Google link redirect and random audio playing

Inactive
By FHorn
Jan 11, 2012
  1. Hello - Whenever I search on Google and click a link I get redirected to random advertisements. In addition, random audio will play even without IE being open. Thank you in advance for your assistance. Here are the logs from the 5-step process:

    MBAM-Log:

    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.09.07

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Nicole :: PC677134193111 [administrator]

    1/9/2012 12:19:58 PM
    mbam-log-2012-01-09 (12-19-58).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 235531
    Time elapsed: 4 hour(s), 40 minute(s), 20 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 2
    HKCU\Software\avSofT (Trojan.Fraudpack) -> Quarantined and deleted successfully.
    HKCU\Software\AVSuitE (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

    Registry Values Detected: 2
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|yyxjrdvb (Rogue.AntivirusSuite.Gen) -> Data: C:\Documents and Settings\Nicole\Local Settings\Application Data\kdbobjttp\cnxienqtssd.exe -> Quarantined and deleted successfully.
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings|ProxyServer (PUM.Bad.Proxy) -> Data: http=127.0.0.1:5577 -> Quarantined and deleted successfully.

    Registry Data Items Detected: 1
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 2
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q5WFA4SN\MyFunCards[1].exe (PUP.FunWebProducts) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\p9pl7704702928480094313.tmp (Exploit.Drop.3) -> Quarantined and deleted successfully.

    (end)

    gmer:

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-01-09 19:57:46
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 ST960812A rev.3.05
    Running: gybbwcx0.exe; Driver: C:\DOCUME~1\Nicole\LOCALS~1\Temp\fflirkod.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)

    ---- EOF - GMER 1.0.15 ----

    DDS:
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Nicole at 9:41:22 on 2012-01-10
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.997 [GMT -8:00]
    .
    AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton 360 *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Microsoft\BingBar\SeaPort.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\BUFFALO\Encrdisk\ENCRDLG.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    C:\Program Files\HP\QuickPlay\QPService.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\hphmon05.exe
    C:\program files\real\realplayer\update\realsched.exe
    C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Program Files\Real\RealUpgrade\RealUpgrade.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
    uInternet Settings,ProxyOverride = <local>
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\5.1.0.29\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\5.1.0.29\ips\IPSBHO.DLL
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
    BHO: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No File
    BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - No File
    BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
    BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No File
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\5.1.0.29\coIEPlg.dll
    TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [<NO NAME>]
    mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
    mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
    mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
    mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
    mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
    mRun: [Reminder] c:\windows\creator\Remind_XP.exe
    mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
    mRun: [HPHUPD05] c:\program files\hp\\{5372b9a6-6e51-4f90-9b40-e0a3b8475c4e}\hphupd05.exe
    mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
    mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
    mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
    mRun: [RegistryQuick.exe] c:\program files\rq\RegistryQuick.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    StartupFolder: c:\docume~1\nicole\startm~1\programs\startup\memeoa~1.lnk - c:\documents and settings\nicole\application data\microsoft\installer\{bd1f8143-c678-43cd-a296-a3a32a8c2976}\NewShortcut4_51A847D327C24F7797772AF2A4E486ED.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
    mPolicies-system: HideFastUserSwitching = 1 (0x1)
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.winkflash.com/photo/loaders/ImageUploader5.cab
    DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 SecureLockWare_EncryptFilterDriver;SecureLockWare Encryption Filter driver;c:\windows\system32\drivers\ENCRFIL.SYS [2009-3-1 725120]
    R0 SecureLockWare_EncryptFilterDriver2;SecureLockWare Encryption Filter driver Ver.2;c:\windows\system32\drivers\SLWFIL.SYS [2009-3-1 725248]
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0501000.01d\SymDS.sys [2012-1-7 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0501000.01d\SymEFA.sys [2012-1-7 744568]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\bashdefs\20111223.001\BHDrvx86.sys [2011-11-30 820344]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0501000.01d\Ironx86.sys [2012-1-7 136312]
    R2 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\SeaPort.EXE [2011-6-15 249648]
    R2 N360;Norton 360;c:\program files\norton 360\engine\5.1.0.29\ccSvcHst.exe [2012-1-7 130008]
    R2 SecureLockWare_InputPassword;SecureLockWare Service;c:\program files\buffalo\encrdisk\encrdlg.exe -service_execute --> c:\program files\buffalo\encrdisk\ENCRDLG.exe -Service_Execute [?]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-1-8 106104]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\ipsdefs\20120107.001\IDSXpx86.sys [2012-1-9 356280]
    R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\virusdefs\20120110.002\NAVENG.SYS [2012-1-10 86136]
    R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\virusdefs\20120110.002\NAVEX15.SYS [2012-1-10 1576312]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-11-12 136176]
    S3 bautopw;BUFFALO eco manager for HD Filter;c:\windows\system32\drivers\bautopw.sys [2009-9-27 8960]
    S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-7-7 195336]
    S3 bfturboh;BUFFALO TurboUSB for HD Filter;c:\windows\system32\drivers\bfturboh.sys [2009-9-27 17152]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-11-12 136176]
    S3 NUVision;Zoran USB Live! (1004);c:\windows\system32\drivers\NUVision.sys [2009-10-8 154976]
    S3 stv676;USB Video Camera;c:\windows\system32\drivers\stv676.sys [2009-10-8 64512]
    S3 stv676m;USB Video Cameram;c:\windows\system32\drivers\stv676m.sys [2009-10-8 6144]
    .
    =============== Created Last 30 ================
    .
    2012-01-10 17:29:05 887 ----a-w- c:\documents and settings\all users\application data\koznaaa.tmp
    2012-01-10 03:35:55 851 ----a-w- c:\documents and settings\all users\application data\klnnaaa.tmp
    2012-01-10 03:35:55 840 ----a-w- c:\documents and settings\all users\application data\ilnnaaa.tmp
    2012-01-10 03:34:39 816 ----a-w- c:\documents and settings\all users\application data\jlnnaaa.tmp
    2012-01-10 03:33:39 845 ----a-w- c:\documents and settings\all users\application data\hlnnaaa.tmp
    2012-01-10 03:23:35 809 ----a-w- c:\documents and settings\all users\application data\glnnaaa.tmp
    2012-01-09 20:17:00 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-09 20:17:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-09 12:45:09 852 ----a-w- c:\documents and settings\all users\application data\tyonaaa.tmp
    2012-01-09 05:43:09 -------- d-----w- c:\documents and settings\nicole\local settings\application data\NPE
    2012-01-09 05:32:48 -------- d-----w- C:\66ea9cec9032b4dc3d80e009ce3412
    2012-01-09 01:43:12 -------- d-----w- c:\documents and settings\nicole\application data\ElevatedDiagnostics
    2012-01-08 07:18:04 744568 ----a-r- c:\windows\system32\drivers\n360\0501000.01d\SymEFA.sys
    2012-01-08 07:18:04 516216 ----a-r- c:\windows\system32\drivers\n360\0501000.01d\srtsp.sys
    2012-01-08 07:18:04 50168 ----a-r- c:\windows\system32\drivers\n360\0501000.01d\srtspx.sys
    2012-01-08 07:18:04 369784 ----a-r- c:\windows\system32\drivers\n360\0501000.01d\symtdi.sys
    2012-01-08 07:18:04 340088 ----a-r- c:\windows\system32\drivers\n360\0501000.01d\SymDS.sys
    2012-01-08 07:18:04 331384 ----a-r- c:\windows\system32\drivers\n360\0501000.01d\symtdiv.sys
    2012-01-08 07:18:04 296568 ----a-r- c:\windows\system32\drivers\n360\0501000.01d\symnets.sys
    2012-01-08 07:18:03 136312 ----a-r- c:\windows\system32\drivers\n360\0501000.01d\Ironx86.sys
    2012-01-08 07:17:19 -------- d-----w- c:\windows\system32\drivers\n360\0501000.01D
    .
    ==================== Find3M ====================
    .
    2012-01-08 07:22:43 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2012-01-08 07:22:43 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2011-12-14 18:16:07 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-11-04 19:20:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
    2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
    2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2011-10-25 13:33:08 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-10-25 12:52:03 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
    .
    ============= FINISH: 9:47:03.34 ===============

    DDS Attach: Edit: Duplicate of DDS.txt log left in error deleted by Bobbye. Requested correct log.
  2. Bobbye

    Bobbye, Helper on the Fringe

    Welcome to TechSpot! Can you please back up and find the other log from the DDS scan? It's named Attach.txt. You have copied the other log, DDS.txt, twice. Just paste the log into the next reply- no need to zip it either.

    It looks like you're running 2 Registry Cleaners, RegGuard and RegistryQuick. We don't recommend registry cleaners to anyone. The risk far outweighs any benefit you think you may get.
    ===========================
    You have been using the FunWebProducts site and their partner sites to get screensavers, cursors, wallpaper, Smilies and other 'cute' things to put on the system.

    Uninstall the FunWebProduct and My Web Search option from Add/Remove Programs
    1) Click on Start, Settings, Control Panel
    2) Double click on Add/Remove Programs
    3) Find any of the following programs in the list of installed programs and click on Change/Remove to uninstall it.
    • FunWebProducts
    • My Web Search (Smiley Central or FWP product as applicable)
    • My Way Speedbar (Smiley Central or other FWP as applicable)
    • My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
    • My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
    • Search Assistant -
    4) Reboot your Computer.
    5) Right click on Start> Choose Explore.
    6) My Computer> Local Drive (C)> double-click on the Program Files folder
    7) Right-click and delete the program folder for each of the programs you uninstalled.
    8) If you have FunWebProducts saved as a Bookmark or Favorite, delete it

    Stay away from: Other FunWebProducts
    ============================================
    It appears that you have been infected by the Rogue Antivirus, 2012
    1. Pretends to be a security update for Windows installed via Automatic Updates. It will then install itself as a single executable that has a random name consisting of three characters.
    2. Clicking on any executable loads the malware
    3. Displays fake security alerts on the infected computer.
    4. May not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer
    5. Changes settings on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program.

    To fix #5, you start here: Download a Registry file that will fix these changes.
    Please download FixNCR.reg and save it to a removable media such as a CD/DVD, external Drive, or USB flash drive.
    • Insert the removable device into the infected computer and open the folder for the drive letter associated with it (Usually C).
    • Double click the FixNCR.reg file
    • You should now be able to run the .exe files.
    ====================================
    There may be a proxy enabled that can cause a redirect> please check this:
    Reset your browser proxies
    • For Firefox:
      o Open Firefox, click on "Tools" then "Options" and then on "Advanced".
      o Click on the "Network" tab, and then on the "Settings" button.
      o Please make sure that the "No Proxy" option is selected.
    • For Internet Explorer:
      o Open Internet Explorer.
      o Click on "Tools" and then select "Internet Options".
      o Click on the "Connections" tab and click the "LAN Settings" button at the bottom.
      o Uncheck "Use a Proxy server for your LAN".
      o Click Ok to close the Local Area Network (LAN) Settings window.
      o Click Ok to close the Internet Options window.
    ===================================
    To end the processes that belong to the rogue program:
    Please click on RKill
    • At the download page, click on Download now button for iExplore.exe download link and save to the desktop
    • Double click on the iExplore.exe icon
    • Please be patient- it may take a bit.
    • The black Window will close when through and you can continue.
    Note: If you get a message that RKill is malware, ignore it> it's from the malware.
    =======================================
    Do not reboot your computer after running RKill as the malware programs will start again.
    ================================
    Update and rescan with Malwarebytes:
    • Select Perform Full Scan on the Scanner tab
    • Click on the Scan button.
    • When the scan has finished, you will see a message box:
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
    ==============================
    This should remove the major offender. Reboot the Computer into Normal Mode and run the following:
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    =======================================
    There are some other entries to remove, so please run the following-(Normal Mode) Note that you will need to disable Norton:
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Expect these- they are normal:
    1. If asked to install or update the Recovery Console, allow. (You will need an internet connection for this.)
    2. Before you run the Combofix scan, please disable any security software you have running.
    3. Combofix may need to reboot your computer more than once to do its job; this is normal.
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close/disable all anti virus and anti malware programs
      (If you need help with this, please see HERE)
    • Close any open browsers.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated and will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ====================================
    Please include logs from RKill, Full Mbam scan, Eset and Combofix in next reply.
    ===================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
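One way to pull the redirect-relevant findings out of an MBAM-Log like the one in the first post, as an added example (not code from the thread, from TechSpot or from Malwarebytes): it parses the detection lines, decodes the WinINet ProxyServer string and flags a proxy that points at the local machine, which is the PUM.Bad.Proxy entry (http=127.0.0.1:5577) that the proxy-reset step above addresses. The sample log text is copied from the posted scan; the three triage rules are this example's own assumptions about what a helper looks for.

```python
"""Triage an MBAM-Log (Malwarebytes Anti-Malware 1.x) for redirect-related findings.
Added example, not code from the thread or from Malwarebytes. The triage rules
(loopback proxy, autostart from a profile folder, PUM.Hijack entries) are assumptions."""
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

# Constructed sample: the detection lines copied from the MBAM-Log posted in the
# thread. Header and count lines are kept because the parser must skip them.
SAMPLE_MBAM_LOG = r"""
Registry Keys Detected: 2
HKCU\Software\avSofT (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKCU\Software\AVSuitE (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|yyxjrdvb (Rogue.AntivirusSuite.Gen) -> Data: C:\Documents and Settings\Nicole\Local Settings\Application Data\kdbobjttp\cnxienqtssd.exe -> Quarantined and deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings|ProxyServer (PUM.Bad.Proxy) -> Data: http=127.0.0.1:5577 -> Quarantined and deleted successfully.
Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
Files Detected: 2
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q5WFA4SN\MyFunCards[1].exe (PUP.FunWebProducts) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\p9pl7704702928480094313.tmp (Exploit.Drop.3) -> Quarantined and deleted successfully.
"""

# One detection line: "<location> (<classification>) -> [Data: ... ->] <action>."
DETECTION_RE = re.compile(r"^(?P<location>.+?) \((?P<classification>[^()]+)\) -> (?P<rest>.+)\.$")

@dataclass
class Detection:
    location: str              # registry key, or file path for "Files Detected"
    value_name: Optional[str]  # registry value name after '|', if any
    classification: str        # MBAM classification, e.g. PUM.Bad.Proxy
    data: Optional[str]        # value data after "Data: ", if reported
    action: str                # what MBAM did with it

def parse_mbam_detections(log_text: str) -> List[Detection]:
    """Return every detection line in the log, skipping headers, counts and blanks."""
    detections = []
    for raw in log_text.splitlines():
        m = DETECTION_RE.match(raw.strip())
        if not m:
            continue
        parts = m.group("rest").split(" -> ")   # [..details.., action]
        data = next((p[len("Data: "):] for p in parts[:-1] if p.startswith("Data: ")), None)
        location, _, value_name = m.group("location").partition("|")
        detections.append(Detection(location, value_name or None,
                                    m.group("classification"), data, parts[-1]))
    return detections

def parse_proxy_server(data: str) -> List[Tuple[str, str, Optional[int]]]:
    """Split a WinINet ProxyServer string into (scheme, host, port) tuples.
    Accepts 'http=127.0.0.1:5577;https=...' as well as a bare 'host:port',
    which WinINet applies to every protocol (reported here as scheme '*')."""
    targets = []
    for entry in filter(None, (e.strip() for e in data.split(";"))):
        scheme, sep, hostport = entry.partition("=")
        if not sep:
            scheme, hostport = "*", entry
        host, sep, port = hostport.rpartition(":")
        if not sep:
            host, port = hostport, ""
        targets.append((scheme, host, int(port) if port.isdigit() else None))
    return targets

def is_local_listener(host: str) -> bool:
    """True for localhost or any loopback address: a proxy there means a process
    on this very machine is rewriting the browser's traffic (the redirect symptom)."""
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False

def triage(detections: List[Detection]) -> List[str]:
    """Apply the three redirect-case rules and describe each hit for the helper."""
    findings = []
    for d in detections:
        if (d.value_name or "").lower() == "proxyserver" and d.data:
            for scheme, host, port in parse_proxy_server(d.data):
                if is_local_listener(host):
                    findings.append(f"redirect proxy: {scheme} traffic sent to local listener "
                                    f"{host}:{port}; clear the proxy and find the process on that port")
        if d.location.lower().endswith("\\currentversion\\run") and d.data \
                and "\\application data\\" in d.data.lower():
            findings.append(f"user-writable autostart: Run value '{d.value_name}' launches {d.data}")
        if d.classification.startswith("PUM.Hijack."):
            findings.append(f"settings tampering: {d.classification} at {d.location}")
    return findings

if __name__ == "__main__":
    found = parse_mbam_detections(SAMPLE_MBAM_LOG)
    print(f"{len(found)} detections parsed")
    for finding in triage(found):
        print("!", finding)
```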
  3. FHorn

    FHorn, Newcomer, in training, Topic Starter

    Attach Log

    Sorry for the mistake of posting DDS twice. Here is the Attach log and I will get the other logs to you soon. Thank you.

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 6/26/2006 7:27:59 AM
    System Uptime: 1/10/2012 8:26:39 AM (1 hours ago)
    .
    Motherboard: Quanta | | 308F
    Processor: Intel(R) Celeron(R) M processor 1.60GHz | U1 | 1596/400mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 47 GiB total, 19.63 GiB free.
    D: is FIXED (FAT32) - 7 GiB total, 0.549 GiB free.
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP1: 1/7/2012 10:51:31 PM - System Checkpoint
    RP2: 1/8/2012 5:32:04 PM - Installed %1 %2.
    RP3: 1/10/2012 3:00:40 AM - Software Distribution Service 3.0
    .
    ==== Installed Programs ======================
    .
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 11 ActiveX
    Adobe Reader 9.4.7
    Adobe Shockwave Player 11.5
    AiO_Scan_CDA
    AiOSoftwareNPI
    AnyBizSoft PDF Password Remover (Build 1.0.4)
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Applied Vision 2.0
    Bing Bar
    Broadcom 802.11 Wireless LAN Adapter
    BUFFALO eco Manager for HD
    BUFFALO INC. DISK FORMATTER
    BUFFALO Secure Lock Ware
    BUFFALO TurboUSB for FLASH/HDD
    BufferChm
    C4100
    c4100_Help
    Canon iP1600
    Compatibility Pack for the 2007 Office system
    Conexant AC-Link Audio
    CP_AtenaShokunin1Config
    CP_CalendarTemplates1
    cp_LightScribeConfig
    cp_OnlineProjectsConfig
    CP_Package_Basic1
    CP_Package_Variety1
    CP_Package_Variety2
    CP_Package_Variety3
    CP_Panorama1Config
    cp_PosterPrintConfig
    cp_UpdateProjectsConfig
    Critical Update for Windows Media Player 11 (KB959772)
    CueTour
    Customer Experience Enhancement
    CustomerResearchQFolder
    Destinations
    DocProc
    DocProcQFolder
    DocumentViewer
    DocumentViewerQFolder
    Easy Internet Sign-up
    eMusic Download Manager 4.1.4
    eSupportQFolder
    EZ Calendar (remove only)
    Fax_CDA
    GearDrvs
    Google Chrome
    Google Toolbar for Internet Explorer
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Customer Participation Program 7.0
    HP Document Viewer 7.0
    HP Game Console and games
    HP Help and Support
    HP Imaging Device Functions 7.0
    HP Photosmart Premier Software 6.5
    HP Photosmart, Officejet and Deskjet 7.0.A
    HP QuickPlay 2.0
    HP Solution Center 7.0
    HP User Guides--System Recovery
    HP User Guides 0001
    HP Wireless Assistant 2.00 B3
    HPPhotoSmartExpress
    HPProductAssistant
    HpSdpAppCoreApp
    Inspiration 8
    InstallMgr
    InstantShareDevices
    InstantShareDevicesMFC
    Intel(R) Graphics Media Accelerator Driver for Mobile
    iTunes
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Java(TM) 6 Update 13
    LG Outlook Sync
    LG USB Modem driver
    LightScribe 1.4.56.1
    Malwarebytes Anti-Malware version 1.60.0.1800
    MarketResearch
    Memeo AutoBackup
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2656353)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Default Manager
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Sounds
    Microsoft Office Standard 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Text-to-Speech Engine 4.0 (English)
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    MicroWorlds EX Demo
    Move Media Player
    MSN Toolbar
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser (KB925673)
    muvee autoProducer 4.5
    Netscape Browser (remove only)
    NewCopy_CDA
    Norton 360
    Nvu 1.0
    OaksSecureBrowser3.1 (3.1)
    OaksSecureBrowser4.0
    OCR Software by I.R.I.S 7.0
    Office 2003 Trial Assistant
    OpenOffice.org Installer 1.0
    OptionalContentQFolder
    Oracle JInitiator 1.3.1.22
    PanoStandAlone
    PhotoGallery
    Photosmart 140,240,7200,7600,7700,7900 Series
    ProductContextNPI
    PSShortcutsP
    PSUsage
    Quick Launch Buttons 5.20 F2
    Quicken 2006
    QuickTime
    RandMap
    Readme
    RealNetworks - Microsoft Visual C++ 2008 Runtime
    RealPlayer
    RealUpgrade 1.1
    Scan
    ScannerCopy
    ScienceMatrix Demo v1.05 Demo Version 1.05
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2553089)
    Security Update for 2007 Microsoft Office System (KB2553090)
    Security Update for 2007 Microsoft Office System (KB2584063)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    SHARP MX Series PCL/PS Printer Driver
    SHARP PCL6 T1 Printer Driver
    SkinsHP1
    SlideShow
    SmartFTP Client
    SmartFTP Client 2.5 Setup Files (remove only)
    Soft Data Fax Modem with SmartCP
    SolutionCenter
    Sonic Audio Module
    Sonic Copy Module
    Sonic Data Module
    Sonic Express Labeler
    Sonic MyDVD Plus
    Sonic Update Manager
    Sonic_PrimoSDK
    Spelling Dictionaries Support For Adobe Reader 9
    Status
    Synaptics Pointing Device Driver
    Texas Instruments PCIxx21/x515/xx12 drivers.
    TIPCI
    Toolbox
    TourSetup
    TrayApp
    Unload
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
    Update for Microsoft Office Outlook 2007 (KB2583910)
    Update for Outlook 2007 Junk Email Filter (KB2596560)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    USA Explorer
    USB Video Camera v221 Installation Files
    WebEx Support Manager for Internet Explorer
    WebFldrs XP
    WebReg
    Windows Genuine Advantage Notifications (KB905474)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player 9 Series TweakMP PowerToy
    Windows PowerShell(TM) 1.0
    Windows Presentation Foundation
    Windows Search 4.0
    Windows XP Service Pack 3
    Winkflash Transporter
    Wireless Home Network Setup
    Woodalls 1.0
    Write-N-Cite
    XML Paper Specification Shared Components Pack 1.0
    .
    ==== Event Viewer Messages From Past Week ========
    .
    1/9/2012 7:58:11 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    1/9/2012 12:17:42 PM, error: PlugPlayManager [11] - The device Root\LEGACY_SMR210\0000 disappeared from the system without first being prepared for removal.
    1/9/2012 12:11:21 PM, error: Service Control Manager [7022] - The hpqwmiex service hung on starting.
    1/8/2012 10:27:25 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the TrkWks service.
    1/8/2012 10:25:09 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AliIde PCIIde ViaIde
    1/6/2012 8:39:44 PM, error: Dhcp [1002] - The IP address lease 192.168.1.141 for the Network Card with network address 0014A57416D3 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    1/6/2012 11:00:12 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume .
    1/5/2012 8:20:12 AM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer FRONTOFFICE that believes that it is the master browser for the domain on transport NetBT_Tcpip_{36022206-A409-49. The master browser is stopping or an election is being forced.
    1/5/2012 5:34:32 PM, error: Dhcp [1002] - The IP address lease 192.168.1.105 for the Network Card with network address 0014A57416D3 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    1/4/2012 8:36:16 AM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer JEFF-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{36022206-A409-498B-B. The master browser is stopping or an election is being forced.
    1/4/2012 8:04:22 AM, error: Dhcp [1002] - The IP address lease 192.168.2.103 for the Network Card with network address 0014A57416D3 has been denied by the DHCP server 192.168.1.9 (The DHCP Server sent a DHCPNACK message).
    1/4/2012 4:56:54 PM, error: Dhcp [1002] - The IP address lease 192.168.1.109 for the Network Card with network address 0014A57416D3 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    1/3/2012 11:13:59 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Pml Driver HPZ12 service to connect.
    1/3/2012 11:13:59 PM, error: Service Control Manager [7000] - The Pml Driver HPZ12 service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    1/10/2012 8:06:47 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the N360 service.
    .
    ==== End Of File ===========================
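Added example, not part of this thread or of the DDS tool: a small Python triage script that pulls the Installed Programs section out of a DDS log like the one above and flags Java runtimes left behind by upgrades (this log lists J2SE Runtime Environment 5.0 Update 6, 5.0 Update 9 and Java(TM) 6 Update 13 side by side; each is a separately loadable browser plugin). The sample input is a constructed excerpt of the posted log, and the `==== Title ====` section-header regex is an assumption about the DDS layout inferred from the post, not a documented format.

```python
"""Triage helper for the Installed Programs section of a DDS log.

Added example; not part of the thread or of DDS itself. It splits a DDS log
into its '==== Title ====' sections and reports Sun/Oracle Java runtimes that
remain installed alongside a newer one.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the DDS log posted above: a handful of Installed
# Programs entries copied from the post, with the section markers kept so the
# section parser has realistic input. Not the complete list.
SAMPLE_DDS = """\
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 47 GiB total, 19.63 GiB free.
.
==== Installed Programs ======================
.
Adobe Flash Player 11 ActiveX
Adobe Reader 9.4.7
Adobe Shockwave Player 11.5
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 13
Oracle JInitiator 1.3.1.22
Malwarebytes Anti-Malware version 1.60.0.1800
Windows XP Service Pack 3
.
==== Event Viewer Messages From Past Week ========
.
1/9/2012 7:58:11 PM, error: atapi [9] - The device, \\Device\\Ide\\IdePort0, did not respond within the timeout period.
"""

# Assumed DDS section header layout: "==== Title ====...", inferred from the log.
SECTION_RE = re.compile(r"^==== (.+?) =+\s*$")


def dds_sections(text: str) -> Dict[str, List[str]]:
    """Split a DDS log into {section title: [entry lines]}.

    DDS pads sections with lone '.' lines; those and blank lines are dropped.
    """
    sections: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections[current] = []
        elif current is not None and line.strip() not in ("", "."):
            sections[current].append(line.rstrip())
    return sections


# Sun/Oracle JRE entries as they appear in Add/Remove Programs on XP.
JAVA_RES = (
    # "J2SE Runtime Environment 5.0 Update 6" -> family 5, update 6
    re.compile(r"^J2SE Runtime Environment (\d+)\.\d+ Update (\d+)$"),
    # "Java(TM) 6 Update 13" -> family 6, update 13
    re.compile(r"^Java\(TM\) (\d+) Update (\d+)$"),
)


def java_runtimes(programs: List[str]) -> List[Tuple[str, int, int]]:
    """Return (entry, family, update) for every Sun/Oracle JRE entry."""
    found = []
    for entry in programs:
        for rx in JAVA_RES:
            m = rx.match(entry)
            if m:
                found.append((entry, int(m.group(1)), int(m.group(2))))
    return found


def superseded_java(programs: List[str]) -> List[str]:
    """JRE entries older than the newest JRE present.

    A newer Java install does not remove older ones, so each of these is a
    separate, older plugin still reachable from the browser. The usual
    cleanup advice is to uninstall all but the newest, then update that one.
    """
    runtimes = java_runtimes(programs)
    if len(runtimes) < 2:
        return []
    newest = max(runtimes, key=lambda r: (r[1], r[2]))
    return [e for e, fam, upd in runtimes if (fam, upd) < (newest[1], newest[2])]


def audit(text: str) -> List[str]:
    """Human-readable findings for one DDS log."""
    programs = dds_sections(text).get("Installed Programs", [])
    return [f"superseded Java runtime still installed: {e}"
            for e in superseded_java(programs)]


if __name__ == "__main__":
    for finding in audit(SAMPLE_DDS):
        print(finding)
```

Run it against a saved DDS.txt by reading the file into `audit()`; the same section parser can be pointed at the Event Viewer section for a timeline, since `dds_sections` keeps every section it sees.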
  4. Bobbye

    Bobbye Helper on the Fringe

    No problem - happens frequently. Suggest you uninstall RegistryQuick in Add/Remove Programs. Then use Windows Explorer to access Computer > Local Drive (C:) > Program Files > do a right click > delete its program folder. We don't recommend a registry cleaner to anyone. The risks far outweigh the benefit.

    Okay to go ahead with my instructions, then post logs when ready.
  5. FHorn

    FHorn Newcomer, in training Topic Starter

    Logs

    Thanks again for your help. Here are the logs. As a side note, when I do "Remove programs" or look at the Program Files, I do not see RegistryQuick or the other malicious programs. Not sure if they were removed by the recent malware programs that have been run. I did do one Google search and things appear to be working. Anyway, here are the logs:

    RKill

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 01/11/2012 at 20:41:17.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:

    C:\WINDOWS\system32\verclsid.exe


    Rkill completed on 01/11/2012 at 20:44:29.


    MBAM

    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.12.05

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Nicole :: PC677134193111 [administrator]

    1/12/2012 5:43:49 PM
    mbam-log-2012-01-12 (17-43-49).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 336669
    Time elapsed: 2 hour(s), 23 minute(s), 53 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    ESET

    C:\RECYCLER\S-1-5-21-4171789061-3901554716-3973874397-500\Dc1.exe Win32/Adware.RegistryQuick application

    Combofix

    ComboFix 12-01-13.03 - Nicole 01/13/2012 8:47.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1278 [GMT -8:00]
    Running from: c:\documents and settings\Nicole\Desktop\ComboFix.exe
    AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton 360 *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\amqnaaa.tmp
    c:\documents and settings\All Users\Application Data\emqnaaa.tmp
    c:\documents and settings\All Users\Application Data\glnnaaa.tmp
    c:\documents and settings\All Users\Application Data\hlnnaaa.tmp
    c:\documents and settings\All Users\Application Data\ilnnaaa.tmp
    c:\documents and settings\All Users\Application Data\ioznaaa.tmp
    c:\documents and settings\All Users\Application Data\jlnnaaa.tmp
    c:\documents and settings\All Users\Application Data\joznaaa.tmp
    c:\documents and settings\All Users\Application Data\klnnaaa.tmp
    c:\documents and settings\All Users\Application Data\koznaaa.tmp
    c:\documents and settings\All Users\Application Data\mkknaaa.tmp
    c:\documents and settings\All Users\Application Data\nkknaaa.tmp
    c:\documents and settings\All Users\Application Data\okknaaa.tmp
    c:\documents and settings\All Users\Application Data\pkknaaa.tmp
    c:\documents and settings\All Users\Application Data\qkknaaa.tmp
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\All Users\Application Data\tyonaaa.tmp
    c:\documents and settings\Nicole\My Documents\~WRL0001.tmp
    c:\documents and settings\Nicole\My Documents\~WRL0230.tmp
    c:\documents and settings\Nicole\My Documents\~WRL0597.tmp
    c:\documents and settings\Nicole\My Documents\~WRL1067.tmp
    c:\documents and settings\Nicole\My Documents\~WRL1177.tmp
    c:\documents and settings\Nicole\My Documents\~WRL1428.tmp
    c:\documents and settings\Nicole\My Documents\~WRL1507.tmp
    c:\documents and settings\Nicole\My Documents\~WRL2029.tmp
    c:\documents and settings\Nicole\My Documents\~WRL2578.tmp
    c:\documents and settings\Nicole\My Documents\~WRL2731.tmp
    c:\documents and settings\Nicole\My Documents\~WRL3115.tmp
    c:\documents and settings\Nicole\My Documents\~WRL3368.tmp
    c:\documents and settings\Nicole\WINDOWS
    c:\windows\setupapi.log
    c:\windows\system32\_000009_.tmp.dll
    c:\windows\system32\_000025_.tmp.dll
    c:\windows\system32\_000111_.tmp.dll
    D:\Autorun.inf
    .
    Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe
    .
    Infected copy of c:\windows\system32\svchost.exe was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\svchost.exe
    .
    c:\windows\explorer.exe . . . is infected!!
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-13 to 2012-01-13 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-13 04:31 . 2012-01-13 04:31 -------- d-----w- c:\program files\ESET
    2012-01-12 15:25 . 2012-01-12 15:25 -------- d-----w- c:\windows\system32\MpEngineStore
    2012-01-09 20:17 . 2012-01-09 20:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-09 20:17 . 2011-12-10 23:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-09 05:43 . 2012-01-09 16:22 -------- d-----w- c:\documents and settings\Nicole\Local Settings\Application Data\NPE
    2012-01-09 05:32 . 2012-01-09 06:21 -------- d-----w- C:\66ea9cec9032b4dc3d80e009ce3412
    2012-01-09 01:43 . 2012-01-09 01:43 -------- d-----w- c:\documents and settings\Nicole\Application Data\ElevatedDiagnostics
    2012-01-08 07:17 . 2012-01-08 16:44 -------- d-----w- c:\windows\system32\drivers\N360\0501000.01D
    2012-01-08 06:54 . 2012-01-08 06:54 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
    2012-01-08 06:54 . 2012-01-08 06:54 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2012-01-03 16:22 . 2012-01-03 16:22 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-01-12 15:25 . 2004-08-04 08:00 1058816 ----a-w- c:\windows\explorer.exe
    2012-01-08 07:22 . 2010-12-30 04:10 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2012-01-08 07:22 . 2010-12-30 04:10 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2011-12-14 18:16 . 2011-07-07 16:14 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-25 21:57 . 2004-08-04 08:00 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-11-23 13:25 . 2006-06-26 20:40 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-18 12:35 . 2004-08-04 08:00 60416 ----a-w- c:\windows\system32\packager.exe
    2011-11-04 19:20 . 2004-08-04 08:00 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-11-04 19:20 . 2004-08-04 08:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-11-04 19:20 . 2004-08-04 08:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-11-04 11:23 . 2004-08-04 08:00 385024 ----a-w- c:\windows\system32\html.iec
    2011-11-03 15:28 . 2004-08-04 08:00 386048 ----a-w- c:\windows\system32\qdvd.dll
    2011-11-03 15:28 . 2004-08-04 08:00 1292288 ----a-w- c:\windows\system32\quartz.dll
    2011-11-01 16:07 . 2004-08-04 08:00 1288704 ----a-w- c:\windows\system32\ole32.dll
    2011-10-28 05:31 . 2004-08-04 08:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2011-10-25 13:33 . 2004-08-04 08:00 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-10-25 12:52 . 2004-08-04 08:00 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-10-18 11:13 . 2004-08-04 08:00 186880 ----a-w- c:\windows\system32\encdec.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-22 68856]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
    "hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-11-16 503808]
    "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
    "eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-07 409600]
    "Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-11-05 233534]
    "RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
    "Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2005-10-28 679936]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-08 176128]
    "HPHUPD05"="c:\program files\HP\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2005-07-08 49152]
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
    "HPHmon05"="c:\windows\system32\hphmon05.exe" [2005-07-08 491520]
    "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
    "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-11-12 273528]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-23 148888]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    .
    c:\documents and settings\Nicole\Start Menu\Programs\Startup\
    Memeo AutoBackup Launcher.lnk - c:\documents and settings\Nicole\Application Data\Microsoft\Installer\{BD1F8143-C678-43CD-A296-A3A32A8C2976}\NewShortcut4_51A847D327C24F7797772AF2A4E486ED.exe [2009-9-27 73728]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "HideFastUserSwitching"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R0 SecureLockWare_EncryptFilterDriver;SecureLockWare Encryption Filter driver;c:\windows\system32\drivers\ENCRFIL.SYS [3/1/2009 9:14 PM 725120]
    R0 SecureLockWare_EncryptFilterDriver2;SecureLockWare Encryption Filter driver Ver.2;c:\windows\system32\drivers\SLWFIL.SYS [3/1/2009 9:14 PM 725248]
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0501000.01D\SymDS.sys [1/7/2012 11:18 PM 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0501000.01D\SymEFA.sys [1/7/2012 11:18 PM 744568]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20111223.001\BHDrvx86.sys [11/30/2011 6:25 PM 820344]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0501000.01D\Ironx86.sys [1/7/2012 11:18 PM 136312]
    R2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [6/15/2011 4:33 PM 249648]
    R2 N360;Norton 360;c:\program files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe [1/7/2012 11:17 PM 130008]
    R2 SecureLockWare_InputPassword;SecureLockWare Service;c:\program files\BUFFALO\Encrdisk\ENCRDLG.exe -Service_Execute --> c:\program files\BUFFALO\Encrdisk\ENCRDLG.exe -Service_Execute [?]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/8/2012 9:07 AM 106104]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20120112.002\IDSXpx86.sys [1/12/2012 5:42 PM 356280]
    S1 hjflzhha;hjflzhha;\??\c:\windows\system32\drivers\hjflzhha.sys --> c:\windows\system32\drivers\hjflzhha.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/12/2011 10:33 AM 136176]
    S3 bautopw;BUFFALO eco manager for HD Filter;c:\windows\system32\drivers\bautopw.sys [9/27/2009 7:29 PM 8960]
    S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [7/7/2011 6:31 PM 195336]
    S3 bfturboh;BUFFALO TurboUSB for HD Filter;c:\windows\system32\drivers\bfturboh.sys [9/27/2009 7:27 PM 17152]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11/12/2011 10:33 AM 136176]
    S3 NUVision;Zoran USB Live! (1004);c:\windows\system32\drivers\NUVision.sys [10/8/2009 1:18 PM 154976]
    S3 stv676;USB Video Camera;c:\windows\system32\drivers\stv676.sys [10/8/2009 1:06 PM 64512]
    S3 stv676m;USB Video Cameram;c:\windows\system32\drivers\stv676m.sys [10/8/2009 1:06 PM 6144]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-12 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
    .
    2012-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-11-12 18:33]
    .
    2012-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-11-12 18:33]
    .
    2012-01-13 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 21:40]
    .
    2012-01-13 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4171789061-3901554716-3973874397-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 21:40]
    .
    2012-01-12 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 21:40]
    .
    2012-01-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4171789061-3901554716-3973874397-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 21:40]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
    uInternet Settings,ProxyOverride = <local>
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    TCP: DhcpNameServer = 192.168.1.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    HKLM-Run-RegistryQuick.exe - c:\program files\Rq\RegistryQuick.exe
    AddRemove-HP Game Console - c:\program files\WildTangent\Apps\hpuninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-01-13 09:23
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????n??|?@???? ?,?B?????????????hLC? ??????
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
    "ImagePath"="\"c:\program files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7b,8e,8a,a6,9a,50,65,44,86,5f,59,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7b,8e,8a,a6,9a,50,65,44,86,5f,59,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(856)
    c:\windows\system32\WININET.dll
    c:\program files\NORTON 360\ENGINE\5.1.0.29\Microsoft.VC90.CRT\MSVCR90.dll
    c:\program files\NORTON 360\ENGINE\5.1.0.29\Microsoft.VC90.CRT\MSVCP90.dll
    c:\progra~1\WINDOW~1\wmpband.dll
    c:\program files\iTunes\iTunesMiniPlayer.dll
    c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
    c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
    c:\program files\Windows Desktop Search\deskbar.dll
    c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
    c:\program files\Windows Desktop Search\dbres.dll
    c:\program files\Windows Desktop Search\wordwheel.dll
    c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
    c:\program files\Windows Desktop Search\msnlExtRes.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\BUFFALO\Encrdisk\ENCRDLG.exe
    c:\windows\system32\SearchIndexer.exe
    c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
    c:\progra~1\HPQ\SHARED\HPQTOA~1.EXE
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
    c:\program files\Memeo\AutoBackup\MemeoBackup.exe
    c:\windows\system32\SearchProtocolHost.exe
    c:\windows\system32\SearchFilterHost.exe
    .
    **************************************************************************
    .
    Completion time: 2012-01-13 09:37:30 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-01-13 17:37
    .
    Pre-Run: 20,709,683,200 bytes free
    Post-Run: 20,885,422,080 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - 5C6D6B935D1F99311DC1AFF2148AAA34
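The ComboFix log above lists autostart entries, Security Center and firewall settings, and driver/service entries, and it is from these lines that the helper builds the Registry:: section of the CFScript later in the thread. As an added example that is not ComboFix code and not from this thread, the Python script below reads a handful of those lines in ComboFix's format (copied from the log above, plus one constructed ProxyServer value modelled on the proxy hijack the helper discusses later) and flags the settings a responder would review first: Security Center monitoring switched off, the Windows Firewall disabled, a browser proxy pointed at the local host, and a service whose image file ComboFix could not verify (shown as `[?]`). The severity labels and the reading of `[?]` are my assumptions.

```python
"""Triage of ComboFix 'Reg Loading Points' output.

Added example (not ComboFix code and not from the thread): parse a few log lines
in ComboFix's registry/service format and flag settings that weaken the host.
"""
import re
from dataclasses import dataclass

# Sample input: lines copied from the ComboFix log above, plus ONE constructed
# ProxyServer value (the proxy line is not in that log; it models the proxy
# hijack discussed later in the thread).
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-22 68856]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="http=127.0.0.1:8080"
S1 hjflzhha;hjflzhha;\??\c:\windows\system32\drivers\hjflzhha.sys --> c:\windows\system32\drivers\hjflzhha.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/12/2011 10:33 AM 136176]
'''

KEY_RE = re.compile(r'^\[(.+)\]$')                             # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')                  # "Name"=value
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.*)$')  # R0 name;display;image


@dataclass
class Finding:
    severity: str   # 'high' or 'medium' (labels are my own choice)
    what: str
    line: str


def parse_number(raw):
    """Return the integer in a ComboFix value like 'dword:00000001' or '0 (0x0)', else None."""
    raw = raw.strip()
    if raw.lower().startswith('dword:'):
        return int(raw[6:], 16)
    m = re.match(r'^(\d+)', raw)
    return int(m.group(1)) if m else None


def triage(log_text):
    findings = []
    key = ''   # registry key the following value lines belong to
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m:
            name, raw = m.group(1).lower(), m.group(2)
            num = parse_number(raw)
            if name == 'disablemonitoring' and num == 1 and 'security center' in key:
                findings.append(Finding('high', 'Security Center monitoring disabled under ' + key, line))
            elif name == 'enablefirewall' and num == 0:
                findings.append(Finding('high', 'Windows Firewall disabled under ' + key, line))
            elif name == 'proxyserver' and re.search(r'127\.0\.0\.1|localhost', raw, re.I):
                findings.append(Finding('high', 'browser proxy points at the local host', line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            state, name, _display, image = m.groups()
            # ComboFix prints '[?]' when it could not stat/verify the image file.
            if image.rstrip().endswith('[?]'):
                findings.append(Finding('medium', f'service {name} ({state}) image not verifiable', line))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.severity:6} {f.what}\n       {f.line}')
```

Running it against the sample prints four high findings and one medium one; the three DisableMonitoring/EnableFirewall lines are exactly the values the helper's CFScript removes with `"DisableMonitoring"=-` later in the thread, and the proxy check mirrors the LAN-settings step in the Safe Mode instructions.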
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Okay- found Registry Quick: it was deleted and is now in the Recycler Folder: I will have you remove it shortly:

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      
      :filefind
      explorer.exe
      
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
    ================================
    I'd like you to run a special scan before we deal with Combofix:
    • Make sure to use Internet Explorer for this
    • Please go to VirSCAN.org free on-line scan service
    • Copy and paste each of the following file paths into the "Suspicious files to scan" box on the top of the page, one at a time:
      Code:
        c:\windows\system32\userinit.exe
      
        c:\windows\explorer.exe
      
        c:\windows\system32\svchost.exe
      
    • Click on the Upload button
    • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.
  7. FHorn

    FHorn Newcomer, in training Topic Starter

    Thanks again for the help.

    Here is the System Look log:

    SystemLook 30.07.11 by jpshortstuff
    Log created at 08:25 on 14/01/2012 by Nicole
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "explorer.exe"
    C:\WINDOWS\explorer.exe --a---- 1058816 bytes [08:00 04/08/2004] [15:25 12/01/2012] C921497CA89B781DA93E20219EC15044
    C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe --a---- 1033216 bytes [11:26 13/06/2007] [11:26 13/06/2007] 7712DF0CDDE3A5AC89843E61CD5B3658
    C:\WINDOWS\$NtServicePackUninstall$\explorer.exe -----c- 1033216 bytes [01:42 23/05/2009] [10:23 13/06/2007] 97BD6515465659FF8F3B7BE375B2EA87
    C:\WINDOWS\$NtUninstallKB938828$\explorer.exe -----c- 1032192 bytes [05:30 16/08/2007] [08:00 04/08/2004] A0732187050030AE399B241436565E64
    C:\WINDOWS\ServicePackFiles\i386\explorer.exe ------- 1033728 bytes [04:53 06/08/2008] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923

    -= EOF =-

    The other was unable to do any scans. For all three .exe files, it stated:

    Error: returned status code 403 Forbidden

    Let me know what you advise. Thanks.
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    You got Error: returned status code 403 Forbidden when you accessed VirScan?

    The URL is good> http://virscan.org/. It brings up the page:

    VirSCAN
    Suspicious file(s) to scan:

    1, You can UPLOAD any files, but there is 20Mb limit per file.
    2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
    3, VirSCAN can scan compressed files with password 'infected' or 'virus'.
    With the box to put each of the files in, one at a time.

    Please try it again. If that site, VirSCAN.org still causes a problem, try one of these:

    VirusTotal
    Jotti
  9. FHorn

    FHorn Newcomer, in training Topic Starter

    virscan.org logs

    Last time I tried it, I received the error message when I clicked "upload." I tried it again and it worked just fine. Looks like a trojan horse in explorer.exe. Here are the logs in order:

    Log for c:\windows\system32\userinit.exe


    VirSCAN.org Scanned Report :
    Scanned time : 2012/01/17 08:04:01 (CST)
    Scanner results: Scanners did not find malware!
    File Name : userinit.exe
    File Size : 26112 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : a93aee1928a9d7ce3e16d24ec7380f89
    SHA1 : 513f8bdf67a5a9e09803cfb61f590b39f2683853
    Online report : http://r.virscan.org/5b11e2d2af8d6f28112845314a3403c2

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 5.1.0.4 20120117080231 2012-01-17 0.27 -
    AhnLab V3 2012.01.16.03 2012.01.16 2012-01-16 5.47 -
    AntiVir 8.2.8.26 7.11.21.50 2012-01-16 0.25 -
    Antiy 2.0.18 20120116.15731644 2012-01-16 0.02 -
    Arcavir 2011 201201161326 2012-01-16 3.46 -
    Authentium 5.1.1 201201162023 2012-01-16 1.49 -
    AVAST! 4.7.4 120116-1 2012-01-16 0.01 -
    AVG 10.0.1405 2090/4147 2012-01-16 0.06 -
    BitDefender 7.90123.7930552 7.40621 2012-01-17 4.16 -
    ClamAV 0.97.1 14314 2012-01-16 0.00 -
    Comodo 5.1 11289 2012-01-16 2.12 -
    CP Secure 1.3.0.5 2012.01.17 2012-01-17 0.04 -
    Dr.Web 7.0.0.11250 2012.01.17 2012-01-17 11.64 -
    F-Prot 4.6.2.117 20120116 2012-01-16 0.76 -
    F-Secure 7.02.73807 2012.01.10.04 2012-01-10 10.85 -
    Fortinet 4.2.257 15.97 2012-01-14 0.10 -
    GData 22.3504 20120117 2012-01-17 4.85 -
    ViRobot 20120116 2012.01.16 2012-01-16 0.33 -
    Ikarus T3.1.32.20.0 2012.01.16.80250 2012-01-16 5.06 -
    JiangMin 13.0.900 2011.11.26 2011-11-26 1.93 -
    Kaspersky 5.5.10 2012.01.16 2012-01-16 0.19 -
    KingSoft 2009.2.5.15 2012.1.17.9 2012-01-17 0.87 -
    McAfee 5400.1158 6591 2012-01-16 10.73 -
    Microsoft 1.7903 2012.01.16 2012-01-16 3.29 -
    NOD32 3.0.21 6800 2012-01-16 0.00 -
    Panda 9.05.01 2012.01.16 2012-01-16 2.37 -
    Trend Micro 9.500-1005 8.712.13 2012-01-16 0.04 -
    Quick Heal 11.00 2012.01.16 2012-01-16 0.92 -
    Rising 20.0 23.93.00.02 2012-01-16 2.40 -
    Sophos 3.27.0 4.73 2012-01-17 4.52 -
    Sunbelt 3.9.2526.2 11407 2012-01-16 0.69 -
    Symantec 1.3.0.24 20120116.002 2012-01-16 0.05 -
    nProtect 20120116.02 11851100 2012-01-16 1.30 -
    The Hacker 6.7.0.1 v00380 2012-01-16 0.51 -
    VBA32 3.12.16.4 20120116.0721 2012-01-16 3.70 -
    VirusBuster 5.4.0.10 14.1.170.0/74162742012-01-17 0.01 -



    virscan.org - scan of c:\windows\explorer.exe


    VirSCAN.org Scanned Report :
    Scanned time : 2012/01/17 08:48:54 (CST)
    Scanner results: 3% Scanner(s) (1/36) found malware!
    File Name : explorer.exe
    File Size : 1058816 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : c921497ca89b781da93e20219ec15044
    SHA1 : 9c3dd108b62380ade06ad72c0322607f76b58c60
    Online report : http://r.virscan.org/eb6aa10b71864c93d87535b8e04deae8

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 5.1.0.4 20120117080231 2012-01-17 0.41 -
    AhnLab V3 2012.01.16.03 2012.01.16 2012-01-16 3.26 -
    AntiVir 8.2.8.26 7.11.21.50 2012-01-16 0.25 -
    Antiy 2.0.18 20120116.15731644 2012-01-16 0.02 -
    Arcavir 2011 201201161326 2012-01-16 3.53 -
    Authentium 5.1.1 201201162023 2012-01-16 1.49 -
    AVAST! 4.7.4 120116-1 2012-01-16 0.08 -
    AVG 10.0.1405 2090/4147 2012-01-16 0.08 -
    BitDefender 7.90123.7930552 7.40621 2012-01-17 4.10 -
    ClamAV 0.97.1 14314 2012-01-16 0.29 -
    Comodo 5.1 11289 2012-01-16 3.64 -
    CP Secure 1.3.0.5 2012.01.17 2012-01-17 0.40 -
    Dr.Web 7.0.0.11250 2012.01.17 2012-01-17 11.62 -
    F-Prot 4.6.2.117 20120116 2012-01-16 0.81 -
    F-Secure 7.02.73807 2012.01.10.04 2012-01-10 12.61 -
    Fortinet 4.2.257 15.105 2012-01-16 0.10 -
    GData 22.3506 20120117 2012-01-17 4.84 -
    ViRobot 20120116 2012.01.16 2012-01-16 0.36 -
    Ikarus T3.1.32.20.0 2012.01.16.80250 2012-01-16 5.20 -
    JiangMin 13.0.900 2011.11.26 2011-11-26 1.93 -
    Kaspersky 5.5.10 2012.01.16 2012-01-16 0.12 -
    KingSoft 2009.2.5.15 2012.1.17.9 2012-01-17 0.86 -
    McAfee 5400.1158 6591 2012-01-16 10.89 -
    Microsoft 1.7903 2012.01.17 2012-01-17 5.30 -
    NOD32 3.0.21 6800 2012-01-16 0.10 -
    Panda 9.05.01 2012.01.16 2012-01-16 2.62 -
    Trend Micro 9.500-1005 8.712.13 2012-01-16 0.04 -
    Quick Heal 11.00 2012.01.16 2012-01-16 1.43 -
    Rising 20.0 23.93.00.02 2012-01-16 2.26 Trojan.Win32.Generic.12ADF86E
    Sophos 3.27.0 4.73 2012-01-17 4.53 -
    Sunbelt 3.9.2526.2 11407 2012-01-16 1.31 -
    Symantec 1.3.0.24 20120116.002 2012-01-16 0.09 -
    nProtect 20120116.02 11851100 2012-01-16 1.69 -
    The Hacker 6.7.0.1 v00380 2012-01-16 0.87 -
    VBA32 3.12.16.4 20120116.0721 2012-01-16 3.92 -
    VirusBuster 5.4.0.10 14.1.170.0/74162742012-01-17 0.02 -



    virscan.org log of c:\windows\system32\svchost.exe

    VirSCAN.org Scanned Report :
    Scanned time : 2012/01/17 08:52:39 (CST)
    Scanner results: Scanners did not find malware!
    File Name : svchost.exe
    File Size : 14336 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : 27c6d03bcdb8cfeb96b716f3d8be3e18
    SHA1 : 49083ae3725a0488e0a8fbbe1335c745f70c4667
    Online report : http://r.virscan.org/6b0c513cf7fc34877e3289c75c53566b

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 5.1.0.4 20120117080231 2012-01-17 0.26 -
    AhnLab V3 2012.01.16.03 2012.01.16 2012-01-16 2.84 -
    AntiVir 8.2.8.26 7.11.21.50 2012-01-16 0.25 -
    Antiy 2.0.18 20120116.15731644 2012-01-16 0.02 -
    Arcavir 2011 201201161326 2012-01-16 3.42 -
    Authentium 5.1.1 201201162023 2012-01-16 1.44 -
    AVAST! 4.7.4 120116-1 2012-01-16 0.01 -
    AVG 10.0.1405 2090/4147 2012-01-16 0.06 -
    BitDefender 7.90123.7930552 7.40621 2012-01-17 4.04 -
    ClamAV 0.97.1 14314 2012-01-16 0.01 -
    Comodo 5.1 11289 2012-01-16 2.05 -
    CP Secure 1.3.0.5 2012.01.17 2012-01-17 0.04 -
    Dr.Web 7.0.0.11250 2012.01.17 2012-01-17 11.37 -
    F-Prot 4.6.2.117 20120116 2012-01-16 0.76 -
    F-Secure 7.02.73807 2012.01.10.04 2012-01-10 0.20 -
    Fortinet 4.2.257 15.105 2012-01-16 0.10 -
    GData 22.3506 20120117 2012-01-17 4.73 -
    ViRobot 20120116 2012.01.16 2012-01-16 0.33 -
    Ikarus T3.1.32.20.0 2012.01.16.80250 2012-01-16 5.07 -
    JiangMin 13.0.900 2011.11.26 2011-11-26 2.08 -
    Kaspersky 5.5.10 2012.01.16 2012-01-16 0.11 -
    KingSoft 2009.2.5.15 2012.1.17.9 2012-01-17 0.93 -
    McAfee 5400.1158 6591 2012-01-16 10.77 -
    Microsoft 1.7903 2012.01.17 2012-01-17 3.32 -
    NOD32 3.0.21 6800 2012-01-16 0.01 -
    Panda 9.05.01 2012.01.16 2012-01-16 2.32 -
    Trend Micro 9.500-1005 8.712.13 2012-01-16 0.03 -
    Quick Heal 11.00 2012.01.16 2012-01-16 1.31 -
    Rising 20.0 23.93.00.02 2012-01-16 2.53 -
    Sophos 3.27.0 4.73 2012-01-17 4.51 -
    Sunbelt 3.9.2526.2 11407 2012-01-16 0.67 -
    Symantec 1.3.0.24 20120116.002 2012-01-16 0.05 -
    nProtect 20120116.02 11851100 2012-01-16 1.35 -
    The Hacker 6.7.0.1 v00380 2012-01-16 0.52 -
    VBA32 3.12.16.4 20120116.0721 2012-01-16 3.79 -
    VirusBuster 5.4.0.10 14.1.170.0/74162742012-01-17 0.01 -


    Let me know what you think. Thank you again.
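Posts 7 and 9 above carry the evidence behind replacing explorer.exe: SystemLook shows the live copy at 1058816 bytes with hash C921497CA89B781DA93E20219EC15044, while every cached copy Windows keeps (in $NtServicePackUninstall$, ServicePackFiles, $hf_mig$ and $NtUninstallKB938828$) is about 1.03 MB with a different hash, and VirSCAN's single generic detection (1 of 36 engines) is weak evidence on its own. As an added example that is not SystemLook's code and not from this thread, the Python script below parses those filefind lines (copied from the log above) and applies the same cross-check, reporting why the live copy looks replaced and which cached copies could restore it. Assumptions: SystemLook prints the [created] bracket before the [modified] one; the "two signals" threshold and the candidate ordering are my choices.

```python
"""Cross-check a SystemLook ':filefind' result against the OS's cached copies.

Added example (not SystemLook's code and not from the thread). The live
C:\WINDOWS\explorer.exe is compared with the copies Windows keeps in
$NtServicePackUninstall$, ServicePackFiles, $hf_mig$ and $NtUninstallKB*$.
"""
import re
from datetime import datetime

# Sample input: the filefind lines copied from the SystemLook log posted above.
SYSTEMLOOK_LOG = r'''
Searching for "explorer.exe"
C:\WINDOWS\explorer.exe --a---- 1058816 bytes [08:00 04/08/2004] [15:25 12/01/2012] C921497CA89B781DA93E20219EC15044
C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe --a---- 1033216 bytes [11:26 13/06/2007] [11:26 13/06/2007] 7712DF0CDDE3A5AC89843E61CD5B3658
C:\WINDOWS\$NtServicePackUninstall$\explorer.exe -----c- 1033216 bytes [01:42 23/05/2009] [10:23 13/06/2007] 97BD6515465659FF8F3B7BE375B2EA87
C:\WINDOWS\$NtUninstallKB938828$\explorer.exe -----c- 1032192 bytes [05:30 16/08/2007] [08:00 04/08/2004] A0732187050030AE399B241436565E64
C:\WINDOWS\ServicePackFiles\i386\explorer.exe ------- 1033728 bytes [04:53 06/08/2008] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
'''

# path  attrs  size bytes  [created]  [modified]  MD5   (SystemLook filefind layout)
LINE_RE = re.compile(
    r'^(?P<path>.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes'
    r'\s+\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$')
TIME_FMT = '%H:%M %d/%m/%Y'
# Directories where XP keeps known-good copies of system binaries.
BACKUP_MARKERS = ('$ntservicepackuninstall$', 'servicepackfiles', '$hf_mig$', '$ntuninstall')


def parse_systemlook(text):
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d['size'] = int(d['size'])
        d['md5'] = d['md5'].lower()
        d['created'] = datetime.strptime(d['created'], TIME_FMT)
        d['modified'] = datetime.strptime(d['modified'], TIME_FMT)
        entries.append(d)
    return entries


def is_backup(path):
    p = path.lower()
    return any(marker in p for marker in BACKUP_MARKERS)


def assess(entries):
    """For each live copy, list why it looks replaced and which cached copies could restore it."""
    backups = [e for e in entries if is_backup(e['path'])]
    known_hashes = {b['md5'] for b in backups}
    reports = []
    for e in entries:
        if is_backup(e['path']):
            continue
        reasons = []
        if backups and e['md5'] not in known_hashes:
            reasons.append('MD5 matches none of the cached OS copies')
        if backups and e['size'] > max(b['size'] for b in backups):
            reasons.append('larger than every cached copy')
        # A system binary whose mtime is years after its ctime was rewritten in place.
        if (e['modified'] - e['created']).days > 365:
            reasons.append('modified long after it was created')
        reports.append({
            'path': e['path'],
            'md5': e['md5'],
            'suspicious': len(reasons) >= 2,   # threshold is my choice; one signal alone is weak
            'reasons': reasons,
            # newest cached copy first; which one fits the installed SP level is a judgement call
            'restore_candidates': [b['path'] for b in sorted(backups, key=lambda b: b['modified'], reverse=True)],
        })
    return reports


if __name__ == '__main__':
    for r in assess(parse_systemlook(SYSTEMLOOK_LOG)):
        print(r['path'], 'SUSPICIOUS' if r['suspicious'] else 'ok')
        for why in r['reasons']:
            print('  -', why)
        print('  restore candidates:', *r['restore_candidates'], sep='\n    ')
```

On the sample the live explorer.exe trips all three checks. The script only lists restore candidates rather than picking one, because the correct copy depends on the service-pack level actually installed; the helper's CFScript later chooses the $NtServicePackUninstall$ copy via FCopy::.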
  10. FHorn

    FHorn Newcomer, in training Topic Starter

    updates?

    Just wanted to see if you have any more updates. As a side note, I am running Norton 360. Thank you.

    FHorn
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Got behind over the holidays- still trying to catch up! Thank you for your patience.

    I'm replacing the infected explorer.exe file below:
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    Folder::
    C:\66ea9cec9032b4dc3d80e009ce3412
    DDS::
    uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
    BHO: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No File
    BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - No File
    BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
    BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No File
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    mRun: [RegistryQuick.exe] c:\program files\rq\RegistryQuick.exe
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Reminder"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-
    Clearjavacache::
    FCopy::
    C:\WINDOWS\$NtServicePackUninstall$\explorer.exe | c:\windows\explorer.exe 
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
    =============================================
    You may have a flash drive infection, evident as a quarantine in Combofix for Drive D. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.

    Please disinfect all movable drives
    1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings
    3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    4. Wait until it has finished scanning and then exit the program.
    5. Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    =======================================
    Note: Be sure to check all download screens for any pre-checked toolbars or BHO> if found, remove the check before the download.

    Please update Java: Java Updates . Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.

    Please update Adobe Reader: visit this Adobe Reader site and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    =================
    I recommend that you stop these Scheduled Tasks:
    Access Scheduled Tasks by clicking Start> All Programs> Accessories> System Tools> Scheduled Tasks:
    To delete a task> right-click the task> click Delete.
    (Duplicates of both)
    c:\windows\Tasks\RealUpgradeLogonTaskS
    c:\windows\Tasks\RealUpgradeLogonTaskS
    c:\windows\Tasks\RealUpgradeScheduledTaskS
    c:\windows\Tasks\RealUpgradeScheduledTaskS

    ======================================
    Since you had evidence of the rogue antivirus suite, I'd like to make sure it has been removed. Please go on to the next reply. (Save Combofix log, post in next reply)
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Let's make sure we got all the bad entries.

    Please do the following to help you run other programs:

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, using your up/down arrows to reach it and then press ENTER.

    This infection may change your Windows settings to use a proxy server that will not allow you to browse any pages on the Internet with Internet Explorer or update security software, so we will first need to fix this: launch Internet Explorer
    • Access Internet Options through Tools> Connections tab
    • Click on the Lan Settings at the bottom
    • Proxy Server section> uncheck the box labeled 'Use a proxy server for your LAN'.
    • Then click on OK> and OK again to close Internet Options.
    ===============================
    This malware frequently comes with the TDSS rootkit, so do the following:
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result. Save the log to post in next reply.
    • A reboot is required after disinfection.
    ====================================
    If TDSSKiller requires you to reboot, please allow it to do so. After you reboot, reboot back into Safe Mode with Networking again.
    ====================================
    To end the processes that belong to the rogue program:
    Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 3 different versions. If one of them won't run then download and try to run the other one. (Vista and Win7 users need to right click Rkill and choose Run as Administrator)

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • If the tool does not run from any of the links provided, please let me know.
    Do not reboot until instructed, as it will start the malware again.
    ==================================
    You will run another scan with Mbam, after it updates, but this time, on the Scanner tab, make sure the Perform Full Scan option is selected and then click on the Scan button.

    When scan has finished, you will see this image:
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
    ========================================
    TDSSKiller
    RKill
    New Malwarebytes
    Combofix log from previous post.
    =======================================
    The Recycler folder is a hidden folder where the files you delete are stored, until you empty the Recycle Bin on NTFS partition. It will eventually get overwritten in time, but will show on scan until it is removed.

    The Recycler folder contains a Recycle Bin for each user that logs on to the computer, sorted by their security identifier (SID). Example: S-1-5-21-330564415-2671475969-752554860-1006. We need to remove the infected file that is still in the Recycler.

    Note: The Recycle Bin on the Desktop must be empty. Close any running programs.

    1. How could you clear this area using Command Prompt?
    Start> Run> type in cmd> enter
    At a Command Prompt type rd /s /q c:\recycler
    Windows will create a new recycler for the drive when the computer is rebooted.

    2. How could you clear this area using Windows Explorer?
    1. Right click on Start> Explore> Computer> Local Drive
    2. Go to Tools> Folder Options> View tab
    3. Check 'show hidden files and folders'
    4. Uncheck 'hide protected system files (Recommended)'
    5. Click Yes to confirm
    6. Scroll down to and double click on the Recycler
    7. Highlight all the files> Hold shift and press the Delete key
    Go back to Folder Options> View tab
    • Check 'do not show hidden files and folders'
    • Recheck 'hide protected system files' (Recommended)
    • Click on OK> Apply> OK> Exit Windows Explorer.
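Bobbye's steps above have TDSSKiller write a log line for every scanned object. As an added example (not part of this thread and not Kaspersky's code), the Python script below triages such a log so the few interesting entries are not lost among hundreds of "- ok" lines; it assumes the two line shapes of TDSSKiller 2.x output (a file record with MD5 and path, and a "name - verdict" line) and uses a constructed sample with made-up names, hashes and verdict.

```python
"""Triage a TDSSKiller-style scan log.

Reports every object whose verdict is not "ok" and every driver file that is
loaded from outside the usual system locations.
"""
import re
from dataclasses import dataclass

# The two line shapes assumed from TDSSKiller 2.x output: a file record
# "TIME PID NAME (MD5) PATH" and a verdict line "TIME PID NAME - VERDICT".
FILE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+(?P<name>\S+)\s+"
    r"\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>.+?)\s*$"
)
VERDICT_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+(?P<name>\S+)\s+-\s+(?P<verdict>.+?)\s*$"
)

# Where drivers normally live on an XP box: the Windows tree, Program Files,
# and the shared profile (Norton keeps its definition drivers there).
# A driver under a user's own profile or Temp folder deserves a closer look.
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\documents and settings\\all users\\",
)

# Constructed sample log (not from the thread): the service name "qzxwvkpl",
# the hashes and the "suspicious" verdict are made up to exercise both rules.
SAMPLE_LOG = """\
04:54:11.0796 1180 Scan started
04:54:13.0359 1180 ACPI (0123456789abcdef0123456789abcdef) C:\\WINDOWS\\system32\\DRIVERS\\ACPI.sys
04:54:13.0375 1180 ACPI - ok
04:54:13.0453 1180 adpu160m - ok
04:54:19.0640 1180 qzxwvkpl (fedcba9876543210fedcba9876543210) C:\\Documents and Settings\\Nicole\\Local Settings\\Temp\\qzxwvkpl.sys
04:54:19.0641 1180 qzxwvkpl - ok
04:54:22.0100 1180 atapi (00ff00ff00ff00ff00ff00ff00ff00ff) C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys
04:54:22.0101 1180 atapi - suspicious (constructed verdict)
"""


@dataclass
class Finding:
    name: str
    reason: str
    path: str


def parse(log_text):
    """Return (files, verdicts): name -> (md5, path) and name -> verdict text."""
    files, verdicts = {}, {}
    for line in log_text.splitlines():
        m = FILE_RE.match(line)
        if m:
            files[m["name"]] = (m["md5"].lower(), m["path"])
            continue
        m = VERDICT_RE.match(line)
        if m:
            verdicts[m["name"]] = m["verdict"]
    return files, verdicts


def triage(log_text):
    """Return entries a responder should look at: non-ok verdicts first,
    then drivers loaded from outside the trusted directories."""
    files, verdicts = parse(log_text)
    findings = []
    for name, verdict in verdicts.items():
        if verdict.strip().lower() != "ok":
            path = files.get(name, ("", "<no file record>"))[1]
            findings.append(Finding(name, "verdict: " + verdict, path))
    for name, (_md5, path) in files.items():
        if not path.lower().startswith(TRUSTED_PREFIXES):
            findings.append(Finding(name, "driver outside system directories", path))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.name:20} {f.reason:45} {f.path}")
```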
     
  14. FHorn

    FHorn Newcomer, in training Topic Starter

    Logs

    Bobbye,

    Thanks for your response and here are the logs of the scans. I also believe I got the recycler cleaned out.

    TDSSKiller Log

    04:54:05.0781 0248 TDSS rootkit removing tool 2.7.6.0 Jan 19 2012 13:09:04
    04:54:06.0203 0248 ============================================================
    04:54:06.0203 0248 Current date / time: 2012/01/21 04:54:06.0203
    04:54:06.0203 0248 SystemInfo:
    04:54:06.0203 0248
    04:54:06.0203 0248 OS Version: 5.1.2600 ServicePack: 3.0
    04:54:06.0203 0248 Product type: Workstation
    04:54:06.0203 0248 ComputerName: PC677134193111
    04:54:06.0203 0248 UserName: Nicole
    04:54:06.0203 0248 Windows directory: C:\WINDOWS
    04:54:06.0203 0248 System windows directory: C:\WINDOWS
    04:54:06.0203 0248 Processor architecture: Intel x86
    04:54:06.0203 0248 Number of processors: 1
    04:54:06.0203 0248 Page size: 0x1000
    04:54:06.0203 0248 Boot type: Safe boot with network
    04:54:06.0203 0248 ============================================================
    04:54:09.0843 0248 Drive \Device\Harddisk0\DR0 - Size: 0xDF8F90000 (55.89 Gb), SectorSize: 0x200, Cylinders: 0x1C80, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
    04:54:10.0000 0248 Initialize success
    04:54:11.0796 1180 ============================================================
    04:54:11.0796 1180 Scan started
    04:54:11.0796 1180 Mode: Manual;
    04:54:11.0796 1180 ============================================================
    04:54:34.0000 1180 WmiAcpi - ok
    04:54:34.0109 1180 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
    04:54:34.0109 1180 WpdUsb - ok
    04:54:34.0187 1180 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
    04:54:34.0187 1180 WS2IFSL - ok
    04:54:34.0296 1180 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    04:54:34.0296 1180 WSTCODEC - ok
    04:54:34.0375 1180 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    04:54:34.0375 1180 WudfPf - ok
    04:54:34.0453 1180 WUDFRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\WUDFRd.sys
    04:54:34.0453 1180 WUDFRd - ok
    04:54:34.0609 1180 MBR (0x1B8) (665277635dc8ba83deae12eadedb75a0) \Device\Harddisk0\DR0
    04:54:34.0656 1180 \Device\Harddisk0\DR0 - ok
    04:54:34.0656 1180 Boot (0x1200) (8ffd04c05d98011bafdc09fb7ff7e69d) \Device\Harddisk0\DR0\Partition0
    04:54:34.0671 1180 \Device\Harddisk0\DR0\Partition0 - ok
    04:54:34.0687 1180 Boot (0x1200) (04e220d70684d769d0ef0ccf95f83f55) \Device\Harddisk0\DR0\Partition1
    04:54:34.0687 1180 \Device\Harddisk0\DR0\Partition1 - ok
    04:54:34.0703 1180 ============================================================
    04:54:34.0703 1180 Scan finished
    04:54:34.0703 1180 ============================================================
    04:54:34.0734 1136 Detected object count: 0
    04:54:34.0734 1136 Actual detected object count: 0


    RKill Log

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 01/22/2012 at 11:43:28.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:



    Rkill completed on 01/22/2012 at 11:43:33.


    Malwarebytes Log

    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.22.03

    Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
    Internet Explorer 8.0.6001.18702
    Nicole :: PC677134193111 [administrator]

    1/22/2012 11:48:56 AM
    mbam-log-2012-01-22 (11-48-56).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 347563
    Time elapsed: 1 hour(s), 1 minute(s), 39 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)


    Combofix log

    ComboFix 12-01-21.02 - Nicole 01/20/2012 10:45:06.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1217 [GMT -8:00]
    Running from: c:\documents and settings\Nicole\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Nicole\Desktop\CFScript.txt
    AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton 360 *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\66ea9cec9032b4dc3d80e009ce3412
    c:\66ea9cec9032b4dc3d80e009ce3412\mrt.exe
    c:\66ea9cec9032b4dc3d80e009ce3412\mrtstub.exe
    c:\windows\expl.dat
    c:\windows\system32\svch.dat
    c:\windows\system32\winl.dat
    .
    .
    --------------- FCopy ---------------
    .
    c:\windows\$NtServicePackUninstall$\explorer.exe --> c:\windows\explorer.exe
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-20 to 2012-01-20 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-20 18:44 . 2012-01-20 18:44 -------- d-----w- c:\windows\LastGood
    2012-01-20 18:44 . 2007-06-13 10:23 1033216 ----a-w- c:\windows\OLD41.tmp
    2012-01-13 04:31 . 2012-01-13 04:31 -------- d-----w- c:\program files\ESET
    2012-01-12 15:25 . 2012-01-12 15:25 -------- d-----w- c:\windows\system32\MpEngineStore
    2012-01-09 20:17 . 2012-01-09 20:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-09 20:17 . 2011-12-10 23:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-09 05:43 . 2012-01-09 16:22 -------- d-----w- c:\documents and settings\Nicole\Local Settings\Application Data\NPE
    2012-01-09 01:43 . 2012-01-09 01:43 -------- d-----w- c:\documents and settings\Nicole\Application Data\ElevatedDiagnostics
    2012-01-08 07:17 . 2012-01-08 16:44 -------- d-----w- c:\windows\system32\drivers\N360\0501000.01D
    2012-01-08 06:54 . 2012-01-08 06:54 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
    2012-01-08 06:54 . 2012-01-08 06:54 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2012-01-03 16:22 . 2012-01-03 16:22 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-01-08 07:22 . 2010-12-30 04:10 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2012-01-08 07:22 . 2010-12-30 04:10 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2011-12-14 18:16 . 2011-07-07 16:14 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-25 21:57 . 2004-08-04 08:00 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-11-23 13:25 . 2006-06-26 20:40 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-18 12:35 . 2004-08-04 08:00 60416 ----a-w- c:\windows\system32\packager.exe
    2011-11-16 14:21 . 2004-08-04 08:00 354816 ----a-w- c:\windows\system32\winhttp.dll
    2011-11-16 14:21 . 2004-08-04 08:00 152064 ----a-w- c:\windows\system32\schannel.dll
    2011-11-04 19:20 . 2004-08-04 08:00 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-11-04 19:20 . 2004-08-04 08:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-11-04 19:20 . 2004-08-04 08:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-11-04 11:23 . 2004-08-04 08:00 385024 ----a-w- c:\windows\system32\html.iec
    2011-11-03 15:28 . 2004-08-04 08:00 386048 ----a-w- c:\windows\system32\qdvd.dll
    2011-11-03 15:28 . 2004-08-04 08:00 1292288 ----a-w- c:\windows\system32\quartz.dll
    2011-11-01 16:07 . 2004-08-04 08:00 1288704 ----a-w- c:\windows\system32\ole32.dll
    2011-10-28 05:31 . 2004-08-04 08:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2011-10-25 13:33 . 2004-08-04 08:00 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-10-25 12:52 . 2004-08-04 08:00 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-22 68856]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
    "hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-11-16 503808]
    "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
    "eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-07 409600]
    "Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-11-05 233534]
    "RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-08 176128]
    "HPHUPD05"="c:\program files\HP\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2005-07-08 49152]
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
    "HPHmon05"="c:\windows\system32\hphmon05.exe" [2005-07-08 491520]
    "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
    "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-11-12 273528]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-23 148888]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    .
    c:\documents and settings\Nicole\Start Menu\Programs\Startup\
    Memeo AutoBackup Launcher.lnk - c:\documents and settings\Nicole\Application Data\Microsoft\Installer\{BD1F8143-C678-43CD-A296-A3A32A8C2976}\NewShortcut4_51A847D327C24F7797772AF2A4E486ED.exe [2009-9-27 73728]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "HideFastUserSwitching"= 1 (0x1)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R0 SecureLockWare_EncryptFilterDriver;SecureLockWare Encryption Filter driver;c:\windows\system32\drivers\ENCRFIL.SYS [3/1/2009 9:14 PM 725120]
    R0 SecureLockWare_EncryptFilterDriver2;SecureLockWare Encryption Filter driver Ver.2;c:\windows\system32\drivers\SLWFIL.SYS [3/1/2009 9:14 PM 725248]
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0501000.01D\SymDS.sys [1/7/2012 11:18 PM 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0501000.01D\SymEFA.sys [1/7/2012 11:18 PM 744568]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20111223.001\BHDrvx86.sys [11/30/2011 6:25 PM 820344]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0501000.01D\Ironx86.sys [1/7/2012 11:18 PM 136312]
    R2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [6/15/2011 4:33 PM 249648]
    R2 N360;Norton 360;c:\program files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe [1/7/2012 11:17 PM 130008]
    R2 SecureLockWare_InputPassword;SecureLockWare Service;c:\program files\BUFFALO\Encrdisk\ENCRDLG.exe -Service_Execute --> c:\program files\BUFFALO\Encrdisk\ENCRDLG.exe -Service_Execute [?]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/8/2012 9:07 AM 106104]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20120120.002\IDSXpx86.sys [1/19/2012 1:39 PM 356280]
    S1 hjflzhha;hjflzhha;\??\c:\windows\system32\drivers\hjflzhha.sys --> c:\windows\system32\drivers\hjflzhha.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/12/2011 10:33 AM 136176]
    S3 bautopw;BUFFALO eco manager for HD Filter;c:\windows\system32\drivers\bautopw.sys [9/27/2009 7:29 PM 8960]
    S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [7/7/2011 6:31 PM 195336]
    S3 bfturboh;BUFFALO TurboUSB for HD Filter;c:\windows\system32\drivers\bfturboh.sys [9/27/2009 7:27 PM 17152]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11/12/2011 10:33 AM 136176]
    S3 NUVision;Zoran USB Live! (1004);c:\windows\system32\drivers\NUVision.sys [10/8/2009 1:18 PM 154976]
    S3 stv676;USB Video Camera;c:\windows\system32\drivers\stv676.sys [10/8/2009 1:06 PM 64512]
    S3 stv676m;USB Video Cameram;c:\windows\system32\drivers\stv676m.sys [10/8/2009 1:06 PM 6144]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-12 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
    .
    2012-01-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-11-12 18:33]
    .
    2012-01-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-11-12 18:33]
    .
    2012-01-19 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 21:40]
    .
    2012-01-19 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4171789061-3901554716-3973874397-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 21:40]
    .
    2012-01-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 21:40]
    .
    2012-01-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4171789061-3901554716-3973874397-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 21:40]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = <local>
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    TCP: DhcpNameServer = 192.168.1.1
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-01-20 11:11
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????n??|?`???? ?,?B?????????????hLC? ??????
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
    "ImagePath"="\"c:\program files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7b,8e,8a,a6,9a,50,65,44,86,5f,59,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7b,8e,8a,a6,9a,50,65,44,86,5f,59,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(716)
    c:\windows\system32\igfxdev.dll
    .
    Completion time: 2012-01-20 11:17:42
    ComboFix-quarantined-files.txt 2012-01-20 19:17
    ComboFix2.txt 2012-01-13 17:37
    .
    Pre-Run: 20,805,128,192 bytes free
    Post-Run: 20,748,349,440 bytes free
    .
    - - End Of File - - A28F222B4188687C3A381BC1E7E29716


    Thank you again for all of your help.

    FHorn
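As an added example (not code from the thread or from ComboFix), a Python helper that parses the `R0 name;description;path [date size]` service lines of the ComboFix log posted above and flags entries whose image file ComboFix could not find (`[?]`), such as the orphaned `hjflzhha` driver, plus names that look machine-generated; the random-name heuristic is an assumption of this example, and the sample input is an excerpt of the posted log.

```python
"""Triage helper for the service entries of a ComboFix log.

Added example for this thread, not code from ComboFix or from the forum post.
ComboFix prints each service as

    <R|S><start type> <name>;<description>;<image path> [<date> <time> <size>]

where R/S is running/stopped, the digit is the Windows start type
(0 boot, 1 system, 2 automatic, 3 manual) and "[?]" replaces the date and
size when the image file could not be found.  The "random name" heuristic
is an assumption of this example, tuned to the orphaned hjflzhha entry.
"""
import re
from dataclasses import dataclass

SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]$"
)
VOWELS = set("aeiou")


@dataclass
class ServiceEntry:
    state: str   # "R" running or "S" stopped
    start: int   # Windows start type digit as printed by ComboFix
    name: str
    desc: str
    path: str    # may contain "src --> dst" when ComboFix resolved the image
    meta: str    # "<date> <time> <size>" or "?" when the file is missing

    @property
    def file_missing(self) -> bool:
        return self.meta.strip() == "?"


def parse_service_line(line: str):
    """Return a ServiceEntry for a ComboFix service line, else None."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(m["state"], int(m["start"]), m["name"], m["desc"],
                        m["path"], m["meta"])


def parse_services(log_text: str):
    entries = (parse_service_line(l) for l in log_text.splitlines())
    return [e for e in entries if e is not None]


def longest_consonant_run(s: str) -> int:
    best = run = 0
    for ch in s:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def looks_generated(name: str, desc: str) -> bool:
    """Heuristic (assumed, not ComboFix's): all-lowercase letter-only name,
    description identical to the name, and a long run of consonants."""
    return (name == desc
            and re.fullmatch(r"[a-z]{6,12}", name) is not None
            and longest_consonant_run(name) >= 4)


def find_suspicious(entries):
    """Pair each entry that deserves a second look with the reasons why.
    Legitimate services with a missing image (the BUFFALO one below) are
    flagged too: this is a triage aid for a human, not a verdict."""
    findings = []
    for e in entries:
        reasons = []
        if e.file_missing:
            reasons.append("image file not found ([?])")
        if looks_generated(e.name, e.desc):
            reasons.append("random-looking service name, no description")
        if reasons:
            findings.append((e, reasons))
    return findings


# Excerpt of the service section posted in the thread, used here as sample input.
SAMPLE_LOG = r"""
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0501000.01D\SymDS.sys [1/7/2012 11:18 PM 340088]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20111223.001\BHDrvx86.sys [11/30/2011 6:25 PM 820344]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe [1/7/2012 11:17 PM 130008]
R2 SecureLockWare_InputPassword;SecureLockWare Service;c:\program files\BUFFALO\Encrdisk\ENCRDLG.exe -Service_Execute --> c:\program files\BUFFALO\Encrdisk\ENCRDLG.exe -Service_Execute [?]
S1 hjflzhha;hjflzhha;\??\c:\windows\system32\drivers\hjflzhha.sys --> c:\windows\system32\drivers\hjflzhha.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/12/2011 10:33 AM 136176]
S3 bautopw;BUFFALO eco manager for HD Filter;c:\windows\system32\drivers\bautopw.sys [9/27/2009 7:29 PM 8960]
.
"""

if __name__ == "__main__":
    for entry, reasons in find_suspicious(parse_services(SAMPLE_LOG)):
        print(f"{entry.state}{entry.start} {entry.name}: {'; '.join(reasons)}")
```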
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    You're welcome. Tell me about these:

    2012-01-20 18:44 . 2012-01-20 18:44 -------- d-----w- c:\windows\LastGood>> Did you restore to Last Good Configuration?

    2012-01-20 18:44 . 2007-06-13 10:23 1033216 ----a-w- c:\windows\OLD41.tmp Please do a right click> Properties on this file. Tell me how many bytes, files and/or folder and any other info you find.
    ===========================================
    Repeating: Recommend you delete these Scheduled Tasks:
    ===========================================
    Consider: Install Date: 6/26/2006. All manufacturers pre-load processes before shipping. Rarely does anyone use all, nor know these can be uninstalled if not needed/wanted/used. Check them out when you can:
    ================================
    Have the redirects stopped? And the audio in the background?
  16. FHorn

    FHorn Newcomer, in training Topic Starter

    response

    Yes, the redirects and audio have stopped, so thank you SO much.

    The system restore was asked during safe mode and I thought I hit "No" but I didn't read the whole paragraph, so it asked me if I wanted again to restore and I did not. Not sure why it states that I did.

    Thanks for letting me know about all of the HP programs. I have removed most of them so far.

    Thank you again for everything, seems to be working well. Take care.

    F Horn
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    You're welcome. Glad we resolved the problems. I still advise stopping all those useless auto-updates.

    About System Restore> I'm not sure what's happening here. I'm not aware of a system requesting a System Restore in Safe Mode.
    ----------------------------------------------
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    -----
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    ------------------------------------------
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disc Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
    ===========================================
    Tips for added security and safer browsing: (Links are in Bold Blue)
    1. Browser Security
      [o] Safe Settings (Please ignore the suggestion to use the Registry Editor in this section "Creating a Custom Security Zone")
      [o] ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
      [o] Replace the Host Files
      [o] Google Toolbar Pop Up Blocker
      [o]Web of Trust (WOT) Site Advisor. Traffic-light rating symbols show which rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.
    2. Have layered Security:
      [o]Antivirus (only one): Both of the following programs are free and known to be good:
      [o]Avira-AntiVir-Personal-Free-Antivirus
      [o]Avast-Free Antivirus
      [o]Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
      [o]Comodo
      [o]Zone Alarm
    3. Antimalware: I recommend all of the following:
      [o]Spywareblaster: SpywareBlaster protects against bad ActiveX.
      [o]Spybot Search & Destroy
    4. Updates: Stay current:
      [o] the Microsoft Download Site frequently. All updates marked Critical and the current SP updates.
      [o]Adobe Reader Install current, uninstall old.
      [o]Java Updates Install current, uninstall old.
    5. Tracking Cookies
      Reset Cookie:
      [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
      [o]For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    6. Do regular Maintenance
      Clean the temporary internet files often:
      [o] Temporary File Cleaner
      or
      [o] ATF Cleaner by Atribune
    7. Restore Points:
      [o]See System Restore Guide
    8. Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click
      [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
    Please let me know if you find any bad link.

