System Check malware removal

Solved
By Audioconsultant
Jan 22, 2012
  1. I always thought I practiced "safe computing", never opening unexpected email attachments, always installing Windows updates as they were installed, using TrendMicro's latest, and doing most browsing using Firefox. My machine is running XP 32 bit.

    Friday I was writing a post to a web Forum I had visited many times in the past, when for the first time TrendMicro popped up a window indicating it had blocked a .tmp file. Maybe a minute later before I had posted to the web Forum, Firefox suddenly went away. I closed the other programs I had running and shut down the PC.

    When I restarted the PC, I got what looked like a Windows warning message that my hard drive was failing and asking to run a check. Since my hard drive had actually failed about a month ago and been replaced by Dell, I thought maybe the new drive had also failed. I hit the OK button and it ran a scan claiming it found all sorts of things wrong including bad memory. That did not sound right to me. When it told me that to fix the problems would require purchasing a program, I knew I had been infected. Then I noticed the program name was System Check.

    I shut down, then started back up in safe mode. I found that Trend Micro would not run. I shut down and started in Safe Mode with Networking, and found IE, Firefox, and Opera (the 3 browsers I had installed) would not run.

    On a different machine I downloaded from TrendMicro their RescueDisk, which claimed my PC was clean. I downloaded HouseCallLauncher, but it could not reach the Internet. I downloaded RootkitBuster_v5_1050 but it would not run.

    Figuring I needed a clean boot CD, I did some searching and found PEBuilder and after several tries made a boot CD with HouseCallLauncher and RootkitBuster_v5_1050 on it. This made no difference, and HouseCallLauncher still could not reach the Internet and RootkitBuster_v5_1050 would not run.

    I then downloaded Microsoft Malicious Software Remover, put it on a USB key, booted into Safe mode, and ran both the quick and full checks both of which said my PC was clean.

    Meanwhile I found and downloaded Kaspersky Rescue Disk 10 and burned a CD. This boots into Linux and the quick check found and removed a Rootkit. The full check did not find anything else. At the end of the check it said there was an update available (from today) and I downloaded that. The quick check found another Rootkit, and the full check found and deleted or quarantined 5 other items. It then claimed my PC was now cleaned. However when I told it to shut down, the machine hung and never shut down. I had to force a power down.

    With great hope I rebooted from the hard drive in normal mode. It appeared to boot correctly, but I had a blank desktop (blue background) with no icons. The right side of the Start menu was blank, but the left side was there and so was the program menu. In the program menu was a System Check group which I stayed away from. Web browsers could reach the Internet.

    It was at this point my searching led me to this website. I found the 5 step instructions. Step 1 was to have a running anti-virus so I ran TrendMicro and found it had lost the purchase key. I re-entered the key, and Trend appeared to be running correctly.

    For step 2 I downloaded on the problem PC Malwarebytes and followed the instructions up to the point of doing a scan. All went well until I reached:

    Objects scanned: 45367
    Objects detected: 0
    Scan Type: Quick scan
    Time elapsed: 4 minute(s), 46 second(s)
    Currently scanning:
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Local Settings\Temporary Internet Files\Content.IE5\IONCA6YZ\26615fa[1].js

    The above was hand typed, since while Opera would run, I could not access this forum, so I am doing this on another PC.

    At that point it hung up and there has been no further progress for maybe an hour (I was not really timing). If the cursor is over the Malwarebytes window it changes into an hourglass. The only sign of activity is every once in a while a message pops up saying Malwarebytes has blocked access to an IP address.

    Since Malwarebytes is hung up, what should my next step be? Usually I can deal with most PC issues, but this problem has me stumped.

    Trying to post this was difficult since I appeared to have been logged out automatically while typing it. I have now logged back in and hope this works.

    Thanks for your help!
  2. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =============================================================

    Restart computer manually, skip Malwarebytes for now and complete as many other steps as you can.
  3. Audioconsultant

    Audioconsultant Newcomer, in training Topic Starter Posts: 32

    Posting Issues

    I did the rest of the steps, but when I tried to post the results I get a "Connection closed by remote server" error (running Opera on the problem PC). I am doing this post from a different machine. If this works, I will try posting a different way.
  4. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    OK................
  5. Audioconsultant

    Audioconsultant Newcomer, in training Topic Starter Posts: 32

    attempts to post test results

    Tried to post from the problem PC using Firefox and got the same error message. Copied the data into a txt file on a USB stick and moved it to the other PC where I now am posting from.

    From this machine I got an error "You have included 7 images in your message. You are limited to using 6 images so please go back and correct the problem and then continue again.

    "Images include use of smilies, the BB code tag and HTML <img> tags. The use of these is all subject to them being enabled by the administrator."

    I tried leaving out the Attach.txt data, but got the same message about "7 images". So this post I am leaving out all the test results to see if it will post.
  6. Audioconsultant

    Audioconsultant Newcomer, in training Topic Starter Posts: 32

    Gmer

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-01-22 21:31:17
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD5000AAKX-753CA1 rev.19.01H19
    Running: 29j2gq6c.exe; Driver: C:\DOCUME~1\RAYA~1.RAY\LOCALS~1\Temp\kxtdqpod.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

    ---- EOF - GMER 1.0.15 ----
  7. Audioconsultant

    Audioconsultant Newcomer, in training Topic Starter Posts: 32

    DDS part 1

    Got that "7 images" error again when attempting to post the DDS.txt data. I just cut off the second half to see if the first half will post.

    That did not work, so I will try one tiny bit at a time.

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Ray A. Rayburn at 21:35:58 on 2012-01-22
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2525 [GMT -7:00]
    .
    AV: Trend Micro Titanium Maximum Security *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
    .
  8. Audioconsultant

    Audioconsultant Newcomer, in training Topic Starter Posts: 32

    DDS Running Processes

    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Windows Home Server\WHSConnector.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
    C:\Program Files\HP\HP UT\bin\hppusg.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
    C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
    C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
    C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
    C:\Program Files\Opera\opera.exe
    .
  9. Audioconsultant

    Audioconsultant Newcomer, in training Topic Starter Posts: 32

    DDS Pseudo HJT Report - part 1

    Ah Ha!

    This is the part triggering the "7 images" error. I will now try to break it in half.

    That did not work, so I will try breaking the first part in half.

    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.dell.com
    uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
    uInternet Settings,ProxyOverride = *.local
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
    BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\amsp\module\20004\1.5.1504\6.6.1088\TmIEPlg.dll
    BHO: TSToolbarBHO: {43c6d902-a1c5-45c9-91f6-fd9e90337e18} - c:\program files\trend micro\titanium\uiframework\ToolbarIE.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: BrowserHelper Class: {9a065c65-4ee7-4ddd-9918-f129089a894a} - c:\program files\windows home server\WHSDeskBands.dll
    BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
    BHO: TmBpIeBHO Class: {bbacbafd-fa5e-4079-8b33-00eb9f13d4ac} - c:\program files\trend micro\amsp\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
  10. Audioconsultant

    Audioconsultant Newcomer, in training Topic Starter Posts: 32

    DDS Pseudo HJT Report - part 2

    Let's try another little chunk.

    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Home Server Banner: {d73e76a3-f902-45bd-8fc8-95ae8e014671} - c:\program files\windows home server\WHSDeskBands.dll
    TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\titanium\uiframework\ToolbarIE.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [DellCleanup] c:\dell\WINCLEAN.EXE
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
  11. Audioconsultant

    Audioconsultant Newcomer, in training Topic Starter Posts: 32

    DDS Pseudo HJT Report - part 3

    Another chunk.

    This triggered the "7 images" error, so I will shorten it.

    No joy. I will now post 2 lines of the 5 I last attempted to post.

    mRun: [Trend Micro Titanium] c:\program files\trend micro\titanium\uiframework\uiWinMgr.exe -set Silent "1" SplashURL ""
    mRun: [Trend Micro Client Framework] "c:\program files\trend micro\uniclient\uifrmwrk\UIWatchDog.exe"
  12. Audioconsultant

    Audioconsultant Newcomer, in training Topic Starter Posts: 32

    DDS Pseudo HJT Report - part 4

    The next 3 lines.

    Ugh! Still "7 images" error. Let's try 2 lines.

    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
  13. Audioconsultant

    Audioconsultant Newcomer, in training Topic Starter Posts: 32

    DDS Pseudo HJT Report - part 5

    Let's see if I can post the rest of DDS now.

    No such luck, so I will try the rest of this section.

    That did not work either. I will try 5 lines.

    I give up. The Forum appears to be broken. I can't go posting such long documents 2 lines at a time. Please get the Forum fixed so I can post, and I will put up the rest. That may have to wait for the AM.
  14. Audioconsultant

    Audioconsultant Newcomer, in training Topic Starter Posts: 32

    DDS the rest?

    I logged out of TechSpot, then closed the browser tab. Opened a new tab, went to TechSpot, logged in, and tried posting again. Let's see if this works.

    Nope.

    I just searched the text file I am trying to post, and "img" is not in it. Something must be goofy with the Forum.
  15. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Attach those logs and I'll try to post them for you.
  16. Audioconsultant

    Audioconsultant Newcomer, in training Topic Starter Posts: 32

    test results as attachment

    Tried to post from a different computer (this time at work) with the same "7 images" error.

    Therefore as you asked I have attached a text file.

  17. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Ray A. Rayburn at 21:35:58 on 2012-01-22
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2525 [GMT -7:00]
    .
    AV: Trend Micro Titanium Maximum Security *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Windows Home Server\WHSConnector.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
    C:\Program Files\HP\HP UT\bin\hppusg.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
    C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
    C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
    C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
    C:\Program Files\Opera\opera.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.dell.com
    uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
    uInternet Settings,ProxyOverride = *.local
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
    BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\amsp\module\20004\1.5.1504\6.6.1088\TmIEPlg.dll
    BHO: TSToolbarBHO: {43c6d902-a1c5-45c9-91f6-fd9e90337e18} - c:\program files\trend micro\titanium\uiframework\ToolbarIE.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: BrowserHelper Class: {9a065c65-4ee7-4ddd-9918-f129089a894a} - c:\program files\windows home server\WHSDeskBands.dll
    BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
    BHO: TmBpIeBHO Class: {bbacbafd-fa5e-4079-8b33-00eb9f13d4ac} - c:\program files\trend micro\amsp\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Home Server Banner: {d73e76a3-f902-45bd-8fc8-95ae8e014671} - c:\program files\windows home server\WHSDeskBands.dll
    TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\titanium\uiframework\ToolbarIE.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [DellCleanup] c:\dell\WINCLEAN.EXE
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [Trend Micro Titanium] c:\program files\trend micro\titanium\uiframework\uiWinMgr.exe -set Silent "1" SplashURL ""
    mRun: [Trend Micro Client Framework] "c:\program files\trend micro\uniclient\uifrmwrk\UIWatchDog.exe"
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on
    mRun: [<NO NAME>]
    mRun: [HPUsageTracking] "c:\program files\hp\hp ut\bin\hppusg.exe" "c:\program files\hp\hp ut\"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    StartupFolder: c:\docume~1\raya~1.ray\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\ray a. rayburn\application data\dropbox\bin\Dropbox.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~2.lnk - c:\windows\installer\{21e49794-7c13-4e84-8659-55bd378267d5}\WHSTrayApp.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
    uPolicies-explorer: NoDesktop = 1 (0x1)
    uPolicies-system: DisableTaskMgr = 1 (0x1)
    mPolicies-system: DisableTaskMgr = 1 (0x1)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    LSP: mswsock.dll
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1324404328062
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1324404437234
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    TCP: DhcpNameServer = 129.82.103.75 75.75.76.76 75.75.75.75
    TCP: Interfaces\{61CC70D4-7E08-4CE0-B7D5-662AC5F22918} : DhcpNameServer = 129.82.103.75 75.75.76.76 75.75.75.75
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - c:\program files\trend micro\amsp\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll
    Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\amsp\module\20004\1.5.1504\6.6.1088\TmIEPlg.dll
    Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\trend micro\titanium\uiframework\ToolbarIE.dll
    Handler: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - c:\program files\trend micro\titanium\uiframework\ProToolbarIMRatingActiveX.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\ray a. rayburn\application data\mozilla\firefox\profiles\2vvxkcq8.default\
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 Amsp;Trend Micro Solution Platform;c:\program files\trend micro\amsp\coreServiceShell.exe [2011-12-20 188272]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-1-22 652872]
    R2 TeamViewer7;TeamViewer 7;c:\program files\teamviewer\version7\TeamViewer_Service.exe [2011-12-20 2984832]
    R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2011-12-20 64080]
    R2 WHSConnector;Windows Home Server Connector Service;c:\program files\windows home server\WHSConnector.exe [2011-1-10 376688]
    R3 BackupReader;BackupReader;c:\windows\system32\drivers\BackupReader.sys [2007-9-6 44784]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-1-22 20464]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-1-22 40776]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-25 14336]
    .
    =============== Created Last 30 ================
    .
    2012-01-22 23:37:22 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2012-01-22 23:37:22 -------- d-----w- c:\documents and settings\ray a. rayburn\application data\Malwarebytes
    2012-01-22 23:37:13 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2012-01-22 23:37:12 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-22 23:37:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-22 09:36:47 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
    2012-01-22 01:24:07 -------- d-----w- C:\log
    2012-01-21 18:14:27 8656400 ----a-w- C:\RootkitBuster_v5_1050.exe
    2012-01-21 14:50:41 -------- d---a-w- C:\tmbrfix
    2012-01-21 04:22:22 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
    2012-01-16 00:46:59 -------- d-----w- c:\documents and settings\ray a. rayburn\application data\Windows Search
    2012-01-11 14:27:01 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
    2012-01-11 14:27:01 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
    2012-01-11 14:27:01 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
    2012-01-11 14:27:01 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
    2011-12-30 17:17:34 -------- d-----w- c:\documents and settings\ray a. rayburn\application data\HpUpdate
    2011-12-30 17:17:32 -------- d-----w- c:\windows\Hewlett-Packard
    2011-12-29 16:11:30 -------- d-----w- c:\documents and settings\all users\application data\zvprt50
    2011-12-29 16:11:23 9451 ------w- c:\windows\system32\hppfaxprintermonui5.dll
    2011-12-29 16:11:23 13385 ------w- c:\windows\system32\hppfaxprintermon5.dll
    2011-12-29 16:11:22 608 --sha-w- c:\windows\system32\winzvprt5.sys
    2011-12-29 16:06:11 -------- d-----w- C:\hp_LJM2727_full_solution_AM_EMEA1
    2011-12-28 20:20:40 -------- d--h--w- c:\windows\PIF
    2011-12-27 22:59:20 -------- d-----w- c:\program files\Gold Line
    2011-12-27 20:43:37 -------- d-----w- c:\documents and settings\ray a. rayburn\WINDOWS
    2011-12-27 02:45:40 5632 ----a-w- c:\windows\system32\ptpusb.dll
    2011-12-27 02:45:40 159232 ----a-w- c:\windows\system32\ptpusd.dll
    2011-12-27 02:42:04 -------- d-----w- c:\documents and settings\ray a. rayburn\local settings\application data\Apple Computer
    2011-12-27 02:41:57 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2011-12-27 02:41:57 107368 ----a-w- c:\windows\system32\GEARAspi.dll
    2011-12-27 02:41:20 -------- d-----w- c:\program files\iPod
    2011-12-27 02:41:19 -------- d-----w- c:\program files\iTunes
    2011-12-27 02:41:19 -------- d-----w- c:\documents and settings\all users\application data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2011-12-27 02:40:59 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
    2011-12-27 02:40:59 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2011-12-27 02:40:34 -------- d-----w- c:\program files\Bonjour
    2011-12-27 02:32:42 -------- d-----w- c:\program files\common files\HP
    2011-12-27 02:32:34 -------- d-----w- c:\program files\common files\Hewlett-Packard
    2011-12-27 02:32:19 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
    2011-12-27 02:32:19 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2011-12-27 02:31:52 241664 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpzpp5mc.DLL
    2011-12-27 02:31:51 59928 ----a-w- c:\windows\system32\fxcompchannel.dll
    2011-12-27 02:30:36 876544 ----a-w- c:\windows\system32\hpxp2727.dll
    2011-12-27 02:30:36 733184 ----a-w- c:\windows\system32\hpptsp02.dll
    2011-12-27 02:30:36 450560 ----a-w- c:\windows\system32\hppasc07.dll
    2011-12-27 02:30:36 327680 ----a-w- c:\windows\system32\hppcpr07.dll
    2011-12-27 01:38:28 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
    2011-12-27 01:38:28 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
    2011-12-27 01:20:50 -------- d-----w- c:\windows\system32\NtmsData
    2011-12-27 01:19:19 -------- d-----w- c:\program files\HP
    .
    ==================== Find3M ====================
    .
    2012-01-22 01:37:57 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2011-12-21 06:31:34 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-12-21 06:19:14 92112 ----a-w- c:\windows\system32\drivers\tmtdi.sys
    2011-12-21 06:19:14 80464 ----a-w- c:\windows\system32\drivers\tmactmon.sys
    2011-12-21 06:19:14 64080 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
    2011-12-19 17:30:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-12-19 17:30:10 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2011-12-15 20:45:21 77824 ----a-w- c:\windows\setpwr32.exe
    2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-11-23 13:29:56 1868544 ----a-w- c:\windows\system32\win32k.sys
    2011-11-18 12:35:08 60416 ----a-w- c:\windows\system32\packager.exe
    2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-11-04 19:20:51 43520 ------w- c:\windows\system32\licmgr10.dll
    2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-11-04 11:23:59 385024 ------w- c:\windows\system32\html.iec
    2011-11-03 15:28:36 386048 ----a-w- c:\windows\system32\qdvd.dll
    2011-11-03 15:28:36 1292288 ----a-w- c:\windows\system32\quartz.dll
    2011-11-01 20:35:20 81920 ------w- c:\windows\system32\ieencode.dll
    2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
    2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
    .
    ============= FINISH: 21:36:40.78 ===============

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 12/20/2011 9:48:51 AM
    System Uptime: 1/22/2012 9:21:51 PM (0 hours ago)
    .
    Motherboard: Dell Inc. | | 0GN723
    Processor: Intel(R) Core(TM)2 Duo CPU E8200 @ 2.66GHz | Socket 775 | 2660/333mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 466 GiB total, 385.421 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP10: 12/20/2011 7:45:04 PM - Installed Windows Home Server Connector
    RP11: 12/20/2011 7:56:03 PM - Removed Windows Home Server Connector
    RP12: 12/20/2011 7:56:19 PM - Installed Windows Home Server Connector
    RP13: 12/20/2011 7:58:54 PM - Installed Windows Home Server Toolkit 1.1
    RP14: 12/21/2011 8:29:20 AM - Software Distribution Service 3.0
    RP15: 12/21/2011 8:34:31 AM - Printer Driver AdobePS Acrobat Distiller Installed
    RP16: 12/21/2011 8:37:25 AM - Installed Adobe Acrobat 6.0 Professional
    RP17: 12/21/2011 8:40:21 AM - Printer Driver Adobe PDF Converter Installed
    RP18: 12/21/2011 8:41:48 AM - Installed Adobe Acrobat - Reader 6.0.2 Update
    RP19: 12/21/2011 8:42:07 AM - Installed Adobe Interactive Forms Update SP1
    RP20: 12/21/2011 8:42:28 AM - Installed Adobe Acrobat and Reader 6.0.3 Update
    RP21: 12/21/2011 8:52:51 AM - Installed Bonjour Print Services
    RP22: 12/22/2011 10:40:52 AM - System Checkpoint
    RP23: 12/23/2011 11:07:38 AM - System Checkpoint
    RP24: 12/24/2011 11:55:38 AM - System Checkpoint
    RP25: 12/25/2011 12:55:38 PM - System Checkpoint
    RP26: 12/26/2011 1:55:38 PM - System Checkpoint
    RP27: 12/26/2011 7:31:56 PM - Printer Driver HP LaserJet M2727 MFP Series PCL 6 Installed
    RP28: 12/26/2011 7:41:14 PM - Installed iTunes
    RP29: 12/27/2011 3:59:20 PM - Installed Sound Lab TDSenh
    RP30: 12/28/2011 4:07:56 PM - System Checkpoint
    RP31: 12/29/2011 9:11:26 AM - Printer Driver hpfax1 Installed
    RP32: 12/29/2011 9:11:40 AM - Installed HPSU306Stub
    RP33: 12/30/2011 9:23:27 AM - System Checkpoint
    RP34: 12/30/2011 10:17:38 AM - Removed HPSU306Stub
    RP35: 12/31/2011 1:29:45 PM - System Checkpoint
    RP36: 1/1/2012 2:23:27 PM - System Checkpoint
    RP37: 1/2/2012 3:23:27 PM - System Checkpoint
    RP38: 1/3/2012 3:23:34 PM - System Checkpoint
    RP39: 1/4/2012 4:23:33 PM - System Checkpoint
    RP40: 1/5/2012 11:35:22 PM - System Checkpoint
    RP41: 1/7/2012 12:23:33 AM - System Checkpoint
    RP42: 1/8/2012 12:46:49 AM - System Checkpoint
    RP43: 1/9/2012 1:23:33 AM - System Checkpoint
    RP44: 1/10/2012 2:23:33 AM - System Checkpoint
    RP45: 1/11/2012 3:23:42 AM - System Checkpoint
    RP46: 1/11/2012 9:19:35 PM - Software Distribution Service 3.0
    RP47: 1/13/2012 12:27:34 AM - System Checkpoint
    RP48: 1/14/2012 12:58:32 AM - System Checkpoint
    RP49: 1/15/2012 1:58:31 AM - System Checkpoint
    RP50: 1/16/2012 2:58:32 AM - System Checkpoint
    RP51: 1/17/2012 3:58:31 AM - System Checkpoint
    RP52: 1/18/2012 3:58:38 AM - System Checkpoint
    RP53: 1/19/2012 4:58:38 AM - System Checkpoint
    RP54: 1/20/2012 5:58:38 AM - System Checkpoint
    RP55: 1/22/2012 5:51:32 PM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    32 Bit HP CIO Components Installer
    Adobe Acrobat - Reader 6.0.2 Update
    Adobe Acrobat 6.0.1 Professional
    Adobe Acrobat and Reader 6.0.3 Update
    Adobe Flash Player 11 Plugin
    Adobe Interactive Forms Update SP1
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Bonjour
    Bonjour Print Services
    CustomerResearchQFolder
    Dell Driver Reset Tool
    Destination Component
    DeviceDiscovery
    DeviceManagementQFolder
    Dropbox
    eWallet 7.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB953955)
    Hotfix for Windows XP (KB954434)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB958347)
    Hotfix for Windows XP (KB959252)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB968764)
    Hotfix for Windows XP (KB969084)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Customer Participation Program 9.0
    HP LaserJet M2727 MFP Series 5.0
    HP Update
    hppFaxDrvM2727
    hppFaxUtility
    hppFonts
    hppLJM2727
    hppManualsM2727
    hppscanM2727
    hppScanTo
    hppSendFax
    hppTLBXFXM2727
    hppusgM2727
    HPSSupply
    hpzTLBXFX
    Intel(R) PRO Network Connections 12.1.12.0
    IrfanView (remove only)
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 20
    Malwarebytes Anti-Malware version 1.60.0.1800
    MarketResearch
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2656353)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Office 2007 Service Pack 3 (SP3)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Ultimate 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox 9.0.1 (x86 en-US)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP3 Parser (KB973685)
    MSXML 6.0 Parser (KB927977)
    NVIDIA Drivers
    Opera 11.60
    Product_Min_QFolder
    Realtek High Definition Audio Driver
    Scan
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2483614)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2491683)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2510581)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2544521)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2584146)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2598479)
    Security Update for Windows XP (KB2603381)
    Security Update for Windows XP (KB2618444)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2631813)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Security Update for Windows XP (KB2646524)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB976325)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982381)
    Security Update for Windows XP (KB982665)
    Sound Lab TDSenh
    TeamViewer 7
    Trend Micro Titanium Maximum Security
    Trend Micro™ Titanium™ Maximum Security
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596686) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
    Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
    Update for Windows Internet Explorer 8 (KB2598845)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951618-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB980182)
    WebFldrs XP
    WebReg
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Home Server Connector
    Windows Home Server Toolkit 1.1
    Windows Internet Explorer 8
    Windows Management Framework Core
    Windows Presentation Foundation
    Windows Rights Management Client Backwards Compatibility SP2
    Windows Rights Management Client with Service Pack 2
    Windows Search 4.0
    XML Paper Specification Shared Components Pack 1.0
    .
    ==== Event Viewer Messages From Past Week ========
    .
    1/21/2012 3:11:12 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    1/21/2012 2:29:27 PM, error: Dhcp [1002] - The IP address lease 192.168.2.104 for the Network Card with network address 001D09912E42 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
    1/20/2012 7:59:32 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.2.104 with the system having network hardware address 8C:7B:9D:13:5E:93. Network operations on this system may be disrupted as a result.
    1/20/2012 10:55:01 AM, error: Dhcp [1002] - The IP address lease 192.168.2.106 for the Network Card with network address 001D09912E42 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
    1/20/2012 10:34:11 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    1/20/2012 10:30:35 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm tmtdi
    1/20/2012 10:24:20 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip tmtdi
    1/20/2012 10:24:20 PM, error: Service Control Manager [7001] - The Windows Home Server Connector Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    1/20/2012 10:24:20 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    1/20/2012 10:24:20 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    1/20/2012 10:24:20 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    1/20/2012 10:24:20 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    1/20/2012 10:24:20 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    1/20/2012 10:24:20 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    1/20/2012 10:23:38 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    1/20/2012 10:07:35 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
    1/20/2012 10:07:35 PM, error: Service Control Manager [7000] - The NTPort Library Driver service failed to start due to the following error: The system cannot find the file specified.
    1/19/2012 10:55:00 PM, error: Dhcp [1002] - The IP address lease 192.168.2.107 for the Network Card with network address 001D09912E42 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
    1/17/2012 10:54:58 PM, error: Dhcp [1002] - The IP address lease 192.168.2.101 for the Network Card with network address 001D09912E42 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
    1/17/2012 10:54:57 AM, error: Dhcp [1002] - The IP address lease 192.168.2.102 for the Network Card with network address 001D09912E42 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
    1/16/2012 10:54:48 AM, error: Dhcp [1002] - The IP address lease 192.168.2.109 for the Network Card with network address 001D09912E42 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
    .
    ==== End Of File ===========================
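The "Event Viewer Messages From Past Week" section of the attach.txt log above is worth reading closely before running more tools: Service Control Manager event 7026 shows the network stack drivers (AFD, Tcpip, NetBT, IPSec) and Trend Micro's own tmtdi driver all failing to load at boot, which matches the symptoms reported at the start of the thread (no browsers, AV would not run). As an added example that is not part of the thread and not a feature of DDS, the Python script below parses lines in DDS's event format, tallies which boot-start drivers failed and which services failed because of a dependency, and flags the drivers a responder would want to check first. The watch list and the sample lines (copied from the log above) are constructed for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the DDS "Event Viewer Messages" lines above.
SAMPLE_EVENTS = """\
1/20/2012 10:30:35 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm tmtdi
1/20/2012 10:24:20 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip tmtdi
1/20/2012 10:24:20 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/20/2012 10:07:35 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
1/19/2012 10:55:00 PM, error: Dhcp [1002] - The IP address lease 192.168.2.107 for the Network Card with network address 001D09912E42 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
"""

# DDS prints one event per line: "<date> <time>, <level>: <source> [<id>] - <message>"
EVENT_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>[^\[]+?) \[(?P<id>\d+)\] - (?P<msg>.*)$"
)

# Drivers whose failure at boot deserves a second look (assumed watch list):
# the TCP/IP stack, which malware that tampers with afd.sys or tcpip.sys
# breaks, and the AV vendor's filter driver (tmtdi belongs to Trend Micro).
WATCH_DRIVERS = {"afd", "tcpip", "netbt", "ipsec", "tmtdi"}

DEP_RE = re.compile(
    r"^The (.+?) service depends on the (.+?) service which failed to start"
)


def parse_events(text):
    """Turn DDS event lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["id"] = int(ev["id"])
            events.append(ev)
    return events


def failed_boot_drivers(events):
    """Count how often each driver appears in an SCM 7026 'failed to load' event."""
    counts = defaultdict(int)
    for ev in events:
        if ev["source"] == "Service Control Manager" and ev["id"] == 7026:
            _, _, names = ev["msg"].partition("failed to load:")
            for name in names.split():
                counts[name.lower()] += 1
    return dict(counts)


def dependency_failures(events):
    """Return (service, dependency) pairs from SCM 7001 events."""
    pairs = []
    for ev in events:
        if ev["source"] == "Service Control Manager" and ev["id"] == 7001:
            m = DEP_RE.match(ev["msg"])
            if m:
                pairs.append((m.group(1), m.group(2)))
    return pairs


def triage(text):
    """Summarise the event section: failed drivers, watch-list hits, dependency chains."""
    events = parse_events(text)
    failed = failed_boot_drivers(events)
    return {
        "events": len(events),
        "failed_drivers": failed,
        "suspicious": sorted(d for d in failed if d in WATCH_DRIVERS),
        "dependency_failures": dependency_failures(events),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_EVENTS)
    print(f"{summary['events']} events parsed")
    print("boot-start drivers that failed:", summary["failed_drivers"])
    print("watch-list hits:", summary["suspicious"])
    for svc, dep in summary["dependency_failures"]:
        print(f"  {svc} could not start because {dep} failed")
```

Pointing the script at a real attach.txt is a matter of reading the file and passing the text to `triage()`; a watch-list hit on AFD or Tcpip together with the AV driver, as here, is the cue to scan the driver files themselves, which is exactly what the aswMBR run later in the thread does.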
  18. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ============================================================

    Download Bootkit Remover to your Desktop.

    • Unzip downloaded file to your Desktop.
• Double-click on boot_cleaner.exe to run the program (Vista/7 users, right click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
  19. Audioconsultant

    Audioconsultant Newcomer, in training Topic Starter Posts: 32

    aswMBR

    aswMBR version 0.9.9.1509 Copyright(c) 2011 AVAST Software
    Run date: 2012-01-23 23:36:28
    -----------------------------
    23:36:28.437 OS Version: Windows 5.1.2600 Service Pack 3
    23:36:28.437 Number of processors: 2 586 0x1706
    23:36:28.437 ComputerName: KELLY UserName:
    23:36:30.140 Initialize success
    23:37:40.203 AVAST engine defs: 12012301
    23:40:35.015 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    23:40:35.015 Disk 0 Vendor: WDC_WD5000AAKX-753CA1 19.01H19 Size: 476940MB BusType: 3
    23:40:35.031 Disk 0 MBR read successfully
    23:40:35.031 Disk 0 MBR scan
    23:40:35.078 Disk 0 Windows VISTA default MBR code
    23:40:35.078 Disk 0 Partition 1 00 DE Dell Utility DELL 4.1 39 MB offset 63
    23:40:35.109 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 476898 MB offset 80325
    23:40:35.109 Disk 0 scanning sectors +976768065
    23:40:35.203 Disk 0 scanning C:\WINDOWS\system32\drivers
    23:40:38.562 File: C:\WINDOWS\system32\drivers\afd.sys **INFECTED** Win32:Kryptik-GQO [Trj]
    23:40:48.359 Disk 0 trace - called modules:
    23:40:48.375 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xb5d25ff0]<<
    23:40:48.375 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a6a5ab8]
    23:40:48.375 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> [0x8a1fa5b8]
    23:40:48.375 \Driver\00000480[0x8a1f6d30] -> IRP_MJ_CREATE -> 0xb5d25ff0
    23:40:49.640 AVAST engine scan C:\WINDOWS
    23:40:56.890 AVAST engine scan C:\WINDOWS\system32
    23:42:24.609 AVAST engine scan C:\WINDOWS\system32\drivers
    23:42:28.031 File: C:\WINDOWS\system32\drivers\afd.sys **INFECTED** Win32:Kryptik-GQO [Trj]
    23:42:41.125 AVAST engine scan C:\Documents and Settings\Ray A. Rayburn
    00:05:51.031 AVAST engine scan C:\Documents and Settings\All Users
    00:10:09.187 Scan finished successfully
    00:11:59.640 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Ray A. Rayburn\Desktop\MBR.dat"
    00:11:59.640 The log file has been saved successfully to "C:\Documents and Settings\Ray A. Rayburn\Desktop\aswMBR.txt"
  20. Audioconsultant

    Audioconsultant Newcomer, in training Topic Starter Posts: 32

    Bootkit Remover

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02738a00
    Boot sector MD5 is: 0ec6b2481fc707d1e901dc2a875f2826

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...
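Both of the logs above (aswMBR and Bootkit Remover) are reporting on the same 512-byte boot sector: aswMBR lists the two partition entries it found there and saves a copy as MBR.dat, and Bootkit Remover hashes it and checks the boot code. As an added example, not from the thread and not code from either tool, the Python below shows what those checks amount to: it parses the four-entry partition table, verifies the 0x55AA boot signature, confirms exactly one active partition and no overlapping entries, and prints the MD5 of the sector. The sample sector is constructed to approximate the layout aswMBR reported (a 39 MB Dell Utility partition at LBA 63, an active NTFS partition at LBA 80325); it is not the real boot sector, so its MD5 will not match the one Bootkit Remover printed.

```python
import hashlib
import struct

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

# Assumed subset of partition type codes, enough for the layout in this thread.
PART_TYPES = {
    0x07: "HPFS/NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
    0x82: "Linux swap", 0x83: "Linux", 0xDE: "Dell Utility", 0xEE: "GPT protective",
}


def build_entry(status, ptype, lba_start, sectors):
    """One 16-byte table entry; CHS fields are zeroed since modern code uses LBA."""
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


def build_sample_mbr():
    """Constructed boot sector approximating the aswMBR report above (not the real MBR)."""
    table = (
        build_entry(0x00, 0xDE, 63, 80262)          # Dell Utility, ends exactly at LBA 80325
        + build_entry(0x80, 0x07, 80325, 976687104)  # active NTFS, 476898 MB
        + bytes(32)                                  # two unused entries
    )
    return bytes(446) + table + b"\x55\xAA"


def parse_mbr(data):
    """Return the non-empty partition entries of a 512-byte MBR as dicts."""
    if len(data) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, data[off:off + 16])
        if ptype == 0 and count == 0:
            continue
        parts.append({
            "index": i + 1,
            "active": status == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown"),
            "lba_start": lba,
            "sectors": count,
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return parts


def check_mbr(data):
    """Signature, active-flag and overlap checks plus the sector hash."""
    findings = []
    sig_ok = data[510:512] == b"\x55\xAA"
    if not sig_ok:
        findings.append("missing 0x55AA boot signature")
    parts = parse_mbr(data)
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"partition {a['index']} overlaps partition {b['index']}")
    return {
        "boot_sector_md5": hashlib.md5(data[:SECTOR]).hexdigest(),
        "signature_ok": sig_ok,
        "partitions": parts,
        "findings": findings,
    }


if __name__ == "__main__":
    # To examine the copy aswMBR saved, replace the sample with open("MBR.dat", "rb").read().
    report = check_mbr(build_sample_mbr())
    print("Boot sector MD5:", report["boot_sector_md5"])
    for p in report["partitions"]:
        flag = "(A)" if p["active"] else "   "
        print(f"  {p['index']} {flag} {p['type']:02X} {p['type_name']:<14} "
              f"{p['size_mb']} MB offset {p['lba_start']}")
    print("findings:", report["findings"] or "none")
```

What neither this script nor the two tools' table listings can see is the content of the boot code itself; that is why aswMBR separately compares the code against known Windows loaders ("Windows VISTA default MBR code" above) and why the hash Bootkit Remover prints is only useful against a known-good value for the same machine.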
  21. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  22. Audioconsultant

    Audioconsultant Newcomer, in training Topic Starter Posts: 32

    Combofix

    ComboFix 12-01-23.02 - Ray A. Rayburn 01/24/2012 17:01:49.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2935 [GMT -7:00]
    Running from: c:\documents and settings\Ray A. Rayburn\Desktop\ComboFix.exe
    AV: Trend Micro Titanium Maximum Security *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\~UryG62GqbSFGtC
    c:\documents and settings\All Users\Application Data\~UryG62GqbSFGtCr
    c:\documents and settings\All Users\Application Data\UryG62GqbSFGtC
    c:\documents and settings\Ray A. Rayburn\Desktop\System Check.lnk
    c:\documents and settings\Ray A. Rayburn\Start Menu\Programs\System Check
    c:\documents and settings\Ray A. Rayburn\Start Menu\Programs\System Check\System Check.lnk
    c:\documents and settings\Ray A. Rayburn\Start Menu\Programs\System Check\Uninstall System Check.lnk
    c:\documents and settings\Ray A. Rayburn\WINDOWS
    c:\windows\$NtUninstallKB37017$
    c:\windows\$NtUninstallKB37017$\1370661434
    c:\windows\$NtUninstallKB37017$\2577664317\@
    c:\windows\$NtUninstallKB37017$\2577664317\bckfg.tmp
    c:\windows\$NtUninstallKB37017$\2577664317\cfg.ini
    c:\windows\$NtUninstallKB37017$\2577664317\Desktop.ini
    c:\windows\$NtUninstallKB37017$\2577664317\keywords
    c:\windows\$NtUninstallKB37017$\2577664317\kwrd.dll
    c:\windows\$NtUninstallKB37017$\2577664317\L\rohepcid
    c:\windows\$NtUninstallKB37017$\2577664317\lsflt7.ver
    c:\windows\$NtUninstallKB37017$\2577664317\U\00000001.@
    c:\windows\$NtUninstallKB37017$\2577664317\U\00000002.@
    c:\windows\$NtUninstallKB37017$\2577664317\U\00000004.@
    c:\windows\$NtUninstallKB37017$\2577664317\U\80000000.@
    c:\windows\$NtUninstallKB37017$\2577664317\U\80000004.@
    c:\windows\$NtUninstallKB37017$\2577664317\U\80000032.@
    .
    Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
    Restored copy from - The cat found it :)
    c:\windows\system32\drivers\i8042prt.sys . . . is missing!!
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-25 to 2012-01-25 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-24 23:59 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    2012-01-22 23:37 . 2012-01-22 23:37 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2012-01-22 23:37 . 2012-01-22 23:37 -------- d-----w- c:\documents and settings\Ray A. Rayburn\Application Data\Malwarebytes
    2012-01-22 23:37 . 2012-01-22 23:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-01-22 23:37 . 2012-01-22 23:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-22 23:37 . 2011-12-10 22:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-22 09:36 . 2012-01-22 16:20 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
    2012-01-22 01:45 . 2012-01-22 01:45 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
    2012-01-22 01:24 . 2012-01-22 01:24 -------- d-----w- C:\log
    2012-01-21 18:14 . 2012-01-21 21:54 8656400 ----a-w- C:\RootkitBuster_v5_1050.exe
    2012-01-21 14:50 . 2012-01-21 15:14 -------- d---a-w- C:\tmbrfix
    2012-01-21 05:39 . 2012-01-21 05:39 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2012-01-21 05:32 . 2012-01-21 05:32 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Opera
    2012-01-21 05:29 . 2012-01-21 05:29 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2012-01-21 04:58 . 2012-01-21 04:58 -------- d-----w- c:\windows\Sun
    2012-01-21 04:22 . 2008-04-14 07:15 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
    2012-01-16 00:46 . 2012-01-16 00:46 -------- d-----w- c:\documents and settings\Ray A. Rayburn\Application Data\Windows Search
    2012-01-11 14:27 . 2012-01-11 14:27 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
    2012-01-11 14:27 . 2012-01-11 14:27 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
    2012-01-11 14:27 . 2012-01-11 14:27 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
    2012-01-11 14:27 . 2012-01-11 14:27 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
    2011-12-30 17:17 . 2011-12-30 17:18 -------- d-----w- c:\documents and settings\Ray A. Rayburn\Application Data\HpUpdate
    2011-12-30 17:17 . 2011-12-30 17:17 -------- d-----w- c:\windows\Hewlett-Packard
    2011-12-29 16:12 . 2011-12-29 16:12 -------- d-----w- c:\documents and settings\Ray A. Rayburn\Application Data\HP
    2011-12-29 16:11 . 2011-12-29 16:11 -------- d-----w- c:\documents and settings\All Users\Application Data\zvprt50
    2011-12-29 16:11 . 2007-04-02 15:19 9451 ------w- c:\windows\system32\hppfaxprintermonui5.dll
    2011-12-29 16:11 . 2007-04-02 15:19 13385 ------w- c:\windows\system32\hppfaxprintermon5.dll
    2011-12-29 16:11 . 2011-12-29 16:11 608 --sha-w- c:\windows\system32\winzvprt5.sys
    2011-12-29 16:06 . 2011-12-29 16:06 -------- d-----w- C:\hp_LJM2727_full_solution_AM_EMEA1
    2011-12-28 20:20 . 2011-12-28 20:20 -------- d--h--w- c:\windows\PIF
    2011-12-28 02:01 . 2011-12-28 02:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
    2011-12-27 22:59 . 2011-12-27 22:59 -------- d-----w- c:\program files\Gold Line
    2011-12-27 02:45 . 2008-04-14 12:42 159232 ----a-w- c:\windows\system32\ptpusd.dll
    2011-12-27 02:45 . 2001-08-18 05:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
    2011-12-27 02:42 . 2011-12-27 02:42 -------- d-----w- c:\documents and settings\Ray A. Rayburn\Local Settings\Application Data\Apple Computer
    2011-12-27 02:42 . 2011-12-27 02:45 -------- d-----w- c:\documents and settings\Ray A. Rayburn\Application Data\Apple Computer
    2011-12-27 02:41 . 2009-05-18 20:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2011-12-27 02:41 . 2008-04-17 19:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
    2011-12-27 02:41 . 2011-12-27 02:41 -------- d-----w- c:\program files\iPod
    2011-12-27 02:41 . 2011-12-27 02:41 -------- d-----w- c:\program files\iTunes
    2011-12-27 02:41 . 2011-12-27 02:41 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2011-12-27 02:41 . 2011-12-27 02:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2011-12-27 02:41 . 2011-12-27 02:41 -------- d-----w- c:\program files\Apple Software Update
    2011-12-27 02:41 . 2011-12-27 02:41 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
    2011-12-27 02:40 . 2011-08-03 00:38 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
    2011-12-27 02:40 . 2011-08-03 00:38 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2011-12-27 02:40 . 2011-12-27 02:40 -------- d-----w- c:\program files\Bonjour
    2011-12-27 02:40 . 2011-12-27 02:41 -------- d-----w- c:\program files\Common Files\Apple
    2011-12-27 02:32 . 2011-12-27 02:32 -------- d-----w- c:\program files\Common Files\HP
    2011-12-27 02:32 . 2011-12-27 02:32 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
    2011-12-27 02:32 . 2011-12-27 02:32 -------- d-----w- c:\program files\Hewlett-Packard
    2011-12-27 02:32 . 2011-12-27 02:32 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
    2011-12-27 02:32 . 2008-04-14 07:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
    2011-12-27 02:32 . 2008-04-14 07:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2011-12-27 02:32 . 2011-12-29 16:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
    2011-12-27 02:31 . 2008-02-01 18:13 241664 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp5mc.DLL
    2011-12-27 02:31 . 2007-07-17 12:29 59928 ----a-w- c:\windows\system32\fxcompchannel.dll
    2011-12-27 02:30 . 2008-01-15 08:00 327680 ----a-w- c:\windows\system32\hppcpr07.dll
    2011-12-27 02:30 . 2008-01-07 02:48 733184 ----a-w- c:\windows\system32\hpptsp02.dll
    2011-12-27 02:30 . 2007-06-05 22:31 876544 ----a-w- c:\windows\system32\hpxp2727.dll
    2011-12-27 02:30 . 2007-02-08 04:03 450560 ----a-w- c:\windows\system32\hppasc07.dll
    2011-12-27 01:38 . 2008-04-14 07:17 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
    2011-12-27 01:38 . 2008-04-14 07:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
    2011-12-27 01:20 . 2011-12-27 01:20 -------- d-----w- c:\windows\system32\NtmsData
    2011-12-27 01:19 . 2011-12-27 02:41 -------- dc----w- c:\windows\system32\DRVSTORE
    2011-12-27 01:19 . 2011-12-30 17:17 -------- d-----w- c:\program files\HP
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-01-22 01:37 . 2011-12-21 06:23 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2011-12-21 06:31 . 2011-12-21 06:31 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-12-21 06:19 . 2011-12-21 06:23 92112 ----a-w- c:\windows\system32\drivers\tmtdi.sys
    2011-12-21 06:19 . 2011-12-21 06:23 80464 ----a-w- c:\windows\system32\drivers\tmactmon.sys
    2011-12-21 06:19 . 2011-12-21 06:23 64080 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
    2011-12-19 17:30 . 2011-12-19 17:30 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-12-19 17:30 . 2011-12-19 17:30 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2011-12-15 20:45 . 2011-12-15 20:45 77824 ----a-w- c:\windows\setpwr32.exe
    2011-11-25 21:57 . 2008-04-25 16:16 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-11-23 13:29 . 2008-04-25 16:16 1868544 ----a-w- c:\windows\system32\win32k.sys
    2011-11-18 12:35 . 2008-04-25 16:16 60416 ----a-w- c:\windows\system32\packager.exe
    2011-11-04 19:20 . 2008-04-25 16:16 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-11-04 19:20 . 2008-04-25 16:16 43520 ------w- c:\windows\system32\licmgr10.dll
    2011-11-04 19:20 . 2008-04-25 16:16 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-11-04 11:23 . 2008-04-25 16:16 385024 ------w- c:\windows\system32\html.iec
    2011-11-03 15:28 . 2008-04-25 16:16 386048 ----a-w- c:\windows\system32\qdvd.dll
    2011-11-03 15:28 . 2008-04-25 16:16 1292288 ----a-w- c:\windows\system32\quartz.dll
    2011-11-01 20:35 . 2011-11-01 20:35 81920 ------w- c:\windows\system32\ieencode.dll
    2011-11-01 16:07 . 2008-04-25 16:16 1288704 ----a-w- c:\windows\system32\ole32.dll
    2011-10-28 05:31 . 2008-04-25 16:16 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2012-01-11 14:27 . 2011-12-20 23:33 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-12-05 19:17 94208 ----a-w- c:\documents and settings\Ray A. Rayburn\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-12-05 19:17 94208 ----a-w- c:\documents and settings\Ray A. Rayburn\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-12-05 19:17 94208 ----a-w- c:\documents and settings\Ray A. Rayburn\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2011-12-05 19:17 94208 ----a-w- c:\documents and settings\Ray A. Rayburn\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2007-07-22 16132608]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-28 8429568]
    "DellCleanup"="c:\dell\WINCLEAN.EXE" [2011-12-15 212992]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
    "Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-10-08 1111568]
    "Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-02-10 116752]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    "ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2008-01-10 53248]
    "HPUsageTracking"="c:\program files\HP\HP UT\bin\hppusg.exe" [2007-08-31 36864]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-25 460872]
    .
    c:\documents and settings\Ray A. Rayburn\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\documents and settings\Ray A. Rayburn\Application Data\Dropbox\bin\Dropbox.exe [2011-12-5 24242056]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 217194]
    Windows Home Server.lnk - c:\windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe [2011-12-20 603504]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Documents and Settings\\Ray A. Rayburn\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
    "c:\\Program Files\\Opera\\opera.exe"=
    "c:\\Program Files\\TeamViewer\\Version7\\TeamViewer.exe"=
    "c:\\Program Files\\TeamViewer\\Version7\\TeamViewer_Service.exe"=
    "c:\\Documents and Settings\\Ray A. Rayburn\\My Documents\\My_Downloads\\HP_M2727_printer\\setup\\hppnet01.exe"=
    "c:\\Documents and Settings\\Ray A. Rayburn\\My Documents\\My_Downloads\\HP_M2727_printer\\setup\\hppniprint01.exe"=
    "c:\\Documents and Settings\\Ray A. Rayburn\\My Documents\\My_Downloads\\HP_M2727_printer\\setup\\hppniprint64.exe"=
    "c:\\Documents and Settings\\Ray A. Rayburn\\My Documents\\My_Downloads\\HP_M2727_printer\\setup\\hppnicifs01.exe"=
    "c:\\Documents and Settings\\Ray A. Rayburn\\My Documents\\My_Downloads\\HP_M2727_printer\\setup\\LaunchApp.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Gold Line\\TEF\\SL60.exe"=
    "c:\\Program Files\\HP\\hp laserjet m2727\\Fax Config utility0.exe"=
    "c:\\Documents and Settings\\Ray A. Rayburn\\My Documents\\My_Downloads\\WS_FTP\\WS_FTP95.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
    .
    R2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe [12/20/2011 11:22 PM 188272]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/22/2012 4:37 PM 652872]
    R2 TeamViewer7;TeamViewer 7;c:\program files\TeamViewer\Version7\TeamViewer_Service.exe [12/20/2011 11:34 PM 2984832]
    R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [12/20/2011 11:23 PM 64080]
    R2 WHSConnector;Windows Home Server Connector Service;c:\program files\Windows Home Server\WHSConnector.exe [1/10/2011 12:28 PM 376688]
    R3 BackupReader;BackupReader;c:\windows\system32\drivers\BackupReader.sys [9/6/2007 6:53 PM 44784]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/22/2012 4:37 PM 20464]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/22/2012 4:37 PM 40776]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/25/2008 9:16 AM 14336]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-18 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.dell.com
    uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 129.82.103.75 75.75.76.76 75.75.75.75
    FF - ProfilePath - c:\documents and settings\Ray A. Rayburn\Application Data\Mozilla\Firefox\Profiles\2vvxkcq8.default\
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-01-24 17:15
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3244)
    c:\windows\system32\WININET.dll
    c:\documents and settings\Ray A. Rayburn\Application Data\Dropbox\bin\DropboxExt.14.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\program files\Windows Desktop Search\deskbar.dll
    c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
    c:\program files\Windows Desktop Search\dbres.dll
    c:\program files\Windows Desktop Search\wordwheel.dll
    c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
    c:\program files\Windows Desktop Search\msnlExtRes.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Trend Micro\AMSP\coreFrameworkHost.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\SearchIndexer.exe
    c:\program files\TeamViewer\Version7\TeamViewer.exe
    c:\program files\TeamViewer\Version7\tv_w32.exe
    c:\windows\RTHDCPL.EXE
    c:\program files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
    c:\program files\Windows Home Server\WHSTrayApp.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\system32\SearchProtocolHost.exe
    c:\windows\system32\SearchFilterHost.exe
    .
    **************************************************************************
    .
    Completion time: 2012-01-24 17:19:12 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-01-25 00:19
    .
    Pre-Run: 414,330,695,680 bytes free
    Post-Run: 414,856,302,592 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - A514409431CF3BB833DE2C0D537D8191
  23. Audioconsultant

    Audioconsultant Newcomer, in training Topic Starter Posts: 32

    Combofix Notes

When I got home tonight and tried to download Combofix, nothing would download. I also noted that Windows had updates it wanted to install. I shut down without installing the updates. When I rebooted the machine and ran Opera, I was able to download Combofix. It took a while and it did two automatic reboots, but at last it popped open a log.txt file, which I just posted.

    I now have my icons back on the Desktop (I was accessing the Desktop via Windows Explorer), the missing items on the right side of the Start menu are back, and the System Check group under All Programs is gone. The only thing not yet right in terms of appearances is the blue desktop instead of the original image.

    Thanks for getting me this far!
  24. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Good news :)

See if you can change the background manually.

    We have one system file missing - i8042prt.sys
    I uploaded that file for you here: http://www.filedropper.com/i8042prt
Download it and paste it into the c:\windows\system32\drivers folder.
    Disregard any Windows complaints.

    Re-run Combofix and post fresh log.
  25. Audioconsultant

    Audioconsultant Newcomer, in training Topic Starter Posts: 32

    ComboFix log.txt

    ComboFix 12-01-23.02 - Ray A. Rayburn 01/24/2012 18:37:25.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2709 [GMT -7:00]
    Running from: c:\documents and settings\Ray A. Rayburn\Desktop\ComboFix.exe
    AV: Trend Micro Titanium Maximum Security *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-25 to 2012-01-25 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-25 01:34 . 2008-04-14 07:48 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
    2012-01-25 01:34 . 2008-04-14 07:48 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
    2012-01-24 23:59 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    2012-01-22 23:37 . 2012-01-22 23:37 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2012-01-22 23:37 . 2012-01-22 23:37 -------- d-----w- c:\documents and settings\Ray A. Rayburn\Application Data\Malwarebytes
    2012-01-22 23:37 . 2012-01-22 23:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-01-22 23:37 . 2012-01-22 23:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-22 23:37 . 2011-12-10 22:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-22 09:36 . 2012-01-22 16:20 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
    2012-01-22 01:45 . 2012-01-22 01:45 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
    2012-01-22 01:24 . 2012-01-22 01:24 -------- d-----w- C:\log
    2012-01-21 18:14 . 2012-01-21 21:54 8656400 ----a-w- C:\RootkitBuster_v5_1050.exe
    2012-01-21 14:50 . 2012-01-21 15:14 -------- d---a-w- C:\tmbrfix
    2012-01-21 05:39 . 2012-01-21 05:39 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2012-01-21 05:32 . 2012-01-21 05:32 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Opera
    2012-01-21 05:29 . 2012-01-21 05:29 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2012-01-21 04:58 . 2012-01-21 04:58 -------- d-----w- c:\windows\Sun
    2012-01-21 04:22 . 2008-04-14 07:15 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
    2012-01-16 00:46 . 2012-01-16 00:46 -------- d-----w- c:\documents and settings\Ray A. Rayburn\Application Data\Windows Search
    2012-01-11 14:27 . 2012-01-11 14:27 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
    2012-01-11 14:27 . 2012-01-11 14:27 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
    2012-01-11 14:27 . 2012-01-11 14:27 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
    2012-01-11 14:27 . 2012-01-11 14:27 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
    2011-12-30 17:17 . 2011-12-30 17:18 -------- d-----w- c:\documents and settings\Ray A. Rayburn\Application Data\HpUpdate
    2011-12-30 17:17 . 2011-12-30 17:17 -------- d-----w- c:\windows\Hewlett-Packard
    2011-12-29 16:12 . 2011-12-29 16:12 -------- d-----w- c:\documents and settings\Ray A. Rayburn\Application Data\HP
    2011-12-29 16:11 . 2011-12-29 16:11 -------- d-----w- c:\documents and settings\All Users\Application Data\zvprt50
    2011-12-29 16:11 . 2007-04-02 15:19 9451 ------w- c:\windows\system32\hppfaxprintermonui5.dll
    2011-12-29 16:11 . 2007-04-02 15:19 13385 ------w- c:\windows\system32\hppfaxprintermon5.dll
    2011-12-29 16:11 . 2011-12-29 16:11 608 --sha-w- c:\windows\system32\winzvprt5.sys
    2011-12-29 16:06 . 2011-12-29 16:06 -------- d-----w- C:\hp_LJM2727_full_solution_AM_EMEA1
    2011-12-28 20:20 . 2011-12-28 20:20 -------- d--h--w- c:\windows\PIF
    2011-12-28 02:01 . 2011-12-28 02:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
    2011-12-27 22:59 . 2011-12-27 22:59 -------- d-----w- c:\program files\Gold Line
    2011-12-27 02:45 . 2008-04-14 12:42 159232 ----a-w- c:\windows\system32\ptpusd.dll
    2011-12-27 02:45 . 2001-08-18 05:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
    2011-12-27 02:42 . 2011-12-27 02:42 -------- d-----w- c:\documents and settings\Ray A. Rayburn\Local Settings\Application Data\Apple Computer
    2011-12-27 02:42 . 2011-12-27 02:45 -------- d-----w- c:\documents and settings\Ray A. Rayburn\Application Data\Apple Computer
    2011-12-27 02:41 . 2009-05-18 20:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2011-12-27 02:41 . 2008-04-17 19:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
    2011-12-27 02:41 . 2011-12-27 02:41 -------- d-----w- c:\program files\iPod
    2011-12-27 02:41 . 2011-12-27 02:41 -------- d-----w- c:\program files\iTunes
    2011-12-27 02:41 . 2011-12-27 02:41 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2011-12-27 02:41 . 2011-12-27 02:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2011-12-27 02:41 . 2011-12-27 02:41 -------- d-----w- c:\program files\Apple Software Update
    2011-12-27 02:41 . 2011-12-27 02:41 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
    2011-12-27 02:40 . 2011-08-03 00:38 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
    2011-12-27 02:40 . 2011-08-03 00:38 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2011-12-27 02:40 . 2011-12-27 02:40 -------- d-----w- c:\program files\Bonjour
    2011-12-27 02:40 . 2011-12-27 02:41 -------- d-----w- c:\program files\Common Files\Apple
    2011-12-27 02:32 . 2011-12-27 02:32 -------- d-----w- c:\program files\Common Files\HP
    2011-12-27 02:32 . 2011-12-27 02:32 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
    2011-12-27 02:32 . 2011-12-27 02:32 -------- d-----w- c:\program files\Hewlett-Packard
    2011-12-27 02:32 . 2011-12-27 02:32 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
    2011-12-27 02:32 . 2008-04-14 07:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
    2011-12-27 02:32 . 2008-04-14 07:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2011-12-27 02:32 . 2011-12-29 16:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
    2011-12-27 02:31 . 2008-02-01 18:13 241664 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp5mc.DLL
    2011-12-27 02:31 . 2007-07-17 12:29 59928 ----a-w- c:\windows\system32\fxcompchannel.dll
    2011-12-27 02:30 . 2008-01-15 08:00 327680 ----a-w- c:\windows\system32\hppcpr07.dll
    2011-12-27 02:30 . 2008-01-07 02:48 733184 ----a-w- c:\windows\system32\hpptsp02.dll
    2011-12-27 02:30 . 2007-06-05 22:31 876544 ----a-w- c:\windows\system32\hpxp2727.dll
    2011-12-27 02:30 . 2007-02-08 04:03 450560 ----a-w- c:\windows\system32\hppasc07.dll
    2011-12-27 01:38 . 2008-04-14 07:17 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
    2011-12-27 01:38 . 2008-04-14 07:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
    2011-12-27 01:20 . 2011-12-27 01:20 -------- d-----w- c:\windows\system32\NtmsData
    2011-12-27 01:19 . 2011-12-27 02:41 -------- dc----w- c:\windows\system32\DRVSTORE
    2011-12-27 01:19 . 2011-12-30 17:17 -------- d-----w- c:\program files\HP
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-01-22 01:37 . 2011-12-21 06:23 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2011-12-21 06:31 . 2011-12-21 06:31 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-12-21 06:19 . 2011-12-21 06:23 92112 ----a-w- c:\windows\system32\drivers\tmtdi.sys
    2011-12-21 06:19 . 2011-12-21 06:23 80464 ----a-w- c:\windows\system32\drivers\tmactmon.sys
    2011-12-21 06:19 . 2011-12-21 06:23 64080 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
    2011-12-19 17:30 . 2011-12-19 17:30 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-12-19 17:30 . 2011-12-19 17:30 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2011-12-15 20:45 . 2011-12-15 20:45 77824 ----a-w- c:\windows\setpwr32.exe
    2011-11-25 21:57 . 2008-04-25 16:16 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-11-23 13:29 . 2008-04-25 16:16 1868544 ----a-w- c:\windows\system32\win32k.sys
    2011-11-18 12:35 . 2008-04-25 16:16 60416 ----a-w- c:\windows\system32\packager.exe
    2011-11-04 19:20 . 2008-04-25 16:16 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-11-04 19:20 . 2008-04-25 16:16 43520 ------w- c:\windows\system32\licmgr10.dll
    2011-11-04 19:20 . 2008-04-25 16:16 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-11-04 11:23 . 2008-04-25 16:16 385024 ------w- c:\windows\system32\html.iec
    2011-11-03 15:28 . 2008-04-25 16:16 386048 ----a-w- c:\windows\system32\qdvd.dll
    2011-11-03 15:28 . 2008-04-25 16:16 1292288 ----a-w- c:\windows\system32\quartz.dll
    2011-11-01 20:35 . 2011-11-01 20:35 81920 ------w- c:\windows\system32\ieencode.dll
    2011-11-01 16:07 . 2008-04-25 16:16 1288704 ----a-w- c:\windows\system32\ole32.dll
    2011-10-28 05:31 . 2008-04-25 16:16 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2012-01-11 14:27 . 2011-12-20 23:33 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-12-05 19:17 94208 ----a-w- c:\documents and settings\Ray A. Rayburn\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-12-05 19:17 94208 ----a-w- c:\documents and settings\Ray A. Rayburn\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-12-05 19:17 94208 ----a-w- c:\documents and settings\Ray A. Rayburn\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2011-12-05 19:17 94208 ----a-w- c:\documents and settings\Ray A. Rayburn\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2007-07-22 16132608]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-28 8429568]
    "DellCleanup"="c:\dell\WINCLEAN.EXE" [2011-12-15 212992]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
    "Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-10-08 1111568]
    "Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-02-10 116752]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    "ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2008-01-10 53248]
    "HPUsageTracking"="c:\program files\HP\HP UT\bin\hppusg.exe" [2007-08-31 36864]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-25 460872]
    .
    c:\documents and settings\Ray A. Rayburn\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\documents and settings\Ray A. Rayburn\Application Data\Dropbox\bin\Dropbox.exe [2011-12-5 24242056]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 217194]
    Windows Home Server.lnk - c:\windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe [2011-12-20 603504]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Documents and Settings\\Ray A. Rayburn\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
    "c:\\Program Files\\Opera\\opera.exe"=
    "c:\\Program Files\\TeamViewer\\Version7\\TeamViewer.exe"=
    "c:\\Program Files\\TeamViewer\\Version7\\TeamViewer_Service.exe"=
    "c:\\Documents and Settings\\Ray A. Rayburn\\My Documents\\My_Downloads\\HP_M2727_printer\\setup\\hppnet01.exe"=
    "c:\\Documents and Settings\\Ray A. Rayburn\\My Documents\\My_Downloads\\HP_M2727_printer\\setup\\hppniprint01.exe"=
    "c:\\Documents and Settings\\Ray A. Rayburn\\My Documents\\My_Downloads\\HP_M2727_printer\\setup\\hppniprint64.exe"=
    "c:\\Documents and Settings\\Ray A. Rayburn\\My Documents\\My_Downloads\\HP_M2727_printer\\setup\\hppnicifs01.exe"=
    "c:\\Documents and Settings\\Ray A. Rayburn\\My Documents\\My_Downloads\\HP_M2727_printer\\setup\\LaunchApp.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Gold Line\\TEF\\SL60.exe"=
    "c:\\Program Files\\HP\\hp laserjet m2727\\Fax Config utility0.exe"=
    "c:\\Documents and Settings\\Ray A. Rayburn\\My Documents\\My_Downloads\\WS_FTP\\WS_FTP95.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
    .
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/22/2012 4:37 PM 652872]
    R2 TeamViewer7;TeamViewer 7;c:\program files\TeamViewer\Version7\TeamViewer_Service.exe [12/20/2011 11:34 PM 2984832]
    R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [12/20/2011 11:23 PM 64080]
    R2 WHSConnector;Windows Home Server Connector Service;c:\program files\Windows Home Server\WHSConnector.exe [1/10/2011 12:28 PM 376688]
    R3 BackupReader;BackupReader;c:\windows\system32\drivers\BackupReader.sys [9/6/2007 6:53 PM 44784]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/22/2012 4:37 PM 20464]
    S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe [12/20/2011 11:22 PM 188272]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/22/2012 4:37 PM 40776]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/25/2008 9:16 AM 14336]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-18 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.dell.com
    uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 129.82.103.75 75.75.76.76 75.75.75.75
    FF - ProfilePath - c:\documents and settings\Ray A. Rayburn\Application Data\Mozilla\Firefox\Profiles\2vvxkcq8.default\
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-01-24 18:40
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3588)
    c:\windows\system32\WININET.dll
    c:\documents and settings\Ray A. Rayburn\Application Data\Dropbox\bin\DropboxExt.14.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\program files\Windows Desktop Search\deskbar.dll
    c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
    c:\program files\Windows Desktop Search\dbres.dll
    c:\program files\Windows Desktop Search\wordwheel.dll
    c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
    c:\program files\Windows Desktop Search\msnlExtRes.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    Completion time: 2012-01-24 18:41:37
    ComboFix-quarantined-files.txt 2012-01-25 01:41
    ComboFix2.txt 2012-01-25 00:19
    .
    Pre-Run: 414,863,556,608 bytes free
    Post-Run: 414,873,649,152 bytes free
    .
    - - End Of File - - 84F8B2029B070453405AA08591DDCC74
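The Run keys, Startup folders and firewall AuthorizedApplications list in a ComboFix log like the one above are where persistence and unexpected network exceptions show up, and the question for each entry is whether it belongs. As an added example (not part of the original post and not ComboFix's own code), the Python below parses those sections and flags entries that run from user-writable locations or whose file date falls on or after a supplied incident date. The sample log text, the incident date and the mapping of %windir% to c:\windows are constructed assumptions for illustration; a flag is a prompt to verify the file, not a verdict (Dropbox legitimately runs from Application Data and WS_FTP from My Documents, so both are listed), and the location markers also cover Vista-and-later profile paths beyond the XP layout on this page.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed sample in the layout ComboFix uses for Run keys, Startup folders
# and the XP firewall AuthorizedApplications list. Made up for illustration,
# not copied from the original post.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-28 8429568]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-25 460872]
"kjf83hsd"="c:\documents and settings\All Users\Application Data\kjf83hsd.exe" [2012-01-20 351744]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dropbox"="c:\documents and settings\user\Application Data\Dropbox\bin\Dropbox.exe" [2011-12-05 24242056]
"update"="c:\documents and settings\user\Local Settings\Temp\~tmp99.exe" [2012-01-20 81920]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\user\\My Documents\\My_Downloads\\WS_FTP\\WS_FTP95.exe"=
"""

DATE = r"(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)"   # "[2008-5-26 123904]" style stamp
SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
STARTUP_DIR_RE = re.compile(r"^(?P<dir>[a-z]:\\.*\\Startup\\)$", re.IGNORECASE)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"(?:\s+\[' + DATE + r"\])?$")
LNK_RE = re.compile(r"^(?P<name>.+?\.lnk) - (?P<path>.+?)(?:\s+\[" + DATE + r"\])?$")
FW_RE = re.compile(r'^"(?P<path>[^"]+)"=$')

# Locations anything running as the user can write to: XP profiles (including
# "All Users"), then the Vista-and-later equivalents, temp and recycle dirs.
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\users\\", "\\programdata\\",
                         "\\temp\\", "\\recycler\\")


@dataclass
class Entry:
    section: str
    name: str
    path: str
    when: Optional[date]


@dataclass
class Finding:
    entry: Entry
    reasons: List[str]


def parse_date(s: Optional[str]) -> Optional[date]:
    return date(*(int(p) for p in s.split("-"))) if s else None


def normalize(path: str) -> str:
    p = path.replace("\\\\", "\\")            # reg-export style doubled backslashes
    p = p.replace("%windir%", r"c:\windows")  # assumption: default XP install location
    return p.lower()


def is_user_writable(path: str) -> bool:
    return any(m in normalize(path) for m in USER_WRITABLE_MARKERS)


def parse_combofix(text: str) -> List[Entry]:
    """Collect autostart and firewall-exception entries, tagged with their section."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":           # ComboFix prints "." for blank lines
            continue
        m = SECTION_RE.match(line) or STARTUP_DIR_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None:
            continue
        if "authorizedapplications" in section.lower():
            m = FW_RE.match(line)
            if m:
                path = m.group("path")
                entries.append(Entry(section, path.rsplit("\\", 1)[-1], path, None))
            continue
        m = RUN_RE.match(line) or LNK_RE.match(line)
        if m:
            entries.append(Entry(section, m.group("name"), m.group("path"), parse_date(m.group("date"))))
    return entries


def triage_log(text: str, recent_since: Optional[str] = None) -> List[Finding]:
    """Return entries worth a second look; a hit is a prompt to verify, not a verdict."""
    since = parse_date(recent_since)
    findings = []
    for e in parse_combofix(text):
        reasons = []
        if is_user_writable(e.path):
            reasons.append("runs from a user-writable location")
        if since and e.when and e.when >= since:
            reasons.append(f"file dated {e.when.isoformat()}, on or after {since.isoformat()}")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG, recent_since="2012-01-20"):
        print(f"{f.entry.name:<16} {f.entry.path}\n    " + "; ".join(f.reasons))
```

Run as-is it reports the four constructed entries that sit under a profile directory; to use it on a real log, pass the file's text to `triage_log` together with the date the symptoms first appeared, then check each flagged file's publisher, hash and purpose by hand before deciding anything.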