Inactive Malware remains after following 8 steps


JayF

Hello,

I am a new user motivated to join by a nasty malware infection. I appreciate the existence of this forum.

I've followed the 8 steps for removing the System Defrag virus, but issues with redirecting IE and Firefox and malicious popups remain. Below are my logs. I would very much appreciate any help you could give.

Thanks in advance
JayF

(order: DDS, Attach, Gmer, Malwarebytes)


DDS (Ver_10-12-12.02) - NTFSx86
Run by Jay at 21:35:57.53 on Tue 02/08/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1401 [GMT -8:00]

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\IT Connection Manager\SRUserService.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Belkin Storage Manager\StorageManager.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner\Application Data\Dropbox\bin\Dropbox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=pavilion&pf=laptop
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [<NO NAME>]
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [Belkin Storage Manager] "c:\program files\belkin storage manager\StorageManager.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\owner\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
Trusted Zone: aplus.net\cp
Trusted Zone: jayfrenchtherapy.com\www
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164792322687
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F4A1DC8A-3D7A-4C28-A5B6-C624B814A702} - hxxps://cp.aplus.net/tools/fileman/FileMan.cab
DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - hxxp://www.trueswitch.com/TrueInstall.exe
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\lw29fkqb.default\
FF - prefs.js: browser.search.selectedEngine - Optify Internal
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\lw29fkqb.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\platform\winnt_x86-msvc\components\SSSLauncher.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: FireShot: {0b457cAA-602d-484a-8fe7-c1d894a011ba} - %profile%\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-2-8 294608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-2-8 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-2-8 40384]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 SRUserService;IT Connection Manager;c:\program files\it connection manager\SRUserService.exe [2008-2-27 278672]
S2 gupdate1c9c5e9ecdfb80a;Google Update Service (gupdate1c9c5e9ecdfb80a);c:\program files\google\update\GoogleUpdate.exe [2009-4-25 133104]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [2006-6-6 61952]
S3 GTwinUSB;GTwinUSB;c:\windows\system32\drivers\GTwinUSB.sys [2004-6-28 61840]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 OMNUSB;Omnikey AG CardMan 2020 USB Smart Card Reader;c:\windows\system32\drivers\sccmusbm.sys [2006-11-29 23936]
S3 Samsung UPD Service;Samsung UPD Service;c:\windows\system32\SUPDSvc.exe [2009-3-24 127656]
S3 ZD1211BU(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);c:\windows\system32\drivers\ZD1211BU.sys [2008-5-6 450560]

=============== Created Last 30 ================

2011-02-08 18:15:25 38848 ----a-w- c:\windows\avastSS.scr
2011-02-08 07:55:17 -------- d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2011-02-08 07:55:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-08 07:55:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-02-08 07:54:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-08 07:54:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-08 04:05:51 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-02-08 04:05:51 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-10 21:06:27 -------- d-sh--w- c:\docume~1\alluse~1\applic~1\System Restore
2011-01-10 21:06:21 -------- d-----w- c:\program files\Screenshot Studio

==================== Find3M ====================

2010-11-30 01:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-30 01:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-15 21:00:14 72080 ----a-w- c:\documents and settings\owner\g2mdlhlpx.exe

============= FINISH: 21:43:36.40 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/27/2006 9:13:39 AM
System Uptime: 2/8/2011 9:07:03 PM (0 hours ago)

Motherboard: Quanta | | 30BB
Processor: Intel(R) Core(TM)2 CPU T5500 @ 1.66GHz | U2E1 | 1663/667mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 99 GiB total, 50.923 GiB free.
D: is FIXED (FAT32) - 12 GiB total, 1.371 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP751: 11/16/2010 9:36:13 AM - System Checkpoint
RP752: 12/1/2010 12:06:50 PM - System Checkpoint
RP753: 12/2/2010 11:25:17 AM - Software Distribution Service 3.0
RP754: 12/7/2010 2:17:35 PM - System Checkpoint
RP755: 12/8/2010 4:35:23 PM - Installed QuickTime
RP756: 12/15/2010 2:33:16 PM - System Checkpoint
RP757: 12/31/2010 10:28:46 AM - avast! Free Antivirus Setup
RP758: 12/31/2010 10:49:11 AM - avast! Free Antivirus Setup
RP759: 1/7/2011 10:11:30 AM - System Checkpoint
RP760: 1/9/2011 12:39:40 PM - System Checkpoint
RP761: 1/10/2011 4:15:05 PM - System Checkpoint
RP762: 1/11/2011 4:53:54 PM - System Checkpoint
RP763: 1/13/2011 1:04:58 PM - System Checkpoint
RP764: 1/16/2011 12:02:31 PM - System Checkpoint
RP765: 1/18/2011 9:15:11 AM - System Checkpoint
RP766: 2/4/2011 10:15:49 AM - System Checkpoint
RP767: 2/5/2011 3:40:22 PM - System Checkpoint
RP768: 2/6/2011 6:41:48 PM - System Checkpoint
RP769: 2/7/2011 10:18:37 AM - Software Distribution Service 3.0
RP770: 2/7/2011 11:47:16 AM - Restore Operation
RP771: 2/7/2011 7:38:05 PM - Software Distribution Service 3.0
RP772: 2/7/2011 8:01:37 PM - Restore Operation
RP773: 2/7/2011 8:23:50 PM - Software Distribution Service 3.0
RP774: 2/7/2011 10:55:47 PM - Removed Skype™ 4.2
RP775: 2/7/2011 10:57:40 PM - Removed CA eTrust Antivirus
RP776: 2/8/2011 9:47:42 AM - Restore Operation
RP777: 2/8/2011 9:57:58 AM - Restore Operation

==== Installed Programs ======================


5600
5600_Help
5600Trb
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0.1
Adobe Reader 7.0.5
AiO_Scan
AiOSoftware
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.6
AutoUpdate
avast! Free Antivirus
Belkin Storage Manager
BotHunter
BufferChm
Camtasia Studio 7
Cardmod_x86 and MSITPintool
ColorSchemer Studio 2
Conexant HD Audio
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
cp_PosterPrintConfig
cp_UpdateProjectsConfig
CueTour
CutePDF Writer 2.8
Destinations
DivX
DocProc
Dropbox
eSupportQFolder
EZ Vinyl/Tape Converter 1.5.2.0 by MixMeister
Fax
FullDPAppQFolder
GemMaster Mystic
Google Chrome
Google Earth
Google Update Helper
Google Updater
GoToMeeting 4.5.0.457
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Help and Support
HP Image Zone Express
HP Imaging Device Functions 6.0
HP Photosmart Premier Software 6.0
HP PSC & OfficeJet 5.3.B
HP Quick Launch Buttons 6.10 A2
HP QuickPlay 2.3
HP Rhapsody
HP Solution Center & Imaging Support Tools 5.3
HP Update
HP User Guides 0035
HP Wireless Assistant 2.00 G2
HPProductAssistant
HpSdpAppCoreApp
InstantShareDevices
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
IT Connection Manager
iTunes
J2SE Runtime Environment 5.0 Update 6
LightScribe 1.4.97.1
Macromedia Flash Player 8
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.0 Hotfix (KB953295)


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-02-08 21:35:15
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 FUJITSU_ rev.892C
Running: bp7rsc8b.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kwlirpob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x9D30382E]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x9D303652]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0x9D30378C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)

---- Threads - GMER 1.0.15 ----

Thread System [4:140] 89EF0A05
Thread System [4:144] 89EF2A24

---- EOF - GMER 1.0.15 ----


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5709

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/8/2011 9:20:55 PM
mbam-log-2011-02-08 (21-20-55).txt

Scan type: Quick scan
Objects scanned: 198770
Time elapsed: 10 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Welcome to TechSpot, Jay!
The preliminary steps are just that> a beginning. If you read our text, you will note that they are not meant to find and remove all malware. The System Defragmenter may prevent you from launching any executable on your computer as the program will say they are corrupted. When you attempt to run them it will display the following message:
System Error!
Exe file is corrupted and can't be run. Hard drive scan required.
Scan Hard Drive

Have you noticed this? You may also be advised of fake problems which 'require' you to purchase the program to remove:>>>Don't take any action on these alerts. There may also be fake alerts from your Windows taskbar> referring to "Critical Errors." Don't take action on any of these scare tactics.

This usually shows up in Malwarebytes but there is nothing in this log. Did you run Mbam previously and see this malware? If not, how do you know it's on the system?
==================================
I'd like you to remove the following Domains from the Trusted Zone. Nothing needs to be in that zone.
Trusted Zone: aplus.net\cp
Trusted Zone: jayfrenchtherapy.com\www

Access Internet Options from either Tools in IE or the Control Panel> Security tab> Trusted Sites> Sites> Paste or type each in> Click on Remove>> when both have been removed> Click on OK> Apply> OK.
Sometimes, when a group has an Intranet set up among them, they will set up in the Trusted Zone. But the security is lower in the zone, so it's best to avoid putting anything in it.
====================================
You have one security breach> your Java is way behind for updates and older versions are vulnerabilities to the system. The version you have is v5u6. The current version is v6u23. Please check this site for update: Java Updates. Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system. You will also need to remove the outdated versions of the Java plug-ins in Firefox.
=======================================================
I'll be checking these logs while you run the scans.
Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
===============================
Download Combofix to your desktop from one of these locations:
Link 1
Link 2
http://www.forospyware.com/sUBs/ComboFix.exe
  • Double click combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Query- Recovery Console image
    RcAuto1.gif

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    whatnext.png
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe
    cf-icon.jpg
    & follow the prompts to run.
  • When the scan completes it will open a text window. Please paste that log in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
=======================================
I notice you did two System Restores:
RP776: 2/8/2011 9:47:42 AM - Restore Operation
RP777: 2/8/2011 9:57:58 AM - Restore Operation

Are the logs you left from before or after?
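The advice above boils down to three things a helper looks for in the DDS "Pseudo HJT Report": domains sitting in the Trusted Zone (none should be there), toolbar/BHO entries that point at "No File" (orphaned registrations), and Java plug-in paths that reveal an out-of-date runtime. The following script is an added example, not part of this thread and not DDS's or TechSpot's own tooling; it runs the same triage over a handful of report lines copied from the log above (the sample list, the `CURRENT_JAVA` reference taken from the helper's "v6u23", and the function names are all assumptions of this example).

```python
"""Triage a few DDS 'Pseudo HJT Report' lines the way a malware-removal helper
reads them: Trusted Zone entries, orphaned 'No File' toolbars/BHOs, and
outdated Java runtimes.  Added example; not code from DDS or this forum."""
import re
from typing import Dict, List, Optional, Tuple

# Reference version the helper quotes as current in this thread (v6u23).
# Assumption of this example: treat anything below it as outdated.
CURRENT_JAVA: Tuple[int, int] = (6, 23)

# "jre1.5.0_06" -> Java 5 update 6; "jinstall-1_5_0_06" -> the same runtime.
JRE_PATH_RE = re.compile(r"jre1\.(\d+)\.\d+_(\d+)", re.IGNORECASE)
JINSTALL_RE = re.compile(r"jinstall-1_(\d+)_\d+_(\d+)", re.IGNORECASE)

# Constructed sample: lines copied from the report shape shown in the thread.
SAMPLE_REPORT: List[str] = [
    r"uStart Page = about:blank",
    r"BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll",
    r"TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File",
    r"TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -",
    r"Trusted Zone: aplus.net\cp",
    r"Trusted Zone: jayfrenchtherapy.com\www",
    r"DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab",
    r"FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll",
]


def java_version(line: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) for a Java runtime path or installer cab in the line."""
    match = JRE_PATH_RE.search(line) or JINSTALL_RE.search(line)
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))


def triage(lines: List[str]) -> Dict[str, list]:
    """Collect the three findings a helper acts on from report lines."""
    findings: Dict[str, list] = {"trusted_zone": [], "no_file": [], "outdated_java": []}
    seen_java = set()
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        # Anything in the Trusted Zone lowers IE security for that site.
        if line.startswith("Trusted Zone:"):
            findings["trusted_zone"].append(line.split(":", 1)[1].strip())
        # Toolbar/BHO registrations whose DLL no longer exists.
        elif line.startswith(("TB:", "BHO:")) and line.endswith("- No File"):
            findings["no_file"].append(line)
        # Java versions appear in BHO, DPF and Firefox plugin lines; report each once.
        version = java_version(line)
        if version and version < CURRENT_JAVA and version not in seen_java:
            seen_java.add(version)
            findings["outdated_java"].append(version)
    return findings


def summarize(findings: Dict[str, list]) -> str:
    """Human-readable summary in the helper's terms."""
    parts = [
        f"Trusted Zone entries to remove: {len(findings['trusted_zone'])}",
        f"Orphaned 'No File' entries: {len(findings['no_file'])}",
        "Outdated Java: " + ", ".join(f"v{m}u{u}" for m, u in findings["outdated_java"]),
    ]
    return "; ".join(parts)


if __name__ == "__main__":
    print(summarize(triage(SAMPLE_REPORT)))
```

Running it against the sample prints the two Trusted Zone domains, the one orphaned toolbar and "v5u6" as outdated, which is exactly the set of items the helper asks JayF to act on.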
 
Thank you, Bobbye.

I will take the steps you suggest. In the meantime, answers to your questions:

The 2 system restores were prior to following the steps.
I believe the majority of the malware was previously removed by Malwarebytes/Avast. I am no longer getting the system error popups. The issue that remains is that IE and Firefox redirect all searches to random webpages that attempt to download Trojans (now being caught and prevented by avast).

I will reply again after I have followed your steps (later this evening.)
 
I've done the things you suggested, but got hung up on the combotool. The eset scan came out clean (I'll give you the log if you want it).

Here's what happened with the combotool:

Tried downloading from the website onto the infected computer -- the download hung.
I restarted, then downloaded the executable onto another box and transferred it via a flash drive, then ran the executable on the infected computer in safe mode. This worked, but it asked for the system recovery console. I wasn't on line (safe mode), so I aborted this and rebooted into normal mode. The computer blue-screened on reboot. I rebooted again, no blue-screen this time, then tried running the executable again, and got another bluescreen immediately.

I now apparently need to recover from the combo tool.... Although the computer does restart normally again.

Appreciate your help thus far and I'm open to further suggestions...
 
I'm realizing you could probably use a bit more info, so I'm attaching logs below.
1. The first 2 times I ran Malwarebytes (before I did the 8 steps I ran Malwarebytes twice).
2. The log from Eset (just ran last night).
Also, when I ran Avast during the 8 steps, it caught and quarantined 3 files. Do you want the names of those files?

Re: Combofix, I'm wondering if I should run a system restore to the restore point I created immediately before trying to run it. Will wait for instructions before doing that.

Here are the logs I mentioned:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5363

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

2/8/2011 12:44:33 AM
mbam-log-2011-02-08 (00-44-33).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 315667
Time elapsed: 47 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Owner\local settings\Temp\573.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5709

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

2/8/2011 6:03:55 AM
mbam-log-2011-02-08 (06-03-55).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 322244
Time elapsed: 43 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\cisvfmon.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\cisvfmon.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\1453E8.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\tmp33.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{3a579f61-82cf-4117-919a-db7b394cd5bc}\RP768\A0084167.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{3a579f61-82cf-4117-919a-db7b394cd5bc}\RP770\A0085098.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{3a579f61-82cf-4117-919a-db7b394cd5bc}\RP770\A0085100.exe (Rogue.WindowsDisk) -> Quarantined and deleted successfully.
c:\system volume information\_restore{3a579f61-82cf-4117-919a-db7b394cd5bc}\RP770\A0085101.exe (Trojan.Agent) -> Quarantined and deleted successfully.


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=acf6465bf55dbd47bfcdb1255e01494f
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-02-10 06:57:14
# local_time=2011-02-09 10:57:14 (-0800, Pacific Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=768 16777215 100 0 3408653 3408653 0 0
# compatibility_mode=4864 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=135634
# found=0
# cleaned=0
# scan_time=9456
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=acf6465bf55dbd47bfcdb1255e01494f
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-02-10 09:40:24
# local_time=2011-02-10 01:40:24 (-0800, Pacific Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=768 16777215 100 0 3422456 3422456 0 0
# compatibility_mode=4864 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=135999
# found=0
# cleaned=0
# scan_time=5444
 
Do not do a System Restore!


Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg

Then download the full Combofix program on a flash drive. Install it on the problem computer. If you can run it in Normal Mode with internet connection, it is best to install the Recovery Console. If you cannot do this, don't abort the program, just override the query and click on scan.

The Eset scan is clean. Mbam shows numerous malware entries removed. Now I have to find the remaining entries and remove them. But I need to see the Combofix report so I can set up the script to do that.

Edit: Just saw your next reply. It would be better if you did not run Avast while we're cleaning>>>
Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
When I try the Combofix uninstall, I get
"Windows cannot find Combofix"

I do know that combofix ran though -- it created a C:\Combofix folder that has a mirror of my C drive in it.

Also, I am not running other cleaning programs etc. I was just reporting what Avast found yesterday when I was going through the 8 steps.

I'll wait to hear from you for my next move re: combofix.. Thanks for your help.
 
Okay, do you have the log from the scan you did? It should be C:\ComboFix.txt. Paste that in for me. Mbam shows the malware in temp files> if you ran TFC or Combofix previously, they should have been removed. The other entries are in the restore points and will be handled later.
 
No, there's no combofix.txt file.

There is only a combofix folder on the C:\ drive which contains an exact mirror of
the drive (see attached image file for a screenshot --- it's kind of freaky).
 

Attachment: combofix_nested_drives.JPG (45.6 KB)
Yeah it is! When you downloaded Combofix, did you save it to the desktop? Next step would have been to double click on the setup to install.

Somehow, Combofix has set itself up as a separate drive on the system instead of just a directory. I think that happened in the 'save' process. That's why the process can't be found.
 
I did copy combofix to the desktop. It is possible, though, that I originally ran it from the flash drive I used to transfer the .exe (drive F:). I can't find combofix.txt there either though.
 
Not sure what to do at this point. I'm looking for some guidance.... I feel like I need to roll back the effects of combofix somehow. Any ideas?

Thanks in advance
 
Can you boot into Normal Mode now and connect to the internet?

I don't think the uninstall is going to work for Combofix because all you downloaded and installed was the executable. If you can connect, I'd like you to try and start over with Combofix> see if the system will take a new download to desktop, then double click to install.
 
So I tried combofix again and got a bluescreen right away. The message was:

Driver_left_locked_pages_in_process

There's no text file in C:\
 
Combofix must have gotten corrupt when you aborted the scan. Please run this:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    combofix.*
    :dir
    C:\Combofix
    :process
    combofix.exe 
    :folderfind
    C:\ComboFix.txt.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
Sadly, I can no longer log in to the computer. Apparently the virus has changed the logon password.

I will try the other accounts, but I'm pessimistic. Any ideas? I'm about to pull the plug on this and wipe the hard drive...
 
OK. Apparently the virus let me log on today. I think it has a primitive sense of humor. I was able to run systemcheck in safe mode. Here is the log:

SystemLook 04.09.10 by jpshortstuff
Log created at 19:22 on 15/02/2011 by Jay
Administrator - Elevation successful

========== filefind ==========

Searching for "combofix.*"
C:\Documents and Settings\Owner\Desktop\ComboFix.exe --a---- 4267704 bytes [02:19 14/02/2011] [02:19 14/02/2011] D56DED6CD703E2846297FC2D17105483

========== dir ==========

C:\Combofix - Parameters: "(none)"

---Folders---
N_ d------ [07:35 10/02/2011]

========== process ==========

combofix.exe - Unable to open process handle.

========== folderfind ==========

Searching for "C:\ComboFix.txt."
No folders found.
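Added example, not SystemLook's, ComboFix's or the posters' own code: a small Python parser for the SystemLook `filefind`/`dir` record format shown in the log above, with a check of each recorded MD5 against a known-good table. The sample log reuses records from the log above plus one constructed `F:\ComboFix.exe` record, and the known-good table is a placeholder, not a vendor-published hash.

```python
"""Parse SystemLook 'filefind'/'dir' records and check the recorded MD5s.

Added example, not SystemLook's or ComboFix's own code: the record format
follows the SystemLook log posted in this thread, SAMPLE_LOG reuses lines
from it plus one constructed record, and KNOWN_GOOD is a placeholder table.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# File record: <path> <7-char attrs> <size> bytes [ts] [ts] [<md5, filefind only>]
FILE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-zA-Z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<ts1>\d\d:\d\d \d\d/\d\d/\d{4})\] "
    r"\[(?P<ts2>\d\d:\d\d \d\d/\d\d/\d{4})\]"
    r"(?: (?P<md5>[0-9A-Fa-f]{32}))?$"
)
SECTION_RE = re.compile(r"^========== (\w+) ==========$")


@dataclass
class Entry:
    section: str        # 'filefind' or 'dir'
    path: str           # full path in filefind output, bare name in dir listings
    attrs: str          # attribute flags exactly as printed, e.g. '--a----'
    size: int
    ts1: str            # first bracketed timestamp, HH:MM DD/MM/YYYY (assumed: created)
    ts2: str            # second bracketed timestamp (assumed: last modified)
    md5: Optional[str]  # only filefind records carry a hash


def parse_systemlook(text: str) -> List[Entry]:
    """Return every file record found under the filefind and dir sections."""
    section, entries = "", []
    for line in text.splitlines():
        line = line.rstrip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = FILE_RE.match(line)
        if m and section in ("filefind", "dir"):
            md5 = m["md5"].upper() if m["md5"] else None
            entries.append(Entry(section, m["path"], m["attrs"], int(m["size"]),
                                 m["ts1"], m["ts2"], md5))
    return entries


def check_hashes(entries: List[Entry], known_good: Dict[str, str]) -> Dict[str, str]:
    """Map each path to 'ok', 'mismatch', 'unhashed' (no MD5 in record) or 'unknown'."""
    verdicts = {}
    for e in entries:
        expected = known_good.get(e.path)
        if expected is None:
            verdicts[e.path] = "unknown"       # path not in the table at all
        elif e.md5 is None:
            verdicts[e.path] = "unhashed"      # dir listings print no hash
        else:
            verdicts[e.path] = "ok" if e.md5 == expected.upper() else "mismatch"
    return verdicts


# Constructed sample: the desktop record and the dir lines are copied from the
# log above; the F:\ record and its hash are invented to show a mismatch.
SAMPLE_LOG = r"""
SystemLook 04.09.10 by jpshortstuff
Log created at 19:22 on 15/02/2011 by Jay
Administrator - Elevation successful

========== filefind ==========

Searching for "combofix.*"
C:\Documents and Settings\Owner\Desktop\ComboFix.exe --a---- 4267704 bytes [02:19 14/02/2011] [02:19 14/02/2011] D56DED6CD703E2846297FC2D17105483
F:\ComboFix.exe --a---- 4267704 bytes [02:19 14/02/2011] [02:19 14/02/2011] 0123456789ABCDEF0123456789ABCDEF

========== dir ==========

C:\Combofix - Parameters: "(none)"

---Files---
Combo-Fix.sys --a---- 1024 bytes [07:33 10/02/2011] [07:16 20/08/2010]
firefox.exe --a---- 31232 bytes [07:33 10/02/2011] [20:56 20/04/2009]
"""

# Placeholder table: the value is just the hash recorded in the log above,
# NOT a vendor-published checksum for that ComboFix build.
KNOWN_GOOD = {
    r"C:\Documents and Settings\Owner\Desktop\ComboFix.exe": "D56DED6CD703E2846297FC2D17105483",
    r"F:\ComboFix.exe": "D56DED6CD703E2846297FC2D17105483",
}

if __name__ == "__main__":
    for path, verdict in check_hashes(parse_systemlook(SAMPLE_LOG), KNOWN_GOOD).items():
        print(f"{verdict:9} {path}")
```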
 
To verify: you used this term twice: combotool, which I am taking to mean Combofix. Is that correct? Please don't shorten or change a program because there is a Combotool.

I had hoped to find enough valid Combofix Files and have you selectively delete them and then start over with Combofix. It appears that when you aborted out of the program when the Recovery Console Query came up, it corrupted the program. Some of the files had already downloaded at that point. Then you switched modes and used the flash drive for the executable only. It won't uninstall because there is no uninstaller in the program.

According to the program to find this file, you have the Combofix executable file on the desktop:
C:\Documents and Settings\Owner\Desktop\ComboFix.exe --a---- 4267704 bytes [02:19 14/02/2011] [02:19 14/02/2011] D56DED6CD703E2846297FC2D17105483.

IF you can access the internet directly, go back to the download site for Combofix> download the program and save it to your desktop
IF you still cannot access the internet, use a flash drive> go to the download site for Combofix> download the program, then install it on the problem computer. IF you're offline, just bypass the Recovery Console and go to the Scan

It is possible that there may be an error generated somewhere along the line, but give it a try anyway so we can see what can be done.
 
Thanks for your patience. In answer to your question, all of my references to "Combotool" were to Combofix.

I finally had some success with Combofix, on the 4th try, running in Safe Mode.

Here is the log:

ComboFix 11-02-21.02 - Jay 02/21/2011 23:38:27.1.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1747 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\g2mdlhlpx.exe
c:\program files\Internet Explorer\SET1FC.tmp
c:\program files\Internet Explorer\SET220.tmp
c:\program files\Internet Explorer\SET221.tmp
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2011-01-22 to 2011-02-22 )))))))))))))))))))))))))))))))
.

2011-02-10 04:05 . 2011-02-10 04:05 -------- d-----w- c:\program files\ESET
2011-02-10 03:49 . 2011-02-10 03:49 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-02-10 03:49 . 2011-02-10 03:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-10 03:49 . 2011-02-10 03:49 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-08 18:15 . 2011-01-13 08:41 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-02-08 18:15 . 2011-01-13 08:37 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-02-08 18:15 . 2011-01-13 08:40 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-02-08 18:15 . 2011-01-13 08:37 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-02-08 18:15 . 2011-01-13 08:40 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-02-08 18:15 . 2011-01-13 08:39 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-02-08 18:15 . 2011-01-13 08:37 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-02-08 18:15 . 2011-01-13 08:47 38848 ----a-w- c:\windows\avastSS.scr
2011-02-08 18:15 . 2011-01-13 08:47 188216 ----a-w- c:\windows\system32\aswBoot.exe
2011-02-08 07:55 . 2011-02-08 07:55 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2011-02-08 07:55 . 2010-12-21 02:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-08 07:55 . 2011-02-08 07:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-02-08 07:54 . 2011-02-08 17:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-08 07:54 . 2010-12-21 02:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-08 04:05 . 2011-02-08 04:05 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-30 01:38 . 2010-11-30 01:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-30 01:38 . 2010-11-30 01:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-22 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-22 118784]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-03 267048]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-23 185872]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-07-27 61952]
"Belkin Storage Manager"="c:\program files\Belkin Storage Manager\StorageManager.exe" [2009-02-04 858624]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]

c:\documents and settings\Elana\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Owner\Application Data\Dropbox\bin\Dropbox.exe [2010-2-25 21979992]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-3-16 113664]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Vongo Tray.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Vongo Tray.lnk
backup=c:\windows\pss\Vongo Tray.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-12 06:12 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2006-05-04 05:58 458752 ----a-w- c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2006-07-19 22:14 102400 ----a-w- c:\program files\HP\QuickPlay\QPService.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\SUPDSvc.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Belkin Storage Manager\\StorageManager.exe"=

S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/8/2011 10:15 AM 294608]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/8/2011 10:15 AM 17744]
S2 gupdate1c9c5e9ecdfb80a;Google Update Service (gupdate1c9c5e9ecdfb80a);c:\program files\Google\Update\GoogleUpdate.exe [4/25/2009 1:08 PM 133104]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [6/6/2006 12:39 PM 61952]
S3 GTwinUSB;GTwinUSB;c:\windows\system32\drivers\GTwinUSB.sys [6/28/2004 6:06 PM 61840]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 12:22 PM 34064]
S3 OMNUSB;Omnikey AG CardMan 2020 USB Smart Card Reader;c:\windows\system32\drivers\sccmusbm.sys [11/29/2006 3:20 AM 23936]
S3 Samsung UPD Service;Samsung UPD Service;c:\windows\system32\SUPDSvc.exe [3/24/2009 9:45 AM 127656]
S3 ZD1211BU(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);c:\windows\system32\drivers\ZD1211BU.sys [5/6/2008 11:01 AM 450560]
.
Contents of the 'Scheduled Tasks' folder

2011-01-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:34]

2011-02-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-25 21:07]

2011-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-25 21:07]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:18810
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
DPF: {F4A1DC8A-3D7A-4C28-A5B6-C624B814A702} - hxxps://cp.aplus.net/tools/fileman/FileMan.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\lw29fkqb.default\
FF - prefs.js: browser.search.selectedEngine - Optify Internal
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: FireShot: {0b457cAA-602d-484a-8fe7-c1d894a011ba} - %profile%\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_06\bin\jusched.exe
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-22 00:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1513858752-1868376869-2513186060-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-02-22 00:19:47
ComboFix-quarantined-files.txt 2011-02-22 08:19

Pre-Run: 57,180,925,952 bytes free
Post-Run: 57,281,015,808 bytes free

- - End Of File - - FF98FC26A13F3C42EC1FA835F11CC02F
 
Okay, are you having any noticeable system problems at this point?
I would like to make you aware of the risk you take with file sharing:

Dropbox is for Photo and video sharing online. The word 'share' is the operative word here. Just keep in mind that you and the person you share the video or photo with may have 'other' files in the system that will also get 'shared.'
Note: Even if you are using a "safe" P2P program, it is only the program that is safe.
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.
===================================
Question: these are different than what appeared in the DDS log. Have you set them?
uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:18810
uInternet Settings,ProxyOverride = <local>

Are you able to run the scan in Normal Mode?
 
Hi, Bobbye

Just tried going online. The redirects are still happening. I didn't see any of the other symptoms, but I didn't stay on that long.

Re: dropbox -- I needed this for my last gig. I will be unsubscribing/purging it as soon as I can. I'm aware of the risks -- I think the likelihood of them infecting me was low .... they were an Apple house, with pretty good security. I hope I haven't infected them.

Re this:

uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:18810
uInternet Settings,ProxyOverride = <local>

I did change the home page to about:blank.
I did not make the other two changes -- that might be virus activity.

I will try running the scan in normal mode. If it works I'll attach the log.
 
Okay -- I tried running Combofix in normal mode 3 times. The first time I got a blue screen immediately. The 2nd time it hung on loading. The 3rd time I rebooted, ran the combofix /uninstall command, which it bluescreened at the end of. Then I tried running combofix again and got another blue screen. I think it's safe to say I can't run it in normal mode.
 
Also, I investigated the proxy settings -- I think those are old settings left over from a corporate VPN; as far as I know they aren't active any more. I just removed them.
 
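The proxy lines Bobbye and JayF are discussing (`uInternet Settings,ProxyServer = http=127.0.0.1:18810`) are worth checking on any DDS/ComboFix log: a proxy that points at 127.0.0.1 on an unusual port can be a leftover local VPN or AV filter, as JayF suspects, or a component that sits between the browser and the network. The script below is an added example written for this thread; it is not part of any post here and not code from DDS, ComboFix or TDSSKiller. It parses ProxyServer/ProxyOverride lines from constructed sample text in the same format the log above uses and reports what each one means and what to verify next.

```python
"""Triage the IE proxy lines that DDS/ComboFix print in their 'Supplementary Scan'.

Added example for this thread; not code from DDS, ComboFix or TDSSKiller.
The only input it needs is the log text itself.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the DDS/ComboFix format shown in the log above.
# 'u' = per-user (HKCU) setting, 'm' = machine-wide (HKLM) setting.
SAMPLE_LOG = """\
uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:18810
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\\progra~1\\MICROS~4\\Office12\\EXCEL.EXE/3000
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
"""

PROXY_LINE = re.compile(
    r"^(?P<scope>[um])Internet Settings,(?P<key>ProxyServer|ProxyOverride)\s*=\s*(?P<value>\S.*)$"
)


@dataclass
class Finding:
    line: str
    severity: str   # "info" or "review"
    reason: str


def parse_proxy_server(value: str):
    """Split a ProxyServer string into {protocol: (host, port)}.

    Windows stores either a single 'host:port' (applies to every protocol,
    reported under key '*') or a ';'-separated list such as
    'http=host:port;https=host:port'.
    """
    result = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        proto, _, hostport = part.rpartition("=")   # no '=' -> proto == ''
        proto = proto or "*"
        host, sep, port = hostport.rpartition(":")
        if not sep or not port.isdigit():
            result[proto] = (hostport, None)        # keep raw entry if unparsable
            continue
        result[proto] = (host, int(port))
    return result


def is_loopback(host: str) -> bool:
    """True for localhost, 127.0.0.0/8 or ::1, i.e. a proxy running on this PC."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False


def triage_proxy_lines(log_text: str):
    """Return one Finding per ProxyServer target and per ProxyOverride line."""
    findings = []
    for raw in log_text.splitlines():
        m = PROXY_LINE.match(raw.strip())
        if not m:
            continue
        scope = "per-user (HKCU)" if m["scope"] == "u" else "machine (HKLM)"
        if m["key"] == "ProxyOverride":
            findings.append(Finding(raw, "info", f"{scope} proxy bypass list: {m['value']}"))
            continue
        for proto, (host, port) in parse_proxy_server(m["value"]).items():
            target = f"{host}:{port}" if port is not None else host
            if is_loopback(host):
                findings.append(Finding(raw, "review",
                    f"{scope} {proto} traffic is sent to a proxy on this machine ({target}); "
                    "check which process listens on that port (netstat -anob) and whether it "
                    "is software you installed (VPN/AV filter) or an unknown binary"))
            else:
                findings.append(Finding(raw, "info",
                    f"{scope} {proto} traffic goes through {target}; confirm it is a proxy you expect"))
    return findings


if __name__ == "__main__":
    for f in triage_proxy_lines(SAMPLE_LOG):
        print(f"[{f.severity}] {f.line}\n    {f.reason}")
```

Running it on the sample flags the `http=127.0.0.1:18810` line for review and lists the `<local>` bypass entry as informational. The point of the loopback check is that the log alone cannot tell a legitimate local filter from an unwanted one; the port owner on the live system can.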
Okay then- if you can get online, download and run the following program. If you cannot get online, download to flash drive and run on problem computer:
  • Download the file TDSSKiller.zip and save to the desktop.
    (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
  • Right-click the tdsskiller.zip file > Select Extract All into a folder on the infected (or potentially infected) PC.
  • Double click on TDSSKiller.exe to run the scan.
  • When the scan is over, the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
  • Select the action Quarantine to quarantine detected objects.
    The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
  • After clicking Next, the utility applies selected actions and outputs the result. Please leave the log.
  • A reboot is required after disinfection.
 