Inactive Automatic pop up ad at IE start up, even with pop-up disabled


bahyi

Recently, I have been experiencing pop-up ads that come up after I open IE even though the Pop-up Blocker is enabled. As I browse, more and more of these pop-up windows come up with different types of ads. Just today, my computer refused to boot up and kept cycling back to the page where you choose to start up in Safe Mode, Safe Mode with Networking, etc. It would not start up normally, it would not revert back to the last good start-up, and Safe Mode with Networking also did not work. I finally picked Safe Mode and chose a restore point dated before these pop-up ads started. When I opened IE, the automatic pop-up once again presented itself. The computer also wouldn't shut down properly, and I had to force it off. I'm not sure if this computer will boot up next time. Please help!!!
 
I also forgot to mention that the computer would restart itself without warning from time to time after this ad started popping up by itself.
 
Not much I can do for you about the possibility of malware until you resolve the startup. Since the Safe Mode options are booting up, I'd like you to let it go into Safe Mode; you won't need the internet for this, so don't choose Safe Mode with Networking:

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

I don't know your operating system, so you may have to vary this slightly:
Right click on the TaskBar> Choose Explore> Right click on My Computer> Properties> Tools> Error Checking> Check now> Check both boxes on the screen that comes up> OK> Click on Yes on the message that displays> Reboot the computer.

The Error Check will start in a few seconds. Let it run until finished. It may take a while and will reboot when through. Hopefully that will fix the improper shut down problems.

If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

You most likely have adware that is generating the popups. Hopefully we can identify and remove it.
 
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6541

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/9/2011 4:43:34 PM
mbam-log-2011-05-09 (16-43-34).txt

Scan type: Quick scan
Objects scanned: 170237
Time elapsed: 35 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Continue on with the rest of the Preliminary Virus and Malware Removal thread
 
GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-09 17:11:32
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD800JB-00JJC0 rev.05.01C05
Running: 7wv9zeyi.exe; Driver: C:\DOCUME~1\camron\LOCALS~1\Temp\fwrdqpog.sys


---- System - GMER 1.0.15 ----

SSDT E1A524C8 ZwConnectPort
SSDT F7DE6736 ZwCreateKey
SSDT F7DE672C ZwCreateThread
SSDT F7DE673B ZwDeleteKey
SSDT F7DE6745 ZwDeleteValueKey
SSDT F7DE674A ZwLoadKey
SSDT F7DE6718 ZwOpenProcess
SSDT F7DE671D ZwOpenThread
SSDT F7DE6754 ZwReplaceKey
SSDT F7DE674F ZwRestoreKey
SSDT F7DE6740 ZwSetValueKey

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[984] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D6000A
.text C:\Program Files\Internet Explorer\iexplore.exe[984] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D7000A
.text C:\Program Files\Internet Explorer\iexplore.exe[984] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A4000C
.text C:\Program Files\Internet Explorer\iexplore.exe[984] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[984] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[984] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[984] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[984] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[984] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[984] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[984] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[984] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\windows\System32\svchost.exe[1156] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0071000A
.text C:\windows\System32\svchost.exe[1156] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A3000A
.text C:\windows\System32\svchost.exe[1156] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0070000C
.text C:\windows\System32\svchost.exe[1156] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0374000A
.text C:\windows\System32\svchost.exe[1156] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00E5000A
.text D:\palmOne\Hotsync.exe[2060] msvcrt.dll!??2@YAPAXI@Z 77C29CC5 5 Bytes JMP 0A93C080 D:\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text D:\palmOne\Hotsync.exe[2060] msvcrt.dll!??3@YAXPAX@Z 77C29CDD 5 Bytes JMP 0A93C0E0 D:\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text D:\palmOne\Hotsync.exe[2060] msvcrt.dll!?set_new_handler@@YAP6AXXZP6AXXZ@Z 77C29D9F 5 Bytes JMP 0A93C110 D:\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text D:\palmOne\Hotsync.exe[2060] msvcrt.dll!_aligned_offset_malloc 77C29DAF 5 Bytes JMP 0A93BFE0 D:\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text D:\palmOne\Hotsync.exe[2060] msvcrt.dll!_aligned_free 77C29E33 5 Bytes JMP 0A93C0E0 D:\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text D:\palmOne\Hotsync.exe[2060] msvcrt.dll!_aligned_malloc 77C29E52 5 Bytes JMP 0A93BFC0 D:\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text D:\palmOne\Hotsync.exe[2060] msvcrt.dll!_aligned_offset_realloc 77C29E6E 5 Bytes JMP 0A93C020 D:\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text D:\palmOne\Hotsync.exe[2060] msvcrt.dll!_aligned_realloc 77C29FC6 5 Bytes JMP 0A93C000 D:\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text D:\palmOne\Hotsync.exe[2060] msvcrt.dll!_expand 77C29FE5 5 Bytes JMP 0A93BFA0 D:\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text D:\palmOne\Hotsync.exe[2060] msvcrt.dll!_heapadd 77C2BC9F 5 Bytes JMP 0A93C160 D:\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text D:\palmOne\Hotsync.exe[2060] msvcrt.dll!_heapchk 77C2BCB3 5 Bytes JMP 0A93C170 D:\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text D:\palmOne\Hotsync.exe[2060] msvcrt.dll!_heapset + 1 77C2BD83 4 Bytes JMP 0A93C191 D:\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text D:\palmOne\Hotsync.exe[2060] msvcrt.dll!_heapmin 77C2BD8C 5 Bytes JMP 0A93C260 D:\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text D:\palmOne\Hotsync.exe[2060] msvcrt.dll!_heapused 77C2BE3A 5 Bytes JMP 0A93C230 D:\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text D:\palmOne\Hotsync.exe[2060] msvcrt.dll!_heapwalk 77C2BE4D 5 Bytes JMP 0A93C1A0 D:\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text D:\palmOne\Hotsync.exe[2060] msvcrt.dll!_msize 77C2BF6C 5 Bytes JMP 0A93BEB0 D:\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text D:\palmOne\Hotsync.exe[2060] msvcrt.dll!calloc 77C2C0C3 5 Bytes JMP 0A93BE50 D:\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text D:\palmOne\Hotsync.exe[2060] msvcrt.dll!free 77C2C21B 5 Bytes JMP 0A93C0E0 D:\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text D:\palmOne\Hotsync.exe[2060] msvcrt.dll!malloc 77C2C407 5 Bytes JMP 0A93BE10 D:\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text D:\palmOne\Hotsync.exe[2060] msvcrt.dll!realloc 77C2C437 5 Bytes JMP 0A93BE90 D:\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\windows\Explorer.EXE[2908] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BE000A
.text C:\windows\Explorer.EXE[2908] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BF000A
.text C:\windows\Explorer.EXE[2908] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B8000C
.text C:\Program Files\Internet Explorer\iexplore.exe[4064] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D7000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4064] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D8000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4064] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D6000C
.text C:\Program Files\Internet Explorer\iexplore.exe[4064] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4064] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9B01 C:\windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4064] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD125 C:\windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4064] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4064] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254664 C:\windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4064] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4064] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4064] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4064] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4064] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4064] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4064] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4064] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBB8 C:\windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4064] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E547F C:\windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\iexplore.exe[4064] @ C:\windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 85F5531B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 85F5531B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 85F5531B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 85F5531B

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG06.00.00.01WORKSTATION

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----
 
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by camron at 17:14:07.73 on Mon 05/09/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.480.106 [GMT -7:00]
.
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\avmwlanstick\WlanNetService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\oodag.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\windows\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\windows\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Wireless Desktop\LgWDskTp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\RFA\rfagent.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\avmwlanstick\wlangui.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\windows\System32\svchost.exe -k HTTPFilter
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\belsta.exe
C:\Program Files\LINKSYS\Configuration Utility\config.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\found.000\dir0023.chk\Plauto.exe
D:\palmOne\Hotsync.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\system32\wuauclt.exe
C:\windows\system32\wuauclt.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\camron\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uLocal Page = c:\windows\pchealth\helpctr\system\panels\blank.htm
uSearch Page =
uSearch Bar =
mLocal Page = c:\windows\pchealth\helpctr\system\panels\blank.htm
uInternet Settings,ProxyOverride = *.local
mSearchAssistant =
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll
TB: Web assistant: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll
TB: JunoBar: {5854fac4-5bf0-47dd-b5a9-a5ea8cff3cf4} -
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Google Update] "c:\documents and settings\camron\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [HKSERV.EXE] c:\program files\sony\hotkey utility\HKserv.exe
mRun: [LgWDskTp] c:\program files\wireless desktop\LgWDskTp.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [URLLSTCK.exe] c:\program files\norton internet security\UrlLstCk.exe
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [rfagent] "c:\program files\rfa\rfagent.exe"
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVMWlanClient] c:\program files\avmwlanstick\wlangui.exe
mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe
mRun: [Seagate Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\camron\startm~1\programs\startup\hotsyn~1.lnk - d:\palmone\Hotsync.exe
StartupFolder: c:\docume~1\camron\startm~1\programs\startup\palmon~1.lnk - d:\programfile\palmone\register.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\CalibAdobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\windows\system32\belsta.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\config~1.lnk - c:\program files\linksys\configuration utility\config.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - d:\palmone\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photol~1.lnk - c:\found.000\dir0023.chk\Plauto.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\program files\quicken\bagent.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - d:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: {09BA8F6D-CB54-424B-839C-C2A6C8E6B436}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~1\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - hxxp://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/cpbrkpie.cab
DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-5-9 11608]
R1 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\savrtpel.sys [2010-3-27 37000]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-5-9 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-5-9 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-5-9 61960]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2005-1-16 255648]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\CCPROXY.EXE [2005-1-16 218736]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2005-1-16 235168]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2009-10-16 431456]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\drivers\dc3d.sys [2011-2-28 44416]
R3 FWLANUSB;AVM FRITZ!WLAN;c:\windows\system32\drivers\fwlanusb.sys [2007-12-19 265088]
R3 HSFHWSIS;HSFHWSIS;c:\windows\system32\drivers\HSFHWSIS.sys [2003-11-21 175744]
R3 navapsvc;Norton AntiVirus Auto Protect Service;c:\program files\norton internet security\norton antivirus\NAVAPSVC.EXE [2010-3-27 158848]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20050317.009\NAVENG.Sys [2005-3-17 73728]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20050317.009\NavEx15.Sys [2005-3-17 631040]
R3 ndcprtns;NDC Network Agent;c:\windows\system32\drivers\Ndcprtns.sys [2005-10-16 9328]
R3 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\savrt.sys [2010-3-27 305288]
R3 SAVScan;SAVScan;c:\program files\norton internet security\norton antivirus\SAVSCAN.EXE [2010-3-27 194272]
R3 SMSCMS;SMSC LPC Memory Stick Host Controller;c:\windows\system32\drivers\SMSCMS.SYS [2003-11-21 58624]
S3 avmeject;AVM Eject;c:\windows\system32\drivers\avmeject.sys [2007-12-19 4352]
S3 BEL;Belkin 11Mbps Wireless LAN Driver;c:\windows\system32\drivers\belnds.sys [2005-10-16 51712]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2005-1-16 87712]
S3 MD1900;GSL MD1900 Electronic Dictionary;c:\windows\system32\drivers\MD1900.sys [2008-3-17 33967]
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [2005-12-11 8960]
S3 WPC11;Instant Wireless Network PC Card V2.0 Driver;c:\windows\system32\drivers\LSWLNDS.sys [2002-5-16 54083]
.
=============== Created Last 30 ================
.
2011-05-09 23:49:34 -------- dc----w- c:\docume~1\camron\applic~1\Avira
2011-05-09 22:38:59 61960 -c--a-w- c:\windows\system32\drivers\avgntflt.sys
2011-05-09 22:38:34 -------- dc----w- c:\program files\Avira
2011-05-09 22:38:34 -------- dc----w- c:\docume~1\alluse~1\applic~1\Avira
2011-05-09 21:07:19 -------- dc----w- c:\windows\system32\wbem\repository\FS
2011-05-09 21:07:19 -------- dc----w- c:\windows\system32\wbem\Repository
2011-04-23 01:51:38 -------- dc----w- c:\docume~1\alluse~1\applic~1\Skype Extras
2011-04-12 19:37:36 398760 -c--a-r- c:\windows\system32\cpnprt2.cid
2011-04-12 19:37:08 -------- dc----w- c:\program files\Coupons
.
==================== Find3M ====================
.
2011-03-18 17:33:19 71072 -c--a-w- c:\windows\CouponPrinter.ocx
2011-03-07 05:33:50 692736 -c--a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 -c--a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 -c--a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 -c--a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 -c--a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 -c----w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 -c--a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 -c--a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 -c--a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 -c--a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 -c--a-w- c:\windows\system32\encdec.dll
2004-10-09 09:26:21 7269227 -c--a-w- c:\program files\NJCWP500.EXE
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800JB-00JJC0 rev.05.01C05 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85F554D0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x85f5b7f0]; MOV EAX, [0x85f5b86c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x85FA0840]
3 CLASSPNP[0xF77A8FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000075[0x85FA1E98]
5 ACPI[0xF76FF620] -> nt!IofCallDriver[0x804E37D5] -> [0x85F2ED98]
\Driver\atapi[0x85F89F38] -> IRP_MJ_CREATE -> 0x85F554D0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x85F5531B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 17:15:40.43 ===============



.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 10/3/2004 11:43:16 PM
System Uptime: 5/9/2011 3:57:49 PM (2 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | PIZZA
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | PGA 478 | 2800/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 30 GiB total, 12.223 GiB free.
D: is FIXED (NTFS) - 45 GiB total, 10.966 GiB free.
E: is Removable
F: is CDROM ()
G: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP888: 4/18/2011 10:18:57 PM - System Checkpoint
RP889: 4/20/2011 11:02:01 AM - System Checkpoint
RP890: 4/21/2011 11:24:25 AM - System Checkpoint
RP891: 4/22/2011 1:50:52 AM - Software Distribution Service 3.0
RP892: 4/23/2011 6:23:34 PM - System Checkpoint
RP893: 4/24/2011 7:35:11 PM - System Checkpoint
RP894: 4/25/2011 10:14:59 PM - System Checkpoint
RP895: 4/26/2011 10:15:55 PM - System Checkpoint
RP896: 4/28/2011 12:18:17 AM - Software Distribution Service 3.0
RP897: 4/29/2011 10:36:42 AM - System Checkpoint
RP898: 4/30/2011 12:45:21 PM - System Checkpoint
RP899: 5/1/2011 1:06:46 PM - System Checkpoint
RP900: 5/2/2011 1:24:34 PM - System Checkpoint
RP901: 5/3/2011 2:26:08 PM - System Checkpoint
RP902: 5/4/2011 4:17:49 PM - System Checkpoint
RP903: 5/5/2011 4:30:00 PM - System Checkpoint
RP904: 5/7/2011 1:41:24 AM - System Checkpoint
RP905: 5/8/2011 11:12:31 AM - System Checkpoint
RP906: 5/9/2011 2:02:55 PM - Restore Operation
RP907: 5/9/2011 3:38:33 PM - Avira AntiVir Personal - 5/9/2011 15:36
.
==== Installed Programs ======================
.
.
1310
1310_Help
1310Tour
1310Trb
Adobe Flash Player 10 ActiveX
Adobe Flash Player 9 ActiveX
Adobe Photoshop Elements 2.0
Adobe Reader 7.0.9
Adobe Reader Chinese Traditional Fonts
AiO_Scan
AiOSoftware
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Avira AntiVir Personal - Free Antivirus
AVM FRITZ!WLAN
Belkin 11Mbps Wireless Desktop Card Installer
Bonjour
BufferChm
Canon MX330 series MP Drivers
Canon Utilities My Printer
Canon Utilities Solution Menu
CC_ccProxyMSI
CC_ccStart
ccCommon
Configuration Utility
Copy
Coupon Printer for Windows
CreativeProjects
CreativeProjectsTemplates
Critical Update for Windows Media Player 11 (KB959772)
CueTour
Destinations
Director
DocProc
DocumentViewer
Epocrates Essentials
Fax
Giga Pocket 5.5
Giga Pocket Demo Movie
Giga Pocket Hardware Library 5.5
Google Chrome
Google Talk (remove only)
Google Talk Plugin
HijackThis 1.99.0
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HotKey Utility
HP Diagnostic Assistant
HP Image Zone 4.2
HP Memories Disc
HP PSC & OfficeJet 4.2
HP Software Update
HPSystemDiagnostics
InstantShare
InterActual Player
InternetCalls
InterVideo WinDVD 5 for VAIO
iPod for Windows 2006-03-23
iTunes
Java 2 Runtime Environment, SE v1.4.2_01
LiveReg (Symantec Corporation)
Logitech® Camera Driver
Malwarebytes' Anti-Malware
Memory Stick Formatter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint 8.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Miranda IM 0.4.0.1
MMDX
MoodLogic
MSRedist
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Music Visualizer Library 1.4.00
NJStar Chinese Word Processor
Norton AntiSpam
Norton AntiVirus
Norton Internet Security
Norton Internet Security (Symantec Corporation)
O&O Defrag Server Edition
OpenMG Secure Module 3.3.01
Overland
Palm Desktop
PCLinq2 High-Speed USB Bridge Cable
Persona Windows 32-bit Client - 4.4a
Photo Loader 2.3E
Photodex Presenter
PhotoGallery
Photosynth 2.0.1519.16
Picasa 3
PrintScreen
ProductContext
QFolder
Quicken 2004
QuickProjects
QuickTime
Readme
RealPlayer
Registry First Aid
Scan
Seagate*DiscWizard
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Segoe UI
SiS Compatible VGA V2.21a
SkinsHP1
Skype™ 5.3
SoftK56 Data Fax
SonicStage 1.6.00
SonicStage Mastering Studio 1.1
SonicStage Mastering Studio Plugins 1.0
SonicStage MP3 Add-on program
Sony Certificate PCH
Sony Download Taxi 1.5.0.0
Sony USB Driver
Sony Utilities DLL
Sony Video Shared Library
The Da Vinci Code (remove only)
TrayApp
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB978506)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
URGE
VAIO Action Setup
VAIO BrightColor Wallpaper
VAIO Help and Support
VAIO Media 2.6
VAIO Media Integrated Server 2.6
VAIO Media Redistribution 2.6
VAIO Registration
VAIO Remote Commander Utility 6.2
VAIO Support
VAIO Survey Standalone
VAIO System Information
Viewpoint Media Player
WebFldrs XP
WebReg
Welcome to VAIO life
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Messenger
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows XP Service Pack 3
Wireless Desktop
WOT for Internet Explorer
.
==== Event Viewer Messages From Past Week ========
.
5/9/2011 3:06:51 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.MFC. Reference error message: The referenced assembly is not installed on your system. .
5/9/2011 3:06:51 PM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\camron\LOCALS~1\Temp\RarSFX0\redist.dll. Reference error message: The operation completed successfully. .
5/9/2011 3:06:50 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.MFC could not be found and Last Error was The referenced assembly is not installed on your system.
5/9/2011 2:13:55 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
5/9/2011 2:13:53 PM, error: Service Control Manager [7034] - The Symantec Settings Manager service terminated unexpectedly. It has done this 1 time(s).
5/9/2011 2:13:53 PM, error: Service Control Manager [7034] - The Symantec Network Proxy service terminated unexpectedly. It has done this 1 time(s).
5/9/2011 2:13:53 PM, error: Service Control Manager [7034] - The Symantec Event Manager service terminated unexpectedly. It has done this 1 time(s).
5/9/2011 2:13:53 PM, error: Service Control Manager [7034] - The Seagate Scheduler2 Service service terminated unexpectedly. It has done this 1 time(s).
5/9/2011 2:13:53 PM, error: Service Control Manager [7034] - The O&O Defrag service terminated unexpectedly. It has done this 1 time(s).
5/9/2011 2:13:53 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
5/9/2011 2:13:53 PM, error: Service Control Manager [7034] - The AVM WLAN Connection Service service terminated unexpectedly. It has done this 1 time(s).
5/9/2011 2:13:53 PM, error: Service Control Manager [7031] - The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
5/9/2011 2:13:53 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
5/9/2011 2:01:51 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
5/9/2011 2:01:29 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/9/2011 2:00:59 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DMICall Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SAVRTPEL SYMTDI Tcpip
5/9/2011 2:00:59 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
5/9/2011 2:00:59 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/9/2011 2:00:59 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/9/2011 2:00:59 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
5/9/2011 2:00:59 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/9/2011 2:00:59 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/6/2011 6:09:13 PM, error: Service Control Manager [7024] - The Symantec Network Proxy service terminated with service-specific error 4294967295 (0xFFFFFFFF).
5/6/2011 6:07:46 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Symantec Settings Manager service to connect.
5/5/2011 8:00:49 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Themes service to connect.
5/5/2011 8:00:49 AM, error: Service Control Manager [7000] - The Themes service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/4/2011 10:19:40 PM, error: System Error [1003] - Error code 1000000a, parameter1 00000004, parameter2 00000002, parameter3 00000001, parameter4 804ede8e.
5/2/2011 9:13:14 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Norton AntiVirus Auto Protect Service service to connect.
5/2/2011 9:13:14 AM, error: Service Control Manager [7000] - The Norton AntiVirus Auto Protect Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/2/2011 9:13:06 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service navapsvc with arguments "-Service" in order to run the server: {142FB276-7C38-4BB4-B475-3F9233B3EFF8}
.
==== End Of File ===========================
 
On a side note, the instructions for error checking did not work. It says unable to check for errors.
 
You have a full Norton Internet Security Suite. Why did you put Avira on the system?
RP907: 5/9/2011 3:38:33 PM - Avira AntiVir Personal - 5/9/2011 15:36

The section of the thread related to this clearly says:
Step 1: Antivirus scanning
If you have a functioning, updating antivirus program, please leave it on the system for now. If you're NOT running any antivirus, you should install one now. Please update the antivirus program and run a full system scan.
Please remove one of these, then reboot the system:
Norton Removal Tool

To uninstall Avira:
  • Start> Settings> Control Panel> Add or Remove Programs (Windows 2000/ XP) or Start - Control Panel - Uninstall a program (Windows Vista / 7)
  • Wait for the list of installed programs to load, then click the name of the Avira program.
  • Click Remove next to the program's name (Windows 2000 / XP) or in the menu above the list (Windows Vista / 7).
  • Press Yes, to confirm the removal and then OK.
  • Click Next until Finish. The software is removed.
================================================
Bootkit Remover:

Download bootkitremover.rar and save to your desktop.
  1. Extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. (Use 7-Zip if you don't have an extraction program.)
  2. Double-click on the remover.exe file to run the program.
    NOTE: The tool should be run from a command line with Administrator privileges.
  3. Scanning should be completed quickly.
  4. Paste the output in your next reply.
===============================================
Follow with Combofix, below. Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan. Uninstall directions, if needed:
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
-----------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop.
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    [image: whatnext.png]
  • Click on Yes, to continue scanning for malware.
  • If Combofix asks you to update the program, allow it.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
===========================================
You have several out-of-date programs. The following should be updated immediately:
Java Updates
Adobe Reader site

After updates, go to Add/Remove Programs in the Control Panel and uninstall any earlier versions of both Java and the Adobe Reader. When you are in Add/Remove Programs, please uninstall HijackThis as it is outdated also.

Question: Are you intentionally loading 2 printers, Canon and HP?



 
Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]


Done;
Press any key to quit...
 
ComboFix 11-05-10.01 - camron 05/11/2011 0:03.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.480.190 [GMT -7:00]
Running from: c:\documents and settings\camron\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\defender.exe
c:\documents and settings\camron\Application Data\shb.dat
c:\documents and settings\camron\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\program files\Common Files\WinSoftware
c:\program files\Common Files\WinSoftware\PrCheck.dll
c:\windows\Down_Temp
c:\windows\Downloaded Program Files\Temp
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\midas.dll
.
Infected copy of c:\windows\system32\imm32.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\imm32.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-04-11 to 2011-05-11 )))))))))))))))))))))))))))))))
.
.
2011-05-11 07:19 . 2011-05-11 07:19 8782 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2011-05-11 07:19 . 2011-05-11 07:19 7271 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2011-05-11 07:19 . 2011-05-11 07:19 23327 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2011-05-11 07:19 . 2011-05-11 07:19 20719 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2011-05-11 06:43 . 2011-05-11 06:43 -------- dc----w- c:\documents and settings\bootkit_remover
2011-05-11 06:33 . 2011-05-11 06:33 -------- dc----w- c:\program files\7-Zip
2011-05-10 01:59 . 2011-05-10 01:59 -------- dcsh--w- c:\documents and settings\Administrator\PrivacIE
2011-05-09 21:07 . 2011-05-09 21:07 -------- dc----w- c:\windows\system32\wbem\Repository
2011-05-09 21:01 . 2011-05-09 21:01 -------- dcsh--w- c:\documents and settings\Administrator\IETldCache
2011-05-06 16:42 . 2011-05-10 01:01 -------- dc----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-04-23 01:51 . 2011-05-07 03:49 -------- dc----w- c:\documents and settings\All Users\Application Data\Skype Extras
2011-04-23 01:50 . 2011-04-23 01:50 -------- dc----w- c:\program files\Common Files\Skype
2011-04-12 19:37 . 2011-04-12 19:37 398760 -c--a-r- c:\windows\system32\cpnprt2.cid
2011-04-12 19:37 . 2011-04-12 19:37 -------- dc----w- c:\program files\Coupons
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-18 17:33 . 2011-02-14 22:05 71072 -c--a-w- c:\windows\CouponPrinter.ocx
2011-03-07 05:33 . 2003-03-03 23:57 692736 -c--a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2003-11-21 22:07 420864 -c--a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2003-11-21 22:07 1857920 -c--a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2003-11-21 22:07 916480 -c--a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2003-11-21 22:07 43520 -c--a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2003-11-21 22:07 1469440 -c----w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2005-10-16 17:28 385024 -c--a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2003-11-21 22:07 455936 -c--a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2003-11-21 22:07 357888 -c--a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-04-16 14:33 5120 -c--a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2003-11-21 22:07 290432 -c--a-w- c:\windows\system32\atmfd.dll
2004-10-09 09:26 . 2004-10-09 09:26 7269227 -c--a-w- c:\program files\NJCWP500.EXE
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2004-07-01 95344]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HKSERV.EXE"="c:\program files\Sony\HotKey Utility\HKserv.exe" [2003-08-14 90112]
"LgWDskTp"="c:\program files\Wireless Desktop\LgWDskTp.exe" [2003-08-04 65536]
"Logitech Utility"="Logi_MwX.Exe" [2003-07-29 19968]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-12-12 71328]
"URLLSTCK.exe"="c:\program files\Norton Internet Security\UrlLstCk.exe" [2003-12-12 70800]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\System32\IME\PINTLGNT\ImScInst.exe" [2003-03-31 59392]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 455168]
"rfagent"="c:\program files\RFA\rfagent.exe" [2005-04-23 330240]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-10-08 221184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"AVMWlanClient"="c:\program files\avmwlanstick\wlangui.exe" [2007-12-20 1748992]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2009-10-16 1325936]
"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2009-10-16 904840]
"Seagate Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2009-10-16 136544]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-07 1848648]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-12-12 722256]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-01-07 1797488]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
.
c:\documents and settings\camron\Start Menu\Programs\Startup\
HotSync Manager.lnk - d:\palmone\Hotsync.exe [2004-6-9 471040]
palmOne Registration.lnk - d:\programfile\palmOne\register.exe [2005-9-19 2367488]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\CalibAdobe Gamma Loader.exe [2004-1-22 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Belkin Wireless LAN Utility.lnk - c:\windows\system32\belsta.exe [2005-10-16 172146]
Configuration Utility.lnk - c:\program files\LINKSYS\Configuration Utility\config.exe [2005-10-16 290816]
HOTSYNCSHORTCUTNAME.lnk - d:\palmone\Hotsync.exe [2004-6-9 471040]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-29 53248]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]
Photo Loader supervisory.lnk - c:\found.000\dir0023.chk\Plauto.exe [2006-1-2 229376]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-10-2 57344]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\camron\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\camron\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [10/16/2009 9:39 AM 431456]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\drivers\dc3d.sys [2/28/2011 11:17 PM 44416]
R3 FWLANUSB;AVM FRITZ!WLAN;c:\windows\system32\drivers\fwlanusb.sys [12/19/2007 5:04 PM 265088]
R3 HSFHWSIS;HSFHWSIS;c:\windows\system32\drivers\HSFHWSIS.sys [11/21/2003 3:07 PM 175744]
R3 ndcprtns;NDC Network Agent;c:\windows\system32\drivers\Ndcprtns.sys [10/16/2005 12:36 PM 9328]
R3 SMSCMS;SMSC LPC Memory Stick Host Controller;c:\windows\system32\drivers\SMSCMS.SYS [11/21/2003 3:07 PM 58624]
S3 avmeject;AVM Eject;c:\windows\system32\drivers\avmeject.sys [12/19/2007 5:04 PM 4352]
S3 BEL;Belkin 11Mbps Wireless LAN Driver;c:\windows\system32\drivers\belnds.sys [10/16/2005 6:03 PM 51712]
S3 MD1900;GSL MD1900 Electronic Dictionary;c:\windows\system32\drivers\MD1900.sys [3/17/2008 4:10 AM 33967]
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [12/11/2005 8:47 PM 8960]
S3 WPC11;Instant Wireless Network PC Card V2.0 Driver;c:\windows\system32\drivers\LSWLNDS.sys [5/16/2002 2:42 PM 54083]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]
.
2011-05-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1201819217-2088249844-2145301736-1005Core.job
- c:\documents and settings\camron\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-13 20:34]
.
2011-05-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1201819217-2088249844-2145301736-1005UA.job
- c:\documents and settings\camron\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-13 20:34]
.
2011-03-01 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2011-01-07 23:56]
.
2011-05-07 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2010-03-28 04:22]
.
2004-10-04 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-11-21 00:12]
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\PCHealth\HelpCtr\System\panels\blank.htm
mLocal Page = c:\windows\PCHealth\HelpCtr\System\panels\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436}
.
- - - - ORPHANS REMOVED - - - -
.
Notify-WgaLogon - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-11 00:22
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800JB-00JJC0 rev.05.01C05 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x85F3331B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG06.00.00.01WORKSTATION"="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"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(856)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2720)
c:\windows\system32\WININET.dll
c:\progra~1\COMMON~1\SYMANT~1\ANTISPAM\asOEHook.dll
c:\program files\Wireless Desktop\LgWndHk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\avmwlanstick\WlanNetService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\System32\oodag.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Sony\HotKey Utility\HKWnd.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\program files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
c:\program files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2011-05-11 00:32:19 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-11 07:32
.
Pre-Run: 12,836,868,096 bytes free
Post-Run: 13,309,530,112 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\windows
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\windows="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 1DF0C33E0F4D5C5F26C3B63344E3C246
 
Run this first please:
  • Open Notepad
  • Copy and paste the text in the codebox into Notepad:

Code:
@ECHO OFF
REM launch the Bootkit Remover fix against the first physical disk in its own window
START remover.exe fix \\.\PhysicalDrive0
EXIT
  • Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
  • Then in the FILE NAME box type fix.bat.
  • Save fix.bat to your Desktop.
  • Double click fix.bat to run it.
    You may see a black box appear; this is normal.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.

When done, run remover.exe again and post its output.

Do NOT reboot computer!
 
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\camron\Desktop>
 
Is the fix.bat supposed to do something? The black box only showed what the previous post said. It didn't do anything after that. Is that normal?
 
Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]


Done;
Press any key to quit...
 
You mean like this?
remover.jpg


It means we haven't found the source of the rootkit yet:

Please download MBRCheck and save to your desktop
  • Double click on MBRCheck.exe to run. (Vista and Windows 7 users will have to confirm the UAC prompt)
  • It will show a Black screen with some information that will contain either the below line if no problem is found:
    [o] Done! Press ENTER to exit...
  • Or you will see more information like below if a problem is found:
    [o] Found non-standard or infected MBR.
    [o] Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
  • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
  • Paste this log to your next message.

By the way, please stay away from the coupon printing site/programs while I'm trying to clean the system. That type of program is known to bring malware.
 
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000007c

Kernel Drivers (total 143):
0x804D7000 \windows\system32\ntoskrnl.exe
0x806EF000 \windows\system32\hal.dll
0x85EE8000 \windows\system32\KDCOM.DLL
0xF7B5C000 \windows\system32\BOOTVID.dll
0xF76F9000 ACPI.sys
0xF7C48000 \windows\System32\DRIVERS\WMILIB.SYS
0xF76E8000 pci.sys
0xF7748000 isapnp.sys
0xF7758000 ohci1394.sys
0xF7768000 \windows\System32\DRIVERS\1394BUS.SYS
0xF7D10000 pciide.sys
0xF79C8000 \windows\System32\DRIVERS\PCIIDEX.SYS
0xF76CA000 pcmcia.sys
0xF7778000 MountMgr.sys
0xF76AB000 ftdisk.sys
0xF79D0000 PartMgr.sys
0xF7788000 VolSnap.sys
0xF7693000 atapi.sys
0xF7798000 disk.sys
0xF77A8000 \windows\System32\DRIVERS\CLASSPNP.SYS
0xF7673000 fltmgr.sys
0xF7661000 sr.sys
0xF79D8000 PxHelp20.sys
0xF764A000 KSecDD.sys
0xF75BD000 Ntfs.sys
0xF7590000 NDIS.sys
0xF7525000 timntr.sys
0xF74CC000 tdrpman.sys
0xF74AD000 snapman.sys
0xF79E0000 SISAGPX.sys
0xF7493000 Mup.sys
0xF7898000 \SystemRoot\System32\DRIVERS\intelppm.sys
0xF7392000 \SystemRoot\System32\DRIVERS\sisgrp.sys
0xF737E000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
0xF78A8000 \SystemRoot\System32\DRIVERS\SMSCMS.sys
0xF7366000 \SystemRoot\System32\DRIVERS\SCSIPORT.SYS
0xF79F8000 \SystemRoot\System32\Drivers\SonyNC.sys
0xF78B8000 \SystemRoot\System32\DRIVERS\imapi.sys
0xF78C8000 \SystemRoot\System32\Drivers\AFS2K.SYS
0xF78D8000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xF78E8000 \SystemRoot\System32\DRIVERS\redbook.sys
0xF7343000 \SystemRoot\System32\DRIVERS\ks.sys
0xF7A60000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xF7318000 \SystemRoot\System32\DRIVERS\HSFHWSIS.sys
0xF7214000 \SystemRoot\System32\DRIVERS\HSF_DP.sys
0xF7179000 \SystemRoot\System32\DRIVERS\HSF_CNXT.sys
0xF7AE8000 \SystemRoot\System32\Drivers\Modem.SYS
0xF70E7000 \SystemRoot\system32\drivers\smwdm.sys
0xF70C3000 \SystemRoot\system32\drivers\portcls.sys
0xF7908000 \SystemRoot\system32\drivers\drmk.sys
0xF7C58000 \SystemRoot\system32\drivers\aeaudio.sys
0xF7A70000 \SystemRoot\System32\DRIVERS\usbohci.sys
0xF709F000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
0xF7AA0000 \SystemRoot\System32\DRIVERS\usbehci.sys
0xF6FE3000 \SystemRoot\System32\DRIVERS\smrt.sys
0xF7928000 \SystemRoot\System32\DRIVERS\STREAM.SYS
0xF7938000 \SystemRoot\System32\DRIVERS\R8139n51.SYS
0xF7948000 \SystemRoot\System32\DRIVERS\nic1394.sys
0xF7D4B000 \SystemRoot\System32\DRIVERS\audstub.sys
0xF79A8000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xF7447000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xF6FCC000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xF79B8000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xF77D8000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xF7A88000 \SystemRoot\System32\DRIVERS\TDI.SYS
0xF6F1B000 \SystemRoot\System32\DRIVERS\psched.sys
0xF77E8000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xF7AB8000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xF7AC8000 \SystemRoot\System32\DRIVERS\raspti.sys
0xF77F8000 \SystemRoot\System32\DRIVERS\termdd.sys
0xF7AE0000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xF7AF8000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xF7C76000 \SystemRoot\System32\DRIVERS\swenum.sys
0xF6EBD000 \SystemRoot\System32\DRIVERS\update.sys
0xF742F000 \SystemRoot\System32\DRIVERS\mssmbios.sys
0xF7808000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7858000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xF7C84000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xF7C88000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7DAD000 \SystemRoot\System32\Drivers\Null.SYS
0xF7C8C000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7A68000 \SystemRoot\System32\DRIVERS\HIDPARSE.SYS
0xF7A80000 \SystemRoot\System32\drivers\vga.sys
0xF7C90000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7C94000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7A98000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7AB0000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF745B000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xF023A000 \SystemRoot\System32\DRIVERS\ipsec.sys
0xF01E1000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xF01A1000 \SystemRoot\System32\Drivers\SYMTDI.SYS
0xF017B000 \SystemRoot\System32\DRIVERS\ipnat.sys
0xF78F8000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xF00C8000 \??\d:\found.000\dir0008.chk\SYMEVENT.SYS
0xF7968000 \SystemRoot\System32\DRIVERS\arp1394.sys
0xF00A0000 \SystemRoot\System32\DRIVERS\netbt.sys
0xF007E000 \SystemRoot\System32\drivers\afd.sys
0xF7978000 \SystemRoot\System32\DRIVERS\netbios.sys
0xF6EB9000 \SystemRoot\system32\drivers\srvkp.sys
0xF7998000 \??\C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVRTPEL.SYS
0xF002B000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xF7AF0000 \SystemRoot\System32\DRIVERS\USBSTOR.SYS
0xEFFBB000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xF6FBC000 \SystemRoot\System32\Drivers\Fips.SYS
0xF7DAF000 \SystemRoot\System32\DRIVERS\DMICall.sys
0xF7A48000 \SystemRoot\System32\DRIVERS\usbccgp.sys
0xF6F7C000 \SystemRoot\system32\DRIVERS\dc3d.sys
0xF6F6C000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xEFF4A000 \SystemRoot\System32\Drivers\wdf01000.sys
0xF6F5C000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF7463000 \SystemRoot\System32\DRIVERS\hidusb.sys
0xF6F4C000 \SystemRoot\System32\DRIVERS\HIDCLASS.SYS
0xEFF09000 \SystemRoot\system32\DRIVERS\fwlanusb.sys
0xEFEF1000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7CBC000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF005A000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7A28000 \SystemRoot\System32\watchdog.sys
0xF010B000 \SystemRoot\System32\Drivers\LHidUsb.Sys
0xF743B000 \SystemRoot\System32\Drivers\LCcFltr.Sys
0xF6EA1000 \SystemRoot\System32\DRIVERS\kbdhid.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7D65000 \SystemRoot\System32\drivers\dxgthk.sys
0xF7A78000 \SystemRoot\System32\DRIVERS\LHidFlt2.Sys
0xF4281000 \SystemRoot\System32\DRIVERS\mouhid.sys
0xEFDF2000 \SystemRoot\System32\DRIVERS\LMouFlt2.Sys
0xF6FAC000 \SystemRoot\system32\DRIVERS\point32.sys
0xBF012000 \SystemRoot\System32\SiSGRV.dll
0xBF11A000 \SystemRoot\System32\ATMFD.DLL
0xEFE13000 \SystemRoot\system32\DRIVERS\tifsfilt.sys
0xEFAD5000 \SystemRoot\System32\DRIVERS\mrxdav.sys
0xEF875000 \SystemRoot\System32\DRIVERS\srv.sys
0xEFAB9000 \SystemRoot\System32\DRIVERS\mdmxsdk.sys
0xEF3B0000 \SystemRoot\system32\drivers\wdmaud.sys
0xEF65D000 \SystemRoot\system32\drivers\sysaudio.sys
0xEF579000 \SystemRoot\System32\Drivers\SYMREDRV.SYS
0xEEFA9000 \SystemRoot\System32\Drivers\HTTP.sys
0xF7CDC000 \SystemRoot\system32\drivers\ndcprtns.sys
0xEE48E000 \SystemRoot\system32\drivers\kmixer.sys
0xEE1DA000 \??\C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVRT.SYS
0xEDDE1000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050317.009\NavEx15.Sys
0xEDDD0000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050317.009\NAVENG.Sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 64):
0 System Idle Process
4 System
504 C:\WINDOWS\system32\smss.exe
572 csrss.exe
784 C:\WINDOWS\system32\winlogon.exe
832 C:\WINDOWS\system32\services.exe
844 C:\WINDOWS\system32\lsass.exe
996 C:\WINDOWS\system32\svchost.exe
1076 svchost.exe
1144 C:\WINDOWS\system32\svchost.exe
1232 svchost.exe
1292 svchost.exe
1348 C:\WINDOWS\system32\spoolsv.exe
1432 svchost.exe
1464 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1496 C:\Program Files\avmwlanstick\WLanNetService.exe
1528 C:\Program Files\Bonjour\mDNSResponder.exe
1560 C:\Program Files\Common Files\Symantec Shared\CCPROXY.EXE
1592 C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
1632 C:\Program Files\Java\jre6\bin\jqs.exe
1708 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
1756 C:\WINDOWS\system32\oodag.exe
1812 C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
1880 C:\WINDOWS\system32\svchost.exe
1912 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
1992 C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
2400 C:\WINDOWS\explorer.exe
2480 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
2776 alg.exe
3188 C:\Program Files\Sony\HotKey Utility\HKServ.exe
3244 C:\Program Files\Wireless Desktop\LgWDskTp.exe
3484 C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
3540 C:\Program Files\RFA\rfagent.exe
3552 C:\WINDOWS\system32\LVCOMSX.EXE
3568 C:\Program Files\avmwlanstick\WLanGUI.exe
3576 C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
3592 C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
3600 C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
3616 C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
3644 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
3656 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
3664 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
3672 C:\Program Files\iTunes\iTunesHelper.exe
3680 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3712 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
3720 C:\Program Files\Sony\HotKey Utility\HKWnd.exe
3740 C:\WINDOWS\system32\svchost.exe
3804 C:\WINDOWS\system32\ctfmon.exe
588 C:\WINDOWS\system32\belsta.exe
628 C:\Program Files\LINKSYS\Configuration Utility\Config.exe
648 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
696 C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
728 C:\found.000\dir0023.chk\Plauto.exe
1488 D:\palmOne\Hotsync.exe
2224 C:\Program Files\iPod\bin\iPodService.exe
2984 wmiprvse.exe
3200 C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
3752 C:\Program Files\Internet Explorer\iexplore.exe
4060 C:\Program Files\Internet Explorer\iexplore.exe
1196 C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE
2560 C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVSCAN.EXE
848 C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
1276 C:\Program Files\Messenger\msmsgs.exe
3408 C:\Documents and Settings\camron\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000007`805e9800 (NTFS)

PhysicalDrive0 Model Number: WDCWD800JB-00JJC0, Rev: 05.01C05

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
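Both MBR tool outputs above rest on the same check: Bootkit Remover's "Controlled by rootkit!" and MBRCheck's "Windows XP MBR code detected" with its SHA1 come from reading sector 0 of the disk, confirming the 0x55AA signature, hashing the boot-code bytes against a known-good set, and reading the partition table (which is where the "\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00" line comes from: LBA 63 x 512 bytes). The Python below is an added example, not code from either tool or from anyone in this thread. The MBR bytes are constructed, the allowlist is built from that constructed sample rather than from any real Windows hash, and hashing exactly the 446-byte boot-code area is an assumption, since the page does not state which bytes MBRCheck feeds into its SHA1.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445 hold the boot loader code
PARTITION_TABLE_OFFSET = 446  # four 16-byte entries follow the boot code
MBR_SIGNATURE = b"\x55\xaa"   # bytes 510..511
ENTRY_FORMAT = "<B3sB3sII"    # status, CHS start, type, CHS end, start LBA, sector count


def build_sample_mbr(partitions, boot_code=b"\xeb\xfe"):
    """Build a 512-byte MBR for demonstration.

    This is a constructed sample, not an image of any real disk. `partitions`
    is a list of (start_lba, sector_count); the default boot code is a two-byte
    'jmp $' stub padded with zeros.
    """
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")
    table = b""
    for i in range(4):
        if i < len(partitions):
            lba, count = partitions[i]
            status = 0x80 if i == 0 else 0x00  # first entry marked active
            # CHS fields are set to 0xFFFFFF (LBA-only), type 0x07 = NTFS
            table += struct.pack(ENTRY_FORMAT, status, b"\xff\xff\xff", 0x07,
                                 b"\xff\xff\xff", lba, count)
        else:
            table += b"\x00" * 16
    return code + table + MBR_SIGNATURE


def parse_mbr(mbr):
    """Return the boot-code hash and partition layout of one 512-byte sector."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    boot_code = mbr[:BOOT_CODE_SIZE]
    partitions = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FORMAT, mbr[start:start + 16])
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "start_lba": lba,
            "byte_offset": lba * SECTOR_SIZE,   # what the tools print as "at offset"
            "size_bytes": count * SECTOR_SIZE,
        })
    return {
        "signature_ok": mbr[510:512] == MBR_SIGNATURE,
        "boot_code_sha1": hashlib.sha1(boot_code).hexdigest().upper(),
        "partitions": partitions,
    }


def classify_mbr(mbr, known_good):
    """Compare the boot-code hash against an allowlist of clean hashes.

    `known_good` maps an uppercase SHA1 to a label; a defender populates it
    from disks known to be clean. Anything not on the list is reported as
    non-standard, which is the same signal the tools in this thread give.
    """
    report = parse_mbr(mbr)
    if not report["signature_ok"]:
        report["verdict"] = "invalid: 0x55AA signature missing"
    elif report["boot_code_sha1"] in known_good:
        report["verdict"] = "known-good boot code: " + known_good[report["boot_code_sha1"]]
    else:
        report["verdict"] = "non-standard boot code: hash not on allowlist"
    return report


if __name__ == "__main__":
    # Constructed layout mirroring the offsets reported above:
    # C: at LBA 63 (0x7e00 bytes) and D: at LBA 0x3C02F4C (0x7805e9800 bytes).
    sample = build_sample_mbr([(63, 100000), (0x3C02F4C, 100000)])
    clean_hash = parse_mbr(sample)["boot_code_sha1"]
    for label, allowlist in (("with allowlist", {clean_hash: "reference image"}),
                             ("empty allowlist", {})):
        r = classify_mbr(sample, allowlist)
        print(label, "->", r["verdict"])
        for p in r["partitions"]:
            print("  partition %d at offset 0x%x, bootable=%s"
                  % (p["index"], p["byte_offset"], p["bootable"]))
```

On a live Windows machine the 512 bytes would come from opening \\.\PhysicalDrive0 with administrator rights, and the allowlist from the same read taken on a known-clean install of the same Windows version; the value of the check is that a bootkit which hides its loader, as the "Controlled by rootkit!" line reports, changes the boot-code bytes and therefore the hash, while the partition table it leaves in place still parses normally.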
 
Well, that shows 2 clean drives!

Question about:
On a side note, the instructions for error checking did not work. It says unable to check for errors.
Did you close the message that came up ("can't do error check- did you want to schedule it after next reboot") when you clicked on Apply? Then reboot. That's what you have to do.

Do that please. Then let me know how the system is doing. The error check may take a while- don't interrupt it- let it finish- it will reboot when done> hopefully into Normal Mode.
 
The 'Tools' option is no longer available under 'Properties' for 'My Computer'. What does that mean?

Also, the ads are still popping up, and worse than before, one after another. I end up with a bunch of windows stacked up, all ads. That's only from opening IE. HELP!!!
 
You have a program installed and running named Registry First Aid. Please either uninstall it or disable it.
===================================
If you already downloaded the following and it's on the desktop, okay to use it- but be sure to update before scan. If not, follow download and scan instructions below:

Malwarebytes' Anti-Malware
  • Please download Malwarebytes' Anti-Malware from HERE
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    [o] Update Malwarebytes' Anti-Malware
    [o] and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Click on Format> Uncheck 'Word Wrap'. Please paste this log with your reply.
    [o] If you accidentally close it, the log file is saved here and will be named like this:
    [o] C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
========================
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on the download image to download the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the ESET Smart Installer icon on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

Don't know why we've gotten this far without either of these scans!
 
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6613

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/18/2011 10:21:26 PM
mbam-log-2011-05-18 (22-21-26).txt

Scan type: Quick scan
Objects scanned: 182437
Time elapsed: 39 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
ESET blanked out about a third into the scan. It had detected 1 infection by then, but the window went all white later on and didn't come back....redo?
 