP\309731\Program\Updates from HP.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\Common Files\AOL\1183605601\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\progra~1\AOL9~1.1\shellmon.exe
.
**************************************************************************
.
Completion time: 2009-01-20 14:25:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-20 22:24:51

Pre-Run: 131,897,421,824 bytes free
Post-Run: 132,052,979,712 bytes free

258 --- E O F --- 2009-01-20 11:07:30

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,821 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:01:57 PM

Posted 22 December 2009 - 03:55 AM

Have him delete the old copy and download a new one and then drag CFScript.txt on the newly downloaded combofix.exe

Since we started this fix Combofix has been released normally again (no beta any longer), so the download link is as follows

Combofix

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

Malware analyst @ Emsisoft


#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,821 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:01:57 PM

Posted 25 December 2009 - 06:46 AM

Hi, are you still there?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#14 killvundo

killvundo
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  • Local time:02:57 AM

Posted 26 December 2009 - 01:39 AM

Yes, I'm here, and I've got a bigger problem now. My dad never got around to downloading the new ComboFix, so I did it today when I went to his house for Christmas. The scan ran for about 10-15 minutes and went fine until it said it was going to reboot the computer, at which point an error box popped up. It wasn't up for long before the computer restarted, so I'm not sure exactly what it said, but it had something to do with some catchme file and I believe it mentioned that a .dll file was unable to be initialized. The computer then failed to load Windows and I was given a screen with the option to boot into safe mode, boot normally, or switch to the last known good configuration. I tried booting normally, then each type of safe mode, and each time the computer just restarted itself when it got to the point where Windows would start to load. I then tried using the last known good configuration, which did nothing. Hopefully you have some idea how I might be able to get it back to normal without reformatting. Thanks again for your help, and happy holidays to you.

#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,821 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:01:57 PM

Posted 26 December 2009 - 08:54 AM

Okay, that's not good news :(

Did you run the CFscript or just a new run of Combofix? It's important for me to know that, so I know where to look for the problem.

Just to let you know, if Combofix caused this, we will be able to undo it, so no worries yet :(
  • Restart your computer
  • Before Windows loads, you will be prompted to choose which Operating System to start
  • Use the up and down arrow key to select Microsoft Windows Recovery Console
  • You must enter which Windows installation to log onto. Type 1 and press enter.
  • At the C:\Windows prompt, type the following bolded text, and press Enter (don't forget to include the word "type" as well):

    type c:\qoobox\ComboFix-quarantined-files.txt

    This should show you the contents of a textfile. Please list its contents here.

    If you get an error message that access is denied or something, type the following line, press enter, and try again:

    set allowallpaths = true

    Type exit and press enter to restart.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft




