TechSpot

[Closed] Computer infected: Keep getting Trojan:Win32/Sirefef.AH and Pup.MyWebSE

By Boker
Apr 10, 2012
  1. This computer has had issues for a while and has been used by many people. Am running Microsoft Security Essentials and MWB. I have tried cleaning the computer and running MWB but these two keep popping back up. When I open IE I am redirected and have not been able to open Firefox at all. A friend told me about you so I thought I'd give it a shot before I shoot the computer...no really, can you help?
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'll be glad to help with the malware. Is it possible to limit the use of the system to just yourself while I'm helping you?

    MyWebSearch will show up in Malwarebytes. In addition to having Mbam remove those entries:
    Go to Add/Remove Programs> Look for any of the following:
    * My Web Search (Smiley Central or FWP product as applicable)
    * My Way Speedbar (Smiley Central or other FWP as applicable)
    * My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
    * My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
    * Search Assistant - My Way

    If any of the above are installed, uninstall them. Then use Windows Explorer to access Computer> Local Drive(C)> Programs> find the program Folder for each of the programs you uninstalled and do a Right Click> Delete.
    =========================================
    Please follow these steps: Preliminary Virus and Malware Removal.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
    ===================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    Threads are closed after 5 days if there is no reply.
     
  3. Boker

    Boker TS Rookie Topic Starter

    Reformat/reinstall

    In reading your threads it appears we should probably reinstall, but I have some questions. First, my name is Patty, I am helping my husband with his computer as he doesn't navigate through programs, folders, etc. very well. I will communicate with you through my laptop except to do what is necessary on his pc. In the past several people have used his computer and God only knows what is on it. It has been running slow for a very long time, but this particular infection seems to have appeared in the last day or two.
    I'm thinking we need to do a complete reinstall as my husband does access his bank account from that computer. However, I was wondering if we should do the five step preliminary removal and send you the logs before we do that. We are not planning on saving anything on the computer because I'm afraid that if it is the wrong kind of trojan it may have infected the music, pictures, etc. What is your opinion on this?
    Also, can you provide a link that might help me with the reinstall process? I have not done one before and would like all the help I can get. I am not super with a computer, but can navigate around pretty well and should be able to pull this off.
    Thank you for your time.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Patty, why don't you run the preliminary scan so I can see the extent of the infection? I can also check to see what security is on the system.
    ==========================================
    About (Sirefef) rootkit
    • You receive the message "Error communicating with kernel"
    • You believe you are infected with a rogue antivirus such as "Open Cloud Security"
    • This malware is also known as "Sirefef" and "Max++" and ESET detects this and its many variants as Win32/Sirefef
    =============================================
    If the infection is extensive enough, I will easily recommend the reformat/reinstall if I think that's what needs to be done. And I will give you a good reference site to take you through.
     
  5. Boker

    Boker TS Rookie Topic Starter

    logs

    Here you go, hope I got this right. I also included a log for MWB from a scan done the day before.
    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.04.09.05

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    HP_Administrator :: SIEGFREIDS [administrator]

    4/9/2012 10:28:03 AM
    mbam-log-2012-04-09 (10-28-03).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 383707
    Time elapsed: 4 hour(s), 42 minute(s), 36 second(s)

    Memory Processes Detected: 1
    C:\WINDOWS\svcs.exe (Trojan.Downloader) -> 824 -> Delete on reboot.

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 8
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> No action taken.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8C875948-9C60-4381-9248-0DF180542D53} (Adware.Hotbar) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
    HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NETWORKLOG (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKLM\System\CurrentControlSet\Services\tnidriver (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Values Detected: 1
    HKLM\SYSTEM\CurrentControlSet\Services\NetworkLog|ImagePath (Trojan.Downloader) -> Data: C:\WINDOWS\svcs.exe -> Quarantined and deleted successfully.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 7
    C:\Documents and Settings\HP_Administrator\Application Data\ErrorSmart (Rogue.ErrorSmart) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Administrator\Application Data\ErrorSmart\Log (Rogue.ErrorSmart) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Administrator\Application Data\ErrorSmart\Registry Backups (Rogue.ErrorSmart) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Administrator\Application Data\PrivacyControl (Rogue.PrivacyControl) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Administrator\Application Data\PrivacyControl\Log (Rogue.PrivacyControl) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Administrator\Application Data\PrivacyControl\Registry Backups (Rogue.PrivacyControl) -> Quarantined and deleted successfully.
    C:\Program Files\ErrorSmart (Rogue.ErrorSmart) -> Quarantined and deleted successfully.

    Files Detected: 3
    C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\svcs.exe (Trojan.Downloader) -> Delete on reboot.
    C:\Documents and Settings\HP_Administrator\Application Data\ErrorSmart\Registry Backups\2008-02-22_08-01-39.reg (Rogue.ErrorSmart) -> Quarantined and deleted successfully.

    (end)
    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.04.10.11

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    HP_Administrator :: SIEGFREIDS [administrator]

    4/10/2012 8:34:36 PM
    mbam-log-2012-04-10 (20-34-36).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 231256
    Time elapsed: 23 minute(s), 28 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-04-11 09:18:31
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17 Maxtor_6L200M0 rev.BANC1G10
    Running: c77pvzlg[1].exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\ufdiyfod.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Processes - GMER 1.0.15 ----

    Process C:\WINDOWS\system32\ping.exe (*** hidden *** ) 192
    Process C:\WINDOWS\system32\ping.exe (*** hidden *** ) 3776

    ---- EOF - GMER 1.0.15 ----
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
    Run by HP_Administrator at 9:36:11 on 2012-04-11
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.96 [GMT -4:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    FW: AVG Firewall *Disabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\ps2.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\iWin Games\iWinTrusted.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
    C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Patty, there is a second log from DDS. It's named Attach.txt. It should also be pasted in a reply and not zipped.
    ============================================
    There is one entry in Mbam that shows it wasn't removed:
    Registry Keys Detected: 8
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> No action taken.
    This usually means the entry was on a flash drive. If you have been using a flash drive, you should disinfect it:

    Please disinfect all movable drives
    1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings
    3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    4. Wait until it has finished scanning and then exit the program.
    5. Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    =================
    I'd like you to run Combofix- but it won't run with AVG. You will need to temporarily uninstall AVG as follows:

    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen like below will appear:
      [screenshot not reproduced]
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.

    Temporary AV: Use one:
    Microsoft Security Essentials
    Comodo AV
    Avast! Free Antivirus
    =============================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Before you run the Combofix scan, please disable any security software you have running.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close/disable all anti virus and anti malware programs
      (If you need help with this, please see HERE)
    • Close any open browsers.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated and it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.
    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Please also include the logs from Combofix and Eset.

    Mbam appears to have removed a good deal of the malware. The 2 scans above should also find any remaining entries. Let's continue.
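    An added example, not part of the thread and not Malwarebytes' own tooling: a small Python parser for the Mbam log format pasted above. It reads every "... Detected: N" section, splits each entry into the item, the detection family and the final action, and flags entries whose action was not a successful removal (the "No action taken" line Bobbye spotted by eye, plus anything still waiting on a reboot). It also checks that the number of entries under each heading matches the count the heading declares, which catches a log that was truncated when pasted. The only assumption is the log layout shown in this thread; the sample input is an excerpt of the first log posted above.

```python
import re
from collections import Counter

# Excerpt of the first Malwarebytes log posted earlier in this thread
# (several sections omitted for brevity; entry format is unchanged).
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.04.09.05

Scan type: Full scan
Objects scanned: 383707

Memory Processes Detected: 1
C:\WINDOWS\svcs.exe (Trojan.Downloader) -> 824 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NETWORKLOG (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKLM\SYSTEM\CurrentControlSet\Services\NetworkLog|ImagePath (Trojan.Downloader) -> Data: C:\WINDOWS\svcs.exe -> Quarantined and deleted successfully.

Files Detected: 2
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\svcs.exe (Trojan.Downloader) -> Delete on reboot.

(end)
"""

# "Registry Keys Detected: 8" style section headings.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# The part of an entry before the first " -> ": "<item> (<detection family>)".
ENTRY_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\)$")

# Action strings Mbam writes at the end of an entry, as seen in the thread's logs.
RESOLVED_ACTIONS = {"Quarantined and deleted successfully"}
PENDING_ACTIONS = {"Delete on reboot"}


def classify(action):
    """Map the trailing action text to removed / pending_reboot / unresolved."""
    if action in RESOLVED_ACTIONS:
        return "removed"
    if action in PENDING_ACTIONS:
        return "pending_reboot"
    return "unresolved"          # e.g. "No action taken"


def parse_mbam_log(text):
    """Return (detections, declared_counts): one dict per entry, plus the
    per-section count each heading declared."""
    detections, declared = [], {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line closes a section
            section = None
            continue
        heading = SECTION_RE.match(line)
        if heading:
            section = heading.group("section")
            declared[section] = int(heading.group("count"))
            continue
        # Skip banner lines, "(No malicious items detected)" and "(end)".
        if section is None or line.startswith("("):
            continue
        parts = line.split(" -> ")        # last part is the action, middle parts are extras
        if len(parts) < 2:
            continue
        head = ENTRY_RE.match(parts[0])
        if not head:
            continue
        action = parts[-1].rstrip(".")
        detections.append({
            "section": section,
            "item": head.group("item"),
            "family": head.group("family"),
            "extra": parts[1:-1],          # PID for processes, "Data: ..." for values
            "action": action,
            "status": classify(action),
        })
    return detections, declared


def unresolved(detections):
    """Entries the scan reported but did not remove."""
    return [d for d in detections if d["status"] == "unresolved"]


def summarize(text):
    """Status counts, detection families seen, and sections whose entry count
    does not match the heading (a sign of a truncated paste)."""
    detections, declared = parse_mbam_log(text)
    seen = Counter(d["section"] for d in detections)
    return {
        "by_status": dict(Counter(d["status"] for d in detections)),
        "families": sorted({d["family"] for d in detections}),
        "count_mismatches": [s for s, n in declared.items() if seen[s] != n],
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(report)
    for d in unresolved(parse_mbam_log(SAMPLE_LOG)[0]):
        print(f"NOT REMOVED [{d['section']}] {d['family']}: {d['item']}")
```

    On the excerpt this reports four removed entries, two pending a reboot and one unresolved (the PUP.MyWebSearch key), with no count mismatches. Running it over the full log from a reply is a quick way to see whether a rescan is still needed before moving on to the next tool.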
     
  7. Boker

    Boker TS Rookie Topic Starter

    DDS Zip

    Sorry, thought I got that one...I'll work on the other ones this evening. Thank you.


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 7/21/2005 8:11:22 PM
    System Uptime: 4/11/2012 4:07:12 PM (0 hours ago)
    .
    Motherboard: ASUSTeK Computer INC. | | Goldfish3
    Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | CPU 1 | 3000/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 179 GiB total, 130.045 GiB free.
    D: is FIXED (FAT32) - 7 GiB total, 0.868 GiB free.
    E: is CDROM ()
    F: is CDROM ()
    G: is Removable
    H: is Removable
    I: is Removable
    J: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP943: 1/12/2012 1:59:06 PM - Software Distribution Service 3.0
    RP944: 1/13/2012 10:23:57 PM - Software Distribution Service 3.0
    RP945: 1/15/2012 9:59:53 AM - Software Distribution Service 3.0
    RP946: 1/16/2012 10:11:40 AM - Software Distribution Service 3.0
    RP947: 1/17/2012 10:21:24 AM - Software Distribution Service 3.0
    RP948: 1/18/2012 2:00:14 PM - Software Distribution Service 3.0
    RP949: 1/19/2012 2:06:43 PM - Software Distribution Service 3.0
    RP950: 1/20/2012 6:35:25 PM - Software Distribution Service 3.0
    RP951: 1/22/2012 10:28:13 AM - Software Distribution Service 3.0
    RP952: 1/23/2012 10:31:20 AM - Software Distribution Service 3.0
    RP953: 1/24/2012 9:36:06 AM - Software Distribution Service 3.0
    RP954: 1/24/2012 11:34:40 AM - Software Distribution Service 3.0
    RP955: 1/25/2012 3:42:28 PM - Software Distribution Service 3.0
    RP956: 1/26/2012 6:18:31 PM - Software Distribution Service 3.0
    RP957: 1/27/2012 6:32:01 PM - Software Distribution Service 3.0
    RP958: 1/28/2012 9:46:13 AM - Software Distribution Service 3.0
    RP959: 1/29/2012 11:11:01 AM - Software Distribution Service 3.0
    RP960: 1/30/2012 6:55:41 PM - Software Distribution Service 3.0
    RP961: 1/31/2012 9:10:40 AM - Software Distribution Service 3.0
    RP962: 1/31/2012 11:38:51 PM - Software Distribution Service 3.0
    RP963: 2/2/2012 9:24:59 AM - Software Distribution Service 3.0
    RP964: 2/3/2012 1:20:49 PM - Software Distribution Service 3.0
    RP965: 2/4/2012 6:41:20 PM - Software Distribution Service 3.0
    RP966: 2/6/2012 9:54:30 AM - Software Distribution Service 3.0
    RP967: 2/7/2012 11:33:30 AM - Software Distribution Service 3.0
    RP968: 2/8/2012 3:05:36 PM - Software Distribution Service 3.0
    RP969: 2/9/2012 3:25:11 PM - Software Distribution Service 3.0
    RP970: 2/11/2012 2:34:55 AM - Software Distribution Service 3.0
    RP971: 2/12/2012 9:55:00 AM - Software Distribution Service 3.0
    RP972: 2/14/2012 3:08:16 PM - Software Distribution Service 3.0
    RP973: 2/15/2012 10:20:52 AM - Software Distribution Service 3.0
    RP974: 2/15/2012 3:13:13 PM - Software Distribution Service 3.0
    RP975: 2/15/2012 3:38:51 PM - Software Distribution Service 3.0
    RP976: 2/17/2012 7:57:54 AM - Software Distribution Service 3.0
    RP977: 2/18/2012 10:08:25 AM - Software Distribution Service 3.0
    RP978: 2/19/2012 7:17:12 PM - Software Distribution Service 3.0
    RP979: 2/20/2012 10:39:20 PM - Software Distribution Service 3.0
    RP980: 2/21/2012 11:47:59 PM - Software Distribution Service 3.0
    RP981: 2/23/2012 1:24:10 PM - Software Distribution Service 3.0
    RP982: 2/25/2012 8:08:37 AM - Software Distribution Service 3.0
    RP983: 2/26/2012 8:44:43 AM - Software Distribution Service 3.0
    RP984: 2/26/2012 9:08:41 AM - Removed Adobe Reader 9.5.0.
    RP985: 2/26/2012 9:10:55 AM - Removed Apple Application Support
    RP986: 2/27/2012 8:05:26 AM - Software Distribution Service 3.0
    RP987: 2/27/2012 9:25:27 AM - Printer Driver Microsoft XPS Document Writer Installed
    RP988: 2/27/2012 9:35:48 AM - Software Distribution Service 3.0
    RP989: 2/27/2012 9:44:42 AM - Software Distribution Service 3.0
    RP990: 2/27/2012 3:18:35 PM - Software Distribution Service 3.0
    RP991: 2/28/2012 9:17:22 AM - Software Distribution Service 3.0
    RP992: 2/29/2012 9:16:20 AM - Software Distribution Service 3.0
    RP993: 3/1/2012 10:19:13 AM - Software Distribution Service 3.0
    RP994: 3/2/2012 10:26:57 AM - Software Distribution Service 3.0
    RP995: 3/3/2012 8:51:42 PM - Software Distribution Service 3.0
    RP996: 3/4/2012 10:43:43 PM - Software Distribution Service 3.0
    RP997: 3/6/2012 9:50:36 AM - Software Distribution Service 3.0
    RP998: 3/7/2012 11:04:57 AM - Software Distribution Service 3.0
    RP999: 3/9/2012 8:21:42 AM - Software Distribution Service 3.0
    RP1000: 3/11/2012 10:16:16 AM - Software Distribution Service 3.0
    RP1001: 3/12/2012 1:06:37 PM - Software Distribution Service 3.0
    RP1002: 3/12/2012 2:42:11 PM - Installed Adobe Reader X (10.1.2).
    RP1003: 3/13/2012 1:46:35 PM - Software Distribution Service 3.0
    RP1004: 3/14/2012 6:55:04 AM - Software Distribution Service 3.0
    RP1005: 3/14/2012 5:52:37 PM - Software Distribution Service 3.0
    RP1006: 3/14/2012 5:54:15 PM - Software Distribution Service 3.0
    RP1007: 3/15/2012 8:22:19 PM - Software Distribution Service 3.0
    RP1008: 3/17/2012 12:58:43 AM - Software Distribution Service 3.0
    RP1009: 3/18/2012 9:25:44 AM - Software Distribution Service 3.0
    RP1010: 3/19/2012 10:19:34 AM - Software Distribution Service 3.0
    RP1011: 3/20/2012 12:11:18 PM - Software Distribution Service 3.0
    RP1012: 3/20/2012 12:24:40 PM - Software Distribution Service 3.0
    RP1013: 3/22/2012 10:08:50 AM - Software Distribution Service 3.0
    RP1014: 3/23/2012 4:00:26 PM - Software Distribution Service 3.0
    RP1015: 3/25/2012 9:06:34 AM - Software Distribution Service 3.0
    RP1016: 3/26/2012 11:25:32 AM - Software Distribution Service 3.0
    RP1017: 3/27/2012 3:13:16 PM - Software Distribution Service 3.0
    RP1018: 3/29/2012 8:50:18 AM - Software Distribution Service 3.0
    RP1019: 3/31/2012 2:42:06 AM - Software Distribution Service 3.0
    RP1020: 4/1/2012 9:04:39 AM - Software Distribution Service 3.0
    RP1021: 4/2/2012 10:26:20 AM - Software Distribution Service 3.0
    RP1022: 4/3/2012 4:54:22 PM - Software Distribution Service 3.0
    RP1023: 4/4/2012 10:40:17 PM - Software Distribution Service 3.0
    RP1024: 4/5/2012 11:23:26 PM - Software Distribution Service 3.0
    RP1025: 4/7/2012 1:00:39 AM - Software Distribution Service 3.0
    RP1026: 4/8/2012 9:33:11 AM - Software Distribution Service 3.0
    RP1027: 4/8/2012 9:37:37 AM - Software Distribution Service 3.0
    RP1028: 4/9/2012 12:55:30 AM - Software Distribution Service 3.0
    RP1029: 4/9/2012 10:07:48 AM - Installed Microsoft Fix it 50525
    RP1030: 4/9/2012 10:14:44 AM - Software Distribution Service 3.0
    RP1031: 4/9/2012 6:12:41 PM - Software Distribution Service 3.0
    RP1032: 4/10/2012 1:33:02 PM - Software Distribution Service 3.0
    RP1033: 4/11/2012 4:20:34 PM - Software Distribution Service 3.0
    .
    ==== Installed Programs ======================
    .
    32 Bit HP CIO Components Installer
    5600
    5600_Help
    5600Trb
    Ad-Aware
    Adobe AIR
    Adobe Flash Player 11 ActiveX
    Adobe Reader X (10.1.2)
    Adobe Shockwave Player
    Advanced Registry Optimizer
    Agere Systems PCI Soft Modem
    AiO_Scan
    AiOSoftware
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Boggle
    Bonjour
    CameraDrivers
    CP_Package_Variety1
    CP_Package_Variety2
    CP_Package_Variety3
    DeviceFunctionQFolder
    DocProc
    DocumentViewer
    DocumentViewerQFolder
    Fax
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    HP Deskjet Preloaded Printer Drivers
    HP Document Viewer 5.3
    HP Image Zone Express
    HP Officejet 5600 series
    HP Photosmart Cameras 4.0
    HP PSC & OfficeJet 5.3.B
    HP PSC 2350 series
    HP Smart Web Printing 4.60
    HP Tunes
    HP Update
    HPProductAssistant
    HpSdpAppCoreApp
    HPSSupply
    Intel(R) Graphics Media Accelerator Driver
    IntelliMover Data Transfer Demo
    InterVideo DiscLabel
    iTunes
    iWin Games (remove only)
    Java 2 Runtime Environment, SE v1.4.2_03
    Java Auto Updater
    Java(TM) 6 Update 29
    LS_HSI
    Malwarebytes Anti-Malware version 1.61.0.1400
    Microsoft .NET Framework 1.0 Hotfix (KB2572066)
    Microsoft .NET Framework 1.0 Hotfix (KB979904)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2656353)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Antimalware
    Microsoft Application Error Reporting
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2007 Service Pack 3 (SP3)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Click-to-Run 2010
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Home and Business 2010 - English
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual J# .NET Redistributable Package 1.1
    Microsoft Works
    Mozilla Firefox (3.6.28)
    MSVCSetup
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    NewCopy
    OLYMPUS Master
    OpenOffice.org 3.0
    Otto
    Photosmart 320,370,7400,8100,8400 Series
    PrintMaster 2.0 Platinum
    ProductContext
    PS2
    PSPrinters06
    QuickTime
    Readme
    Roxio Drag-to-Disc
    Roxio Easy CD and DVD Burning
    Scan
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB2647516)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2491683)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2584146)
    Security Update for Windows XP (KB2585542)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2598479)
    Security Update for Windows XP (KB2603381)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2621440)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2631813)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Security Update for Windows XP (KB2641653)
    Security Update for Windows XP (KB2646524)
    Security Update for Windows XP (KB2647518)
    Security Update for Windows XP (KB2660465)
    Security Update for Windows XP (KB2661637)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB975713)
    Shop for HP Supplies
    SmartWebPrinting
    Sonic Encoders
    Sonic Express Labeler
    Sonic RecordNow!
    Unload
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2597970) 32-Bit Edition
    Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB982664)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2616676-v2)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB971029)
    Update Rollup 1 for Windows XP Media Center Edition 2005 with HDTV Support (KB873369)
    vanBasco's Karaoke Player
    Visual J# .NET Redistributable Package
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format Runtime
    Windows Media Player 10 Hotfix [See KB889858 for more information]
    Windows XP Media Center Edition 2005 KB888316
    Windows XP Media Center Edition 2005 KB973768
    Windows XP Service Pack 3
    Yahoo! Browser Services
    Yahoo! BrowserPlus 2.9.2
    Yahoo! Install Manager
    Yahoo! Internet Mail
    Yahoo! Messenger
    Yahoo! Software Update
    Yahoo! Toolbar
    .
    ==== Event Viewer Messages From Past Week ========
    .
    4/9/2012 9:48:59 AM, error: Service Control Manager [7023] - The TMHIDSRV service terminated with the following error: Access is denied.
    4/9/2012 9:33:59 AM, error: Service Control Manager [7023] - The Sffp_sd service terminated with the following error: Access is denied.
    4/9/2012 9:22:16 AM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
    4/9/2012 9:19:57 AM, error: Service Control Manager [7023] - The Arc service terminated with the following error: Access is denied.
    4/9/2012 9:18:58 AM, error: Service Control Manager [7023] - The Iaimtv1 service terminated with the following error: Access is denied.
    4/9/2012 9:04:58 AM, error: Service Control Manager [7023] - The Vetmonnt service terminated with the following error: Access is denied.
    4/9/2012 9:03:53 AM, error: Service Control Manager [7023] - The WmaCVideo32 service terminated with the following error: The specified procedure could not be found.
    4/9/2012 9:03:53 AM, error: Service Control Manager [7023] - The Ezplay service terminated with the following error: The specified module could not be found.
    4/9/2012 9:03:52 AM, error: Service Control Manager [7023] - The ZSMC211 service terminated with the following error: The specified module could not be found.
    4/9/2012 9:03:52 AM, error: Service Control Manager [7023] - The Wg5n service terminated with the following error: The specified module could not be found.
    4/9/2012 9:03:52 AM, error: Service Control Manager [7023] - The Uiusys service terminated with the following error: The specified module could not be found.
    4/9/2012 9:03:52 AM, error: Service Control Manager [7023] - The Slssvc service terminated with the following error: The specified module could not be found.
    4/9/2012 9:03:52 AM, error: Service Control Manager [7023] - The Interactivelogon service terminated with the following error: Access is denied.
    4/9/2012 9:03:52 AM, error: Service Control Manager [7023] - The EagleNT service terminated with the following error: The specified module could not be found.
    4/9/2012 9:01:55 AM, error: Dhcp [1002] - The IP address lease 192.168.1.3 for the Network Card with network address 0013D408A78F has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    4/9/2012 3:04:05 PM, error: Service Control Manager [7023] - The Sdhelper service terminated with the following error: Access is denied.
    4/9/2012 2:49:05 PM, error: Service Control Manager [7023] - The Vaiomediaplatform-photoserver-appserver service terminated with the following error: Access is denied.
    4/9/2012 2:34:07 PM, error: Service Control Manager [7023] - The Cwafadminmonitor service terminated with the following error: Access is denied.
    4/9/2012 2:19:04 PM, error: Service Control Manager [7023] - The Xpagentserver service terminated with the following error: Access is denied.
    4/9/2012 2:04:04 PM, error: Service Control Manager [7023] - The FETNDIS service terminated with the following error: Access is denied.
    4/9/2012 12:57:40 AM, error: Service Control Manager [7023] - The ZSMC211 service terminated with the following error: Access is denied.
    4/9/2012 12:49:42 AM, error: Service Control Manager [7023] - The Winvnc service terminated with the following error: Access is denied.
    4/9/2012 12:49:38 AM, error: Service Control Manager [7023] - The Areschatserver service terminated with the following error: Access is denied.
    4/9/2012 12:46:56 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000043' while processing the file 'mrxsmb.sys' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    4/9/2012 12:34:01 PM, error: Service Control Manager [7023] - The Omniserv service terminated with the following error: Access is denied.
    4/9/2012 12:19:02 PM, error: Service Control Manager [7023] - The AcronisOSSReinstallSvc service terminated with the following error: Access is denied.
    4/9/2012 12:18:05 AM, error: Service Control Manager [7023] - The Ezplay service terminated with the following error: Access is denied.
    4/9/2012 12:15:58 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'mrxsmb.sys' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    4/9/2012 12:04:02 PM, error: Service Control Manager [7023] - The Vulfntrs service terminated with the following error: Access is denied.
    4/9/2012 11:49:03 AM, error: Service Control Manager [7023] - The Msfwsvc service terminated with the following error: Access is denied.
    4/9/2012 11:34:05 AM, error: Service Control Manager [7023] - The LPCFilter service terminated with the following error: Access is denied.
    4/9/2012 11:19:06 AM, error: Service Control Manager [7023] - The SE27mgmt service terminated with the following error: Access is denied.
    4/9/2012 11:04:03 AM, error: Service Control Manager [7023] - The VIAPFD service terminated with the following error: Access is denied.
    4/9/2012 10:49:11 AM, error: Service Control Manager [7023] - The Oracleorahomemanagementserver service terminated with the following error: Access is denied.
    4/9/2012 10:34:11 AM, error: Service Control Manager [7023] - The Clisvc service terminated with the following error: Access is denied.
    4/9/2012 10:19:00 AM, error: Service Control Manager [7023] - The Defrag32b service terminated with the following error: Access is denied.
    4/9/2012 10:03:59 AM, error: Service Control Manager [7023] - The Ha10kx2k service terminated with the following error: Access is denied.
    4/9/2012 1:58:03 PM, error: Service Control Manager [7023] - The TUWinStylerThemeSvc service terminated with the following error: Access is denied.
    4/9/2012 1:49:04 PM, error: Service Control Manager [7023] - The Websenseusagemonitor service terminated with the following error: Access is denied.
    4/9/2012 1:34:03 PM, error: Service Control Manager [7023] - The Acprfmgrsvc service terminated with the following error: Access is denied.
    4/9/2012 1:33:45 AM, error: Service Control Manager [7023] - The Irbus service terminated with the following error: Access is denied.
    4/9/2012 1:19:41 AM, error: Service Control Manager [7023] - The Wg5n service terminated with the following error: Access is denied.
    4/9/2012 1:19:03 PM, error: Service Control Manager [7023] - The Machnm32 service terminated with the following error: Access is denied.
    4/9/2012 1:18:43 AM, error: Service Control Manager [7023] - The WmaCVideo32 service terminated with the following error: Access is denied.
    4/9/2012 1:04:41 AM, error: Service Control Manager [7023] - The Slssvc service terminated with the following error: Access is denied.
    4/9/2012 1:04:03 PM, error: Service Control Manager [7023] - The Usbcm service terminated with the following error: Access is denied.
    4/9/2012 1:03:42 AM, error: Service Control Manager [7023] - The Uiusys service terminated with the following error: Access is denied.
    4/8/2012 11:12:52 PM, error: Service Control Manager [7023] - The EagleNT service terminated with the following error: Access is denied.
    4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The Usbcm service terminated with the following error: The specified module could not be found.
    4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The U81xmdfl service terminated with the following error: The specified module could not be found.
    4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The Transcode360 service terminated with the following error: The specified module could not be found.
    4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The Toscosrv service terminated with the following error: The specified module could not be found.
    4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The TMHIDSRV service terminated with the following error: The specified module could not be found.
    4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The SWNC8U20 service terminated with the following error: The specified module could not be found.
    4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The Sffp_sd service terminated with the following error: The specified module could not be found.
    4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The SaiU040B service terminated with the following error: The specified module could not be found.
    4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The Rootmodem service terminated with the following error: The specified module could not be found.
    4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The Prohlp02 service terminated with the following error: The specified module could not be found.
    4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The Mps9 service terminated with the following error: The specified module could not be found.
    4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The LPCFilter service terminated with the following error: The specified module could not be found.
    4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The Lkclassads service terminated with the following error: The specified module could not be found.
    4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The Jsdaemon service terminated with the following error: The specified module could not be found.
    4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The Iaimtv1 service terminated with the following error: The specified module could not be found.
    4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The Houdinilicenseserver service terminated with the following error: The specified module could not be found.
    4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The Evteng service terminated with the following error: The specified module could not be found.
    4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The Epson_pm_rpcv4_01 service terminated with the following error: The specified module could not be found.
    4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The Defrag32b service terminated with the following error: The specified module could not be found.
    4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The Cwafadminmonitor service terminated with the following error: The specified module could not be found.
    4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The Avgfwsrv service terminated with the following error: The specified module could not be found.
    4/10/2012 1:01:25 PM, error: Service Control Manager [7023] - The Vulfntrs service terminated with the following error: The specified module could not be found.
    4/10/2012 1:01:25 PM, error: Service Control Manager [7023] - The Se58bus service terminated with the following error: The specified module could not be found.
    4/10/2012 1:01:25 PM, error: Service Control Manager [7023] - The Sdhelper service terminated with the following error: The specified module could not be found.
    4/10/2012 1:01:25 PM, error: Service Control Manager [7023] - The Ipodsrv service terminated with the following error: The specified module could not be found.
    4/10/2012 1:01:25 PM, error: Service Control Manager [7023] - The Clisvc service terminated with the following error: The specified module could not be found.
    4/10/2012 1:01:25 PM, error: Service Control Manager [7023] - The Bh611 service terminated with the following error: The specified module could not be found.
    4/10/2012 1:01:25 PM, error: Service Control Manager [7023] - The Acprfmgrsvc service terminated with the following error: The specified module could not be found.
    .
    ==== End Of File ===========================
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Patty, the first DDS.txt log you left isn't complete. It should continue with a section named ============== Pseudo HJT Report ===============
    When the log is complete, it will show ============= FINISH: (current time) ===============

    I note I forgot to leave the Eset scan instructions:
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save it to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'.
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ===========================================
    So I need the full DDS.txt log, Combofix log and Eset scan log.

    Please let me know if you do not plan to continue.
     
  9. Boker

    Boker TS Rookie Topic Starter

    Problem

    I ran the DDS again and saved the reports. It took a few hours to run ESET, then I ran ComboFix and it gave me a message saying "you are badly infected with Rootkit Zero Access" and that it is in the top something IP (sorry I didn't write it all down). Then it said again that it was infected with Rootkit and that it needed to reboot the machine and to NOT try and manually reboot. However, it is not shutting down. I have not touched the machine and am going to leave it be until I hear from you. Also, I disabled Microsoft Security Essentials, but the red warning box keeps popping up with the one infection it found. If it is disabled, why is this? I also had a box pop up during this process that said "unclickable children of element"? Thanks again. Patty
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You didn't have to run DDS again. Please search the system for DDS.txt dated>> Run by HP_Administrator at 9:36:11 on 2012-04-11

    Try running Combofix in Safe Mode:
    Boot into Safe Mode with Networking
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, and then press ENTER.

    Now try the scan. If it still won't work, do the following:
    1. Delete Combofix file, download fresh one, but rename combofix.exe to
      friday.exe BEFORE saving it to your desktop.
      Do NOT run it yet.
    2. Download one of these versions of RKill:
      (Note: You do not need to download all three versions. You only need to get one of these to run. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.)
      Rkill.com
      Rkill.scr
      Rkill.exe
      [o] Double-click on the Rkill desktop icon to run the tool. (Vista/Win 7> right-click> choose Run As Administrator.)
      [o] A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
      [o] If not, delete the file, then download and use the one provided in Link 2.
      [o] If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
      [o] Do not reboot until instructed.
      [o] If the tool does not run from any of the links provided, please let me know.

      Once you've gotten one of them to run, add the following:
    3. Please download exeHelper by Raktor and save it to the desktop.
      [o] Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
      [o] A black window should pop up, press any key to close once the fix is completed.
      [o] A log file called exehelperlog.txt will be created and should open at the end of the scan.
      [o] A copy of that log will also be saved in the directory where you ran exeHelper.com
      [o] Copy and paste the contents of exehelperlog.txt in your next reply.

      Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).
      (Directions courtesy bleeping computer)
    4. With both RKill and exehelper on board:
      [o] Go right to the renamed Combofix and double click on friday.exe to run.
      [o] If it won't run in Normal Mode, run BOTH tools from Safe Mode, then try the double click on friday.exe to run.

    If successful, please leave RKill, Exehelper and Combofix logs.
     
  11. Boker

    Boker TS Rookie Topic Starter

    Just got this post; it did not show up in the email, so I came here and saw this. Once I got to Safe Mode and Safe Mode with Networking, I got another window asking: Windows XP Media Center Edition or Microsoft Windows Recovery Console...which one should I use?
     
  12. Boker

    Boker TS Rookie Topic Starter

    Okay, when I started the computer in Safe Mode, CF automatically ran successfully and I ran exeHelper. I cannot seem to locate the original DDS file. Any suggestions where I might find it? Here are the other two. The log for Raktor doesn't look right...did I do something wrong or do I need to locate that too?

    ComboFix 12-04-14.03 - Administrator 04/17/2012 21:19:47.1.2 - x86 NETWORK
    Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Administrator\WINDOWS
    c:\documents and settings\All Users\Application Data\DragToDiscUserNameE.txt
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\Default User\WINDOWS
    c:\documents and settings\HP_Administrator\WINDOWS
    c:\windows\$NtUninstallKB62280$\3572818124
    c:\windows\$NtUninstallKB62280$\485945278\@
    c:\windows\$NtUninstallKB62280$\485945278\cfg.ini
    c:\windows\$NtUninstallKB62280$\485945278\Desktop.ini
    c:\windows\$NtUninstallKB62280$\485945278\L\nezyfjsm
    c:\windows\$NtUninstallKB62280$\485945278\oemid
    c:\windows\$NtUninstallKB62280$\485945278\U\00000001.@
    c:\windows\$NtUninstallKB62280$\485945278\U\00000002.@
    c:\windows\$NtUninstallKB62280$\485945278\U\00000004.@
    c:\windows\$NtUninstallKB62280$\485945278\U\80000000.@
    c:\windows\$NtUninstallKB62280$\485945278\U\80000004.@
    c:\windows\$NtUninstallKB62280$\485945278\U\80000032.@
    c:\windows\$NtUninstallKB62280$\485945278\version
    c:\windows\system32\config\systemprofile\WINDOWS
    c:\windows\system32\dds_trash_log.cmd
    c:\windows\system32\ps2.bat
    D:\Autorun.inf
    c:\windows\$NtUninstallKB62280$ . . . . Failed to delete
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_NETWORKLOG
    -------\Legacy_TNIDRIVER
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-18 to 2012-04-18 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-18 01:35 . 2012-04-18 01:35 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4FC15389-017A-41F1-852E-1BB24E012FD4}\offreg.dll
    2012-04-18 01:18 . 2012-04-18 01:18 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2012-04-15 00:37 . 2012-04-15 00:37 42960 ----a-w- c:\windows\system32\drivers\vazmbxzg.sys
    2012-04-15 00:36 . 2004-06-29 10:07 1268204 ----a-w- c:\windows\system32\drivers\AGRSM.sys
    2012-04-15 00:34 . 2004-08-04 02:41 126686 ----a-w- c:\windows\system32\drivers\mtlmnt5.sys
    2012-04-15 00:34 . 2012-04-15 00:34 -------- d-----w- c:\windows\LastGood.Tmp
    2012-04-14 18:29 . 2012-04-14 18:29 -------- d-----w- c:\program files\ESET
    2012-04-14 18:15 . 2012-04-14 18:15 -------- d-sh--w- c:\documents and settings\HP_Administrator\UserData
    2012-04-14 17:58 . 2012-04-14 17:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
    2012-04-14 16:53 . 2012-03-14 02:15 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4FC15389-017A-41F1-852E-1BB24E012FD4}\mpengine.dll
    2012-04-11 00:31 . 2012-04-11 00:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-04-11 00:31 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-04-09 14:26 . 2012-04-09 14:26 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
    2012-04-09 14:26 . 2012-04-09 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-04-04 12:30 . 2012-04-04 12:30 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-04 12:30 . 2011-11-24 04:13 70304 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-03-14 02:15 . 2012-01-28 14:46 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-03-01 11:01 . 2004-08-10 04:00 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-03-01 11:01 . 2004-08-10 04:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-03-01 11:01 . 2004-08-10 04:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-02-29 14:10 . 2004-08-10 11:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
    2012-02-29 14:10 . 2004-08-10 04:00 177664 ----a-w- c:\windows\system32\wintrust.dll
    2012-02-29 12:17 . 2004-08-10 04:00 385024 ----a-w- c:\windows\system32\html.iec
    2012-02-07 15:02 . 2012-02-07 15:02 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
    2012-02-03 09:22 . 2004-08-10 04:00 1860096 ----a-w- c:\windows\system32\win32k.sys
    2012-01-31 12:44 . 2009-10-02 20:32 237072 -c----w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-16 57344]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-12-01 126976]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
    "PS2"="c:\windows\system32\ps2.exe" [2004-10-25 90112]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-03-15 98304]
    "RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-11-15 1121016]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-02-28 519584]
    .
    c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
    OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
    backup=c:\windows\pss\SpySubtract.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
    backup=c:\windows\pss\Updates from HP.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
    2004-06-29 10:06 88363 ----a-w- c:\windows\AGRSMMSG.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    2004-10-13 16:00 57344 -c--a-w- c:\windows\ALCMTR.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
    2004-10-13 16:17 2742272 -c--a-w- c:\windows\ALCWZRD.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AROReminder]
    2008-08-22 20:33 2084480 -c--a-w- c:\program files\Advanced Registry Optimizer\ARO.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    2004-08-10 11:04 59392 -c--a-w- c:\windows\ehome\ehtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
    2004-03-18 00:10 61952 -c--a-w- c:\windows\system32\Hdaudpropshortcut.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
    2004-06-07 11:42 659456 -c--a-w- c:\windows\system32\hphmon06.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
    2004-06-07 11:53 49152 -c--a-w- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
    1998-05-07 09:04 52736 -c--a-w- c:\windows\system\hpsysdrv.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2012-01-16 22:22 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
    2004-10-14 14:54 253952 -c--a-w- c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
    2006-05-16 22:50 40960 -c--a-w- c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2005-03-15 19:11 98304 -c--a-w- c:\program files\QuickTime\qttask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
    2004-12-14 02:23 663552 -c--a-w- c:\windows\CREATOR\Remind_XP.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    2004-10-13 14:01 77824 -c--a-w- c:\windows\SOUNDMAN.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\WINDOWS\\system32\\fxsclnt.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
    "c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\iWin Games\\iWinGames.exe"=
    "c:\\Program Files\\iWin Games\\WebUpdater.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    .
    R2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [1/4/2012 3:22 PM 822624]
    R2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [12/8/2009 12:40 PM 78104]
    R2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [10/1/2011 9:30 AM 508776]
    R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfsxp.sys [12/2/2009 10:23 PM 584680]
    R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplayxp.sys [12/2/2009 10:23 PM 209512]
    R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [12/2/2009 10:23 PM 20584]
    R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvolxp.sys [12/2/2009 10:23 PM 18280]
    R3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [10/1/2011 9:30 AM 219496]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/4/2012 8:30 AM 253600]
    S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    NETSVCS REQUIRES REPAIRS - current entries shown
    6to4
    AppMgmt
    AudioSrv
    Browser
    CryptSvc
    DMServer
    DHCP
    ERSvc
    EventSystem
    FastUserSwitchingCompatibility
    HidServ
    Ias
    Iprip
    Irmon
    LanmanServer
    LanmanWorkstation
    Messenger
    Netman
    Nla
    Ntmssvc
    NWCWorkstation
    Nwsapagent
    Rasauto
    Rasman
    UNDPX2A
    RTSTOR
    WinFl32
    knobserv
    gmer
    servicelayer
    carboniteservice
    ovsecurityserver
    dcstor32
    oracleformsserver-forms60server-oraform
    RMSvc
    MR97310_USB_DUAL_CAMERA
    vci
    nwlnkipx
    IntuitUpdateService
    tng-dts
    mssql$sqlexpress
    RIOUNIV
    z800mdm
    atimpab
    DC21x4
    lvuvc
    vstor2-ws60
    omnidrv
    NITaggerService
    wkscfgsrv
    govsrv
    wpshelper
    pav_service
    wltwo51b
    Xyz777s
    p17xfilt
    HBtnKey
    z800bus
    Freedom
    U81xbus
    BrScnUsb
    VrAcFil
    ADIDTSFiltService
    cdudf_xp
    itmrtsvc
    viaudio
    pdlnepkt
    smapint
    logonsvcid
    w810mdfl
    issm
    w810obex
    MTsensor
    HPFECP20
    s116bus
    elnkfwppservice
    usbmate
    ndiscm
    spbbcdrv
    PGPwded
    A88xTuner
    SQLAgent$MICROSOFTSMLBIZ
    mssql$pinnaclesys
    epstnt01
    ma763004
    sisnic
    syslogd
    Remoteaccess
    Schedule
    Seclogon
    SENS
    Sharedaccess
    SRService
    Tapisrv
    Themes
    TrkWks
    W32Time
    WZCSVC
    Wmi
    WmdmPmSp
    winmgmt
    wscsvc
    xmlprov
    MHN
    BITS
    wuauserv
    ShellHWDetection
    helpsvc
    WmdmPmSN
    napagent
    hkmsvc
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
    2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-04-14 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 12:30]
    .
    2012-04-18 c:\windows\Tasks\User_Feed_Synchronization-{26896CAC-0932-4854-BC93-06AF0AFEDD2A}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
    mWindow Title = Internet Explorer By Enter.Net
    uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/info/hho-hp-music-hpdesktop-icon
    uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\ckrqxi89.default\
    FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cbf98f9&v=7.008.031.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{7BEDF996-5864-4505-B998-D7B5243E8C75} - c:\windows\system32\jkkKBQiH.dll
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    HKCU-Run-Akamai NetSession Interface - c:\documents and settings\HP_Administrator\Local Settings\Application Data\Akamai\netsession_win.exe
    MSConfigStartUp-93809662843331368666936102142566 - c:\program files\Antivirus 2009\av2009.exe
    MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    MSConfigStartUp-Antispyware - c:\program files\AntiSpyware\Antispyware.exe
    MSConfigStartUp-AutoTBar - c:\program files\HP\Digital Imaging\bin\AUTOTBAR.EXE
    MSConfigStartUp-IS CfgWiz - c:\program files\Norton Internet Security\cfgwiz.exe
    MSConfigStartUp-Propel Accelerator - c:\program files\Propel Accelerator\trayctl.exe
    MSConfigStartUp-SSC_UserPrompt - c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
    MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
    MSConfigStartUp-URLLSTCK - c:\program files\Norton Internet Security\UrlLstCk.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-04-17 21:37
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3424)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
    c:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\program files\OpenOffice.org 3\program\soffice.exe
    c:\program files\OpenOffice.org 3\program\soffice.bin
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\eHome\ehRecvr.exe
    c:\windows\eHome\ehSched.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\dllhost.exe
    .
    **************************************************************************
    .
    Completion time: 2012-04-17 21:43:18 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-04-18 01:43
    .
    Pre-Run: 139,761,401,856 bytes free
    Post-Run: 140,786,380,800 bytes free
    .
    - - End Of File - - 15677D3F4198967549CA839763B1F88C

    exeHelper by Raktor
    Build 20100414
    Run at 21:57:57 on 04/17/12
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--
     
  13. Boker

    Boker TS Rookie Topic Starter

    found the file but cannot open it, says it's not supported or corrupt...
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'd like to see if we can get the Netsvcs repaired:

    First: Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U, it needs to be there.
    ----------------------------------------
    Next: Please download and extract the following file: XPSP3 netsvcs
    Then double click on it to merge it into the Registry.
    ----------------------------------------
    Then download Combofix again and rescan. Please leave the new Combofix log in your next reply.
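    The netsvcs repair Bobbye describes replaces the whole svchost netsvcs value with the XP SP3 default. As an added example (not ComboFix's code and not the helper's .reg file), the Python script below triages the "NETSVCS REQUIRES REPAIRS" block from the log posted earlier in this thread: it parses the listed service names, diffs them against an assumed default list, and reports what a repair would strip and what it would restore. BASELINE_NETSVCS is an assumption built from the entries ComboFix left in place above and below the foreign block; check it against a clean XP SP3 install or the helper's .reg before relying on it. SAMPLE_LOG is a constructed, abridged copy of that block with only a few of the foreign names kept.

```python
"""Triage the netsvcs service group reported in a ComboFix log.

Added example for this thread, not ComboFix's own code. It parses the
'NETSVCS REQUIRES REPAIRS' block, compares it with an assumed clean
Windows XP SP3 netsvcs group, and reports the entries a repair would strip.
"""

# Assumption: default XP SP3 netsvcs group, reconstructed from the entries
# ComboFix left in place above and below the injected block in the log.
# Verify against a known-clean install before relying on it.
BASELINE_NETSVCS = [
    "6to4", "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "DMServer", "DHCP", "ERSvc",
    "EventSystem", "FastUserSwitchingCompatibility", "HidServ", "Ias", "Iprip", "Irmon",
    "LanmanServer", "LanmanWorkstation", "Messenger", "Netman", "Nla", "Ntmssvc",
    "NWCWorkstation", "Nwsapagent", "Rasauto", "Rasman", "Remoteaccess", "Schedule",
    "Seclogon", "SENS", "Sharedaccess", "SRService", "Tapisrv", "Themes", "TrkWks",
    "W32Time", "WZCSVC", "Wmi", "WmdmPmSp", "winmgmt", "wscsvc", "xmlprov", "MHN",
    "BITS", "wuauserv", "ShellHWDetection", "helpsvc", "WmdmPmSN", "napagent", "hkmsvc",
]

# Constructed sample: abridged copy of the log block, one entry per line as
# ComboFix prints it, with only seven of the foreign names retained.
SAMPLE_LOG = "\n".join([
    "    [HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\svchost]",
    "    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12",
    "    .",
    "    NETSVCS REQUIRES REPAIRS - current entries shown",
    *[f"    {name}" for name in (
        "6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem "
        "FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer "
        "LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent "
        "Rasauto Rasman UNDPX2A RTSTOR WinFl32 knobserv gmer Xyz777s syslogd "
        "Remoteaccess Schedule Seclogon SENS Sharedaccess SRService Tapisrv Themes "
        "TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc xmlprov MHN BITS wuauserv "
        "ShellHWDetection helpsvc WmdmPmSN napagent hkmsvc").split()],
    "    .",
    "    HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost - NetSvcs",
])


def parse_netsvcs(log_text):
    """Return the service names listed under the NETSVCS header.

    The block ends at ComboFix's '.' separator line or a blank line.
    An empty list means the log has no such header.
    """
    lines = [ln.strip() for ln in log_text.splitlines()]
    for i, ln in enumerate(lines):
        if ln.startswith("NETSVCS"):
            names = []
            for entry in lines[i + 1:]:
                if entry in (".", ""):
                    break
                names.append(entry)
            return names
    return []


def triage_netsvcs(names, baseline=BASELINE_NETSVCS):
    """Split the reported entries into (expected, extra, missing).

    Registry service names are case-insensitive, so compare lowercased.
    'extra' is what a repair removes; 'missing' is what it has to restore.
    """
    base_keys = {b.lower() for b in baseline}
    seen = set()
    expected, extra = [], []
    for name in names:
        key = name.lower()
        seen.add(key)
        (expected if key in base_keys else extra).append(name)
    missing = [b for b in baseline if b.lower() not in seen]
    return expected, extra, missing


def baseline_order_preserved(expected, baseline=BASELINE_NETSVCS):
    """True when the recognised entries keep the baseline's relative order.

    In the log above the names outside the assumed baseline sit in one
    contiguous block between Rasman and Remoteaccess, with the defaults
    around it untouched; reordering would call for a closer manual look.
    """
    position = {b.lower(): i for i, b in enumerate(baseline)}
    order = [position[n.lower()] for n in expected]
    return order == sorted(order)


def report(log_text):
    """Print a short triage summary and return the extra entries."""
    names = parse_netsvcs(log_text)
    expected, extra, missing = triage_netsvcs(names)
    print(f"netsvcs entries: {len(names)} (expected {len(expected)}, "
          f"extra {len(extra)}, missing {len(missing)})")
    for name in extra:
        print("  not in baseline:", name)
    if not baseline_order_preserved(expected):
        print("  warning: default entries are reordered; inspect the value by hand")
    return extra


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

    Run it on the full "NETSVCS REQUIRES REPAIRS" block pasted from a ComboFix log to get the complete list of foreign entries; on the sample above it reports seven extras and no missing defaults, which is the case where the repair .reg only has to drop names rather than put any back.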
     
  15. Boker

    Boker TS Rookie Topic Starter

    I have uninstalled Combofix, but when I click on your link it says 404-file not found?
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

  17. Boker

    Boker TS Rookie Topic Starter

    Success...

    ComboFix 12-04-18.02 - HP_Administrator 04/18/2012 20:48:28.2.2 - x86
    Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-19 to 2012-04-19 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-19 00:45 . 2012-04-19 00:45 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8510DC15-D677-4129-B5A3-F26BC2D001AD}\offreg.dll
    2012-04-14 18:29 . 2012-04-14 18:29 -------- d-----w- c:\program files\ESET
    2012-04-14 18:15 . 2012-04-14 18:15 -------- d-sh--w- c:\documents and settings\HP_Administrator\UserData
    2012-04-14 17:58 . 2012-04-14 17:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
    2012-04-11 00:31 . 2012-04-11 00:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-04-11 00:31 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-04-09 14:26 . 2012-04-09 14:26 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
    2012-04-09 14:26 . 2012-04-09 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-04-04 12:30 . 2012-04-04 12:30 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-04 12:30 . 2011-11-24 04:13 70304 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-03-14 02:15 . 2012-01-28 14:46 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-03-01 11:01 . 2004-08-10 04:00 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-03-01 11:01 . 2004-08-10 04:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-03-01 11:01 . 2004-08-10 04:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-02-29 14:10 . 2004-08-10 11:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
    2012-02-29 14:10 . 2004-08-10 04:00 177664 ----a-w- c:\windows\system32\wintrust.dll
    2012-02-29 12:17 . 2004-08-10 04:00 385024 ----a-w- c:\windows\system32\html.iec
    2012-02-07 15:02 . 2012-02-07 15:02 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
    2012-02-03 09:22 . 2004-08-10 04:00 1860096 ----a-w- c:\windows\system32\win32k.sys
    2012-01-31 12:44 . 2009-10-02 20:32 237072 -c----w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-16 57344]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-12-01 126976]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
    "PS2"="c:\windows\system32\ps2.exe" [2004-10-25 90112]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-03-15 98304]
    "RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-11-15 1121016]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-02-28 519584]
    .
    c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
    OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
    backup=c:\windows\pss\SpySubtract.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
    backup=c:\windows\pss\Updates from HP.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
    2004-06-29 10:06 88363 ----a-w- c:\windows\AGRSMMSG.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    2004-10-13 16:00 57344 -c--a-w- c:\windows\ALCMTR.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
    2004-10-13 16:17 2742272 -c--a-w- c:\windows\ALCWZRD.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AROReminder]
    2008-08-22 20:33 2084480 -c--a-w- c:\program files\Advanced Registry Optimizer\ARO.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    2004-08-10 11:04 59392 -c--a-w- c:\windows\ehome\ehtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
    2004-03-18 00:10 61952 -c--a-w- c:\windows\system32\Hdaudpropshortcut.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
    2004-06-07 11:42 659456 -c--a-w- c:\windows\system32\hphmon06.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
    2004-06-07 11:53 49152 -c--a-w- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
    1998-05-07 09:04 52736 -c--a-w- c:\windows\system\hpsysdrv.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2012-01-16 22:22 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
    2004-10-14 14:54 253952 -c--a-w- c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
    2006-05-16 22:50 40960 -c--a-w- c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2005-03-15 19:11 98304 -c--a-w- c:\program files\QuickTime\qttask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
    2004-12-14 02:23 663552 -c--a-w- c:\windows\CREATOR\Remind_XP.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    2004-10-13 14:01 77824 -c--a-w- c:\windows\SOUNDMAN.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\WINDOWS\\system32\\fxsclnt.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
    "c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\iWin Games\\iWinGames.exe"=
    "c:\\Program Files\\iWin Games\\WebUpdater.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    .
    R2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [1/4/2012 3:22 PM 822624]
    R2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [12/8/2009 12:40 PM 78104]
    R2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [10/1/2011 9:30 AM 508776]
    R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfsxp.sys [12/2/2009 10:23 PM 584680]
    R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplayxp.sys [12/2/2009 10:23 PM 209512]
    R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [12/2/2009 10:23 PM 20584]
    R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvolxp.sys [12/2/2009 10:23 PM 18280]
    R3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [10/1/2011 9:30 AM 219496]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/4/2012 8:30 AM 253600]
    S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
    2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-04-19 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 12:30]
    .
    2012-04-18 c:\windows\Tasks\User_Feed_Synchronization-{26896CAC-0932-4854-BC93-06AF0AFEDD2A}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
    mWindow Title = Internet Explorer By Enter.Net
    uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/info/hho-hp-music-hpdesktop-icon
    uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\ckrqxi89.default\
    FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cbf98f9&v=7.008.031.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-04-18 20:59
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Completion time: 2012-04-18 21:03:55
    ComboFix-quarantined-files.txt 2012-04-19 01:03
    ComboFix2.txt 2012-04-18 01:43
    .
    Pre-Run: 147,490,074,624 bytes free
    Post-Run: 147,441,344,512 bytes free
    .
    - - End Of File - - 77C432A963041471607DE9FC03DF61F4
     
  18. Boker

    Boker TS Rookie Topic Starter

    Hi Bobbye, I just need to let you know that my husband has asked me to find the disks and restore the computer. He doesn't have the patience for this as he has a lot of music and stuff he needs to do with his computer. So, thank you for your time. It looks as though the thread will be deleted in a day anyway since they are closed after five days. Patty
     
  19. Boker

    Boker TS Rookie Topic Starter

    Hello Bobby, sorry we hadn't heard from you. I know you are probably very busy. We did a system restore on the computer and mbam and security essentials didn't find anything when we were all done. Computer works better but I was wondering if there is a way to improve the performance? Sorry I was impatient but I have work to do on here and people waiting on me. I do appreciate your time. Boker
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Patty, I am very sorry for the delay. I had some personal business that had to be handled- now I'm trying to catch up.

    Since a System Restore was done, basically everything we had done is gone. The problem is that I don't think you know just what date you first got the malware. Explain to him that it's likely Win32/Sirefef isn't getting completely removed, rather than coming back.
    ----------------------------------------------
    1. If you're still running this program, I advise removing it:
    Startup^SpySubtract.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk

    2. You don't need this to start on boot and run in the background. Advise uncheck ALL HP processes on Startup menu. To print, click on File> Print.
    Startup^HP Digital Imaging Monitor

    3. Advise remove this registry cleaner. We don't recommend a registry cleaner to anyone. The risks outweigh any small benefit you 'may' get:
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AROReminder]
    2008-08-22 20:33 2084480 -c--a-w- c:\program files\Advanced Registry Optimizer\ARO.exe

    4. 8 years ago, a reminder to register on the creative site was put on the Startup menu. It's still there. Advise remove:
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
    2004-12-14 02:23 663552 -c--a-w- c:\windows\CREATOR\Remind_XP.exe

    5. There were 2 outdated versions of Java on the system and no current version. These are vulnerabilities to the system.

    6. Lastly, we did not get an online virus scan. IF malware was in a restore point and IF you choose that restore point, you can reinfect the system.
    .
     
Topic Status:
Not open for further replies.
