TechSpot

Can't seem to remove Trojan.ZeroAccess.B

By masterchief34
Jul 17, 2012
  1. Hi, I am having trouble removing trojan.zeroaccess.b from my aunt's computer. I've gone through all the fixes suggested on other sites and it's still showing up. Symantec has a removal tool that I've tried, but when I run the program it says "No Infections Found." RogueKiller and Norton 360 are saying the opposite. Some websites say that some files have to be manually removed, but I can't seem to find those files on the computer. Any ideas?

    Thanks for your help!
     
  2. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Welcome aboard

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  3. masterchief34

    masterchief34 TS Rookie Topic Starter Posts: 26

    Thank you for responding! Here are the scan results:

    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.07.17.15

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    HP_Administrator :: SANDY [administrator]

    7/17/2012 6:45:39 PM
    mbam-log-2012-07-17 (18-45-39).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 247960
    Time elapsed: 10 minute(s), 8 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)


    GMER LOG

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-07-17 19:05:13
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST332083 rev.3.AH
    Running: oki11onj[1].exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\fxldypob.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    ---- EOF - GMER 1.0.15 ----
     
  4. masterchief34

    masterchief34 TS Rookie Topic Starter Posts: 26

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by HP_Administrator at 19:07:55 on 2012-07-17
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.801 [GMT -5:00]
    .
    AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton 360 *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\windows\system32\svchost.exe -k DcomLaunch
    svchost.exe
    C:\windows\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\windows\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\windows\Explorer.EXE
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
    C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Norton 360\Engine\5.2.2.3\ccSvcHst.exe
    C:\Program Files\Norton PC Checkup 3.0\SymcPCCULaunchSvc.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
    C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
    C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
    C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    svchost.exe
    C:\windows\system32\svchost.exe -k imgsvc
    C:\windows\RTHDCPL.EXE
    C:\Program Files\Web Assistant\ExtensionUpdaterService.exe
    C:\program files\real\realplayer\update\realsched.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\IncrediMail\bin\IncMail.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe
    C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
    C:\Program Files\IncrediMail\Bin\ImApp.exe
    C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    C:\Program Files\Norton 360\Engine\5.2.2.3\ccSvcHst.exe
    C:\windows\system32\dllhost.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.comcast.net/
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: IncrediMail MediaBar 2 Toolbar: {d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0} - c:\program files\incredimail_mediabar_2\prxtbInc0.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Yahooo Search Protection: {25bc7718-0bfa-40ea-b381-4b2d9732d686} - c:\program files\yahoo!\search protection\ysp.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\5.2.2.3\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\5.2.2.3\ips\IPSBHO.DLL
    BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
    BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
    BHO: IncrediMail MediaBar 2 Toolbar: {d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0} - c:\program files\incredimail_mediabar_2\prxtbInc0.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn3\YTSingleInstance.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
    TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\5.2.2.3\coIEPlg.dll
    TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
    TB: IncrediMail MediaBar 2 Toolbar: {d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0} - c:\program files\incredimail_mediabar_2\prxtbInc0.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [IncrediMail] c:\program files\incredimail\bin\IncMail.exe /c
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
    mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
    mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
    mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
    mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
    mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
    mRun: [LWS] c:\program files\logitech\lws\webcam software\LWS.exe -hide
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
    StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\_unins~1.lnk - c:\documents and settings\hp_administrator\local settings\temp\_uninst_46628355.bat
    StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\_unins~2.lnk - c:\documents and settings\hp_administrator\local settings\temp\_uninst_87143468.bat
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
    IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
    IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
    DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
    DPF: {4DCA1E08-4147-4A3D-8CA6-E095DF189FAB} - hxxp://games.bigfishgames.com/en_nightshift-legacy-the-jaguars-eye/online/Nightshift2Web.1.0.0.9.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1291073412375
    DPF: {775879E2-7309-4619-BB02-AADE41F4B690} - hxxp://aolsvc.aol.com/onlinegames/free-trial-dream-chronicles/dreamweb.1.0.0.9.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v10.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 192.168.1.1 192.168.0.1
    TCP: Interfaces\{892900FC-9814-4488-99C0-81491C1EE93D} : DhcpNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
    TCP: Interfaces\{CC1879E4-B962-4BB9-B2FD-B9776E1D1CE5} : DhcpNameServer = 192.168.1.1 192.168.0.1
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    Notify: LMIinit - LMIinit.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    IFEO: ehshell.exe - "c:\program files\logmein\x86\LogMeInSystray.exe" -MceShellRedirect
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 46628355;46628355;c:\windows\system32\drivers\46628355.sys [2012-7-12 133208]
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0502020.003\symds.sys [2012-6-12 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0502020.003\symefa.sys [2012-6-12 744568]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\bashdefs\20120711.002\BHDrvx86.sys [2012-7-12 821920]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0502020.003\ironx86.sys [2012-6-12 136312]
    R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-29 374184]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-1-27 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-7-15 47640]
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R2 N360;Norton 360;c:\program files\norton 360\engine\5.2.2.3\ccsvchst.exe [2012-6-12 130008]
    R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\norton pc checkup 3.0\SymcPCCULaunchSvc.exe [2012-5-4 131512]
    R2 NSL;Norton Safe Web Lite;c:\program files\norton safe web lite\engine\1.0.1.8\ccSvcHst.exe [2010-7-11 126904]
    R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\norton pc checkup\norton pc checkup\engine\2.0.2.506\ccSvcHst.exe [2009-12-10 126392]
    R2 Web Assistant Updater;Web Assistant Updater;c:\program files\web assistant\ExtensionUpdaterService.exe [2012-6-3 185856]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-5-31 106656]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\ipsdefs\20120715.001\IDSXpx86.sys [2012-7-16 369632]
    R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20120717.004\NAVENG.SYS [2012-7-17 87928]
    R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20120717.004\NAVEX15.SYS [2012-7-17 1589752]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-18 250056]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]
    .
    =============== Created Last 30 ================
    .
    2012-07-18 00:01:02 -------- d-----w- c:\documents and settings\hp_administrator\application data\PriceGong
    2012-07-17 10:52:36 -------- d-----w- c:\program files\HitmanPro
    2012-07-17 10:52:32 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
    2012-07-17 01:00:22 -------- d-----w- c:\documents and settings\hp_administrator\local settings\application data\NPE
    2012-07-16 21:56:38 21504 ----a-w- c:\windows\system32\hidserv.dll
    2012-07-16 21:56:38 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
    2012-07-16 21:53:18 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
    2012-07-16 21:53:18 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
    2012-07-16 21:53:10 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
    2012-07-16 21:53:10 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
    2012-07-13 00:10:45 98816 ----a-w- c:\windows\sed.exe
    2012-07-13 00:10:45 518144 ----a-w- c:\windows\SWREG.exe
    2012-07-13 00:10:45 256000 ----a-w- c:\windows\PEV.exe
    2012-07-13 00:10:45 208896 ----a-w- c:\windows\MBR.exe
    2012-07-12 20:12:10 133208 ----a-w- c:\windows\system32\drivers\46628355.sys
    2012-07-12 20:08:34 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-07-12 18:50:50 -------- d-----w- c:\documents and settings\hp_administrator\application data\FixZeroAccess
    2012-07-12 16:47:10 9226440 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
    .
    ==================== Find3M ====================
    .
    2012-07-12 16:47:14 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-07-12 16:47:13 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-07-12 12:30:19 83392 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
    2012-07-12 12:30:18 52128 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
    2012-07-12 12:30:17 87456 ----a-w- c:\windows\system32\LMIinit.dll
    2012-07-12 12:30:17 30624 ----a-w- c:\windows\system32\LMIport.dll
    2012-07-03 18:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-13 13:19:59 1866112 ----a-w- c:\windows\system32\win32k.sys
    2012-06-05 15:50:25 1372672 ------w- c:\windows\system32\msxml6.dll
    2012-06-05 15:50:25 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2012-06-04 04:32:08 152576 ----a-w- c:\windows\system32\schannel.dll
    2012-06-02 20:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
    2012-06-02 20:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
    2012-06-02 20:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
    2012-06-02 20:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
    2012-06-02 20:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
    2012-06-02 20:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll
    2012-06-02 20:18:58 214256 ----a-w- c:\windows\system32\muweb.dll
    2012-06-02 20:18:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
    2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
    2012-05-21 22:04:52 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
    2012-05-21 22:04:48 87424 ----a-w- c:\windows\system32\LMIinit.dll.000.bak
    2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-05-11 14:42:33 43520 ------w- c:\windows\system32\licmgr10.dll
    2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-05-11 11:38:02 385024 ----a-w- c:\windows\system32\html.iec
    2012-05-04 13:16:13 2148352 ------w- c:\windows\system32\ntoskrnl.exe
    2012-05-04 12:32:19 2026496 ------w- c:\windows\system32\ntkrnlpa.exe
    2012-05-02 13:46:36 139656 ------w- c:\windows\system32\drivers\rdpwd.sys
    2012-04-19 01:56:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2012-04-19 01:56:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
    .
    ============= FINISH: 19:09:04.14 ===============

    ATTACH

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 12/20/2006 2:11:43 PM
    System Uptime: 7/17/2012 6:38:20 PM (1 hours ago)
    .
    Motherboard: ASUSTek Computer INC. | | Buckeye
    Processor: Intel(R) Core(TM)2 CPU 6300 @ 1.86GHz | Socket 775 | 1866/266mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 289 GiB total, 251.078 GiB free.
    D: is FIXED (FAT32) - 9 GiB total, 0.384 GiB free.
    E: is CDROM ()
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP1883: 4/18/2012 11:40:16 AM - System Checkpoint
    RP1884: 4/21/2012 8:01:05 AM - System Checkpoint
    RP1885: 4/22/2012 10:19:01 AM - System Checkpoint
    RP1886: 4/25/2012 10:02:11 AM - System Checkpoint
    RP1887: 4/26/2012 11:14:11 AM - System Checkpoint
    RP1888: 4/27/2012 2:49:22 PM - System Checkpoint
    RP1889: 5/1/2012 11:29:14 AM - System Checkpoint
    RP1890: 5/2/2012 8:02:19 PM - System Checkpoint
    RP1891: 5/4/2012 7:51:35 PM - System Checkpoint
    RP1892: 5/6/2012 8:23:45 AM - Software Distribution Service 3.0
    RP1893: 5/7/2012 11:57:59 AM - System Checkpoint
    RP1894: 5/10/2012 9:01:43 AM - System Checkpoint
    RP1895: 5/11/2012 10:10:20 AM - Software Distribution Service 3.0
    RP1896: 5/12/2012 11:07:10 AM - System Checkpoint
    RP1897: 5/14/2012 10:23:57 AM - System Checkpoint
    RP1898: 5/15/2012 10:55:24 AM - System Checkpoint
    RP1899: 5/18/2012 10:39:36 AM - System Checkpoint
    RP1900: 5/19/2012 12:18:47 PM - System Checkpoint
    RP1901: 5/20/2012 1:52:07 PM - System Checkpoint
    RP1902: 5/21/2012 5:05:32 PM - Printer Driver LogMeIn Printer Driver Installed
    RP1903: 5/21/2012 5:21:22 PM - Software Distribution Service 3.0
    RP1904: 5/21/2012 6:05:26 PM - Software Distribution Service 3.0
    RP1905: 5/22/2012 8:02:50 AM - Software Distribution Service 3.0
    RP1906: 5/22/2012 8:26:23 AM - Software Distribution Service 3.0
    RP1907: 5/22/2012 8:37:01 AM - Software Distribution Service 3.0
    RP1908: 5/23/2012 9:09:17 AM - System Checkpoint
    RP1909: 5/25/2012 11:05:41 AM - System Checkpoint
    RP1910: 5/26/2012 12:08:33 PM - System Checkpoint
    RP1911: 5/27/2012 12:11:38 PM - System Checkpoint
    RP1912: 5/30/2012 9:19:26 AM - System Checkpoint
    RP1913: 5/31/2012 9:52:55 AM - System Checkpoint
    RP1914: 6/1/2012 10:42:53 AM - System Checkpoint
    RP1915: 6/2/2012 3:41:55 PM - System Checkpoint
    RP1916: 6/3/2012 4:46:31 PM - System Checkpoint
    RP1917: 6/4/2012 1:05:27 PM - Software Distribution Service 3.0
    RP1918: 6/5/2012 1:26:03 PM - System Checkpoint
    RP1919: 6/6/2012 4:57:01 PM - System Checkpoint
    RP1920: 6/8/2012 3:55:51 PM - System Checkpoint
    RP1921: 6/13/2012 7:33:38 AM - System Checkpoint
    RP1922: 6/13/2012 9:15:37 AM - Software Distribution Service 3.0
    RP1923: 6/14/2012 10:26:11 AM - System Checkpoint
    RP1924: 6/17/2012 12:04:25 PM - System Checkpoint
    RP1925: 6/19/2012 6:56:46 AM - System Checkpoint
    RP1926: 6/20/2012 10:09:18 AM - System Checkpoint
    RP1927: 6/23/2012 9:36:48 AM - System Checkpoint
    RP1928: 6/25/2012 9:38:25 AM - System Checkpoint
    RP1929: 6/27/2012 8:29:02 AM - System Checkpoint
    RP1930: 6/29/2012 5:49:07 PM - System Checkpoint
    RP1931: 7/1/2012 9:32:16 AM - System Checkpoint
    RP1932: 7/3/2012 8:40:38 AM - System Checkpoint
    RP1933: 7/4/2012 12:22:26 PM - System Checkpoint
    RP1934: 7/7/2012 8:03:45 AM - System Checkpoint
    RP1935: 7/8/2012 10:31:43 AM - System Checkpoint
    RP1936: 7/10/2012 7:57:27 AM - System Checkpoint
    RP1937: 7/10/2012 10:05:40 PM - Software Distribution Service 3.0
    RP1938: 7/12/2012 7:31:12 AM - Printer Driver LogMeIn Printer Driver Installed
    RP1939: 7/12/2012 3:49:14 PM - Restore Operation
    RP1940: 7/16/2012 4:57:22 PM - ComboFix created restore point
    RP1941: 7/16/2012 8:12:38 PM - Norton_Power_Eraser_20120716201234968
    RP1942: 7/17/2012 6:16:55 AM - OTL Restore Point - 7/17/2012 6:16:51 AM
    .
    ==== Installed Programs ======================
    .
    1912: Titanic Mystery
    ABBYY FineReader 6.0 Sprint
    Abra Academy: Returning Cast (remove only)
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 Plugin
    Adobe Flash Player 11 ActiveX
    Adobe Reader 9.5.1
    Adobe Shockwave Player
    Adventures of Robinson Crusoe
    Amazing Adventures The Lost Tomb 1.0.0.5
    Amazing Adventures: The Caribbean Secret
    America Online (Choose which version to remove)
    AOL Coach Version 2.0(Build:20041026.5 en)
    AOL Deskbar
    AOL Toolbar
    AOL Uninstaller (Choose which Products to Remove)
    AOL You've Got Pictures Screensaver
    Apple Application Support
    Apple Software Update
    ArcSoft Print Creations
    ArcSoft Print Creations - Album Page
    ArcSoft Print Creations - Funhouse
    ArcSoft Print Creations - Greeting Card
    ArcSoft Print Creations - Photo Book
    ArcSoft Print Creations - Photo Calendar
    ArcSoft Print Creations - Scrapbook
    ArcSoft Print Creations - Slimline Card
    AutoUpdate
    Awakening: The Dreamless Castle
    Belarc Advisor 8.1
    Big Fish Games: Game Manager
    Bonjour
    BufferChm
    Cajun Cop: The French Quarter Caper
    CameraHelperMsi
    CardRd81
    CCleaner
    CCScore
    ClueFinders Mystery Mansion Arcade
    Comcast Desktop Software (v1.2.0.9)
    CP_AtenaShokunin1Config
    CP_CalendarTemplates1
    cp_LightScribeConfig
    cp_OnlineProjectsConfig
    CP_Package_Basic1
    CP_Package_Variety1
    CP_Package_Variety2
    CP_Package_Variety3
    CP_Panorama1Config
    cp_PosterPrintConfig
    cp_UpdateProjectsConfig
    CR2
    Critical Update for Windows Media Player 11 (KB959772)
    CueTour
    Curse of the Pharaoh: Napoleon's Secret ™
    Customer Experience Enhancement
    Danger Next Door: Miss Teri Tale's Adventure
    Dark Parables: Curse of Briar Rose
    Dark Tales:™ Edgar Allan Poe`s Murders in the Rue Morgue Collector`s Edition
    Data Fax SoftModem with SmartCP
    Desktop Doctor
    Destinations
    DeviceManagementQFolder
    DinerTown Detective Agency
    DivX
    Doors of the Mind: Inner Mysteries
    Dream Chronicles: The Chosen Child
    Easy Internet Sign-up
    Enhanced Multimedia Keyboard Solution
    Epson CreativeZone
    Epson Easy Photo Print 2
    Epson Event Manager
    EPSON NX210 Series Printer Uninstall
    EPSON Scan
    erLT
    ESSBrwr
    ESSCDBK
    ESScore
    ESSgui
    ESSini
    ESSPCD
    ESSPDock
    ESSTOOLS
    essvatgt
    FullDPAppQFolder
    GemMaster Mystic
    Google Earth
    Google Toolbar for Internet Explorer
    Google Update Helper
    Google Updater
    Haunted Manor: Lord of Mirrors Collector's Edition
    Hawaiian Explorer Lost Island 1.0.0.9
    Hawaiian Explorer Pearl Harbor 1.0.0.30
    Hidden Expedition Titanic (remove only)
    Hidden Expedition: Amazon™
    Hidden in Time: Mirror Mirror
    High Definition Audio Driver Package - KB888111
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 10 (KB903157)
    Hotfix for Windows Media Player 10 (KB910393)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB932716-v2)
    Hotfix for Windows XP (KB945060-v3)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Boot Optimizer
    HP DigitalMedia Archive
    HP DVD Play 2.1
    HP Games 3.43.97
    HP Imaging Device Functions 7.0
    HP Photosmart for Media Center PC
    HP Photosmart Premier Software 6.5
    HP Update
    HP Web Helper
    HPPhotoSmartExpress
    HpSdpAppCoreApp
    IncrediMail
    IncrediMail 2.0
    IncrediMail MediaBar 2 Toolbar
    InstantShareDevices
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) Matrix Storage Manager
    Intel(R) PRO Network Connections Drivers
    Intel(R) Quick Resume Technology Drivers
    Intel® Viiv™ Software
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 6
    Java Auto Updater
    Java(TM) 6 Update 2
    Java(TM) 6 Update 29
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Java(TM) SE Runtime Environment 6 Update 1
    Jewel Quest Mysteries Curse of the Emerald Tear (remove only)
    Joan Jade and the Gates of Xibalba
    Kodak EasyShare software
    LightScribe 1.4.105.1
    LiveUpdate (Symantec Corporation)
    LiveUpdate Notice (Symantec Corporation)
    Logitech Vid HD
    Logitech Webcam Software
    LogMeIn
    Lost Realms: The Curse of Babylon
    LWS Facebook
    LWS Gallery
    LWS Help_main
    LWS Launcher
    LWS Motion Detection
    LWS Pictures And Video
    LWS Twitter
    LWS Video Mask Maker
    LWS VideoEffects
    LWS Webcam Software
    LWS WLM Plugin
    LWS YouTube Plugin
    Malwarebytes Anti-Malware version 1.62.0.1300
    Microsoft .NET Framework 1.0 Hotfix (KB2572066)
    Microsoft .NET Framework 1.0 Hotfix (KB2604042)
    Microsoft .NET Framework 1.0 Hotfix (KB2656378)
    Microsoft .NET Framework 1.0 Hotfix (KB953295)
    Microsoft .NET Framework 1.0 Hotfix (KB979904)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2656353)
    Microsoft .NET Framework 1.1 Security Update (KB2656370)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Money 2006
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Standard Edition 2003 60 days trial
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2005 Redistributable - KB2467175
    Microsoft Works
    MSN
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Murder, She Wrote
    muvee autoProducer 5.0
    muvee autoProducer unPlugged 2.0
    Mystery Case Files - Huntsville (remove only)
    Mystery Case Files®: Dire Grove™ Collector's Edition
    Mystery Case Files®: Escape from Ravenhearst™ Collector's Edition
    Mystery Case Files: Madame Fate (remove only)
    Mystery Legends: Sleepy Hollow
    Mystery P.I.: The London Caper
    Mystery Stories: Berlin Nights
    Mysteryville 2 (remove only)
    Natalie Brooks - Secrets of Treasure House
    netbrdg
    Netscape Browser (remove only)
    Nightshift Legacy - The Jaguars Eye
    Norton 360
    Norton PC Checkup
    Norton Safe Web Lite
    Norton Security Scan
    OfotoXMI
    OptionalContentQFolder
    Otto
    Pathfinders: Lost at Sea
    PC-Doctor 5 for Windows
    Penny Dreadfuls: Sweeney Todd Collector`s Edition
    Photo Notifier and Animation Creator
    PhotoGallery
    Princess Isabella: A Witch's Curse
    Python 2.2 pywin32 extensions (build 203)
    Python 2.2.3
    Quicken 2006
    QuickTime
    RandMap
    RealNetworks - Microsoft Visual C++ 2008 Runtime
    RealPlayer
    Realtek High Definition Audio Driver
    RealUpgrade 1.1
    Return to Mysterious Island
    Rhapsody
    Rhapsody Player Engine
    Rhianna Ford & The Da Vinci Letter
    Secret Mission: The Forgotten Island
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB2183461)
    Security Update for Windows Internet Explorer 7 (KB2360131)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB2647516)
    Security Update for Windows Internet Explorer 8 (KB2675157)
    Security Update for Windows Internet Explorer 8 (KB2699988)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2491683)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2584146)
    Security Update for Windows XP (KB2585542)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2598479)
    Security Update for Windows XP (KB2603381)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2621440)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2631813)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Security Update for Windows XP (KB2641653)
    Security Update for Windows XP (KB2646524)
    Security Update for Windows XP (KB2647518)
    Security Update for Windows XP (KB2653956)
    Security Update for Windows XP (KB2655992)
    Security Update for Windows XP (KB2659262)
    Security Update for Windows XP (KB2660465)
    Security Update for Windows XP (KB2661637)
    Security Update for Windows XP (KB2676562)
    Security Update for Windows XP (KB2685939)
    Security Update for Windows XP (KB2686509)
    Security Update for Windows XP (KB2691442)
    Security Update for Windows XP (KB2695962)
    Security Update for Windows XP (KB2698365)
    Security Update for Windows XP (KB2707511)
    Security Update for Windows XP (KB2709162)
    Security Update for Windows XP (KB2718523)
    Security Update for Windows XP (KB2719985)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    SFR
    SFR2
    SHASTA
    skin0001
    SkinsHP1
    SKINXSDK
    Skype Toolbars
    Skype™ 5.3
    SlideShow
    SlideShowMusic
    Sonic Express Labeler
    Sonic MyDVD Plus
    Sonic RecordNow Audio
    Sonic RecordNow Copy
    Sonic RecordNow Data
    Sonic Update Manager
    Sonic_PrimoSDK
    staticcr
    Strange Cases: The Tarot Card Mystery
    Symantec Technical Support Web Controls
    The Serpent of Isis ™
    The Sims Superstar
    The White House
    Treasure Masters, Inc.
    Treasure Seekers: Follow the Ghosts Collector's Edition
    Unload
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows Internet Explorer 7 (KB980182)
    Update for Windows Internet Explorer 8 (KB2447568)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Media Player 10 (KB913800)
    Update for Windows Media Player 10 (KB926251)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB2718704)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update Rollup 2 for Windows XP Media Center Edition 2005
    Updates from HP (remove only)
    Valerie Porter and the Scarlet Scandal
    Viewpoint Media Player
    VPRINTOL
    Web Assistant 2.0.0.441
    WebFldrs XP
    WildTangent Web Driver
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows PowerShell(TM) 1.0
    Windows XP Media Center Edition 2005 KB2502898
    Windows XP Media Center Edition 2005 KB2619340
    Windows XP Media Center Edition 2005 KB2628259
    Windows XP Media Center Edition 2005 KB908246
    Windows XP Media Center Edition 2005 KB925766
    Windows XP Media Center Edition 2005 KB973768
    Windows XP Service Pack 3
    WIRELESS
    Yahoo! Browser Services
    Yahoo! BrowserPlus 2.9.8
    Yahoo! Messenger
    Yahoo! Search Protection
    Yahoo! Software Update
    Yahoo! Toolbar
    ZenGems
    .
    ==== Event Viewer Messages From Past Week ========
    .
    7/17/2012 12:33:17 AM, error: iaStor [9] - The device, \Device\Ide\iaStor0, did not respond within the timeout period.
    7/16/2012 8:20:26 PM, error: PlugPlayManager [11] - The device Root\LEGACY_SMR300\0000 disappeared from the system without first being prepared for removal.
    7/16/2012 7:52:02 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    7/16/2012 7:44:49 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: BANTExt BHDrvx86 eeCtrl Fips ftsata2 intelppm SRTSP SRTSPX SymIRON SYMTDI
    7/16/2012 7:43:39 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    7/16/2012 6:45:01 PM, error: DCOM [10005] - DCOM got error "%487" attempting to start the service gupdate with arguments "/comsvc" in order to run the server: {4EB61BAC-A3B6-4760-9581-655041EF4D69}
    7/16/2012 6:45:00 PM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\system32\urlmon.dll. Reference error message: The operation completed successfully. .
    7/16/2012 6:30:31 PM, error: Service Control Manager [7034] - The Automatic LiveUpdate Scheduler service terminated unexpectedly. It has done this 1 time(s).
    7/16/2012 6:28:41 PM, error: Service Control Manager [7034] - The Norton 360 service terminated unexpectedly. It has done this 3 time(s).
    7/16/2012 6:28:40 PM, error: SideBySide [59] - Generate Activation Context failed for C:\PROGRAM FILES\NORTON 360\ENGINE\5.2.2.3\AVPSVC32.DLL. Reference error message: Error Message is unavailable .
    7/16/2012 6:26:29 PM, error: Service Control Manager [7031] - The Norton 360 service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    7/16/2012 6:24:49 PM, error: Service Control Manager [7031] - The Norton 360 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    7/12/2012 7:17:21 PM, error: Service Control Manager [7034] - The Web Assistant Updater service terminated unexpectedly. It has done this 1 time(s).
    7/12/2012 7:09:29 PM, error: Service Control Manager [7034] - The Process Monitor service terminated unexpectedly. It has done this 1 time(s).
    7/12/2012 1:56:34 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: atapi ftsata2 IntelIde PCIIde ViaIde
    7/10/2012 8:19:37 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the N360 service.
    7/10/2012 8:19:06 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ftsata2
    7/10/2012 8:19:05 PM, error: Service Control Manager [7022] - The Intel(R) Quick Resume technology service hung on starting.
    7/10/2012 8:19:03 PM, error: Service Control Manager [7022] - The Bonjour Service service hung on starting.
    7/10/2012 8:18:27 PM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
    .
    ==== End Of File ===========================
     
  5. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    • Download RogueKiller on the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop)
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

    =======================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
     
  6. masterchief34

    masterchief34 TS Rookie Topic Starter Posts: 26

    RogueKiller V7.6.4 [07/17/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User: HP_Administrator [Admin rights]
    Mode: Scan -- Date: 07/17/2012 19:20:03

    ¤¤¤ Bad processes: 0 ¤¤¤

    ¤¤¤ Registry Entries: 4 ¤¤¤
    [SUSP PATH] _uninst_46628355.lnk @HP_Administrator : C:\Documents and Settings\HP_Administrator\Local Settings\Temp\_uninst_46628355.bat -> FOUND
    [SUSP PATH] _uninst_87143468.lnk @HP_Administrator : C:\Documents and Settings\HP_Administrator\Local Settings\Temp\_uninst_87143468.bat -> FOUND
    [IFEO] HKLM\[...]\Image File Execution Options : ehshell.exe ("C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" -MceShellRedirect) -> FOUND
    [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤
    [ZeroAccess][FILE] @ : c:\windows\installer\{c4ee18df-3dd6-00a2-0059-b808e7cadfbb}\@ --> FOUND
    [ZeroAccess][FOLDER] U : c:\windows\installer\{c4ee18df-3dd6-00a2-0059-b808e7cadfbb}\U --> FOUND
    [ZeroAccess][FOLDER] L : c:\windows\installer\{c4ee18df-3dd6-00a2-0059-b808e7cadfbb}\L --> FOUND
    [ZeroAccess][FILE] @ : c:\documents and settings\hp_administrator\local settings\application data\{c4ee18df-3dd6-00a2-0059-b808e7cadfbb}\@ --> FOUND
    [ZeroAccess][FOLDER] U : c:\documents and settings\hp_administrator\local settings\application data\{c4ee18df-3dd6-00a2-0059-b808e7cadfbb}\U --> FOUND
    [ZeroAccess][FOLDER] L : c:\documents and settings\hp_administrator\local settings\application data\{c4ee18df-3dd6-00a2-0059-b808e7cadfbb}\L --> FOUND

    ¤¤¤ Driver: [LOADED] ¤¤¤
    SSDT[12] : NtAlertResumeThread @ 0x805D4BDC -> HOOKED (Unknown @ 0x89B12508)
    SSDT[13] : NtAlertThread @ 0x805D4B8C -> HOOKED (Unknown @ 0x89B125E8)
    SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AC2 -> HOOKED (Unknown @ 0x898D88F8)
    SSDT[19] : NtAssignProcessToJobObject @ 0x805D66A0 -> HOOKED (Unknown @ 0x897ABDD0)
    SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x89A1EA38)
    SSDT[43] : NtCreateMutant @ 0x8061758E -> HOOKED (Unknown @ 0x890D12E0)
    SSDT[52] : NtCreateSymbolicLinkObject @ 0x805C3A02 -> HOOKED (Unknown @ 0x897CC690)
    SSDT[53] : NtCreateThread @ 0x805D1038 -> HOOKED (Unknown @ 0x89ADA0C8)
    SSDT[57] : NtDebugActiveProcess @ 0x80643A1C -> HOOKED (Unknown @ 0x897B12C8)
    SSDT[68] : NtDuplicateObject @ 0x805BE010 -> HOOKED (Unknown @ 0x8A7885E0)
    SSDT[83] : NtFreeVirtualMemory @ 0x805B2FBA -> HOOKED (Unknown @ 0x89B30B48)
    SSDT[89] : NtImpersonateAnonymousToken @ 0x805F9258 -> HOOKED (Unknown @ 0x890F3908)
    SSDT[91] : NtImpersonateThread @ 0x805D7860 -> HOOKED (Unknown @ 0x890F39E8)
    SSDT[97] : NtLoadDriver @ 0x80584172 -> HOOKED (Unknown @ 0x897FEAB8)
    SSDT[108] : NtMapViewOfSection @ 0x805B2042 -> HOOKED (Unknown @ 0x89BAED50)
    SSDT[114] : NtOpenEvent @ 0x8060EF4C -> HOOKED (Unknown @ 0x893E6548)
    SSDT[122] : NtOpenProcess @ 0x805CB456 -> HOOKED (Unknown @ 0x8918D8F0)
    SSDT[123] : NtOpenProcessToken @ 0x805EDF26 -> HOOKED (Unknown @ 0x89783C98)
    SSDT[125] : NtOpenSection @ 0x805AA3F4 -> HOOKED (Unknown @ 0x897B4720)
    SSDT[128] : NtOpenThread @ 0x805CB6E2 -> HOOKED (Unknown @ 0x898C9180)
    SSDT[137] : NtProtectVirtualMemory @ 0x805B8426 -> HOOKED (Unknown @ 0x897CC9A0)
    SSDT[206] : NtResumeThread @ 0x805D4A18 -> HOOKED (Unknown @ 0x89B2ED48)
    SSDT[213] : NtSetContextThread @ 0x805D2C1A -> HOOKED (Unknown @ 0x893F0E00)
    SSDT[228] : NtSetInformationProcess @ 0x805CDEA0 -> HOOKED (Unknown @ 0x89BA2660)
    SSDT[240] : NtSetSystemInformation @ 0x8060FC04 -> HOOKED (Unknown @ 0x897B2D10)
    SSDT[253] : NtSuspendProcess @ 0x805D4AE0 -> HOOKED (Unknown @ 0x897B55B8)
    SSDT[254] : NtSuspendThread @ 0x805D4952 -> HOOKED (Unknown @ 0x89B2EE08)
    SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (Unknown @ 0x88FDE1F0)
    SSDT[258] : NtTerminateThread @ 0x805D24D2 -> HOOKED (Unknown @ 0x89B30F90)
    SSDT[267] : NtUnmapViewOfSection @ 0x805B2E50 -> HOOKED (Unknown @ 0x89BAED18)
    SSDT[277] : NtWriteVirtualMemory @ 0x805B43D4 -> HOOKED (Unknown @ 0x89B0B170)
    S_SSDT[307] : Unknown -> HOOKED (Unknown @ 0x897A8750)
    S_SSDT[383] : Unknown -> HOOKED (Unknown @ 0x893F92A0)
    S_SSDT[414] : Unknown -> HOOKED (Unknown @ 0x897A8970)
    S_SSDT[416] : Unknown -> HOOKED (Unknown @ 0x89AE0388)
    S_SSDT[428] : Unknown -> HOOKED (Unknown @ 0x897A9980)
    S_SSDT[460] : Unknown -> HOOKED (Unknown @ 0x89A11938)
    S_SSDT[475] : Unknown -> HOOKED (Unknown @ 0x89B79638)
    S_SSDT[476] : Unknown -> HOOKED (Unknown @ 0x89B83138)
    S_SSDT[549] : Unknown -> HOOKED (Unknown @ 0x897CC098)
    S_SSDT[552] : Unknown -> HOOKED (Unknown @ 0x88F521A8)

    ¤¤¤ Infection : ZeroAccess ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    127.0.0.1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: ST3320833AS +++++
    --- User ---
    [MBR] 32ee40c0deaf917452b588b469c0e38d
    [BSP] 05e3161cf4ce79602881f99911e8893d : Toshiba tatooed MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 296386 Mo
    1 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 607016025 | Size: 8848 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[1].txt >>
    RKreport[1].txt


    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-07-17 19:21:53
    -----------------------------
    19:21:53.843 OS Version: Windows 5.1.2600 Service Pack 3
    19:21:53.843 Number of processors: 2 586 0xF06
    19:21:53.843 ComputerName: SANDY UserName:
    19:21:55.328 Initialize success
    19:25:14.265 AVAST engine defs: 12071701
    19:25:22.296 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    19:25:22.296 Disk 0 Vendor: ST332083 3.AH Size: 305245MB BusType: 3
    19:25:22.312 Disk 0 MBR read successfully
    19:25:22.328 Disk 0 MBR scan
    19:25:22.343 Disk 0 unknown MBR code
    19:25:22.343 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 296386 MB offset 63
    19:25:22.375 Disk 0 Partition 2 00 0C FAT32 LBA RECOVERY 8848 MB offset 607016025
    19:25:22.406 Disk 0 scanning sectors +625137345
    19:25:22.468 Disk 0 scanning C:\windows\system32\drivers
    19:25:34.828 Service scanning
    19:25:55.500 Modules scanning
    19:26:04.812 Disk 0 trace - called modules:
    19:26:04.828 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
    19:26:04.843 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a74d8c8]
    19:26:04.843 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8a206030]
    19:26:05.531 AVAST engine scan C:\windows
    19:26:12.468 AVAST engine scan C:\windows\system32
    19:29:36.828 AVAST engine scan C:\windows\system32\drivers
    19:30:04.937 AVAST engine scan C:\Documents and Settings\HP_Administrator
    19:39:35.765 AVAST engine scan C:\Documents and Settings\All Users
    19:52:35.468 Scan finished successfully
    19:52:47.156 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\HP_Administrator\Desktop\MBR.dat"
    19:52:47.156 The log file has been saved successfully to "C:\Documents and Settings\HP_Administrator\Desktop\aswMBR.txt"
    19:52:59.671 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\HP_Administrator\Desktop\MBR.dat"
    19:52:59.671 The log file has been saved successfully to "C:\Documents and Settings\HP_Administrator\Desktop\aswMBR.txt"
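The aswMBR log above reports the MBR it read and saves a copy to MBR.dat. The following parser is an added example (not part of this thread or of aswMBR) that decodes a raw 512-byte MBR image, checks the 0x55AA boot signature, hashes the boot-code area for baseline comparison, and prints the partition table in the same shape aswMBR uses. The sample image is constructed here to match the two partitions in the log; the volume labels (NTFS, RECOVERY) live in the filesystems, not the MBR, so they are not reproduced.

```python
"""Decode a classic MBR (e.g. the MBR.dat that aswMBR saves to the Desktop).

Added example for reading the partition table aswMBR reports; it is not
code from the thread or from the aswMBR tool.
"""
import hashlib
import struct

SECTOR_SIZE = 512
MBR_SIZE = 512
TABLE_OFFSET = 446        # 446 bytes of boot code, then four 16-byte entries
ENTRY_SIZE = 16
SIGNATURE = b"\x55\xAA"   # boot signature at bytes 510..511
ENTRY_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count

# Well-known partition type IDs; 0x07 and 0x0C are the two in the log above.
PARTITION_TYPES = {
    0x05: "Extended", 0x07: "HPFS/NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
    0x0E: "FAT16 LBA", 0x0F: "Extended LBA", 0x82: "Linux swap",
    0x83: "Linux", 0xEE: "GPT protective",
}


def parse_mbr(data: bytes) -> dict:
    """Return signature status, a boot-code hash and the used partition entries."""
    if len(data) < MBR_SIZE:
        raise ValueError(f"need at least {MBR_SIZE} bytes, got {len(data)}")
    boot_code = data[:TABLE_OFFSET]
    partitions = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, data, off)
        if ptype == 0 and sectors == 0:
            continue  # empty slot
        partitions.append({
            "index": i + 1,
            "status": status,
            "active": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start,
            "sectors": sectors,
            # aswMBR prints sizes in whole MB, as here (integer division)
            "size_mb": sectors * SECTOR_SIZE // (1024 * 1024),
        })
    return {
        "signature_ok": data[510:512] == SIGNATURE,
        # Compare this against a known-good hash of the same disk's boot code;
        # a change here is what a boot-sector scanner wants to flag.
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "boot_code_blank": not any(boot_code),
        "partitions": partitions,
    }


def format_partition(p: dict, disk: int = 0) -> str:
    """Render one entry the way aswMBR does: 'Disk 0 Partition 1 80 (A) 07 HPFS/NTFS ...'."""
    flag = " (A)" if p["active"] else ""
    return (f"Disk {disk} Partition {p['index']} {p['status']:02X}{flag} "
            f"{p['type']:02X} {p['type_name']} {p['size_mb']} MB offset {p['lba_start']}")


def layout_problems(info: dict, disk_sectors: int) -> list:
    """Report entries that overlap each other or run past the end of the disk."""
    problems = []
    parts = sorted(info["partitions"], key=lambda p: p["lba_start"])
    for a, b in zip(parts, parts[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            problems.append(f"partition {a['index']} overlaps partition {b['index']}")
    for p in parts:
        if p["lba_start"] + p["sectors"] > disk_sectors:
            problems.append(f"partition {p['index']} extends past end of disk")
    return problems


def build_sample_mbr() -> bytes:
    """Constructed image matching the two partitions in the aswMBR log.

    Boot code is left as zeros; only the table and signature are filled in.
    """
    img = bytearray(MBR_SIZE)
    entries = [
        (0x80, 0x07, 63, 296386 * 2048),        # NTFS system partition
        (0x00, 0x0C, 607016025, 8848 * 2048),   # FAT32 LBA recovery partition
    ]
    for i, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, img, TABLE_OFFSET + i * ENTRY_SIZE,
                         status, ptype, start, count)
    img[510:512] = SIGNATURE
    return bytes(img)


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print("boot signature ok:", info["signature_ok"])
    print("boot code sha256:", info["boot_code_sha256"])
    for p in info["partitions"]:
        print(format_partition(p))
    # 305245 MB disk from the log, converted to 512-byte sectors
    print("layout problems:", layout_problems(info, 305245 * 2048) or "none")
```

To inspect the real file instead of the constructed one, read MBR.dat in binary mode and pass its bytes to parse_mbr().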
     
  7. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
     
  8. masterchief34

    masterchief34 TS Rookie Topic Starter Posts: 26

    I downloaded the Farbar Recovery Scan Tool but I can't seem to locate the System Recovery options mentioned because it boots into HP's System Recovery. I would boot from the Windows XP CD but her CD drive doesn't appear to be reading discs (must not work).

    Is there a way to launch the command prompt from the HP System Recovery?

    Thanks
     
  9. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    My fault :)
    I didn't notice we're dealing with XP here.
    Sorry :)

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    • NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  10. masterchief34

    masterchief34 TS Rookie Topic Starter Posts: 26

    ComboFix 12-07-16.01 - HP_Administrator 07/17/2012 21:11:29.6.2 - x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1697 [GMT -5:00]
    Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
    AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton 360 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\HP_Administrator\Application Data\PriceGong
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\1.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\a.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\b.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\c.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\d.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\e.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\f.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\g.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\h.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\I.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\j.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\k.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\l.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\m.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\mru.xml
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\n.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\o.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\p.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\q.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\r.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\s.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\t.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\u.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\v.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\w.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\wlu.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\x.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\y.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\z.txt
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-18 to 2012-07-18 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-17 10:52 . 2012-07-17 10:52 -------- d-----w- c:\program files\HitmanPro
    2012-07-17 10:52 . 2012-07-17 11:05 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
    2012-07-17 02:32 . 2012-07-17 02:32 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
    2012-07-17 01:00 . 2012-07-17 01:15 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\NPE
    2012-07-17 00:52 . 2012-07-17 00:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\NPE
    2012-07-16 21:56 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
    2012-07-16 21:56 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
    2012-07-16 21:53 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
    2012-07-16 21:53 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
    2012-07-16 21:53 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
    2012-07-16 21:53 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
    2012-07-12 20:12 . 2012-07-13 03:54 133208 ----a-w- c:\windows\system32\drivers\46628355.sys
    2012-07-12 20:08 . 2012-07-12 20:08 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-07-12 18:50 . 2012-07-12 18:50 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\FixZeroAccess
    2012-07-12 16:47 . 2012-07-12 16:47 9226440 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-12 16:47 . 2012-04-18 13:29 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-07-12 16:47 . 2011-05-15 13:10 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-07-12 12:30 . 2010-07-16 03:12 83392 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
    2012-07-12 12:30 . 2010-07-16 03:12 52128 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
    2012-07-12 12:30 . 2010-07-16 03:12 30624 ----a-w- c:\windows\system32\LMIport.dll
    2012-07-12 12:30 . 2010-07-16 03:12 87456 ----a-w- c:\windows\system32\LMIinit.dll
    2012-07-03 18:46 . 2011-02-18 05:42 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-13 13:19 . 2004-08-10 04:00 1866112 ----a-w- c:\windows\system32\win32k.sys
    2012-06-05 15:50 . 2008-08-18 21:20 1372672 ------w- c:\windows\system32\msxml6.dll
    2012-06-05 15:50 . 2004-08-10 04:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2012-06-04 04:32 . 2004-08-10 04:00 152576 ----a-w- c:\windows\system32\schannel.dll
    2012-06-02 20:19 . 2007-06-05 17:52 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
    2012-06-02 20:19 . 2007-06-05 17:52 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
    2012-06-02 20:19 . 2004-08-10 04:00 329240 ----a-w- c:\windows\system32\wucltui.dll
    2012-06-02 20:19 . 2004-08-10 04:00 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
    2012-06-02 20:19 . 2004-08-10 04:00 210968 ----a-w- c:\windows\system32\wuweb.dll
    2012-06-02 20:19 . 2007-06-05 17:52 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
    2012-06-02 20:19 . 2005-05-26 12:16 45080 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 20:19 . 2004-08-10 04:00 97304 ----a-w- c:\windows\system32\cdm.dll
    2012-06-02 20:19 . 2004-08-10 04:00 53784 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 20:19 . 2004-08-10 04:00 35864 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 20:19 . 2007-06-05 17:52 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
    2012-06-02 20:19 . 2004-08-10 04:00 577048 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 20:19 . 2004-08-10 04:00 1933848 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 20:18 . 2010-12-01 21:34 275696 ----a-w- c:\windows\system32\mucltui.dll
    2012-06-02 20:18 . 2010-12-01 21:34 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
    2012-06-02 20:18 . 2009-08-07 01:23 214256 ----a-w- c:\windows\system32\muweb.dll
    2012-05-31 13:22 . 2004-08-10 04:00 599040 ----a-w- c:\windows\system32\crypt32.dll
    2012-05-21 22:04 . 2010-07-16 03:12 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
    2012-05-21 22:04 . 2010-07-16 03:12 87424 ----a-w- c:\windows\system32\LMIinit.dll.000.bak
    2012-05-16 15:08 . 2004-08-10 04:00 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-05-11 14:42 . 2004-08-10 04:00 43520 ------w- c:\windows\system32\licmgr10.dll
    2012-05-11 14:42 . 2004-08-10 04:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-05-11 11:38 . 2004-08-10 04:00 385024 ----a-w- c:\windows\system32\html.iec
    2012-05-04 13:16 . 2004-08-10 11:00 2148352 ------w- c:\windows\system32\ntoskrnl.exe
    2012-05-04 12:32 . 2004-08-10 11:00 2026496 ------w- c:\windows\system32\ntkrnlpa.exe
    2012-05-02 13:46 . 2004-08-10 04:00 139656 ------w- c:\windows\system32\drivers\rdpwd.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}"= "c:\program files\IncrediMail_MediaBar_2\prxtbInc0.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}]
    2011-05-09 09:49 176936 ----a-w- c:\program files\IncrediMail_MediaBar_2\prxtbInc0.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}"= "c:\program files\IncrediMail_MediaBar_2\prxtbInc0.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D40B90B4-D3B1-4D6B-A5D7-DC041C1B76C0}"= "c:\program files\IncrediMail_MediaBar_2\prxtbInc0.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2012-03-07 366024]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-19 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
    "ftutil2"="ftutil2.dll" [2004-06-07 106496]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
    "DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
    "HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
    "Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2008-01-29 583048]
    "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-01-27 63048]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-06-23 98304]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-06-23 86016]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2006-06-23 81920]
    "ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
    "LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-07 165208]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    "RTHDCPL"="RTHDCPL.EXE" [2012-03-14 20065896]
    "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2012-05-22 296056]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
    .
    c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
    _uninst_46628355.lnk - c:\documents and settings\HP_Administrator\Local Settings\Temp\_uninst_46628355.bat [N/A]
    _uninst_87143468.lnk - c:\documents and settings\HP_Administrator\Local Settings\Temp\_uninst_87143468.bat [N/A]
    .
    c:\documents and settings\LogMeInRemoteUser\Start Menu\Programs\Startup\
    Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-8-24 27136]
    PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-24 27136]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-8-24 36903]
    .
    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-8-24 27136]
    PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-24 27136]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2012-07-12 12:30 87456 ----a-w- c:\windows\system32\LMIinit.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36Crusader]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36CrusaderBoot]
    @=""
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
    backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2012-01-02 16:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
    2006-10-23 12:50 71216 ----a-r- c:\program files\Common Files\AOL\ACS\AOLDial.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
    2010-10-28 01:17 207424 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
    2007-10-31 02:57 1095256 ----a-w- c:\program files\DISC\DISCover.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
    2008-12-04 18:24 665424 ------w- c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Updater]
    2011-10-05 21:23 161336 ----a-w- c:\program files\Google\Google Updater\GoogleUpdater.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    2007-04-12 21:23 42032 ----a-w- c:\program files\Common Files\AOL\1166656723\EE\aolsoftware.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2010-03-12 18:08 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
    2011-01-13 02:01 6129496 ----a-w- c:\program files\Logitech\Vid HD\Vid.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
    2011-08-22 07:18 6276408 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2012-04-19 01:56 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    2012-05-22 15:25 499312 ----a-w- c:\program files\Real\realplayer\realplay.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2011-06-09 19:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2008-10-19 20:19 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
    "c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
    "c:\\Program Files\\DISC\\DiscStreamHub.exe"=
    "c:\\Program Files\\IncrediMail\\Bin\\IncMail.exe"=
    "c:\\Program Files\\IncrediMail\\Bin\\ImApp.exe"=
    .
    R0 46628355;46628355;c:\windows\system32\drivers\46628355.sys [7/12/2012 3:12 PM 133208]
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0502020.003\symds.sys [6/12/2012 7:24 AM 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0502020.003\symefa.sys [6/12/2012 7:24 AM 744568]
    S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20120711.002\BHDrvx86.sys [7/12/2012 7:37 AM 821920]
    S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0502020.003\ironx86.sys [6/12/2012 7:24 AM 136312]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/7/2010 12:26 PM 135664]
    S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [9/29/2010 12:46 PM 374184]
    S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [1/27/2010 12:22 PM 12856]
    S2 N360;Norton 360;c:\program files\Norton 360\Engine\5.2.2.3\ccsvchst.exe [6/12/2012 7:24 AM 130008]
    S2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\Norton PC Checkup 3.0\SymcPCCULaunchSvc.exe [5/4/2012 7:31 PM 131512]
    S2 NSL;Norton Safe Web Lite;c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe [7/11/2010 9:51 PM 126904]
    S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe [12/10/2009 1:43 PM 126392]
    S2 Web Assistant Updater;Web Assistant Updater;c:\program files\Web Assistant\ExtensionUpdaterService.exe [6/3/2012 10:33 AM 185856]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/18/2012 8:29 AM 250056]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/31/2012 3:03 PM 106656]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/7/2010 12:26 PM 135664]
    S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20120715.001\IDSXpx86.sys [7/16/2012 8:29 PM 369632]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MDMXSDK
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-18 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-18 16:47]
    .
    2012-07-12 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
    .
    2012-07-12 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-07 21:23]
    .
    2012-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 17:26]
    .
    2012-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 17:26]
    .
    2012-07-08 c:\windows\Tasks\Norton Security Scan for HP_Administrator.job
    - c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2011-02-10 00:00]
    .
    2012-06-21 c:\windows\Tasks\PC Checkup 3 Weekly Scan.job
    - c:\program files\Norton PC Checkup 3.0\NLAppLauncher.exe [2012-05-05 01:06]
    .
    2012-07-18 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4156177612-2444206607-219807860-1007.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2012-04-30 23:21]
    .
    2012-06-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4156177612-2444206607-219807860-1007.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2012-04-30 23:21]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.comcast.net/
    uInternet Settings,ProxyOverride = *.local
    TCP: DhcpNameServer = 192.168.1.1 192.168.0.1
    DPF: {4DCA1E08-4147-4A3D-8CA6-E095DF189FAB} - hxxp://games.bigfishgames.com/en_nightshift-legacy-the-jaguars-eye/online/Nightshift2Web.1.0.0.9.cab
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-07-17 21:19
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
    "ImagePath"="\"c:\program files\Norton 360\Engine\5.2.2.3\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\5.2.2.3\diMaster.dll\" /prefetch:1"
    --
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NSL]
    "ImagePath"="\"c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe\" /s \"NSL\" /m \"c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\diMaster.dll\" /prefetch:1"
    --
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCCUJobMgr]
    "ImagePath"="\"c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\diMaster.dll\" /prefetch:1"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(696)
    c:\windows\system32\LMIinit.dll
    c:\windows\system32\LMIRfsClientNP.dll
    .
    Completion time: 2012-07-17 21:20:38
    ComboFix-quarantined-files.txt 2012-07-18 02:20
    ComboFix2.txt 2012-07-17 11:52
    ComboFix3.txt 2012-07-17 01:51
    ComboFix4.txt 2012-07-17 00:14
    ComboFix5.txt 2012-07-18 02:10
    .
    Pre-Run: 271,625,228,288 bytes free
    Post-Run: 271,677,870,080 bytes free
    .
    - - End Of File - - D1F0A05F2C026F7962FFAE6564EB3BCC
     
  11. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Any reason you didn't follow my instructions regarding Recovery Console installation?
     
  12. masterchief34

    masterchief34 TS Rookie Topic Starter Posts: 26

    Yes, I clicked to install the recovery console and then received an error message regarding the C:\Boot.ini file (I believe it said it was missing or invalid). It then went on to the scanning part.

    Should I re-run the scan to see if it installs the recovery console this time?
     
  13. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Not yet.
    Make sure that if you have some issue, you let me know. Do not leave it unaddressed.

    Download BootCheck.exe to your desktop.

    • Double click BootCheck.exe to run the check
    • When complete, a Notepad window will open with some text in it
    • Save the Notepad file to your desktop as BootCheck.txt
    • Copy the contents of BootCheck.txt and post it in your next reply
     
  14. masterchief34

    masterchief34 TS Rookie Topic Starter Posts: 26

    Sorry about that.

    I'm getting a "404 not found" error on the link for BootCheck.exe. Is there another place I can download it from?

    Thanks again for your help!
     
  15. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Attached (zipped)
     


  16. masterchief34

    masterchief34 TS Rookie Topic Starter Posts: 26

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !
    Contents of C:\boot.ini:
    [operating systems]
    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
     
  17. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Click Start, click Run, type sysdm.cpl, and then click OK.
    On the Advanced tab, click Settings under Startup and Recovery.
    Under System Startup, click Edit. This will open boot.ini file in Notepad.

    Delete all text inside.

    Copy the following text:

    and paste it into the open Notepad window.
    Go File>Save
    Close Notepad.

    Re-run BootCheck so I can see that it looks correct.
     
  18. masterchief34

    masterchief34 TS Rookie Topic Starter Posts: 26

    Ok, I have followed the steps and re-run Bootcheck.exe. Here is what it says now:

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !
    Contents of C:\boot.ini:
    [boot loader]
    timeout=30
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Media Center Edition" /fastdetect
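    The two BootCheck outputs above show a malformed boot.ini (no [boot loader] section, and a /cmdcons entry for a Recovery Console that BootCheck says is not installed) next to the repaired file. As an added example that is not part of this thread or of the BootCheck tool, the Python below parses the boot.ini variants quoted here and reports those same inconsistencies; the function names, finding wording and the `recovery_console_installed` flag are assumptions of this example.

```python
"""Structural consistency check for a Windows XP boot.ini.

Added example modelled on the BootCheck output quoted in this thread; it is
not the BootCheck tool itself. The sample files below are constructed from
the boot.ini contents posted in the thread.
"""
from typing import Dict, List, Tuple

# Post 16: no [boot loader] section, and a /cmdcons entry although BootCheck
# reported that the Recovery Console is not installed.
BROKEN_BOOT_INI = """[operating systems]
C:\\CMDCONS\\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
"""

# Post 18: the repaired file after the edit through sysdm.cpl.
FIXED_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Media Center Edition" /fastdetect
"""


def parse_boot_ini(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Minimal INI parser. boot.ini keys contain '(' and '\\' and the values
    contain quoted strings, so a hand-rolled parser is simpler than
    configparser here. Section names are lower-cased; keys keep their case
    and their order within the section."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None:
            continue  # stray line before any section header
        key, sep, value = line.partition("=")
        sections[current].append((key.strip(), value.strip() if sep else ""))
    return sections


def check_boot_ini(text: str, recovery_console_installed: bool) -> List[str]:
    """Return a list of findings; an empty list means the file is consistent.

    recovery_console_installed is supplied by the caller (BootCheck
    determines it by looking at the machine); this example only reasons
    about the file contents."""
    findings: List[str] = []
    sections = parse_boot_ini(text)

    loader = dict(sections.get("boot loader", []))
    if "boot loader" not in sections:
        findings.append("missing [boot loader] section")
    else:
        for required in ("timeout", "default"):
            if required not in loader:
                findings.append(f"[boot loader] has no '{required}' entry")
        if "timeout" in loader and not loader["timeout"].isdigit():
            findings.append(f"timeout is not numeric: {loader['timeout']!r}")

    os_entries = sections.get("operating systems", [])
    if not os_entries:
        findings.append("missing or empty [operating systems] section")

    # ARC paths are compared case-insensitively, like the NTFS paths they name.
    arc_paths = {key.lower() for key, _ in os_entries}
    default = loader.get("default")
    if default and default.lower() not in arc_paths:
        findings.append(f"default {default!r} matches no [operating systems] entry")

    for key, value in os_entries:
        if "/cmdcons" in value.lower() and not recovery_console_installed:
            findings.append(
                f"entry {key!r} boots a Recovery Console that is not installed"
            )
    return findings


if __name__ == "__main__":
    for name, sample in (("broken", BROKEN_BOOT_INI), ("fixed", FIXED_BOOT_INI)):
        result = check_boot_ini(sample, recovery_console_installed=False)
        print(f"{name}: {result or 'OK'}")
```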
     
  19. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Good :)

    Re-run Combofix and see if you can install Recovery Console.
     
  20. masterchief34

    masterchief34 TS Rookie Topic Starter Posts: 26

    It's scanning right now. This time it successfully connected and installed the Recovery Console. I will post the log as soon as it completes!
     
  21. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Cool :)
     
  22. masterchief34

    masterchief34 TS Rookie Topic Starter Posts: 26

    ComboFix 12-07-16.01 - HP_Administrator 07/17/2012 22:48:00.7.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1309 [GMT -5:00]
    Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
    AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton 360 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
    c:\docume~1\HP_ADM~1\LOCALS~1\Temp\RarSFX0\h\iexplore.exe
    c:\documents and settings\HP_Administrator\Application Data\PriceGong
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\1.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\2229.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\a.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\b.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\c.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\d.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\e.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\f.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\g.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\h.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\I.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\j.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\k.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\l.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\m.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\mru.xml
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\n.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\o.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\p.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\q.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\r.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\s.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\t.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\u.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\v.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\w.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\wlu.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\x.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\y.txt
    c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\z.txt
    c:\documents and settings\HP_Administrator\Local Settings\Temp\IadHide5.dll
    c:\documents and settings\HP_Administrator\Local Settings\Temp\RarSFX0\h\iexplore.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-18 to 2012-07-18 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-17 10:52 . 2012-07-17 10:52 -------- d-----w- c:\program files\HitmanPro
    2012-07-17 10:52 . 2012-07-17 11:05 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
    2012-07-17 02:32 . 2012-07-17 02:32 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
    2012-07-17 01:00 . 2012-07-17 01:15 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\NPE
    2012-07-17 00:52 . 2012-07-17 00:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\NPE
    2012-07-16 21:56 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
    2012-07-16 21:56 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
    2012-07-16 21:53 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
    2012-07-16 21:53 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
    2012-07-16 21:53 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
    2012-07-16 21:53 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
    2012-07-12 20:12 . 2012-07-13 03:54 133208 ----a-w- c:\windows\system32\drivers\46628355.sys
    2012-07-12 20:08 . 2012-07-12 20:08 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-07-12 18:50 . 2012-07-12 18:50 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\FixZeroAccess
    2012-07-12 16:47 . 2012-07-12 16:47 9226440 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-12 16:47 . 2012-04-18 13:29 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-07-12 16:47 . 2011-05-15 13:10 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-07-12 12:30 . 2010-07-16 03:12 83392 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
    2012-07-12 12:30 . 2010-07-16 03:12 52128 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
    2012-07-12 12:30 . 2010-07-16 03:12 30624 ----a-w- c:\windows\system32\LMIport.dll
    2012-07-12 12:30 . 2010-07-16 03:12 87456 ----a-w- c:\windows\system32\LMIinit.dll
    2012-07-03 18:46 . 2011-02-18 05:42 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-13 13:19 . 2004-08-10 04:00 1866112 ----a-w- c:\windows\system32\win32k.sys
    2012-06-05 15:50 . 2008-08-18 21:20 1372672 ------w- c:\windows\system32\msxml6.dll
    2012-06-05 15:50 . 2004-08-10 04:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2012-06-04 04:32 . 2004-08-10 04:00 152576 ----a-w- c:\windows\system32\schannel.dll
    2012-06-02 20:19 . 2007-06-05 17:52 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
    2012-06-02 20:19 . 2007-06-05 17:52 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
    2012-06-02 20:19 . 2004-08-10 04:00 329240 ----a-w- c:\windows\system32\wucltui.dll
    2012-06-02 20:19 . 2004-08-10 04:00 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
    2012-06-02 20:19 . 2004-08-10 04:00 210968 ----a-w- c:\windows\system32\wuweb.dll
    2012-06-02 20:19 . 2007-06-05 17:52 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
    2012-06-02 20:19 . 2005-05-26 12:16 45080 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 20:19 . 2004-08-10 04:00 97304 ----a-w- c:\windows\system32\cdm.dll
    2012-06-02 20:19 . 2004-08-10 04:00 53784 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 20:19 . 2004-08-10 04:00 35864 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 20:19 . 2007-06-05 17:52 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
    2012-06-02 20:19 . 2004-08-10 04:00 577048 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 20:19 . 2004-08-10 04:00 1933848 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 20:18 . 2010-12-01 21:34 275696 ----a-w- c:\windows\system32\mucltui.dll
    2012-06-02 20:18 . 2010-12-01 21:34 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
    2012-06-02 20:18 . 2009-08-07 01:23 214256 ----a-w- c:\windows\system32\muweb.dll
    2012-05-31 13:22 . 2004-08-10 04:00 599040 ----a-w- c:\windows\system32\crypt32.dll
    2012-05-21 22:04 . 2010-07-16 03:12 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
    2012-05-21 22:04 . 2010-07-16 03:12 87424 ----a-w- c:\windows\system32\LMIinit.dll.000.bak
    2012-05-16 15:08 . 2004-08-10 04:00 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-05-11 14:42 . 2004-08-10 04:00 43520 ------w- c:\windows\system32\licmgr10.dll
    2012-05-11 14:42 . 2004-08-10 04:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-05-11 11:38 . 2004-08-10 04:00 385024 ----a-w- c:\windows\system32\html.iec
    2012-05-04 13:16 . 2004-08-10 11:00 2148352 ------w- c:\windows\system32\ntoskrnl.exe
    2012-05-04 12:32 . 2004-08-10 11:00 2026496 ------w- c:\windows\system32\ntkrnlpa.exe
    2012-05-02 13:46 . 2004-08-10 04:00 139656 ------w- c:\windows\system32\drivers\rdpwd.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-07-16_22.51.17 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-07-18 03:58 . 2012-07-18 03:58 16384 c:\windows\temp\Perflib_Perfdata_93c.dat
    + 2012-07-18 03:56 . 2012-07-18 03:56 16384 c:\windows\temp\Perflib_Perfdata_578.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}"= "c:\program files\IncrediMail_MediaBar_2\prxtbInc0.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}]
    2011-05-09 09:49 176936 ----a-w- c:\program files\IncrediMail_MediaBar_2\prxtbInc0.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}"= "c:\program files\IncrediMail_MediaBar_2\prxtbInc0.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D40B90B4-D3B1-4D6B-A5D7-DC041C1B76C0}"= "c:\program files\IncrediMail_MediaBar_2\prxtbInc0.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2012-03-07 366024]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-19 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
    "ftutil2"="ftutil2.dll" [2004-06-07 106496]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
    "DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
    "HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
    "Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2008-01-29 583048]
    "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-01-27 63048]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-06-23 98304]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-06-23 86016]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2006-06-23 81920]
    "ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
    "LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-07 165208]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    "RTHDCPL"="RTHDCPL.EXE" [2012-03-14 20065896]
    "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2012-05-22 296056]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
    .
    c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
    _uninst_46628355.lnk - c:\documents and settings\HP_Administrator\Local Settings\Temp\_uninst_46628355.bat [N/A]
    _uninst_87143468.lnk - c:\documents and settings\HP_Administrator\Local Settings\Temp\_uninst_87143468.bat [N/A]
    .
    c:\documents and settings\LogMeInRemoteUser\Start Menu\Programs\Startup\
    Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-8-24 27136]
    PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-24 27136]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-8-24 36903]
    .
    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-8-24 27136]
    PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-24 27136]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2012-07-12 12:30 87456 ----a-w- c:\windows\system32\LMIinit.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36Crusader]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36CrusaderBoot]
    @=""
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
    backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2012-01-02 16:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
    2006-10-23 12:50 71216 ----a-r- c:\program files\Common Files\AOL\ACS\AOLDial.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
    2010-10-28 01:17 207424 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
    2007-10-31 02:57 1095256 ----a-w- c:\program files\DISC\DISCover.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
    2008-12-04 18:24 665424 ------w- c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Updater]
    2011-10-05 21:23 161336 ----a-w- c:\program files\Google\Google Updater\GoogleUpdater.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    2007-04-12 21:23 42032 ----a-w- c:\program files\Common Files\AOL\1166656723\EE\aolsoftware.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2010-03-12 18:08 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
    2011-01-13 02:01 6129496 ----a-w- c:\program files\Logitech\Vid HD\Vid.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
    2011-08-22 07:18 6276408 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2012-04-19 01:56 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    2012-05-22 15:25 499312 ----a-w- c:\program files\Real\realplayer\realplay.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2011-06-09 19:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2008-10-19 20:19 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
    "c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
    "c:\\Program Files\\DISC\\DiscStreamHub.exe"=
    "c:\\Program Files\\IncrediMail\\Bin\\IncMail.exe"=
    "c:\\Program Files\\IncrediMail\\Bin\\ImApp.exe"=
    .
    R0 46628355;46628355;c:\windows\system32\drivers\46628355.sys [7/12/2012 3:12 PM 133208]
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0502020.003\symds.sys [6/12/2012 7:24 AM 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0502020.003\symefa.sys [6/12/2012 7:24 AM 744568]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20120711.002\BHDrvx86.sys [7/12/2012 7:37 AM 821920]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0502020.003\ironx86.sys [6/12/2012 7:24 AM 136312]
    R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [9/29/2010 12:46 PM 374184]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [1/27/2010 12:22 PM 12856]
    R2 N360;Norton 360;c:\program files\Norton 360\Engine\5.2.2.3\ccsvchst.exe [6/12/2012 7:24 AM 130008]
    R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\Norton PC Checkup 3.0\SymcPCCULaunchSvc.exe [5/4/2012 7:31 PM 131512]
    R2 NSL;Norton Safe Web Lite;c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe [7/11/2010 9:51 PM 126904]
    R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe [12/10/2009 1:43 PM 126392]
    R2 Web Assistant Updater;Web Assistant Updater;c:\program files\Web Assistant\ExtensionUpdaterService.exe [6/3/2012 10:33 AM 185856]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/31/2012 3:03 PM 106656]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20120715.001\IDSXpx86.sys [7/16/2012 8:29 PM 369632]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/7/2010 12:26 PM 135664]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/18/2012 8:29 AM 250056]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/7/2010 12:26 PM 135664]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-18 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-18 16:47]
    .
    2012-07-12 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
    .
    2012-07-12 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-07 21:23]
    .
    2012-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 17:26]
    .
    2012-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 17:26]
    .
    2012-07-08 c:\windows\Tasks\Norton Security Scan for HP_Administrator.job
    - c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2011-02-10 00:00]
    .
    2012-06-21 c:\windows\Tasks\PC Checkup 3 Weekly Scan.job
    - c:\program files\Norton PC Checkup 3.0\NLAppLauncher.exe [2012-05-05 01:06]
    .
    2012-07-18 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4156177612-2444206607-219807860-1007.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2012-04-30 23:21]
    .
    2012-06-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4156177612-2444206607-219807860-1007.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2012-04-30 23:21]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.comcast.net/
    uInternet Settings,ProxyOverride = *.local
    TCP: DhcpNameServer = 192.168.1.1 192.168.0.1
    DPF: {4DCA1E08-4147-4A3D-8CA6-E095DF189FAB} - hxxp://games.bigfishgames.com/en_nightshift-legacy-the-jaguars-eye/online/Nightshift2Web.1.0.0.9.cab
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-07-17 23:00
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
    "ImagePath"="\"c:\program files\Norton 360\Engine\5.2.2.3\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\5.2.2.3\diMaster.dll\" /prefetch:1"
    --
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NSL]
    "ImagePath"="\"c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe\" /s \"NSL\" /m \"c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\diMaster.dll\" /prefetch:1"
    --
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCCUJobMgr]
    "ImagePath"="\"c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\diMaster.dll\" /prefetch:1"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(816)
    c:\windows\system32\LMIinit.dll
    c:\windows\system32\LMIRfsClientNP.dll
    .
    - - - - - - - > 'explorer.exe'(5016)
    c:\windows\system32\WININET.dll
    c:\windows\system32\logishrd\LVPrcInj01.dll
    c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Common Files\aolshare\aolshcpy.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
    c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\eHome\ehRecvr.exe
    c:\windows\eHome\ehSched.exe
    c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\LogMeIn\x86\RaMaint.exe
    c:\program files\LogMeIn\x86\LogMeIn.exe
    c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
    c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    c:\windows\RTHDCPL.EXE
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\program files\IncrediMail\Bin\ImApp.exe
    c:\windows\system32\dllhost.exe
    c:\windows\system32\wbem\wmiapsrv.exe
    c:\windows\eHome\ehmsas.exe
    .
    **************************************************************************
    .
    Completion time: 2012-07-17 23:03:17 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-18 04:03
    ComboFix2.txt 2012-07-18 02:20
    ComboFix3.txt 2012-07-17 11:52
    ComboFix4.txt 2012-07-17 01:51
    ComboFix5.txt 2012-07-18 03:43
    .
    Pre-Run: 269,540,483,072 bytes free
    Post-Run: 269,524,979,712 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Media Center Edition" /fastdetect
    .
    - - End Of File - - B24E5B7F923292FA560D3C5CCD3F62D6
     
  23. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Looks good :)

    Any current issues?

    ====================================

    Download Malwarebytes' Anti-Malware (MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
    NOTE. If you already have MBAM installed, update it before running the scan.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    Be sure to restart the computer IF MBAM asks you to do so.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    ===============================

    Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

    • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  24. masterchief34

    masterchief34 TS Rookie Topic Starter Posts: 26

    Everything seems to be going well.

    Here are the logs from MalwareBytes & OTL

    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org
    Database version: v2012.07.18.01
    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    HP_Administrator :: SANDY [administrator]
    7/17/2012 11:31:09 PM
    mbam-log-2012-07-17 (23-31-09).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 248072
    Time elapsed: 6 minute(s), 34 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)
     
  25. masterchief34

    masterchief34 TS Rookie Topic Starter Posts: 26

    OTL logfile created on: 7/17/2012 11:38:50 PM - Run 2
    OTL by OldTimer - Version 3.2.54.0 Folder = C:\Documents and Settings\HP_Administrator\Desktop
    Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1.99 Gb Total Physical Memory | 1.31 Gb Available Physical Memory | 65.76% Memory free
    5.28 Gb Paging File | 4.41 Gb Available in Paging File | 83.42% Paging File free
    Paging file location(s): C:\pagefile.sys 0 0 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 289.44 Gb Total Space | 249.56 Gb Free Space | 86.22% Space Free | Partition Type: NTFS
    Drive D: | 8.63 Gb Total Space | 0.38 Gb Free Space | 4.44% Space Free | Partition Type: FAT32

    Computer Name: SANDY | User Name: HP_Administrator | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe (OldTimer Tools)
    PRC - C:\Program Files\LogMeIn\x86\ramaint.exe (LogMeIn, Inc.)
    PRC - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe (LogMeIn, Inc.)
    PRC - C:\Program Files\Real\realplayer\Update\realsched.exe (RealNetworks, Inc.)
    PRC - C:\Program Files\Norton PC Checkup 3.0\SymcPCCULaunchSvc.exe (Symantec Corporation)
    PRC - C:\Program Files\Web Assistant\ExtensionUpdaterService.exe ()
    PRC - C:\Program Files\IncrediMail\Bin\IncMail.exe (IncrediMail, Ltd.)
    PRC - C:\Program Files\IncrediMail\Bin\ImApp.exe (IncrediMail, Ltd.)
    PRC - C:\Program Files\Norton 360\Engine\5.2.2.3\ccsvchst.exe (Symantec Corporation)
    PRC - C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.)
    PRC - C:\Program Files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe (Symantec Corporation)
    PRC - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe (Logitech Inc.)
    PRC - C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe (Logitech Inc.)
    PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
    PRC - C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
    PRC - C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe (Symantec Corporation)
    PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
    PRC - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe (SupportSoft, Inc.)
    PRC - C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe (SupportSoft, Inc.)
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    PRC - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe (Symantec Corporation)
    PRC - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe (Symantec Corporation)
    PRC - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe (AOL LLC)
    PRC - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe (Hewlett-Packard)
    PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
    PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
    PRC - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\ELService.exe (Intel Corporation)
    PRC - C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe (Sonic Solutions)
    PRC - C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe (Hewlett-Packard Company)
    PRC - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (America Online, Inc)
    PRC - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe (America Online Inc)


    ========== Modules (No Company Name) ==========

    MOD - C:\Program Files\Web Assistant\ExtensionUpdaterService.exe ()
    MOD - C:\Program Files\IncrediMail\Bin\wlessfp1.dll ()
    MOD - C:\Program Files\IncrediMail\Bin\ImLookExU.dll ()
    MOD - C:\Program Files\IncrediMail\Bin\ImComUtlU.dll ()
    MOD - C:\Program Files\IncrediMail\Bin\ImAppRU.dll ()
    MOD - C:\Program Files\IncrediMail\Bin\IMHttpComm.dll ()
    MOD - C:\WINDOWS\system32\quartz.dll ()
    MOD - C:\WINDOWS\system32\encdec.dll ()
    MOD - C:\Program Files\IncrediMail\Bin\PMC.dll ()
    MOD - C:\WINDOWS\system32\sbe.dll ()
    MOD - C:\Program Files\Logitech\LWS\Webcam Software\ImageFormats\QJpeg4.dll ()
    MOD - C:\Program Files\Logitech\LWS\Webcam Software\ImageFormats\QGif4.dll ()
    MOD - C:\Program Files\Logitech\LWS\Webcam Software\QTXml4.dll ()
    MOD - C:\Program Files\Logitech\LWS\Webcam Software\QtNetwork4.dll ()
    MOD - C:\Program Files\Logitech\LWS\Webcam Software\QTGui4.dll ()
    MOD - C:\Program Files\Logitech\LWS\Webcam Software\QTCore4.dll ()
    MOD - C:\WINDOWS\system32\msdmo.dll ()
    MOD - C:\WINDOWS\system32\devenum.dll ()
    MOD - C:\Program Files\Updates from HP\9972322\6.3.2.116-9972322\Program\bwfiles.dll ()
    MOD - C:\Program Files\Updates from HP\9972322\6.3.2.116-9972322\Program\FrExt.dll ()
    MOD - C:\Program Files\Updates from HP\9972322\6.3.2.116-9972322\Program\clntutil.dll ()
    MOD - C:\Program Files\Updates from HP\9972322\Program\HPClientExt.dll ()
    MOD - C:\WINDOWS\system32\hcwXDS.dll ()
    MOD - C:\WINDOWS\system32\VBICodec.ax ()
    MOD - C:\WINDOWS\system32\mpg2splt.ax ()


    ========== Win32 Services (SafeList) ==========

    SRV - (AdobeFlashPlayerUpdateSvc) -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
    SRV - (LMIMaint) -- C:\Program Files\LogMeIn\x86\ramaint.exe (LogMeIn, Inc.)
    SRV - (LMIGuardianSvc) -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe (LogMeIn, Inc.)
    SRV - (Norton PC Checkup Application Launcher) -- C:\Program Files\Norton PC Checkup 3.0\SymcPCCULaunchSvc.exe (Symantec Corporation)
    SRV - (Web Assistant Updater) -- C:\Program Files\Web Assistant\ExtensionUpdaterService.exe ()
    SRV - (N360) -- C:\Program Files\Norton 360\Engine\5.2.2.3\ccSvcHst.exe (Symantec Corporation)
    SRV - (LogMeIn) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.)
    SRV - (NSL) -- C:\Program Files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe (Symantec Corporation)
    SRV - (LVPrcSrv) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe (Logitech Inc.)
    SRV - (ACDaemon) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
    SRV - (PCCUJobMgr) -- C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe (Symantec Corporation)
    SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
    SRV - (sprtsvc_ddoctorv2) SupportSoft Sprocket Service (ddoctorv2) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe (SupportSoft, Inc.)
    SRV - (LiveUpdate Notice Service) -- C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe (Symantec Corporation)
    SRV - (Symantec RemoteAssist) -- C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe (Symantec, Inc.)
    SRV - (Automatic LiveUpdate Scheduler) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe (Symantec Corporation)
    SRV - (LiveUpdate) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE (Symantec Corporation)
    SRV - (AOL ACS) -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe (AOL LLC)
    SRV - (IAANTMON) Intel(R) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
    SRV - (ELService) Intel(R) -- C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\ELService.exe (Intel Corporation)
    SRV - (AOL TopSpeedMonitor) -- C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (America Online, Inc)


    ========== Driver Services (SafeList) ==========

    DRV - (WDICA) -- File not found
    DRV - (PDRFRAME) -- File not found
    DRV - (PDRELI) -- File not found
    DRV - (PDFRAME) -- File not found
    DRV - (PDCOMP) -- File not found
    DRV - (PCIDump) -- File not found
    DRV - (mbr) -- C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\mbr.sys File not found
    DRV - (lbrtfdc) -- File not found
    DRV - (i2omgmt) -- File not found
    DRV - (ftsata2) -- system32\DRIVERS\ftsata2.sys File not found
    DRV - (Changer) -- File not found
    DRV - (catchme) -- C:\ComboFix\catchme.sys File not found
    DRV - (46628355) -- C:\WINDOWS\system32\drivers\46628355.sys (Kaspersky Lab ZAO)
    DRV - (LMIRfsClientNP) -- C:\WINDOWS\System32\LMIRfsClientNP.dll (LogMeIn, Inc.)
    DRV - (BHDrvx86) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20120711.002\BHDrvx86.sys (Symantec Corporation)
    DRV - (IDSxpx86) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20120715.001\IDSXpx86.sys (Symantec Corporation)
    DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
    DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
    DRV - (NAVEX15) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20120717.018\NAVEX15.SYS (Symantec Corporation)
    DRV - (NAVENG) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20120717.018\NAVENG.SYS (Symantec Corporation)
    DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
    DRV - (SymEvent) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS (Symantec Corporation)
    DRV - (SYMTDI) -- C:\WINDOWS\system32\drivers\N360\0502020.003\symtdi.sys (Symantec Corporation)
    DRV - (SRTSP) -- C:\WINDOWS\system32\drivers\N360\0502020.003\srtsp.sys (Symantec Corporation)
    DRV - (SRTSPX) Symantec Real Time Storage Protection (PEL) -- C:\WINDOWS\system32\drivers\N360\0502020.003\srtspx.sys (Symantec Corporation)
    DRV - (SymEFA) -- C:\WINDOWS\system32\drivers\N360\0502020.003\symefa.sys (Symantec Corporation)
    DRV - (SymDS) -- C:\WINDOWS\system32\drivers\N360\0502020.003\symds.sys (Symantec Corporation)
    DRV - (SymIRON) -- C:\WINDOWS\system32\drivers\N360\0502020.003\ironx86.sys (Symantec Corporation)
    DRV - (LVUVC) Logitech Webcam C210(UVC) -- C:\WINDOWS\system32\drivers\lvuvc.sys (Logitech Inc.)
    DRV - (LVRS) -- C:\WINDOWS\system32\drivers\lvrs.sys (Logitech Inc.)
    DRV - (LVPr2Mon) -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys ()
    DRV - (LMIRfsDriver) -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys (LogMeIn, Inc.)
    DRV - (LMIInfo) -- C:\Program Files\LogMeIn\x86\rainfo.sys (LogMeIn, Inc.)
    DRV - (BANTExt) -- C:\WINDOWS\system32\drivers\BANTExt.sys ()
    DRV - (ELacpi) -- C:\WINDOWS\system32\drivers\ELacpi.sys (Intel Corporation)
    DRV - (ELmon) -- C:\WINDOWS\system32\drivers\Elmon.sys (Intel Corporation)
    DRV - (ELkbd) -- C:\WINDOWS\system32\drivers\Elkbd.sys (Intel Corporation)
    DRV - (ELmou) -- C:\WINDOWS\system32\drivers\Elmou.sys (Intel Corporation)
    DRV - (ELhid) -- C:\WINDOWS\system32\drivers\Elhid.sys (Intel Corporation)
    DRV - (hcwPP2) -- C:\WINDOWS\system32\drivers\hcwPP2.sys (Hauppauge Computer Works, Inc.)
    DRV - (Ps2) -- C:\WINDOWS\system32\drivers\PS2.sys (Hewlett-Packard Company)
    DRV - (HSXHWBS2) -- C:\WINDOWS\system32\drivers\HSXHWBS2.sys (Conexant Systems, Inc.)
    DRV - (HSX_DP) -- C:\WINDOWS\system32\drivers\HSX_DP.sys (Conexant Systems, Inc.)
    DRV - (rtl8139) Realtek RTL8139(A/B/C) -- C:\WINDOWS\system32\drivers\RTL8139.sys (Realtek Semiconductor Corporation)
    DRV - (wanatw) WAN Miniport (ATW) -- C:\WINDOWS\system32\drivers\wanatw4.sys (America Online, Inc.)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\..\SearchScopes,DefaultScope = {780FE921-68B2-41A4-8B64-8CA67CAC9A95}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
    IE - HKLM\..\SearchScopes\{780FE921-68B2-41A4-8B64-8CA67CAC9A95}: "URL" = http://www.google.com/search?q={sea...putEncoding}&oe={outputEncoding}&sourceid=ie7


    IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope = {2381E4B7-5C04-459E-9D46-2F9AC1608B66}
    IE - HKU\S-1-5-19\..\SearchScopes\{2381E4B7-5C04-459E-9D46-2F9AC1608B66}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ysp

    IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope = {2381E4B7-5C04-459E-9D46-2F9AC1608B66}
    IE - HKU\S-1-5-20\..\SearchScopes\{2381E4B7-5C04-459E-9D46-2F9AC1608B66}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ysp

    IE - HKU\S-1-5-21-4156177612-2444206607-219807860-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    IE - HKU\S-1-5-21-4156177612-2444206607-219807860-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKU\S-1-5-21-4156177612-2444206607-219807860-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = DC 70 A9 15 5F 21 CC 01 [binary data]
    IE - HKU\S-1-5-21-4156177612-2444206607-219807860-1007\..\URLSearchHook: {d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0} - C:\Program Files\IncrediMail_MediaBar_2\prxtbInc0.dll (Conduit Ltd.)
    IE - HKU\S-1-5-21-4156177612-2444206607-219807860-1007\..\SearchScopes,DefaultScope = {780FE921-68B2-41A4-8B64-8CA67CAC9A95}
    IE - HKU\S-1-5-21-4156177612-2444206607-219807860-1007\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
    IE - HKU\S-1-5-21-4156177612-2444206607-219807860-1007\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" =
    IE - HKU\S-1-5-21-4156177612-2444206607-219807860-1007\..\SearchScopes\{780FE921-68B2-41A4-8B64-8CA67CAC9A95}: "URL" = http://www.google.com/search?q={sea...={outputEncoding}&sourceid=ie7&rlz=1I7GPEA_en
    IE - HKU\S-1-5-21-4156177612-2444206607-219807860-1007\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2559647
    IE - HKU\S-1-5-21-4156177612-2444206607-219807860-1007\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = http://mystart.incredimail.com/?search={searchTerms}&loc=search_box&a=1pb8ZFL3HA5
    IE - HKU\S-1-5-21-4156177612-2444206607-219807860-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-4156177612-2444206607-219807860-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    IE - HKU\S-1-5-21-4156177612-2444206607-219807860-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    IE - HKU\S-1-5-21-4156177612-2444206607-219807860-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    IE - HKU\S-1-5-21-4156177612-2444206607-219807860-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    IE - HKU\S-1-5-21-4156177612-2444206607-219807860-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    IE - HKU\S-1-5-21-4156177612-2444206607-219807860-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    IE - HKU\S-1-5-21-4156177612-2444206607-219807860-1008\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll (Yahoo! Inc.)
    IE - HKU\S-1-5-21-4156177612-2444206607-219807860-1008\..\SearchScopes,DefaultScope = {2381E4B7-5C04-459E-9D46-2F9AC1608B66}
    IE - HKU\S-1-5-21-4156177612-2444206607-219807860-1008\..\SearchScopes\{2381E4B7-5C04-459E-9D46-2F9AC1608B66}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ysp
    IE - HKU\S-1-5-21-4156177612-2444206607-219807860-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
     
