[Closed] Computer infected: Keep getting Trojan:Win32/Sirefef.AH and Pup.MyWebSE


Boker

This computer has had issues for awhile and has been used by many people. Am running Microsoft Security Essentials and MWB. I have tried cleaning the computer and running MWB but these two keep popping back up. When I open IE I am redirected and have not been able to open Firefox at all. A friend told me about you so I thought I'd give it a shot before I shoot the computer...no really, can you help?
 
I'll be glad to help with the malware. Is it possible to limit the use of the system to just yourself while I'm helping you?

MyWebSearch will show up in Malwarebytes. In addition to having Mbam remove those entries:
Go to Add/Remove Programs> Look for any of the following:
* My Web Search (Smiley Central or FWP product as applicable)
* My Way Speedbar (Smiley Central or other FWP as applicable)
* My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
* My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
* Search Assistant - My Way

If any of the above are installed, uninstall them. Then use Windows Explorer to access Computer> Local Drive(C)> Programs> find the program Folder for each of the programs you uninstalled and do a Right Click> Delete.
=========================================
Please follow these steps: Preliminary Virus and Malware Removal.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply .
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
===================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't follow directions given to someone else
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
Threads are closed after 5 days if there is no reply.
 
Reformat/reinstall

In reading your threads it appears we should probably reinstall, but I have some questions. First, my name is Patty, I am helping my husband with his computer as he doesn't navigate through programs, folders, etc. very well. I will communicate with you through my laptop except to do what is necessary on his pc. In the past several people have used his computer and God only knows what is on it. It has been running slow for a very long time, but this particular infection seems to have appeared in the last day or two.
I'm thinking we need to do a complete reinstall as my husband does access his bank account from that computer. However, I was wondering if we should do the five step preliminary removal and send you the logs before we do that. We are not planning on saving anything on the computer because I'm afraid that if it is the wrong kind of trojan it may have infected the music, pictures, etc. What is your opinion on this?
Also, can you provide a link that might help me with the reinstall process? I have not done one before and would like all the help I can get. I am not super with a computer, but can navigate around pretty well and should be able to pull this off.
Thank you for your time.
 
Patty, why don't you run the preliminary scan so I can see the extent of the infection? I can also check what security is on the system.
==========================================
About (Sirefef) rootkit
  • You receive the message "Error communicating with kernel"
  • You believe you are infected with a rogue antivirus such as "Open Cloud Security"
  • This malware is also known as "Sirefef" and "Max++" and ESET detects this and its many variants as Win32/Sirefef
=============================================
If the infection is extensive enough, I will easily recommend the reformat/reinstall if I think that's what needs to be done. And I will give you a good reference site to take you through.
 
logs

Here you go, hope I got this right. I also included a log for MWB from a scan done the day before.
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.04.09.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
HP_Administrator :: SIEGFREIDS [administrator]

4/9/2012 10:28:03 AM
mbam-log-2012-04-09 (10-28-03).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 383707
Time elapsed: 4 hour(s), 42 minute(s), 36 second(s)

Memory Processes Detected: 1
C:\WINDOWS\svcs.exe (Trojan.Downloader) -> 824 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 8
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8C875948-9C60-4381-9248-0DF180542D53} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NETWORKLOG (Trojan.Downloader) -> Quarantined and deleted successfully.
HKLM\System\CurrentControlSet\Services\tnidriver (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKLM\SYSTEM\CurrentControlSet\Services\NetworkLog|ImagePath (Trojan.Downloader) -> Data: C:\WINDOWS\svcs.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 7
C:\Documents and Settings\HP_Administrator\Application Data\ErrorSmart (Rogue.ErrorSmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\ErrorSmart\Log (Rogue.ErrorSmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\ErrorSmart\Registry Backups (Rogue.ErrorSmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\PrivacyControl (Rogue.PrivacyControl) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\PrivacyControl\Log (Rogue.PrivacyControl) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\PrivacyControl\Registry Backups (Rogue.PrivacyControl) -> Quarantined and deleted successfully.
C:\Program Files\ErrorSmart (Rogue.ErrorSmart) -> Quarantined and deleted successfully.

Files Detected: 3
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\svcs.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\HP_Administrator\Application Data\ErrorSmart\Registry Backups\2008-02-22_08-01-39.reg (Rogue.ErrorSmart) -> Quarantined and deleted successfully.

(end)
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.10.11

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
HP_Administrator :: SIEGFREIDS [administrator]

4/10/2012 8:34:36 PM
mbam-log-2012-04-10 (20-34-36).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 231256
Time elapsed: 23 minute(s), 28 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-04-11 09:18:31
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17 Maxtor_6L200M0 rev.BANC1G10
Running: c77pvzlg[1].exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\ufdiyfod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Process C:\WINDOWS\system32\ping.exe (*** hidden *** ) 192
Process C:\WINDOWS\system32\ping.exe (*** hidden *** ) 3776

---- EOF - GMER 1.0.15 ----
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by HP_Administrator at 9:36:11 on 2012-04-11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.96 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: AVG Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\iWin Games\iWinTrusted.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
 
Patty, there is a second log from DDS. It's named Attach.txt. It should also be pasted in a reply and not zipped.
============================================
There is one entry in Mbam that shows it wasn't removed:
Registry Keys Detected: 8
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> No action taken.
This usually means the entry was on a flash drive. If you have been using a flash drive, you should disinfect it:

Please disinfect all movable drives
  1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings
  3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  4. Wait until it has finished scanning and then exit the program.
  5. Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
=================
I'd like you to run Combofix- but it won't run with AVG. You will need to temporarily uninstall AVG as follows:

Download AppRemover and save to the desktop
  1. Double click the setup on the desktop> click Next
  2. Select “Remove Security Application”
  3. Let scan finish to determine security apps
  4. A screen listing the detected security applications will appear (screenshot omitted)
  5. Click on Next after choice has been made
  6. Check the AVG program you want to uninstall
  7. After uninstall shows complete, follow online prompts to Exit the program.

Temporary AV: Use one:
Microsoft Security Essentials
Comodo AV
Avast! Free Antivirus
=============================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Before you run the Combofix scan, please disable any security software you have running.

Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • If prompted for Recovery Console, please allow.
  • Once installed, you should see a blue screen prompt that says:
    • The Recovery Console was successfully installed.
    • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
    • Note: No query will be made if the Recovery Console is already on the system.
  • Close/disable all anti virus and anti malware programs
    (If you need help with this, please see HERE)
  • Close any open browsers.
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • When the scan completes, a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply.
Re-enable your Antivirus software.
Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please also include the logs from Combofix and Eset.

Mbam appears to have removed a good deal of the malware. The 2 scans above should also find any remaining entries. Let's continue.
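The helper's point above is that a Malwarebytes entry ending in "No action taken" was never remediated, and that the GMER "Processes" section is showing two hidden ping.exe processes. The following is an added triage script, not code from the thread, from Malwarebytes or from GMER. It parses the line format used by the Malwarebytes 1.6x logs pasted above (`item (Detection.Name) -> [pid | Data: ...] -> action.`) and GMER's `Process <path> (*** hidden *** ) <pid>` lines, flags every entry whose action is not a completed or pending removal, and checks that each "X Detected: N" header actually has N entries under it, which catches a truncated paste. The sample log text embedded in the script is constructed (modeled on the posted logs, with one section deliberately short) and is an assumption, not the poster's real log.

```python
import re
from dataclasses import dataclass

# Constructed sample, modeled on the Malwarebytes 1.6x log pasted earlier in
# this thread (not the actual log). "Files Detected: 3" deliberately has only
# two entries beneath it, to show how a truncated paste is caught.
MBAM_SAMPLE = r"""
Memory Processes Detected: 1
C:\WINDOWS\svcs.exe (Trojan.Downloader) -> 824 -> Delete on reboot.

Registry Keys Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> No action taken.
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NETWORKLOG (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKLM\SYSTEM\CurrentControlSet\Services\NetworkLog|ImagePath (Trojan.Downloader) -> Data: C:\WINDOWS\svcs.exe -> Quarantined and deleted successfully.

Files Detected: 3
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\svcs.exe (Trojan.Downloader) -> Delete on reboot.
"""

# Constructed sample modeled on the GMER "Processes" section pasted above.
GMER_SAMPLE = r"""
---- Processes - GMER 1.0.15 ----

Process C:\WINDOWS\system32\ping.exe (*** hidden *** ) 192
Process C:\WINDOWS\system32\ping.exe (*** hidden *** ) 3776

---- EOF - GMER 1.0.15 ----
"""

# Action strings as Malwarebytes 1.6x prints them in the logs above.
DONE = "Quarantined and deleted successfully"
PENDING = "Delete on reboot"

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[A-Za-z0-9.]+)\) -> (?P<rest>.+)\.$")
GMER_PROC_RE = re.compile(r"^Process (?P<path>.+?) \(\*\*\* hidden \*\*\* \) (?P<pid>\d+)$")


@dataclass(frozen=True)
class Detection:
    section: str  # e.g. "Registry Keys"
    item: str     # file path or registry key/value
    name: str     # detection name, e.g. "PUP.MyWebSearch"
    action: str   # what Malwarebytes reports it did
    extra: str    # PID or "Data: ..." field between item and action, if any


@dataclass
class MbamReport:
    detections: list
    declared: dict  # section name -> count from the "X Detected: N" header


def parse_mbam(text):
    """Parse the detection entries of a Malwarebytes 1.6x log."""
    detections, declared, section = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            declared[section] = int(m.group("count"))
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            parts = m.group("rest").split(" -> ")
            detections.append(Detection(section, m.group("item"), m.group("name"),
                                        parts[-1], " -> ".join(parts[:-1])))
    return MbamReport(detections, declared)


def unresolved(report):
    """Entries Malwarebytes neither removed nor scheduled for removal."""
    return [d for d in report.detections if d.action not in (DONE, PENDING)]


def pending_reboot(report):
    """Entries that only go away after the reboot Malwarebytes asked for."""
    return [d for d in report.detections if d.action == PENDING]


def count_mismatches(report):
    """(section, declared, found) for headers whose count does not match."""
    seen = {}
    for d in report.detections:
        seen[d.section] = seen.get(d.section, 0) + 1
    return [(s, n, seen.get(s, 0)) for s, n in report.declared.items() if seen.get(s, 0) != n]


def gmer_hidden_processes(text):
    """(path, pid) for every process GMER marked as hidden."""
    return [(m.group("path"), int(m.group("pid")))
            for m in (GMER_PROC_RE.match(l.strip()) for l in text.splitlines()) if m]


def triage(mbam_text, gmer_text):
    report = parse_mbam(mbam_text)
    hidden = gmer_hidden_processes(gmer_text)
    summary = {
        "unresolved": unresolved(report),
        "pending_reboot": pending_reboot(report),
        "truncated_sections": count_mismatches(report),
        "hidden_processes": hidden,
    }
    # Anything left unremoved or hidden from the OS means the cleanup is not done.
    summary["needs_followup"] = bool(summary["unresolved"] or hidden)
    return summary


if __name__ == "__main__":
    for key, value in triage(MBAM_SAMPLE, GMER_SAMPLE).items():
        print(f"{key}: {value}")
```

Run it against a pasted log by replacing the two constructed samples with the file contents; a non-empty `truncated_sections` means the poster cut lines out of the log, and a non-empty `hidden_processes` list is the kind of GMER result that, on this thread, led the helper to move on to Combofix rather than treat the Malwarebytes run as sufficient.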
 
DDS Zip

Sorry, thought I got that one...I'll work on the other ones this evening. Thank you.


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 7/21/2005 8:11:22 PM
System Uptime: 4/11/2012 4:07:12 PM (0 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | Goldfish3
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | CPU 1 | 3000/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 179 GiB total, 130.045 GiB free.
D: is FIXED (FAT32) - 7 GiB total, 0.868 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP943: 1/12/2012 1:59:06 PM - Software Distribution Service 3.0
RP944: 1/13/2012 10:23:57 PM - Software Distribution Service 3.0
RP945: 1/15/2012 9:59:53 AM - Software Distribution Service 3.0
RP946: 1/16/2012 10:11:40 AM - Software Distribution Service 3.0
RP947: 1/17/2012 10:21:24 AM - Software Distribution Service 3.0
RP948: 1/18/2012 2:00:14 PM - Software Distribution Service 3.0
RP949: 1/19/2012 2:06:43 PM - Software Distribution Service 3.0
RP950: 1/20/2012 6:35:25 PM - Software Distribution Service 3.0
RP951: 1/22/2012 10:28:13 AM - Software Distribution Service 3.0
RP952: 1/23/2012 10:31:20 AM - Software Distribution Service 3.0
RP953: 1/24/2012 9:36:06 AM - Software Distribution Service 3.0
RP954: 1/24/2012 11:34:40 AM - Software Distribution Service 3.0
RP955: 1/25/2012 3:42:28 PM - Software Distribution Service 3.0
RP956: 1/26/2012 6:18:31 PM - Software Distribution Service 3.0
RP957: 1/27/2012 6:32:01 PM - Software Distribution Service 3.0
RP958: 1/28/2012 9:46:13 AM - Software Distribution Service 3.0
RP959: 1/29/2012 11:11:01 AM - Software Distribution Service 3.0
RP960: 1/30/2012 6:55:41 PM - Software Distribution Service 3.0
RP961: 1/31/2012 9:10:40 AM - Software Distribution Service 3.0
RP962: 1/31/2012 11:38:51 PM - Software Distribution Service 3.0
RP963: 2/2/2012 9:24:59 AM - Software Distribution Service 3.0
RP964: 2/3/2012 1:20:49 PM - Software Distribution Service 3.0
RP965: 2/4/2012 6:41:20 PM - Software Distribution Service 3.0
RP966: 2/6/2012 9:54:30 AM - Software Distribution Service 3.0
RP967: 2/7/2012 11:33:30 AM - Software Distribution Service 3.0
RP968: 2/8/2012 3:05:36 PM - Software Distribution Service 3.0
RP969: 2/9/2012 3:25:11 PM - Software Distribution Service 3.0
RP970: 2/11/2012 2:34:55 AM - Software Distribution Service 3.0
RP971: 2/12/2012 9:55:00 AM - Software Distribution Service 3.0
RP972: 2/14/2012 3:08:16 PM - Software Distribution Service 3.0
RP973: 2/15/2012 10:20:52 AM - Software Distribution Service 3.0
RP974: 2/15/2012 3:13:13 PM - Software Distribution Service 3.0
RP975: 2/15/2012 3:38:51 PM - Software Distribution Service 3.0
RP976: 2/17/2012 7:57:54 AM - Software Distribution Service 3.0
RP977: 2/18/2012 10:08:25 AM - Software Distribution Service 3.0
RP978: 2/19/2012 7:17:12 PM - Software Distribution Service 3.0
RP979: 2/20/2012 10:39:20 PM - Software Distribution Service 3.0
RP980: 2/21/2012 11:47:59 PM - Software Distribution Service 3.0
RP981: 2/23/2012 1:24:10 PM - Software Distribution Service 3.0
RP982: 2/25/2012 8:08:37 AM - Software Distribution Service 3.0
RP983: 2/26/2012 8:44:43 AM - Software Distribution Service 3.0
RP984: 2/26/2012 9:08:41 AM - Removed Adobe Reader 9.5.0.
RP985: 2/26/2012 9:10:55 AM - Removed Apple Application Support
RP986: 2/27/2012 8:05:26 AM - Software Distribution Service 3.0
RP987: 2/27/2012 9:25:27 AM - Printer Driver Microsoft XPS Document Writer Installed
RP988: 2/27/2012 9:35:48 AM - Software Distribution Service 3.0
RP989: 2/27/2012 9:44:42 AM - Software Distribution Service 3.0
RP990: 2/27/2012 3:18:35 PM - Software Distribution Service 3.0
RP991: 2/28/2012 9:17:22 AM - Software Distribution Service 3.0
RP992: 2/29/2012 9:16:20 AM - Software Distribution Service 3.0
RP993: 3/1/2012 10:19:13 AM - Software Distribution Service 3.0
RP994: 3/2/2012 10:26:57 AM - Software Distribution Service 3.0
RP995: 3/3/2012 8:51:42 PM - Software Distribution Service 3.0
RP996: 3/4/2012 10:43:43 PM - Software Distribution Service 3.0
RP997: 3/6/2012 9:50:36 AM - Software Distribution Service 3.0
RP998: 3/7/2012 11:04:57 AM - Software Distribution Service 3.0
RP999: 3/9/2012 8:21:42 AM - Software Distribution Service 3.0
RP1000: 3/11/2012 10:16:16 AM - Software Distribution Service 3.0
RP1001: 3/12/2012 1:06:37 PM - Software Distribution Service 3.0
RP1002: 3/12/2012 2:42:11 PM - Installed Adobe Reader X (10.1.2).
RP1003: 3/13/2012 1:46:35 PM - Software Distribution Service 3.0
RP1004: 3/14/2012 6:55:04 AM - Software Distribution Service 3.0
RP1005: 3/14/2012 5:52:37 PM - Software Distribution Service 3.0
RP1006: 3/14/2012 5:54:15 PM - Software Distribution Service 3.0
RP1007: 3/15/2012 8:22:19 PM - Software Distribution Service 3.0
RP1008: 3/17/2012 12:58:43 AM - Software Distribution Service 3.0
RP1009: 3/18/2012 9:25:44 AM - Software Distribution Service 3.0
RP1010: 3/19/2012 10:19:34 AM - Software Distribution Service 3.0
RP1011: 3/20/2012 12:11:18 PM - Software Distribution Service 3.0
RP1012: 3/20/2012 12:24:40 PM - Software Distribution Service 3.0
RP1013: 3/22/2012 10:08:50 AM - Software Distribution Service 3.0
RP1014: 3/23/2012 4:00:26 PM - Software Distribution Service 3.0
RP1015: 3/25/2012 9:06:34 AM - Software Distribution Service 3.0
RP1016: 3/26/2012 11:25:32 AM - Software Distribution Service 3.0
RP1017: 3/27/2012 3:13:16 PM - Software Distribution Service 3.0
RP1018: 3/29/2012 8:50:18 AM - Software Distribution Service 3.0
RP1019: 3/31/2012 2:42:06 AM - Software Distribution Service 3.0
RP1020: 4/1/2012 9:04:39 AM - Software Distribution Service 3.0
RP1021: 4/2/2012 10:26:20 AM - Software Distribution Service 3.0
RP1022: 4/3/2012 4:54:22 PM - Software Distribution Service 3.0
RP1023: 4/4/2012 10:40:17 PM - Software Distribution Service 3.0
RP1024: 4/5/2012 11:23:26 PM - Software Distribution Service 3.0
RP1025: 4/7/2012 1:00:39 AM - Software Distribution Service 3.0
RP1026: 4/8/2012 9:33:11 AM - Software Distribution Service 3.0
RP1027: 4/8/2012 9:37:37 AM - Software Distribution Service 3.0
RP1028: 4/9/2012 12:55:30 AM - Software Distribution Service 3.0
RP1029: 4/9/2012 10:07:48 AM - Installed Microsoft Fix it 50525
RP1030: 4/9/2012 10:14:44 AM - Software Distribution Service 3.0
RP1031: 4/9/2012 6:12:41 PM - Software Distribution Service 3.0
RP1032: 4/10/2012 1:33:02 PM - Software Distribution Service 3.0
RP1033: 4/11/2012 4:20:34 PM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
5600
5600_Help
5600Trb
Ad-Aware
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.2)
Adobe Shockwave Player
Advanced Registry Optimizer
Agere Systems PCI Soft Modem
AiO_Scan
AiOSoftware
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Boggle
Bonjour
CameraDrivers
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
DeviceFunctionQFolder
DocProc
DocumentViewer
DocumentViewerQFolder
Fax
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
HP Deskjet Preloaded Printer Drivers
HP Document Viewer 5.3
HP Image Zone Express
HP Officejet 5600 series
HP Photosmart Cameras 4.0
HP PSC & OfficeJet 5.3.B
HP PSC 2350 series
HP Smart Web Printing 4.60
HP Tunes
HP Update
HPProductAssistant
HpSdpAppCoreApp
HPSSupply
Intel(R) Graphics Media Accelerator Driver
IntelliMover Data Transfer Demo
InterVideo DiscLabel
iTunes
iWin Games (remove only)
Java 2 Runtime Environment, SE v1.4.2_03
Java Auto Updater
Java(TM) 6 Update 29
LS_HSI
Malwarebytes Anti-Malware version 1.61.0.1400
Microsoft .NET Framework 1.0 Hotfix (KB2572066)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Click-to-Run 2010
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Home and Business 2010 - English
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Works
Mozilla Firefox (3.6.28)
MSVCSetup
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
NewCopy
OLYMPUS Master
OpenOffice.org 3.0
Otto
Photosmart 320,370,7400,8100,8400 Series
PrintMaster 2.0 Platinum
ProductContext
PS2
PSPrinters06
QuickTime
Readme
Roxio Drag-to-Disc
Roxio Easy CD and DVD Burning
Scan
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Windows (KB2564958)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB975713)
Shop for HP Supplies
SmartWebPrinting
Sonic Encoders
Sonic Express Labeler
Sonic RecordNow!
Unload
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2597970) 32-Bit Edition
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB982664)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2616676-v2)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951978)
Update for Windows XP (KB971029)
Update Rollup 1 for Windows XP Media Center Edition 2005 with HDTV Support (KB873369)
vanBasco's Karaoke Player
Visual J# .NET Redistributable Package
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format Runtime
Windows Media Player 10 Hotfix [See KB889858 for more information]
Windows XP Media Center Edition 2005 KB888316
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
Yahoo! Browser Services
Yahoo! BrowserPlus 2.9.2
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Software Update
Yahoo! Toolbar
.
==== Event Viewer Messages From Past Week ========
.
4/9/2012 9:48:59 AM, error: Service Control Manager [7023] - The TMHIDSRV service terminated with the following error: Access is denied.
4/9/2012 9:33:59 AM, error: Service Control Manager [7023] - The Sffp_sd service terminated with the following error: Access is denied.
4/9/2012 9:22:16 AM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
4/9/2012 9:19:57 AM, error: Service Control Manager [7023] - The Arc service terminated with the following error: Access is denied.
4/9/2012 9:18:58 AM, error: Service Control Manager [7023] - The Iaimtv1 service terminated with the following error: Access is denied.
4/9/2012 9:04:58 AM, error: Service Control Manager [7023] - The Vetmonnt service terminated with the following error: Access is denied.
4/9/2012 9:03:53 AM, error: Service Control Manager [7023] - The WmaCVideo32 service terminated with the following error: The specified procedure could not be found.
4/9/2012 9:03:53 AM, error: Service Control Manager [7023] - The Ezplay service terminated with the following error: The specified module could not be found.
4/9/2012 9:03:52 AM, error: Service Control Manager [7023] - The ZSMC211 service terminated with the following error: The specified module could not be found.
4/9/2012 9:03:52 AM, error: Service Control Manager [7023] - The Wg5n service terminated with the following error: The specified module could not be found.
4/9/2012 9:03:52 AM, error: Service Control Manager [7023] - The Uiusys service terminated with the following error: The specified module could not be found.
4/9/2012 9:03:52 AM, error: Service Control Manager [7023] - The Slssvc service terminated with the following error: The specified module could not be found.
4/9/2012 9:03:52 AM, error: Service Control Manager [7023] - The Interactivelogon service terminated with the following error: Access is denied.
4/9/2012 9:03:52 AM, error: Service Control Manager [7023] - The EagleNT service terminated with the following error: The specified module could not be found.
4/9/2012 9:01:55 AM, error: Dhcp [1002] - The IP address lease 192.168.1.3 for the Network Card with network address 0013D408A78F has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
4/9/2012 3:04:05 PM, error: Service Control Manager [7023] - The Sdhelper service terminated with the following error: Access is denied.
4/9/2012 2:49:05 PM, error: Service Control Manager [7023] - The Vaiomediaplatform-photoserver-appserver service terminated with the following error: Access is denied.
4/9/2012 2:34:07 PM, error: Service Control Manager [7023] - The Cwafadminmonitor service terminated with the following error: Access is denied.
4/9/2012 2:19:04 PM, error: Service Control Manager [7023] - The Xpagentserver service terminated with the following error: Access is denied.
4/9/2012 2:04:04 PM, error: Service Control Manager [7023] - The FETNDIS service terminated with the following error: Access is denied.
4/9/2012 12:57:40 AM, error: Service Control Manager [7023] - The ZSMC211 service terminated with the following error: Access is denied.
4/9/2012 12:49:42 AM, error: Service Control Manager [7023] - The Winvnc service terminated with the following error: Access is denied.
4/9/2012 12:49:38 AM, error: Service Control Manager [7023] - The Areschatserver service terminated with the following error: Access is denied.
4/9/2012 12:46:56 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000043' while processing the file 'mrxsmb.sys' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
4/9/2012 12:34:01 PM, error: Service Control Manager [7023] - The Omniserv service terminated with the following error: Access is denied.
4/9/2012 12:19:02 PM, error: Service Control Manager [7023] - The AcronisOSSReinstallSvc service terminated with the following error: Access is denied.
4/9/2012 12:18:05 AM, error: Service Control Manager [7023] - The Ezplay service terminated with the following error: Access is denied.
4/9/2012 12:15:58 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'mrxsmb.sys' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
4/9/2012 12:04:02 PM, error: Service Control Manager [7023] - The Vulfntrs service terminated with the following error: Access is denied.
4/9/2012 11:49:03 AM, error: Service Control Manager [7023] - The Msfwsvc service terminated with the following error: Access is denied.
4/9/2012 11:34:05 AM, error: Service Control Manager [7023] - The LPCFilter service terminated with the following error: Access is denied.
4/9/2012 11:19:06 AM, error: Service Control Manager [7023] - The SE27mgmt service terminated with the following error: Access is denied.
4/9/2012 11:04:03 AM, error: Service Control Manager [7023] - The VIAPFD service terminated with the following error: Access is denied.
4/9/2012 10:49:11 AM, error: Service Control Manager [7023] - The Oracleorahomemanagementserver service terminated with the following error: Access is denied.
4/9/2012 10:34:11 AM, error: Service Control Manager [7023] - The Clisvc service terminated with the following error: Access is denied.
4/9/2012 10:19:00 AM, error: Service Control Manager [7023] - The Defrag32b service terminated with the following error: Access is denied.
4/9/2012 10:03:59 AM, error: Service Control Manager [7023] - The Ha10kx2k service terminated with the following error: Access is denied.
4/9/2012 1:58:03 PM, error: Service Control Manager [7023] - The TUWinStylerThemeSvc service terminated with the following error: Access is denied.
4/9/2012 1:49:04 PM, error: Service Control Manager [7023] - The Websenseusagemonitor service terminated with the following error: Access is denied.
4/9/2012 1:34:03 PM, error: Service Control Manager [7023] - The Acprfmgrsvc service terminated with the following error: Access is denied.
4/9/2012 1:33:45 AM, error: Service Control Manager [7023] - The Irbus service terminated with the following error: Access is denied.
4/9/2012 1:19:41 AM, error: Service Control Manager [7023] - The Wg5n service terminated with the following error: Access is denied.
4/9/2012 1:19:03 PM, error: Service Control Manager [7023] - The Machnm32 service terminated with the following error: Access is denied.
4/9/2012 1:18:43 AM, error: Service Control Manager [7023] - The WmaCVideo32 service terminated with the following error: Access is denied.
4/9/2012 1:04:41 AM, error: Service Control Manager [7023] - The Slssvc service terminated with the following error: Access is denied.
4/9/2012 1:04:03 PM, error: Service Control Manager [7023] - The Usbcm service terminated with the following error: Access is denied.
4/9/2012 1:03:42 AM, error: Service Control Manager [7023] - The Uiusys service terminated with the following error: Access is denied.
4/8/2012 11:12:52 PM, error: Service Control Manager [7023] - The EagleNT service terminated with the following error: Access is denied.
4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The Usbcm service terminated with the following error: The specified module could not be found.
4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The U81xmdfl service terminated with the following error: The specified module could not be found.
4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The Transcode360 service terminated with the following error: The specified module could not be found.
4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The Toscosrv service terminated with the following error: The specified module could not be found.
4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The TMHIDSRV service terminated with the following error: The specified module could not be found.
4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The SWNC8U20 service terminated with the following error: The specified module could not be found.
4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The Sffp_sd service terminated with the following error: The specified module could not be found.
4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The SaiU040B service terminated with the following error: The specified module could not be found.
4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The Rootmodem service terminated with the following error: The specified module could not be found.
4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The Prohlp02 service terminated with the following error: The specified module could not be found.
4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The Mps9 service terminated with the following error: The specified module could not be found.
4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The LPCFilter service terminated with the following error: The specified module could not be found.
4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The Lkclassads service terminated with the following error: The specified module could not be found.
4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The Jsdaemon service terminated with the following error: The specified module could not be found.
4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The Iaimtv1 service terminated with the following error: The specified module could not be found.
4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The Houdinilicenseserver service terminated with the following error: The specified module could not be found.
4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The Evteng service terminated with the following error: The specified module could not be found.
4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The Epson_pm_rpcv4_01 service terminated with the following error: The specified module could not be found.
4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The Defrag32b service terminated with the following error: The specified module could not be found.
4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The Cwafadminmonitor service terminated with the following error: The specified module could not be found.
4/11/2012 8:52:52 AM, error: Service Control Manager [7023] - The Avgfwsrv service terminated with the following error: The specified module could not be found.
4/10/2012 1:01:25 PM, error: Service Control Manager [7023] - The Vulfntrs service terminated with the following error: The specified module could not be found.
4/10/2012 1:01:25 PM, error: Service Control Manager [7023] - The Se58bus service terminated with the following error: The specified module could not be found.
4/10/2012 1:01:25 PM, error: Service Control Manager [7023] - The Sdhelper service terminated with the following error: The specified module could not be found.
4/10/2012 1:01:25 PM, error: Service Control Manager [7023] - The Ipodsrv service terminated with the following error: The specified module could not be found.
4/10/2012 1:01:25 PM, error: Service Control Manager [7023] - The Clisvc service terminated with the following error: The specified module could not be found.
4/10/2012 1:01:25 PM, error: Service Control Manager [7023] - The Bh611 service terminated with the following error: The specified module could not be found.
4/10/2012 1:01:25 PM, error: Service Control Manager [7023] - The Acprfmgrsvc service terminated with the following error: The specified module could not be found.
.
==== End Of File ===========================
 
Patty, the first DDS.txt log you left isn't complete. It should continue with a section named ============== Pseudo HJT Report ===============
When the log is complete, it will show ============= FINISH: (current time) ===============

I note I forgot to leave the Eset scan instructions:
To run the Eset Online Virus Scan:
If you use Internet Explorer:
  1. Open the ESETOnlineScan
  2. Skip to #4 to "Continue with the directions"

    If you are using a browser other than Internet Explorer:
  3. Open Eset Smart Installer
    • Click on the esetsmartinstaller_enu.exe link and save it to the desktop.
    • Double click on the desktop icon to run.
    • After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new window.
  4. Continue with the directions.
  5. Check 'Yes I accept terms of use.'
  6. Click Start button
  7. Accept any security warnings from your browser.
  8. Uncheck 'Remove found threats'.
  9. Check 'Scan archives'.
  10. Leave the remaining settings as they are.
  11. Press the Start button.
  12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  13. When the scan completes, press List of found threats
  14. Push Export to text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  15. Push the Back button, then Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
===========================================
So I need the full DDS.txt log, Combofix log and Eset scan log.

Please let me know if you do not plan to continue.
 
Problem

I ran the dds again and saved the reports. It took a few hours to run ESET, then I ran ComboFix and it gave me a message saying "you are badly infected with Rootkit Zero Access" and that it is in the top something ip (sorry, I didn't write it all down). Then it said again that it was infected with Rootkit and that it needed to reboot the machine and to NOT try and manually reboot. However, it is not shutting down. I have not touched the machine and am going to leave it be until I hear from you. Also, I disabled Microsoft Security Essentials, but the red warning box keeps popping up with the one infection it found. If it is disabled, why is this? I also had a box pop up during this process that said "unclickable children of element"? Thanks again. Patty
 
You didn't have to run DDS again. Please search the system for DDS.txt dated>> Run by HP_Administrator at 9:36:11 on 2012-04-11

Try running Combofix in Safe Mode:
Boot into Safe Mode with Networking
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, and then press ENTER.

Now try the scan. If it still won't work, do the following:
  1. Delete the Combofix file and download a fresh one, but rename combofix.exe to friday.exe BEFORE saving it to your desktop. Do NOT run it yet.
  2. Download one of these versions of RKill:
    (Note: You do not need to download all three versions; you only need to get one of these to run. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.)
    Rkill.com
    Rkill.scr
    Rkill.exe
    [o] Double-click on the Rkill desktop icon to run the tool. (Vista/Win 7> right-click> choose Run As Administrator.)
    [o] A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    [o] If not, delete the file, then download and use the one provided in Link 2.
    [o] If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    [o] Do not reboot until instructed.
    [o] If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, add the following:
  3. Please download exeHelper by Raktor and save it to the desktop.
    [o] Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
    [o] A black window should pop up; press any key to close it once the fix is completed.
    [o] A log file called exehelperlog.txt will be created and should open at the end of the scan.
    [o] A copy of that log will also be saved in the directory where you ran exeHelper.com
    [o] Copy and paste the contents of exehelperlog.txt in your next reply.

    Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).
    (Directions courtesy bleeping computer)
  4. With both RKill and exehelper on board:
    [o] Go right to the renamed Combofix and double click on friday.exe to run it.
    [o] If it won't run in Normal Mode, run BOTH tools from safe mode, then try the double click on friday.exe to run it.

If successful, please leave RKill, Exehelper and Combofix logs.
 
Just got this post; it did not show up in the email, so I came here and saw this. Once I got to safe mode and safe mode with networking I got another window asking Windows XP Media Center Edition or Microsoft Windows Recovery Console... which one should I use?
 
Okay, when I started the computer in safe mode CF automatically ran successfully and I ran exeHelper. I cannot seem to locate the original DDS file. Any suggestions where I might find it? Here are the other two. The log for Raktor doesn't look right... did I do something wrong or do I need to locate that too?

ComboFix 12-04-14.03 - Administrator 04/17/2012 21:19:47.1.2 - x86 NETWORK
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\DragToDiscUserNameE.txt
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\HP_Administrator\WINDOWS
c:\windows\$NtUninstallKB62280$\3572818124
c:\windows\$NtUninstallKB62280$\485945278\@
c:\windows\$NtUninstallKB62280$\485945278\cfg.ini
c:\windows\$NtUninstallKB62280$\485945278\Desktop.ini
c:\windows\$NtUninstallKB62280$\485945278\L\nezyfjsm
c:\windows\$NtUninstallKB62280$\485945278\oemid
c:\windows\$NtUninstallKB62280$\485945278\U\00000001.@
c:\windows\$NtUninstallKB62280$\485945278\U\00000002.@
c:\windows\$NtUninstallKB62280$\485945278\U\00000004.@
c:\windows\$NtUninstallKB62280$\485945278\U\80000000.@
c:\windows\$NtUninstallKB62280$\485945278\U\80000004.@
c:\windows\$NtUninstallKB62280$\485945278\U\80000032.@
c:\windows\$NtUninstallKB62280$\485945278\version
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\ps2.bat
D:\Autorun.inf
c:\windows\$NtUninstallKB62280$ . . . . Failed to delete
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NETWORKLOG
-------\Legacy_TNIDRIVER
.
.
((((((((((((((((((((((((( Files Created from 2012-03-18 to 2012-04-18 )))))))))))))))))))))))))))))))
.
.
2012-04-18 01:35 . 2012-04-18 01:35 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4FC15389-017A-41F1-852E-1BB24E012FD4}\offreg.dll
2012-04-18 01:18 . 2012-04-18 01:18 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2012-04-15 00:37 . 2012-04-15 00:37 42960 ----a-w- c:\windows\system32\drivers\vazmbxzg.sys
2012-04-15 00:36 . 2004-06-29 10:07 1268204 ----a-w- c:\windows\system32\drivers\AGRSM.sys
2012-04-15 00:34 . 2004-08-04 02:41 126686 ----a-w- c:\windows\system32\drivers\mtlmnt5.sys
2012-04-15 00:34 . 2012-04-15 00:34 -------- d-----w- c:\windows\LastGood.Tmp
2012-04-14 18:29 . 2012-04-14 18:29 -------- d-----w- c:\program files\ESET
2012-04-14 18:15 . 2012-04-14 18:15 -------- d-sh--w- c:\documents and settings\HP_Administrator\UserData
2012-04-14 17:58 . 2012-04-14 17:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-04-14 16:53 . 2012-03-14 02:15 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4FC15389-017A-41F1-852E-1BB24E012FD4}\mpengine.dll
2012-04-11 00:31 . 2012-04-11 00:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-11 00:31 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-09 14:26 . 2012-04-09 14:26 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2012-04-09 14:26 . 2012-04-09 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-04-04 12:30 . 2012-04-04 12:30 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-04 12:30 . 2011-11-24 04:13 70304 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-14 02:15 . 2012-01-28 14:46 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-03-01 11:01 . 2004-08-10 04:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2004-08-10 04:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2004-08-10 04:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2004-08-10 11:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 14:10 . 2004-08-10 04:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 12:17 . 2004-08-10 04:00 385024 ----a-w- c:\windows\system32\html.iec
2012-02-07 15:02 . 2012-02-07 15:02 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-02-03 09:22 . 2004-08-10 04:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 12:44 . 2009-10-02 20:32 237072 -c----w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-16 57344]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-12-01 126976]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"PS2"="c:\windows\system32\ps2.exe" [2004-10-25 90112]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-03-15 98304]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-11-15 1121016]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-02-28 519584]
.
c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=c:\windows\pss\SpySubtract.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2004-06-29 10:06 88363 ----a-w- c:\windows\AGRSMMSG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2004-10-13 16:00 57344 -c--a-w- c:\windows\ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
2004-10-13 16:17 2742272 -c--a-w- c:\windows\ALCWZRD.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AROReminder]
2008-08-22 20:33 2084480 -c--a-w- c:\program files\Advanced Registry Optimizer\ARO.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2004-08-10 11:04 59392 -c--a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2004-03-18 00:10 61952 -c--a-w- c:\windows\system32\Hdaudpropshortcut.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
2004-06-07 11:42 659456 -c--a-w- c:\windows\system32\hphmon06.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
2004-06-07 11:53 49152 -c--a-w- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
1998-05-07 09:04 52736 -c--a-w- c:\windows\system\hpsysdrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-01-16 22:22 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
2004-10-14 14:54 253952 -c--a-w- c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
2006-05-16 22:50 40960 -c--a-w- c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-03-15 19:11 98304 -c--a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2004-12-14 02:23 663552 -c--a-w- c:\windows\CREATOR\Remind_XP.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-10-13 14:01 77824 -c--a-w- c:\windows\SOUNDMAN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
R2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [1/4/2012 3:22 PM 822624]
R2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [12/8/2009 12:40 PM 78104]
R2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [10/1/2011 9:30 AM 508776]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfsxp.sys [12/2/2009 10:23 PM 584680]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplayxp.sys [12/2/2009 10:23 PM 209512]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [12/2/2009 10:23 PM 20584]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvolxp.sys [12/2/2009 10:23 PM 18280]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [10/1/2011 9:30 AM 219496]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/4/2012 8:30 AM 253600]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
NETSVCS REQUIRES REPAIRS - current entries shown
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
EventSystem
FastUserSwitchingCompatibility
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Messenger
Netman
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
Rasauto
Rasman
UNDPX2A
RTSTOR
WinFl32
knobserv
gmer
servicelayer
carboniteservice
ovsecurityserver
dcstor32
oracleformsserver-forms60server-oraform
RMSvc
MR97310_USB_DUAL_CAMERA
vci
nwlnkipx
IntuitUpdateService
tng-dts
mssql$sqlexpress
RIOUNIV
z800mdm
atimpab
DC21x4
lvuvc
vstor2-ws60
omnidrv
NITaggerService
wkscfgsrv
govsrv
wpshelper
pav_service
wltwo51b
Xyz777s
p17xfilt
HBtnKey
z800bus
Freedom
U81xbus
BrScnUsb
VrAcFil
ADIDTSFiltService
cdudf_xp
itmrtsvc
viaudio
pdlnepkt
smapint
logonsvcid
w810mdfl
issm
w810obex
MTsensor
HPFECP20
s116bus
elnkfwppservice
usbmate
ndiscm
spbbcdrv
PGPwded
A88xTuner
SQLAgent$MICROSOFTSMLBIZ
mssql$pinnaclesys
epstnt01
ma763004
sisnic
syslogd
Remoteaccess
Schedule
Seclogon
SENS
Sharedaccess
SRService
Tapisrv
Themes
TrkWks
W32Time
WZCSVC
Wmi
WmdmPmSp
winmgmt
wscsvc
xmlprov
MHN
BITS
wuauserv
ShellHWDetection
helpsvc
WmdmPmSN
napagent
hkmsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 12:30]
.
2012-04-18 c:\windows\Tasks\User_Feed_Synchronization-{26896CAC-0932-4854-BC93-06AF0AFEDD2A}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mWindow Title = Internet Explorer By Enter.Net
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/info/hho-hp-music-hpdesktop-icon
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\ckrqxi89.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cbf98f9&v=7.008.031.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{7BEDF996-5864-4505-B998-D7B5243E8C75} - c:\windows\system32\jkkKBQiH.dll
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-Akamai NetSession Interface - c:\documents and settings\HP_Administrator\Local Settings\Application Data\Akamai\netsession_win.exe
MSConfigStartUp-93809662843331368666936102142566 - c:\program files\Antivirus 2009\av2009.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-Antispyware - c:\program files\AntiSpyware\Antispyware.exe
MSConfigStartUp-AutoTBar - c:\program files\HP\Digital Imaging\bin\AUTOTBAR.EXE
MSConfigStartUp-IS CfgWiz - c:\program files\Norton Internet Security\cfgwiz.exe
MSConfigStartUp-Propel Accelerator - c:\program files\Propel Accelerator\trayctl.exe
MSConfigStartUp-SSC_UserPrompt - c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-URLLSTCK - c:\program files\Norton Internet Security\UrlLstCk.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-17 21:37
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3424)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2012-04-17 21:43:18 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-18 01:43
.
Pre-Run: 139,761,401,856 bytes free
Post-Run: 140,786,380,800 bytes free
.
- - End Of File - - 15677D3F4198967549CA839763B1F88C

exeHelper by Raktor
Build 20100414
Run at 21:57:57 on 04/17/12
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
 
I'd like to see if we can get the Netsvcs repaired:

First: Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
----------------------------------------
Next: Please download and extract the following file: XPSP3 netsvcs
Then double click on it to merge it into the Registry.
----------------------------------------
Then download Combofix again and rescan. Please leave the new Combofix log in your next reply.
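As an added example (not ComboFix's code and not the XPSP3 netsvcs file the helper links to), here is a Python script that pulls the netsvcs block out of a ComboFix log like the one above, flags the entries that are not in an assumed Windows XP SP3 default netsvcs group, and builds the text of a repair .reg file that resets the value. The baseline list, the sample log excerpt and the line-wrapping width are assumptions of this example; check the baseline against a known-clean XP SP3 machine before merging anything.

```python
"""Triage the netsvcs group from a ComboFix log and build a repair .reg file.

Constructed example for the thread above. The baseline below is what this
script ASSUMES the Windows XP SP3 default netsvcs group to be; it is not
taken from the page and must be verified against a clean XP SP3 system.
"""

# Assumed XP SP3 default netsvcs group (order as found in a clean registry).
XP_SP3_NETSVCS = [
    "6to4", "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "DMServer", "DHCP",
    "ERSvc", "EventSystem", "FastUserSwitchingCompatibility", "HidServ", "Ias",
    "Iprip", "Irmon", "LanmanServer", "LanmanWorkstation", "Messenger", "Netman",
    "Nla", "Ntmssvc", "NWCWorkstation", "Nwsapagent", "Rasauto", "Rasman",
    "Remoteaccess", "Schedule", "Seclogon", "SENS", "Sharedaccess", "SRService",
    "Tapisrv", "Themes", "TrkWks", "W32Time", "WZCSVC", "Wmi", "WmdmPmSp",
    "winmgmt", "wscsvc", "xmlprov", "MHN", "BITS", "wuauserv",
    "ShellHWDetection", "helpsvc", "WmdmPmSN", "napagent", "hkmsvc",
]

# Constructed excerpt in the shape ComboFix uses (a few lines taken from the log above).
SAMPLE_LOG = """\
.
NETSVCS REQUIRES REPAIRS - current entries shown
6to4
AppMgmt
Rasman
UNDPX2A
knobserv
Xyz777s
Remoteaccess
hkmsvc
.
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost - NetSvcs
"""


def extract_netsvcs(log_text):
    """Return the service names ComboFix lists under its netsvcs block.

    The block starts at the 'NETSVCS REQUIRES REPAIRS' marker and ends at the
    next line that is just '.', which ComboFix uses as a section separator.
    """
    names = []
    collecting = False
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("NETSVCS REQUIRES REPAIRS"):
            collecting = True
            continue
        if collecting:
            if line == "." or not line:
                break
            names.append(line)
    return names


def unexpected_entries(names, baseline=XP_SP3_NETSVCS):
    """Entries in the log that are not in the baseline.

    Registry service names are case-insensitive, so the comparison is too.
    """
    known = {n.lower() for n in baseline}
    return [n for n in names if n.lower() not in known]


def to_reg_multi_sz(values, per_line=25):
    """Encode strings as the hex(7) form .reg files use for REG_MULTI_SZ.

    REG_MULTI_SZ is UTF-16LE strings, each followed by a NUL, with one more
    NUL after the last string. Long values are wrapped the way regedit
    exports them: ",\\" at line end and two spaces of continuation indent
    (per_line bytes per line is an arbitrary choice of this example).
    """
    data = b"".join(v.encode("utf-16-le") + b"\x00\x00" for v in values) + b"\x00\x00"
    hexes = [f"{b:02x}" for b in data]
    chunks = [",".join(hexes[i:i + per_line]) for i in range(0, len(hexes), per_line)]
    return "hex(7):" + ",\\\r\n  ".join(chunks)


def repair_reg_file(baseline=XP_SP3_NETSVCS):
    """Build the text of a .reg file that resets netsvcs to the baseline."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost]\r\n"
        f'"netsvcs"={to_reg_multi_sz(baseline)}\r\n'
    )


if __name__ == "__main__":
    found = extract_netsvcs(SAMPLE_LOG)
    for name in unexpected_entries(found):
        print("not in baseline:", name)
    print(repair_reg_file())
```

Merging such a file replaces the whole netsvcs value, so the run of non-Windows names in the log above (UNDPX2A through syslogd) disappears along with any legitimate third-party service that had registered itself in that group; the flagged list is what to review before deciding which, if any, need adding back.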
 
Success...

ComboFix 12-04-18.02 - HP_Administrator 04/18/2012 20:48:28.2.2 - x86
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
((((((((((((((((((((((((( Files Created from 2012-03-19 to 2012-04-19 )))))))))))))))))))))))))))))))
.
.
2012-04-19 00:45 . 2012-04-19 00:45 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8510DC15-D677-4129-B5A3-F26BC2D001AD}\offreg.dll
2012-04-14 18:29 . 2012-04-14 18:29 -------- d-----w- c:\program files\ESET
2012-04-14 18:15 . 2012-04-14 18:15 -------- d-sh--w- c:\documents and settings\HP_Administrator\UserData
2012-04-14 17:58 . 2012-04-14 17:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-04-11 00:31 . 2012-04-11 00:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-11 00:31 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-09 14:26 . 2012-04-09 14:26 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2012-04-09 14:26 . 2012-04-09 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-04-04 12:30 . 2012-04-04 12:30 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-04 12:30 . 2011-11-24 04:13 70304 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-14 02:15 . 2012-01-28 14:46 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-03-01 11:01 . 2004-08-10 04:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2004-08-10 04:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2004-08-10 04:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2004-08-10 11:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 14:10 . 2004-08-10 04:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 12:17 . 2004-08-10 04:00 385024 ----a-w- c:\windows\system32\html.iec
2012-02-07 15:02 . 2012-02-07 15:02 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-02-03 09:22 . 2004-08-10 04:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 12:44 . 2009-10-02 20:32 237072 -c----w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-16 57344]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-12-01 126976]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"PS2"="c:\windows\system32\ps2.exe" [2004-10-25 90112]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-03-15 98304]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-11-15 1121016]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-02-28 519584]
.
c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=c:\windows\pss\SpySubtract.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2004-06-29 10:06 88363 ----a-w- c:\windows\AGRSMMSG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2004-10-13 16:00 57344 -c--a-w- c:\windows\ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
2004-10-13 16:17 2742272 -c--a-w- c:\windows\ALCWZRD.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AROReminder]
2008-08-22 20:33 2084480 -c--a-w- c:\program files\Advanced Registry Optimizer\ARO.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2004-08-10 11:04 59392 -c--a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2004-03-18 00:10 61952 -c--a-w- c:\windows\system32\Hdaudpropshortcut.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
2004-06-07 11:42 659456 -c--a-w- c:\windows\system32\hphmon06.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
2004-06-07 11:53 49152 -c--a-w- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
1998-05-07 09:04 52736 -c--a-w- c:\windows\system\hpsysdrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-01-16 22:22 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
2004-10-14 14:54 253952 -c--a-w- c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
2006-05-16 22:50 40960 -c--a-w- c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-03-15 19:11 98304 -c--a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2004-12-14 02:23 663552 -c--a-w- c:\windows\CREATOR\Remind_XP.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-10-13 14:01 77824 -c--a-w- c:\windows\SOUNDMAN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
R2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [1/4/2012 3:22 PM 822624]
R2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [12/8/2009 12:40 PM 78104]
R2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [10/1/2011 9:30 AM 508776]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfsxp.sys [12/2/2009 10:23 PM 584680]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplayxp.sys [12/2/2009 10:23 PM 209512]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [12/2/2009 10:23 PM 20584]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvolxp.sys [12/2/2009 10:23 PM 18280]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [10/1/2011 9:30 AM 219496]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/4/2012 8:30 AM 253600]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 12:30]
.
2012-04-18 c:\windows\Tasks\User_Feed_Synchronization-{26896CAC-0932-4854-BC93-06AF0AFEDD2A}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mWindow Title = Internet Explorer By Enter.Net
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/info/hho-hp-music-hpdesktop-icon
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\ckrqxi89.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cbf98f9&v=7.008.031.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-18 20:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-04-18 21:03:55
ComboFix-quarantined-files.txt 2012-04-19 01:03
ComboFix2.txt 2012-04-18 01:43
.
Pre-Run: 147,490,074,624 bytes free
Post-Run: 147,441,344,512 bytes free
.
- - End Of File - - 77C432A963041471607DE9FC03DF61F4
 
Hi Bobbye, I just need to let you know that my husband has asked me to find the disks and restore the computer. He doesn't have the patience for this as he has a lot of music and stuff he needs to do with his computer. So, thank you for your time. It looks as though the thread will be deleted in a day anyway since they are closed after five days. Patty
 
Hello Bobby, sorry we hadn't heard from you. I know you are probably very busy. We did a system restore on the computer and mbam and security essentials didn't find anything when we were all done. Computer works better but I was wondering if there is a way to improve the performance? Sorry I was impatient but I have work to do on here and people waiting on me. I do appreciate your time. Boker
 
Patty, I am very sorry for the delay. I had some personal business that had to be handled- now I'm trying to catch up.

Since a System Restore was done, basically everything we had done is gone. The problem is that I don't think you know just what date you first got the malware. Explain to him that it's likely Win32/Sirefef isn't getting completely removed, rather than coming back.
----------------------------------------------
1. If you're still running this program, I advise removing it:
Startup^SpySubtract.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk

2. You don't need this to start on boot and run in the background. Advise uncheck ALL HP processes on Startup menu. To print, click on File> Print.
Startup^HP Digital Imaging Monitor

3. Advise remove this registry cleaner. We don't recommend a registry cleaner to anyone. The risks outweigh any small benefit you 'may' get:
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AROReminder]
2008-08-22 20:33 2084480 -c--a-w- c:\program files\Advanced Registry Optimizer\ARO.exe

4. 8 years ago, a reminder to register on the Creative site was put on the Startup menu. It's still there. Advise remove:
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2004-12-14 02:23 663552 -c--a-w- c:\windows\CREATOR\Remind_XP.exe

5. There were 2 outdated versions of Java on the system and no current version. These are vulnerabilities to the system.

6. Lastly, we did not get an online virus scan. IF malware was in a restore point and IF you choose that restore point, you can reinfect the system.
 