Redirecting on search results, popups, McAfee damaged

Solved
By R2D2B9
Apr 11, 2012
  1. McAfee gives an error:

    "The ordinal 1112 could not be located in the dynamic link library WSOCK32.dll"

    Computer constantly redirects or opens pop-ups during web browsing.

    Log files posted below:

    -----------------------------------------------

    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.04.11.06

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    HP_Owner :: YOUR-D0F670B45A [administrator]

    4/11/2012 5:16:55 PM
    mbam-log-2012-04-11 (17-16-55).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 216501
    Time elapsed: 39 minute(s), 20 second(s)

    Memory Processes Detected: 1
    C:\WINDOWS\system32\0uN0drVDp.com (Backdoor.Agent.H) -> 1964 -> Delete on reboot.

    Memory Modules Detected: 1
    C:\WINDOWS\system32\lvuvc.dll (RootKit.0Access.H) -> Delete on reboot.

    Registry Keys Detected: 1
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Trojan.Krypt) -> Quarantined and deleted successfully.

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 18
    C:\WINDOWS\system32\lvuvc.dll (RootKit.0Access.H) -> Delete on reboot.
    C:\WINDOWS\system32\0uN0drVDp.com_ (Backdoor.Agent.H) -> Delete on reboot.
    C:\WINDOWS\system32\0uN0drVDp.com (Backdoor.Agent.H) -> Delete on reboot.
    C:\Documents and Settings\HP_Owner\Local Settings\Temp\sghj0.6884074251720731.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\tue0.01720785359643806.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\tue0.1432090184478646.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\tue0.34209091113649404.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\tue0.382014815493416.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\tue0.40010392119493454.exe (Trojan.CryptPro.Gen) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\tue0.5235407241632137.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\tue0.7574299220759129.exe (Trojan.CryptPro.Gen) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\tue0.7885395720864793.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\tue0.8548748101895046.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\hki2406.exe (Backdoor.Agent.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\dpqpws\setup.exe (Trojan.Krypt) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\ggndao\setup.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Owner\Desktop\Security Updates.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\jika0.7963916282801337.exe (Exploit.Drop.6) -> Quarantined and deleted successfully.

    (end)
    --------------------------------------------------------------------------------------------------------

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-04-11 18:19:16
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7 WDC_WD1600JS-60NCB1 rev.10.02E02
    Running: kpu00bdf.exe; Driver: C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\uflcraoc.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateKey [0xF20BF6C6]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateValueKey [0xF20BF91C]

    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEEE3138B]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEEE313B5]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEEE31375]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEEE313CB]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEEE3139F]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
    AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
    AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

    ---- EOF - GMER 1.0.15 ----
  2. R2D2B9

    R2D2B9 TechSpot Member Topic Starter Posts: 64

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 11/8/2006 5:01:26 PM
    System Uptime: 4/11/2012 5:59:32 PM (1 hours ago)
    .
    Motherboard: ECS | | Asterope3
    Processor: Intel(R) Pentium(R) 4 CPU 3.06GHz | CPU 1 | 3065/133mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 142 GiB total, 125.208 GiB free.
    D: is FIXED (FAT32) - 7 GiB total, 0.301 GiB free.
    F: is Removable
    G: is Removable
    H: is Removable
    I: is CDROM ()
    J: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP118: 10/29/2011 10:32:24 AM - System Checkpoint
    RP119: 11/27/2011 9:58:51 AM - System Checkpoint
    RP120: 12/3/2011 3:49:32 PM - System Checkpoint
    RP121: 12/3/2011 4:47:57 PM - Software Distribution Service 3.0
    RP122: 12/3/2011 4:53:35 PM - Software Distribution Service 3.0
    RP123: 12/5/2011 6:39:46 PM - System Checkpoint
    RP124: 12/6/2011 11:00:17 AM - Software Distribution Service 3.0
    RP125: 12/19/2011 1:54:05 PM - Software Distribution Service 3.0
    RP126: 12/24/2011 11:39:08 AM - System Checkpoint
    RP127: 12/28/2011 2:26:38 PM - Restore Operation
    RP128: 12/28/2011 2:43:23 PM - Software Distribution Service 3.0
    RP129: 12/28/2011 2:59:44 PM - Software Distribution Service 3.0
    RP130: 1/1/2012 11:45:48 AM - Software Distribution Service 3.0
    RP131: 1/13/2012 2:01:01 PM - System Checkpoint
    RP132: 1/14/2012 11:00:18 AM - Software Distribution Service 3.0
    RP133: 1/16/2012 4:18:52 PM - Software Distribution Service 3.0
    RP134: 1/16/2012 4:35:31 PM - Software Distribution Service 3.0
    RP135: 1/16/2012 5:19:17 PM - Software Distribution Service 3.0
    RP136: 1/17/2012 6:13:46 PM - System Checkpoint
    RP137: 1/23/2012 4:04:04 PM - System Checkpoint
    RP138: 1/24/2012 4:24:11 PM - System Checkpoint
    RP139: 2/1/2012 4:54:46 PM - Software Distribution Service 3.0
    RP140: 2/17/2012 2:54:30 PM - Software Distribution Service 3.0
    RP141: 3/5/2012 3:32:07 PM - System Checkpoint
    RP142: 3/23/2012 11:00:41 AM - Software Distribution Service 3.0
    .
    ==== Installed Programs ======================
    .
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader 7.0.5
    AiO_Scan_CDA
    AiOSoftwareNPI
    ATI Control Panel
    ATI Display Driver
    AutoUpdate
    BufferChm
    COMODO Internet Security
    CP_CalendarTemplates1
    cp_OnlineProjectsConfig
    CP_Package_Basic1
    CP_Panorama1Config
    CueTour
    Customer Experience Enhancement
    CustomerResearchQFolder
    Data Fax SoftModem with SmartCP
    Destinations
    DeviceManagementQFolder
    DivX
    Easy Internet Sign-up
    eSupportQFolder
    F300
    F300_Help
    Fax_CDA
    FullDPAppQFolder
    High Definition Audio Driver Package - KB888111
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Boot Optimizer
    HP Customer Participation Program 7.0
    HP DVD Play 2.1
    HP Imaging Device Functions 7.0
    HP Photosmart Essential
    HP Photosmart, Officejet and Deskjet 7.0.A
    HP Software Update
    HP Solution Center 7.0
    HP Support Overview
    HP USB Multimedia Keyboard Driver V1.1
    HP Web Helper
    HPPhotoSmartExpress
    HPProductAssistant
    HpSdpAppCoreApp
    InstantShareDevicesMFC
    J2SE Runtime Environment 5.0 Update 6
    Java Auto Updater
    Java(TM) 6 Update 31
    LightScribe 1.4.105.1
    Malwarebytes Anti-Malware version 1.61.0.1400
    MarketResearch
    McAfee VirusScan Enterprise
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2656353)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft Money 2006
    Microsoft Office Professional Edition 2003
    Microsoft Office Standard Edition 2003 60 days trial
    Microsoft Works
    Mozilla Firefox 11.0 (x86 en-US)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    muvee autoProducer 5.0
    My HP Games
    Netscape Browser (remove only)
    NewCopy_CDA
    PC-Doctor 5 for Windows
    PhotoGallery
    ProductContextNPI
    Python 2.2 pywin32 extensions (build 203)
    Python 2.2.3
    Quicken 2006
    RandMap
    Readme
    RealPlayer
    Realtek High Definition Audio Driver
    Remove WeatherBug Installer
    Rhapsody
    Scan
    ScannerCopy
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB2647516)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2491683)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2584146)
    Security Update for Windows XP (KB2585542)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2598479)
    Security Update for Windows XP (KB2603381)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2621440)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2631813)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Security Update for Windows XP (KB2641653)
    Security Update for Windows XP (KB2646524)
    Security Update for Windows XP (KB2647518)
    Security Update for Windows XP (KB2660465)
    Security Update for Windows XP (KB2661637)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974455)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB976325)
    Security Update for Windows XP (KB977165-v2)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982381)
    Security Update for Windows XP (KB982665)
    SkinsHP1
    SolutionCenter
    Sonic Express Labeler
    Sonic MyDVD Plus
    Sonic RecordNow Audio
    Sonic RecordNow Copy
    Sonic RecordNow Data
    Sonic Update Manager
    Sonic_PrimoSDK
    Status
    Toolbox
    TrayApp
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB978207)
    Update for Windows XP (KB980182)
    Updates from HP (remove only)
    Verizon Broadband Toolbar
    Verizon Help and Support Tool
    Verizon Servicepoint 1.5.12
    Vz In Home Agent
    WebFldrs XP
    WebReg
    WildTangent Web Driver
    Windows Internet Explorer 8
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Service Pack 3
    Yahoo! Search Protection
    Yahoo! Software Update
    Yahoo! Toolbar
    .
    ==== Event Viewer Messages From Past Week ========
    .
    4/9/2012 1:16:40 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
    4/9/2012 1:16:40 PM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    4/9/2012 1:15:59 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
    4/8/2012 9:44:20 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
    4/8/2012 9:44:20 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    4/11/2012 6:15:00 PM, error: Schedule [7901] - The At86.job command failed to start due to the following error: %%2147942402
    4/11/2012 6:15:00 PM, error: Schedule [7901] - The At85.job command failed to start due to the following error: %%2147942402
    4/11/2012 6:15:00 PM, error: Schedule [7901] - The At38.job command failed to start due to the following error: %%2147942402
    4/11/2012 6:15:00 PM, error: Schedule [7901] - The At37.job command failed to start due to the following error: %%2147942402
    4/11/2012 6:01:39 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde ViaIde
    4/11/2012 6:00:06 PM, error: Service Control Manager [7023] - The Avsvcmonitor service terminated with the following error: The specified module could not be found.
    4/11/2012 6:00:05 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    .
    ==== End Of File ===========================
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31
    Run by HP_Owner at 18:20:26 on 2012-04-11
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.552 [GMT -4:00]
    .
    AV: McAfee VirusScan Enterprise *Disabled/Outdated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    FW: COMODO Firewall *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Verizon\McciTrayApp.exe
    C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
    C:\Program Files\HP USB Multimedia Keyboard\KMaestro.exe
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\Yahoo!\Search Protection\YspService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    \\.\globalroot\SystemRoot\system32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    c:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\System32\ping.exe
    C:\WINDOWS\System32\ping.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
    uSearch Page =
    uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    uWindow Title = Windows Internet Explorer provided by Yahoo!
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    uSearchAssistant =
    mSearchAssistant =
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Yahooo Search Protection: {25bc7718-0bfa-40ea-b381-4b2d9732d686} - c:\program files\yahoo!\search protection\ysp.dll
    BHO: Verizon Broadband Toolbar: {4e7bd74f-2b8d-469e-8cb0-ab60bb9aae22} - c:\progra~1\vol_to~1\VOL_TO~1.DLL
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
    BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    TB: Verizon Broadband Toolbar: {4e7bd74f-2b8d-469e-8cb0-ab60bb9aae22} - c:\progra~1\vol_to~1\VOL_TO~1.DLL
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [YSearchProtection] c:\program files\yahoo!\search protection\YspService.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
    mRun: [<NO NAME>]
    mRun: [PCDrProfiler]
    mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
    mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"
    mRun: [VerizonServicepoint.exe] "c:\program files\verizon\vsp\VerizonServicepoint.exe" /AUTORUN
    mRun: [BtcMaestro] "c:\program files\hp usb multimedia keyboard\KMaestro.exe"
    mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
    mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
    mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
    IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
    LSP: mswsock.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    TCP: Interfaces\{80443072-5384-4D29-A197-604ECE8884D8} : DhcpNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
    Notify: AtiExtEvent - Ati2evxx.dll
    AppInit_DLLs: c:\windows\system32\guard32.dll
    mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\hp_owner\application data\mozilla\firefox\profiles\b8jqba6g.default\
    FF - plugin: c:\program files\common files\motive\npMotive.dll
    FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
    FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
    FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_228.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2006-11-30 144960]
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2011-10-7 492768]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2011-10-7 31704]
    R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
    R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2011-10-7 1883328]
    R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2007-11-30 104000]
    R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2006-11-30 54872]
    R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-11-30 72264]
    R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-11-30 34152]
    R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-11-30 168776]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-11 253600]
    .
    =============== Created Last 30 ================
    .
    2012-04-11 22:13:29 -------- d-----w- c:\documents and settings\hp_owner\local settings\application data\Mozilla
    2012-04-11 21:14:24 -------- d-----w- c:\documents and settings\hp_owner\application data\Malwarebytes
    2012-04-11 21:13:04 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2012-04-11 21:13:01 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-04-11 21:13:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-04-11 21:12:43 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2012-04-11 21:12:42 472808 ----a-w- c:\windows\system32\deployJava1.dll
    .
    ==================== Find3M ====================
    .
    2012-04-11 21:59:57 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
    2012-04-11 21:11:37 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-04-11 21:11:37 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
    .
    ============= FINISH: 18:21:29.00 ===============
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    There is an abundance of malware on this system! As for this:

    Re: the ordinal 1112 could not be located in the dynamic link library WSOCK32.dll

    The problem isn't with McAfee but with your winsock.dll file. I'll have you use the System File Checker if it persists after the system is clean, if it can be cleaned!

    The error is potentially the result of an infection which has replaced the original winsock file or corrupted it. If the issue still persists after the sfc scan, then potentially the virus/rootkit is still present.
    ==========================================
    There are several infections from a Backdoor, so here's what you need to know:

    What is a Backdoor.bot?
    And yes- it makes Registry changes to the firewall, the Security Center. It can do or cause:
    1. Use of the machine as part of a botnet (e.g. to perform automated spamming or to distribute Denial-of-service attacks)
    2. Data theft (e.g. retrieving passwords or credit card information)
    3. Installation of software, including third-party malware
    4. Downloading or uploading of files on the user's computer
    5. Modification or deletion of files
    6. Keystroke logging
    7. Watching the user's screen
    8. Wasting the computer's storage space
    9. Crashing the computer

    Being advised of this, would you rather consider a reformat/reinstall instead of an attempt to clean, which may not find or remove all of its code?
    =============================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      ◦ Don't follow directions given to someone else
      ◦ Don't use any other cleaning programs or scans while I'm helping you.
      ◦ Don't use a Registry cleaner or make any changes in the Registry.
      ◦ Don't download and install new programs- except those I give you.
    Threads are closed after 5 days if there is no reply.
  4. R2D2B9

    R2D2B9 TechSpot Member Topic Starter Posts: 64

    If this thing really is as badly infected as you say, a reformat is likely in order. But first a few questions???

    - Given the malicious nature of this infection, what is a safe way to back up some files (documents and pictures) without propagating the infection? If I burn to CD/DVD is this safe? Sounds like a jump drive is out.

    - The infected machine is my Uncle's; it was on my home network for about 5 minutes to download scan software. The other (clean) machine on the network at the time had Comodo firewall set to "block all" traffic. Additionally I transferred the log files from the infected machine to the other machine with a USB drive. The drive was in the clean machine for about 15 seconds, not ejected, just pulled out as soon as the 4 files were copied. Is the clean system now compromised? How do I check?

    - How do I clean/check the jump drive without compromising any other systems?
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    You can disinfect the flash drive and any other movable drives:
    • Please download Panda USB Vaccine(you must provide valid e-mail and they will send you download link to this e-mail address) to your desktop.
    • Install and run it.
    • Plug in USB drive and click on Vaccinate USB and Vaccinate computer.
    ============================================
    FYI:
    1. One of the infected files, lvuvc.dll, appears to be for the Logitech Webcam. This shows the Zero Access Rootkit. My guess is that it was downloaded from a 'dirty' site.

    2. Most of the infected files are .exe executables, so you do not want to save any .exe files.

    3. This is a curious one: A saved Bookmark or Favorite maybe?
    C:\Documents and Settings\HP_Owner\Desktop\Security Updates.url (Rogue.Link) -> Quarantined and deleted successfully.
    ==========================================
    I'd like to run 3 more scans to see what remains on the system. However, to be on the safe side, all of the passwords should be changed and any online financial transactions should be monitored.
    ============================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Before you run the Combofix scan, please disable any security software you have running.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close/disable all anti virus and anti malware programs
      (If you need help with this, please see HERE)
    • Close any open browsers.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.
    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ========================================
    Update and rescan with Malwarebytes: Note: On the Scanner tab, make sure the Perform Full Scan option is selected and then click on the Scan button.
    When scan has finished, you will see this image:
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
    =======================================
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer:
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ====================================
    I will advise you after I review these logs
    ====================================
    As for backing up,
    • Backup all your documents and important items only.
    • DON'T backup any executable files (.exe .scr .html or .htm)
    • DON'T back up compressed files (zip/cab/rar) that may contain .exe or .scr files
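    The backup rules above (skip .exe/.scr/.html/.htm, and skip zip/cab/rar archives that may hold .exe or .scr files) can be applied mechanically before anything is copied off an infected machine. The script below is an added example, not code from this thread or from any of the tools named in it. It goes a little beyond the post: besides the extension list it opens zip archives to look at their member names, and it rejects a file whose extension looks harmless but whose content starts with the 'MZ' header of a Windows executable (a renamed executable). The extra extensions in SKIP_EXTENSIONS and the sample file tree are assumptions made for the example.

```python
"""Backup filter for an infected machine: decide per file whether it is safe
to copy. Added example; the rules come from the post above, the extra
extensions and the sample tree are assumptions of this example."""
import os
import tempfile
import zipfile
from pathlib import Path

# The post names .exe .scr .html .htm; the rest are other executable or
# script formats that a backup of documents and pictures never needs.
SKIP_EXTENSIONS = {".exe", ".scr", ".html", ".htm", ".com", ".dll", ".sys",
                   ".bat", ".cmd", ".js", ".vbs", ".pif"}
ARCHIVE_EXTENSIONS = {".zip", ".cab", ".rar"}
EXEC_IN_ARCHIVE = {".exe", ".scr"}


def looks_like_pe(path: Path) -> bool:
    """Content check: a Windows executable starts with the two bytes 'MZ',
    whatever extension it has been renamed to."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def archive_contains_executable(path: Path) -> bool:
    """Zip archives are opened and their member names inspected. cab/rar cannot
    be opened with the standard library, so they are refused outright
    (assumption: losing a compressed copy is cheaper than carrying an .exe)."""
    if path.suffix.lower() != ".zip":
        return True
    try:
        with zipfile.ZipFile(path) as zf:
            return any(Path(n).suffix.lower() in EXEC_IN_ARCHIVE
                       for n in zf.namelist())
    except zipfile.BadZipFile:
        return True


def classify(path: Path) -> str:
    """Return 'copy', or the reason the file is skipped."""
    ext = path.suffix.lower()
    if ext in SKIP_EXTENSIONS:
        return f"skip: extension {ext}"
    if ext in ARCHIVE_EXTENSIONS:
        if archive_contains_executable(path):
            return "skip: archive with executable content"
        return "copy"
    if looks_like_pe(path):
        return "skip: MZ header (renamed executable)"
    return "copy"


def plan_backup(root: Path) -> dict:
    """Walk root and decide per file; keys are paths relative to root."""
    return {p.relative_to(root).as_posix(): classify(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_sample_tree() -> Path:
    """Constructed sample data: a document, a picture, a plain executable, a
    double-extension screensaver, a renamed executable, a clean zip and a zip
    that carries an .exe. None of these are files from the thread."""
    root = Path(tempfile.mkdtemp())
    (root / "letter.doc").write_bytes(b"\xd0\xcf\x11\xe0 sample document")
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff sample picture")
    (root / "setup.exe").write_bytes(b"MZ sample executable")
    (root / "holiday.jpg.scr").write_bytes(b"MZ sample screensaver")
    (root / "notes.txt").write_bytes(b"MZ renamed executable")
    with zipfile.ZipFile(root / "docs.zip", "w") as zf:
        zf.writestr("report.doc", "text")
    with zipfile.ZipFile(root / "mixed.zip", "w") as zf:
        zf.writestr("readme.txt", "text")
        zf.writestr("update.exe", "MZ")
    return root


if __name__ == "__main__":
    for rel, verdict in plan_backup(build_sample_tree()).items():
        print(f"{verdict:45s} {rel}")
```

The MZ check matters because extension rules alone are what the malware author expects; the double-extension trick (holiday.jpg.scr) and the renamed executable (notes.txt) are both caught here.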
  6. R2D2B9

    R2D2B9 TechSpot Member Topic Starter Posts: 64

    ComboFix

    ComboFix 12-04-12.03 - HP_Owner 04/12/2012 17:12:05.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.450 [GMT -4:00]
    Running from: c:\documents and settings\HP_Owner\My Documents\Downloads\ComboFix.exe
    AV: McAfee VirusScan Enterprise *Disabled/Outdated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
    * Resident AV is active
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Default User\WINDOWS
    c:\documents and settings\HP_Owner\Desktop\Search.lnk
    c:\documents and settings\HP_Owner\WINDOWS
    c:\windows\$NtUninstallKB62280$\485945278\@
    c:\windows\$NtUninstallKB62280$\485945278\bckfg.tmp
    c:\windows\$NtUninstallKB62280$\485945278\cfg.ini
    c:\windows\$NtUninstallKB62280$\485945278\Desktop.ini
    c:\windows\$NtUninstallKB62280$\485945278\keywords
    c:\windows\$NtUninstallKB62280$\485945278\kwrd.dll
    c:\windows\$NtUninstallKB62280$\485945278\L\bfhdmwap
    c:\windows\$NtUninstallKB62280$\485945278\lsflt7.ver
    c:\windows\$NtUninstallKB62280$\485945278\oemid
    c:\windows\$NtUninstallKB62280$\485945278\U\00000001.@
    c:\windows\$NtUninstallKB62280$\485945278\U\00000002.@
    c:\windows\$NtUninstallKB62280$\485945278\U\00000004.@
    c:\windows\$NtUninstallKB62280$\485945278\U\80000000.@
    c:\windows\$NtUninstallKB62280$\485945278\U\80000004.@
    c:\windows\$NtUninstallKB62280$\485945278\U\80000032.@
    c:\windows\$NtUninstallKB62280$\485945278\version
    c:\windows\$NtUninstallKB62280$\975060391
    c:\windows\system32\config\systemprofile\WINDOWS
    c:\windows\system32\dds_trash_log.cmd
    c:\windows\system32\smservaz.dll
    D:\Autorun.inf
    c:\windows\$NtUninstallKB62280$ . . . . Failed to delete
    .
    Infected copy of c:\windows\system32\userinit.exe was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-12 to 2012-04-12 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-11 22:13 . 2012-04-11 22:13 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\Mozilla
    2012-04-11 21:14 . 2012-04-11 21:14 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
    2012-04-11 21:13 . 2012-04-11 21:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-04-11 21:13 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-04-11 21:13 . 2012-04-11 21:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-04-11 21:12 . 2012-04-11 21:12 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2012-04-11 21:12 . 2012-04-11 21:12 472808 ----a-w- c:\windows\system32\deployJava1.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-11 21:11 . 2011-12-03 21:22 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-02-03 09:22 . 2004-08-04 04:00 1860096 ----a-w- c:\windows\system32\win32k.sys
    2012-03-13 04:39 . 2012-04-11 21:11 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "YSearchProtection"="c:\program files\Yahoo!\Search Protection\YspService.exe" [2010-04-01 243000]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2006-06-13 16239616]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
    "HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
    "Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
    "Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]
    "VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 2061816]
    "BtcMaestro"="c:\program files\HP USB Multimedia Keyboard\KMaestro.exe" [2007-08-30 344064]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
    "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-10-20 2497352]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-07-15 34880]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
    Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-10-13 36903]
    .
    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-10-13 27136]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\guard32.dll
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
    "c:\\Program Files\\Rhapsody\\rhapsody.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    .
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [10/7/2011 7:48 PM 492768]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [10/7/2011 7:48 PM 31704]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/11/2012 5:11 PM 253600]
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    CTSYN
    mps9
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
    2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-04-12 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-11 21:11]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    uSearchAssistant =
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\b8jqba6g.default\
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-PCDrProfiler - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-04-12 17:38
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    detected NTDLL code modification:
    ZwClose
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(644)
    c:\windows\system32\Ati2evxx.dll
    .
    - - - - - - - > 'lsass.exe'(700)
    c:\windows\system32\guard32.dll
    .
    - - - - - - - > 'explorer.exe'(164)
    c:\windows\system32\WININET.dll
    c:\windows\system32\guard32.dll
    c:\docume~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    - - - - - - - > 'csrss.exe'(612)
    c:\windows\system32\cmdcsr.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\McAfee\Common Framework\FrameworkService.exe
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
    c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
    c:\program files\McAfee\Common Framework\naPrdMgr.exe
    c:\windows\system32\wdfmgr.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\windows\RTHDCPL.EXE
    c:\program files\McAfee\Common Framework\McTray.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2012-04-12 17:45:52 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-04-12 21:45
    .
    Pre-Run: 135,935,971,328 bytes free
    Post-Run: 137,410,203,648 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - B2200713B587ED4E0F40AAD34DED835B
  7. R2D2B9

    R2D2B9 TechSpot Member Topic Starter Posts: 64

    Malwarebytes - Full Scan

    Currently Running ESET - will post when complete

    ------------------------------------------------------------
    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.04.12.08

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    HP_Owner :: YOUR-D0F670B45A [administrator]

    4/12/2012 5:49:54 PM
    mbam-log-2012-04-12 (17-49-54).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 278403
    Time elapsed: 1 hour(s), 5 minute(s), 7 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 3
    C:\Qoobox\Quarantine\C\WINDOWS\system32\smservaz.dll.vir (RootKit.0Access.H) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP140\A0029097.com (Backdoor.Agent.H) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP143\A0030590.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.

    (end)
  8. R2D2B9

    R2D2B9 TechSpot Member Topic Starter Posts: 64

    ESET - McAfee on-access

    McAfee On-access was running while ESET ran and detected and cleaned/deleted several files. This is surprising as I could not start a manual scan with McAfee or update it due to the WINSOC32 Error. It is now updating properly. The log file from McAfee on-access is very long, I can post it if you would like, but it will take about 6 posts, due to the 50000 character limit.

    --------------------------------
    C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\notana.jar-641693ef-3f3e9642.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
    C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\xmltree.jar-5fadb05-601a0097.zip multiple threats
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\aebplnambrjkghcdefvlt.jar-37a21075-33ffeda6.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\aebplnambrjkghcdefvlt.jar-57301a0e-4f795fea.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\bnvfpesjndwvrmlqtynhb.jar-37cad680-3bcfef04.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\bnvfpesjndwvrmlqtynhb.jar-5d7aa40-53a76b8a.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\lwfndygmenpkrakbg.jar-70598d08-75fb3020.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\mqwgtqr.jar-515ba980-4d791f99.zip Java/Exploit.CVE-2011-3544.AG trojan
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\pyreeqhlckuglwmsmcwak.jar-1f459b78-231306c0.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\pyreeqhlckuglwmsmcwak.jar-7fb791df-72201723.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\undnngwfujadnstqfhnaq.jar-17d1bd16-3e1859d7.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\undnngwfujadnstqfhnaq.jar-1fa12906-1b8475ac.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\utsnbn.jar-4fae89dd-62d08bc1.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
    C:\hp\bin\wbug\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application
    C:\WINDOWS\system32\drivers\redbook.sys Win32/Sirefef.DA trojan
    D:\I386\APPS\APP18753\src\CompaqPresario_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application
    D:\I386\APPS\APP18753\src\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application
    --------------------------------------------------
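    The ESET export above is a flat list of "path threat" lines, and the useful information for deciding what to do next is where each hit sits: the Java deployment cache of a user profile (drive-by downloader artifacts, which Bobbye's next post removes with OTMoveIt), a file under the Windows directory (which cannot simply be deleted and needs a clean replacement), or a different volume. The script below is an added example, not code from this thread or from ESET; it parses a few of the lines copied from the log above and groups them that way. The class names and the profile extraction are assumptions of the example.

```python
"""Group ESET online-scanner export lines by where the detection sits.
Added example; the sample lines are copied from the log posted above."""
import re
from collections import Counter

# path ends at the first ".ext" followed by whitespace; the rest is the verdict
ESET_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\.[A-Za-z0-9]{1,4})\s+(?P<threat>\S.*)$")
PROFILE = re.compile(r"\\Documents and Settings\\([^\\]+)\\", re.IGNORECASE)
JAVA_CACHE = re.compile(r"\\Sun\\Java\\Deployment\\cache\\", re.IGNORECASE)
WINDOWS_DIR = re.compile(r"^[A-Za-z]:\\WINDOWS\\", re.IGNORECASE)

# Constructed sample: six lines taken from the ESET log above.
SAMPLE_LINES = [
    r"C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\notana.jar-641693ef-3f3e9642.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan",
    r"C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\aebplnambrjkghcdefvlt.jar-37a21075-33ffeda6.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan",
    r"C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\mqwgtqr.jar-515ba980-4d791f99.zip Java/Exploit.CVE-2011-3544.AG trojan",
    r"C:\hp\bin\wbug\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application",
    r"C:\WINDOWS\system32\drivers\redbook.sys Win32/Sirefef.DA trojan",
    r"D:\I386\APPS\APP18753\src\CompaqPresario_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application",
]


def parse_eset_line(line: str):
    """Return (path, threat) or None for a line that is not a detection."""
    m = ESET_LINE.match(line.strip())
    return (m.group("path"), m.group("threat")) if m else None


def classify_hit(path: str) -> str:
    """Where the file lives decides how it is handled (assumed class names)."""
    if JAVA_CACHE.search(path):
        return "java-cache"            # downloader/exploit jars: safe to remove
    if WINDOWS_DIR.match(path):
        return "windows-system-file"   # needs a clean copy, not just deletion
    if path[:1].lower() != "c":
        return "other-volume"          # ask what the volume is before touching it
    return "application"


def profile_of(path: str):
    """User profile a path belongs to, from the XP 'Documents and Settings' layout."""
    m = PROFILE.search(path)
    return m.group(1) if m else None


def summarize(lines) -> dict:
    hits = [h for h in (parse_eset_line(l) for l in lines) if h]
    by_class = Counter(classify_hit(p) for p, _ in hits)
    java_profiles = Counter(profile_of(p) for p, _ in hits
                            if classify_hit(p) == "java-cache")
    system_files = [p for p, _ in hits
                    if classify_hit(p) == "windows-system-file"]
    return {"total": len(hits), "by_class": dict(by_class),
            "java_profiles": dict(java_profiles), "system_files": system_files}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Running it over the full log shows the same downloader jars cached under two profiles (HP_Owner and NetworkService), so clearing one user's Java cache would leave copies behind; that is why the removal list in the next post names every cached jar individually.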
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Combofix header:
    Combofix directions:
    ==============================================
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Files 
      C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\notana.jar-641693ef-3f3e9642.zip 
      C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\xmltree.jar-5fadb05-601a0097.zip 
      C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\aebplnambrjkghcdefvlt.jar-37a21075-33ffeda6.zip 
      C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\aebplnambrjkghcdefvlt.jar-57301a0e-4f795fea.zip 
      C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\bnvfpesjndwvrmlqtynhb.jar-37cad680-3bcfef04.zip 
      C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\bnvfpesjndwvrmlqtynhb.jar-5d7aa40-53a76b8a.zip 
      C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\lwfndygmenpkrakbg.jar-70598d08-75fb3020.zip 
      C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\mqwgtqr.jar-515ba980-4d791f99.zip 
      C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\pyreeqhlckuglwmsmcwak.jar-1f459b78-231306c0.zip 
      C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\pyreeqhlckuglwmsmcwak.jar-7fb791df-72201723.zip 
      C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\undnngwfujadnstqfhnaq.jar-17d1bd16-3e1859d7.zip 
      C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\undnngwfujadnstqfhnaq.jar-1fa12906-1b8475ac.zip 
      C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\utsnbn.jar-4fae89dd-62d08bc1.zip 
      C:\hp\bin\wbug\HPPavillion_Spring06.exe 
      C:\WINDOWS\system32\drivers\redbook.sys 
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =======================================
    What is the D Drive? Is it the flash drive?
    D:\I386\APPS\APP18753\src\CompaqPresario_Spring06.exe
    D:\I386\APPS\APP18753\src\HPPavillion_Spring06.exe
    =======================================
    A driver is infected with the Win32/Sirefef.DA trojan and I'm going to remove it. We will then see if there is a clean copy of it on the system- if there is, I can replace the file.
    C:\WINDOWS\system32\drivers\redbook.sys Win32/Sirefef.DA trojan

    But you should know what this is for:
    So you may have a sound problem temporarily.
    =========================================

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2


    For 64bit: http://jpshortstuff.247fixes.com/SystemLook_x64.exe
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      
      :filefind
      redbook.*
      
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
    ===========================================
    Please run this Custom CFScript:

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    c:\docume~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
    DDS::
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    uWindow Title = Windows Internet Explorer provided by Yahoo!
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    uRun: [YSearchProtection] c:\program files\yahoo!\search protection\YspService.exe
    mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
    IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "YSearchProtection"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Reminder"=-
    "HP Software Update"=-
    
    Clearjavacache::
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
    ====================
    Click on Start> Run> type in msconfig> Enter> Selective Startup> Startup tab> Uncheck ALL HP and Digital Imaging processes> Click on Apply when finished> OK> Reboot the computer.
    NOTE:
    When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.' Remain in Selective Startup to retain those changes.

    Anytime you want to access the printer> Click on File> Print. You will have all the setting available to you.
    To access the Digital Imaging> use All Programs. There is no need for any processes related to either to start on boot, then run in the background using system resources.

    Install Date: 11/8/2006 >> you had some 6 year old 'reminders to register' I removed.
    =======================================
    I think you may be able to save the system.
  10. R2D2B9

    R2D2B9 TechSpot Member Topic Starter Posts: 64

    D Drive

    Hi Bobbye,

    The D drive is the restore partition of the hard drive on this HP. If I damage the system restore files, I will not be able to perform a reformat/reinstall of Windows XP. There is not a set of recovery disks that have been made for this machine yet, and HP limits us to making only one set (due to licensing restrictions). Hopefully removing these files will not make the recovery software think that the files are corrupt, but given that they are infected they are not real useful right now anyway.
  11. R2D2B9

    R2D2B9 TechSpot Member Topic Starter Posts: 64

    OT Moveit / Systemlook redbook /

    I tried to be sure AV was off when scanning with Combofix. I opened the McAfee VirusScan Console and disabled everything (there is no exit option on this version of McAfee). I also disabled all Comodo protection and exited it. Combofix is still listing "*Resident AV is active."

    ---------------------------------------------
    All processes killed
    ========== FILES ==========
    C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\notana.jar-641693ef-3f3e9642.zip moved successfully.
    C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\xmltree.jar-5fadb05-601a0097.zip moved successfully.
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\aebplnambrjkghcdefvlt.jar-37a21075-33ffeda6.zip moved successfully.
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\aebplnambrjkghcdefvlt.jar-57301a0e-4f795fea.zip moved successfully.
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\bnvfpesjndwvrmlqtynhb.jar-37cad680-3bcfef04.zip moved successfully.
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\bnvfpesjndwvrmlqtynhb.jar-5d7aa40-53a76b8a.zip moved successfully.
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\lwfndygmenpkrakbg.jar-70598d08-75fb3020.zip moved successfully.
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\mqwgtqr.jar-515ba980-4d791f99.zip moved successfully.
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\pyreeqhlckuglwmsmcwak.jar-1f459b78-231306c0.zip moved successfully.
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\pyreeqhlckuglwmsmcwak.jar-7fb791df-72201723.zip moved successfully.
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\undnngwfujadnstqfhnaq.jar-17d1bd16-3e1859d7.zip moved successfully.
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\undnngwfujadnstqfhnaq.jar-1fa12906-1b8475ac.zip moved successfully.
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\utsnbn.jar-4fae89dd-62d08bc1.zip moved successfully.
    C:\hp\bin\wbug\HPPavillion_Spring06.exe moved successfully.
    C:\WINDOWS\system32\drivers\redbook.sys moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32768 bytes

    User: HP_Owner
    ->Temp folder emptied: 900455 bytes
    ->Temporary Internet Files folder emptied: 366245 bytes
    ->Java cache emptied: 131705 bytes
    ->FireFox cache emptied: 19716364 bytes
    ->Flash cache emptied: 31614 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 9568390 bytes
    ->Java cache emptied: 34868 bytes
    ->Flash cache emptied: 36180 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 19569 bytes
    %systemroot%\System32 .tmp files removed: 22134801 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 190031524 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 46949 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 232.00 mb


    OTM by OldTimer - Version 3.1.19.0 log created on 04142012_073350

    Files moved on Reboot...
    C:\Documents and Settings\HP_Owner\Local Settings\Temp\IadHide5.dll moved successfully.

    Registry entries deleted on Reboot...
    ------------------------------------------------------------
    SystemLook 30.07.11 by jpshortstuff
    Log created at 07:41 on 14/04/2012 by HP_Owner
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "redbook.*"
    C:\WINDOWS\$NtServicePackUninstall$\redbook.sys -----c- 57472 bytes [22:00 03/12/2011] [14:59 03/08/2004] B31B4588E4086D8D84ADBF9845C2402B
    C:\WINDOWS\ServicePackFiles\i386\redbook.sys ------- 57600 bytes [18:40 13/04/2008] [18:40 13/04/2008] F828DD7E1419B6653894A8F97A0094C5
    C:\WINDOWS\system32\dllcache\redbook.sys --a---- 57600 bytes [14:59 03/08/2004] [17:40 13/04/2008] F828DD7E1419B6653894A8F97A0094C5
    C:\WINDOWS\system32\drivers\redbook.sys --a---- 57600 bytes [14:59 03/08/2004] [17:40 13/04/2008] F828DD7E1419B6653894A8F97A0094C5
    C:\_OTM\MovedFiles\04142012_073350\C_WINDOWS\system32\drivers\redbook.sys --a---- 57600 bytes [14:59 03/08/2004] [18:40 13/04/2008] (Unable to calculate MD5)

    -= EOF =-

    -----------------------------------
    ComboFix 12-04-14.02 - HP_Owner 04/14/2012 7:55.2.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.380 [GMT -4:00]
    Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
    AV: McAfee VirusScan Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
    * Resident AV is active
    .
    .
    FILE ::
    "c:\docume~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll"
    "c:\program files\HP\Digital Imaging\bin\hpqimzone.exe"
    "c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk
    c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk
    c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk
    c:\docume~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll
    c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files\hp\digital imaging\bin\hpqthb08.exe
    c:\program files\hp\digital imaging\bin\hpqtra08.exe
    c:\program files\hp\hp software update\HPWuSchd2.exe
    c:\program files\updates from hp\9972322\program\Updates from HP.exe
    c:\program files\yahoo!\search protection\YspService.exe
    c:\windows\creator\Remind_XP.exe
    c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-14 to 2012-04-14 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-14 11:33 . 2012-04-14 11:33 -------- d-----w- C:\_OTM
    2012-04-13 01:30 . 2012-04-13 01:30 -------- d-----w- c:\program files\ESET
    2012-04-11 22:13 . 2012-04-11 22:13 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\Mozilla
    2012-04-11 21:14 . 2012-04-11 21:14 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
    2012-04-11 21:13 . 2012-04-11 21:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-04-11 21:13 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-04-11 21:13 . 2012-04-11 21:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-04-11 21:12 . 2012-04-11 21:12 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2012-04-11 21:12 . 2012-04-11 21:12 472808 ----a-w- c:\windows\system32\deployJava1.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-11 21:11 . 2011-12-03 21:22 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-03-01 11:01 . 2004-08-04 04:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-03-01 11:01 . 2004-08-04 04:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-02-29 14:10 . 2004-08-04 04:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
    2012-02-29 12:17 . 2004-08-04 04:00 385024 ----a-w- c:\windows\system32\html.iec
    2012-02-03 09:22 . 2004-08-04 04:00 1860096 ----a-w- c:\windows\system32\win32k.sys
    2012-03-13 04:39 . 2012-04-11 21:11 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-04-12_21.38.11 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-04-14 11:52 . 2012-04-14 11:52 16384 c:\windows\Temp\Perflib_Perfdata_5a4.dat
    + 2004-08-04 04:00 . 2012-03-01 11:01 66560 c:\windows\system32\mshtmled.dll
    - 2004-08-04 04:00 . 2011-12-17 19:46 66560 c:\windows\system32\mshtmled.dll
    - 2004-08-04 04:00 . 2011-12-17 19:46 25600 c:\windows\system32\jsproxy.dll
    + 2004-08-04 04:00 . 2012-03-01 11:01 25600 c:\windows\system32\jsproxy.dll
    + 2004-08-03 14:59 . 2008-04-13 17:40 57600 c:\windows\system32\drivers\redbook.sys
    - 2004-08-03 14:59 . 2008-04-13 18:40 57600 c:\windows\system32\drivers\redbook.sys
    + 2011-02-04 18:58 . 2012-03-01 11:01 12800 c:\windows\system32\dllcache\xpshims.dll
    - 2011-02-04 18:58 . 2011-12-17 19:46 12800 c:\windows\system32\dllcache\xpshims.dll
    + 2004-08-03 14:59 . 2008-04-13 17:40 57600 c:\windows\system32\dllcache\redbook.sys
    - 2004-08-04 04:00 . 2011-12-17 19:46 66560 c:\windows\system32\dllcache\mshtmled.dll
    + 2004-08-04 04:00 . 2012-03-01 11:01 66560 c:\windows\system32\dllcache\mshtmled.dll
    + 2011-02-04 18:58 . 2012-03-01 11:01 55296 c:\windows\system32\dllcache\msfeedsbs.dll
    - 2011-02-04 18:58 . 2011-12-17 19:46 55296 c:\windows\system32\dllcache\msfeedsbs.dll
    + 2004-08-04 04:00 . 2012-03-01 11:01 43520 c:\windows\system32\dllcache\licmgr10.dll
    - 2004-08-04 04:00 . 2011-12-17 19:46 43520 c:\windows\system32\dllcache\licmgr10.dll
    - 2004-08-04 04:00 . 2011-12-17 19:46 25600 c:\windows\system32\dllcache\jsproxy.dll
    + 2004-08-04 04:00 . 2012-03-01 11:01 25600 c:\windows\system32\dllcache\jsproxy.dll
    + 2012-04-14 11:23 . 2011-12-17 19:46 12800 c:\windows\ie8updates\KB2675157-IE8\xpshims.dll
    + 2012-04-14 11:23 . 2011-12-17 19:46 66560 c:\windows\ie8updates\KB2675157-IE8\mshtmled.dll
    + 2012-04-14 11:23 . 2011-12-17 19:46 55296 c:\windows\ie8updates\KB2675157-IE8\msfeedsbs.dll
    + 2012-04-14 11:23 . 2011-12-17 19:46 43520 c:\windows\ie8updates\KB2675157-IE8\licmgr10.dll
    + 2012-04-14 11:23 . 2011-12-17 19:46 25600 c:\windows\ie8updates\KB2675157-IE8\jsproxy.dll
    + 2012-04-14 11:21 . 2012-04-14 11:21 90112 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_bfc1ed38\System.Drawing.Design.dll
    + 2004-08-04 04:00 . 2012-03-01 11:01 206848 c:\windows\system32\occache.dll
    - 2004-08-04 04:00 . 2011-12-17 19:46 206848 c:\windows\system32\occache.dll
    - 2004-08-04 04:00 . 2011-12-17 19:46 611840 c:\windows\system32\mstime.dll
    + 2004-08-04 04:00 . 2012-03-01 11:01 611840 c:\windows\system32\mstime.dll
    + 2004-08-04 04:00 . 2012-03-01 11:01 184320 c:\windows\system32\iepeers.dll
    - 2004-08-04 04:00 . 2011-12-17 19:46 184320 c:\windows\system32\iepeers.dll
    - 2004-08-04 04:00 . 2011-12-17 19:46 387584 c:\windows\system32\iedkcs32.dll
    + 2004-08-04 04:00 . 2012-03-01 11:01 387584 c:\windows\system32\iedkcs32.dll
    + 2004-08-04 04:00 . 2012-02-29 12:17 174080 c:\windows\system32\ie4uinit.exe
    - 2004-08-04 04:00 . 2011-12-16 12:23 174080 c:\windows\system32\ie4uinit.exe
    + 2009-12-24 06:59 . 2012-02-29 14:10 177664 c:\windows\system32\dllcache\wintrust.dll
    - 2009-12-24 06:59 . 2009-12-24 06:59 177664 c:\windows\system32\dllcache\wintrust.dll
    + 2004-08-04 04:00 . 2012-03-01 11:01 916992 c:\windows\system32\dllcache\wininet.dll
    - 2004-08-04 04:00 . 2011-12-17 19:46 916992 c:\windows\system32\dllcache\wininet.dll
    - 2004-08-04 04:00 . 2011-12-17 19:46 105984 c:\windows\system32\dllcache\url.dll
    + 2004-08-04 04:00 . 2012-03-01 11:01 105984 c:\windows\system32\dllcache\url.dll
    - 2004-08-04 04:00 . 2011-12-17 19:46 206848 c:\windows\system32\dllcache\occache.dll
    + 2004-08-04 04:00 . 2012-03-01 11:01 206848 c:\windows\system32\dllcache\occache.dll
    + 2004-08-04 04:00 . 2012-03-01 11:01 611840 c:\windows\system32\dllcache\mstime.dll
    - 2004-08-04 04:00 . 2011-12-17 19:46 611840 c:\windows\system32\dllcache\mstime.dll
    + 2011-02-04 18:58 . 2012-03-01 11:01 602112 c:\windows\system32\dllcache\msfeeds.dll
    - 2011-02-04 18:58 . 2011-12-17 19:46 602112 c:\windows\system32\dllcache\msfeeds.dll
    + 2012-02-29 14:10 . 2012-02-29 14:10 148480 c:\windows\system32\dllcache\imagehlp.dll
    - 2011-02-04 18:58 . 2011-12-17 19:46 247808 c:\windows\system32\dllcache\ieproxy.dll
    + 2011-02-04 18:58 . 2012-03-01 11:01 247808 c:\windows\system32\dllcache\ieproxy.dll
    + 2004-08-04 04:00 . 2012-03-01 11:01 184320 c:\windows\system32\dllcache\iepeers.dll
    - 2004-08-04 04:00 . 2011-12-17 19:46 184320 c:\windows\system32\dllcache\iepeers.dll
    + 2011-02-04 18:58 . 2012-03-01 11:01 743424 c:\windows\system32\dllcache\iedvtool.dll
    - 2011-02-04 18:58 . 2011-12-17 19:46 743424 c:\windows\system32\dllcache\iedvtool.dll
    + 2004-08-04 04:00 . 2012-03-01 11:01 387584 c:\windows\system32\dllcache\iedkcs32.dll
    - 2004-08-04 04:00 . 2011-12-17 19:46 387584 c:\windows\system32\dllcache\iedkcs32.dll
    - 2004-08-04 04:00 . 2011-12-16 12:23 174080 c:\windows\system32\dllcache\ie4uinit.exe
    + 2004-08-04 04:00 . 2012-02-29 12:17 174080 c:\windows\system32\dllcache\ie4uinit.exe
    + 2012-01-27 21:35 . 2012-01-27 21:35 471040 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Drawing.dll
    + 2012-04-14 11:23 . 2011-12-17 19:46 916992 c:\windows\ie8updates\KB2675157-IE8\wininet.dll
    + 2012-04-14 11:23 . 2011-12-17 19:46 105984 c:\windows\ie8updates\KB2675157-IE8\url.dll
    + 2012-04-14 11:23 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2675157-IE8\spuninst\updspapi.dll
    + 2012-04-14 11:23 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2675157-IE8\spuninst\spuninst.exe
    + 2012-04-14 11:23 . 2011-12-17 19:46 206848 c:\windows\ie8updates\KB2675157-IE8\occache.dll
    + 2012-04-14 11:23 . 2011-12-17 19:46 611840 c:\windows\ie8updates\KB2675157-IE8\mstime.dll
    + 2012-04-14 11:23 . 2011-12-17 19:46 602112 c:\windows\ie8updates\KB2675157-IE8\msfeeds.dll
    + 2012-04-14 11:23 . 2011-12-17 19:46 247808 c:\windows\ie8updates\KB2675157-IE8\ieproxy.dll
    + 2012-04-14 11:23 . 2011-12-17 19:46 184320 c:\windows\ie8updates\KB2675157-IE8\iepeers.dll
    + 2012-04-14 11:23 . 2011-12-17 19:46 743424 c:\windows\ie8updates\KB2675157-IE8\iedvtool.dll
    + 2012-04-14 11:23 . 2011-12-17 19:46 387584 c:\windows\ie8updates\KB2675157-IE8\iedkcs32.dll
    + 2012-04-14 11:23 . 2011-12-16 12:23 174080 c:\windows\ie8updates\KB2675157-IE8\ie4uinit.exe
    + 2006-10-13 17:09 . 2006-10-13 17:09 466944 c:\windows\assembly\temp\YNKT4AK5PV\System.Drawing.dll
    + 2012-04-14 11:22 . 2012-04-14 11:22 843776 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_64a403b5\System.Drawing.dll
    + 2012-04-14 11:22 . 2012-04-14 11:22 192512 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_e916a5a2\System.Drawing.Design.dll
    + 2012-04-14 11:21 . 2012-04-14 11:21 471040 c:\windows\assembly\GAC\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a\System.Drawing.dll
    + 2004-08-04 04:00 . 2012-03-01 11:01 1212416 c:\windows\system32\dllcache\urlmon.dll
    - 2004-08-04 04:00 . 2011-12-17 19:46 1212416 c:\windows\system32\dllcache\urlmon.dll
    + 2004-08-04 04:00 . 2012-03-01 11:01 5978624 c:\windows\system32\dllcache\mshtml.dll
    + 2011-02-04 18:58 . 2012-03-01 11:01 2000384 c:\windows\system32\dllcache\iertutil.dll
    - 2011-02-04 18:58 . 2011-12-17 19:46 2000384 c:\windows\system32\dllcache\iertutil.dll
    + 2012-01-31 08:46 . 2012-01-31 08:46 6385664 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M2656370\M2656370Uninstall.msp
    + 2012-01-31 00:46 . 2012-01-31 00:46 7069184 c:\windows\Installer\747b288.msp
    + 2012-04-14 11:23 . 2011-12-17 19:46 1212416 c:\windows\ie8updates\KB2675157-IE8\urlmon.dll
    + 2012-04-14 11:23 . 2011-12-17 19:46 5979136 c:\windows\ie8updates\KB2675157-IE8\mshtml.dll
    + 2012-04-14 11:23 . 2011-12-17 19:46 2000384 c:\windows\ie8updates\KB2675157-IE8\iertutil.dll
    + 2012-04-14 11:22 . 2012-04-14 11:22 3035136 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_de00d7d7\System.Windows.Forms.dll
    + 2012-04-14 11:22 . 2012-04-14 11:22 7917568 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_3e48104e\System.Windows.Forms.dll
    + 2012-04-14 11:22 . 2012-04-14 11:22 2248704 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_b6a48c8e\System.Drawing.dll
    + 2012-04-14 11:22 . 2012-04-14 11:22 3395584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_aeee9029\System.Design.dll
    + 2012-04-14 11:22 . 2012-04-14 11:22 1470464 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_3563aff9\System.Design.dll
    + 2011-02-04 18:59 . 2012-04-13 21:09 55154568 c:\windows\system32\MRT.exe
    + 2011-02-04 18:58 . 2012-03-02 10:01 11082752 c:\windows\system32\dllcache\ieframe.dll
    + 2012-04-14 11:23 . 2011-12-18 19:46 11082240 c:\windows\ie8updates\KB2675157-IE8\ieframe.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2006-06-13 16239616]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
    "HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
    "Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]
    "VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 2061816]
    "BtcMaestro"="c:\program files\HP USB Multimedia Keyboard\KMaestro.exe" [2007-08-30 344064]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
    "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-10-20 2497352]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-07-15 34880]
    .
    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-10-13 27136]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\guard32.dll
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Rhapsody\\rhapsody.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    .
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [10/7/2011 7:48 PM 492768]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [10/7/2011 7:48 PM 31704]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/11/2012 5:11 PM 253600]
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    CTSYN
    mps9
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
    2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-04-13 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-11 21:11]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
    uSearchAssistant =
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\b8jqba6g.default\
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-04-14 08:05
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    detected NTDLL code modification:
    ZwClose
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(632)
    c:\windows\system32\Ati2evxx.dll
    .
    - - - - - - - > 'lsass.exe'(688)
    c:\windows\system32\guard32.dll
    .
    - - - - - - - > 'csrss.exe'(600)
    c:\windows\system32\cmdcsr.dll
    .
    Completion time: 2012-04-14 08:08:02
    ComboFix-quarantined-files.txt 2012-04-14 12:07
    ComboFix2.txt 2012-04-12 21:45
    .
    Pre-Run: 136,986,664,960 bytes free
    Post-Run: 136,982,847,488 bytes free
    .
    - - End Of File - - B6A815CA129C118715138579C0F6E2F7
     
  12. R2D2B9

    R2D2B9 TechSpot Member Topic Starter Posts: 64

    Seems like the new forums are up and running, got your test message!
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Yes, nice, isn't it! Please do the following to replace the infected driver. Then give me an update on how the system is doing.

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    FileLook::
    c:\windows\system32\cmdcsr.dll
    
    Clearjavacache::
    
    FCopy::
    C:\WINDOWS\ServicePackFiles\i386\redbook.sys | C:\WINDOWS\system32\drivers\redbook.sys
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
    ====================
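    The redbook.* filefind requested earlier and the FCopy step just above both rest on the same check: every copy of the driver on disk should carry the same MD5 and size as the copy in ServicePackFiles, which is what FCopy restores from. As an added example (not code from this thread, and not part of SystemLook or ComboFix), the script below parses SystemLook's filefind lines and classifies each copy as match, mismatch or unknown against that reference. The sample log is adapted from the one posted above, except that the system32\drivers copy has been given an all-zero placeholder hash so the comparison has something to flag; md5_of_file and verify_on_disk are assumed helper names that run the same comparison directly against files on disk.

```python
"""Compare every copy of a driver listed by SystemLook's :filefind against the
ServicePackFiles copy (the source ComboFix's FCopy restores from)."""
import hashlib
import re

# One filefind result line looks like:
#   <path> <attrs> <size> bytes [<modified>] [<created>] <MD5 | (Unable to calculate MD5)>
FILEFIND_LINE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<modified>[^\]]+)\]\s+\[(?P<created>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32}|\(Unable to calculate MD5\))$"
)

# Constructed sample: adapted from the SystemLook log in the thread, with the
# drivers\ copy's hash replaced by an all-zero placeholder to simulate a patched file.
SAMPLE_LOG = r"""SystemLook 30.07.11 by jpshortstuff
Log created at 07:41 on 14/04/2012 by HP_Owner
Administrator - Elevation successful

========== filefind ==========

Searching for "redbook.*"
C:\WINDOWS\$NtServicePackUninstall$\redbook.sys -----c- 57472 bytes [22:00 03/12/2011] [14:59 03/08/2004] B31B4588E4086D8D84ADBF9845C2402B
C:\WINDOWS\ServicePackFiles\i386\redbook.sys ------- 57600 bytes [18:40 13/04/2008] [18:40 13/04/2008] F828DD7E1419B6653894A8F97A0094C5
C:\WINDOWS\system32\dllcache\redbook.sys --a---- 57600 bytes [14:59 03/08/2004] [17:40 13/04/2008] F828DD7E1419B6653894A8F97A0094C5
C:\WINDOWS\system32\drivers\redbook.sys --a---- 57600 bytes [14:59 03/08/2004] [17:40 13/04/2008] 00000000000000000000000000000000
C:\_OTM\MovedFiles\04142012_073350\C_WINDOWS\system32\drivers\redbook.sys --a---- 57600 bytes [14:59 03/08/2004] [18:40 13/04/2008] (Unable to calculate MD5)

-= EOF =-
"""


def parse_filefind(text):
    """Return one dict per file line of a SystemLook filefind log; header and
    footer lines do not match the pattern and are skipped."""
    entries = []
    for raw in text.splitlines():
        m = FILEFIND_LINE.match(raw.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["size"] = int(entry["size"])
        # SystemLook prints "(Unable to calculate MD5)" when it cannot read the file.
        entry["md5"] = None if entry["md5"].startswith("(") else entry["md5"].upper()
        entries.append(entry)
    return entries


def compare_to_reference(entries, reference_marker="ServicePackFiles"):
    """Classify every copy against the ServicePackFiles copy.

    Returns {path: status} with status 'match' (same MD5 and size),
    'mismatch' (differs) or 'unknown' (no MD5 in the log)."""
    ref = next((e for e in entries if reference_marker.lower() in e["path"].lower()), None)
    if ref is None or ref["md5"] is None:
        raise ValueError("no hashed reference copy found in the log")
    statuses = {}
    for e in entries:
        if e is ref:
            continue
        if e["md5"] is None:
            statuses[e["path"]] = "unknown"
        elif e["md5"] == ref["md5"] and e["size"] == ref["size"]:
            statuses[e["path"]] = "match"
        else:
            statuses[e["path"]] = "mismatch"
    return statuses


def md5_of_file(path):
    """Assumed helper: MD5 of a file on disk, read in chunks, as upper-case hex."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()


def verify_on_disk(driver_path, reference_path):
    """Assumed helper: the same comparison run live, e.g. after an FCopy, True when
    the installed driver's MD5 equals the reference copy's."""
    return md5_of_file(driver_path) == md5_of_file(reference_path)


if __name__ == "__main__":
    for path, status in compare_to_reference(parse_filefind(SAMPLE_LOG)).items():
        print(f"{status:9} {path}")
```

    A mismatch is a cue to look closer, not proof of infection: the $NtServicePackUninstall$ copy is the pre-service-pack backup and legitimately differs (note its different size), while the system32\drivers and dllcache copies should match ServicePackFiles exactly. After the FCopy step, running verify_on_disk on the drivers copy against the ServicePackFiles copy should return True.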
  14. R2D2B9

    R2D2B9 TechSpot Member Topic Starter Posts: 64

    When I run ComboFix I am still getting the following messages:
    "You are infected with Rootkit.ZeroAccess! It has inserted itself into the tcp/ip stack. This is a particularly difficult infection..."
    "Rootkit is detected Be patient as this may take a while."
    "Combofix has detected the presence of rootkit activity and needs to reboot the machine"

    I have gotten these three messages every time I run ComboFix. This leads me to believe that whatever rootkit is infecting this machine keeps coming back after the scans.

    I will post the ComboFix log from the infected machine in a few minutes when it completes running.
  15. R2D2B9

    R2D2B9 TechSpot Member Topic Starter Posts: 64

    Hi Bobbye,

    Here is the ComboFix log. I disabled all of McAfee's features, but ComboFix detected the AV engine as active. When this happened I opened the task manager and manually ended the McAfee processes. This version of McAfee is miserable to try and shut down. I'm thinking after I'm done cleaning or reformatting, McAfee is going to go away and Avast is going to be used instead. Anyhow, here's the log.
    ----------------------------------------------------------------------------------------
    ComboFix 12-04-14.02 - HP_Owner 04/15/2012 21:55:47.3.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.528 [GMT -4:00]
    Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
    AV: McAfee VirusScan Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    --------------- FCopy ---------------
    .
    c:\windows\ServicePackFiles\i386\redbook.sys --> c:\windows\system32\drivers\redbook.sys
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-16 to 2012-04-16 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-14 11:33 . 2012-04-14 11:33 -------- d-----w- C:\_OTM
    2012-04-13 01:30 . 2012-04-13 01:30 -------- d-----w- c:\program files\ESET
    2012-04-11 22:13 . 2012-04-11 22:13 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\Mozilla
    2012-04-11 21:14 . 2012-04-11 21:14 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
    2012-04-11 21:13 . 2012-04-11 21:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-04-11 21:13 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-04-11 21:13 . 2012-04-11 21:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-04-11 21:12 . 2012-04-11 21:12 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2012-04-11 21:12 . 2012-04-11 21:12 472808 ----a-w- c:\windows\system32\deployJava1.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-11 21:11 . 2011-12-03 21:22 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-03-01 11:01 . 2004-08-04 04:00 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-03-01 11:01 . 2004-08-04 04:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-03-01 11:01 . 2004-08-04 04:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-02-29 14:10 . 2004-08-04 04:00 177664 ----a-w- c:\windows\system32\wintrust.dll
    2012-02-29 14:10 . 2004-08-04 04:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
    2012-02-29 12:17 . 2004-08-04 04:00 385024 ----a-w- c:\windows\system32\html.iec
    2012-02-03 09:22 . 2004-08-04 04:00 1860096 ----a-w- c:\windows\system32\win32k.sys
    2012-03-13 04:39 . 2012-04-11 21:11 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    --- c:\windows\system32\cmdcsr.dll ---
    Company: COMODO
    File Description: COMODO Internet Security
    File Version: 5, 8, 211697, 2124
    Product Name: COMODO Internet Security
    Copyright: 2005-2012 COMODO. All rights reserved.
    Original Filename:
    File size: 33984
    Created time: 2011-10-07 23:47
    Modified time: 2011-10-07 23:47
    MD5: 1B3DD3F0EBC1B4220EB39EBE205FB445
    SHA1: 0965F8AA8637E6F4C7F0686681E5E1D14C9AD0BF
    .
    .
    ((((((((((((((((((((((((((((( SnapShot_2012-04-14_12.05.35 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-04-16 01:53 . 2012-04-16 01:53 16384 c:\windows\Temp\Perflib_Perfdata_5a0.dat
    - 2009-03-08 09:31 . 2011-12-17 19:46 55296 c:\windows\system32\msfeedsbs.dll
    + 2009-03-08 09:31 . 2012-03-01 11:01 55296 c:\windows\system32\msfeedsbs.dll
    - 2004-08-03 14:59 . 2008-04-13 17:40 57600 c:\windows\system32\dllcache\redbook.sys
    + 2004-08-03 14:59 . 2008-04-13 18:40 57600 c:\windows\system32\dllcache\redbook.sys
    - 2004-08-04 04:00 . 2011-12-17 19:46 105984 c:\windows\system32\url.dll
    + 2004-08-04 04:00 . 2012-03-01 11:01 105984 c:\windows\system32\url.dll
    + 2009-03-08 09:32 . 2012-03-01 11:01 602112 c:\windows\system32\msfeeds.dll
    - 2009-03-08 09:32 . 2011-12-17 19:46 602112 c:\windows\system32\msfeeds.dll
    - 2004-08-04 04:00 . 2011-12-17 19:46 1212416 c:\windows\system32\urlmon.dll
    + 2004-08-04 04:00 . 2012-03-01 11:01 1212416 c:\windows\system32\urlmon.dll
    + 2004-08-04 04:00 . 2012-03-01 11:01 5978624 c:\windows\system32\mshtml.dll
    - 2009-03-08 09:32 . 2011-12-17 19:46 2000384 c:\windows\system32\iertutil.dll
    + 2009-03-08 09:32 . 2012-03-01 11:01 2000384 c:\windows\system32\iertutil.dll
    + 2009-03-08 09:39 . 2012-03-02 10:01 11082752 c:\windows\system32\ieframe.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2006-06-13 16239616]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
    "HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
    "BtcMaestro"="c:\program files\HP USB Multimedia Keyboard\KMaestro.exe" [2007-08-30 344064]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
    "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-10-20 2497352]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-07-15 34880]
    .
    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-10-13 27136]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\guard32.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
    2007-05-11 20:20 2061816 ----a-w- c:\program files\Verizon\VSP\VerizonServicepoint.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
    2010-03-17 20:55 1565696 ----a-w- c:\program files\Verizon\McciTrayApp.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Rhapsody\\rhapsody.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    .
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [10/7/2011 7:48 PM 492768]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [10/7/2011 7:48 PM 31704]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/11/2012 5:11 PM 253600]
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    CTSYN
    mps9
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
    2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-04-13 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-11 21:11]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
    uSearchAssistant =
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\b8jqba6g.default\
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-04-15 22:05
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    detected NTDLL code modification:
    ZwClose
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(640)
    c:\windows\system32\Ati2evxx.dll
    .
    - - - - - - - > 'lsass.exe'(696)
    c:\windows\system32\guard32.dll
    .
    - - - - - - - > 'csrss.exe'(608)
    c:\windows\system32\cmdcsr.dll
    .
    Completion time: 2012-04-15 22:07:57
    ComboFix-quarantined-files.txt 2012-04-16 02:07
    ComboFix2.txt 2012-04-14 12:08
    ComboFix3.txt 2012-04-12 21:45
    .
    Pre-Run: 137,005,117,440 bytes free
    Post-Run: 136,900,648,960 bytes free
    .
    - - End Of File - - E4D000B654C9D0925A873C4249FC7491
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Combofix looks good! What's happening with the system?
  17. R2D2B9

    R2D2B9 TechSpot Member Topic Starter Posts: 64

    The system is no longer redirecting when browsing the internet. This is a big improvement.

    I am concerned about the infected files that turned up on the D:/ drive as this is the HP recovery partition. Should we run ESET again to see if those files turn up clean now? I would like to make a set of recovery disks for this machine, in the event that something like this happens again.
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    You'll find an excellent discussion about what to do and not to do for the Recovery Partition here:
    http://ask-leo.com/can_a_recovery_partition_be_infected.html

    Check in our Windows OS forum here to set up the external disc:
    http://www.techspot.com/community/forums/windows-os.15/
    =================================================
    Unless you were working in the Recovery Partition, I don't know how the following happened to show up in Eset:
    D:\I386\APPS\APP18753\src\CompaqPresario_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application
    D:\I386\APPS\APP18753\src\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application.

    However, the entries are "only" for the MyWebToolbar/MyWebSearch and should you have to use the D Drive to restore, these could easily be deleted then.
    =================================================
    Please update Java: Java Updates. Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.

    Be sure to check all download screens for any pre-checked toolbars or BHOs; if found, remove the check before the download.
    -------------------------------------------------
    To clear the Java Plug-in cache:

    • [1]. Click Start > Control Panel.
      [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
      [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
      [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
      [5]. Click OK on the Delete Temporary Files window.
      Note: This deletes all the Downloaded Applications and Applets from the cache.
      [6]. Click Apply > OK on the Temporary Files Settings window.
    Images courtesy java.com
    =======================================
    Reboot the computer.
    =======================================
    MCAFEE ANTIVIRUS
    Please navigate to the system tray on the bottom right hand corner and look for the McAfee sign.
    • Right-click it -> chose "Exit."
    • A popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.

    Update and run a new Eset scan
     
  19. R2D2B9

    R2D2B9 TechSpot Member Topic Starter Posts: 64

    - Uninstalled old version of Java, cleared Java cache and installed the latest version.
    - Looks like the two files on the D: drive are from the manufacturer (HP). Some digging online seemed to indicate this.

    ESET log:
    ----------------------------------------------
    C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP145\A0030746.sys Win32/Sirefef.DA trojan
    C:\_OTM\MovedFiles\04142012_073350\C_Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\notana.jar-641693ef-3f3e9642.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
    C:\_OTM\MovedFiles\04142012_073350\C_Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\xmltree.jar-5fadb05-601a0097.zip multiple threats
    C:\_OTM\MovedFiles\04142012_073350\C_Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\aebplnambrjkghcdefvlt.jar-37a21075-33ffeda6.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
    C:\_OTM\MovedFiles\04142012_073350\C_Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\aebplnambrjkghcdefvlt.jar-57301a0e-4f795fea.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
    C:\_OTM\MovedFiles\04142012_073350\C_Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\bnvfpesjndwvrmlqtynhb.jar-37cad680-3bcfef04.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
    C:\_OTM\MovedFiles\04142012_073350\C_Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\bnvfpesjndwvrmlqtynhb.jar-5d7aa40-53a76b8a.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
    C:\_OTM\MovedFiles\04142012_073350\C_Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\lwfndygmenpkrakbg.jar-70598d08-75fb3020.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
    C:\_OTM\MovedFiles\04142012_073350\C_Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\mqwgtqr.jar-515ba980-4d791f99.zip Java/Exploit.CVE-2011-3544.AG trojan
    C:\_OTM\MovedFiles\04142012_073350\C_Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\pyreeqhlckuglwmsmcwak.jar-1f459b78-231306c0.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
    C:\_OTM\MovedFiles\04142012_073350\C_Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\pyreeqhlckuglwmsmcwak.jar-7fb791df-72201723.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
    C:\_OTM\MovedFiles\04142012_073350\C_Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\undnngwfujadnstqfhnaq.jar-17d1bd16-3e1859d7.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
    C:\_OTM\MovedFiles\04142012_073350\C_Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\undnngwfujadnstqfhnaq.jar-1fa12906-1b8475ac.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
    C:\_OTM\MovedFiles\04142012_073350\C_Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\utsnbn.jar-4fae89dd-62d08bc1.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
    C:\_OTM\MovedFiles\04142012_073350\C_hp\bin\wbug\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application
    D:\I386\APPS\APP18753\src\CompaqPresario_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application
    D:\I386\APPS\APP18753\src\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application
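The ESET output above can be triaged by where each detection actually lives, which is the distinction Bobbye draws in this thread: restore points, files OTM already moved out of the way, and the HP recovery partition are each handled differently from something still live on C:. The following is an added example, not part of the original thread or of any tool mentioned in it; the log lines are a constructed subset of the ones posted above, and the location labels and advice strings are the example's own assumptions derived from the thread's guidance.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the ESET lines posted above (one per situation).
ESET_LOG = r"""
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP145\A0030746.sys Win32/Sirefef.DA trojan
C:\_OTM\MovedFiles\04142012_073350\C_Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\notana.jar-641693ef-3f3e9642.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
C:\_OTM\MovedFiles\04142012_073350\C_Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\xmltree.jar-5fadb05-601a0097.zip multiple threats
C:\_OTM\MovedFiles\04142012_073350\C_Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\mqwgtqr.jar-515ba980-4d791f99.zip Java/Exploit.CVE-2011-3544.AG trojan
C:\_OTM\MovedFiles\04142012_073350\C_hp\bin\wbug\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application
D:\I386\APPS\APP18753\src\CompaqPresario_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application
D:\I386\APPS\APP18753\src\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application
"""
# ESET writes "<path> <detection>"; paths contain spaces, so the path is taken
# as everything up to the first file extension that is followed by whitespace.
LINE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?\.[A-Za-z0-9]{1,4})\s+(?P<det>\S.*)$")

# Labels and advice are this example's own assumptions, following the thread's guidance.
ADVICE = {
    "restore-point": "create a fresh restore point, then purge the old ones",
    "otm-quarantine": "already moved by OTM; delete the _OTM folder once cleanup is done",
    "recovery-partition": "leave in place; remove the toolbar only if the recovery image is used",
    "live": "still on disk; investigate and remove",
}

@dataclass
class Finding:
    path: str
    detection: str
    location: str   # restore-point | otm-quarantine | recovery-partition | live
    artifact: str   # java-cache | toolbar | other
    advice: str

def classify_location(path: str) -> str:
    low = path.lower()
    if low.startswith(r"c:\system volume information\_restore"):
        return "restore-point"
    if "\\_otm\\movedfiles\\" in low:
        return "otm-quarantine"
    if low.startswith("d:\\"):    # D: is the HP recovery partition in this thread
        return "recovery-partition"
    return "live"

def classify_artifact(path: str, detection: str) -> str:
    if "\\sun\\java\\deployment\\cache\\" in path.lower():
        return "java-cache"       # applets cached by the Java plug-in (drive-by vector)
    if "toolbar" in detection.lower():
        return "toolbar"          # PUA such as MyWebSearch, not a trojan
    return "other"

def parse_eset_log(text: str) -> list:
    findings = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # not a detection line
        path, det = m.group("path"), m.group("det")
        loc = classify_location(path)
        findings.append(Finding(path, det, loc, classify_artifact(path, det), ADVICE[loc]))
    return findings

def summarize(findings: list) -> dict:
    return {
        "by_location": dict(Counter(f.location for f in findings)),
        "by_artifact": dict(Counter(f.artifact for f in findings)),
        "exploits": [f.detection for f in findings if "exploit" in f.detection.lower()],
        "live_count": sum(f.location == "live" for f in findings),
    }
```

Run on the full ESET log, `live_count` being zero is the check that nothing remains outside a restore point, the OTM quarantine or the recovery partition, while the Java cache entries (including the CVE-2011-3544 exploit) point at the outdated plug-in as the entry vector.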
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    I wouldn't worry about those 2 files in the HP Recovery partition. If you ever have to use it, you can delete the MWS Toolbar then.

    I noticed in the heading showing McAfee Enterprise that it is showing 'outdated'. If that was happening because of the malware, be sure you update to bring it current.

    Are there any remaining problems? How is the system doing now?
  21. R2D2B9

    R2D2B9 TechSpot Member Topic Starter Posts: 64

    The machine seems much faster and no longer redirecting to websites as I mentioned before.

    Not sure why McAfee is showing as out of date. I updated it before running Eset, to make sure it was still functioning. I will try and update it again.

    Should we delete the files that OTM moved?
  22. R2D2B9

    R2D2B9 TechSpot Member Topic Starter Posts: 64

    Hi Bobbye,

    I am waiting for your response indicating if the machine is clean or any further steps before I proceed with performing updates, backups and creation of the system restore disks.
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    So sorry for delay!
    There is just one process I'd like you to remove. It is for BackWeb AutoUpdater. It is running and shows as:

    c:\docume~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll
    Some companies add this process in the program download but they don't ask permission and usually don't ask if you want it. This makes it "Foistware".

    From Cexx.org:
    Western Data Digital, Logitech Mouse driver and Kodak Easyshare are some of the software using it. None of the programs need this to function:
    Use Windows Explorer to > Locate Iadhide3.dll and delete it.
    Remove the entry from the StartUp folder.
    =========================================================
    Your system is clean! You can now remove the tools we used:

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    -----
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    ------------------------------------------
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disc Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    Empty the Recycle Bin
  24. R2D2B9

    R2D2B9 TechSpot Member Topic Starter Posts: 64

    Thanks for all the help Bobbye. Seems like the machine is all cleaned up. I believe the source of the infection was the outdated version of Java.

    I have run full program and windows updates on the machine and removed all the default junk that HP loads the machine up with from the factory. I have also created system restore disks and plan to make an attempt at imaging the current hard drive.

    The machine is now set up as a limited user with a separate administrator account. I installed WOT in the web browsers to help minimize the risk of web based infection.
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    You're very welcome! Good job setting the UAC and System Restore. I'll leave a few more suggestions.

    You may find the following helpful: (Links are Bold Blue)
    Tips for added security and safer browsing:
    1. Browser Security
      [o] Make Internet Explorer safer: http://www.bleepingcomputer.com/tutorials/tutorial102.htm
      [o] Use a Site Advisor.
      Have layered Security:
    2. Antivirus Software(only one):
      [o]Microsoft Security Essentials
      [o]Comodo AV
      [o]Avast! Free Antivirus
      =============================
    3. Firewall (only one)
      [o] Zone Alarm Free
      [o]Comodo Firewall Free
    4. Antispyware/Security: I recommend all of the following:
      [o]Spywareblaster:Protects against bad ActiveX.
      [o]IE/Spyad Restricts bad domains.
      [o]MVPS Hosts files Directs HOSTS file to 127.0.0.1 which is your local computer.
      [o]Google Toolbar Popup Stopper
    5. Stay current on updates:
      [o] Windows Updates. You should get All updates marked Critical and the current SP updates.
      [o] Adobe Reader. Uninstall old.
      [o]Java Uninstall old.
    6. Reset Cookies to prevent Tracking Cookies:
      [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
      [o]For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
      (First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)
    7. Do regular Maintenance
      [o] To include Disc Cleanup, Defrag, Error Check.
    8. Remove Temporary Internet Files regularly:
      [o]TFC
    9. System Restore Guide: Understand Restore Points, why you need to clean and set restore points, and what information is in them.
    10. Practice Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click
      [o] Don't leave your personal email address on the internet/ Have a separate email account on free web-based mail.
    Please let me know if you find any bad links.

    Edit: BTW, I thought of you last night. The H2HD channel had the most awesome program going through Star Wars, telling how it related to Mythology and to present day. Keep an eye out for it if your user name means interest in Star Wars.