TechSpot

Poor performance - various issues

By JAllman
Mar 27, 2011
  1. The PC is acting buggy again. It locks up frequently, sometimes it boots up to no icons on the desktop. I get an error about high memory use by svchost.exe

    I appreciate any help you can offer. Here are the logs:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6174

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    3/26/2011 10:08:47 AM
    mbam-log-2011-03-26 (10-08-47).txt

    Scan type: Quick scan
    Objects scanned: 204584
    Time elapsed: 10 minute(s), 31 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-03-27 19:10:19
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort2 ST3200822AS rev.3.02
    Running: lzcgnt2n.exe; Driver: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\ugldipow.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A32C27F
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A32C27F
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8A32C27F
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8A32C27F
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-1b 8A32C27F
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-13 8A32C27F
    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
    Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

    AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \Device\Ide\IdeDeviceP2T0L0-5 -> \??\IDE#DiskST3200822AS_____________________________3.02____#5&22185c32&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- EOF - GMER 1.0.15 ----


    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Compaq_Owner at 19:16:16.06 on Sun 03/27/2011
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_22
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1407.947 [GMT -5:00]
    .
    AV: Norton AntiVirus *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Bar = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = hxxp://www.google.com/
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop
    mDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
    mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\18.5.0.125\ips\IPSBHO.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    uPolicies-system: EnableProfileQuota = 1 (0x1)
    IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxps://mianotes5.notes.assurant.com/dwa85W.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
    DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://mianotes5.notes.assurant.com/iNotes6W.cab
    DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} - hxxps://mianotes5.notes.assurant.com/dwa8W.cab
    DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://attwm.webex.com/client/T25L10NSP41EP15-attwm/webex/ieatgpc.cab
    Filter: text/html - {658bb697-7be1-4711-9739-4f7f78ea3636} -
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: {FA010552-4A27-4cb1-A1BB-3E2D697F1639} - No File
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
    Hosts: 63.135.80.49 ilovemrsyoubear.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\13zt6r9k.default user\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\ipsffplgn\components\IPSFFPl.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\IPSFFPlgn
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1205000.07d\symds.sys [2010-12-27 340016]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1205000.07d\symefa.sys [2010-12-27 652336]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\bashdefs\20110309.001\BHDrvx86.sys [2011-3-14 800376]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1205000.07d\ironx86.sys [2010-12-27 136312]
    R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\18.5.0.125\ccsvchst.exe [2010-12-27 130000]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-3-24 102448]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\ipsdefs\20110325.001\IDSXpx86.sys [2011-3-25 341944]
    R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\virusdefs\20110327.001\NAVENG.SYS [2011-3-27 86008]
    R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\virusdefs\20110327.001\NAVEX15.SYS [2011-3-27 1360760]
    .
    =============== Created Last 30 ================
    .
    2011-03-25 04:15:17 -------- d-----w- C:\TDSSKiller_Quarantine
    2011-03-25 02:22:50 -------- d-sh--w- C:\found.000
    .
    ==================== Find3M ====================
    .
    2009-10-02 02:56:25 13899 ----a-w- c:\program files\common files\xikikoli.bin
    2009-10-02 02:56:25 13567 ----a-w- c:\program files\common files\roryruni.exe
    2009-10-02 02:56:25 13317 ----a-w- c:\program files\common files\zacaji.reg
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST3200822AS rev.3.02 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-5
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A32C439]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a3327d0]; MOV EAX, [0x8a33284c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EE00A] -> \Device\Harddisk0\DR0[0x8A34BAB8]
    3 CLASSPNP[0xBA90905B] -> ntkrnlpa!IofCallDriver[0x804EE00A] -> \Device\00000060[0x8A350F18]
    5 ACPI[0xBA77F620] -> ntkrnlpa!IofCallDriver[0x804EE00A] -> [0x8A361D98]
    \Driver\atapi[0x8A3901C0] -> IRP_MJ_CREATE -> 0x8A32C439
    kernel: MBR read successfully
    _asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5c; }
    detected disk devices:
    \Device\Ide\IdeDeviceP2T0L0-5 -> \??\IDE#DiskST3200822AS_____________________________3.02____#5&22185c32&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8A32C27F
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 19:18:01.06 ===============


    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 9/25/2008 10:21:21 AM
    System Uptime: 3/27/2011 6:59:25 PM (1 hours ago)
    .
    Motherboard: ASUSTek Computer INC. | | Salmon
    Processor: AMD Athlon(tm) 64 Processor 3400+ | Socket 754 | 2411/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 180 GiB total, 121.658 GiB free.
    D: is FIXED (FAT32) - 6 GiB total, 0.998 GiB free.
    E: is CDROM (CDFS)
    F: is CDROM (CDFS)
    H: is Removable
    I: is Removable
    J: is Removable
    K: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP584: 12/27/2010 6:38:02 PM - System Checkpoint
    RP585: 12/29/2010 10:14:56 AM - System Checkpoint
    RP586: 12/30/2010 10:47:00 AM - System Checkpoint
    RP587: 12/31/2010 4:41:34 PM - System Checkpoint
    RP588: 1/1/2011 5:28:15 PM - System Checkpoint
    RP589: 1/5/2011 8:27:46 PM - System Checkpoint
    RP590: 1/6/2011 9:31:43 PM - System Checkpoint
    RP591: 1/8/2011 8:55:30 AM - System Checkpoint
    RP592: 1/9/2011 3:01:27 PM - System Checkpoint
    RP593: 1/10/2011 7:48:44 PM - System Checkpoint
    RP594: 1/11/2011 8:16:01 PM - System Checkpoint
    RP595: 1/12/2011 9:08:27 PM - System Checkpoint
    RP596: 1/14/2011 2:16:34 PM - System Checkpoint
    RP597: 1/15/2011 3:17:21 PM - System Checkpoint
    RP598: 1/16/2011 5:09:29 PM - System Checkpoint
    RP599: 1/17/2011 6:23:49 PM - System Checkpoint
    RP600: 1/23/2011 8:27:27 PM - System Checkpoint
    RP601: 1/24/2011 9:06:11 PM - System Checkpoint
    RP602: 1/26/2011 6:46:39 PM - System Checkpoint
    RP603: 1/27/2011 7:32:33 PM - System Checkpoint
    RP604: 1/29/2011 11:12:21 AM - System Checkpoint
    RP605: 1/30/2011 7:21:27 PM - System Checkpoint
    RP606: 2/3/2011 12:09:24 PM - System Checkpoint
    RP607: 2/4/2011 1:07:30 PM - System Checkpoint
    RP608: 2/5/2011 2:26:27 PM - System Checkpoint
    RP609: 2/6/2011 3:07:42 PM - System Checkpoint
    RP610: 2/7/2011 3:14:50 PM - System Checkpoint
    RP611: 2/8/2011 5:39:46 PM - System Checkpoint
    RP612: 2/9/2011 7:03:00 PM - System Checkpoint
    RP613: 2/10/2011 7:30:56 PM - System Checkpoint
    RP614: 2/12/2011 11:40:50 AM - System Checkpoint
    RP615: 2/13/2011 12:17:38 PM - System Checkpoint
    RP616: 2/18/2011 6:59:45 PM - System Checkpoint
    RP617: 2/19/2011 7:15:45 PM - System Checkpoint
    RP618: 2/20/2011 8:07:40 PM - System Checkpoint
    RP619: 2/21/2011 8:42:17 PM - System Checkpoint
    RP620: 2/22/2011 8:44:56 PM - System Checkpoint
    RP621: 2/23/2011 8:46:46 PM - System Checkpoint
    RP622: 2/25/2011 11:56:59 AM - System Checkpoint
    RP623: 2/26/2011 6:32:46 PM - System Checkpoint
    RP624: 2/27/2011 6:53:30 PM - System Checkpoint
    RP625: 2/28/2011 8:32:52 PM - System Checkpoint
    RP626: 3/5/2011 5:03:26 PM - System Checkpoint
    RP627: 3/6/2011 5:18:55 PM - System Checkpoint
    RP628: 3/8/2011 7:45:12 AM - System Checkpoint
    RP629: 3/16/2011 6:04:37 PM - System Checkpoint
    RP630: 3/19/2011 6:50:30 AM - System Checkpoint
    RP631: 3/20/2011 8:00:43 PM - System Checkpoint
    RP632: 3/26/2011 10:26:46 AM - System Checkpoint
    RP633: 3/27/2011 5:44:11 PM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 7.0
    Adobe Shockwave Player
    Agere Systems PCI Soft Modem
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Blackhawk Striker 2 from Compaq (remove only)
    Blasterball 2 from Compaq (remove only)
    Blasterball 2 Holidays from Compaq (remove only)
    Blasterball 2 Remix from Compaq (remove only)
    Bounce Symphony from Compaq (remove only)
    Compaq Connections
    Critical Update for Windows Media Player 11 (KB959772)
    Crystal Maze from Compaq (remove only)
    D-Link VGA Webcam
    Final Drive Nitro from Compaq (remove only)
    Help and Support Additions
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB926239)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    HP Boot Optimizer
    HP Deskjet 3840
    HP Help and Support 4.0
    HP Software Update
    HpSdpAppCoreApp
    InterVideo WinDVD Player
    iTunes
    J2SE Runtime Environment 5.0
    Java Auto Updater
    Java(TM) 6 Update 22
    Java(TM) 6 Update 7
    KBD
    Lexibox Deluxe from Compaq (remove only)
    LightScribe System Software 1.17.90.1
    Malwarebytes' Anti-Malware
    Meeting Service
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    Microsoft Plus! Dancer LE
    Microsoft Plus! Digital Media Edition Installer
    Microsoft Plus! Photo Story 2 LE
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    MLB.TV NexDef Plug-in
    Mozilla Firefox (3.6.16)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Norton AntiVirus
    Overball from Compaq (remove only)
    PC-Doctor for Windows
    Phoenix Assault from Compaq (remove only)
    Pinnacle Instant DVD Recorder
    Polar Bowler from Compaq (remove only)
    Polar Golfer from Compaq (remove only)
    PS2
    Python 2.2 pywin32 extensions (build 203)
    Python 2.2.3
    QuickTime
    RealPlayer
    Remove Adobe Photoshop Album 2.0 Starter Edition installer
    Remove Microsoft Money 2005 installer
    Remove Quicken New User Edition installer
    Remove WeatherBug installer
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB903235)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB944338-v2)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958470)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974455)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB976325)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978706)
    Shooting Stars Pool from Compaq (remove only)
    SiS VGA Utilities
    Slyder from Compaq (remove only)
    Sonic Express Labeler
    Sonic MyDVD Plus
    Sonic RecordNow Audio
    Sonic RecordNow Copy
    Sonic RecordNow Data
    Sonic Update Manager
    SpySubtract
    Super Granny from Compaq (remove only)
    Tradewinds from Compaq (remove only)
    TVAnts 1.0
    TVUPlayer 2.5.2.2
    Update for Windows XP (KB898461)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB976749)
    Update for Windows XP (KB978207)
    WebFldrs XP
    Windows Installer 3.1 (KB893803)
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Hotfix - KB867282
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB883667
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888239
    Windows XP Hotfix - KB890175
    Windows XP Hotfix - KB891781
    .
    ==== Event Viewer Messages From Past Week ========
    .
    3/25/2011 7:26:05 PM, error: NetBT [4311] - Initialization failed because the driver device could not be created.
    3/24/2011 11:15:50 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    .
    ==== End Of File ===========================
     
  2. Bobbye

Bobbye, Helper on the Fringe

    I'll say Welcome back- but you'd probably rather not be in this forum! It's been several months.

    Good indication of a rootkit!
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
• Double click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    =====================================
There are only 2 threads on the internet with Host: ilovemrsyoubear.com> this one and yours from last November! And the IP is for My Space?
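To show what the indicators in these logs look like when checked mechanically (the added Hosts: entry Bobbye points at, the AV reported as Disabled, the atapi DriverStartIo hook and TDL3 warning in the GMER section, and the three same-second files under Common Files), here is a Python triage script added as an example; it is not code from DDS, GMER, TDSSKiller or this thread. Its line patterns, the dropped-file heuristic and the verdict thresholds are this example's own assumptions, and the sample log is constructed from lines in the first post.

```python
"""Triage a DDS/GMER log excerpt for the indicators discussed in this thread.
Example code, not part of DDS, GMER or TDSSKiller; the line formats matched
below and the dropped-file heuristic are this example's own assumptions."""
import re
from collections import defaultdict

# Hosts-file mappings Windows ships with; anything else was added afterwards.
BENIGN_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Lines the GMER rootkit sections print when the disk stack is hooked.
ROOTKIT_PATTERNS = {
    "mbr_rootkit_warning": re.compile(r"Warning: possible .*rootkit infection", re.I),
    "driver_hook": re.compile(r"DriverStartIo\s*->\s*0x[0-9A-F]+", re.I),
    "unknown_module_in_disk_trace": re.compile(r">>UNKNOWN \[0x[0-9A-F]+\]<<", re.I),
    "sector_rootkit_behavior": re.compile(r"sector \d+: rootkit-like behavior", re.I),
}

# DDS file lines: '<date> <time> <size> <attrs> <path>' (directories carry no size).
FIND3M_LINE = re.compile(r"\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\d+\s+\S+\s+(\S.*)$")


def hosts_redirects(lines):
    """Return 'Hosts:' entries that map a name to anything other than localhost.
    Such a line answers every lookup of that name before DNS is consulted."""
    found = []
    for ln in lines:
        m = re.match(r"\s*Hosts:\s+(\S+)\s+(\S+)", ln)
        if m and (m.group(1), m.group(2).lower()) not in BENIGN_HOSTS:
            found.append({"ip": m.group(1), "host": m.group(2)})
    return found


def disabled_av(lines):
    """Return AV products DDS reports as '*Disabled/...*'."""
    names = []
    for ln in lines:
        m = re.match(r"\s*AV:\s+(.+?)\s+\*Disabled", ln)
        if m:
            names.append(m.group(1))
    return names


def rootkit_indicators(lines):
    """Return each rootkit indicator kind seen, with the first line that matched."""
    seen = {}
    for ln in lines:
        for kind, pattern in ROOTKIT_PATTERNS.items():
            if kind not in seen and pattern.search(ln):
                seen[kind] = ln.strip()
    return seen


def dropped_file_sets(lines, min_files=3):
    """Heuristic: several files written to one directory in the same second came from
    one program; random-looking names (one lowercase token) point to a dropper."""
    groups = defaultdict(list)
    for ln in lines:
        m = FIND3M_LINE.match(ln)
        if m:
            path = m.group(2)
            groups[(m.group(1), path.rsplit("\\", 1)[0].lower())].append(path)
    sets = []
    for (when, directory), files in groups.items():
        if len(files) >= min_files:
            random_names = [p for p in files
                            if re.fullmatch(r"[a-z]{6,10}\.\w+", p.rsplit("\\", 1)[-1])]
            sets.append({"when": when, "dir": directory, "files": files,
                         "random_names": random_names})
    return sets


def triage(log_text):
    """Run every check over a log and attach a one-word verdict."""
    lines = log_text.splitlines()
    report = {
        "hosts_redirects": hosts_redirects(lines),
        "disabled_av": disabled_av(lines),
        "rootkit_indicators": rootkit_indicators(lines),
        "dropped_file_sets": dropped_file_sets(lines),
    }
    if report["rootkit_indicators"]:
        report["verdict"] = "rootkit_suspected"  # disk stack hooked: AV output cannot be trusted
    elif any(report[k] for k in ("hosts_redirects", "disabled_av", "dropped_file_sets")):
        report["verdict"] = "review"
    else:
        report["verdict"] = "clean"
    return report


# Constructed sample: lines copied from the DDS and GMER output in the first post.
SAMPLE_LOG = r"""
AV: Norton AntiVirus *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
Hosts: 127.0.0.1 localhost
Hosts: 63.135.80.49 ilovemrsyoubear.com
2009-10-02 02:56:25 13899 ----a-w- c:\program files\common files\xikikoli.bin
2009-10-02 02:56:25 13567 ----a-w- c:\program files\common files\roryruni.exe
2009-10-02 02:56:25 13317 ----a-w- c:\program files\common files\zacaji.reg
2011-03-25 04:15:17 -------- d-----w- C:\TDSSKiller_Quarantine
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A32C439]<<
\Driver\atapi DriverStartIo -> 0x8A32C27F
Warning: possible TDL3 rootkit infection !
"""
```

Running `triage(SAMPLE_LOG)` returns the verdict `rootkit_suspected` together with the hosts redirect, the disabled AV, three hook indicators and one set of three same-second files.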
     
  3. JAllman

JAllman, TS Rookie, Topic Starter

Yes, I wish I didn't have to come back here. Anyway, the help was great last time and I am impressed with the quick response again.

What exactly does Host: ilovemrsyoubear.com mean?

Anyway, here is the log from TDSSKiller. I guess it quarantined a rootkit.

    2011/03/27 21:02:22.0625 TDSS rootkit removing tool 2.4.7.0 Nov 8 2010 10:52:22
    2011/03/27 21:02:22.0625 ================================================================================
    2011/03/27 21:02:22.0625 SystemInfo:
    2011/03/27 21:02:22.0625
    2011/03/27 21:02:22.0625 OS Version: 5.1.2600 ServicePack: 2.0
    2011/03/27 21:02:22.0625 Product type: Workstation
    2011/03/27 21:02:22.0625 ComputerName: HOME
    2011/03/27 21:02:22.0625 UserName: Compaq_Owner
    2011/03/27 21:02:22.0625 Windows directory: C:\WINDOWS
    2011/03/27 21:02:22.0625 System windows directory: C:\WINDOWS
    2011/03/27 21:02:22.0625 Processor architecture: Intel x86
    2011/03/27 21:02:22.0625 Number of processors: 1
    2011/03/27 21:02:22.0625 Page size: 0x1000
    2011/03/27 21:02:22.0625 Boot type: Normal boot
    2011/03/27 21:02:22.0625 ================================================================================
    2011/03/27 21:02:23.0921 Initialize success
    2011/03/27 21:02:29.0734 ================================================================================
    2011/03/27 21:02:29.0734 Scan started
    2011/03/27 21:02:29.0734 Mode: Manual;
    2011/03/27 21:02:29.0734 ================================================================================
    2011/03/27 21:02:51.0781 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/03/27 21:02:52.0046 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/03/27 21:02:52.0265 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/03/27 21:02:52.0484 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/03/27 21:02:52.0734 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/03/27 21:02:53.0031 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/03/27 21:02:53.0312 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/03/27 21:02:53.0781 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/03/27 21:02:54.0015 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
    2011/03/27 21:02:54.0218 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/03/27 21:02:54.0453 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2011/03/27 21:02:54.0687 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/03/27 21:02:54.0953 MPE (55a9a7e6bb297bf0f5b144029dcb79cc) C:\WINDOWS\system32\DRIVERS\MPE.sys
    2011/03/27 21:02:55.0484 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/03/27 21:02:55.0859 MRxSmb (f9692be777822ab3f1a91c34728786da) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/03/27 21:02:56.0218 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/03/27 21:02:56.0437 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/03/27 21:02:56.0640 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/03/27 21:02:56.0843 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/03/27 21:02:57.0078 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/03/27 21:02:57.0312 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
    2011/03/27 21:02:57.0578 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/03/27 21:02:57.0859 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    2011/03/27 21:02:58.0078 NAVENG (c8ef74e4d8105b1d02d58ea4734cf616) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\VirusDefs\20110327.001\NAVENG.SYS
    2011/03/27 21:02:58.0515 NAVEX15 (94b3164055d821a62944d9fe84036470) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\VirusDefs\20110327.001\NAVEX15.SYS
    2011/03/27 21:02:58.0921 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/03/27 21:02:59.0250 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    2011/03/27 21:02:59.0515 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/03/27 21:02:59.0734 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/03/27 21:02:59.0953 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/03/27 21:03:00.0187 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/03/27 21:03:00.0421 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/03/27 21:03:00.0671 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/03/27 21:03:00.0937 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    2011/03/27 21:03:01.0187 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/03/27 21:03:01.0546 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/03/27 21:03:01.0953 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/03/27 21:03:02.0171 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/03/27 21:03:02.0375 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/03/27 21:03:02.0625 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    2011/03/27 21:03:02.0953 ovt519 (4cdadec3dc1300ee1d313ea5494e6472) C:\WINDOWS\system32\Drivers\ov519vid.sys
    2011/03/27 21:03:03.0234 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
    2011/03/27 21:03:03.0453 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/03/27 21:03:03.0750 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/03/27 21:03:03.0984 PcdrNdisuio (505cba425df3bb230f244e1c23221058) C:\WINDOWS\system32\DRIVERS\pcdrndisuio.sys
    2011/03/27 21:03:04.0203 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/03/27 21:03:04.0609 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2011/03/27 21:03:04.0859 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2011/03/27 21:03:06.0359 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/03/27 21:03:06.0609 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys
    2011/03/27 21:03:06.0859 Ps2 (9b793a1ffd480155fe9ee5261153f21b) C:\WINDOWS\system32\DRIVERS\PS2.sys
    2011/03/27 21:03:07.0093 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/03/27 21:03:07.0296 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/03/27 21:03:07.0531 PxHelp20 (7c81ae3c9b82ba2da437ed4d31bc56cf) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2011/03/27 21:03:08.0718 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/03/27 21:03:08.0968 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/03/27 21:03:09.0187 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/03/27 21:03:09.0390 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/03/27 21:03:09.0656 Rdbss (809ca45caa9072b3176ad44579d7f688) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/03/27 21:03:09.0906 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/03/27 21:03:10.0187 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/03/27 21:03:10.0437 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/03/27 21:03:10.0687 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
    2011/03/27 21:03:10.0921 ScanUSBEMPIA (f5a633609777c212ec5ff19927fc5955) C:\WINDOWS\system32\DRIVERS\emScan.sys
    2011/03/27 21:03:11.0156 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/03/27 21:03:11.0437 Serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2011/03/27 21:03:11.0656 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
    2011/03/27 21:03:11.0859 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2011/03/27 21:03:12.0375 SiS315 (509d96916c7d9218e4083940b8711b9b) C:\WINDOWS\system32\DRIVERS\sisgrp.sys
    2011/03/27 21:03:12.0718 SiSkp (2c921a4cce0b3eb372ebf448939fa3bf) C:\WINDOWS\system32\DRIVERS\srvkp.sys
    2011/03/27 21:03:12.0937 SISNIC (5529b51aacff16fbdde4b34ff0af2b76) C:\WINDOWS\system32\DRIVERS\sisnic.sys
    2011/03/27 21:03:13.0187 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    2011/03/27 21:03:13.0671 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
    2011/03/27 21:03:13.0937 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/03/27 21:03:14.0359 SRTSP (a7a104a61c4e30de9c58f8c372a5c209) C:\WINDOWS\System32\Drivers\NAV\1205000.07D\SRTSP.SYS
    2011/03/27 21:03:14.0843 SRTSPX (2833445f786bd000bb14c84a9d91347a) C:\WINDOWS\system32\drivers\NAV\1205000.07D\SRTSPX.SYS
    2011/03/27 21:03:15.0171 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/03/27 21:03:15.0515 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    2011/03/27 21:03:15.0734 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/03/27 21:03:15.0953 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/03/27 21:03:16.0765 SymDS (bdf077b897b5f9f929b6bf0cfd436962) C:\WINDOWS\system32\drivers\NAV\1205000.07D\SYMDS.SYS
    2011/03/27 21:03:17.0468 SymEFA (7732298ad2eddd364c1d4f439d99ae7c) C:\WINDOWS\system32\drivers\NAV\1205000.07D\SYMEFA.SYS
    2011/03/27 21:03:18.0156 SymEvent (5c76a63fac8a5580c5a1c4a4ed827782) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
    2011/03/27 21:03:18.0640 SymIRON (a73399804d5d4a8b20ba60fcf70c9f1f) C:\WINDOWS\system32\drivers\NAV\1205000.07D\Ironx86.SYS
    2011/03/27 21:03:19.0218 SYMTDI (8c07683bf02b63ad71bcb2cf28af2d06) C:\WINDOWS\System32\Drivers\NAV\1205000.07D\SYMTDI.SYS
    2011/03/27 21:03:20.0000 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/03/27 21:03:20.0328 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/03/27 21:03:20.0656 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/03/27 21:03:20.0921 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/03/27 21:03:21.0187 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/03/27 21:03:21.0718 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/03/27 21:03:22.0218 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/03/27 21:03:22.0484 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\WINDOWS\system32\Drivers\usbaapl.sys
    2011/03/27 21:03:22.0734 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
    2011/03/27 21:03:22.0968 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2011/03/27 21:03:23.0218 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/03/27 21:03:23.0437 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/03/27 21:03:23.0703 usbohci (bdfe799a8531bad8a5a985821fe78760) C:\WINDOWS\system32\DRIVERS\usbohci.sys
    2011/03/27 21:03:23.0906 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2011/03/27 21:03:24.0140 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2011/03/27 21:03:24.0375 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/03/27 21:03:24.0609 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2011/03/27 21:03:24.0875 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
    2011/03/27 21:03:25.0125 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\system32\DRIVERS\viaide.sys
    2011/03/27 21:03:25.0359 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/03/27 21:03:25.0593 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/03/27 21:03:26.0109 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/03/27 21:03:26.0375 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
    2011/03/27 21:03:26.0609 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    2011/03/27 21:03:26.0875 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2011/03/27 21:03:27.0234 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2011/03/27 21:03:27.0343 \HardDisk0 - detected Rootkit.Win32.BackBoot.gen (1)
    2011/03/27 21:03:27.0343 ================================================================================
    2011/03/27 21:03:27.0343 Scan finished
    2011/03/27 21:03:27.0343 ================================================================================
    2011/03/27 21:03:27.0359 Detected object count: 1
    2011/03/27 21:04:00.0328 \HardDisk0 - quarantined
    2011/03/27 21:04:00.0328 Rootkit.Win32.BackBoot.gen(\HardDisk0) - User select action: Quarantine
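The TDSSKiller log above is a flat list of loaded drivers, each with its MD5 and image path, and that is enough for a first triage pass: flag drivers loaded from a profile or temp directory, and flag core drivers whose hash no longer matches a baseline taken from a clean install of the same service pack. The script below is an added example of that pass, written for this page; it is not Kaspersky's tool and not code from the thread. The lines in SAMPLE_LOG follow the log format shown above (the cdrom, eeCtrl and Srv hashes are copied from the log; the `xyzdrv` service, the atapi hash and the BASELINE_MD5 table are constructed). On this machine's full log the path heuristic will also flag the Norton definition drivers under Documents and Settings\All Users\Application Data\Norton, which is a known benign case you would whitelist by vendor directory.

```python
import re
from dataclasses import dataclass

# One driver record per line: "<date> <time> <service> (<md5>) <image path>"
DRIVER_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<name>\S+) \((?P<md5>[0-9a-fA-F]{32})\) (?P<path>.+)$"
)
# Verdict lines look like "<date> <time> \HardDisk0 - detected <verdict> (1)"
DETECT_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<obj>\S+) - detected (?P<verdict>\S+)")

# Kernel drivers normally live under system32\drivers or a vendor's Program Files
# directory; anything under a user profile or temp directory deserves a look.
SUSPICIOUS_DIRS = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\", "\\users\\")

# Constructed sample in the TDSSKiller format. cdrom/eeCtrl/Srv hashes come from
# the log on this page; xyzdrv, the atapi hash and the timestamps are made up.
SAMPLE_LOG = r"""
2011/03/27 21:02:40.0296 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/03/27 21:02:43.0968 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2011/03/27 21:03:15.0171 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/03/27 21:03:27.0100 xyzdrv (0123456789abcdef0123456789abcdef) C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\xyzdrv.sys
2011/03/27 21:03:27.0200 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/03/27 21:03:27.0343 \HardDisk0 - detected Rootkit.Win32.BackBoot.gen (1)
"""

# Hypothetical known-good hashes keyed by lower-case service name. In practice this
# table is built from a clean install of the same OS/service pack, not from memory.
BASELINE_MD5 = {
    "cdrom": "af9c19b3100fe010496b1a27181fbf72",
    "atapi": "cdfe4411a69c224bd1d11b2da92dac51",
}


@dataclass
class Driver:
    name: str
    md5: str
    path: str


def parse_log(text):
    """Split a TDSSKiller log into driver records and detection verdicts."""
    drivers, detections = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = DRIVER_RE.match(line)
        if m:
            drivers.append(Driver(m["name"], m["md5"].lower(), m["path"]))
            continue
        d = DETECT_RE.match(line)
        if d:
            detections.append((d["obj"], d["verdict"]))
    return drivers, detections


def triage(drivers, baseline):
    """Return (service, reason, detail) tuples for drivers worth a closer look."""
    findings = []
    for drv in drivers:
        low = drv.path.lower()
        if any(marker in low for marker in SUSPICIOUS_DIRS):
            findings.append((drv.name, "loaded from a profile or temp directory", drv.path))
        expected = baseline.get(drv.name.lower())
        if expected is not None and expected != drv.md5:
            findings.append((drv.name, "MD5 differs from baseline", f"{drv.md5} != {expected}"))
    return findings


if __name__ == "__main__":
    drivers, detections = parse_log(SAMPLE_LOG)
    print(f"{len(drivers)} drivers, {len(detections)} detections")
    for obj, verdict in detections:
        print(f"  detected: {verdict} on {obj}")
    for name, reason, detail in triage(drivers, BASELINE_MD5):
        print(f"  {name}: {reason} ({detail})")
```

A hash mismatch on a core driver such as atapi.sys is exactly the pattern earlier TDSS variants left behind (the MBR-resident TDL4 found later in this thread leaves the driver files intact), so the two checks complement each other rather than overlap.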
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Bootkit Remover:

    Download bootkitremover.rar and save to your desktop.
    1. Extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. (Use 7-Zip if you don't have an extraction program.)
    2. Double-click on the remover.exe file to run the program.
      NOTE: The tool should be run from a command line with Administrator privileges.
    3. Scanning should be completed quickly
    4. Paste the output in your next reply.
    =====================================
    We can deal with some of this now, but please read the following:

    I reviewed the thread you posted in November, 2010 and I see you deserted it. You were instructed to 'Please Run the ESET Online Scanner and post the ScanLog with your post for assistance'.
    There was no reply and the thread should have been closed. With the number of and types of malware found in the Mbam scan on that thread, I would have been tempted to suggest a reformat/reinstall. Although the TDSS and MBR scans came out clean, that only meant that the malware you had wasn't a rootkit- at least not at that time. But because of the multiple infections that were found- although they were quarantined and deleted in Mbam, you most surely would have been instructed to run either Combofix or OTL to look for any remaining entries or other malware.

    You posted this on the previous thread:
    Then left the Mbam log with:
    Malware
    Registry Keys Infected: 4>> (Worm.AutoRun)
    Registry Values Infected: 16>> (Hijack.SecurityCenter), (Hijack.ControlPanelStyle), (Backdoor.Bot)
    Folders Infected: 7>> Assorted malware & Adware
    Files Infected: 17>> (Trojan.Downloader), (Rogue.AntiVirusPro2010), (Rootkit.TDSS), (Trojan.Vundo), other assorted malware & adware.

    Security:
    1. You had/have Norton Antivirus.
    2. You had/have SpySubtract which was renamed to Trend Micro Anti-Spyware 3.0 which has now been discontinued in favor of a new Internet Security Suite.
    3. This means you are relying on the Norton AV for security. No firewall, no current anti-malware programs.

    Outdated Programs:
    1. You had/have Adobe Reader 7.0> outdated, a vulnerability
    2. You had/have J2SE Runtime Environment 5.0, Java(TM) 6 Update 7> both outdated, a vulnerability
    You have now added Java(TM) 6 Update 22 which is now outdated.
    3. You had Mozilla Firefox (3.0.19) and have now updated to Mozilla Firefox (3.6.16)> which is now outdated, a vulnerability
    =======================================
    This was found currently and quarantined: Rootkit.Win32.BackBoot.gen(\HardDisk0)
    =======================================
    So, we make a pact: You follow through with directions I give which will include additional scans and outdated programs get removed and current versions get installed. If you are willing to do this, proceed:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
    10. Click anywhere in the post where you want the logs to go, then press Ctrl+V. The log will be taken from the clipboard and pasted into the post.
    11. Re-enable your Antivirus software.
      NOTE: If you forget to copy to the clipboard you can find the log here:
      C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ===========================================
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and opened in a text window. Please paste the contents of C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    If you do not plan to follow this through, please let me know and I will close the thread.
     
  5. JAllman

    JAllman TS Rookie Topic Starter Posts: 17

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000001`7fe80000

    Size Device Name MBR Status
    --------------------------------------------
    186 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...
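The Bootkit Remover output above reports the MBR of \\.\PhysicalDrive0 as controlled by a rootkit and offers `remover.exe dump` to save the sector for manual inspection. What you do with a dumped sector is parse it, sanity-check the partition table, and compare its boot code against a copy you trust. The script below is an added example of that check, not the eSage tool and not code from this thread. It assumes the classic MBR layout (440 bytes of boot code, a 4-byte disk signature, two reserved bytes, four 16-byte partition entries at offset 446, and the 0x55AA signature at offset 510). The boot-code bytes, the partition geometry and the reference hash are constructed for the example; a real reference must come from a known-clean disk with the same OS and OEM tooling, because legitimate MBR code differs between vendors and would otherwise produce false mismatches.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440          # bytes 0..439 hold the boot loader code
PART_TABLE_OFF = 446         # four 16-byte entries follow the disk signature
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR from boot code and (bootable, type, lba_start, sectors) tuples."""
    if len(boot_code) > BOOT_CODE_LEN or len(partitions) > 4:
        raise ValueError("boot code too long or too many partitions")
    buf = bytearray(SECTOR)
    buf[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        off = PART_TABLE_OFF + 16 * i
        buf[off:off + 16] = struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00,
                                        b"\xff\xff\xff", ptype, b"\xff\xff\xff", lba, count)
    buf[510:512] = b"\x55\xaa"
    return bytes(buf)


def parse_mbr(sector):
    """Validate the signature and return the boot-code hash and partition table."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:          # empty slot
            continue
        parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    first = min((p["lba_start"] for p in parts), default=1)
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
        # sectors 1 .. first-1 belong to no partition; classic XP layouts leave 62 of
        # them, and that unallocated space is where a bootkit can stash its loader
        "gap_sectors": first - 1,
    }


def inspect_mbr(sector, known_good_sha256):
    """Return parsed info plus the findings an analyst should act on."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != known_good_sha256:
        findings.append("boot code differs from the known-good copy")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition is marked active")
    return info, findings


# Constructed sample data. CLEAN_BOOT_CODE reuses the first instructions of a
# standard MBR prologue (xor ax,ax / mov ss,ax / mov sp,0x7c00) padded with NOPs;
# it is a stand-in, not a real Windows MBR. EVIL_BOOT_CODE is an arbitrary jump.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 16
EVIL_BOOT_CODE = b"\xeb\x10" + b"\x90" * 21
SAMPLE_PARTITIONS = [(True, 0x07, 63, 390716802)]   # one NTFS volume starting at sector 63


def demo():
    """Build a clean MBR, take its hash as the reference, then check a tampered copy."""
    clean = build_mbr(CLEAN_BOOT_CODE, SAMPLE_PARTITIONS)
    reference = parse_mbr(clean)["boot_code_sha256"]
    evil = build_mbr(EVIL_BOOT_CODE, SAMPLE_PARTITIONS)   # table untouched, code replaced
    return inspect_mbr(clean, reference), inspect_mbr(evil, reference)


if __name__ == "__main__":
    (clean_info, clean_findings), (evil_info, evil_findings) = demo()
    print("clean:", clean_findings or "no findings", "| gap sectors:", clean_info["gap_sectors"])
    print("evil :", evil_findings, "| gap sectors:", evil_info["gap_sectors"])
```

The tampered sector keeps a perfectly valid partition table and signature, which is why a check that only validates 0x55AA or the partition list will pass it; the boot code itself has to be compared. The `gap_sectors` value tells you which sectors after the MBR to dump next, since they lie outside any filesystem and are not covered by file-level scanners.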
     
  6. JAllman

    JAllman TS Rookie Topic Starter Posts: 17

    Ok, we have a pact. I will follow your instructions completely.
     
  7. JAllman

    JAllman TS Rookie Topic Starter Posts: 17

    C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe probably a variant of Win32/Agent.HZHBURL trojan
    C:\Program Files\InterMute\SpySubtract\ssengine.dll probably a variant of Win32/Agent.HVEUCPZ trojan
    D:\I386\Apps\APP09527\src\SpyInstall_HPPre.exe probably a variant of Win32/Agent.HVEUCPZ trojan
     
  8. JAllman

    JAllman TS Rookie Topic Starter Posts: 17

    ComboFix 11-03-28.03 - Compaq_Owner 03/28/2011 22:05:32.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1407.1067 [GMT -5:00]
    Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
    AV: Norton AntiVirus *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\-1945201032
    c:\documents and settings\All Users.\documents\settings
    c:\documents and settings\All Users.\documents\settings\desktop.ini
    c:\documents and settings\All Users\Documents\Settings\desktop.ini
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\1.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\a.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\b.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\c.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\d.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\e.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\f.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\g.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\h.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\i.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\J.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\k.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\l.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\m.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\mru.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\n.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\o.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\p.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\q.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\r.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\s.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\t.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\u.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\v.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\w.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\x.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\y.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\z.xml
    c:\documents and settings\Compaq_Owner\GoToAssistDownloadHelper.exe
    C:\install.exe
    c:\program files\ISM2
    c:\program files\ISM2\dictionary.gz
    c:\program files\ISM2\targets.gz
    c:\program files\Shared
    c:\temp\1cb
    c:\temp\1cb\syscheck.log
    c:\temp\tn3
    c:\windows\explorer(2).exe
    c:\windows\IA
    c:\windows\system32\Install.txt
    c:\windows\system32\Thumbs.db
    c:\windows\tempf.txt
    D:\Autorun.inf
    .
    c:\windows\system32\proquota.exe . . . is missing!!
    .
    .
    \\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-29 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-29 00:52 . 2011-03-29 00:52 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\NetAssistant
    2011-03-29 00:51 . 2011-03-29 00:51 -------- d-----w- c:\program files\Itibiti Soft Phone
    2011-03-29 00:51 . 2011-03-29 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\WeCareReminder
    2011-03-29 00:51 . 2011-03-29 00:51 -------- d-----w- c:\program files\7-Zip
    2011-03-29 00:51 . 2011-03-29 00:51 -------- d-----w- c:\program files\Free Offers from Freeze.com
    2011-03-29 00:50 . 2011-03-29 00:51 -------- d-----w- c:\program files\PriceGong
    2011-03-25 04:15 . 2011-03-25 04:15 -------- d-----w- C:\TDSSKiller_Quarantine
    2011-03-25 02:22 . 2011-03-25 02:22 -------- d-----w- C:\found.000
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-10-02 02:56 . 2009-10-02 02:56 13899 ----a-w- c:\program files\Common Files\xikikoli.bin
    2009-10-02 02:56 . 2009-10-02 02:56 13567 ----a-w- c:\program files\Common Files\roryruni.exe
    2009-10-02 02:56 . 2009-10-02 02:56 13317 ----a-w- c:\program files\Common Files\zacaji.reg
    .
    .
    ------- Sigcheck -------
    .
    [-] 2008-04-14 . BD38D1EBE24A46BD3EDA059560AFBA12 . 1054208 . . [6.0] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\asms\60\msft\windows\common\controls\comctl32.dll
    [-] 2008-04-14 . 06F247492BC786CE5C24A23E178C711A . 617472 . . [5.82] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\comctl32.dll
    [7] 2004-08-04 . AEF3D788DBF40C7C4D204EA45EB0C505 . 921088 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
    [7] 2004-08-04 . 5AF68A5E44734A082442668E9C787743 . 1050624 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
    [7] 2004-08-04 . A77DFB85FAEE49D66C74DA6024EBC69B . 611328 . . [5.82] . . c:\windows\$NtUninstallKB923191$\comctl32.dll
    [7] 2004-08-04 . A77DFB85FAEE49D66C74DA6024EBC69B . 611328 . . [5.82] . . c:\windows\Copy of system32\comctl32.dll
    [7] 2004-08-04 . AEF3D788DBF40C7C4D204EA45EB0C505 . 921088 . . [6.0] . . c:\windows\I386\ASMS\6000\MSFT\WINDOWS\COMMON\CONTROLS\COMCTL32.DLL
    [-] 2004-08-04 . F7B47E54AFEA44E21E745A1249D7C384 . 611328 . . [5.82] . . c:\windows\system32\comctl32.dll
    [7] 2004-08-04 . A77DFB85FAEE49D66C74DA6024EBC69B . 611328 . . [5.82] . . c:\windows\system32\dllcache\comctl32.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1631550F-191D-4826-B069-D9439253D926}]
    2010-03-28 19:53 353656 ----a-w- c:\program files\PriceGong\2.1.0\PriceGongIE.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-05-05 180269]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
    backup=c:\windows\pss\SpySubtract.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^MLB.TV NexDef Plug-in.lnk]
    path=c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\MLB.TV NexDef Plug-in.lnk
    backup=c:\windows\pss\MLB.TV NexDef Plug-in.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
    2004-09-07 19:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2004-08-04 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
    2003-12-22 14:38 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2004-02-18 17:55 49152 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
    2005-02-26 05:34 245760 ----a-w- c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
    2004-03-04 15:46 172032 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2008-11-20 19:20 290088 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
    2008-12-07 05:21 2387968 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
    2004-10-14 20:54 253952 ----a-w- c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-11-11 05:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSPower]
    2005-01-04 23:54 49152 ----a-w- c:\windows\system32\SiSPower.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2008-06-10 09:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2005-05-05 17:48 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB2Check]
    2006-11-06 19:31 81920 ----a-w- c:\windows\system32\PCLECoInst.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "LightScribeService"=2 (0x2)
    "iPod Service"=3 (0x3)
    "gusvc"=3 (0x3)
    "Apple Mobile Device"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
    "c:\\Program Files\\TVAnts\\Tvants.exe"=
    .
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1205000.07D\symds.sys [12/27/2010 3:58 PM 340016]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1205000.07D\symefa.sys [12/27/2010 3:58 PM 652336]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20110309.001\BHDrvx86.sys [3/14/2011 3:38 PM 800376]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1205000.07D\ironx86.sys [12/27/2010 3:58 PM 136312]
    R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\18.5.0.125\ccsvchst.exe [12/27/2010 3:58 PM 130000]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/24/2011 8:53 PM 102448]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20110325.001\IDSXpx86.sys [3/25/2011 7:50 PM 341944]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2008-12-07 05:18 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = hxxp://www.google.com/
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxps://mianotes5.notes.assurant.com/dwa85W.cab
    FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\13zt6r9k.Default User\
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    ShellExecuteHooks-{FA010552-4A27-4cb1-A1BB-3E2D697F1639} - (no file)
    MSConfigStartUp-Antivirus Pro 2010 - c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe
    MSConfigStartUp-iLike - c:\program files\iLike\1.2.16\ilikesidebar.exe
    MSConfigStartUp-Messenger (Yahoo!) - c:\program files\Yahoo!\Messenger\YahooMessenger.exe
    MSConfigStartUp-mserv - c:\documents and settings\Compaq_Owner\Application Data\svcst.exe
    MSConfigStartUp-SSC_UserPrompt - c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    MSConfigStartUp-svchost - c:\documents and settings\Compaq_Owner\Application Data\svcst.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-28 22:15
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NAV]
    "ImagePath"="\"c:\program files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\18.5.0.125\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2011-03-28 22:18:04
    ComboFix-quarantined-files.txt 2011-03-29 03:17
    .
    Pre-Run: 130,420,826,112 bytes free
    Post-Run: 133,893,578,752 bytes free
    .
    - - End Of File - - 1BCEDB691F8ED761E5199AB2B69A85A2
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay then! My d... internet went missing - again - then came back up after 4 hours! Sorry - catching up - again!
    • Open Notepad
    • Copy and paste the text in the codebox into Notepad:
    Code:
    
    @ECHO OFF
    REM Restore the boot code on the first physical disk; remover.exe must be in the same folder as this batch file
    START remover.exe fix \\.\PhysicalDrive0
    EXIT
    
    
    • Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
    • Then in the FILE NAME box type fix.bat.
    • Save fix.bat to your Desktop.
    • Double click fix.bat to run it.
      You may see a black box appear; this is normal.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.

    When done, run remover.exe again and post its output.

    Do NOT reboot computer!
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
    • [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\program files\Common Files\xikikoli.bin
    c:\program files\Common Files\roryruni.exe
    c:\program files\Common Files\zacaji.reg
    Folder::
    c:\program files\Free Offers from Freeze.com
    c:\program files\PriceGong
    C:\TDSSKiller_Quarantine
    C:\found.000
    DDS::
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop
    mDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
    mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    Hosts: 63.135.80.49 ilovemrsyoubear.com
    
    Registry::
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1631550F-191D-4826-B069-D9439253D926}]
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes
      D:\I386\Apps\APP09527\src\SpyInstall_HPPre.exe
      :Files
      C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe
      C:\Program Files\InterMute\SpySubtract\ssengine.dll
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ==========================================
    Replace the Hosts file
    ==========================================
    Give me a few minutes, then go on to next reply.
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    If you did not reboot the computer when finished with previous post:

    Part 1. Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Part 2. Show Hidden Folders/Files
    • Right click on Taskbar> Explore to open Windows Explorer
    • Go to Tools > Folder Options.
    • Select the View tab.
    • Scroll down to Hidden files and folders.
    • Select Show hidden files and folders.
    • Uncheck Hide extensions of known file types.
    • Uncheck Hide protected operating system files (Recommended).
    • Click Yes when prompted.
    • Click OK.
    • Click on My Computer.
    • Double click on the Local Drive(C)
    • Click on Programs
    • Find each of the following folders and do a Right Click> Delete
      [o] PriceGong
      [o] Freeze.com (Or FreeOffers)
      [o] SpySubtract
    When finished, click Apply> OK, then re-hide the files & folders!!
    Exit Explorer

    Part 3. Uninstall: Go to Control Panel> Add/Remove Programs> Find each
    • PriceGong
    • Freeze.com (or Free Offers)
    • SpySubtract
    and Uninstall.

    If you get any errors removing the program folders before uninstalling the programs, just reverse Part 2 & 3.

    Reboot into Normal Mode.
    =========================================
    What is Drive D? If it's a flash drive you will need to disinfect it> let me know.
    (D:\I386\Apps\APP09527\src\SpyInstall_HPPre.exe)
    =========================================
    Let me know how the system is running.
     
  12. JAllman

    JAllman TS Rookie Topic Starter Posts: 17

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000001`7fe80000
    Restoring boot code at \\.\PhysicalDrive0...
    OK

    Done;
    Press any key to quit...
     
  13. JAllman

    JAllman TS Rookie Topic Starter Posts: 17

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000001`7fe80000
    Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

    Size Device Name MBR Status
    --------------------------------------------
    186 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...
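    As an added example (not from the thread or from any of the tools it names), a Python parser that performs the checks the Bootkit Remover output above summarises as an MBR status and a boot-sector MD5: it validates the 0x55AA signature, decodes the four partition entries, hashes the sector against a caller-supplied baseline, and flags oddities such as overlapping entries or an unallocated gap before the first partition. The sample sector is constructed; which bytes Bootkit Remover actually hashes is not stated on the page, so the baseline here is assumed to cover the whole sector.

```python
import hashlib
import struct
from dataclasses import dataclass, field
from typing import List, Optional

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 440          # bytes 0..439 hold the boot loader code
DISK_SIG_OFFSET = 440         # 4-byte NT disk signature
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of every valid MBR


@dataclass
class PartitionEntry:
    index: int
    bootable: bool
    type_code: int
    lba_start: int
    sector_count: int


@dataclass
class MbrReport:
    signature_ok: bool
    boot_code_md5: str
    sector_md5: str
    disk_signature: int
    partitions: List[PartitionEntry] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def parse_mbr(sector: bytes, expected_sector_md5: Optional[str] = None) -> MbrReport:
    """Decode one 512-byte MBR and collect findings a defender would review."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")

    report = MbrReport(
        signature_ok=sector[510:512] == BOOT_SIGNATURE,
        boot_code_md5=hashlib.md5(sector[:BOOT_CODE_SIZE]).hexdigest(),
        sector_md5=hashlib.md5(sector).hexdigest(),
        disk_signature=struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
    )
    if not report.signature_ok:
        report.findings.append("boot signature 0x55AA missing; not a valid MBR")
    # Comparing against a hash recorded while the machine was known clean is the
    # simplest way to notice a rewritten loader. Assumption: the baseline covers
    # the whole sector (the page does not say which bytes Bootkit Remover hashes).
    if expected_sector_md5 and report.sector_md5 != expected_sector_md5.lower():
        report.findings.append("sector MD5 differs from the known-good baseline")

    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # Entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0 and lba_start == 0 and count == 0:
            continue  # unused slot
        if status not in (0x00, 0x80):
            report.findings.append(f"entry {i}: invalid status byte 0x{status:02x}")
        report.partitions.append(PartitionEntry(i, status == 0x80, ptype, lba_start, count))

    if sum(p.bootable for p in report.partitions) > 1:
        report.findings.append("more than one partition is flagged bootable")

    # Sectors between the MBR and the first partition belong to no filesystem, so
    # code kept there is invisible to file-level scanners; report the gap so it
    # can be dumped and inspected.
    ordered = sorted(report.partitions, key=lambda p: p.lba_start)
    if ordered and ordered[0].lba_start > 1:
        gap = ordered[0].lba_start - 1
        report.findings.append(f"{gap} unallocated sectors (LBA 1..{gap}) before the first partition")
    # Overlapping entries point to a tampered or corrupted partition table.
    for a, b in zip(ordered, ordered[1:]):
        if b.lba_start <= a.lba_start + a.sector_count - 1:
            report.findings.append(f"entries {a.index} and {b.index} overlap")
    return report


def build_sample_mbr() -> bytes:
    """Constructed sample sector (not read from any disk mentioned on the page)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:BOOT_CODE_SIZE] = (b"\x33\xc0\x8e\xd0\xbc\x00\x7c" * 63)[:BOOT_CODE_SIZE]
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, 0xDEADBEEF)
    entries = [  # (status, type, LBA start, sector count); values are made up
        (0x00, 0x0C, 63, 12_580_033),           # FAT32 recovery partition
        (0x80, 0x07, 12_580_096, 378_000_000),  # bootable NTFS system volume
    ]
    for i, entry in enumerate(entries):
        struct.pack_into("<B3xB3xII", sector, PARTITION_TABLE_OFFSET + 16 * i, *entry)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    # On a live system, read the first 512 bytes of \\.\PhysicalDrive0 as
    # Administrator instead of using the constructed sample.
    r = parse_mbr(build_sample_mbr())
    print("signature ok:", r.signature_ok, "sector MD5:", r.sector_md5)
    for p in r.partitions:
        print(f"entry {p.index}: type 0x{p.type_code:02x} start {p.lba_start} bootable {p.bootable}")
    for f in r.findings:
        print("finding:", f)
```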
     
  14. JAllman

    JAllman TS Rookie Topic Starter Posts: 17

    ComboFix 11-03-29.03 - Compaq_Owner 03/29/2011 20:10:05.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1407.979 [GMT -5:00]
    Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
    AV: Norton AntiVirus *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    .
    FILE ::
    "c:\program files\Common Files\roryruni.exe"
    "c:\program files\Common Files\xikikoli.bin"
    "c:\program files\Common Files\zacaji.reg"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\1.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\a.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\b.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\c.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\d.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\e.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\f.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\g.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\h.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\i.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\J.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\k.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\l.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\m.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\mru.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\n.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\o.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\p.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\q.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\r.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\s.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\t.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\u.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\v.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\w.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\x.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\y.xml
    c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\z.xml
    C:\found.000
    c:\found.000\dir0000.chk\plugin-amf
    c:\found.000\dir0000.chk\plugin-control-1
    c:\found.000\dir0000.chk\plugin-crossdomain-1.xml
    c:\found.000\dir0000.chk\plugin-crossdomain.xml
    c:\found.000\dir0000.chk\plugin-f76a07be2aa53fc53c59c0c4eb0522f9.swf
    c:\program files\Common Files\roryruni.exe
    c:\program files\Common Files\xikikoli.bin
    c:\program files\Common Files\zacaji.reg
    c:\program files\Free Offers from Freeze.com
    c:\program files\Free Offers from Freeze.com\101_Free_Songs.ico
    c:\program files\Free Offers from Freeze.com\6840.url
    c:\program files\Free Offers from Freeze.com\6862.url
    c:\program files\Free Offers from Freeze.com\6884.url
    c:\program files\Free Offers from Freeze.com\clickfinderror.ico
    c:\program files\Free Offers from Freeze.com\control.txt
    c:\program files\Free Offers from Freeze.com\musicoasis.ico
    c:\program files\PriceGong
    c:\program files\PriceGong\2.1.0\FF\chrome.manifest
    c:\program files\PriceGong\2.1.0\FF\components\PriceGong.xpt
    c:\program files\PriceGong\2.1.0\FF\components\PriceGongFF.dll
    c:\program files\PriceGong\2.1.0\FF\content\options.js
    c:\program files\PriceGong\2.1.0\FF\content\options.xul
    c:\program files\PriceGong\2.1.0\FF\content\PriceGong.png
    c:\program files\PriceGong\2.1.0\FF\install.rdf
    c:\program files\PriceGong\2.1.0\PriceGongIE.dll
    c:\program files\PriceGong\uninst.exe
    C:\TDSSKiller_Quarantine
    c:\tdsskiller_quarantine\24.03.2011_23.12.57\boot0000\mbr0000\object.ini
    c:\tdsskiller_quarantine\24.03.2011_23.12.57\boot0000\mbr0000\tsk0000.dta
    c:\tdsskiller_quarantine\24.03.2011_23.12.57\boot0000\mbr0000\tsk0000.ini
    c:\tdsskiller_quarantine\24.03.2011_23.12.57\boot0000\object.ini
    c:\tdsskiller_quarantine\27.03.2011_21.02.22\boot0000\mbr0000\object.ini
    c:\tdsskiller_quarantine\27.03.2011_21.02.22\boot0000\mbr0000\tsk0000.dta
    c:\tdsskiller_quarantine\27.03.2011_21.02.22\boot0000\mbr0000\tsk0000.ini
    c:\tdsskiller_quarantine\27.03.2011_21.02.22\boot0000\object.ini
    c:\tdsskiller_quarantine\27.03.2011_21.02.22\boot0001\mbr0000\object.ini
    c:\tdsskiller_quarantine\27.03.2011_21.02.22\boot0001\mbr0000\tsk0000.dta
    c:\tdsskiller_quarantine\27.03.2011_21.02.22\boot0001\mbr0000\tsk0000.ini
    c:\tdsskiller_quarantine\27.03.2011_21.02.22\boot0001\object.ini
    .
    c:\windows\system32\proquota.exe was missing
    Restored copy from - c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\proquota.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-30 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-30 01:16 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
    2011-03-30 01:16 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
    2011-03-29 00:52 . 2011-03-29 00:52 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\NetAssistant
    2011-03-29 00:51 . 2011-03-29 00:51 -------- d-----w- c:\program files\Itibiti Soft Phone
    2011-03-29 00:51 . 2011-03-29 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\WeCareReminder
    2011-03-29 00:51 . 2011-03-29 00:51 -------- d-----w- c:\program files\7-Zip
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ------- Sigcheck -------
    .
    [7] 2008-04-14 . BD38D1EBE24A46BD3EDA059560AFBA12 . 1054208 . . [6.0] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\asms\60\msft\windows\common\controls\comctl32.dll
    [7] 2008-04-14 . 06F247492BC786CE5C24A23E178C711A . 617472 . . [5.82] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\comctl32.dll
    [7] 2004-08-04 . AEF3D788DBF40C7C4D204EA45EB0C505 . 921088 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
    [7] 2004-08-04 . 5AF68A5E44734A082442668E9C787743 . 1050624 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
    [7] 2004-08-04 . A77DFB85FAEE49D66C74DA6024EBC69B . 611328 . . [5.82] . . c:\windows\$NtUninstallKB923191$\comctl32.dll
    [7] 2004-08-04 . A77DFB85FAEE49D66C74DA6024EBC69B . 611328 . . [5.82] . . c:\windows\Copy of system32\comctl32.dll
    [7] 2004-08-04 . AEF3D788DBF40C7C4D204EA45EB0C505 . 921088 . . [6.0] . . c:\windows\I386\ASMS\6000\MSFT\WINDOWS\COMMON\CONTROLS\COMCTL32.DLL
    [-] 2004-08-04 . F7B47E54AFEA44E21E745A1249D7C384 . 611328 . . [5.82] . . c:\windows\system32\comctl32.dll
    [7] 2004-08-04 . A77DFB85FAEE49D66C74DA6024EBC69B . 611328 . . [5.82] . . c:\windows\system32\dllcache\comctl32.dll
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-03-29_03.15.47 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-03-30 01:01 . 2011-03-30 01:01 16384 c:\windows\Temp\Perflib_Perfdata_5b0.dat
    + 2011-03-30 01:00 . 2011-03-30 01:00 16384 c:\windows\Temp\Perflib_Perfdata_580.dat
    + 2008-10-22 09:47 . 2010-04-21 13:28 46080 c:\windows\system32\tzchange.exe
    - 2008-10-22 09:47 . 2009-10-28 15:07 46080 c:\windows\system32\tzchange.exe
    - 2004-08-04 12:00 . 2009-12-22 05:42 39424 c:\windows\system32\pngfilt.dll
    + 2004-08-04 12:00 . 2010-04-16 15:36 39424 c:\windows\system32\pngfilt.dll
    + 2009-11-06 03:17 . 2009-11-06 03:17 11600 c:\windows\system32\mui\0409\mscorees.dll
    + 2004-08-04 12:00 . 2010-04-16 15:36 16384 c:\windows\system32\jsproxy.dll
    - 2004-08-04 12:00 . 2009-12-22 05:42 16384 c:\windows\system32\jsproxy.dll
    - 2004-08-04 11:00 . 2009-12-22 05:42 96256 c:\windows\system32\inseng.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 96256 c:\windows\system32\inseng.dll
    - 2004-08-04 12:00 . 2009-12-22 05:42 81920 c:\windows\system32\ieencode.dll
    + 2004-08-04 12:00 . 2010-04-16 15:36 81920 c:\windows\system32\ieencode.dll
    - 2004-08-04 12:00 . 2009-12-22 05:42 55808 c:\windows\system32\extmgr.dll
    + 2004-08-04 12:00 . 2010-04-16 15:36 55808 c:\windows\system32\extmgr.dll
    + 2004-08-04 12:00 . 2010-04-16 15:36 39424 c:\windows\system32\dllcache\pngfilt.dll
    - 2004-08-04 12:00 . 2009-12-22 05:42 39424 c:\windows\system32\dllcache\pngfilt.dll
    + 2004-08-04 12:00 . 2010-04-16 15:36 16384 c:\windows\system32\dllcache\jsproxy.dll
    - 2004-08-04 12:00 . 2009-12-22 05:42 16384 c:\windows\system32\dllcache\jsproxy.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 96256 c:\windows\system32\dllcache\inseng.dll
    - 2004-08-04 11:00 . 2009-12-22 05:42 96256 c:\windows\system32\dllcache\inseng.dll
    + 2004-08-04 12:00 . 2010-04-16 15:36 81920 c:\windows\system32\dllcache\ieencode.dll
    - 2004-08-04 12:00 . 2009-12-22 05:42 81920 c:\windows\system32\dllcache\ieencode.dll
    + 2004-08-04 12:00 . 2010-04-16 13:36 18432 c:\windows\system32\dllcache\iedw.exe
    - 2004-08-04 12:00 . 2009-12-16 12:57 18432 c:\windows\system32\dllcache\iedw.exe
    - 2004-08-04 12:00 . 2009-12-22 05:42 55808 c:\windows\system32\dllcache\extmgr.dll
    + 2004-08-04 12:00 . 2010-04-16 15:36 55808 c:\windows\system32\dllcache\extmgr.dll
    + 2004-08-04 12:00 . 2010-01-13 14:10 85504 c:\windows\system32\dllcache\cabview.dll
    + 2004-08-04 12:00 . 2010-03-05 14:57 65536 c:\windows\system32\dllcache\asycfilt.dll
    + 2004-08-04 12:00 . 2010-01-13 14:10 85504 c:\windows\system32\cabview.dll
    + 2004-08-04 12:00 . 2010-03-05 14:57 65536 c:\windows\system32\asycfilt.dll
    + 2010-04-01 16:42 . 2010-04-01 16:42 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
    + 2010-03-31 19:51 . 2010-03-31 19:51 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
    - 2008-05-28 05:49 . 2008-05-28 05:49 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
    - 2008-05-28 05:49 . 2008-05-28 05:49 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
    + 2010-03-31 19:51 . 2010-03-31 19:51 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
    - 2008-05-28 05:49 . 2008-05-28 05:49 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
    + 2010-03-31 19:51 . 2010-03-31 19:51 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
    + 2010-03-31 20:32 . 2010-03-31 20:32 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
    - 2008-05-28 06:30 . 2008-05-28 06:30 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
    - 2003-02-21 09:19 . 2003-02-21 09:19 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
    + 2010-03-31 20:32 . 2010-03-31 20:32 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
    + 2011-03-29 23:34 . 2011-03-29 23:34 90112 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_df50a8f8\System.Drawing.Design.dll
    + 2011-03-29 23:34 . 2011-03-29 23:34 61440 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_a2f74945\CustomMarshalers.dll
    + 2011-03-29 03:55 . 2011-03-29 03:55 81920 c:\windows\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
    - 2009-04-16 22:14 . 2009-12-16 13:33 352768 c:\windows\system32\xpsp3res.dll
    + 2009-04-16 22:14 . 2010-04-16 13:21 352768 c:\windows\system32\xpsp3res.dll
    + 2004-08-04 12:00 . 2009-12-24 07:05 177664 c:\windows\system32\wintrust.dll
    - 2004-08-04 11:00 . 2009-12-22 05:42 662016 c:\windows\system32\wininet.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 662016 c:\windows\system32\wininet.dll
    + 2004-08-04 12:00 . 2010-03-10 08:02 417792 c:\windows\system32\vbscript.dll
    - 2004-08-04 12:00 . 2007-12-18 14:40 417792 c:\windows\system32\vbscript.dll
    - 2004-08-04 11:00 . 2009-12-22 05:42 624640 c:\windows\system32\urlmon.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 624640 c:\windows\system32\urlmon.dll
    - 2004-08-04 11:00 . 2009-12-08 09:13 474112 c:\windows\system32\shlwapi.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 474112 c:\windows\system32\shlwapi.dll
    - 2004-08-04 12:00 . 2009-12-22 05:42 532480 c:\windows\system32\mstime.dll
    + 2004-08-04 12:00 . 2010-04-16 15:36 532480 c:\windows\system32\mstime.dll
    + 2004-08-04 12:00 . 2010-04-16 15:36 146432 c:\windows\system32\msrating.dll
    - 2004-08-04 12:00 . 2009-12-22 05:42 146432 c:\windows\system32\msrating.dll
    + 2004-08-04 12:00 . 2010-04-16 15:36 449024 c:\windows\system32\mshtmled.dll
    - 2004-08-04 12:00 . 2009-12-22 05:42 449024 c:\windows\system32\mshtmled.dll
    - 2004-08-04 12:00 . 2008-04-11 18:50 683520 c:\windows\system32\inetcomm.dll
    + 2004-08-04 12:00 . 2010-01-29 15:08 683520 c:\windows\system32\inetcomm.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 251392 c:\windows\system32\iepeers.dll
    - 2004-08-04 11:00 . 2009-12-22 05:42 251392 c:\windows\system32\iepeers.dll
    + 2005-01-27 04:56 . 2011-03-30 00:24 239144 c:\windows\system32\FNTCACHE.DAT
    - 2005-01-27 04:56 . 2009-11-12 01:57 239144 c:\windows\system32\FNTCACHE.DAT
    - 2004-08-04 12:00 . 2009-12-22 05:42 205312 c:\windows\system32\dxtrans.dll
    + 2004-08-04 12:00 . 2010-04-16 15:36 205312 c:\windows\system32\dxtrans.dll
    - 2004-08-04 12:00 . 2009-12-22 05:42 357888 c:\windows\system32\dxtmsft.dll
    + 2004-08-04 12:00 . 2010-04-16 15:36 357888 c:\windows\system32\dxtmsft.dll
    + 2004-08-04 12:00 . 2010-02-11 12:01 226880 c:\windows\system32\drivers\tcpip6.sys
    + 2004-08-04 11:00 . 2010-02-24 12:31 454016 c:\windows\system32\drivers\mrxsmb.sys
    + 2004-08-04 12:00 . 2009-12-24 07:05 177664 c:\windows\system32\dllcache\wintrust.dll
    - 2004-08-04 11:00 . 2009-12-22 05:42 662016 c:\windows\system32\dllcache\wininet.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 662016 c:\windows\system32\dllcache\wininet.dll
    - 2004-08-04 12:00 . 2007-12-18 14:40 417792 c:\windows\system32\dllcache\vbscript.dll
    + 2004-08-04 12:00 . 2010-03-10 08:02 417792 c:\windows\system32\dllcache\vbscript.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 624640 c:\windows\system32\dllcache\urlmon.dll
    - 2004-08-04 11:00 . 2009-12-22 05:42 624640 c:\windows\system32\dllcache\urlmon.dll
    + 2004-08-04 12:00 . 2010-02-11 12:01 226880 c:\windows\system32\dllcache\tcpip6.sys
    - 2004-08-04 11:00 . 2009-12-08 09:13 474112 c:\windows\system32\dllcache\shlwapi.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 474112 c:\windows\system32\dllcache\shlwapi.dll
    - 2004-08-04 12:00 . 2009-12-22 05:42 532480 c:\windows\system32\dllcache\mstime.dll
    + 2004-08-04 12:00 . 2010-04-16 15:36 532480 c:\windows\system32\dllcache\mstime.dll
    + 2004-08-04 12:00 . 2010-04-16 15:36 146432 c:\windows\system32\dllcache\msrating.dll
    - 2004-08-04 12:00 . 2009-12-22 05:42 146432 c:\windows\system32\dllcache\msrating.dll
    - 2004-08-04 12:00 . 2009-12-22 05:42 449024 c:\windows\system32\dllcache\mshtmled.dll
    + 2004-08-04 12:00 . 2010-04-16 15:36 449024 c:\windows\system32\dllcache\mshtmled.dll
    + 2009-02-07 16:08 . 2010-02-24 12:31 454016 c:\windows\system32\dllcache\mrxsmb.sys
    - 2004-08-04 12:00 . 2008-04-11 18:50 683520 c:\windows\system32\dllcache\inetcomm.dll
    + 2004-08-04 12:00 . 2010-01-29 15:08 683520 c:\windows\system32\dllcache\inetcomm.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 251392 c:\windows\system32\dllcache\iepeers.dll
    - 2004-08-04 11:00 . 2009-12-22 05:42 251392 c:\windows\system32\dllcache\iepeers.dll
    - 2004-08-04 12:00 . 2004-08-04 12:00 743936 c:\windows\system32\dllcache\helpsvc.exe
    + 2004-08-04 12:00 . 2010-06-14 14:30 743936 c:\windows\system32\dllcache\helpsvc.exe
    - 2004-08-04 12:00 . 2009-12-22 05:42 205312 c:\windows\system32\dllcache\dxtrans.dll
    + 2004-08-04 12:00 . 2010-04-16 15:36 205312 c:\windows\system32\dllcache\dxtrans.dll
    + 2004-08-04 12:00 . 2010-04-16 15:36 357888 c:\windows\system32\dllcache\dxtmsft.dll
    - 2004-08-04 12:00 . 2009-12-22 05:42 357888 c:\windows\system32\dllcache\dxtmsft.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 151040 c:\windows\system32\dllcache\cdfview.dll
    - 2004-08-04 11:00 . 2009-12-22 05:42 151040 c:\windows\system32\dllcache\cdfview.dll
    + 2004-08-04 12:00 . 2010-04-20 05:51 285696 c:\windows\system32\dllcache\atmfd.dll
    - 2004-08-04 12:00 . 2004-08-04 12:00 285696 c:\windows\system32\dllcache\atmfd.dll
    + 2004-08-04 12:00 . 2010-02-12 04:47 100864 c:\windows\system32\dllcache\6to4svc.dll
    - 2004-08-04 11:00 . 2009-12-22 05:42 151040 c:\windows\system32\cdfview.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 151040 c:\windows\system32\cdfview.dll
    + 2004-08-04 12:00 . 2010-04-20 05:51 285696 c:\windows\system32\atmfd.dll
    - 2004-08-04 12:00 . 2004-08-04 12:00 285696 c:\windows\system32\atmfd.dll
    + 2004-08-04 12:00 . 2010-02-12 04:47 100864 c:\windows\system32\6to4svc.dll
    - 2004-08-04 12:00 . 2004-08-04 12:00 743936 c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
    + 2004-08-04 12:00 . 2010-06-14 14:30 743936 c:\windows\pchealth\helpctr\binaries\helpsvc.exe
    - 2008-05-28 05:49 . 2008-05-28 05:49 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
    + 2010-03-31 19:51 . 2010-03-31 19:51 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
    + 2010-03-31 19:49 . 2010-03-31 19:49 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
    - 2008-05-28 05:48 . 2008-05-28 05:48 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
    + 2010-03-31 20:32 . 2010-03-31 20:32 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
    - 2008-05-28 06:30 . 2008-05-28 06:30 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
    + 2005-05-05 17:36 . 2010-02-24 12:31 454016 c:\windows\Driver Cache\i386\mrxsmb.sys
    + 2011-03-29 23:35 . 2011-03-29 23:35 835584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_163e0e39\System.Drawing.dll
    + 2011-03-29 23:36 . 2011-03-29 23:36 192512 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_acd5541a\System.Drawing.Design.dll
    + 2011-03-29 23:36 . 2011-03-29 23:36 118784 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_3cf78c3a\CustomMarshalers.dll
    + 2004-08-04 11:00 . 2010-04-06 09:52 2462720 c:\windows\system32\WMVCore.dll
    + 2004-08-04 12:00 . 2010-05-02 05:56 1850880 c:\windows\system32\win32k.sys
    + 2004-08-04 11:00 . 2010-04-16 15:36 1506304 c:\windows\system32\shdocvw.dll
    - 2004-08-04 11:00 . 2009-12-22 05:42 1506304 c:\windows\system32\shdocvw.dll
    + 2004-08-04 12:00 . 2010-02-05 18:40 1291264 c:\windows\system32\quartz.dll
    - 2004-08-04 12:00 . 2009-11-27 17:33 1291264 c:\windows\system32\quartz.dll
    + 2004-08-04 12:00 . 2010-02-16 13:19 2181376 c:\windows\system32\ntoskrnl.exe
    + 2004-08-04 18:00 . 2010-02-16 12:39 2058368 c:\windows\system32\ntkrnlpa.exe
    + 2004-08-04 11:00 . 2010-04-16 15:36 3065344 c:\windows\system32\mshtml.dll
    + 2004-08-04 11:00 . 2010-04-06 09:52 2462720 c:\windows\system32\dllcache\WMVCore.dll
    + 2004-08-04 12:00 . 2010-05-02 05:56 1850880 c:\windows\system32\dllcache\win32k.sys
    + 2004-08-04 11:00 . 2010-04-16 15:36 1506304 c:\windows\system32\dllcache\shdocvw.dll
    - 2004-08-04 11:00 . 2009-12-22 05:42 1506304 c:\windows\system32\dllcache\shdocvw.dll
    - 2004-08-04 12:00 . 2009-11-27 17:33 1291264 c:\windows\system32\dllcache\quartz.dll
    + 2004-08-04 12:00 . 2010-02-05 18:40 1291264 c:\windows\system32\dllcache\quartz.dll
    + 2009-02-07 16:10 . 2010-02-16 13:19 2181376 c:\windows\system32\dllcache\ntoskrnl.exe
    + 2009-02-07 16:10 . 2010-02-16 12:39 2016768 c:\windows\system32\dllcache\ntkrpamp.exe
    + 2009-02-07 16:10 . 2010-02-16 12:39 2058368 c:\windows\system32\dllcache\ntkrnlpa.exe
    + 2009-02-07 16:10 . 2010-02-16 13:17 2137088 c:\windows\system32\dllcache\ntkrnlmp.exe
    + 2004-08-04 12:00 . 2010-01-29 15:08 1315840 c:\windows\system32\dllcache\msoe.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 3065344 c:\windows\system32\dllcache\mshtml.dll
    - 2004-08-04 12:00 . 2004-08-04 12:00 3555328 c:\windows\system32\dllcache\moviemk.exe
    + 2004-08-04 12:00 . 2009-10-23 14:27 3555328 c:\windows\system32\dllcache\moviemk.exe
    - 2004-08-04 12:00 . 2009-12-22 05:42 1054208 c:\windows\system32\dllcache\danim.dll
    + 2004-08-04 12:00 . 2010-04-16 15:36 1054208 c:\windows\system32\dllcache\danim.dll
    - 2004-08-04 11:00 . 2009-12-22 05:42 1023488 c:\windows\system32\dllcache\browseui.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 1023488 c:\windows\system32\dllcache\browseui.dll
    - 2004-08-04 12:00 . 2009-12-22 05:42 1054208 c:\windows\system32\danim.dll
    + 2004-08-04 12:00 . 2010-04-16 15:36 1054208 c:\windows\system32\danim.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 1023488 c:\windows\system32\browseui.dll
    - 2004-08-04 11:00 . 2009-12-22 05:42 1023488 c:\windows\system32\browseui.dll
    - 2008-05-28 06:35 . 2008-05-28 06:35 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
    + 2010-04-01 16:42 . 2010-04-01 16:42 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
    - 2008-05-28 06:35 . 2008-05-28 06:35 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
    + 2010-04-01 16:42 . 2010-04-01 16:42 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
    - 2008-05-28 05:48 . 2008-05-28 05:48 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
    + 2010-03-31 19:50 . 2010-03-31 19:50 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
    + 2010-03-31 19:50 . 2010-03-31 19:50 2527232 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
    - 2008-05-28 05:43 . 2008-05-28 05:43 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
    + 2010-04-01 16:42 . 2010-04-01 16:42 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
    + 2005-03-02 00:59 . 2010-02-16 13:19 2181376 c:\windows\Driver Cache\i386\ntoskrnl.exe
    + 2005-03-02 00:34 . 2010-02-16 12:39 2016768 c:\windows\Driver Cache\i386\ntkrpamp.exe
    + 2005-03-02 00:34 . 2010-02-16 12:39 2058368 c:\windows\Driver Cache\i386\ntkrnlpa.exe
    + 2005-03-02 00:57 . 2010-02-16 13:17 2137088 c:\windows\Driver Cache\i386\ntkrnlmp.exe
    + 2011-03-29 03:56 . 2011-03-29 03:56 1966080 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_391f4b1e\System.dll
    + 2011-03-29 23:36 . 2011-03-29 23:36 4792320 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_055d7ce0\System.dll
    + 2011-03-29 23:36 . 2011-03-29 23:36 5513216 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_c235e3f4\System.Xml.dll
    + 2011-03-29 23:34 . 2011-03-29 23:34 2088960 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_3de89447\System.Xml.dll
    + 2011-03-29 23:36 . 2011-03-29 23:36 7884800 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_ffb61ee7\System.Windows.Forms.dll
    + 2011-03-29 23:34 . 2011-03-29 23:34 3018752 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_20029734\System.Windows.Forms.dll
    + 2011-03-29 23:37 . 2011-03-29 23:37 2244608 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_baa6edd6\System.Drawing.dll
    + 2011-03-29 23:35 . 2011-03-29 23:35 1470464 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_bd4fd532\System.Design.dll
    + 2011-03-29 23:37 . 2011-03-29 23:37 3395584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_6f846892\System.Design.dll
    + 2011-03-29 23:35 . 2011-03-29 23:35 3391488 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_ba04c71a\mscorlib.dll
    + 2011-03-29 23:37 . 2011-03-29 23:37 8908800 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_23ccc13a\mscorlib.dll
    - 2009-10-15 00:08 . 2009-10-15 00:08 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
    + 2011-03-29 03:55 . 2011-03-29 03:55 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
    - 2009-10-15 00:08 . 2009-10-15 00:08 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
    + 2011-03-29 03:55 . 2011-03-29 03:55 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
    + 2010-04-03 00:29 . 2010-04-03 00:29 11413504 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M979906\M979906Uninstall.msp
    + 2010-04-02 17:30 . 2010-04-02 17:30 17456640 c:\windows\Installer\2f2bd6.msp
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-05-05 180269]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
    backup=c:\windows\pss\SpySubtract.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^MLB.TV NexDef Plug-in.lnk]
    path=c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\MLB.TV NexDef Plug-in.lnk
    backup=c:\windows\pss\MLB.TV NexDef Plug-in.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
    2004-09-07 19:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2004-08-04 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
    2003-12-22 14:38 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2004-02-18 17:55 49152 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
    2005-02-26 05:34 245760 ----a-w- c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
    2004-03-04 15:46 172032 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2008-11-20 19:20 290088 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
    2008-12-07 05:21 2387968 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
    2004-10-14 20:54 253952 ----a-w- c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-11-11 05:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSPower]
    2005-01-04 23:54 49152 ----a-w- c:\windows\system32\SiSPower.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2008-06-10 09:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2005-05-05 17:48 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB2Check]
    2006-11-06 19:31 81920 ----a-w- c:\windows\system32\PCLECoInst.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "LightScribeService"=2 (0x2)
    "iPod Service"=3 (0x3)
    "gusvc"=3 (0x3)
    "Apple Mobile Device"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
    "c:\\Program Files\\TVAnts\\Tvants.exe"=
    .
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1205000.07D\symds.sys [12/27/2010 3:58 PM 340016]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1205000.07D\symefa.sys [12/27/2010 3:58 PM 652336]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1205000.07D\ironx86.sys [12/27/2010 3:58 PM 136312]
    R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\18.5.0.125\ccsvchst.exe [12/27/2010 3:58 PM 130000]
    S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20110309.001\BHDrvx86.sys [3/14/2011 3:38 PM 800376]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/24/2011 8:53 PM 102448]
    S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20110325.002\IDSXpx86.sys [3/14/2011 1:58 PM 341944]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2008-12-07 05:18 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxps://mianotes5.notes.assurant.com/dwa85W.cab
    FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\13zt6r9k.Default User\
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{1631550F-191D-4826-B069-D9439253D926} - c:\program files\PriceGong\2.1.0\PriceGongIE.dll
    AddRemove-PriceGong - c:\program files\PriceGong\uninst.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-29 20:16
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NAV]
    "ImagePath"="\"c:\program files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\18.5.0.125\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2011-03-29 20:18:22
    ComboFix-quarantined-files.txt 2011-03-30 01:18
    ComboFix2.txt 2011-03-29 03:18
    .
    Pre-Run: 133,429,030,912 bytes free
    Post-Run: 133,408,710,656 bytes free
    .
    - - End Of File - - FE7F534BDAFDF2DC4BE388F69DBE0C6F
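The file-change snapshot in the ComboFix log above (the `+`/`-` lines carrying a creation stamp, a dot, a modification stamp, a size and a path) is much easier to review once the old and new records of each file are paired up, because what matters is which system binaries changed and whether the change looks like a patch or like a downgrade. The following Python parser is an added example; it is not part of this thread and not ComboFix's own code. It reads that line format, pairs `-` and `+` records by path (case-insensitively, since NTFS paths are), and flags two things a reviewer would look at first: kernel or driver binaries that were replaced or newly appeared, and any file whose modification time went backwards. The sample input copies the shape of a few real lines from the log and adds one hypothetical driver, `example.sys`, whose timestamp regresses, so the check has something to fire on; the list of kernel file names is an assumption of the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Tuple

# One snapshot line: sign, creation stamp, ".", modification stamp, size, path.
LINE_RE = re.compile(
    r"^([+-])\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+)\s+(.+?)\s*$"
)

# Constructed sample: shape copied from the snapshot section of the log (a few
# real lines) plus a hypothetical driver "example.sys" whose modification time
# goes backwards, so that the regression check has a case to report.
SAMPLE_SNAPSHOT = r"""
- 2004-08-04 12:00 . 2009-12-22 05:42 146432 c:\windows\system32\dllcache\msrating.dll
+ 2004-08-04 12:00 . 2010-04-16 15:36 146432 c:\windows\system32\dllcache\msrating.dll
+ 2004-08-04 12:00 . 2010-05-02 05:56 1850880 c:\windows\system32\win32k.sys
- 2004-08-04 12:00 . 2004-08-04 12:00 743936 c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
+ 2004-08-04 12:00 . 2010-06-14 14:30 743936 c:\windows\pchealth\helpctr\binaries\helpsvc.exe
+ 2011-03-29 23:35 . 2011-03-29 23:35 835584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_163e0e39\System.Drawing.dll
- 2009-01-01 00:00 . 2010-01-01 00:00 4096 c:\windows\system32\drivers\example.sys
+ 2009-01-01 00:00 . 2008-01-01 00:00 4096 c:\windows\system32\drivers\example.sys
.
-- Snapshot reset to current date --
"""

# Assumed set of kernel-level binaries worth a second look whenever they change.
KERNEL_NAMES = {"ntoskrnl.exe", "ntkrnlpa.exe", "ntkrnlmp.exe", "ntkrpamp.exe",
                "win32k.sys", "atmfd.dll", "mrxsmb.sys"}


class Entry(NamedTuple):
    sign: str          # '+' = record from the new snapshot, '-' = record from the old one
    created: datetime
    modified: datetime
    size: int
    path: str


def parse_snapshot(text: str) -> List[Entry]:
    """Turn the +/- lines into Entry records; headers and '.' separators are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sign, created, modified, size, path = m.groups()
        entries.append(Entry(sign,
                             datetime.strptime(created, "%Y-%m-%d %H:%M"),
                             datetime.strptime(modified, "%Y-%m-%d %H:%M"),
                             int(size), path))
    return entries


def summarize(entries: List[Entry]) -> Dict[str, list]:
    """Pair old/new records per path: replaced (both), added (+ only), removed (- only)."""
    by_path: Dict[str, Dict[str, Entry]] = defaultdict(dict)
    for e in entries:
        by_path[e.path.lower()][e.sign] = e       # NTFS paths are case-insensitive
    out: Dict[str, list] = {"replaced": [], "added": [], "removed": []}
    for pair in by_path.values():
        if "+" in pair and "-" in pair:
            out["replaced"].append((pair["-"], pair["+"]))
        elif "+" in pair:
            out["added"].append(pair["+"])
        else:
            out["removed"].append(pair["-"])
    return out


def is_high_value(path: str) -> bool:
    """Drivers, anything under system32\\drivers, and the kernel images listed above."""
    p = path.lower()
    return (p.endswith(".sys") or "\\system32\\drivers\\" in p
            or p.rsplit("\\", 1)[-1] in KERNEL_NAMES)


def flag_suspicious(summary: Dict[str, list]) -> List[str]:
    """Heuristics only: a timestamp regression or a changed kernel/driver binary is
    a reason to verify the file (signature, known update), not proof of anything."""
    findings = []
    for old, new in summary["replaced"]:
        if new.modified < old.modified:
            findings.append(f"mtime went backwards: {new.path} "
                            f"({old.modified:%Y-%m-%d} -> {new.modified:%Y-%m-%d})")
        if is_high_value(new.path):
            findings.append(f"kernel/driver binary replaced: {new.path}")
    for e in summary["added"]:
        if is_high_value(e.path):
            findings.append(f"kernel/driver binary added: {e.path}")
    return findings


if __name__ == "__main__":
    summary = summarize(parse_snapshot(SAMPLE_SNAPSHOT))
    for kind in ("replaced", "added", "removed"):
        print(f"{kind}: {len(summary[kind])}")
    for line in flag_suspicious(summary):
        print("  ", line)
```

Run against the full log by pasting the snapshot section into `SAMPLE_SNAPSHOT` or reading it from a file. A `+` record with no `-` partner only means the old snapshot had no record of that path; it does not by itself say where the file came from, which is why the flagged names still need checking against their digital signature or a known update.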
     
  15. JAllman

    JAllman TS Rookie Topic Starter Posts: 17

    All processes killed
    ========== PROCESSES ==========
    No active process named D:\I386\Apps\APP09527\src\SpyInstall_HPPre.exe was found!
    ========== FILES ==========
    C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe moved successfully.
    C:\Program Files\InterMute\SpySubtract\ssengine.dll moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Admin
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Administrator.HOME
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes

    User: All Users

    User: Compaq_Owner
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 251698 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 54721835 bytes
    ->Flash cache emptied: 14346 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Jessica
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: John
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 65536 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 5034 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 14928 bytes

    User: test
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 53.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 03292011_202308

    Files moved on Reboot...

    Registry entries deleted on Reboot...
     
  16. JAllman

    JAllman TS Rookie Topic Starter Posts: 17

The system seems to be running stably now. You asked about drive D:. It is not a flash drive. It is just the recovery partition of the HDD. Is that the correct term?

    I did not understand the part about
    ==========================================
    Replace the Host Files
    ==========================================

    what exactly did you want me to do?
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I want you to click on the blue text that says Replace Host Files and follow the prompts. The link is embedded in the words.

Hyperlinks appear in blue. Placing the cursor on the link makes the gloved pointing-finger icon show. Doing a left click takes you to the link. This will be standard in all internet text.

    Edit: Adding text:
Whatever you're using to back up included an infected file:
    D:\I386\Apps\APP09527\src\SpyInstall_HPPre.exe

See if you can open Drive D:, select this file and press Shift together with Del (Delete).
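The "Replace Host Files" step Bobbye points to swaps the machine's hosts file (on XP, `C:\WINDOWS\system32\drivers\etc\hosts`) for a known-good copy; the MVPS batch file JAllman runs later in the thread does that replacement. It is worth understanding what the replacement undoes: malware commonly edits the hosts file so that antivirus and update sites resolve to a dead or attacker-controlled address, and a block-list style hosts file only ever points names at loopback or 0.0.0.0. The following Python audit is an added example, not something from this thread or from the MVPS script. It parses a hosts file, reports security-vendor names that have been redirected or blackholed and any other name pinned to a non-local address, and can emit a copy with the offending lines removed. The vendor-domain list and the sample hosts file are constructed for the example; the addresses use the 203.0.113.0/24 documentation range.

```python
import ipaddress
from typing import List, NamedTuple

HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"   # XP location, for reference

# Assumed list of security-vendor domains. A hosts entry for any of these is
# almost never legitimate: the vendor's real address should come from DNS.
PROTECTED_SUFFIXES = (
    "symantec.com", "norton.com", "symantecliveupdate.com",
    "malwarebytes.org", "microsoft.com", "windowsupdate.com", "gmer.net",
)

# Constructed sample hosts file, not taken from the machine in this thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ad.doubleclick.net       # block-list style entry, fine
127.0.0.1       ads.example.net          # older block-list style entry, fine
203.0.113.10    www.symantec.com         # hijack: vendor domain sent elsewhere
203.0.113.10    liveupdate.symantecliveupdate.com
0.0.0.0         www.malwarebytes.org     # hijack: vendor domain blackholed
203.0.113.20    www.google.com           # not a vendor, but still pinned: review it
"""


class Finding(NamedTuple):
    line_no: int
    ip: str
    host: str
    reason: str


def _is_sinkhole(ip) -> bool:
    # 127.0.0.0/8, ::1 and 0.0.0.0 are the only targets a block list uses.
    return ip.is_loopback or ip.is_unspecified


def _is_protected(host: str) -> bool:
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text: str) -> List[Finding]:
    """Return one Finding per suspicious (line, hostname) pair in a hosts file."""
    findings: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append(Finding(n, fields[0], "", "unparseable address"))
            continue
        for host in fields[1:]:
            if _is_protected(host):
                what = "blackholed" if _is_sinkhole(ip) else "redirected"
                findings.append(Finding(n, str(ip), host, f"security vendor domain {what}"))
            elif not _is_sinkhole(ip):
                findings.append(Finding(n, str(ip), host, "name pinned to a non-local address"))
    return findings


def strip_hijacks(text: str) -> str:
    """Copy of the hosts text with every flagged line removed (comments and
    block-list entries are kept)."""
    bad = {f.line_no for f in audit_hosts(text)}
    kept = [l for n, l in enumerate(text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.ip:<14} {f.host:<40} {f.reason}")
    print("--- cleaned ---")
    print(strip_hijacks(SAMPLE_HOSTS), end="")
```

To run it on a real XP hosts file, read `HOSTS_PATH` into `audit_hosts`. A "pinned to a non-local address" finding is not automatically bad (an intranet name mapped to an internal server is normal on a managed network), which is why the example reports it separately from the vendor-domain cases; on a home machine like the one in this thread there is rarely a reason for any such line. Note that the file is often set read-only or hidden after an infection, so a replacement script has to clear those attributes before it can write.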
     
  18. JAllman

    JAllman TS Rookie Topic Starter Posts: 17

Thank you, but I do know what a hyperlink is. I was offended when I read your reply at first, but upon further review I don't think that was your intention. I guess you may deal with some people who don't know this type of thing. I just can't resist pointing that out, sorry.

    I was able to delete D:\I386\Apps\APP09527\src\SpyInstall_HPPre.exe

I will follow the instructions about replacing the host file. I guess I was hoping you didn't actually want me to read that whole thing. All of your instructions have been straightforward. This article is a different story. Wish me luck.
     
  19. JAllman

    JAllman TS Rookie Topic Starter Posts: 17

    I ran mvps.bat. This article is really confusing. Is that all you wanted me to do?
     
  20. JAllman

    JAllman TS Rookie Topic Starter Posts: 17

Also, Firefox is telling me an add-on for freeze.com was installed. I am given the option to ENABLE, but UNINSTALL is greyed out.

Never mind, I uninstalled it through Add/Remove Programs.
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Be forewarned! Don't mess with me today! Yesterday my damn internet was down- again and today I'm working between squall lines and a tornado watch!

And I will mention that each one of the replies sends me email feedback. If I haven't replied yet and you have something to add, other than logs, use Edit and add to the existing reply. That won't send another email, but I'll see it when I'm back on the thread.

    I've done a pretty good job of cleaning up your system. Did you go back to the Free Offers from Freeze.com?

Shutting down; later or in the AM. Storm.

Sorry about the host file confusion. I usually just leave the link. I had a short description, but no one reads it.
     
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Well, I have put one very tough week behind me! Did you want to continue? Or has the performance issue been resolved?
     
Topic Status:
Not open for further replies.
