TechSpot

UnHackMe Root Kit can't kick Control_RUNDLL RootKit

By radarrider
Mar 2, 2011
  1. Have an HP laptop that I restored to factory original from the second partition AFTER it was jacked. I installed updated virus scanners on a desktop and cleaned the laptop drive. Seemed to work, but had too many files damaged, so did HP factory recovery from D: partition. Installed Panda, Threatfire and AVG Internet Security. Still having the same problems with very slow boots, security errors and lock ups. Will not create a restore point. The original infection removed all the restore points. Seems to work in safe mode with networking okay.

    UnHackMe finds control_RunDll and some other files; I tell it to delete them. They aren't found on the reboot, and UnHackMe usually locks up. If I cancel out of UnHackMe, the PC will usually come on up.

    Vista 32-bit, 4 GB.
    Followed steps. Here are the logs:

    MalwareBytes:
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5937

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.19019

    3/2/2011 4:32:53 PM
    mbam-log-2011-03-02 (16-32-53).txt

    Scan type: Quick scan
    Objects scanned: 158163
    Time elapsed: 5 minute(s), 58 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    GMER log

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-03-02 15:39:43
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.0002
    Running: 053xeihi.exe; Driver: C:\Users\Dave\AppData\Local\Temp\uxryipod.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\tdx \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----


    Attach.txt:

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 2/26/2011 1:00:56 PM
    System Uptime: 3/2/2011 3:40:33 PM (3 hours ago)

    Motherboard: Quanta | | 361B
    Processor: Intel(R) Core(TM)2 Duo CPU P8600 @ 2.40GHz | CPU | 2401/1066mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 457 GiB total, 338.537 GiB free.
    D: is FIXED (NTFS) - 9 GiB total, 1.56 GiB free.
    E: is CDROM ()
    F: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    7-Zip 4.65
    Adobe Flash Player 10 Plugin
    Adobe Flash Player ActiveX
    Adobe Reader 8.1.2
    Adobe Shockwave Player
    AVG 2011
    Cards_Calendar_OrderGift_DoMorePlugout
    CyberLink DVD Suite
    CyberLink YouCam
    DigitalPersona Personal 4.11
    doPDF 6.2 printer
    ESU for Microsoft Vista
    Hewlett-Packard Active Check for Health Check
    Hewlett-Packard Asset Agent for Health Check
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Active Support Library
    HP Customer Experience Enhancements
    HP Doc Viewer
    HP Help and Support
    HP Integrated Module with Bluetooth wireless technology 6.0.1.6204
    HP MediaSmart DVD
    HP MediaSmart Music/Photo/Video
    HP MediaSmart SmartMenu
    HP MediaSmart TV
    HP Photosmart Essential 2.5
    HP Photosmart Essential 3.0
    HP Quick Launch Buttons 6.40 H2
    HP Smart Web Printing
    HP Total Care Advisor
    HP Update
    HP User Guides 0115
    HP Wireless Assistant
    HPNetworkAssistant
    HPPhotoSmartPhotobookWebPack1
    HPTCSSetup
    IDT Audio
    Intel® Matrix Storage Manager
    Java Auto Updater
    Java(TM) 6 Update 24
    Java(TM) 6 Update 6
    JMicron JMB38X Flash Media Controller
    LabelPrint
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 3.5 SP1
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox (3.6.14)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    muvee autoProducer 6.1
    NVIDIA Drivers
    Panda Cloud Antivirus
    Panda Identity Protect 3.0.44
    Panda Security Toolbar
    Panda Security URL Filtering
    PhotoNow!
    Power2Go
    PowerDirector
    ProtectSmart Hard Drive Protection
    PSSWCORE
    QuickPlay SlingPlayer 0.4.6
    Realtek 8169 8168 8101E 8102E Ethernet Driver
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Slingbox Flash Tour
    SlingPlayer
    Synaptics Pointing Device Driver
    ThreatFire
    UnHackMe 5.99 release
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Validity Sensors software
    VideoToolkit01
    VLC media player 1.1.7
    Windows Driver Package - ENE (enecir) HIDClass (04/29/2008 2.5.0.0)
    Yahoo! Toolbar

    ==== Event Viewer Messages From Past Week ========

    3/2/2011 3:36:31 PM, Error: disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.
    3/2/2011 2:51:49 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    3/2/2011 2:50:34 PM, Error: EventLog [6008] - The previous system shutdown at 2:42:16 PM on 3/2/2011 was unexpected.
    3/2/2011 2:50:09 PM, Error: volsnap [27] - The shadow copies of volume C: were aborted during detection because a critical control file could not be opened.
    3/2/2011 2:46:38 PM, Error: volsnap [14] - The shadow copies of volume C: were aborted because of an IO failure on volume C:.
    3/2/2011 2:40:25 PM, Error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
    3/2/2011 12:39:26 PM, Error: EventLog [6008] - The previous system shutdown at 12:09:14 PM on 3/2/2011 was unexpected.
    3/2/2011 12:04:35 PM, Error: EventLog [6008] - The previous system shutdown at 11:37:09 AM on 3/2/2011 was unexpected.
    3/2/2011 11:21:12 AM, Error: EventLog [6008] - The previous system shutdown at 11:15:29 AM on 3/2/2011 was unexpected.
    3/1/2011 9:36:41 AM, Error: EventLog [6008] - The previous system shutdown at 8:36:19 AM on 3/1/2011 was unexpected.
    3/1/2011 8:50:39 PM, Error: EventLog [6008] - The previous system shutdown at 7:53:12 PM on 3/1/2011 was unexpected.
    3/1/2011 7:51:15 PM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
    3/1/2011 7:51:15 PM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolume1.
    3/1/2011 7:47:26 PM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
    3/1/2011 7:46:44 PM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).
    3/1/2011 7:45:27 PM, Error: EventLog [6008] - The previous system shutdown at 10:23:28 AM on 3/1/2011 was unexpected.
    3/1/2011 7:31:39 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Eventlog service.
    3/1/2011 7:26:09 AM, Error: Service Control Manager [7034] - The Program Compatibility Assistant Service service terminated unexpectedly. It has done this 16 time(s).
    3/1/2011 7:26:09 AM, Error: Service Control Manager [7034] - The Network Connections service terminated unexpectedly. It has done this 14 time(s).
    3/1/2011 7:26:09 AM, Error: Service Control Manager [7031] - The WLAN AutoConfig service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    3/1/2011 7:26:09 AM, Error: Service Control Manager [7031] - The Windows Audio Endpoint Builder service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    3/1/2011 7:26:04 AM, Error: Service Control Manager [7034] - The KtmRm for Distributed Transaction Coordinator service terminated unexpectedly. It has done this 3 time(s).
    3/1/2011 7:26:04 AM, Error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 3 time(s).
    3/1/2011 7:26:04 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 6 time(s).
    3/1/2011 7:22:54 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the PlugPlay service.
    3/1/2011 10:07:33 AM, Error: EventLog [6008] - The previous system shutdown at 9:44:25 AM on 3/1/2011 was unexpected.
    2/28/2011 11:58:32 PM, Error: Service Control Manager [7034] - The Windows Firewall service terminated unexpectedly. It has done this 3 time(s).
    2/28/2011 11:58:32 PM, Error: Service Control Manager [7034] - The Diagnostic Policy Service service terminated unexpectedly. It has done this 3 time(s).
    2/28/2011 11:58:32 PM, Error: Service Control Manager [7034] - The Base Filtering Engine service terminated unexpectedly. It has done this 3 time(s).
    2/28/2011 11:57:48 PM, Error: Service Control Manager [7034] - The Program Compatibility Assistant Service service terminated unexpectedly. It has done this 15 time(s).
    2/28/2011 11:57:48 PM, Error: Service Control Manager [7034] - The Network Connections service terminated unexpectedly. It has done this 13 time(s).
    2/28/2011 11:57:48 PM, Error: Service Control Manager [7034] - The Diagnostic System Host service terminated unexpectedly. It has done this 7 time(s).
    2/28/2011 11:56:35 PM, Error: Service Control Manager [7034] - The Program Compatibility Assistant Service service terminated unexpectedly. It has done this 14 time(s).
    2/28/2011 11:56:35 PM, Error: Service Control Manager [7034] - The Network Connections service terminated unexpectedly. It has done this 12 time(s).
    2/28/2011 11:56:14 PM, Error: Service Control Manager [7034] - The Program Compatibility Assistant Service service terminated unexpectedly. It has done this 13 time(s).
    2/28/2011 11:54:55 PM, Error: Service Control Manager [7034] - The Program Compatibility Assistant Service service terminated unexpectedly. It has done this 12 time(s).
    2/28/2011 11:54:55 PM, Error: Service Control Manager [7034] - The Network Connections service terminated unexpectedly. It has done this 11 time(s).
    2/28/2011 11:54:55 PM, Error: Service Control Manager [7031] - The WLAN AutoConfig service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
    2/28/2011 11:47:14 PM, Error: Service Control Manager [7034] - The Program Compatibility Assistant Service service terminated unexpectedly. It has done this 9 time(s).
    2/28/2011 11:47:14 PM, Error: Service Control Manager [7034] - The Network Connections service terminated unexpectedly. It has done this 8 time(s).
    2/28/2011 11:47:14 PM, Error: Service Control Manager [7034] - The Diagnostic System Host service terminated unexpectedly. It has done this 4 time(s).
    2/28/2011 11:44:32 PM, Error: Service Control Manager [7034] - The Program Compatibility Assistant Service service terminated unexpectedly. It has done this 8 time(s).
    2/28/2011 11:44:32 PM, Error: Service Control Manager [7034] - The Network Connections service terminated unexpectedly. It has done this 7 time(s).
    2/28/2011 11:44:32 PM, Error: Service Control Manager [7034] - The Diagnostic System Host service terminated unexpectedly. It has done this 3 time(s).
    2/28/2011 11:42:10 PM, Error: Service Control Manager [7034] - The Windows Driver Foundation - User-mode Driver Framework service terminated unexpectedly. It has done this 3 time(s).
    2/28/2011 11:42:10 PM, Error: Service Control Manager [7034] - The Tablet PC Input Service service terminated unexpectedly. It has done this 3 time(s).
    2/28/2011 11:42:10 PM, Error: Service Control Manager [7034] - The Program Compatibility Assistant Service service terminated unexpectedly. It has done this 7 time(s).
    2/28/2011 11:42:10 PM, Error: Service Control Manager [7034] - The Portable Device Enumerator Service service terminated unexpectedly. It has done this 3 time(s).
    2/28/2011 11:42:10 PM, Error: Service Control Manager [7034] - The Network Connections service terminated unexpectedly. It has done this 6 time(s).
    2/28/2011 11:42:10 PM, Error: Service Control Manager [7034] - The Human Interface Device Access service terminated unexpectedly. It has done this 3 time(s).
    2/28/2011 11:42:10 PM, Error: Service Control Manager [7034] - The Distributed Link Tracking Client service terminated unexpectedly. It has done this 3 time(s).
    2/28/2011 11:42:10 PM, Error: Service Control Manager [7034] - The Diagnostic System Host service terminated unexpectedly. It has done this 2 time(s).
    2/28/2011 11:42:10 PM, Error: Service Control Manager [7034] - The Desktop Window Manager Session Manager service terminated unexpectedly. It has done this 3 time(s).
    2/28/2011 11:40:23 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Telephony service, but this action failed with the following error: An instance of the service is already running.
    2/28/2011 11:35:46 PM, Error: Service Control Manager [7034] - The Superfetch service terminated unexpectedly. It has done this 3 time(s).
    2/28/2011 11:35:46 PM, Error: Service Control Manager [7034] - The ReadyBoost service terminated unexpectedly. It has done this 3 time(s).
    2/28/2011 11:35:46 PM, Error: Service Control Manager [7034] - The Program Compatibility Assistant Service service terminated unexpectedly. It has done this 6 time(s).
    2/28/2011 11:35:46 PM, Error: Service Control Manager [7034] - The Network Connections service terminated unexpectedly. It has done this 5 time(s).
    2/28/2011 11:35:46 PM, Error: Service Control Manager [7034] - The Diagnostic System Host service terminated unexpectedly. It has done this 1 time(s).
    2/28/2011 11:35:46 PM, Error: Service Control Manager [7031] - The Windows Driver Foundation - User-mode Driver Framework service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
    2/28/2011 11:35:46 PM, Error: Service Control Manager [7031] - The Portable Device Enumerator Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
    2/28/2011 11:35:46 PM, Error: Service Control Manager [7031] - The Human Interface Device Access service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
    2/28/2011 11:35:46 PM, Error: Service Control Manager [7031] - The Distributed Link Tracking Client service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
    2/28/2011 11:35:46 PM, Error: Service Control Manager [7031] - The Desktop Window Manager Session Manager service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
    2/28/2011 11:35:32 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Audio Endpoint Builder service, but this action failed with the following error: An instance of the service is already running.
    2/28/2011 11:35:26 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 3 time(s).
    2/28/2011 11:35:26 PM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 4 time(s).
    2/28/2011 11:35:26 PM, Error: Service Control Manager [7031] - The Telephony service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
    2/28/2011 11:35:26 PM, Error: Service Control Manager [7031] - The KtmRm for Distributed Transaction Coordinator service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
    2/28/2011 11:35:01 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Base Filtering Engine service, but this action failed with the following error: An instance of the service is already running.
    2/28/2011 11:34:58 PM, Error: Service Control Manager [7034] - The Program Compatibility Assistant Service service terminated unexpectedly. It has done this 5 time(s).
    2/28/2011 11:34:58 PM, Error: Service Control Manager [7034] - The Network Location Awareness service terminated unexpectedly. It has done this 3 time(s).
    2/28/2011 11:34:58 PM, Error: Service Control Manager [7034] - The Network Connections service terminated unexpectedly. It has done this 4 time(s).
    2/28/2011 11:34:58 PM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 3 time(s).
    2/28/2011 11:34:58 PM, Error: Service Control Manager [7031] - The Terminal Services service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/28/2011 11:34:32 PM, Error: Service Control Manager [7034] - The Program Compatibility Assistant Service service terminated unexpectedly. It has done this 4 time(s).
    2/28/2011 11:34:32 PM, Error: Service Control Manager [7034] - The Network Connections service terminated unexpectedly. It has done this 3 time(s).
    2/28/2011 11:34:32 PM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 2 time(s).
    2/28/2011 11:34:32 PM, Error: Service Control Manager [7031] - The Telephony service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    2/28/2011 11:34:32 PM, Error: Service Control Manager [7031] - The Tablet PC Input Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    2/28/2011 11:34:32 PM, Error: Service Control Manager [7031] - The Superfetch service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/28/2011 11:34:32 PM, Error: Service Control Manager [7031] - The ReadyBoost service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/28/2011 11:34:32 PM, Error: Service Control Manager [7031] - The Network Location Awareness service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
    2/28/2011 11:34:09 PM, Error: Service Control Manager [7034] - The Program Compatibility Assistant Service service terminated unexpectedly. It has done this 3 time(s).
    2/28/2011 11:34:09 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Network Connections service, but this action failed with the following error: An instance of the service is already running.
    2/28/2011 11:34:09 PM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
    2/28/2011 11:34:09 PM, Error: Service Control Manager [7031] - The Network Connections service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
    2/28/2011 11:34:09 PM, Error: Service Control Manager [7001] - The Windows Audio service depends on the Windows Audio Endpoint Builder service which failed to start because of the following error: The operation completed successfully.
    2/28/2011 11:32:15 PM, Error: Service Control Manager [7022] - The Panda Cloud Antivirus Service service hung on starting.
    2/28/2011 11:32:14 PM, Error: Service Control Manager [7022] - The AVGIDSAgent service hung on starting.
    2/28/2011 11:26:08 PM, Error: EventLog [6008] - The previous system shutdown at 11:16:52 PM on 2/28/2011 was unexpected.
    2/28/2011 1:36:27 PM, Error: Service Control Manager [7030] - The Panda Cloud Antivirus Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    2/27/2011 9:23:58 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80240016: Synaptics - Input - Synaptics PS/2 Port TouchPad.
    2/27/2011 6:27:32 PM, Error: Microsoft-Windows-Service Pack Installer [6] - The Service Pack cannot be installed when the computer is running on battery power.
    2/27/2011 5:03:17 PM, Error: Service Control Manager [7030] - The ThreatFire service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

    ==== End Of File ===========================

    DDS.txt in next post
     
  2. radarrider

    DDS.txt:

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Dave at 17:48:14.19 on Wed 03/02/2011
    Internet Explorer: 8.0.6001.19019
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3038.930 [GMT -6:00]

    AV: AVG Internet Security 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    AV: Panda Cloud Antivirus *Enabled/Updated* {86971480-9989-6750-B122-681A86518D59}
    SP: AVG Internet Security 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Panda Cloud Antivirus *Enabled/Updated* {3DF6F564-BFB3-68DE-8B92-5368FDD6C7E4}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    FW: AVG Firewall *Enabled* {621CC794-9486-F902-D092-0484E8EA828B}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_e2247046\STacSV.exe
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\Hpservice.exe
    C:\Windows\system32\rundll32.exe
    C:\Windows\system32\vfsFPService.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\DigitalPersona\Bin\DpHostW.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskeng.exe
    C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_e2247046\aestsrv.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
    C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
    C:\Windows\SMINST\BLService.exe
    C:\Program Files\Cyberlink\Shared files\RichVideo.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\ThreatFire\TFService.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\UnHackMe\hackmon.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files\Hewlett-Packard\Media\DVD\DVDAgent.exe
    C:\Program Files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
    C:\Program Files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
    C:\Program Files\Hewlett-Packard\Media\TV\TVAgent.exe
    C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\DigitalPersona\Bin\DpAgent.exe
    C:\Program Files\ThreatFire\TFTray.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\IDT\WDM\sttray.exe
    C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
    C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filtering.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
    C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Windows\System32\wsqmcons.exe
    C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Program Files\AVG\AVG10\avgemcx.exe
    C:\Program Files\AVG\AVG10\avgnsx.exe
    C:\Program Files\AVG\AVG10\avgchsvx.exe
    C:\Program Files\AVG\AVG10\avgrsx.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\Program Files\AVG\AVG10\avgam.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\Program Files\AVG\AVG10\avgfws.exe
    C:\Windows\system32\NOTEPAD.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\svchost.exe -k WindowsMobile
    C:\Windows\WindowsMobile\WmdSync.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\explorer.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\Dave\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cnnb
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cnnb
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cnnb
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cnnb
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: DigitalPersona Personal Extension: {395610ae-c624-4f58-b89e-23733ea00f9a} - c:\program files\digitalpersona\bin\DpOtsPluginIe8.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll
    mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\2.0"
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
    mRun: [hpqSRMon]
    mRun: [DVDAgent] "c:\program files\hewlett-packard\media\dvd\DVDAgent.exe"
    mRun: [TSMAgent] "c:\program files\hewlett-packard\touchsmart\media\TSMAgent.exe"
    mRun: [CLMLServer for HP TouchSmart] "c:\program files\hewlett-packard\touchsmart\media\kernel\clml\CLMLSvc.exe"
    mRun: [TVAgent] "c:\program files\hewlett-packard\media\tv\TVAgent.exe"
    mRun: [SmartMenu] %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
    mRun: [DpAgent] c:\program files\digitalpersona\bin\dpagent.exe
    mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
    mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
    mRun: [Panda Security URL Filtering] "c:\programdata\panda security url filtering\Panda_URL_Filtering.exe"
    mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    LSA: Notification Packages = scecli DPPWDFLT

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\dave\appdata\roaming\mozilla\firefox\profiles\uqdpcows.default\
    FF - prefs.js: browser.startup.homepage - www.google.com/mail
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=PCAFSI1143&p=
    FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
    FF - component: c:\program files\digitalpersona\bin\firefoxext\components\dpffcli.dll
    FF - component: c:\program files\panda security\panda id protect\firefox\components\FFKeypad.dll
    FF - component: c:\users\dave\appdata\roaming\mozilla\firefox\profiles\uqdpcows.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\winnt_x86-msvc\components\WeaveCrypto.dll
    FF - component: c:\users\dave\appdata\roaming\mozilla\firefox\profiles\uqdpcows.default\extensions\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}\components\dtTransparency.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: DigitalPersona Extension: otis@digitalpersona.com - c:\program files\digitalpersona\bin\FirefoxExt
    FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
    FF - Ext: Panda Identity Protect: widgetruntime@surfsecret.com - c:\program files\panda security\panda id protect\Firefox
    FF - Ext: DigitalPersona Extension: otis@digitalpersona.com - c:\program files\digitalpersona\bin\firefoxext
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: AddonFox: {ad48108d-92a6-4eb9-87e4-978aca1dbae4} - %profile%\extensions\{ad48108d-92a6-4eb9-87e4-978aca1dbae4}
    FF - Ext: Firefox Sync: {340c2bbc-ce74-4362-90b5-7c26312808ef} - %profile%\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}
    FF - Ext: Panda Security Toolbar: {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - %profile%\extensions\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}

    ============= SERVICES / DRIVERS ===============

    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
    R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2011-2-27 51984]
    R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2011-2-27 69392]
    R1 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwd6x.sys [2010-7-12 54112]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
    R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2010-12-16 126536]
    R2 {55662437-DA8C-40c0-AADA-2C816A897A49};{55662437-DA8C-40c0-AADA-2C816A897A49};c:\program files\hewlett-packard\media\dvd\000.fcl [2008-7-23 59376]
    R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_e2247046\AEstSrv.exe [2009-3-2 81920]
    R2 avgfws;AVG Firewall;c:\program files\avg\avg10\avgfws.exe [2010-11-22 3226632]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
    R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2008-3-18 26168]
    R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2010-12-16 140608]
    R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2010-12-16 141384]
    R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2010-12-16 99400]
    R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2010-12-16 111176]
    R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2010-12-16 113736]
    R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\sminst\BLService.exe [2008-8-31 361808]
    R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
    R2 vfsFPService;Validity Fingerprint Service;c:\windows\system32\vfsFPService.exe [2008-5-26 599344]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 123472]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 30288]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 27216]
    R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-8-31 193840]
    R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2008-4-28 54784]
    R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2008-7-7 96856]
    R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-6-25 44064]
    R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2011-2-27 33552]
    R3 vfs101x;vfs101x;c:\windows\system32\drivers\vfs101x.sys [2008-5-26 40752]
    S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2011-2-28 35816]
    S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2011-2-28 24416]

    =============== Created Last 30 ================

    2011-03-02 21:03:43 -------- d-----w- c:\users\dave\appdata\roaming\Malwarebytes
    2011-03-02 21:03:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-02 21:03:06 -------- d-----w- c:\progra~2\Malwarebytes
    2011-03-02 21:03:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-02 21:03:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-01 13:37:26 -------- d-sh--w- C:\found.000
    2011-03-01 13:25:21 -------- d-sh--r- C:\comment.htt
    2011-03-01 05:43:47 -------- d-----w- C:\Backreg
    2011-03-01 05:41:46 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
    2011-03-01 04:15:55 37600 ----a-w- c:\windows\system32\Partizan.exe
    2011-03-01 04:15:55 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys
    2011-03-01 04:15:46 2 --shatr- c:\windows\winstart.bat
    2011-03-01 04:15:35 12808 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
    2011-03-01 04:15:32 -------- d-----w- c:\program files\UnHackMe
    2011-02-28 19:48:07 -------- d-----w- c:\users\dave\appdata\roaming\Panda Security
    2011-02-28 19:37:30 -------- d-----w- c:\users\dave\appdata\roaming\SurfSecret Privacy Suite
    2011-02-28 19:37:06 -------- d-----w- c:\users\dave\appdata\local\panda2_0dn
    2011-02-28 19:36:58 -------- d-----w- c:\progra~2\Panda Security URL Filtering
    2011-02-28 19:36:08 -------- d-----w- c:\program files\Panda Security
    2011-02-28 19:36:08 -------- d-----w- c:\progra~2\Panda Security
    2011-02-28 19:26:28 -------- d-----w- c:\users\dave\appdata\local\Adobe
    2011-02-28 19:23:39 -------- d-----w- C:\temp downloads
    2011-02-28 18:06:03 -------- d--h--w- C:\$AVG
    2011-02-28 04:22:04 445008 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
    2011-02-28 04:22:04 38480 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
    2011-02-28 04:17:34 -------- d-----w- c:\program files\Windows Portable Devices
    2011-02-28 03:29:19 92672 ----a-w- c:\windows\system32\UIAnimation.dll
    2011-02-28 03:29:18 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
    2011-02-28 03:29:18 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
    2011-02-28 03:29:01 369664 ----a-w- c:\windows\system32\WMPhoto.dll
    2011-02-28 03:29:00 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
    2011-02-28 03:29:00 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
    2011-02-28 03:29:00 252928 ----a-w- c:\windows\system32\dxdiag.exe
    2011-02-28 03:29:00 195584 ----a-w- c:\windows\system32\dxdiagn.dll
    2011-02-28 03:29:00 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
    2011-02-28 03:27:59 4096 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-02-28 03:27:58 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
    2011-02-28 03:27:58 234496 ----a-w- c:\windows\system32\oleacc.dll
    2011-02-28 03:27:18 -------- d-----w- c:\progra~2\NVIDIA Corporation
    2011-02-28 03:24:14 -------- d-----w- c:\program files\NVIDIA Corporation
    2011-02-28 03:21:35 -------- d-----w- c:\windows\system32\SRSLabs
    2011-02-28 02:42:13 231424 ----a-w- c:\windows\system32\msshsq.dll
    2011-02-28 02:24:43 -------- d-----w- c:\users\dave\appdata\roaming\AVG10
    2011-02-28 02:18:45 -------- d--h--w- c:\progra~2\Common Files
    2011-02-28 02:18:42 -------- d-----w- c:\program files\VideoLAN
    2011-02-28 02:13:59 -------- d-----w- c:\windows\system32\drivers\AVG
    2011-02-28 02:13:59 -------- d-----w- c:\progra~2\AVG10
    2011-02-28 02:12:11 -------- d-----w- c:\program files\AVG
    2011-02-28 02:07:50 -------- d-----w- c:\program files\Amazon
    2011-02-28 00:43:23 -------- d-----w- c:\windows\system32\eu-ES
    2011-02-28 00:43:23 -------- d-----w- c:\windows\system32\ca-ES
    2011-02-28 00:43:15 -------- d-----w- c:\windows\system32\vi-VN
    2011-02-28 00:27:04 -------- d-----w- c:\windows\system32\EventProviders
    2011-02-27 23:03:59 524288 ----a-w- c:\windows\system32\sqlsrv32.dll
    2011-02-27 23:02:59 99328 ----a-w- c:\program files\windows media player\wmpband.dll
    2011-02-27 22:59:42 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
    2011-02-27 22:59:42 49472 ----a-w- c:\windows\system32\netfxperf.dll
    2011-02-27 22:59:42 297808 ----a-w- c:\windows\system32\mscoree.dll
    2011-02-27 22:59:42 295264 ----a-w- c:\windows\system32\PresentationHost.exe
    2011-02-27 22:59:42 1130824 ----a-w- c:\windows\system32\dfshim.dll
    2011-02-27 22:45:15 20648 ----a-w- c:\windows\system32\dopdfmn6.dll
    2011-02-27 22:45:15 18088 ----a-w- c:\windows\system32\dopdfmi6.dll
    2011-02-27 22:45:14 -------- d-----w- c:\program files\Softland
    2011-02-27 18:10:38 -------- d--h--w- C:\system16
    2011-02-27 17:17:10 -------- d-----w- C:\_files
    2011-02-27 17:14:48 -------- d-----w- C:\Admin
    2011-02-27 14:24:18 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-27 13:52:00 -------- d-----w- c:\windows\system32\tr
    2011-02-27 13:52:00 -------- d-----w- c:\windows\system32\sv
    2011-02-27 13:52:00 -------- d-----w- c:\windows\system32\ru
    2011-02-27 13:52:00 -------- d-----w- c:\windows\system32\no
    2011-02-27 13:52:00 -------- d-----w- c:\windows\system32\da
    2011-02-27 13:51:58 -------- d-----w- c:\windows\system32\ko
    2011-02-27 13:51:58 -------- d-----w- c:\windows\system32\ja
    2011-02-27 13:51:58 -------- d-----w- c:\windows\system32\it
    2011-02-27 13:51:58 -------- d-----w- c:\windows\system32\fr
    2011-02-27 13:51:58 -------- d-----w- c:\windows\system32\es
    2011-02-27 13:51:58 -------- d-----w- c:\windows\system32\de
    2011-02-27 13:51:55 -------- d-----w- c:\windows\DPDrv
    2011-02-27 13:48:03 -------- d-----w- c:\progra~2\Downloaded Installations
    2011-02-27 13:47:24 125952 ----a-w- c:\windows\system32\srvsvc.dll
    2011-02-27 13:47:23 304128 ----a-w- c:\windows\system32\drivers\srv.sys
    2011-02-27 13:47:23 17920 ----a-w- c:\windows\system32\netevent.dll
    2011-02-27 13:47:23 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
    2011-02-27 13:47:23 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2011-02-27 13:47:17 420352 ----a-w- c:\windows\system32\vbscript.dll
    2011-02-27 13:47:16 377344 ----a-w- c:\windows\system32\winhttp.dll
    2011-02-27 13:46:51 739328 ----a-w- c:\windows\system32\inetcomm.dll
    2011-02-27 13:43:02 -------- d-----w- c:\users\dave\appdata\roaming\Macrovision
    2011-02-27 13:42:02 -------- d-----w- c:\users\dave\appdata\roaming\DigitalPersona
    2011-02-27 13:42:02 -------- d-----w- c:\users\dave\appdata\local\DigitalPersona
    2011-02-27 13:42:00 -------- d-----w- c:\users\dave\appdata\roaming\Symantec
    2011-02-27 01:19:53 18904 ----a-w- c:\windows\system32\StructuredQuerySchemaTrivial.bin
    2011-02-27 01:17:05 2048 ----a-w- c:\windows\system32\winrsmgr.dll
    2011-02-27 01:17:00 40448 ----a-w- c:\windows\system32\winrs.exe
    2011-02-27 01:17:00 20480 ----a-w- c:\windows\system32\winrshost.exe
    2011-02-27 01:17:00 12800 ----a-w- c:\windows\system32\wsmprovhost.exe
    2011-02-27 01:15:20 310784 ----a-w- c:\windows\system32\unregmp2.exe
    2011-02-27 01:15:20 1418752 ----a-w- c:\program files\windows media player\setup_wm.exe
    2011-02-27 01:15:00 714240 ----a-w- c:\windows\system32\timedate.cpl
    2011-02-27 01:14:58 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
    2011-02-27 01:14:58 518144 ----a-w- c:\windows\system32\RMActivate.exe
    2011-02-27 01:14:57 471552 ----a-w- c:\windows\system32\secproc_isv.dll
    2011-02-27 01:14:57 471552 ----a-w- c:\windows\system32\secproc.dll
    2011-02-27 01:14:57 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
    2011-02-27 01:14:57 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
    2011-02-27 01:14:57 332288 ----a-w- c:\windows\system32\msdrm.dll
    2011-02-27 01:14:56 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
    2011-02-27 01:14:56 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
    2011-02-27 01:14:53 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2011-02-27 01:14:53 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2011-02-27 01:14:53 1696256 ----a-w- c:\windows\system32\gameux.dll
    2011-02-26 19:56:54 7680 ----a-w- c:\program files\internet explorer\iecompat.dll
    2011-02-26 19:32:07 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2011-02-26 19:32:05 411648 ----a-w- c:\windows\system32\drivers\http.sys
    2011-02-26 19:32:04 30720 ----a-w- c:\windows\system32\httpapi.dll
    2011-02-26 19:31:20 -------- d-----w- c:\program files\MSXML 4.0
    2011-02-26 19:27:57 2039808 ----a-w- c:\windows\system32\win32k.sys
    2011-02-26 19:27:54 274944 ----a-w- c:\windows\system32\schannel.dll
    2011-02-26 19:27:52 1616384 ----a-w- c:\program files\windows mail\msoe.dll
    2011-02-26 19:27:49 67072 ----a-w- c:\windows\system32\asycfilt.dll
    2011-02-26 19:27:47 502272 ----a-w- c:\windows\system32\usp10.dll
    2011-02-26 19:27:46 66048 ----a-w- c:\program files\windows mail\wabmig.exe
    2011-02-26 19:27:46 515584 ----a-w- c:\program files\windows mail\wab.exe
    2011-02-26 19:27:46 33280 ----a-w- c:\program files\windows mail\wabfind.dll
    2011-02-26 19:27:44 1316864 ----a-w- c:\windows\system32\ole32.dll
    2011-02-26 19:27:43 339968 ----a-w- c:\program files\windows nt\accessories\wordpad.exe
    2011-02-26 19:24:31 160256 ----a-w- c:\windows\system32\wkssvc.dll
    2011-02-26 19:24:28 128000 ----a-w- c:\windows\system32\spoolsv.exe
    2011-02-26 19:24:02 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
    2011-02-26 19:22:51 31744 ----a-w- c:\windows\system32\msvidc32.dll
    2011-02-26 19:21:56 243712 ----a-w- c:\windows\system32\rastls.dll
    2011-02-26 19:18:39 -------- d-----w- c:\program files\DigitalPersona
    2011-02-26 19:18:28 2730536 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\backup\mpengine.dll
    2011-02-26 19:18:25 5943120 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{95139aea-7654-4ba4-98f6-0c35086b5942}\mpengine.dll
    2011-02-26 19:18:21 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-02-26 19:17:19 -------- d-----w- c:\windows\system32\ENU
    2011-02-26 19:17:18 319456 ----a-w- c:\windows\system32\difxapi.dll
    2011-02-26 19:17:18 1034776 ----a-w- c:\windows\system32\imsmudlg.exe
    2011-02-26 19:17:18 -------- d-----w- c:\windows\system32\Lang
    2011-02-26 19:17:13 312344 ----a-w- c:\windows\system32\drivers\iaStor.sys
    2011-02-26 19:17:13 -------- d-----w- C:\Intel
    2011-02-26 19:15:17 172032 ----a-w- c:\windows\system32\wintrust.dll
    2011-02-26 19:14:57 98304 ----a-w- c:\windows\system32\cabview.dll
    2011-02-26 19:12:18 81960 ----a-w- c:\windows\system32\drivers\btwavdt.sys
    2011-02-26 19:12:18 80424 ----a-w- c:\windows\system32\drivers\btwaudio.sys
    2011-02-26 19:12:18 16168 ----a-w- c:\windows\system32\drivers\btwrchid.sys
    2011-02-26 19:12:12 233472 ----a-w- c:\windows\system32\BtwRSupport.dll
    2011-02-26 19:12:08 -------- d-----w- c:\windows\system32\es-MX
    2011-02-26 19:12:08 -------- d-----w- c:\windows\system32\es-AR
    2011-02-26 19:12:05 -------- d-----w- c:\program files\WIDCOMM
    2011-02-26 19:11:02 -------- d-----w- c:\windows\system32\HPMDP
    2011-02-26 19:09:48 53248 ----a-w- c:\windows\system32\CSVer.dll
    2011-02-26 19:08:59 663552 ----a-w- c:\windows\system32\NETw5c32.dll
    2011-02-26 19:08:29 9728 ----a-w- c:\windows\system32\RtNicProp32.dll
    2011-02-26 19:08:28 -------- d-----w- c:\program files\Realtek
    2011-02-26 19:08:06 61440 ----a-w- c:\windows\system32\aestaren.dll
    2011-02-26 19:08:06 372736 ----a-w- c:\windows\system32\aestecap.dll
    2011-02-26 19:08:06 152064 ----a-w- c:\windows\system32\HPToneCtrls32.dll
    2011-02-26 19:08:06 138240 ----a-w- c:\windows\system32\aestacap.dll
    2011-02-26 19:08:04 86016 ----a-w- c:\windows\system32\AESTCom.dll
    2011-02-26 19:08:04 536576 ----a-w- c:\windows\system32\idtmini1.exe
    2011-02-26 19:08:04 458844 ----a-w- c:\windows\sttray.exe
    2011-02-26 19:08:04 3600384 ----a-w- c:\windows\system32\stlang.dll
    2011-02-26 19:08:04 12030044 ----a-w- c:\windows\system32\idtcpl.cpl
    2011-02-26 19:07:30 175616 ----a-w- c:\windows\system32\staco.dll
    2011-02-26 19:07:16 915456 ----a-w- c:\windows\system32\stapo.dll
    2011-02-26 19:07:15 490496 ----a-w- c:\windows\system32\stapi32.dll
    2011-02-26 19:05:55 110080 ----a-w- c:\windows\system32\JmCrIcon.dll
    2011-02-26 19:05:55 -------- d-----w- c:\windows\JMCR_DIR
    2011-02-26 19:05:27 -------- d-----w- c:\program files\Synaptics
    2011-02-26 19:04:48 768544 ----a-w- c:\windows\system32\nvcplui.exe
    2011-02-26 19:04:48 420384 ----a-w- c:\windows\system32\nvcpl.cpl
    2011-02-26 19:04:48 313888 ----a-w- c:\windows\system32\nvexpbar.dll
    2011-02-26 19:04:48 1079840 ----a-w- c:\windows\system32\nvcpluir.dll
    2011-02-26 19:03:58 453152 ----a-w- c:\windows\system32\NVUNINST.EXE

    ==================== Find3M ====================

    2011-02-26 19:06:13 125 ----a-w- c:\windows\xUninstall.bat
    2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
    2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
    2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
    2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
    2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
    2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
    2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
    2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
    2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
    2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
    2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
    2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
    2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
    2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
    2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
    2011-01-20 14:24:32 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
    2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
    2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
    2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
    2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
    2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
    2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
    2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
    2011-01-20 13:44:05 1068544 ----a-w- c:\windows\system32\DWrite.dll
    2011-01-20 13:44:03 797184 ----a-w- c:\windows\system32\FntCache.dll
    2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-28 15:55:03 413696 ----a-w- c:\windows\system32\odbc32.dll
    2010-12-18 06:27:04 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-18 06:22:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-18 06:22:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-12-18 06:22:11 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-12-18 06:22:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-12-18 05:25:26 385024 ----a-w- c:\windows\system32\html.iec
    2010-12-18 04:48:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-12-18 04:47:11 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2010-12-17 00:39:53 365888 ----a-w- c:\windows\system32\PSUNCpl.cpl
    2010-12-14 14:49:23 1169408 ----a-w- c:\windows\system32\sdclt.exe

    ============= FINISH: 18:24:51.30 ===============

    Thanks for the help-RR
     
  3. Broni

    Broni Malware Annihilator Posts: 47,172   +264

    Welcome aboard

    First of all, I'm not sure how a fresh Windows installation can already be infected.
    Do you have any indication your computer IS infected?

    Secondly, you're running two AV programs, Panda and AVG.
    One of them has to go.
    If AVG, make sure to use this tool to uninstall it: http://www.avg.com/us-en/download-tools
     
  4. radarrider

    radarrider TS Rookie Topic Starter

    Hi,

    Thanks for the welcome. It may not be a clean install, but a recovery from an HP-created partition.

    I didn't repartition the drive. When I do an HP system restore it's starting from the same MBR; I choose from the menu to restore. The boot manager directs to the D: partition and fires up some installer that puts factory Vista on the computer without an up-to-date virus scanner or firewall. The laptop keeps having security and reliability issues that didn't show up until I did get a verified virus. I thought I got rid of the virus, but a friend says my emails have virus-infected attachments. I stored data on an old desktop that I put back on via Windows copy. Who knows if I really killed a root kit or if it didn't get reinfected when I connected to the internet for updates.

    The UnHackMe program is finding footprints of known malware/rootkits.

    I'll drop the panda. AVG is full Internet Security package.

    I just ran Black Light, found nothing
     
  5. Broni

    Broni Malware Annihilator Posts: 47,172   +264

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    ==================================================================

    Please download Rootkit Unhooker from one of the following links and save it to your desktop.
    In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

    • Double-click on RKUnhookerLE.exe to start the program.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • Click the Report tab, then click Scan.
    • Check Drivers, Stealth, and uncheck the rest.
    • Click OK.
    • Wait until it's finished and then go to File > Save Report.
    • Save the report to your Desktop.
    • Copy and paste the contents of the report into your next reply.
    -- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".
     
  6. radarrider

    radarrider TS Rookie Topic Starter



    • MBR file:MBRCheck, version 1.2.3
      (c) 2010, AD

      Command-line:
      Windows Version: Windows Vista Home Premium Edition
      Windows Information: Service Pack 2 (build 6002), 32-bit
      Base Board Manufacturer: Quanta
      BIOS Manufacturer: Hewlett-Packard
      System Manufacturer: Hewlett-Packard
      System Product Name: HP HDX 16 Notebook PC
      Logical Drives Mask: 0x0000003c

      Kernel Drivers (total 221):
      0x81E0F000 \SystemRoot\system32\ntkrnlpa.exe
      0x821C9000 \SystemRoot\system32\hal.dll
      0x80400000 \SystemRoot\system32\kdcom.dll
      0x80407000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
      0x80477000 \SystemRoot\system32\PSHED.dll
      0x80488000 \SystemRoot\system32\BOOTVID.dll
      0x80490000 \SystemRoot\system32\CLFS.SYS
      0x804D1000 \SystemRoot\system32\CI.dll
      0x8060E000 \SystemRoot\system32\drivers\Wdf01000.sys
      0x8067F000 \SystemRoot\system32\drivers\WDFLDR.SYS
      0x8068D000 \SystemRoot\system32\drivers\acpi.sys
      0x806D3000 \SystemRoot\system32\drivers\WMILIB.SYS
      0x806DC000 \SystemRoot\system32\drivers\Partizan.sys
      0x806E4000 \SystemRoot\system32\drivers\msisadrv.sys
      0x806EC000 \SystemRoot\system32\drivers\pci.sys
      0x80713000 \SystemRoot\system32\drivers\isapnp.sys
      0x80722000 \SystemRoot\system32\drivers\mpio.sys
      0x8073E000 \SystemRoot\System32\drivers\partmgr.sys
      0x8074D000 \SystemRoot\system32\DRIVERS\compbatt.sys
      0x80750000 \SystemRoot\system32\DRIVERS\BATTC.SYS
      0x8075A000 \SystemRoot\system32\drivers\volmgr.sys
      0x80769000 \SystemRoot\System32\drivers\volmgrx.sys
      0x807B3000 \SystemRoot\system32\drivers\intelide.sys
      0x807BA000 \SystemRoot\system32\drivers\PCIIDEX.SYS
      0x807C8000 \SystemRoot\system32\drivers\aliide.sys
      0x807CF000 \SystemRoot\system32\drivers\amdide.sys
      0x807D6000 \SystemRoot\system32\drivers\cmdide.sys
      0x807DE000 \SystemRoot\System32\drivers\mountmgr.sys
      0x805B1000 \SystemRoot\system32\drivers\msdsm.sys
      0x805CB000 \SystemRoot\system32\drivers\nvraid.sys
      0x82801000 \SystemRoot\system32\drivers\CLASSPNP.SYS
      0x82822000 \SystemRoot\system32\drivers\pciide.sys
      0x82829000 \SystemRoot\system32\drivers\viaide.sys
      0x82831000 \SystemRoot\system32\drivers\iastorv.sys
      0x828D2000 \SystemRoot\system32\DRIVERS\iaStor.sys
      0x829A0000 \SystemRoot\system32\drivers\atapi.sys
      0x829A8000 \SystemRoot\system32\drivers\ataport.SYS
      0x829C6000 \SystemRoot\system32\drivers\lsi_scsi.sys
      0x82A03000 \SystemRoot\system32\drivers\storport.sys
      0x82A44000 \SystemRoot\system32\drivers\msahci.sys
      0x82A4E000 \SystemRoot\system32\drivers\hpcisss.sys
      0x82A59000 \SystemRoot\system32\drivers\adp94xx.sys
      0x82AC3000 \SystemRoot\system32\drivers\adpahci.sys
      0x82B0F000 \SystemRoot\system32\drivers\adpu160m.sys
      0x82B2A000 \SystemRoot\system32\drivers\SCSIPORT.SYS
      0x82B50000 \SystemRoot\system32\drivers\adpu320.sys
      0x82B76000 \SystemRoot\system32\drivers\djsvs.sys
      0x82B8A000 \SystemRoot\system32\drivers\arc.sys
      0x82BA0000 \SystemRoot\system32\drivers\arcsas.sys
      0x8AA0D000 \SystemRoot\system32\drivers\elxstor.sys
      0x8AAA1000 \SystemRoot\system32\drivers\i2omp.sys
      0x8AAAB000 \SystemRoot\system32\drivers\iirsp.sys
      0x8AABB000 \SystemRoot\system32\drivers\iteatapi.sys
      0x8AAC7000 \SystemRoot\system32\drivers\iteraid.sys
      0x8AAD3000 \SystemRoot\system32\drivers\lsi_fc.sys
      0x8AAED000 \SystemRoot\system32\drivers\lsi_sas.sys
      0x8AB05000 \SystemRoot\system32\drivers\megasas.sys
      0x8AB0F000 \SystemRoot\system32\drivers\megasr.sys
      0x8ABC6000 \SystemRoot\system32\drivers\mraid35x.sys
      0x8ABD1000 \SystemRoot\system32\drivers\nfrd960.sys
      0x8ABDF000 \SystemRoot\system32\drivers\nvstor.sys
      0x8AC0D000 \SystemRoot\system32\drivers\ql2300.sys
      0x8AD45000 \SystemRoot\system32\drivers\ql40xx.sys
      0x8AD9A000 \SystemRoot\system32\drivers\sisraid2.sys
      0x8ADA7000 \SystemRoot\system32\drivers\sisraid4.sys
      0x8ADBC000 \SystemRoot\system32\drivers\symc8xx.sys
      0x8ADC8000 \SystemRoot\system32\drivers\sym_hi.sys
      0x8ADD3000 \SystemRoot\system32\drivers\sym_u3.sys
      0x82BB6000 \SystemRoot\system32\drivers\uliahci.sys
      0x8ADDE000 \SystemRoot\system32\drivers\ulsata.sys
      0x8AE0B000 \SystemRoot\system32\drivers\ulsata2.sys
      0x8AE37000 \SystemRoot\system32\drivers\vsmraid.sys
      0x8AE58000 \SystemRoot\system32\drivers\fltmgr.sys
      0x8AE8A000 \SystemRoot\system32\drivers\fileinfo.sys
      0x8AE9A000 \SystemRoot\system32\drivers\TfFsMon.sys
      0x8AEAB000 \SystemRoot\system32\drivers\TfSysMon.sys
      0x8AEBE000 \SystemRoot\System32\Drivers\ksecdd.sys
      0x8B00C000 \SystemRoot\system32\drivers\ndis.sys
      0x8B117000 \SystemRoot\system32\drivers\msrpc.sys
      0x8B142000 \SystemRoot\system32\drivers\NETIO.SYS
      0x8B20D000 \SystemRoot\System32\drivers\tcpip.sys
      0x8B2F7000 \SystemRoot\System32\drivers\fwpkclnt.sys
      0x8B40E000 \SystemRoot\System32\Drivers\Ntfs.sys
      0x8B51E000 \SystemRoot\system32\drivers\wd.sys
      0x8B526000 \SystemRoot\system32\drivers\volsnap.sys
      0x8B55F000 \SystemRoot\System32\Drivers\spldr.sys
      0x8B567000 \SystemRoot\system32\drivers\sbp2port.sys
      0x8B57C000 \SystemRoot\System32\Drivers\mup.sys
      0x8B58B000 \SystemRoot\System32\drivers\ecache.sys
      0x8B5B2000 \SystemRoot\system32\DRIVERS\hpdskflt.sys
      0x8B5BB000 \SystemRoot\system32\drivers\disk.sys
      0x8B5CC000 \SystemRoot\system32\drivers\crcdisk.sys
      0x8B5D5000 \SystemRoot\system32\DRIVERS\avgrkx86.sys
      0x8B5DA000 \SystemRoot\system32\DRIVERS\AVGIDSEH.Sys
      0x8B5F0000 \SystemRoot\system32\DRIVERS\tunnel.sys
      0x8B3E0000 \SystemRoot\system32\DRIVERS\intelppm.sys
      0x8B5FB000 \SystemRoot\system32\DRIVERS\CmBatt.sys
      0x8F000000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
      0x8F99D000 \SystemRoot\system32\DRIVERS\nvBridge.kmd
      0x8AF2F000 \SystemRoot\System32\drivers\dxgkrnl.sys
      0x8F99F000 \SystemRoot\System32\drivers\watchdog.sys
      0x8F9AB000 \SystemRoot\system32\DRIVERS\usbuhci.sys
      0x8F9B6000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
      0x8B3EF000 \SystemRoot\system32\DRIVERS\usbehci.sys
      0x8FA0C000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
      0x8FC01000 \SystemRoot\system32\DRIVERS\NETw5v32.sys
      0x8FF8A000 \SystemRoot\system32\DRIVERS\Rtlh86.sys
      0x8FFAC000 \SystemRoot\system32\DRIVERS\ohci1394.sys
      0x8FFBC000 \SystemRoot\system32\DRIVERS\1394BUS.SYS
      0x8FFCA000 \SystemRoot\system32\DRIVERS\jmcr.sys
      0x8FFE1000 \SystemRoot\system32\DRIVERS\i8042prt.sys
      0x8FFF4000 \SystemRoot\system32\DRIVERS\HpqKbFiltr.sys
      0x8FA99000 \SystemRoot\system32\DRIVERS\kbdclass.sys
      0x8FAA4000 \SystemRoot\system32\DRIVERS\SynTP.sys
      0x8FFF9000 \SystemRoot\system32\DRIVERS\USBD.SYS
      0x8FADF000 \SystemRoot\system32\DRIVERS\mouclass.sys
      0x8FAEA000 \SystemRoot\system32\DRIVERS\enecir.sys
      0x8FB02000 \SystemRoot\system32\DRIVERS\cdrom.sys
      0x8FB1A000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
      0x8FB23000 \SystemRoot\system32\DRIVERS\Accelerometer.sys
      0x8FB2F000 \SystemRoot\system32\DRIVERS\msiscsi.sys
      0x8FB5E000 \SystemRoot\system32\DRIVERS\TDI.SYS
      0x8FB69000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
      0x8FB80000 \SystemRoot\system32\DRIVERS\ndistapi.sys
      0x8FB8B000 \SystemRoot\system32\DRIVERS\ndiswan.sys
      0x8FBAE000 \SystemRoot\system32\DRIVERS\raspppoe.sys
      0x8FBBD000 \SystemRoot\system32\DRIVERS\raspptp.sys
      0x8FBD1000 \SystemRoot\system32\DRIVERS\rassstp.sys
      0x8FBE6000 \SystemRoot\system32\DRIVERS\termdd.sys
      0x8FFFB000 \SystemRoot\system32\DRIVERS\swenum.sys
      0x8B17D000 \SystemRoot\system32\DRIVERS\ks.sys
      0x8B400000 \SystemRoot\system32\DRIVERS\circlass.sys
      0x8FBF6000 \SystemRoot\system32\DRIVERS\mssmbios.sys
      0x8B200000 \SystemRoot\system32\DRIVERS\umbus.sys
      0x8B1A7000 \SystemRoot\system32\DRIVERS\usbhub.sys
      0x8B1DC000 \SystemRoot\System32\Drivers\NDProxy.SYS
      0x9020F000 \SystemRoot\system32\DRIVERS\stwrt.sys
      0x90277000 \SystemRoot\system32\DRIVERS\portcls.sys
      0x902A4000 \SystemRoot\system32\DRIVERS\drmk.sys
      0x902C9000 \SystemRoot\system32\drivers\nvhda32v.sys
      0x902D7000 \SystemRoot\system32\DRIVERS\hidir.sys
      0x902E2000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
      0x902F2000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
      0x902F9000 \SystemRoot\system32\DRIVERS\kbdhid.sys
      0x90302000 \SystemRoot\system32\DRIVERS\mouhid.sys
      0x9030A000 \SystemRoot\system32\DRIVERS\avgmfx86.sys
      0x90316000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
      0x9031F000 \SystemRoot\System32\Drivers\Null.SYS
      0x90326000 \SystemRoot\System32\Drivers\Beep.SYS
      0x9032D000 \SystemRoot\System32\drivers\vga.sys
      0x90339000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
      0x9035A000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
      0x90362000 \SystemRoot\system32\drivers\rdpencdd.sys
      0x9036A000 \SystemRoot\System32\Drivers\Msfs.SYS
      0x90375000 \SystemRoot\System32\Drivers\Npfs.SYS
      0x90383000 \SystemRoot\System32\DRIVERS\rasacd.sys
      0x9038C000 \SystemRoot\system32\DRIVERS\avgfwd6x.sys
      0x9039D000 \SystemRoot\system32\DRIVERS\tdx.sys
      0x903B3000 \SystemRoot\system32\DRIVERS\smb.sys
      0x90600000 \SystemRoot\system32\DRIVERS\avgtdix.sys
      0x90648000 \SystemRoot\System32\DRIVERS\netbt.sys
      0x9067A000 \SystemRoot\system32\drivers\afd.sys
      0x906C2000 \SystemRoot\system32\DRIVERS\pacer.sys
      0x906D8000 \SystemRoot\system32\DRIVERS\netbios.sys
      0x906E6000 \SystemRoot\system32\DRIVERS\wanarp.sys
      0x906F9000 \SystemRoot\system32\DRIVERS\rdbss.sys
      0x90735000 \SystemRoot\system32\DRIVERS\psinknc.sys
      0x90757000 \SystemRoot\system32\DRIVERS\usbccgp.sys
      0x9076E000 \SystemRoot\system32\drivers\nsiproxy.sys
      0x90778000 \SystemRoot\System32\Drivers\dfsc.sys
      0x9078F000 \SystemRoot\System32\Drivers\usbvideo.sys
      0x907B0000 \SystemRoot\system32\DRIVERS\avgldx86.sys
      0x907EC000 \SystemRoot\system32\drivers\vfs101x.sys
      0x903C7000 \SystemRoot\System32\Drivers\BTHUSB.sys
      0x90E08000 \SystemRoot\System32\Drivers\bthport.sys
      0x90E88000 \SystemRoot\system32\DRIVERS\rfcomm.sys
      0x90EB1000 \SystemRoot\system32\DRIVERS\BthEnum.sys
      0x90EBB000 \SystemRoot\system32\DRIVERS\bthpan.sys
      0x90ED5000 \SystemRoot\system32\drivers\btwavdt.sys
      0x90F40000 \SystemRoot\system32\drivers\btwaudio.sys
      0x90FC0000 \SystemRoot\system32\DRIVERS\btwrchid.sys
      0x90FC3000 \SystemRoot\System32\Drivers\fastfat.SYS
      0x90FEB000 \SystemRoot\System32\Drivers\crashdmp.sys
      0x8B312000 \SystemRoot\System32\Drivers\dump_iaStor.sys
      0x93640000 \SystemRoot\System32\win32k.sys
      0x903D4000 \SystemRoot\System32\drivers\Dxapi.sys
      0x903DE000 \SystemRoot\system32\DRIVERS\monitor.sys
      0x93860000 \SystemRoot\System32\TSDDD.dll
      0x93880000 \SystemRoot\System32\cdd.dll
      0x8AFCF000 \SystemRoot\system32\drivers\luafv.sys
      0x9C40C000 \SystemRoot\system32\DRIVERS\PSINAflt.sys
      0x9C433000 \SystemRoot\system32\DRIVERS\PSINProt.sys
      0x9C452000 \SystemRoot\system32\DRIVERS\PSINFile.sys
      0x9C46E000 \SystemRoot\system32\DRIVERS\PSINProc.sys
      0x9C48C000 \SystemRoot\system32\drivers\spsys.sys
      0x9C53C000 \SystemRoot\system32\DRIVERS\lltdio.sys
      0x9C54C000 \SystemRoot\system32\DRIVERS\nwifi.sys
      0x9C576000 \SystemRoot\system32\DRIVERS\ndisuio.sys
      0x9C580000 \SystemRoot\system32\DRIVERS\rspndr.sys
      0x9C593000 \SystemRoot\system32\drivers\HTTP.sys
      0x829E0000 \SystemRoot\System32\DRIVERS\srvnet.sys
      0x805E6000 \SystemRoot\system32\DRIVERS\bowser.sys
      0x8AFEA000 \SystemRoot\System32\drivers\mpsdrv.sys
      0x9EE09000 \SystemRoot\system32\drivers\mrxdav.sys
      0x9EE2A000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
      0x9EE49000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
      0x9EE82000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
      0x9EE9A000 \SystemRoot\System32\DRIVERS\srv2.sys
      0x9EEC2000 \SystemRoot\System32\DRIVERS\srv.sys
      0x9EF28000 \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys
      0x9FA08000 \SystemRoot\system32\drivers\peauth.sys
      0x9FAE6000 \SystemRoot\System32\Drivers\secdrv.SYS
      0x9FAF0000 \SystemRoot\System32\drivers\tcpipreg.sys
      0x9FAFC000 \??\C:\Program Files\Hewlett-Packard\Media\DVD\000.fcl
      0x9FB1D000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
      0x9FB32000 \SystemRoot\system32\DRIVERS\WUDFPf.sys
      0x9FB44000 \SystemRoot\system32\DRIVERS\AVGIDSFilter.Sys
      0x9FB4E000 \SystemRoot\system32\DRIVERS\AVGIDSDriver.Sys
      0x9FB78000 \??\C:\Windows\system32\drivers\TfNetMon.sys
      0x9FB84000 \SystemRoot\system32\DRIVERS\cdfs.sys
      0x77670000 \WINDOWS\System32\ntdll.dll

      Processes (total 98):
      0 System Idle Process
      4 System
      604 C:\WINDOWS\System32\smss.exe
      848 csrss.exe
      904 C:\WINDOWS\System32\wininit.exe
      916 csrss.exe
      952 C:\WINDOWS\System32\services.exe
      964 C:\WINDOWS\System32\lsass.exe
      976 C:\WINDOWS\System32\lsm.exe
      1092 C:\WINDOWS\System32\winlogon.exe
      1176 C:\WINDOWS\System32\svchost.exe
      1240 C:\WINDOWS\System32\nvvsvc.exe
      1268 C:\WINDOWS\System32\svchost.exe
      1408 C:\WINDOWS\System32\svchost.exe
      1444 C:\WINDOWS\System32\svchost.exe
      1464 C:\WINDOWS\System32\svchost.exe
      1476 C:\WINDOWS\System32\DriverStore\FileRepository\stwrt.inf_e2247046\stacsv.exe
      1628 C:\WINDOWS\System32\audiodg.exe
      1672 C:\WINDOWS\System32\svchost.exe
      1696 C:\WINDOWS\System32\SLsvc.exe
      1732 C:\WINDOWS\System32\svchost.exe
      1816 C:\WINDOWS\System32\rundll32.exe
      1864 C:\WINDOWS\System32\hpservice.exe
      1948 C:\WINDOWS\System32\vfsFPService.exe
      2024 C:\WINDOWS\System32\svchost.exe
      816 C:\WINDOWS\System32\spoolsv.exe
      856 C:\Program Files\DigitalPersona\Bin\DpHostW.exe
      1228 C:\WINDOWS\System32\svchost.exe
      1880 C:\WINDOWS\System32\DriverStore\FileRepository\stwrt.inf_e2247046\AEstSrv.exe
      2068 C:\Program Files\AVG\AVG10\avgfws.exe
      2080 C:\Program Files\AVG\AVG10\avgwdsvc.exe
      2092 C:\WINDOWS\System32\svchost.exe
      2168 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
      2224 C:\WINDOWS\System32\svchost.exe
      2276 C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
      2296 C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
      2316 C:\WINDOWS\SMINST\BLService.exe
      2588 C:\Program Files\Cyberlink\Shared files\RichVideo.exe
      2620 C:\WINDOWS\System32\svchost.exe
      2692 C:\Program Files\ThreatFire\TFService.exe
      2752 C:\WINDOWS\System32\svchost.exe
      2780 C:\WINDOWS\System32\SearchIndexer.exe
      2824 C:\WINDOWS\System32\taskeng.exe
      2996 C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
      3064 C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
      3196 WUDFHost.exe
      3204 C:\Program Files\AVG\AVG10\avgam.exe
      3372 C:\Program Files\AVG\AVG10\avgnsx.exe
      4068 C:\WINDOWS\System32\dwm.exe
      4084 C:\WINDOWS\explorer.exe
      2408 C:\WINDOWS\System32\taskeng.exe
      2728 C:\WINDOWS\System32\taskeng.exe
      1324 C:\Program Files\AVG\AVG10\avgemcx.exe
      5288 C:\Program Files\AVG\AVG10\avgcsrvx.exe
      5968 C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
      5084 C:\WINDOWS\System32\svchost.exe
      1436 C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
      5480 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
      4368 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
      5620 C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
      5232 C:\Program Files\Hewlett-Packard\Media\DVD\DVDAgent.exe
      4608 C:\Program Files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
      4624 C:\Program Files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
      4668 C:\Program Files\Hewlett-Packard\Media\TV\TVAgent.exe
      5668 C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
      2200 C:\Program Files\Common Files\Java\Java Update\jusched.exe
      5764 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
      5796 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
      5836 C:\Program Files\DigitalPersona\Bin\DpAgent.exe
      5844 C:\Program Files\ThreatFire\TFTray.exe
      5860 C:\Program Files\AVG\AVG10\avgtray.exe
      5908 C:\Program Files\IDT\WDM\sttray.exe
      5364 C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
      4804 C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filtering.exe
      3996 C:\WINDOWS\WindowsMobile\wmdSync.exe
      6072 C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
      4296 C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
      1644 WmiPrvSE.exe
      1560 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
      5148 C:\WINDOWS\System32\svchost.exe
      5052 C:\WINDOWS\System32\mobsync.exe
      5912 C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
      6068 C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
      3704 C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
      1932 C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
      5340 C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
      4272 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
      4480 C:\WINDOWS\System32\taskmgr.exe
      4248 C:\WINDOWS\System32\notepad.exe
      5500 C:\PROGRA~1\AVG\AVG10\avgrsx.exe
      5752 C:\Program Files\AVG\AVG10\avgcsrvx.exe
      4472 C:\WINDOWS\System32\SearchProtocolHost.exe
      6048 C:\WINDOWS\System32\SearchFilterHost.exe
      5312 C:\Program Files\Mozilla Firefox\firefox.exe
      5660 C:\Program Files\Mozilla Firefox\plugin-container.exe
      4612 dllhost.exe
      5584 dllhost.exe
      4796 C:\Users\Dave\Desktop\MBRCheck.exe

      \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
      \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000072`3dc00000 (NTFS)

      PhysicalDrive0 Model Number: ST9500325AS, Rev: 0002SPM1

      Size Device Name MBR Status
      --------------------------------------------
      465 GB \\.\PhysicalDrive0 Unknown MBR code
      SHA1: 6DF26AE7D6663DFFFF5602BEDE5BE4683120D56C


      Found non-standard or infected MBR.
      Enter 'Y' and hit ENTER for more options, or 'N' to exit:

      Done!
      +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
      Unhooker crashes:
      "Sorry, but unhandled exception has occured
      program will be terminated
      exception code: 0xc0000005
      Error log generated, please report to developers"

      Error log file:
      Exception code : 0xC0000005
      Instruction address : 0x00000000
      Attempt to read at address : 0x00000000
      +++++++++++++++++++++++++++++

      So that's all I got. What's next?
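As an added example (not part of this thread or of the MBRCheck tool), the script below does the kind of check MBRCheck reports above: it parses a 512-byte MBR image, lists the partition byte offsets (the `at offset 0x...` lines) and hashes the 440 bytes of boot code against an allowlist of known-good SHA1s, reporting "Unknown MBR code" when nothing matches. The sample MBR, its dummy boot code and the empty `KNOWN_GOOD_SHA1` allowlist are constructed assumptions; only the partition offsets are modelled on the log above.

```python
"""Offline MBR sanity check, written for this thread as an illustration.

Not MBRCheck's own code. It shows what "Unknown MBR code" means: the SHA1 of
the boot-code bytes is not on a list of known-good vendor MBRs. It also maps
partition-table entries to the byte offsets MBRCheck prints for C: and D:.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # boot code ends where the 4-byte disk signature starts (0x1B8)
PART_TABLE_OFF = 0x1BE       # four 16-byte partition entries follow
MBR_SIGNATURE = b"\x55\xAA"  # last two bytes of a valid MBR

# Placeholder allowlist: a real one holds the SHA1s of vendor boot code
# (HP, Microsoft, ...). Those values are not on the page, so it is left empty.
KNOWN_GOOD_SHA1 = set()


def boot_code_sha1(mbr: bytes) -> str:
    """Upper-case SHA1 of the 440-byte boot-code region, as MBRCheck prints it."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()


def parse_partitions(mbr: bytes):
    """Return a list of dicts for the non-empty partition entries."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue  # unused slot
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            "byte_offset": lba_start * SECTOR_SIZE,   # what MBRCheck prints as "at offset"
        })
    return parts


def check_mbr(mbr: bytes, known_good_sha1: set):
    """Classify the boot code. Returns (verdict, sha1 or None, partitions)."""
    if len(mbr) != SECTOR_SIZE or mbr[-2:] != MBR_SIGNATURE:
        return "Invalid MBR signature", None, []
    sha1 = boot_code_sha1(mbr)
    verdict = "Known MBR code" if sha1 in known_good_sha1 else "Unknown MBR code"
    return verdict, sha1, parse_partitions(mbr)


def build_sample_mbr() -> bytes:
    """Constructed 512-byte MBR for the demo.

    The two NTFS entries mirror the offsets in the MBRCheck output above
    (C: at 0x7E00 = sector 63, D: at 0x72`3DC00000 = sector 958324736); the
    sector counts and the boot-code bytes are made up and not real boot code.
    """
    boot_code = (b"\xEB\x3C\x90" + b"CONSTRUCTED-SAMPLE-BOOT-CODE").ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"     # disk id + 2 reserved bytes
    c_entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 958324673)
    d_entry = struct.pack("<B3sB3sII", 0x00, b"\xFE\xFF\xFF", 0x07, b"\xFE\xFF\xFF", 958324736, 18448432)
    empty = b"\x00" * 16
    mbr = boot_code + disk_sig + c_entry + d_entry + empty + empty + MBR_SIGNATURE
    assert len(mbr) == SECTOR_SIZE
    return mbr


if __name__ == "__main__":
    # To inspect a real disk offline, read its first 512 bytes from a forensic
    # image instead of calling build_sample_mbr().
    sample = build_sample_mbr()
    verdict, sha1, parts = check_mbr(sample, KNOWN_GOOD_SHA1)
    for p in parts:
        print(f"partition {p['index']}: type 0x{p['type']:02X} "
              f"at offset 0x{p['byte_offset']:012X} ({p['sectors']} sectors)")
    print(f"MBR status: {verdict}")
    print(f"SHA1: {sha1}")
```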
     
  7. Broni

    Broni Malware Annihilator Posts: 47,172   +264

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  8. radarrider

    radarrider TS Rookie Topic Starter

    I can't get AVG uninstalled. It keeps hanging up giving me a security error.

    I'm about ready to reinstall from the partition, but want to make it a clean install if so. I can take this drive out and put it in my desktop which appears to be clean and reasonably stable.

    Are there tools I can run on it when it's not the boot drive that will strip out the root kit?

    Please advise. I've spent quite a bit of time trying to get this machine to work properly and don't have access to the original disks needed to repartition the drive and truly start fresh.

    Thanks--RR
     
  9. Broni

    Broni Malware Annihilator Posts: 47,172   +264

    Well, if you want to restore it to factory settings, simply press F11 at HP logo and follow on-screen instructions.
    Be aware that all your data will be lost.
     
  10. radarrider

    radarrider TS Rookie Topic Starter

    I've reloaded the factory image twice already and keep having the same ***** problems with security and corrupt files.

    My concern is that restoring from HP's factory partition is being hi-jacked by the root kit, leaving me in an endless loop. So given I have another machine that I can plug this drive into, what will scan and remove a rootkit when the drive that is infected isn't a boot drive? Specifically, if the RK is changing its signature, what will identify and remove it when hopefully the RK isn't running?

    Thanks again.
     
  11. Broni

    Broni Malware Annihilator Posts: 47,172   +264

    Your best option would be to format the whole drive, but in that case, your recovery partition would be gone as well.
    Since you don't have any disks, it doesn't look like an option.

    I suggest we continue with our steps.

    Try a different tool to uninstall AVG: http://www.avg.com/us-en/download-tools
     
     
  12. radarrider

    radarrider TS Rookie Topic Starter

    Okay, here is the ComboFix log.
    I got a lot more activity on the laptop that reeks of malware, including a message to save my files because Windows had an error and was rebooting shortly. It forced a reboot with no other warning or ability to override. I've found the machine rebooted several times in the last few days. This is the first time I've seen it actually do it...

    ComboFix 11-03-04.04 - Dave 03/06/2011 10:41:24.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3038.1494 [GMT -6:00]
    Running from: c:\users\Dave\Desktop\Combofix.exe
    AV: Panda Cloud Antivirus *Disabled/Updated* {86971480-9989-6750-B122-681A86518D59}
    SP: Panda Cloud Antivirus *Disabled/Updated* {3DF6F564-BFB3-68DE-8B92-5368FDD6C7E4}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-06 to 2011-03-06 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-06 16:51 . 2011-03-06 16:51 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-03-04 00:44 . 2011-03-04 00:44 -------- d-----w- C:\found.001
    2011-03-02 21:03 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-02 21:03 . 2011-03-02 21:03 -------- d-----w- c:\programdata\Malwarebytes
    2011-03-02 21:03 . 2011-03-02 21:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-02 21:03 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-01 13:37 . 2011-03-01 13:37 -------- d-----w- C:\found.000
    2011-03-01 13:25 . 2011-03-01 13:25 -------- d-----r- C:\comment.htt
    2011-03-01 05:43 . 2011-03-01 05:43 -------- d-----w- C:\Backreg
    2011-03-01 04:15 . 2011-03-01 04:15 2 --shatr- c:\windows\winstart.bat
    2011-03-01 04:15 . 2011-03-04 15:19 -------- d-----w- c:\program files\UnHackMe
    2011-02-28 19:36 . 2011-03-06 15:29 -------- d-----w- c:\programdata\Panda Security URL Filtering
    2011-02-28 19:36 . 2011-02-28 19:37 -------- d-----w- c:\program files\Panda Security
    2011-02-28 19:36 . 2011-02-28 19:36 -------- d-----w- c:\programdata\Panda Security
    2011-02-28 19:23 . 2011-02-28 19:24 -------- d-----w- C:\temp downloads
    2011-02-28 18:06 . 2011-02-28 18:06 -------- d-----w- C:\$AVG
    2011-02-28 04:22 . 2009-07-14 17:45 445008 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
    2011-02-28 04:22 . 2009-07-14 17:45 38480 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
    2011-02-28 04:17 . 2011-02-28 04:17 -------- d-----w- c:\program files\Windows Portable Devices
    2011-02-28 03:29 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
    2011-02-28 03:29 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
    2011-02-28 03:29 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
    2011-02-28 03:29 . 2009-09-25 01:33 369664 ----a-w- c:\windows\system32\WMPhoto.dll
    2011-02-28 03:29 . 2009-09-25 02:10 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
    2011-02-28 03:29 . 2009-09-25 02:07 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
    2011-02-28 03:29 . 2009-09-25 02:04 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
    2011-02-28 03:29 . 2009-09-25 01:33 195584 ----a-w- c:\windows\system32\dxdiagn.dll
    2011-02-28 03:29 . 2009-09-25 01:32 252928 ----a-w- c:\windows\system32\dxdiag.exe
    2011-02-28 03:27 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-02-28 03:27 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
    2011-02-28 03:27 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
    2011-02-28 03:27 . 2011-02-28 03:27 -------- d-----w- c:\programdata\NVIDIA Corporation
    2011-02-28 03:24 . 2011-02-28 03:27 -------- d-----w- c:\program files\NVIDIA Corporation
    2011-02-28 03:21 . 2011-02-28 03:21 -------- d-----w- c:\windows\system32\SRSLabs
    2011-02-28 02:42 . 2010-05-04 19:13 231424 ----a-w- c:\windows\system32\msshsq.dll
    2011-02-28 02:18 . 2011-02-28 02:18 -------- d--h--w- c:\programdata\Common Files
    2011-02-28 02:18 . 2011-02-28 02:18 -------- d-----w- c:\program files\VideoLAN
    2011-02-28 02:07 . 2011-02-28 02:26 -------- d-----w- c:\program files\Amazon
    2011-02-28 00:43 . 2011-02-28 00:43 -------- d-----w- c:\windows\system32\ca-ES
    2011-02-28 00:43 . 2011-02-28 00:43 -------- d-----w- c:\windows\system32\eu-ES
    2011-02-28 00:43 . 2011-02-28 00:43 -------- d-----w- c:\windows\system32\vi-VN
    2011-02-28 00:27 . 2011-02-28 00:27 -------- d-----w- c:\windows\system32\EventProviders
    2011-02-27 23:03 . 2009-04-11 06:28 524288 ----a-w- c:\windows\system32\sqlsrv32.dll
    2011-02-27 23:02 . 2009-04-11 06:28 33280 ----a-w- c:\windows\system32\wscapi.dll
    2011-02-27 22:59 . 2009-11-08 16:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
    2011-02-27 22:59 . 2009-11-08 16:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
    2011-02-27 22:59 . 2009-11-08 16:55 297808 ----a-w- c:\windows\system32\mscoree.dll
    2011-02-27 22:59 . 2009-11-08 16:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
    2011-02-27 22:59 . 2009-11-08 16:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
    2011-02-27 22:45 . 2009-03-18 16:41 20648 ----a-w- c:\windows\system32\dopdfmn6.dll
    2011-02-27 22:45 . 2009-03-18 16:41 18088 ----a-w- c:\windows\system32\dopdfmi6.dll
    2011-02-27 22:45 . 2011-02-27 22:45 -------- d-----w- c:\program files\Softland
    2011-02-27 22:42 . 2011-02-27 22:42 -------- d-----w- c:\program files\7-Zip
    2011-02-27 18:10 . 2011-03-02 03:29 -------- d-----w- C:\system16
    2011-02-27 17:17 . 2011-02-27 17:33 -------- d-----w- C:\_files
    2011-02-27 17:14 . 2011-02-27 22:42 -------- d-----w- C:\Admin
    2011-02-27 14:23 . 2011-02-27 14:23 -------- d-----w- c:\programdata\McAfee
    2011-02-27 13:52 . 2011-02-27 13:52 -------- d-----w- c:\windows\system32\tr
    2011-02-27 13:52 . 2011-02-27 13:52 -------- d-----w- c:\windows\system32\sv
    2011-02-27 13:52 . 2011-02-27 13:52 -------- d-----w- c:\windows\system32\ru
    2011-02-27 13:52 . 2011-02-27 13:52 -------- d-----w- c:\windows\system32\no
    2011-02-27 13:52 . 2011-02-27 13:52 -------- d-----w- c:\windows\system32\da
    2011-02-27 13:51 . 2011-02-27 13:51 -------- d-----w- c:\windows\system32\ko
    2011-02-27 13:51 . 2011-02-27 13:51 -------- d-----w- c:\windows\system32\ja
    2011-02-27 13:51 . 2011-02-27 13:51 -------- d-----w- c:\windows\system32\it
    2011-02-27 13:51 . 2011-02-27 13:51 -------- d-----w- c:\windows\system32\fr
    2011-02-27 13:51 . 2011-02-27 13:51 -------- d-----w- c:\windows\system32\es
    2011-02-27 13:51 . 2011-02-27 13:51 -------- d-----w- c:\windows\system32\de
    2011-02-27 13:51 . 2011-02-27 13:51 -------- d-----w- c:\windows\DPDrv
    2011-02-27 13:48 . 2011-02-27 13:48 -------- d-----w- c:\programdata\Downloaded Installations
    2011-02-27 13:47 . 2010-09-06 16:20 125952 ----a-w- c:\windows\system32\srvsvc.dll
    2011-02-27 13:47 . 2010-09-06 16:19 17920 ----a-w- c:\windows\system32\netevent.dll
    2011-02-27 13:47 . 2010-09-06 13:45 304128 ----a-w- c:\windows\system32\drivers\srv.sys
    2011-02-27 13:47 . 2010-09-06 13:45 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
    2011-02-27 13:47 . 2010-09-06 13:45 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2011-02-27 13:47 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
    2011-02-27 13:47 . 2009-08-24 11:36 377344 ----a-w- c:\windows\system32\winhttp.dll
    2011-02-27 13:46 . 2010-05-27 20:08 739328 ----a-w- c:\windows\system32\inetcomm.dll
    2011-02-27 13:41 . 2011-03-06 15:55 -------- d-----w- c:\users\Dave
    2011-02-27 01:19 . 2008-05-27 04:59 18904 ----a-w- c:\windows\system32\StructuredQuerySchemaTrivial.bin
    2011-02-27 01:17 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
    2011-02-27 01:17 . 2009-10-09 21:56 12800 ----a-w- c:\windows\system32\wsmprovhost.exe
    2011-02-27 01:17 . 2009-10-09 21:56 20480 ----a-w- c:\windows\system32\winrshost.exe
    2011-02-27 01:17 . 2009-10-09 21:56 40448 ----a-w- c:\windows\system32\winrs.exe
    2011-02-27 01:15 . 2009-09-10 14:58 1418752 ----a-w- c:\program files\Windows Media Player\setup_wm.exe
    2011-02-27 01:15 . 2009-09-10 14:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
    2011-02-27 01:15 . 2009-10-23 17:10 714240 ----a-w- c:\windows\system32\timedate.cpl
    2011-02-27 01:14 . 2010-01-25 08:21 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
    2011-02-27 01:14 . 2010-01-25 08:21 518144 ----a-w- c:\windows\system32\RMActivate.exe
    2011-02-27 01:14 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc_isv.dll
    2011-02-27 01:14 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc.dll
    2011-02-27 01:14 . 2010-01-25 11:58 332288 ----a-w- c:\windows\system32\msdrm.dll
    2011-02-27 01:14 . 2010-01-25 08:21 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
    2011-02-27 01:14 . 2010-01-25 08:21 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
    2011-02-27 01:14 . 2010-01-25 12:00 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
    2011-02-27 01:14 . 2010-01-25 12:00 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
    2011-02-27 01:14 . 2010-08-26 16:34 1696256 ----a-w- c:\windows\system32\gameux.dll
    2011-02-27 01:14 . 2010-08-26 16:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2011-02-27 01:14 . 2010-08-26 14:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2011-02-26 19:56 . 2010-10-19 04:27 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
    2011-02-26 19:32 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2011-02-26 19:32 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
    2011-02-26 19:32 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
    2011-02-26 19:31 . 2011-02-26 19:31 -------- d-----w- c:\program files\MSXML 4.0
    2011-02-26 19:27 . 2010-12-31 13:57 2039808 ----a-w- c:\windows\system32\win32k.sys
    2011-02-26 19:27 . 2010-08-10 15:53 274944 ----a-w- c:\windows\system32\schannel.dll
    2011-02-26 19:27 . 2010-01-29 15:40 1616384 ----a-w- c:\program files\Windows Mail\msoe.dll
    2011-02-26 19:27 . 2010-04-05 17:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
    2011-02-26 19:27 . 2010-04-16 16:46 502272 ----a-w- c:\windows\system32\usp10.dll
    2011-02-26 19:27 . 2010-10-12 15:53 33280 ----a-w- c:\program files\Windows Mail\wabfind.dll
    2011-02-26 19:27 . 2010-10-12 13:41 66048 ----a-w- c:\program files\Windows Mail\wabmig.exe
    2011-02-26 19:27 . 2010-10-12 13:41 515584 ----a-w- c:\program files\Windows Mail\wab.exe
    2011-02-26 19:27 . 2010-06-28 17:00 1316864 ----a-w- c:\windows\system32\ole32.dll
    2011-02-26 19:27 . 2010-06-28 14:54 339968 ----a-w- c:\program files\Windows NT\Accessories\wordpad.exe
    2011-02-26 19:24 . 2009-06-10 11:42 160256 ----a-w- c:\windows\system32\wkssvc.dll
    2011-02-26 19:24 . 2010-08-17 14:11 128000 ----a-w- c:\windows\system32\spoolsv.exe
    2011-02-26 19:24 . 2010-04-05 17:02 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
    2011-02-26 19:22 . 2009-12-04 18:30 12288 ----a-w- c:\windows\system32\tsbyuv.dll
    2011-02-26 19:21 . 2009-10-07 11:36 243712 ----a-w- c:\windows\system32\rastls.dll
    2011-02-26 19:18 . 2011-02-27 13:51 -------- d-----w- c:\program files\DigitalPersona
    2011-02-26 19:18 . 2011-02-26 19:18 -------- d-----w- c:\programdata\Macrovision
    2011-02-26 19:18 . 2011-02-23 15:35 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{95139AEA-7654-4BA4-98F6-0C35086B5942}\mpengine.dll
    2011-02-26 19:18 . 2011-02-02 23:11 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-02-26 19:17 . 2011-02-26 19:17 -------- d-----w- c:\windows\system32\ENU
    2011-02-26 19:17 . 2011-02-26 19:17 -------- d-----w- c:\windows\system32\Lang
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-17 00:39 . 2010-12-17 00:39 365888 ----a-w- c:\windows\system32\PSUNCpl.cpl
    2010-12-17 00:10 . 2010-12-17 00:10 113736 ----a-w- c:\windows\system32\drivers\PSINProt.sys
    2010-12-17 00:10 . 2010-12-17 00:10 111176 ----a-w- c:\windows\system32\drivers\PSINProc.sys
    2010-12-17 00:10 . 2010-12-17 00:10 126536 ----a-w- c:\windows\system32\drivers\PSINKNC.sys
    2010-12-17 00:10 . 2010-12-17 00:10 99400 ----a-w- c:\windows\system32\drivers\PSINFile.sys
    2010-12-17 00:10 . 2010-12-17 00:10 141384 ----a-w- c:\windows\system32\drivers\PSINAflt.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}]
    2010-12-19 14:46 86696 ----a-w- c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}"= "c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll" [2010-12-19 86696]
    .
    [HKEY_CLASSES_ROOT\clsid\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon]
    @="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}"
    [HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}]
    2010-12-17 00:18 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon]
    @="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}"
    [HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}]
    2010-12-17 00:18 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
    "UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
    "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
    "DVDAgent"="c:\program files\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2008-07-24 1148200]
    "TSMAgent"="c:\program files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2008-08-02 1144104]
    "CLMLServer for HP TouchSmart"="c:\program files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2008-08-02 210216]
    "TVAgent"="c:\program files\Hewlett-Packard\Media\TV\TVAgent.exe" [2008-07-24 468264]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
    "DpAgent"="c:\program files\DigitalPersona\Bin\dpagent.exe" [2009-12-01 842816]
    "ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2010-12-31 378128]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-07-22 458844]
    "PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2010-12-17 423232]
    "Panda Security URL Filtering"="c:\programdata\Panda Security URL Filtering\Panda_URL_Filtering.exe" [2010-12-19 223400]
    "Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-6-19 727592]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
    R3 Normandy;Normandy SR2; [x]
    S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-12-31 51984]
    S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-12-31 69392]
    S1 PSINKNC;PSINKNC;c:\windows\system32\DRIVERS\psinknc.sys [2010-12-17 126536]
    S2 {55662437-DA8C-40c0-AADA-2C816A897A49};{55662437-DA8C-40c0-AADA-2C816A897A49};c:\program files\Hewlett-Packard\Media\DVD\000.fcl [2008-07-24 59376]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_e2247046\aestsrv.exe [2009-03-03 81920]
    S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2010-07-16 26168]
    S2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [2010-12-17 140608]
    S2 PSINAflt;PSINAflt;c:\windows\system32\DRIVERS\PSINAflt.sys [2010-12-17 141384]
    S2 PSINFile;PSINFile;c:\windows\system32\DRIVERS\PSINFile.sys [2010-12-17 99400]
    S2 PSINProc;PSINProc;c:\windows\system32\DRIVERS\PSINProc.sys [2010-12-17 111176]
    S2 PSINProt;PSINProt;c:\windows\system32\DRIVERS\PSINProt.sys [2010-12-17 113736]
    S2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [2008-08-07 361808]
    S2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service [x]
    S2 vfsFPService;Validity Fingerprint Service;c:\windows\system32\vfsFPService.exe [2008-05-26 599344]
    S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2008-04-28 54784]
    S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2008-07-07 96856]
    S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]
    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-06-26 44064]
    S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-12-31 33552]
    S3 vfs101x;vfs101x;c:\windows\system32\drivers\vfs101x.sys [2008-05-26 40752]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs REG_MULTI_SZ BthServ
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    WindowsMobile REG_MULTI_SZ wcescomm rapimgr
    LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cnnb
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cnnb
    IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    FF - ProfilePath - c:\users\Dave\AppData\Roaming\Mozilla\Firefox\Profiles\uqdpcows.default\
    FF - prefs.js: browser.startup.homepage - www.google.com/mail
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=PCAFSI1143&p=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: DigitalPersona Extension: otis@digitalpersona.com - c:\program files\DigitalPersona\Bin\FirefoxExt
    FF - Ext: Panda Identity Protect: widgetruntime@surfsecret.com - c:\program files\Panda Security\Panda ID Protect\Firefox
    FF - Ext: DigitalPersona Extension: otis@digitalpersona.com - c:\program files\DigitalPersona\Bin\firefoxext
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: AddonFox: {ad48108d-92a6-4eb9-87e4-978aca1dbae4} - %profile%\extensions\{ad48108d-92a6-4eb9-87e4-978aca1dbae4}
    FF - Ext: Firefox Sync: {340c2bbc-ce74-4362-90b5-7c26312808ef} - %profile%\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}
    FF - Ext: Panda Security Toolbar: {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - %profile%\extensions\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-SynTPEnh - %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
    HKLM-Run-hpqSRMon - (no file)
    HKLM-Run-SmartMenu - %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-06 10:54
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ThreatFire]
    "AlternateImagePath"=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
    "ImagePath"="\??\c:\program files\Hewlett-Packard\Media\DVD\000.fcl"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(804)
    c:\program files\ThreatFire\TFWAH.dll
    .
    - - - - - - - > 'lsass.exe'(760)
    c:\program files\ThreatFire\TFWAH.dll
    .
    - - - - - - - > 'Explorer.exe'(3176)
    c:\program files\ThreatFire\TfWah.dll
    c:\windows\system32\dwmapi.dll
    c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.DLL
    c:\program files\Panda Security\Panda Cloud Antivirus\PSNCGP.dll
    c:\program files\Panda Security\Panda Cloud Antivirus\PSNCIPC.dll
    c:\windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4016_none_d0893820442e7fe4\MSVCP80.dll
    c:\windows\ehome\ehSSO.dll
    c:\windows\system32\wpdshserviceobj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\windows\system32\btncopy.dll
    c:\windows\system32\WSCAPI.dll
    c:\windows\System32\QAgent.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvvsvc.exe
    c:\windows\System32\DriverStore\FileRepository\stwrt.inf_e2247046\STacSV.exe
    c:\windows\system32\rundll32.exe
    c:\program files\DigitalPersona\Bin\DpHostW.exe
    c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\program files\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
    c:\program files\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
    c:\program files\Cyberlink\Shared files\RichVideo.exe
    c:\program files\ThreatFire\TFService.exe
    c:\windows\system32\WUDFHost.exe
    c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
    .
    **************************************************************************
    .
    Completion time: 2011-03-06 11:01:51 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-03-06 17:01
    .
    Pre-Run: 363,987,828,736 bytes free
    Post-Run: 363,812,220,928 bytes free
    .
    - - End Of File - - 9C21F3B8673A97F0BAAAE2D83EE7AF84
     
  13. Broni

    Broni Malware Annihilator Posts: 47,172   +264

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\winstart.bat
    
    
    Folder::
    C:\$AVG
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000000
    
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
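The CFScript above re-enables Security Center monitoring by resetting the `DisableMonitoring` value that the first ComboFix log shows set to 1, and the same log carries two other things a helper reads before writing a script: services whose image file ComboFix could not find (the trailing `[x]`), and the Sigcheck section where the live `c:\windows\System32\ole32.dll` hashes differently from a same-size copy in WinSxS. The script below is an added example, not part of this thread or of ComboFix; it parses those three sections out of a log and renders the `Registry::` stanza for the flagged keys. The sample log is constructed from lines quoted on this page, and the line formats, the meaning of `[x]` as "image not found", and the choice to compare only same-size copies are assumptions about ComboFix's output, not documented behaviour.

```python
"""Triage a ComboFix log: Security Center monitoring switched off, services
with a missing image file, and System32 files whose MD5 differs from other
copies of the same file. Sample log constructed from lines quoted on the page;
the parsing rules are assumptions about ComboFix's text format."""
import re
from collections import defaultdict

# Constructed sample: a handful of lines lifted from the page's first log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R3 Normandy;Normandy SR2; [x]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-12-31 51984]
S2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service [x]
.
------- Sigcheck -------
[7] 2010-06-28 . 7C6F74A11FCF5745B36CB8085B7DE3FB . 1316864 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.0.6002.22433_none_ae70528d08aae434\ole32.dll
[-] 2010-06-28 . 9586E7CB2255A8B097A7E4538202585E . 1316864 . . [6.0.6000.16386] . . c:\windows\ERDNT\cache\ole32.dll
[-] 2010-06-28 . 9586E7CB2255A8B097A7E4538202585E . 1316864 . . [6.0.6000.16386] . . c:\windows\System32\ole32.dll
[-] 2006-11-02 . 7F15B4953378C8B5161D65C26D5FED4D . 11776 . . [6.0.6000.16386] . . c:\windows\System32\cngaudit.dll
[-] 2006-11-02 . 7F15B4953378C8B5161D65C26D5FED4D . 11776 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
# "<start type> <name>;<display name>;<image path and date/size, or [x]>"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
# "[flag] date . MD5 . size . . [version] . . path"
SIGCHECK_RE = re.compile(
    r"^\[([^\]]*)\]\s+(\d{4}-\d{2}-\d{2})\s+\.\s+([0-9A-Fa-f]{32})\s+\.\s+(\d+)"
    r"\s+\.\s+\.\s+\[([^\]]*)\]\s+\.\s+\.\s+(.+)$")


def disabled_monitoring(log):
    """Registry keys under Security Center\\Monitoring whose DisableMonitoring
    value is non-zero. Malware sets this to silence the 'no antivirus' warning;
    some security suites set it too, so it is a lead, not a verdict."""
    hits, current_key = [], None
    for raw in log.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current_key and "security center\\monitoring" in current_key.lower():
            if m.group(1).lower() == "disablemonitoring" and int(m.group(2), 16) != 0:
                hits.append(current_key)
    return hits


def missing_image_services(log):
    """(start type, service name) for entries ending in [x], the marker
    assumed here to mean ComboFix could not find the image on disk."""
    out = []
    for raw in log.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if m and m.group(4).strip().endswith("[x]"):
            out.append((m.group(1), m.group(2)))
    return out


def divergent_system32_copies(log):
    """Per file name, the MD5 of the live System32 copy and the MD5s of
    same-size copies elsewhere (WinSxS, ERDNT cache) that differ from it.
    Which copy is the good one is left to the analyst."""
    copies = defaultdict(list)
    for raw in log.splitlines():
        m = SIGCHECK_RE.match(raw.strip())
        if m:
            _flag, _date, md5, size, _ver, path = m.groups()
            name = path.rsplit("\\", 1)[-1].lower()
            copies[name].append((md5.upper(), int(size), path.lower()))
    report = {}
    for name, entries in copies.items():
        live = [e for e in entries if "\\system32\\" in e[2] and "\\winsxs\\" not in e[2]]
        if not live:
            continue
        live_md5, live_size, live_path = live[0]
        others = sorted({md5 for md5, size, path in entries
                         if path != live_path and size == live_size and md5 != live_md5})
        if others:
            report[name] = {"system32": live_md5, "others": others}
    return report


def cfscript_reset_monitoring(keys):
    """Render the Registry:: stanza (the form used in the reply above) that
    turns monitoring back on for each flagged key."""
    lines = ["Registry::"]
    for key in keys:
        lines += [f"[{key}]", '"DisableMonitoring"=dword:00000000', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    keys = disabled_monitoring(SAMPLE_LOG)
    print("monitoring disabled under:", *keys, sep="\n  ")
    print("services with missing image:", missing_image_services(SAMPLE_LOG))
    print("System32 copies that differ:", divergent_system32_copies(SAMPLE_LOG))
    print(cfscript_reset_monitoring(keys))
```

On the page's own log this flags both Monitoring keys, the orphaned `Normandy` and `ThreatFire` services, and `ole32.dll` (System32 hash `9586E7CB…` against the WinSxS copy `7C6F74A1…`); the script deliberately does not interpret the `[7]`/`[-]` markers, since the page does not document them.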
     
  14. radarrider

    radarrider TS Rookie Topic Starter

    After using the remover tool on AVG I had to uninstall Pandascan. The tray icon wouldn't show up, which is how I know to temp. disable it. When ComboFix ran I got error PEV.exe is corrupt. On reboot I got PEVcfxxe is corrupt with a message to run disk scan. I reinstalled pandascan but not AVG.

    So what's the next dagger I can throw?

    Thanks--RR

    ComboFix 11-03-04.04 - Dave 03/06/2011 13:16:05.2.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3038.1637 [GMT -6:00]
    Running from: c:\users\Dave\Desktop\Combofix.exe
    Command switches used :: c:\users\Dave\Desktop\cfscript.txt
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    FILE ::
    "c:\windows\winstart.bat"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\$AVG
    c:\$avg\$VAULT\V_00000001.fil
    c:\$avg\$VAULT\vvfolder.idx
    c:\windows\winstart.bat
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-06 to 2011-03-06 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-06 19:24 . 2011-03-06 19:24 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-03-05 23:20 . 2011-03-05 23:20 -------- d-----w- C:\found.002
    2011-03-04 00:44 . 2011-03-04 00:44 -------- d-----w- C:\found.001
    2011-03-02 21:03 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-02 21:03 . 2011-03-02 21:03 -------- d-----w- c:\programdata\Malwarebytes
    2011-03-02 21:03 . 2011-03-02 21:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-02 21:03 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-01 13:37 . 2011-03-01 13:37 -------- d-----w- C:\found.000
    2011-03-01 13:25 . 2011-03-01 13:25 -------- d-----r- C:\comment.htt
    2011-03-01 05:43 . 2011-03-01 05:43 -------- d-----w- C:\Backreg
    2011-03-01 04:15 . 2011-03-04 15:19 -------- d-----w- c:\program files\UnHackMe
    2011-02-28 19:36 . 2011-03-06 19:08 -------- d-----w- c:\program files\Panda Security
    2011-02-28 19:36 . 2011-02-28 19:36 -------- d-----w- c:\programdata\Panda Security
    2011-02-28 19:23 . 2011-02-28 19:24 -------- d-----w- C:\temp downloads
    2011-02-28 04:22 . 2009-07-14 17:45 445008 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
    2011-02-28 04:22 . 2009-07-14 17:45 38480 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
    2011-02-28 04:17 . 2011-02-28 04:17 -------- d-----w- c:\program files\Windows Portable Devices
    2011-02-28 03:29 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
    2011-02-28 03:29 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
    2011-02-28 03:29 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
    2011-02-28 03:29 . 2009-09-25 01:33 369664 ----a-w- c:\windows\system32\WMPhoto.dll
    2011-02-28 03:29 . 2009-09-25 02:10 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
    2011-02-28 03:29 . 2009-09-25 02:07 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
    2011-02-28 03:29 . 2009-09-25 02:04 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
    2011-02-28 03:29 . 2009-09-25 01:33 195584 ----a-w- c:\windows\system32\dxdiagn.dll
    2011-02-28 03:29 . 2009-09-25 01:32 252928 ----a-w- c:\windows\system32\dxdiag.exe
    2011-02-28 03:27 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-02-28 03:27 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
    2011-02-28 03:27 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
    2011-02-28 03:27 . 2011-02-28 03:27 -------- d-----w- c:\programdata\NVIDIA Corporation
    2011-02-28 03:24 . 2011-02-28 03:27 -------- d-----w- c:\program files\NVIDIA Corporation
    2011-02-28 03:21 . 2011-02-28 03:21 -------- d-----w- c:\windows\system32\SRSLabs
    2011-02-28 02:42 . 2010-05-04 19:13 231424 ----a-w- c:\windows\system32\msshsq.dll
    2011-02-28 02:18 . 2011-02-28 02:18 -------- d--h--w- c:\programdata\Common Files
    2011-02-28 02:18 . 2011-02-28 02:18 -------- d-----w- c:\program files\VideoLAN
    2011-02-28 02:07 . 2011-02-28 02:26 -------- d-----w- c:\program files\Amazon
    2011-02-28 00:43 . 2011-02-28 00:43 -------- d-----w- c:\windows\system32\ca-ES
    2011-02-28 00:43 . 2011-02-28 00:43 -------- d-----w- c:\windows\system32\eu-ES
    2011-02-28 00:43 . 2011-02-28 00:43 -------- d-----w- c:\windows\system32\vi-VN
    2011-02-28 00:27 . 2011-02-28 00:27 -------- d-----w- c:\windows\system32\EventProviders
    2011-02-27 23:03 . 2009-04-11 06:28 524288 ----a-w- c:\windows\system32\sqlsrv32.dll
    2011-02-27 23:02 . 2009-04-11 06:28 33280 ----a-w- c:\windows\system32\wscapi.dll
    2011-02-27 22:59 . 2009-11-08 16:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
    2011-02-27 22:59 . 2009-11-08 16:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
    2011-02-27 22:59 . 2009-11-08 16:55 297808 ----a-w- c:\windows\system32\mscoree.dll
    2011-02-27 22:59 . 2009-11-08 16:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
    2011-02-27 22:59 . 2009-11-08 16:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
    2011-02-27 22:45 . 2009-03-18 16:41 20648 ----a-w- c:\windows\system32\dopdfmn6.dll
    2011-02-27 22:45 . 2009-03-18 16:41 18088 ----a-w- c:\windows\system32\dopdfmi6.dll
    2011-02-27 22:45 . 2011-02-27 22:45 -------- d-----w- c:\program files\Softland
    2011-02-27 22:42 . 2011-02-27 22:42 -------- d-----w- c:\program files\7-Zip
    2011-02-27 18:10 . 2011-03-02 03:29 -------- d-----w- C:\system16
    2011-02-27 17:17 . 2011-02-27 17:33 -------- d-----w- C:\_files
    2011-02-27 17:14 . 2011-02-27 22:42 -------- d-----w- C:\Admin
    2011-02-27 14:23 . 2011-02-27 14:23 -------- d-----w- c:\programdata\McAfee
    2011-02-27 13:52 . 2011-02-27 13:52 -------- d-----w- c:\windows\system32\tr
    2011-02-27 13:52 . 2011-02-27 13:52 -------- d-----w- c:\windows\system32\sv
    2011-02-27 13:52 . 2011-02-27 13:52 -------- d-----w- c:\windows\system32\ru
    2011-02-27 13:52 . 2011-02-27 13:52 -------- d-----w- c:\windows\system32\no
    2011-02-27 13:52 . 2011-02-27 13:52 -------- d-----w- c:\windows\system32\da
    2011-02-27 13:51 . 2011-02-27 13:51 -------- d-----w- c:\windows\system32\ko
    2011-02-27 13:51 . 2011-02-27 13:51 -------- d-----w- c:\windows\system32\ja
    2011-02-27 13:51 . 2011-02-27 13:51 -------- d-----w- c:\windows\system32\it
    2011-02-27 13:51 . 2011-02-27 13:51 -------- d-----w- c:\windows\system32\fr
    2011-02-27 13:51 . 2011-02-27 13:51 -------- d-----w- c:\windows\system32\es
    2011-02-27 13:51 . 2011-02-27 13:51 -------- d-----w- c:\windows\system32\de
    2011-02-27 13:51 . 2011-02-27 13:51 -------- d-----w- c:\windows\DPDrv
    2011-02-27 13:48 . 2011-02-27 13:48 -------- d-----w- c:\programdata\Downloaded Installations
    2011-02-27 13:47 . 2010-09-06 16:20 125952 ----a-w- c:\windows\system32\srvsvc.dll
    2011-02-27 13:47 . 2010-09-06 16:19 17920 ----a-w- c:\windows\system32\netevent.dll
    2011-02-27 13:47 . 2010-09-06 13:45 304128 ----a-w- c:\windows\system32\drivers\srv.sys
    2011-02-27 13:47 . 2010-09-06 13:45 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
    2011-02-27 13:47 . 2010-09-06 13:45 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2011-02-27 13:47 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
    2011-02-27 13:47 . 2009-08-24 11:36 377344 ----a-w- c:\windows\system32\winhttp.dll
    2011-02-27 13:46 . 2010-05-27 20:08 739328 ----a-w- c:\windows\system32\inetcomm.dll
    2011-02-27 13:41 . 2011-03-06 15:55 -------- d-----w- c:\users\Dave
    2011-02-27 01:19 . 2008-05-27 04:59 18904 ----a-w- c:\windows\system32\StructuredQuerySchemaTrivial.bin
    2011-02-27 01:17 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
    2011-02-27 01:17 . 2009-10-09 21:56 12800 ----a-w- c:\windows\system32\wsmprovhost.exe
    2011-02-27 01:17 . 2009-10-09 21:56 20480 ----a-w- c:\windows\system32\winrshost.exe
    2011-02-27 01:17 . 2009-10-09 21:56 40448 ----a-w- c:\windows\system32\winrs.exe
    2011-02-27 01:15 . 2009-09-10 14:58 1418752 ----a-w- c:\program files\Windows Media Player\setup_wm.exe
    2011-02-27 01:15 . 2009-09-10 14:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
    2011-02-27 01:15 . 2009-10-23 17:10 714240 ----a-w- c:\windows\system32\timedate.cpl
    2011-02-27 01:14 . 2010-01-25 08:21 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
    2011-02-27 01:14 . 2010-01-25 08:21 518144 ----a-w- c:\windows\system32\RMActivate.exe
    2011-02-27 01:14 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc_isv.dll
    2011-02-27 01:14 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc.dll
    2011-02-27 01:14 . 2010-01-25 11:58 332288 ----a-w- c:\windows\system32\msdrm.dll
    2011-02-27 01:14 . 2010-01-25 08:21 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
    2011-02-27 01:14 . 2010-01-25 08:21 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
    2011-02-27 01:14 . 2010-01-25 12:00 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
    2011-02-27 01:14 . 2010-01-25 12:00 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
    2011-02-27 01:14 . 2010-08-26 16:34 1696256 ----a-w- c:\windows\system32\gameux.dll
    2011-02-27 01:14 . 2010-08-26 16:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2011-02-27 01:14 . 2010-08-26 14:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2011-02-26 19:56 . 2010-10-19 04:27 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
    2011-02-26 19:32 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2011-02-26 19:32 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
    2011-02-26 19:32 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
    2011-02-26 19:31 . 2011-02-26 19:31 -------- d-----w- c:\program files\MSXML 4.0
    2011-02-26 19:27 . 2010-12-31 13:57 2039808 ----a-w- c:\windows\system32\win32k.sys
    2011-02-26 19:27 . 2010-08-10 15:53 274944 ----a-w- c:\windows\system32\schannel.dll
    2011-02-26 19:27 . 2010-01-29 15:40 1616384 ----a-w- c:\program files\Windows Mail\msoe.dll
    2011-02-26 19:27 . 2010-04-05 17:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
    2011-02-26 19:27 . 2010-04-16 16:46 502272 ----a-w- c:\windows\system32\usp10.dll
    2011-02-26 19:27 . 2010-10-12 15:53 33280 ----a-w- c:\program files\Windows Mail\wabfind.dll
    2011-02-26 19:27 . 2010-10-12 13:41 66048 ----a-w- c:\program files\Windows Mail\wabmig.exe
    2011-02-26 19:27 . 2010-10-12 13:41 515584 ----a-w- c:\program files\Windows Mail\wab.exe
    2011-02-26 19:27 . 2010-06-28 17:00 1316864 ----a-w- c:\windows\system32\ole32.dll
    2011-02-26 19:27 . 2010-06-28 14:54 339968 ----a-w- c:\program files\Windows NT\Accessories\wordpad.exe
    2011-02-26 19:24 . 2009-06-10 11:42 160256 ----a-w- c:\windows\system32\wkssvc.dll
    2011-02-26 19:24 . 2010-08-17 14:11 128000 ----a-w- c:\windows\system32\spoolsv.exe
    2011-02-26 19:24 . 2010-04-05 17:02 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
    2011-02-26 19:22 . 2009-12-04 18:30 12288 ----a-w- c:\windows\system32\tsbyuv.dll
    2011-02-26 19:21 . 2009-10-07 11:36 243712 ----a-w- c:\windows\system32\rastls.dll
    2011-02-26 19:18 . 2011-02-27 13:51 -------- d-----w- c:\program files\DigitalPersona
    2011-02-26 19:18 . 2011-02-26 19:18 -------- d-----w- c:\programdata\Macrovision
    2011-02-26 19:18 . 2011-02-23 15:35 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{95139AEA-7654-4BA4-98F6-0C35086B5942}\mpengine.dll
    2011-02-26 19:18 . 2011-02-02 23:11 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-02-26 19:17 . 2011-02-26 19:17 -------- d-----w- c:\windows\system32\ENU
    2011-02-26 19:17 . 2011-02-26 19:17 -------- d-----w- c:\windows\system32\Lang
    2011-02-26 19:17 . 2008-04-18 21:29 1034776 ----a-w- c:\windows\system32\imsmudlg.exe
    2011-02-26 19:17 . 2006-11-10 17:25 319456 ----a-w- c:\windows\system32\difxapi.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ------- Sigcheck -------
    .
    [7] 2010-06-28 . 7C6F74A11FCF5745B36CB8085B7DE3FB . 1316864 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.0.6002.22433_none_ae70528d08aae434\ole32.dll
    [-] 2010-06-28 . 9586E7CB2255A8B097A7E4538202585E . 1316864 . . [6.0.6000.16386] . . c:\windows\ERDNT\cache\ole32.dll
    [-] 2010-06-28 . 9586E7CB2255A8B097A7E4538202585E . 1316864 . . [6.0.6000.16386] . . c:\windows\System32\ole32.dll
    [-] 2010-06-28 . 9586E7CB2255A8B097A7E4538202585E . 1316864 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.0.6002.18277_none_adbf7553efaa1c63\ole32.dll
    [7] 2010-06-28 . 64A319477AF21806B8A17E8A3A3FF8BC . 1315840 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.0.6001.22720_none_ac91afb30b7f271a\ole32.dll
    [7] 2010-06-28 . AA406846DD60E3A4536DBAAB4037B685 . 1315840 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.0.6001.18498_none_abc461f7f2931b51\ole32.dll
    [-] 2009-04-11 . C50A0AB19094BC362FBA69E105EBCCFD . 1316864 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.0.6002.18005_none_ae092067ef732bd0\ole32.dll
    [-] 2008-01-21 . 3B634E4BE373D6D987EBF906B43FAAB3 . 1315328 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.0.6001.18000_none_ac1da75bf2516084\ole32.dll
    .
    [-] 2006-11-02 . 7F15B4953378C8B5161D65C26D5FED4D . 11776 . . [6.0.6000.16386] . . c:\windows\ERDNT\cache\cngaudit.dll
    [-] 2006-11-02 . 7F15B4953378C8B5161D65C26D5FED4D . 11776 . . [6.0.6000.16386] . . c:\windows\System32\cngaudit.dll
    [-] 2006-11-02 . 7F15B4953378C8B5161D65C26D5FED4D . 11776 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll
    .
    [-] 2009-04-11 . 84B8827562B005C118CADBA0F25DB2C6 . 444416 . . [6.0.6000.16386] . . c:\windows\ERDNT\cache\dsound.dll
    [-] 2009-04-11 . 84B8827562B005C118CADBA0F25DB2C6 . 444416 . . [6.0.6000.16386] . . c:\windows\System32\dsound.dll
    [-] 2009-04-11 . 84B8827562B005C118CADBA0F25DB2C6 . 444416 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-audio-dsound_31bf3856ad364e35_6.0.6002.18005_none_5a8737643f04aa4c\dsound.dll
    [7] 2008-01-21 . 8A7B8DA5CA558D2DE47086BB23556543 . 444416 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-audio-dsound_31bf3856ad364e35_6.0.6001.18000_none_589bbe5841e2df00\dsound.dll
    .
    [-] 2009-04-11 . 8AAEEE8E59A70F37579993D118A34EE0 . 1788416 . . [6.0.6002.18005] . . c:\windows\ERDNT\cache\d3d9.dll
    [-] 2009-04-11 . 8AAEEE8E59A70F37579993D118A34EE0 . 1788416 . . [6.0.6002.18005] . . c:\windows\System32\d3d9.dll
    [-] 2009-04-11 . 8AAEEE8E59A70F37579993D118A34EE0 . 1788416 . . [6.0.6002.18005] . . c:\windows\winsxs\x86_microsoft-windows-directx-direct3d9_31bf3856ad364e35_6.0.6002.18005_none_c438e5b15de80145\d3d9.dll
    [7] 2008-01-21 . FAB8F08EC64A54917C07BDB6DC811C95 . 1788928 . . [6.0.6001.18000] . . c:\windows\winsxs\x86_microsoft-windows-directx-direct3d9_31bf3856ad364e35_6.0.6001.18000_none_c24d6ca560c635f9\d3d9.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
    "UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
    "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
    "DVDAgent"="c:\program files\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2008-07-24 1148200]
    "TSMAgent"="c:\program files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2008-08-02 1144104]
    "CLMLServer for HP TouchSmart"="c:\program files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2008-08-02 210216]
    "TVAgent"="c:\program files\Hewlett-Packard\Media\TV\TVAgent.exe" [2008-07-24 468264]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
    "DpAgent"="c:\program files\DigitalPersona\Bin\dpagent.exe" [2009-12-01 842816]
    "ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2010-12-31 378128]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-07-22 458844]
    "Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-6-19 727592]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    R3 Normandy;Normandy SR2; [x]
    S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-12-31 51984]
    S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-12-31 69392]
    S2 {55662437-DA8C-40c0-AADA-2C816A897A49};{55662437-DA8C-40c0-AADA-2C816A897A49};c:\program files\Hewlett-Packard\Media\DVD\000.fcl [2008-07-24 59376]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_e2247046\aestsrv.exe [2009-03-03 81920]
    S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2010-07-16 26168]
    S2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [2008-08-07 361808]
    S2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service [x]
    S2 vfsFPService;Validity Fingerprint Service;c:\windows\system32\vfsFPService.exe [2008-05-26 599344]
    S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
    S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2008-04-28 54784]
    S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2008-07-07 96856]
    S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]
    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-06-26 44064]
    S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-12-31 33552]
    S3 vfs101x;vfs101x;c:\windows\system32\drivers\vfs101x.sys [2008-05-26 40752]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs REG_MULTI_SZ BthServ
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    WindowsMobile REG_MULTI_SZ wcescomm rapimgr
    LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cnnb
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cnnb
    IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    FF - ProfilePath - c:\users\Dave\AppData\Roaming\Mozilla\Firefox\Profiles\uqdpcows.default\
    FF - prefs.js: browser.startup.homepage - www.google.com/mail
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=PCAFSI1143&p=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: DigitalPersona Extension: otis@digitalpersona.com - c:\program files\DigitalPersona\Bin\FirefoxExt
    FF - Ext: DigitalPersona Extension: otis@digitalpersona.com - c:\program files\DigitalPersona\Bin\firefoxext
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: AddonFox: {ad48108d-92a6-4eb9-87e4-978aca1dbae4} - %profile%\extensions\{ad48108d-92a6-4eb9-87e4-978aca1dbae4}
    FF - Ext: Firefox Sync: {340c2bbc-ce74-4362-90b5-7c26312808ef} - %profile%\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-06 13:25
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ThreatFire]
    "AlternateImagePath"=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
    "ImagePath"="\??\c:\program files\Hewlett-Packard\Media\DVD\000.fcl"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(684)
    c:\program files\ThreatFire\TFWAH.dll
    .
    - - - - - - - > 'lsass.exe'(636)
    c:\program files\ThreatFire\TFWAH.dll
    .
    Completion time: 2011-03-06 13:29:08
    ComboFix-quarantined-files.txt 2011-03-06 19:29
    ComboFix2.txt 2011-03-06 17:01
    .
    Pre-Run: 360,961,716,224 bytes free
    Post-Run: 364,076,130,304 bytes free
    .
    - - End Of File - - B15093FB459EDDBA89F51EABCAF6AA8D
     
  15. Broni

    Broni Malware Annihilator Posts: 47,172   +264

  16. radarrider

    radarrider TS Rookie Topic Starter

    I was not able to get Avira to scan. It didn't seem to ever get going. I've spent too much time on this drive so I'm pulling off any files I might need and want to scan that partition when connected to another machine as a non-boot drive.

    Can someone tell me what tools will work best at detecting a rootkit installed on a non-boot drive?

    I'm debating whether to go through the HP recovery process or format the laptop C partition from the desktop and restore an image from well before the infection using Seagate's tool diskwizard (Acronis powered...)

    I'd like to start it off shortly to have a working laptop before the work week cranks up.

    Thanks for the help and any more guidance to killing this thing.
     
  17. Broni

    Broni Malware Annihilator Posts: 47,172   +264

I suggest you create a new topic in the Windows forum.
     