Inactive Computer constantly crashes with 100008 driver error


sumdawgy

Sis-in-law got hit.
Not knowing exactly all of the programs she uses, it's hard for me to verify I've cleaned it out as completely as it needs to be. She has a game dear to her heart installed and really didn't want a complete reload...

I'd set her up with AVG anti-virus (updated to AVG 8 last year). The intruder tried to install an anti-virus override, & the computer began to crash regularly.... Then when that failed, they seem to have tried to re-program her BIOS. This forced her video to go black w/ ANSI chars, AND it wouldn't restart..... This is when she finally involved me... Somewhere along the way, they managed to get & use a Limewire version in her tmp directory...

Compounding the issue, she only ran HP's updates, not Microsoft's, in a misguided attempt to be pro-active about safety. Sigh. As it turns out, the intruder tried to get full control... but failed and failed and failed.... Bad for her & them both... Better for me (able to save her comp w/o reload)....

I didn't re-install the BIOS but rather ran a reset of settings, which cleared up the restart issue.

Need help to verify I've closed all the doors (& windows) left open by the intruder.... Besides the Limewire EXE, I came across a cmdconsole directory in her %user% directory.

I've saved copies of her mini-dumps for my reference & can post them if you want to see them.

Most of the repair I'm doing through a third-party remote console (which I suspect also tripped them up in their own efforts). But this makes it hard for me to effectively run GMER without an internet connection. It did complete, & the rootkit/malware it reported all looked good to me. (That said, I am here for advice.)

I'm posting the required logs in a reply to this post.
 
Log run 1

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5623

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/27/2011 3:31:48 PM
mbam-log-2011-01-27 (15-31-48).txt

Scan type: Quick scan
Objects scanned: 163691
Time elapsed: 11 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-01-27 15:58:37
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-16 ST3802110A rev.3.AHL
Running: h54biglm.exe; Driver: C:\DOCUME~1\CHAS-R~1\LOCALS~1\Temp\kxdyypob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----



DDS (Ver_10-12-12.02) - NTFSx86
Run by chas-repair at 16:00:43.64 on Thu 01/27/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1983.1366 [GMT -5:00]

AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *Disabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\FarStone\GameDrive\vdtask.exe
C:\WINDOWS\vcdplayx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Documents and Settings\All Users\Documents\repair\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn3\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [<NO NAME>]
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [VirtualDrive] c:\program files\farstone\gamedrive\vdtask.exe /AutoRestore
mRun: [vcdplayx] "c:\windows\vcdplayx.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [ISUSScheduler] "c:\progra~1\common~1\instal~1\update~1\issch.exe" -start
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper200711281.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
TCP: {7341C099-0E90-4947-9843-609126B2B89C} = 71.242.0.12,71.252.0.12
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chas-r~1\applic~1\mozilla\firefox\profiles\7281mo0z.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\google\google updater\2.4.1970.7372\npCIDetect14.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg8\Firefox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-27 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-2-2 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-7-27 108552]
R1 cdawdm;CDAWDM;c:\windows\system32\drivers\cdawdm.sys [2002-11-22 48111]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-7-27 127768]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-27 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-5 297752]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2011-1-3 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-2-28 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-7-27 47640]
S2 gupdate1c9bd1521cc7982;Google Update Service (gupdate1c9bd1521cc7982);c:\program files\google\update\GoogleUpdate.exe [2009-4-14 133104]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2010-9-18 30192]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2011-01-27 20:16:24 -------- d-----w- c:\docume~1\chas-r~1\applic~1\Malwarebytes
2011-01-27 20:16:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-27 20:16:16 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-01-27 20:16:13 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-27 20:16:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-26 20:56:24 -------- d-----w- c:\docume~1\chas-r~1\locals~1\applic~1\Mozilla
2011-01-26 20:38:07 -------- d-----w- c:\docume~1\chas-r~1\locals~1\applic~1\Apple Computer
2011-01-26 20:37:36 -------- d-----w- c:\docume~1\chas-r~1\locals~1\applic~1\Google
2011-01-26 20:37:29 -------- d-----w- c:\docume~1\chas-r~1\locals~1\applic~1\LogMeIn
2011-01-26 20:36:38 -------- d-sh--w- c:\documents and settings\chas-repair\IETldCache

==================== Find3M ====================

2010-12-16 07:33:11 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-12-16 07:33:11 53632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2010-12-16 07:33:10 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-12-16 07:33:10 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec

============= FINISH: 16:02:39.68 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 12/20/2006 6:58:37 PM
System Uptime: 1/27/2011 3:33:35 PM (1 hours ago)

Motherboard: ECS | | Alhena
Processor: Intel(R) Celeron(R) D CPU 3.33GHz | CPU 1 | 3331/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 67 GiB total, 20.88 GiB free.
D: is FIXED (FAT32) - 7 GiB total, 0.326 GiB free.
E: is CDROM (CDFS)
F: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1048: 10/31/2010 5:07:33 AM - System Checkpoint
RP1049: 11/1/2010 2:22:47 PM - System Checkpoint
RP1050: 11/2/2010 2:31:14 PM - System Checkpoint
RP1051: 11/3/2010 3:20:18 PM - System Checkpoint
RP1052: 11/5/2010 9:09:56 AM - System Checkpoint
RP1053: 11/6/2010 10:23:59 AM - System Checkpoint
RP1054: 11/7/2010 9:33:05 AM - System Checkpoint
RP1055: 11/8/2010 1:19:58 PM - System Checkpoint
RP1056: 11/9/2010 2:55:58 PM - System Checkpoint
RP1057: 11/11/2010 1:42:42 AM - System Checkpoint
RP1058: 11/12/2010 1:48:30 AM - System Checkpoint
RP1059: 11/12/2010 11:54:02 PM - Software Distribution Service 3.0
RP1060: 11/14/2010 9:03:01 AM - System Checkpoint
RP1061: 11/17/2010 6:20:01 AM - System Checkpoint
RP1062: 11/18/2010 10:09:12 PM - System Checkpoint
RP1063: 11/21/2010 10:55:06 AM - System Checkpoint
RP1064: 11/24/2010 4:03:47 AM - System Checkpoint
RP1065: 11/26/2010 6:26:48 AM - System Checkpoint
RP1066: 11/29/2010 8:48:00 PM - System Checkpoint
RP1067: 12/1/2010 7:47:02 AM - System Checkpoint
RP1068: 12/2/2010 8:38:06 AM - System Checkpoint
RP1069: 12/4/2010 10:56:34 AM - System Checkpoint
RP1070: 12/5/2010 11:03:48 AM - System Checkpoint
RP1071: 12/6/2010 12:39:25 PM - System Checkpoint
RP1072: 12/8/2010 4:26:35 AM - System Checkpoint
RP1073: 12/11/2010 5:04:53 AM - System Checkpoint
RP1074: 12/12/2010 5:39:46 AM - System Checkpoint
RP1075: 12/13/2010 7:28:06 AM - System Checkpoint
RP1076: 12/14/2010 3:41:01 PM - System Checkpoint
RP1077: 12/16/2010 2:45:53 AM - System Checkpoint
RP1078: 12/17/2010 2:58:58 AM - System Checkpoint
RP1079: 12/18/2010 3:39:46 AM - System Checkpoint
RP1080: 12/18/2010 5:01:19 PM - Software Distribution Service 3.0
RP1081: 12/19/2010 5:10:09 PM - System Checkpoint
RP1082: 12/21/2010 5:38:07 AM - System Checkpoint
RP1083: 12/22/2010 1:15:30 PM - System Checkpoint
RP1084: 12/24/2010 2:50:25 AM - System Checkpoint
RP1085: 12/25/2010 5:10:45 AM - System Checkpoint
RP1086: 12/26/2010 6:09:07 AM - System Checkpoint
RP1087: 12/27/2010 6:21:07 AM - System Checkpoint
RP1088: 12/28/2010 7:06:22 AM - System Checkpoint
RP1089: 12/29/2010 7:09:05 AM - System Checkpoint
RP1090: 12/30/2010 8:09:05 AM - System Checkpoint
RP1091: 12/31/2010 9:29:44 AM - System Checkpoint
RP1092: 1/1/2011 10:18:51 AM - System Checkpoint
RP1093: 1/3/2011 2:10:02 PM - Printer Driver LogMeIn Printer Driver Installed
RP1094: 1/7/2011 2:45:31 AM - System Checkpoint
RP1095: 1/8/2011 7:05:07 AM - System Checkpoint
RP1096: 1/9/2011 7:13:11 AM - System Checkpoint
RP1097: 1/10/2011 8:13:13 AM - System Checkpoint
RP1098: 1/11/2011 8:14:18 AM - System Checkpoint
RP1099: 1/12/2011 9:41:14 AM - System Checkpoint
RP1100: 1/13/2011 10:14:18 AM - System Checkpoint
RP1101: 1/13/2011 12:18:42 PM - Software Distribution Service 3.0
RP1102: 1/14/2011 12:41:26 PM - System Checkpoint
RP1103: 1/15/2011 1:41:24 PM - System Checkpoint
RP1104: 1/16/2011 2:42:29 PM - System Checkpoint
RP1105: 1/17/2011 4:51:05 PM - System Checkpoint
RP1106: 1/18/2011 6:32:02 PM - System Checkpoint
RP1107: 1/20/2011 5:38:03 AM - System Checkpoint
RP1108: 1/21/2011 5:40:21 AM - System Checkpoint
RP1109: 1/22/2011 10:08:47 AM - System Checkpoint
RP1110: 1/26/2011 3:42:55 PM - Removed iTunes

==== Installed Programs ======================

2002 Space Out Games
Ad-Aware SE Personal
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 8.1.6
AiO_Scan_CDA
AiOSoftwareNPI
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI Control Panel
ATI Display Driver
AutoUpdate
AVG Free 8.5
Belarc Advisor 7.2
Boggle
Bonjour
BufferChm
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
cp_PosterPrintConfig
cp_UpdateProjectsConfig
Critical Update for Windows Media Player 11 (KB959772)
CueTour
Customer Experience Enhancement
CustomerResearchQFolder
Data Fax SoftModem with SmartCP
Destinations
DivX Codec
DivX Player
DivX Version Checker
EA Download Manager
EA Download Manager UI
eSupportQFolder
F300
F300_Help
Fax_CDA
FullDPAppQFolder
GameDrive
Google Chrome
Google Desktop
Google Earth
Google Photos Screensaver
Google Toolbar for Firefox
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Boot Optimizer
HP Customer Participation Program 7.0
HP DVD Play 2.1
HP Games
HP Imaging Device Functions 7.0
HP Photosmart Essential
HP Photosmart Premier Software 6.5
HP Photosmart, Officejet and Deskjet 7.0.A
HP Product Assistant
HP Solution Center 7.0
HP Support Overview
HP Update
HP Web Helper
HPPhotoSmartExpress
HPProductAssistant
HpSdpAppCoreApp
InstantShareDevices
InstantShareDevicesMFC
J2SE Runtime Environment 5.0 Update 6
Java Auto Updater
Java(TM) 6 Update 21
Java(TM) 6 Update 3
Java(TM) 6 Update 7
JumpStart Around the World - Kindergarten
JumpStart Math for First Graders v1.3
LogMeIn
Malwarebytes' Anti-Malware
MarketResearch
Masquerade Mysteries - Case of the Copycat Curator
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2006
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Works
Microsoft WSE 3.0 Runtime
Monopoly
Monopoly (remove only)
Mozilla Firefox (3.5.16)
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
My HP Games
MyDSC2
Mystery P.I. - Stolen in San Francisco
Netscape Browser (remove only)
Network Play System (Patching)
NewCopy_CDA
OpenOffice.org 2.0
OptionalContentQFolder
PC-Doctor 5 for Windows
PhoTags Express
PhotoGallery
Picasa 2
ProductContextNPI
Puzzle Quest 2
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
Quicken 2006
QuickTime
RandMap
Reader Rabbit 2nd Grade
Readme
RealPlayer
Realtek High Definition Audio Driver
Rhapsody
Rhapsody Player Engine
Sandlot Games Client Services
Scan
ScannerCopy
SCRABBLE
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SkinsHP1
SlideShow
SlideShowMusic
SolutionCenter
Sonic Express Labeler
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sonic_PrimoSDK
Status
The Sims 2 Open For Business
The Sims Livin' Large
The Sims™ 2 Deluxe
The Sims™ 2 FreeTime
The Sims™ 2 Kitchen & Bath Interior Design Stuff
The Sims™ 2 Seasons
The Sims™ 3
Toolbox
TrayApp
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Updates from HP (remove only)
VC80CRTRedist - 8.0.50727.762
Watchtower Library 2006 - English Edition
Watchtower Library 2007 - English
Watchtower Library 2008 - English
Watchtower Library 2009 - English
Watchtower Library 2010 - English
WebFldrs XP
WebReg
Wedding Dash (R) 4-Ever
WildTangent Web Driver
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
Yahoo! Extras
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Software Update
Yahoo! Toolbar
ZoneAlarm

==== Event Viewer Messages From Past Week ========

1/27/2011 6:11:08 AM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 bf81fb4a, parameter3 b16c9b4c, parameter4 00000000.
1/27/2011 2:56:15 PM, error: Service Control Manager [7034] - The Yahoo! Updater service terminated unexpectedly. It has done this 1 time(s).
1/27/2011 2:56:15 PM, error: Service Control Manager [7034] - The LogMeIn service terminated unexpectedly. It has done this 1 time(s).
1/27/2011 2:56:15 PM, error: Service Control Manager [7034] - The LogMeIn Maintenance Service service terminated unexpectedly. It has done this 1 time(s).
1/27/2011 2:56:15 PM, error: Service Control Manager [7034] - The LMIGuardianSvc service terminated unexpectedly. It has done this 1 time(s).
1/27/2011 2:56:15 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
1/27/2011 2:56:15 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
1/27/2011 2:56:15 PM, error: Service Control Manager [7034] - The AVG Free8 E-mail Scanner service terminated unexpectedly. It has done this 1 time(s).
1/27/2011 2:56:14 PM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
1/27/2011 2:56:14 PM, error: Service Control Manager [7031] - The AVG Free8 WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
1/27/2011 2:56:14 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
1/26/2011 4:39:26 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/26/2011 4:39:12 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX BANTExt Fips intelppm IPSec KLIF MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
1/26/2011 4:39:12 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
1/26/2011 4:39:12 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/26/2011 4:39:12 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/26/2011 4:39:12 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
1/26/2011 4:39:12 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/26/2011 4:39:12 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/26/2011 3:44:50 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
1/26/2011 3:39:05 PM, error: System Error [1003] - Error code 00000019, parameter1 00000020, parameter2 e2a05000, parameter3 e2a05408, parameter4 0c810400.
1/23/2011 4:29:41 AM, error: atapi [9] - The device, \Device\Ide\IdePort5, did not respond within the timeout period.
1/23/2011 4:14:29 AM, error: System Error [1003] - Error code 00000024, parameter1 001902fe, parameter2 b1282468, parameter3 b1282164, parameter4 805446dc.
1/23/2011 2:52:34 PM, error: System Error [1003] - Error code 100000d1, parameter1 cceb7fb2, parameter2 000000ff, parameter3 00000008, parameter4 cceb7fb2.
1/23/2011 2:50:08 PM, error: System Error [1003] - Error code 00000019, parameter1 00000020, parameter2 e2a408d8, parameter3 e2a40930, parameter4 0c0b0205.
1/23/2011 1:31:26 AM, error: Service Control Manager [7003] - The TrueVector Internet Monitor service depends on the following nonexistent service: vsdatant
1/22/2011 10:21:14 PM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 024aff81, parameter3 b1126d6c, parameter4 00000000.

==== End Of File ===========================
 
Welcome aboard


Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer's behavior, good or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=====================================================================

You have Norton's leftovers.
Please, run this tool to remove them: http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN

=======================================================================

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

======================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install the Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.



Make sure you re-enable your security programs when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Understood. I am running Norton removal tool now.
Will complete the other 2 asap.

(Also, the system hasn't crashed since completing the initial steps.
This system DOES have a restore partition. I am not certain if it is undisturbed.)
 
Sorry for the delay.. Needed to get to her Computer.

AFAIK I only had 2 logs to submit...

I ran the Norton Removal Tool.... then MBRCheck & ComboFix.
All ran normally w/o needing safe mode....

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000003c

Kernel Drivers (total 128):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D0000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA5AC000 viaide.sys
0xBA5AE000 intelide.sys
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA330000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xB9F31000 atapi.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9F11000 fltmgr.sys
0xB9EFF000 sr.sys
0xBA0F8000 PxHelp20.sys
0xB9EE8000 KSecDD.sys
0xB9ED5000 WudfPf.sys
0xB9E48000 Ntfs.sys
0xB9E1B000 NDIS.sys
0xB9E01000 Mup.sys
0xBA288000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB98EB000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xB98D7000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBA3F8000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xB98B3000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA400000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xBA298000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA2A8000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA2B8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB9890000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA550000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xB9868000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xBA408000 \SystemRoot\system32\DRIVERS\fdc.sys
0xBA2C8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA410000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB9823000 \SystemRoot\system32\DRIVERS\HSXHWBS2.sys
0xB972C000 \SystemRoot\system32\DRIVERS\HSX_DP.sys
0xB9676000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
0xBA418000 \SystemRoot\System32\Drivers\Modem.SYS
0xB9662000 \SystemRoot\system32\DRIVERS\Rtnicxp.sys
0xBA6E8000 \SystemRoot\system32\DRIVERS\lmimirr.sys
0xBA2D8000 \SystemRoot\system32\DRIVERS\CDAWDM.sys
0xB964A000 \SystemRoot\system32\DRIVERS\SCSIPORT.SYS
0xBA6E9000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA2E8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA558000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB9633000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA2F8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA308000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA420000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB9582000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA318000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA428000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA430000 \SystemRoot\system32\DRIVERS\raspti.sys
0xBA168000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA438000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA5BA000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB9524000 \SystemRoot\system32\DRIVERS\update.sys
0xBA568000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA178000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA1A8000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5BC000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xB43B1000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xB438D000 \SystemRoot\system32\drivers\portcls.sys
0xBA1D8000 \SystemRoot\system32\drivers\drmk.sys
0xB42A2000 \SystemRoot\system32\DRIVERS\klif.sys
0xB9A75000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xBA1F8000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA458000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA5C8000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA7F5000 \SystemRoot\System32\Drivers\Null.SYS
0xBA5CA000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA460000 \SystemRoot\System32\drivers\vga.sys
0xBA5CC000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA5CE000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA468000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA470000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB9A71000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB426F000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB4216000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB41D5000 \SystemRoot\System32\Drivers\avgtdix.sys
0xB41AF000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xBA208000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xBA53C000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xB4187000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB4165000 \SystemRoot\System32\drivers\afd.sys
0xBA218000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB413A000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB40CA000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA228000 \SystemRoot\System32\Drivers\Fips.SYS
0xBA6A4000 \SystemRoot\System32\Drivers\BANTExt.sys
0xBA478000 \SystemRoot\System32\Drivers\avgmfx86.sys
0xB4079000 \SystemRoot\System32\Drivers\avgldx86.sys
0xB402D000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xBA258000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB4015000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA5F0000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB4202000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA380000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA69D000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF055000 \SystemRoot\System32\ati2cqag.dll
0xBF09A000 \SystemRoot\System32\atikvmag.dll
0xBF0D0000 \SystemRoot\System32\ati3duag.dll
0xBF362000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB1DD5000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB1B50000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB1940000 \SystemRoot\system32\DRIVERS\srv.sys
0xBA5B0000 \??\C:\Program Files\LogMeIn\x86\RaInfo.sys
0xB9593000 \??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
0xB1A58000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xB16E0000 \SystemRoot\system32\drivers\sysaudio.sys
0xB142D000 \SystemRoot\system32\drivers\wdmaud.sys
0xB12D4000 \SystemRoot\System32\Drivers\HTTP.sys
0xBF4BA000 \SystemRoot\System32\lmimirr.dll
0xBF4BF000 \SystemRoot\System32\lmimirr2.dll
0xB054A000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 52):
0 System Idle Process
4 System
456 C:\WINDOWS\system32\smss.exe
512 csrss.exe
540 C:\WINDOWS\system32\winlogon.exe
584 C:\WINDOWS\system32\services.exe
596 C:\WINDOWS\system32\lsass.exe
748 C:\WINDOWS\system32\ati2evxx.exe
764 C:\WINDOWS\system32\svchost.exe
824 svchost.exe
892 C:\WINDOWS\system32\svchost.exe
936 C:\WINDOWS\system32\svchost.exe
1108 svchost.exe
1176 svchost.exe
1304 C:\WINDOWS\system32\spoolsv.exe
1432 svchost.exe
1468 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1488 C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
1504 C:\Program Files\Bonjour\mDNSResponder.exe
1680 C:\Program Files\Java\jre6\bin\jqs.exe
1712 C:\Program Files\Google\Update\GoogleUpdate.exe
1744 C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
1868 C:\Program Files\LogMeIn\x86\ramaint.exe
1980 C:\Program Files\LogMeIn\x86\LogMeIn.exe
224 C:\Program Files\AVG\AVG8\avgrsx.exe
340 C:\PROGRA~1\AVG\AVG8\avgnsx.exe
784 C:\WINDOWS\system32\svchost.exe
972 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
1344 C:\PROGRA~1\AVG\AVG8\avgemc.exe
2180 C:\Program Files\AVG\AVG8\avgcsrvx.exe
2572 alg.exe
2996 C:\WINDOWS\system32\svchost.exe
3536 C:\Program Files\LogMeIn\x86\LogMeIn.exe
3824 C:\WINDOWS\system32\ati2evxx.exe
3976 C:\WINDOWS\explorer.exe
1768 C:\WINDOWS\RTHDCPL.EXE
1932 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
2080 C:\Program Files\FarStone\GameDrive\vdtask.exe
2092 C:\WINDOWS\vcdplayx.exe
2136 C:\PROGRA~1\AVG\AVG8\avgtray.exe
2144 C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
2388 C:\Program Files\Common Files\Java\Java Update\jusched.exe
2532 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
2592 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
2604 C:\Program Files\Messenger\msmsgs.exe
2728 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
2744 C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
2852 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
2900 C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
1864 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
3288 C:\WINDOWS\system\hpsysdrv.exe
4088 C:\Documents and Settings\All Users\Documents\repair\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000010`dd45cc00 (FAT32)

PhysicalDrive0 Model Number: ST3802110A, Rev: 3.AHL

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 4A3BF69CA3259413E25A52D6E01242850E3B0E3A


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!


ComboFix 11-01-28.01 - HP_Owner 01/28/2011 18:48:19.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1983.1490 [GMT -5:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\HP_Owner\Desktop\Translator.url
c:\documents and settings\HP_Owner\Favorites\Download programs.url
c:\documents and settings\HP_Owner\Favorites\Games.url
c:\documents and settings\HP_Owner\Favorites\Translator.url
c:\documents and settings\HP_Owner\Favorites\Videos.url
c:\documents and settings\HP_Owner\Local Settings\Temp\IadHide5.dll
c:\documents and settings\HP_Owner\Start Menu\Programs\Download programs.url
c:\documents and settings\HP_Owner\Start Menu\Programs\Games.url
c:\documents and settings\HP_Owner\Start Menu\Programs\Translator.url
c:\documents and settings\HP_Owner\Start Menu\Programs\Videos.url
c:\program files\Internet Explorer\SET296.tmp
c:\program files\Internet Explorer\SET297.tmp
c:\program files\Internet Explorer\SET299.tmp
c:\program files\Internet Explorer\SET2FD.tmp
c:\program files\Internet Explorer\SET2FE.tmp
c:\program files\Internet Explorer\SET2FF.tmp
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000011_.tmp.dll
c:\windows\system32\_000012_.tmp.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-12-28 to 2011-01-29 )))))))))))))))))))))))))))))))
.

2011-01-27 21:24 . 2011-01-27 21:24 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2011-01-27 20:16 . 2011-01-27 20:16 -------- d-----w- c:\documents and settings\chas-repair\Application Data\Malwarebytes
2011-01-27 20:16 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-27 20:16 . 2011-01-27 20:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-01-27 20:16 . 2011-01-27 20:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-27 20:16 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-26 21:38 . 2011-01-26 21:38 -------- d-----w- c:\documents and settings\Administrator
2011-01-26 20:56 . 2011-01-26 20:56 -------- d-----w- c:\documents and settings\chas-repair\Local Settings\Application Data\Mozilla
2011-01-26 20:38 . 2011-01-26 20:38 -------- d-----w- c:\documents and settings\chas-repair\Application Data\HP
2011-01-26 20:38 . 2011-01-26 20:43 -------- d-----w- c:\documents and settings\chas-repair\Application Data\Apple Computer
2011-01-26 20:38 . 2011-01-26 20:43 -------- d-----w- c:\documents and settings\chas-repair\Local Settings\Application Data\Apple Computer
2011-01-26 20:37 . 2011-01-26 20:37 -------- d-----w- c:\documents and settings\chas-repair\Local Settings\Application Data\Google
2011-01-26 20:37 . 2011-01-26 20:37 -------- d-----w- c:\documents and settings\chas-repair\Local Settings\Application Data\LogMeIn
2011-01-26 20:36 . 2011-01-26 20:36 -------- d-sh--w- c:\documents and settings\chas-repair\IETldCache
2011-01-02 04:45 . 2011-01-02 04:45 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\LogMeIn

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-16 07:33 . 2008-07-27 20:06 53632 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2010-12-16 07:33 . 2008-07-27 20:06 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-12-16 07:33 . 2008-07-27 20:06 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-12-16 07:33 . 2008-07-27 20:06 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-11-18 18:12 . 2004-08-04 04:00 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2004-08-04 04:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2004-08-04 04:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-04 04:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-04 04:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 04:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-04 04:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-09-19 00:03 . 2010-09-19 00:03 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-02 68856]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 16239616]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"VirtualDrive"="c:\program files\FarStone\GameDrive\vdtask.exe" [2002-11-22 86016]
"vcdplayx"="c:\windows\vcdplayx.exe" [2002-06-10 57344]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-02-28 63048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-13 185896]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-09-19 30192]
"ISUSScheduler"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" [2004-07-28 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-02 68856]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-12-13 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-12-13 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-12-16 07:33 87424 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 cdawdm;CDAWDM;c:\windows\system32\drivers\cdawdm.sys [11/22/2002 5:58 PM 48111]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [1/3/2011 2:08 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2/28/2008 2:31 PM 12856]
S2 gupdate1c9bd1521cc7982;Google Update Service (gupdate1c9bd1521cc7982);c:\program files\Google\Update\GoogleUpdate.exe [4/14/2009 10:24 AM 133104]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [9/18/2010 7:02 PM 30192]
.
Contents of the 'Scheduled Tasks' folder

2011-01-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2011-01-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-14 15:23]

2011-01-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-14 15:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?ilc=1
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://sg.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://sg.search.yahoo.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: {7341C099-0E90-4947-9843-609126B2B89C} = 71.242.0.12,71.252.0.12
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\va3c4vwp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.toggle.com/index.php?rvs=hompag
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKLM-Run-PCDrProfiler - (no file)
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\UninstFl.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-28 19:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(536)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(3716)
c:\windows\system32\WININET.dll
c:\docume~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\RTHDCPL.EXE
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.


Completion time: 2011-01-28 19:10:56 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-29 00:10

Pre-Run: 22,602,944,512 bytes free
Post-Run: 22,581,080,064 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - C43D35B5EFC7D44A6CAC41D7AB8236D6
 
We need to double check your MBR.

Download Bootkit Remover to your Desktop.

  • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.
 
OK, Bootkit Remover says:
(There was also a debug log file that I wouldn't include unless instructed.)

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 74c9b8a519aa05c22f46e134715d1f6f

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Done;
Press any key to quit...
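As an added illustration of what the "Unknown boot code" verdict above means (this is not from the thread and not eSage Lab's code): Bootkit Remover hashes the boot sector and compares it with boot code it recognises. The Python below parses a constructed 512-byte MBR, hashes only the boot-code region so that repartitioning does not change the digest, and reports a sector as known, unknown or invalid against a baseline taken while the disk was clean. All sector contents, partition values and the baseline are constructed, and the hash-only comparison is a simplified model of the tool's check.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: executable boot code
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"        # bytes 510..511 of every valid boot sector

def build_sector(boot_code: bytes, partitions) -> bytes:
    """Assemble a constructed MBR; partitions are (active, type, lba, count)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if a else 0x00, t, lba, n)
                     for a, t, lba, n in partitions).ljust(64, b"\x00")
    return code + table + SIGNATURE

def parse_mbr(sector: bytes) -> dict:
    """Split a boot sector into boot code, partition table and signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        parts.append((status == 0x80, ptype, lba, count))
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": parts,
            "signature_ok": sector[510:512] == SIGNATURE}

def boot_code_md5(sector: bytes) -> str:
    """MD5 of the boot-code region only, so a repartition does not change it."""
    return hashlib.md5(parse_mbr(sector)["boot_code"]).hexdigest()

def classify(sector: bytes, known_good: set) -> str:
    """Mirror the tool's verdicts: 'invalid' (no 55AA), 'known' or 'unknown'."""
    mbr = parse_mbr(sector)
    if not mbr["signature_ok"]:
        return "invalid"
    return "known" if boot_code_md5(sector) in known_good else "unknown"

# Constructed sample data (not a real disk): one active NTFS-type partition.
PARTS = [(True, 0x07, 63, 155_000_000)]
CLEAN_SECTOR = build_sector(b"CONSTRUCTED-CLEAN-BOOT-CODE", PARTS)
# Baseline recorded while the machine was known clean, e.g. right after setup.
KNOWN_GOOD = {boot_code_md5(CLEAN_SECTOR)}
# Same partition table, different boot code: what an altered MBR looks like.
ALTERED_SECTOR = build_sector(b"CONSTRUCTED-ALTERED-BOOT-CODE", PARTS)

if __name__ == "__main__":
    for name, sec in (("clean", CLEAN_SECTOR), ("altered", ALTERED_SECTOR)):
        print(f"{name}: {classify(sec, KNOWN_GOOD)} md5={boot_code_md5(sec)}")
```

The altered sector keeps an identical, valid partition table, which is why a disk can still boot and look normal while its boot code no longer matches the baseline.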
 
We need to fix it.

Restart computer
When you reboot you will see an option to boot into the Recovery Console or the normal Windows installation.
You have to use the up/down arrows to choose the Recovery Console, then press Enter, but you only have 2 seconds by default.
If you find this hard to do, then you can go into Control Panel, System, Advanced, Startup and Recovery, Settings. Where it says Time to Display List of Operating Systems, change it to 10 or more seconds. Click OK, then reboot.

You should get a black screen with a C:\> prompt. Type with an Enter after each line:

fixmbr

(If it asks you if you are sure then say "Y".)

exit

Reboot computer.

Post fresh MBRCheck log.
 
Sorry for the delay.

This step requires that I again get physical access to the computer...
I am working on it... She's a very private person, so I can't just drop in on her.

But I am working on it.
 