Solved Redirecting on search results, popups, McAfee damaged


R2D2B9

McAfee gives an error:

"The ordinal 1112 could not be located in the dynamic link library WSOCK32.dll"

Computer constantly redirects or opens pop-ups during web browsing.

Log files posted below:

-----------------------------------------------

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.11.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
HP_Owner :: YOUR-D0F670B45A [administrator]

4/11/2012 5:16:55 PM
mbam-log-2012-04-11 (17-16-55).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 216501
Time elapsed: 39 minute(s), 20 second(s)

Memory Processes Detected: 1
C:\WINDOWS\system32\0uN0drVDp.com (Backdoor.Agent.H) -> 1964 -> Delete on reboot.

Memory Modules Detected: 1
C:\WINDOWS\system32\lvuvc.dll (RootKit.0Access.H) -> Delete on reboot.

Registry Keys Detected: 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Trojan.Krypt) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 18
C:\WINDOWS\system32\lvuvc.dll (RootKit.0Access.H) -> Delete on reboot.
C:\WINDOWS\system32\0uN0drVDp.com_ (Backdoor.Agent.H) -> Delete on reboot.
C:\WINDOWS\system32\0uN0drVDp.com (Backdoor.Agent.H) -> Delete on reboot.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\sghj0.6884074251720731.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tue0.01720785359643806.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tue0.1432090184478646.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tue0.34209091113649404.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tue0.382014815493416.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tue0.40010392119493454.exe (Trojan.CryptPro.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tue0.5235407241632137.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tue0.7574299220759129.exe (Trojan.CryptPro.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tue0.7885395720864793.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tue0.8548748101895046.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\hki2406.exe (Backdoor.Agent.H) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\dpqpws\setup.exe (Trojan.Krypt) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\ggndao\setup.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Desktop\Security Updates.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\jika0.7963916282801337.exe (Exploit.Drop.6) -> Quarantined and deleted successfully.

(end)
--------------------------------------------------------------------------------------------------------

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-04-11 18:19:16
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7 WDC_WD1600JS-60NCB1 rev.10.02E02
Running: kpu00bdf.exe; Driver: C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\uflcraoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateKey [0xF20BF6C6]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateValueKey [0xF20BF91C]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEEE3138B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEEE313B5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEEE31375]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEEE313CB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEEE3139F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----
 
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 11/8/2006 5:01:26 PM
System Uptime: 4/11/2012 5:59:32 PM (1 hours ago)
.
Motherboard: ECS | | Asterope3
Processor: Intel(R) Pentium(R) 4 CPU 3.06GHz | CPU 1 | 3065/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 142 GiB total, 125.208 GiB free.
D: is FIXED (FAT32) - 7 GiB total, 0.301 GiB free.
F: is Removable
G: is Removable
H: is Removable
I: is CDROM ()
J: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP118: 10/29/2011 10:32:24 AM - System Checkpoint
RP119: 11/27/2011 9:58:51 AM - System Checkpoint
RP120: 12/3/2011 3:49:32 PM - System Checkpoint
RP121: 12/3/2011 4:47:57 PM - Software Distribution Service 3.0
RP122: 12/3/2011 4:53:35 PM - Software Distribution Service 3.0
RP123: 12/5/2011 6:39:46 PM - System Checkpoint
RP124: 12/6/2011 11:00:17 AM - Software Distribution Service 3.0
RP125: 12/19/2011 1:54:05 PM - Software Distribution Service 3.0
RP126: 12/24/2011 11:39:08 AM - System Checkpoint
RP127: 12/28/2011 2:26:38 PM - Restore Operation
RP128: 12/28/2011 2:43:23 PM - Software Distribution Service 3.0
RP129: 12/28/2011 2:59:44 PM - Software Distribution Service 3.0
RP130: 1/1/2012 11:45:48 AM - Software Distribution Service 3.0
RP131: 1/13/2012 2:01:01 PM - System Checkpoint
RP132: 1/14/2012 11:00:18 AM - Software Distribution Service 3.0
RP133: 1/16/2012 4:18:52 PM - Software Distribution Service 3.0
RP134: 1/16/2012 4:35:31 PM - Software Distribution Service 3.0
RP135: 1/16/2012 5:19:17 PM - Software Distribution Service 3.0
RP136: 1/17/2012 6:13:46 PM - System Checkpoint
RP137: 1/23/2012 4:04:04 PM - System Checkpoint
RP138: 1/24/2012 4:24:11 PM - System Checkpoint
RP139: 2/1/2012 4:54:46 PM - Software Distribution Service 3.0
RP140: 2/17/2012 2:54:30 PM - Software Distribution Service 3.0
RP141: 3/5/2012 3:32:07 PM - System Checkpoint
RP142: 3/23/2012 11:00:41 AM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 7.0.5
AiO_Scan_CDA
AiOSoftwareNPI
ATI Control Panel
ATI Display Driver
AutoUpdate
BufferChm
COMODO Internet Security
CP_CalendarTemplates1
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Panorama1Config
CueTour
Customer Experience Enhancement
CustomerResearchQFolder
Data Fax SoftModem with SmartCP
Destinations
DeviceManagementQFolder
DivX
Easy Internet Sign-up
eSupportQFolder
F300
F300_Help
Fax_CDA
FullDPAppQFolder
High Definition Audio Driver Package - KB888111
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Boot Optimizer
HP Customer Participation Program 7.0
HP DVD Play 2.1
HP Imaging Device Functions 7.0
HP Photosmart Essential
HP Photosmart, Officejet and Deskjet 7.0.A
HP Software Update
HP Solution Center 7.0
HP Support Overview
HP USB Multimedia Keyboard Driver V1.1
HP Web Helper
HPPhotoSmartExpress
HPProductAssistant
HpSdpAppCoreApp
InstantShareDevicesMFC
J2SE Runtime Environment 5.0 Update 6
Java Auto Updater
Java(TM) 6 Update 31
LightScribe 1.4.105.1
Malwarebytes Anti-Malware version 1.61.0.1400
MarketResearch
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft Money 2006
Microsoft Office Professional Edition 2003
Microsoft Office Standard Edition 2003 60 days trial
Microsoft Works
Mozilla Firefox 11.0 (x86 en-US)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
muvee autoProducer 5.0
My HP Games
Netscape Browser (remove only)
NewCopy_CDA
PC-Doctor 5 for Windows
PhotoGallery
ProductContextNPI
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
Quicken 2006
RandMap
Readme
RealPlayer
Realtek High Definition Audio Driver
Remove WeatherBug Installer
Rhapsody
Scan
ScannerCopy
Security Update for Microsoft Windows (KB2564958)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
SkinsHP1
SolutionCenter
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sonic_PrimoSDK
Status
Toolbox
TrayApp
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB978207)
Update for Windows XP (KB980182)
Updates from HP (remove only)
Verizon Broadband Toolbar
Verizon Help and Support Tool
Verizon Servicepoint 1.5.12
Vz In Home Agent
WebFldrs XP
WebReg
WildTangent Web Driver
Windows Internet Explorer 8
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
Yahoo! Search Protection
Yahoo! Software Update
Yahoo! Toolbar
.
==== Event Viewer Messages From Past Week ========
.
4/9/2012 1:16:40 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
4/9/2012 1:16:40 PM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/9/2012 1:15:59 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
4/8/2012 9:44:20 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
4/8/2012 9:44:20 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/11/2012 6:15:00 PM, error: Schedule [7901] - The At86.job command failed to start due to the following error: %%2147942402
4/11/2012 6:15:00 PM, error: Schedule [7901] - The At85.job command failed to start due to the following error: %%2147942402
4/11/2012 6:15:00 PM, error: Schedule [7901] - The At38.job command failed to start due to the following error: %%2147942402
4/11/2012 6:15:00 PM, error: Schedule [7901] - The At37.job command failed to start due to the following error: %%2147942402
4/11/2012 6:01:39 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde ViaIde
4/11/2012 6:00:06 PM, error: Service Control Manager [7023] - The Avsvcmonitor service terminated with the following error: The specified module could not be found.
4/11/2012 6:00:05 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
.
==== End Of File ===========================
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31
Run by HP_Owner at 18:20:26 on 2012-04-11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.552 [GMT -4:00]
.
AV: McAfee VirusScan Enterprise *Disabled/Outdated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: COMODO Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\HP USB Multimedia Keyboard\KMaestro.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Yahoo!\Search Protection\YspService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
\\.\globalroot\SystemRoot\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\ping.exe
C:\WINDOWS\System32\ping.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearch Page =
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uWindow Title = Windows Internet Explorer provided by Yahoo!
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearchAssistant =
mSearchAssistant =
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Yahooo Search Protection: {25bc7718-0bfa-40ea-b381-4b2d9732d686} - c:\program files\yahoo!\search protection\ysp.dll
BHO: Verizon Broadband Toolbar: {4e7bd74f-2b8d-469e-8cb0-ab60bb9aae22} - c:\progra~1\vol_to~1\VOL_TO~1.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Verizon Broadband Toolbar: {4e7bd74f-2b8d-469e-8cb0-ab60bb9aae22} - c:\progra~1\vol_to~1\VOL_TO~1.DLL
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\YspService.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [<NO NAME>]
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"
mRun: [VerizonServicepoint.exe] "c:\program files\verizon\vsp\VerizonServicepoint.exe" /AUTORUN
mRun: [BtcMaestro] "c:\program files\hp usb multimedia keyboard\KMaestro.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: Interfaces\{80443072-5384-4D29-A197-604ECE8884D8} : DhcpNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\hp_owner\application data\mozilla\firefox\profiles\b8jqba6g.default\
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_228.dll
.
============= SERVICES / DRIVERS ===============
.
P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2006-11-30 144960]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2011-10-7 492768]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2011-10-7 31704]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2011-10-7 1883328]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2007-11-30 104000]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2006-11-30 54872]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-11-30 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-11-30 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-11-30 168776]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-11 253600]
.
=============== Created Last 30 ================
.
2012-04-11 22:13:29 -------- d-----w- c:\documents and settings\hp_owner\local settings\application data\Mozilla
2012-04-11 21:14:24 -------- d-----w- c:\documents and settings\hp_owner\application data\Malwarebytes
2012-04-11 21:13:04 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-04-11 21:13:01 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-11 21:13:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-11 21:12:43 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-11 21:12:42 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
==================== Find3M ====================
.
2012-04-11 21:59:57 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-04-11 21:11:37 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-11 21:11:37 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 18:21:29.00 ===============
 
There is an abundance of malware on this system! As for this:

Re: the ordinal 1112 could not be located in the dynamic link library WSOCK32.dll

The problem isn't with McAfee but with your winsock.dll file. I'll have you use the System File Checker if it persists after the system is clean, if it can be cleaned!

The error is potentially the result of an infection which has replaced the original winsock file or corrupted it. If the issue still persists after the sfc scan, then potentially the virus/rootkit is still present.
==========================================
There are several infections from a Backdoor, so here's what you need to know:

What is a Backdoor.bot?
This is a piece of malware that has worm, downloader, backdoor, keylogger and spy ability. It may arrive on a system after being exploited by a copy of the worm residing on an infected machine in the network. After execution, the malware will inject a piece of code in kernel mode (by gaining access to \Device\PhysicalMemory). It will make a copy of itself inside c:\windows\fonts\unwise_.exe (hidden), execute it and continue execution there. The original file will then be deleted. The worm will register itself as a service under the name: Windows Hosts Controller, and set the information to "Enables Windows Host Controller Service. This service cannot be stopped.", discouraging users from deleting it.
- The worm has the ability to spread via:
o USB drives; when it detects a new drive, it will make a fresh copy of itself on the USB drive in the following directory:
Recycler\S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxx\file-name.exe. It will also create an autorun.inf file that points to the new copy.

And yes, it makes Registry changes to the firewall and the Security Center. It can do or cause:
  1. Use of the machine as part of a botnet (e.g. to perform automated spamming or to distribute Denial-of-service attacks)
  2. Data theft (e.g. retrieving passwords or credit card information)
  3. Installation of software, including third-party malware
  4. Downloading or uploading of files on the user's computer
  5. Modification or deletion of files
  6. Keystroke logging
  7. Watching the user's screen
  8. Wasting the computer's storage space
  9. Crashing the computer

Being advised of this, would you rather consider a reformat/reinstall instead of an attempt to clean, which may not find or remove all of its code?
=============================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't follow directions given to someone else
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
Threads are closed after 5 days if there is no reply.
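The USB spreading pattern described above (a copy under Recycler\S-x-x-...\file-name.exe plus an autorun.inf pointing at it) can be checked for without running anything from the drive. The following is an added example written for this thread, not a tool from the post or from any of the scanners it mentions; it builds a constructed sample drive in a temporary folder, parses the autorun.inf launch keys, and lists executables sitting in SID-named folders under a Recycler directory. The folder names, SID and file names are invented for the sample.

```python
"""Inspect a mounted removable drive for the autorun.inf + Recycler worm layout.
Added example, not part of the original thread; run it against a real mount
point by passing the drive's root path to inspect_removable_drive()."""
import os
import re
import tempfile

# Directory names the worm hides under, and the SID-like subfolder it creates.
RECYCLER_NAMES = {"recycler", "$recycle.bin", "recycled"}
SID_DIR_RE = re.compile(r"^S-\d+-\d+(?:-\d+)+$", re.IGNORECASE)
# Extensions Windows will execute directly from an autorun entry.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs"}
# autorun.inf keys that name something to launch.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(text):
    """Return launch targets from autorun.inf text (lower-cased, quotes stripped)."""
    targets = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in LAUNCH_KEYS:
                targets.append(value.strip().strip('"').lower())
    return targets


def find_recycler_executables(root):
    """List executables sitting in SID-named folders under a Recycler directory."""
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        if os.path.basename(dirpath).lower() not in RECYCLER_NAMES:
            continue
        for sub in dirnames:
            if not SID_DIR_RE.match(sub):
                continue
            for fname in os.listdir(os.path.join(dirpath, sub)):
                if os.path.splitext(fname)[1].lower() in EXEC_EXT:
                    full = os.path.join(dirpath, sub, fname)
                    found.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(found)


def inspect_removable_drive(root):
    """Combine both checks and report whether the drive shows the worm's layout."""
    targets = []
    # Windows file names are case-insensitive, so accept any spelling of autorun.inf.
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            with open(os.path.join(root, name), encoding="utf-8", errors="replace") as fh:
                targets = parse_autorun(fh.read())
    executables = find_recycler_executables(root)
    points_to_recycler = any(
        t.replace("\\", "/").lstrip("./").split("/")[0] in RECYCLER_NAMES for t in targets
    )
    return {
        "autorun_targets": targets,
        "recycler_executables": executables,
        "autorun_points_to_recycler": points_to_recycler,
        "suspicious": points_to_recycler or bool(executables),
    }


def build_sample_drive():
    """Constructed sample: a fake removable drive laid out as the post describes."""
    root = tempfile.mkdtemp(prefix="usb_sample_")
    sid_dir = os.path.join(root, "Recycler", "S-1-5-21-1234567890-1234567890-123456789-1000")
    os.makedirs(sid_dir)
    with open(os.path.join(sid_dir, "file-name.exe"), "wb") as fh:
        fh.write(b"MZ placeholder, not a real program")
    with open(os.path.join(root, "autorun.inf"), "w", encoding="utf-8") as fh:
        fh.write("[autorun]\n"
                 "open=Recycler\\S-1-5-21-1234567890-1234567890-123456789-1000\\file-name.exe\n"
                 "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n")
    return root


if __name__ == "__main__":
    for key, value in inspect_removable_drive(build_sample_drive()).items():
        print(f"{key}: {value}")
```

The check only reads file names and the text of autorun.inf; it never opens the executable it finds. A drive that trips either check should be treated as the vaccine step below treats it, not browsed with Explorer's autoplay enabled.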
 
If this thing really is as badly infected as you say, a reformat is likely in order. But first a few questions???

- Given the malicious nature of this infection, what is a safe way to backup some files (documents and pictures) without propagating the infection? If I burn to CD/DVD is this safe? Sounds like a jump drive is out.

- The infected machine is my Uncle's, it was on my home network for about 5 minutes to download scan software. The other (clean) machine on the network at the time had Comodo firewall set to "block all" traffic. Additionally I transferred the log files from the infected machine to the other machine with a USB drive. The drive was in the clean machine for about 15 seconds, not ejected, just pulled out as soon as the 4 files were copied. Is the clean system now compromised, how do I check?

- How do I clean/check the jump drive without compromising any other systems?
 
You can disinfect the flash drive and any other movable drives:
  • Please download Panda USB Vaccine (you must provide a valid e-mail address and they will send the download link to it) to your desktop.
  • Install and run it.
  • Plug in USB drive and click on Vaccinate USB and Vaccinate computer.
============================================
FYI:
1. One of the infected files, lvuvc.dll, appears to be for the Logitech Webcam. This shows the Zero Access Rootkit. My guess is that it was downloaded from a 'dirty' site.

2. Most of the infected files are .exe executables, so you do not want to save any .exe files.

3. This is a curious one: A saved Bookmark or Favorite maybe?
C:\Documents and Settings\HP_Owner\Desktop\Security Updates.url (Rogue.Link) -> Quarantined and deleted successfully.
==========================================
I'd like to run 3 more scans to see what remains on the system. However, to be on the safe side, all of the passwords should be changed and any online financial transactions should be monitored.
============================================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Before you run the Combofix scan, please disable any security software you have running.

Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • If prompted for Recovery Console, please allow.
  • Once installed, you should see a blue screen prompt that says:
    • The Recovery Console was successfully installed.
    • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
    • Note: No query will be made if the Recovery Console is already on the system.
  • Close/disable all anti virus and anti malware programs
    (If you need help with this, please see HERE)
  • Close any open browsers.
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • When the scan completes, a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply.
Re-enable your Antivirus software.
Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
========================================
Update and rescan with Malwarebytes: Note: On the Scanner tab, make sure the Perform Full Scan option is selected and then click on the Scan button.
When the scan has finished, you will see the scan-finished box (image: scan-finished.jpg):

  • Click on OK to close box and continue.
  • Click on the Show Results button.
  • Click on the Remove Selected button to remove all the listed malware.
  • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
=======================================
To run the Eset Online Virus Scan:
If you use Internet Explorer:
  1. Open the ESETOnlineScan
  2. Skip to #4 to "Continue with the directions"

    If you are using a browser other than Internet Explorer
  3. Open Eset Smart Installer
    [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
    [o] Double click on the desktop icon to run.
    [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
  4. Continue with the directions.
  5. Check 'Yes I accept terms of use.'
  6. Click Start button
  7. Accept any security warnings from your browser.
  8. Uncheck 'Remove found threats'
  9. Check 'Scan archives'
  10. Leave remaining settings as is.
  11. Press the Start button.
  12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  13. When the scan completes, press List of found threats
  14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  15. Push the Back button, then Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
====================================
I will advise you after I review these logs
====================================
As for backing up,
  • Backup all your documents and important items only.
  • DON'T backup any executable files (.exe .scr .html or .htm)
  • DON'T back up compressed files (zip/cab/rar) that may contain .exe or .scr files
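The backup rules above can be applied mechanically before anything is copied off the infected machine. The following is an added example written for this thread, not a tool from the post: it walks a constructed sample of a user's data folder, refuses the extensions the post names, and goes one step further than the post's wording for .zip files by opening the archive and skipping it only when it actually holds an .exe or .scr member; .cab and .rar cannot be inspected with Python's standard library, so they are skipped as "may contain executables". All file names in the sample are invented.

```python
"""Decide which files are safe to copy off an infected machine, following the
post's backup rules. Added example, not part of the original thread."""
import os
import tempfile
import zipfile

# Extensions the helper says not to back up, plus archive types that may hide them.
SKIP_EXT = {".exe", ".scr", ".html", ".htm"}
ARCHIVE_EXT = {".zip", ".cab", ".rar"}
EXEC_IN_ARCHIVE = {".exe", ".scr"}


def classify_for_backup(path):
    """Return (keep, reason) for one file.

    .zip archives are opened and read only for their member names; .cab and
    .rar cannot be inspected here, so they are refused as 'may contain'."""
    ext = os.path.splitext(path)[1].lower()
    if ext in SKIP_EXT:
        return False, f"executable/web file ({ext})"
    if ext == ".zip":
        try:
            with zipfile.ZipFile(path) as zf:
                bad = [n for n in zf.namelist()
                       if os.path.splitext(n)[1].lower() in EXEC_IN_ARCHIVE]
        except zipfile.BadZipFile:
            return False, "unreadable zip archive"
        if bad:
            return False, "zip contains " + ", ".join(bad)
        return True, "zip without executables"
    if ext in ARCHIVE_EXT:
        return False, f"{ext} archive cannot be inspected, may contain executables"
    return True, "document or media file"


def select_backup_files(root):
    """Walk a data folder and split its files into keep/skip lists (paths relative to root)."""
    keep, skip = [], []
    for dirpath, _, filenames in os.walk(root):
        for fname in filenames:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ok, reason = classify_for_backup(full)
            (keep if ok else skip).append((rel, reason))
    return sorted(keep), sorted(skip)


def build_sample_user_data():
    """Constructed sample folder; nothing here comes from the infected machine."""
    root = tempfile.mkdtemp(prefix="backup_sample_")
    os.makedirs(os.path.join(root, "Documents"))
    os.makedirs(os.path.join(root, "Pictures"))
    files = {
        "Documents/letter.txt": b"hello",
        "Pictures/photo.jpg": b"\xff\xd8\xff",
        "Documents/setup.exe": b"MZ",
        "Documents/saved_page.htm": b"<html></html>",
        "Documents/archive.rar": b"Rar!",
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    with zipfile.ZipFile(os.path.join(root, "Documents", "clean.zip"), "w") as zf:
        zf.writestr("notes.txt", "plain text")
    with zipfile.ZipFile(os.path.join(root, "Documents", "dirty.zip"), "w") as zf:
        zf.writestr("readme.txt", "plain text")
        zf.writestr("installer.exe", "MZ")
    return root


if __name__ == "__main__":
    kept, skipped = select_backup_files(build_sample_user_data())
    print("copy these:")
    for rel, reason in kept:
        print(f"  {rel}  ({reason})")
    print("leave these behind:")
    for rel, reason in skipped:
        print(f"  {rel}  ({reason})")
```

Point select_backup_files() at the My Documents folder of the account being rescued and copy only the "keep" list to optical media; the "skip" list with its reasons is worth keeping alongside the backup so the owner knows what was left behind and why.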
 
ComboFix

ComboFix 12-04-12.03 - HP_Owner 04/12/2012 17:12:05.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.450 [GMT -4:00]
Running from: c:\documents and settings\HP_Owner\My Documents\Downloads\ComboFix.exe
AV: McAfee VirusScan Enterprise *Disabled/Outdated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\HP_Owner\Desktop\Search.lnk
c:\documents and settings\HP_Owner\WINDOWS
c:\windows\$NtUninstallKB62280$\485945278\@
c:\windows\$NtUninstallKB62280$\485945278\bckfg.tmp
c:\windows\$NtUninstallKB62280$\485945278\cfg.ini
c:\windows\$NtUninstallKB62280$\485945278\Desktop.ini
c:\windows\$NtUninstallKB62280$\485945278\keywords
c:\windows\$NtUninstallKB62280$\485945278\kwrd.dll
c:\windows\$NtUninstallKB62280$\485945278\L\bfhdmwap
c:\windows\$NtUninstallKB62280$\485945278\lsflt7.ver
c:\windows\$NtUninstallKB62280$\485945278\oemid
c:\windows\$NtUninstallKB62280$\485945278\U\00000001.@
c:\windows\$NtUninstallKB62280$\485945278\U\00000002.@
c:\windows\$NtUninstallKB62280$\485945278\U\00000004.@
c:\windows\$NtUninstallKB62280$\485945278\U\80000000.@
c:\windows\$NtUninstallKB62280$\485945278\U\80000004.@
c:\windows\$NtUninstallKB62280$\485945278\U\80000032.@
c:\windows\$NtUninstallKB62280$\485945278\version
c:\windows\$NtUninstallKB62280$\975060391
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\smservaz.dll
D:\Autorun.inf
c:\windows\$NtUninstallKB62280$ . . . . Failed to delete
.
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-03-12 to 2012-04-12 )))))))))))))))))))))))))))))))
.
.
2012-04-11 22:13 . 2012-04-11 22:13 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\Mozilla
2012-04-11 21:14 . 2012-04-11 21:14 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
2012-04-11 21:13 . 2012-04-11 21:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-04-11 21:13 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-11 21:13 . 2012-04-11 21:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-11 21:12 . 2012-04-11 21:12 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-11 21:12 . 2012-04-11 21:12 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-11 21:11 . 2011-12-03 21:22 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22 . 2004-08-04 04:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-03-13 04:39 . 2012-04-11 21:11 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\YspService.exe" [2010-04-01 243000]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 16239616]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 2061816]
"BtcMaestro"="c:\program files\HP USB Multimedia Keyboard\KMaestro.exe" [2007-08-30 344064]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-10-20 2497352]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-07-15 34880]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-10-13 36903]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-10-13 27136]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [10/7/2011 7:48 PM 492768]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [10/7/2011 7:48 PM 31704]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/11/2012 5:11 PM 253600]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
CTSYN
mps9
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-11 21:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearchAssistant =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\b8jqba6g.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-PCDrProfiler - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-12 17:38
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(644)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(700)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'explorer.exe'(164)
c:\windows\system32\WININET.dll
c:\windows\system32\guard32.dll
c:\docume~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
- - - - - - - > 'csrss.exe'(612)
c:\windows\system32\cmdcsr.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\RTHDCPL.EXE
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-04-12 17:45:52 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-12 21:45
.
Pre-Run: 135,935,971,328 bytes free
Post-Run: 137,410,203,648 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - B2200713B587ED4E0F40AAD34DED835B
 
Malwarebytes - Full Scan

Currently Running ESET - will post when complete

------------------------------------------------------------
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.12.08

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
HP_Owner :: YOUR-D0F670B45A [administrator]

4/12/2012 5:49:54 PM
mbam-log-2012-04-12 (17-49-54).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 278403
Time elapsed: 1 hour(s), 5 minute(s), 7 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Qoobox\Quarantine\C\WINDOWS\system32\smservaz.dll.vir (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP140\A0029097.com (Backdoor.Agent.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP143\A0030590.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.

(end)
 
ESET - McAfee on-access

McAfee On-access was running while ESET ran and detected and cleaned/deleted several files. This is surprising as I could not start a manual scan with McAfee or update it due to the WINSOC32 Error. It is now updating properly. The log file from McAfee on-access is very long, I can post it if you would like, but it will take about 6 posts, due to the 50000 character limit.

--------------------------------
C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\notana.jar-641693ef-3f3e9642.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\xmltree.jar-5fadb05-601a0097.zip multiple threats
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\aebplnambrjkghcdefvlt.jar-37a21075-33ffeda6.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\aebplnambrjkghcdefvlt.jar-57301a0e-4f795fea.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\bnvfpesjndwvrmlqtynhb.jar-37cad680-3bcfef04.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\bnvfpesjndwvrmlqtynhb.jar-5d7aa40-53a76b8a.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\lwfndygmenpkrakbg.jar-70598d08-75fb3020.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\mqwgtqr.jar-515ba980-4d791f99.zip Java/Exploit.CVE-2011-3544.AG trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\pyreeqhlckuglwmsmcwak.jar-1f459b78-231306c0.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\pyreeqhlckuglwmsmcwak.jar-7fb791df-72201723.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\undnngwfujadnstqfhnaq.jar-17d1bd16-3e1859d7.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\undnngwfujadnstqfhnaq.jar-1fa12906-1b8475ac.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\utsnbn.jar-4fae89dd-62d08bc1.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
C:\hp\bin\wbug\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application
C:\WINDOWS\system32\drivers\redbook.sys Win32/Sirefef.DA trojan
D:\I386\APPS\APP18753\src\CompaqPresario_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application
D:\I386\APPS\APP18753\src\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application
--------------------------------------------------
 
Combofix header:
AV: McAfee VirusScan Enterprise *Disabled/Outdated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
* Resident AV is active

Combofix directions:
Before you run the Combofix scan, please disable any security software you have running.
  • Close/disable all anti virus and anti malware programs
    (If you need help with this, please see HERE)
==============================================
Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Files 
    C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\notana.jar-641693ef-3f3e9642.zip 
    C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\xmltree.jar-5fadb05-601a0097.zip 
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\aebplnambrjkghcdefvlt.jar-37a21075-33ffeda6.zip 
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\aebplnambrjkghcdefvlt.jar-57301a0e-4f795fea.zip 
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\bnvfpesjndwvrmlqtynhb.jar-37cad680-3bcfef04.zip 
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\bnvfpesjndwvrmlqtynhb.jar-5d7aa40-53a76b8a.zip 
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\lwfndygmenpkrakbg.jar-70598d08-75fb3020.zip 
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\mqwgtqr.jar-515ba980-4d791f99.zip 
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\pyreeqhlckuglwmsmcwak.jar-1f459b78-231306c0.zip 
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\pyreeqhlckuglwmsmcwak.jar-7fb791df-72201723.zip 
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\undnngwfujadnstqfhnaq.jar-17d1bd16-3e1859d7.zip 
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\undnngwfujadnstqfhnaq.jar-1fa12906-1b8475ac.zip 
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\utsnbn.jar-4fae89dd-62d08bc1.zip 
    C:\hp\bin\wbug\HPPavillion_Spring06.exe 
    C:\WINDOWS\system32\drivers\redbook.sys 
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=======================================
What is the D Drive? Is it the flash drive?
D:\I386\APPS\APP18753\src\CompaqPresario_Spring06.exe
D:\I386\APPS\APP18753\src\HPPavillion_Spring06.exe
=======================================
A driver is infected with the Win32/Sirefef.DA trojan and I'm going to remove it. We will then see if there is a clean copy of it on the system- if there is, I can replace the file.
C:\WINDOWS\system32\drivers\redbook.sys Win32/Sirefef.DA trojan

But you should know what this is for:
c:\windows\system32\drivers\redbook.sys
Description:
According to this MSDN article, "The Redbook system driver (Redbook.sys) is the KS filter that manages the rendering of CD digital audio. The Redbook driver is a client of the SysAudio system driver. The system routes CD digital audio through the file system to the Redbook driver and then to the SysAudio driver. The CD digital audio is rendered on the preferred wave output device (as set in the Multimedia property pages in Control Panel)."

So you may have a sound problem temporarily.
=========================================

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


For 64bit: http://jpshortstuff.247fixes.com/SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    redbook.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
===========================================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
File::
c:\docume~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
DDS::
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uWindow Title = Windows Internet Explorer provided by Yahoo!
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\YspService.exe
mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Reminder"=-
"HP Software Update"=-

Clearjavacache::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
====================
Click on Start> Run> type in msconfig> Enter> Selective Startup> Startup tab> Uncheck ALL HP and Digital Imaging processes> Click on Apply when finished> OK> Reboot the computer.
NOTE:
When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.' Remain in Selective Startup to retain those changes.

Anytime you want to access the printer> Click on File> Print. You will have all the settings available to you.
To access the Digital Imaging> use All Programs. There is no need for any processes related to either to start on boot, then run in the background using system resources.

Install Date: 11/8/2006 >> you had some 6 year old 'reminders to register' I removed.
=======================================
I think you may be able to save the system.
 
D Drive

Hi Bobbye,

The D drive is the restore partition of the hard drive on this HP. If I damage the system restore files, I will not be able to perform a reformat/reinstall of Windows XP. There is not a set of recovery disks that have been made for this machine yet, and HP limits us to making only one set (due to licensing restrictions). Hopefully removing these files will not make the recovery software think that the files are corrupt, but given that they are infected they are not really useful right now anyway.
 
OT Moveit / Systemlook redbook /

I tried to be sure AV was off when scanning with Combofix. I opened the McAfee VirusScan Console and disabled everything (there is no exit option on this version of McAfee). I also disabled all Comodo protection and exited it. Combofix is still listing "*Resident AV is active."

---------------------------------------------
All processes killed
========== FILES ==========
C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\notana.jar-641693ef-3f3e9642.zip moved successfully.
C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\xmltree.jar-5fadb05-601a0097.zip moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\aebplnambrjkghcdefvlt.jar-37a21075-33ffeda6.zip moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\aebplnambrjkghcdefvlt.jar-57301a0e-4f795fea.zip moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\bnvfpesjndwvrmlqtynhb.jar-37cad680-3bcfef04.zip moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\bnvfpesjndwvrmlqtynhb.jar-5d7aa40-53a76b8a.zip moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\lwfndygmenpkrakbg.jar-70598d08-75fb3020.zip moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\mqwgtqr.jar-515ba980-4d791f99.zip moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\pyreeqhlckuglwmsmcwak.jar-1f459b78-231306c0.zip moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\pyreeqhlckuglwmsmcwak.jar-7fb791df-72201723.zip moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\undnngwfujadnstqfhnaq.jar-17d1bd16-3e1859d7.zip moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\undnngwfujadnstqfhnaq.jar-1fa12906-1b8475ac.zip moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\utsnbn.jar-4fae89dd-62d08bc1.zip moved successfully.
C:\hp\bin\wbug\HPPavillion_Spring06.exe moved successfully.
C:\WINDOWS\system32\drivers\redbook.sys moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: HP_Owner
->Temp folder emptied: 900455 bytes
->Temporary Internet Files folder emptied: 366245 bytes
->Java cache emptied: 131705 bytes
->FireFox cache emptied: 19716364 bytes
->Flash cache emptied: 31614 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 9568390 bytes
->Java cache emptied: 34868 bytes
->Flash cache emptied: 36180 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 22134801 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 190031524 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 46949 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 232.00 mb


OTM by OldTimer - Version 3.1.19.0 log created on 04142012_073350

Files moved on Reboot...
C:\Documents and Settings\HP_Owner\Local Settings\Temp\IadHide5.dll moved successfully.

Registry entries deleted on Reboot...
------------------------------------------------------------
SystemLook 30.07.11 by jpshortstuff
Log created at 07:41 on 14/04/2012 by HP_Owner
Administrator - Elevation successful

========== filefind ==========

Searching for "redbook.*"
C:\WINDOWS\$NtServicePackUninstall$\redbook.sys -----c- 57472 bytes [22:00 03/12/2011] [14:59 03/08/2004] B31B4588E4086D8D84ADBF9845C2402B
C:\WINDOWS\ServicePackFiles\i386\redbook.sys ------- 57600 bytes [18:40 13/04/2008] [18:40 13/04/2008] F828DD7E1419B6653894A8F97A0094C5
C:\WINDOWS\system32\dllcache\redbook.sys --a---- 57600 bytes [14:59 03/08/2004] [17:40 13/04/2008] F828DD7E1419B6653894A8F97A0094C5
C:\WINDOWS\system32\drivers\redbook.sys --a---- 57600 bytes [14:59 03/08/2004] [17:40 13/04/2008] F828DD7E1419B6653894A8F97A0094C5
C:\_OTM\MovedFiles\04142012_073350\C_WINDOWS\system32\drivers\redbook.sys --a---- 57600 bytes [14:59 03/08/2004] [18:40 13/04/2008] (Unable to calculate MD5)

-= EOF =-

-----------------------------------
ComboFix 12-04-14.02 - HP_Owner 04/14/2012 7:55.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.380 [GMT -4:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
* Resident AV is active
.
.
FILE ::
"c:\docume~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll"
"c:\program files\HP\Digital Imaging\bin\hpqimzone.exe"
"c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk
c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk
c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk
c:\docume~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\hp\digital imaging\bin\hpqthb08.exe
c:\program files\hp\digital imaging\bin\hpqtra08.exe
c:\program files\hp\hp software update\HPWuSchd2.exe
c:\program files\updates from hp\9972322\program\Updates from HP.exe
c:\program files\yahoo!\search protection\YspService.exe
c:\windows\creator\Remind_XP.exe
c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
.
.
((((((((((((((((((((((((( Files Created from 2012-03-14 to 2012-04-14 )))))))))))))))))))))))))))))))
.
.
2012-04-14 11:33 . 2012-04-14 11:33 -------- d-----w- C:\_OTM
2012-04-13 01:30 . 2012-04-13 01:30 -------- d-----w- c:\program files\ESET
2012-04-11 22:13 . 2012-04-11 22:13 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\Mozilla
2012-04-11 21:14 . 2012-04-11 21:14 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
2012-04-11 21:13 . 2012-04-11 21:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-04-11 21:13 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-11 21:13 . 2012-04-11 21:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-11 21:12 . 2012-04-11 21:12 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-11 21:12 . 2012-04-11 21:12 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-11 21:11 . 2011-12-03 21:22 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-01 11:01 . 2004-08-04 04:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2004-08-04 04:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2004-08-04 04:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2004-08-04 04:00 385024 ----a-w- c:\windows\system32\html.iec
2012-02-03 09:22 . 2004-08-04 04:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-03-13 04:39 . 2012-04-11 21:11 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-04-12_21.38.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-04-14 11:52 . 2012-04-14 11:52 16384 c:\windows\Temp\Perflib_Perfdata_5a4.dat
+ 2004-08-04 04:00 . 2012-03-01 11:01 66560 c:\windows\system32\mshtmled.dll
- 2004-08-04 04:00 . 2011-12-17 19:46 66560 c:\windows\system32\mshtmled.dll
- 2004-08-04 04:00 . 2011-12-17 19:46 25600 c:\windows\system32\jsproxy.dll
+ 2004-08-04 04:00 . 2012-03-01 11:01 25600 c:\windows\system32\jsproxy.dll
+ 2004-08-03 14:59 . 2008-04-13 17:40 57600 c:\windows\system32\drivers\redbook.sys
- 2004-08-03 14:59 . 2008-04-13 18:40 57600 c:\windows\system32\drivers\redbook.sys
+ 2011-02-04 18:58 . 2012-03-01 11:01 12800 c:\windows\system32\dllcache\xpshims.dll
- 2011-02-04 18:58 . 2011-12-17 19:46 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2004-08-03 14:59 . 2008-04-13 17:40 57600 c:\windows\system32\dllcache\redbook.sys
- 2004-08-04 04:00 . 2011-12-17 19:46 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2004-08-04 04:00 . 2012-03-01 11:01 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2011-02-04 18:58 . 2012-03-01 11:01 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2011-02-04 18:58 . 2011-12-17 19:46 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2004-08-04 04:00 . 2012-03-01 11:01 43520 c:\windows\system32\dllcache\licmgr10.dll
- 2004-08-04 04:00 . 2011-12-17 19:46 43520 c:\windows\system32\dllcache\licmgr10.dll
- 2004-08-04 04:00 . 2011-12-17 19:46 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2004-08-04 04:00 . 2012-03-01 11:01 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2012-04-14 11:23 . 2011-12-17 19:46 12800 c:\windows\ie8updates\KB2675157-IE8\xpshims.dll
+ 2012-04-14 11:23 . 2011-12-17 19:46 66560 c:\windows\ie8updates\KB2675157-IE8\mshtmled.dll
+ 2012-04-14 11:23 . 2011-12-17 19:46 55296 c:\windows\ie8updates\KB2675157-IE8\msfeedsbs.dll
+ 2012-04-14 11:23 . 2011-12-17 19:46 43520 c:\windows\ie8updates\KB2675157-IE8\licmgr10.dll
+ 2012-04-14 11:23 . 2011-12-17 19:46 25600 c:\windows\ie8updates\KB2675157-IE8\jsproxy.dll
+ 2012-04-14 11:21 . 2012-04-14 11:21 90112 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_bfc1ed38\System.Drawing.Design.dll
+ 2004-08-04 04:00 . 2012-03-01 11:01 206848 c:\windows\system32\occache.dll
- 2004-08-04 04:00 . 2011-12-17 19:46 206848 c:\windows\system32\occache.dll
- 2004-08-04 04:00 . 2011-12-17 19:46 611840 c:\windows\system32\mstime.dll
+ 2004-08-04 04:00 . 2012-03-01 11:01 611840 c:\windows\system32\mstime.dll
+ 2004-08-04 04:00 . 2012-03-01 11:01 184320 c:\windows\system32\iepeers.dll
- 2004-08-04 04:00 . 2011-12-17 19:46 184320 c:\windows\system32\iepeers.dll
- 2004-08-04 04:00 . 2011-12-17 19:46 387584 c:\windows\system32\iedkcs32.dll
+ 2004-08-04 04:00 . 2012-03-01 11:01 387584 c:\windows\system32\iedkcs32.dll
+ 2004-08-04 04:00 . 2012-02-29 12:17 174080 c:\windows\system32\ie4uinit.exe
- 2004-08-04 04:00 . 2011-12-16 12:23 174080 c:\windows\system32\ie4uinit.exe
+ 2009-12-24 06:59 . 2012-02-29 14:10 177664 c:\windows\system32\dllcache\wintrust.dll
- 2009-12-24 06:59 . 2009-12-24 06:59 177664 c:\windows\system32\dllcache\wintrust.dll
+ 2004-08-04 04:00 . 2012-03-01 11:01 916992 c:\windows\system32\dllcache\wininet.dll
- 2004-08-04 04:00 . 2011-12-17 19:46 916992 c:\windows\system32\dllcache\wininet.dll
- 2004-08-04 04:00 . 2011-12-17 19:46 105984 c:\windows\system32\dllcache\url.dll
+ 2004-08-04 04:00 . 2012-03-01 11:01 105984 c:\windows\system32\dllcache\url.dll
- 2004-08-04 04:00 . 2011-12-17 19:46 206848 c:\windows\system32\dllcache\occache.dll
+ 2004-08-04 04:00 . 2012-03-01 11:01 206848 c:\windows\system32\dllcache\occache.dll
+ 2004-08-04 04:00 . 2012-03-01 11:01 611840 c:\windows\system32\dllcache\mstime.dll
- 2004-08-04 04:00 . 2011-12-17 19:46 611840 c:\windows\system32\dllcache\mstime.dll
+ 2011-02-04 18:58 . 2012-03-01 11:01 602112 c:\windows\system32\dllcache\msfeeds.dll
- 2011-02-04 18:58 . 2011-12-17 19:46 602112 c:\windows\system32\dllcache\msfeeds.dll
+ 2012-02-29 14:10 . 2012-02-29 14:10 148480 c:\windows\system32\dllcache\imagehlp.dll
- 2011-02-04 18:58 . 2011-12-17 19:46 247808 c:\windows\system32\dllcache\ieproxy.dll
+ 2011-02-04 18:58 . 2012-03-01 11:01 247808 c:\windows\system32\dllcache\ieproxy.dll
+ 2004-08-04 04:00 . 2012-03-01 11:01 184320 c:\windows\system32\dllcache\iepeers.dll
- 2004-08-04 04:00 . 2011-12-17 19:46 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2011-02-04 18:58 . 2012-03-01 11:01 743424 c:\windows\system32\dllcache\iedvtool.dll
- 2011-02-04 18:58 . 2011-12-17 19:46 743424 c:\windows\system32\dllcache\iedvtool.dll
+ 2004-08-04 04:00 . 2012-03-01 11:01 387584 c:\windows\system32\dllcache\iedkcs32.dll
- 2004-08-04 04:00 . 2011-12-17 19:46 387584 c:\windows\system32\dllcache\iedkcs32.dll
- 2004-08-04 04:00 . 2011-12-16 12:23 174080 c:\windows\system32\dllcache\ie4uinit.exe
+ 2004-08-04 04:00 . 2012-02-29 12:17 174080 c:\windows\system32\dllcache\ie4uinit.exe
+ 2012-01-27 21:35 . 2012-01-27 21:35 471040 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Drawing.dll
+ 2012-04-14 11:23 . 2011-12-17 19:46 916992 c:\windows\ie8updates\KB2675157-IE8\wininet.dll
+ 2012-04-14 11:23 . 2011-12-17 19:46 105984 c:\windows\ie8updates\KB2675157-IE8\url.dll
+ 2012-04-14 11:23 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2675157-IE8\spuninst\updspapi.dll
+ 2012-04-14 11:23 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2675157-IE8\spuninst\spuninst.exe
+ 2012-04-14 11:23 . 2011-12-17 19:46 206848 c:\windows\ie8updates\KB2675157-IE8\occache.dll
+ 2012-04-14 11:23 . 2011-12-17 19:46 611840 c:\windows\ie8updates\KB2675157-IE8\mstime.dll
+ 2012-04-14 11:23 . 2011-12-17 19:46 602112 c:\windows\ie8updates\KB2675157-IE8\msfeeds.dll
+ 2012-04-14 11:23 . 2011-12-17 19:46 247808 c:\windows\ie8updates\KB2675157-IE8\ieproxy.dll
+ 2012-04-14 11:23 . 2011-12-17 19:46 184320 c:\windows\ie8updates\KB2675157-IE8\iepeers.dll
+ 2012-04-14 11:23 . 2011-12-17 19:46 743424 c:\windows\ie8updates\KB2675157-IE8\iedvtool.dll
+ 2012-04-14 11:23 . 2011-12-17 19:46 387584 c:\windows\ie8updates\KB2675157-IE8\iedkcs32.dll
+ 2012-04-14 11:23 . 2011-12-16 12:23 174080 c:\windows\ie8updates\KB2675157-IE8\ie4uinit.exe
+ 2006-10-13 17:09 . 2006-10-13 17:09 466944 c:\windows\assembly\temp\YNKT4AK5PV\System.Drawing.dll
+ 2012-04-14 11:22 . 2012-04-14 11:22 843776 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_64a403b5\System.Drawing.dll
+ 2012-04-14 11:22 . 2012-04-14 11:22 192512 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_e916a5a2\System.Drawing.Design.dll
+ 2012-04-14 11:21 . 2012-04-14 11:21 471040 c:\windows\assembly\GAC\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2004-08-04 04:00 . 2012-03-01 11:01 1212416 c:\windows\system32\dllcache\urlmon.dll
- 2004-08-04 04:00 . 2011-12-17 19:46 1212416 c:\windows\system32\dllcache\urlmon.dll
+ 2004-08-04 04:00 . 2012-03-01 11:01 5978624 c:\windows\system32\dllcache\mshtml.dll
+ 2011-02-04 18:58 . 2012-03-01 11:01 2000384 c:\windows\system32\dllcache\iertutil.dll
- 2011-02-04 18:58 . 2011-12-17 19:46 2000384 c:\windows\system32\dllcache\iertutil.dll
+ 2012-01-31 08:46 . 2012-01-31 08:46 6385664 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M2656370\M2656370Uninstall.msp
+ 2012-01-31 00:46 . 2012-01-31 00:46 7069184 c:\windows\Installer\747b288.msp
+ 2012-04-14 11:23 . 2011-12-17 19:46 1212416 c:\windows\ie8updates\KB2675157-IE8\urlmon.dll
+ 2012-04-14 11:23 . 2011-12-17 19:46 5979136 c:\windows\ie8updates\KB2675157-IE8\mshtml.dll
+ 2012-04-14 11:23 . 2011-12-17 19:46 2000384 c:\windows\ie8updates\KB2675157-IE8\iertutil.dll
+ 2012-04-14 11:22 . 2012-04-14 11:22 3035136 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_de00d7d7\System.Windows.Forms.dll
+ 2012-04-14 11:22 . 2012-04-14 11:22 7917568 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_3e48104e\System.Windows.Forms.dll
+ 2012-04-14 11:22 . 2012-04-14 11:22 2248704 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_b6a48c8e\System.Drawing.dll
+ 2012-04-14 11:22 . 2012-04-14 11:22 3395584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_aeee9029\System.Design.dll
+ 2012-04-14 11:22 . 2012-04-14 11:22 1470464 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_3563aff9\System.Design.dll
+ 2011-02-04 18:59 . 2012-04-13 21:09 55154568 c:\windows\system32\MRT.exe
+ 2011-02-04 18:58 . 2012-03-02 10:01 11082752 c:\windows\system32\dllcache\ieframe.dll
+ 2012-04-14 11:23 . 2011-12-18 19:46 11082240 c:\windows\ie8updates\KB2675157-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 16239616]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 2061816]
"BtcMaestro"="c:\program files\HP USB Multimedia Keyboard\KMaestro.exe" [2007-08-30 344064]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-10-20 2497352]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-07-15 34880]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-10-13 27136]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [10/7/2011 7:48 PM 492768]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [10/7/2011 7:48 PM 31704]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/11/2012 5:11 PM 253600]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
CTSYN
mps9
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-11 21:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearchAssistant =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\b8jqba6g.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-14 08:05
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(688)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'csrss.exe'(600)
c:\windows\system32\cmdcsr.dll
.
Completion time: 2012-04-14 08:08:02
ComboFix-quarantined-files.txt 2012-04-14 12:07
ComboFix2.txt 2012-04-12 21:45
.
Pre-Run: 136,986,664,960 bytes free
Post-Run: 136,982,847,488 bytes free
.
- - End Of File - - B6A815CA129C118715138579C0F6E2F7
 
Yes, nice isn't it! Please do the following to replace the infected driver. Then give me an update on how the system is doing.

Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
File::
FileLook::
c:\windows\system32\cmdcsr.dll

Clearjavacache::

FCopy::
C:\WINDOWS\ServicePackFiles\i386\redbook.sys | C:\WINDOWS\system32\drivers\redbook.sys
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
====================
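The FCopy step above restores redbook.sys from the Service Pack reference copy. As an added example (not code from SystemLook, OTM or ComboFix), this Python script parses a SystemLook filefind listing in the format posted earlier in the thread and reports which copies of the driver diverge from that reference, treating a copy whose hash could not be read as unverifiable rather than clean. The sample listing is constructed: the paths, sizes and reference hashes follow the thread's output, but the hash on the system32\drivers line is made up so that a divergent copy is shown.

```python
"""Compare the copies of one driver that SystemLook's "filefind" section lists
against the Windows XP Service Pack reference copy (the source ComboFix's
FCopy directive restores from).

Added example for this thread; not code from SystemLook, OTM or ComboFix.
Expected line format (as SystemLook prints it):
  <path> <attrs> <size> bytes [<mtime>] [<ctime>] <MD5 | (Unable to calculate MD5)>
"""
import re
from typing import Dict, List, NamedTuple, Optional

# Assumption: the reference copy is the one whose path contains this fragment.
REFERENCE_DIR = "\\servicepackfiles\\i386\\"

LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"            # drive-letter path
    r"(?P<attrs>[-A-Za-z]{7})\s+"              # attribute flags, e.g. --a----
    r"(?P<size>\d+) bytes\s+"
    r"\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32}|\(Unable to calculate MD5\))\s*$"
)

# Constructed sample in the thread's format. Paths, sizes and the reference
# hashes follow the SystemLook output posted in the thread; the hash on the
# system32\drivers line is made up so that a divergent copy appears.
SAMPLE_FILEFIND = r"""
========== filefind ==========

Searching for "redbook.*"
C:\WINDOWS\$NtServicePackUninstall$\redbook.sys -----c- 57472 bytes [22:00 03/12/2011] [14:59 03/08/2004] B31B4588E4086D8D84ADBF9845C2402B
C:\WINDOWS\ServicePackFiles\i386\redbook.sys ------- 57600 bytes [18:40 13/04/2008] [18:40 13/04/2008] F828DD7E1419B6653894A8F97A0094C5
C:\WINDOWS\system32\dllcache\redbook.sys --a---- 57600 bytes [14:59 03/08/2004] [17:40 13/04/2008] F828DD7E1419B6653894A8F97A0094C5
C:\WINDOWS\system32\drivers\redbook.sys --a---- 57600 bytes [14:59 03/08/2004] [17:40 13/04/2008] 00112233445566778899AABBCCDDEEFF
C:\_OTM\MovedFiles\04142012_073350\C_WINDOWS\system32\drivers\redbook.sys --a---- 57600 bytes [14:59 03/08/2004] [18:40 13/04/2008] (Unable to calculate MD5)

-= EOF =-
"""


class Copy(NamedTuple):
    path: str
    size: int
    md5: Optional[str]  # None when SystemLook could not hash the file


def parse_filefind(text: str) -> List[Copy]:
    """Return one Copy per result line; headers and blank lines are skipped."""
    copies: List[Copy] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        md5 = m.group("md5")
        copies.append(Copy(
            path=m.group("path"),
            size=int(m.group("size")),
            md5=None if md5.startswith("(") else md5.upper(),
        ))
    return copies


def classify_copies(copies: List[Copy]) -> Dict[str, str]:
    """Label every copy relative to the ServicePackFiles reference copy.

    reference     the ServicePackFiles copy itself
    match         same size and MD5 as the reference
    MISMATCH      differs from the reference (an older backup, or a modified file)
    UNVERIFIABLE  the tool could not hash it, so it must not be assumed clean
    no-reference  no ServicePackFiles copy was listed; nothing to compare against
    """
    ref = next((c for c in copies if REFERENCE_DIR in c.path.lower()), None)
    labels: Dict[str, str] = {}
    for c in copies:
        if ref is None:
            labels[c.path] = "no-reference"
        elif c.path == ref.path:
            labels[c.path] = "reference"
        elif c.md5 is None:
            labels[c.path] = "UNVERIFIABLE"
        elif c.md5 == ref.md5 and c.size == ref.size:
            labels[c.path] = "match"
        else:
            labels[c.path] = "MISMATCH"
    return labels


if __name__ == "__main__":
    for path, label in classify_copies(parse_filefind(SAMPLE_FILEFIND)).items():
        print(f"{label:13} {path}")
```

A MISMATCH under $NtServicePackUninstall$ is the pre-Service-Pack backup and is expected; the result to act on is a MISMATCH or UNVERIFIABLE copy under system32\drivers.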
 
When I run ComboFix I am still getting the following messages:
"You are infected with Rootkit.ZeroAccess! It has inserted itself into the tcp/ip stack. This is a particularly difficult infection..."
"Rootkit is detected Be patient as this may take a while."
"Combofix has detected the presence of rootkit activity and needs to reboot the machine"

I have gotten these three messages every time I run ComboFix. This leads me to believe that whatever rootkit is infecting this machine keeps coming back after the scans.

I will post the ComboFix log from the infected machine in a few minutes when it completes running.
 
Hi Bobbye,

Here is the ComboFix log. I disabled all of McAfee's features, but ComboFix detected the AV engine as active. When this happened I opened the task manager and manually ended the McAfee processes. This version of McAfee is miserable to try and shut down. I'm thinking after I'm done cleaning or reformatting, McAfee is going to go away and Avast is going to be used instead. Anyhow, here's the log.
----------------------------------------------------------------------------------------
ComboFix 12-04-14.02 - HP_Owner 04/15/2012 21:55:47.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.528 [GMT -4:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\ServicePackFiles\i386\redbook.sys --> c:\windows\system32\drivers\redbook.sys
.
((((((((((((((((((((((((( Files Created from 2012-03-16 to 2012-04-16 )))))))))))))))))))))))))))))))
.
.
2012-04-14 11:33 . 2012-04-14 11:33 -------- d-----w- C:\_OTM
2012-04-13 01:30 . 2012-04-13 01:30 -------- d-----w- c:\program files\ESET
2012-04-11 22:13 . 2012-04-11 22:13 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\Mozilla
2012-04-11 21:14 . 2012-04-11 21:14 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
2012-04-11 21:13 . 2012-04-11 21:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-04-11 21:13 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-11 21:13 . 2012-04-11 21:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-11 21:12 . 2012-04-11 21:12 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-11 21:12 . 2012-04-11 21:12 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-11 21:11 . 2011-12-03 21:22 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-01 11:01 . 2004-08-04 04:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2004-08-04 04:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2004-08-04 04:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2004-08-04 04:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2004-08-04 04:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2004-08-04 04:00 385024 ----a-w- c:\windows\system32\html.iec
2012-02-03 09:22 . 2004-08-04 04:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-03-13 04:39 . 2012-04-11 21:11 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--- c:\windows\system32\cmdcsr.dll ---
Company: COMODO
File Description: COMODO Internet Security
File Version: 5, 8, 211697, 2124
Product Name: COMODO Internet Security
Copyright: 2005-2012 COMODO. All rights reserved.
Original Filename:
File size: 33984
Created time: 2011-10-07 23:47
Modified time: 2011-10-07 23:47
MD5: 1B3DD3F0EBC1B4220EB39EBE205FB445
SHA1: 0965F8AA8637E6F4C7F0686681E5E1D14C9AD0BF
.
.
((((((((((((((((((((((((((((( SnapShot_2012-04-14_12.05.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-04-16 01:53 . 2012-04-16 01:53 16384 c:\windows\Temp\Perflib_Perfdata_5a0.dat
- 2009-03-08 09:31 . 2011-12-17 19:46 55296 c:\windows\system32\msfeedsbs.dll
+ 2009-03-08 09:31 . 2012-03-01 11:01 55296 c:\windows\system32\msfeedsbs.dll
- 2004-08-03 14:59 . 2008-04-13 17:40 57600 c:\windows\system32\dllcache\redbook.sys
+ 2004-08-03 14:59 . 2008-04-13 18:40 57600 c:\windows\system32\dllcache\redbook.sys
- 2004-08-04 04:00 . 2011-12-17 19:46 105984 c:\windows\system32\url.dll
+ 2004-08-04 04:00 . 2012-03-01 11:01 105984 c:\windows\system32\url.dll
+ 2009-03-08 09:32 . 2012-03-01 11:01 602112 c:\windows\system32\msfeeds.dll
- 2009-03-08 09:32 . 2011-12-17 19:46 602112 c:\windows\system32\msfeeds.dll
- 2004-08-04 04:00 . 2011-12-17 19:46 1212416 c:\windows\system32\urlmon.dll
+ 2004-08-04 04:00 . 2012-03-01 11:01 1212416 c:\windows\system32\urlmon.dll
+ 2004-08-04 04:00 . 2012-03-01 11:01 5978624 c:\windows\system32\mshtml.dll
- 2009-03-08 09:32 . 2011-12-17 19:46 2000384 c:\windows\system32\iertutil.dll
+ 2009-03-08 09:32 . 2012-03-01 11:01 2000384 c:\windows\system32\iertutil.dll
+ 2009-03-08 09:39 . 2012-03-02 10:01 11082752 c:\windows\system32\ieframe.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 16239616]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"BtcMaestro"="c:\program files\HP USB Multimedia Keyboard\KMaestro.exe" [2007-08-30 344064]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-10-20 2497352]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-07-15 34880]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-10-13 27136]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
2007-05-11 20:20 2061816 ----a-w- c:\program files\Verizon\VSP\VerizonServicepoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
2010-03-17 20:55 1565696 ----a-w- c:\program files\Verizon\McciTrayApp.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [10/7/2011 7:48 PM 492768]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [10/7/2011 7:48 PM 31704]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/11/2012 5:11 PM 253600]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
CTSYN
mps9
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-11 21:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearchAssistant =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\b8jqba6g.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-15 22:05
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(696)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'csrss.exe'(608)
c:\windows\system32\cmdcsr.dll
.
Completion time: 2012-04-15 22:07:57
ComboFix-quarantined-files.txt 2012-04-16 02:07
ComboFix2.txt 2012-04-14 12:08
ComboFix3.txt 2012-04-12 21:45
.
Pre-Run: 137,005,117,440 bytes free
Post-Run: 136,900,648,960 bytes free
.
- - End Of File - - E4D000B654C9D0925A873C4249FC7491
 
The system is no longer redirecting when browsing the internet. This is a big improvement.

I am concerned about the infected files that turned up on the D:/ drive as this is the HP recovery partition. Should we run ESET again to see if those files turn up clean now? I would like to make a set of recovery disks for this machine, in the event that something like this happens again.
 
You'll find an excellent discussion about what to and not to do for the Recovery Partition here:
http://ask-leo.com/can_a_recovery_partition_be_infected.html

Check in our Windows OS forum here to set up the external disc:
https://www.techspot.com/community/forums/windows-os.15/
=================================================
Unless you were working in the Recovery Partition, I don't know how the following happened to show up in Eset:
D:\I386\APPS\APP18753\src\CompaqPresario_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application
D:\I386\APPS\APP18753\src\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application.

However, these entries are "only" for the MyWebToolbar/MyWebSearch and should you have to use the D Drive to restore, these could easily be deleted then.
=================================================
Please update Java: Java Updates. Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.

Be sure to check all download screens for any pre-checked toolbars or BHO; if found, remove the check before the download.
-------------------------------------------------
To clear the Java Plug-in cache:

  • [1]. Click Start > Control Panel.
  • [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
  • [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
  • [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
  • [5]. Click OK on the Delete Temporary Files window.
    Note: This deletes all the Downloaded Applications and Applets from the cache.
  • [6]. Click Apply > OK on the Temporary Files Settings window.
Images courtesy java.com
=======================================
Reboot the computer.
=======================================
MCAFEE ANTIVIRUS
Please navigate to the system tray on the bottom right hand corner and look for the McAfee sign.
  • Right-click it -> choose "Exit."
  • A popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.

Update and run a new Eset scan
 
- Uninstalled old version of Java, cleared Java cache and installed the latest version.
- Looks like the two files on the D: drive are from the manufacturer (HP). Some digging online seemed to indicate this.

ESET log:
----------------------------------------------
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP145\A0030746.sys Win32/Sirefef.DA trojan
C:\_OTM\MovedFiles\04142012_073350\C_Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\notana.jar-641693ef-3f3e9642.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
C:\_OTM\MovedFiles\04142012_073350\C_Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\xmltree.jar-5fadb05-601a0097.zip multiple threats
C:\_OTM\MovedFiles\04142012_073350\C_Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\aebplnambrjkghcdefvlt.jar-37a21075-33ffeda6.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
C:\_OTM\MovedFiles\04142012_073350\C_Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\aebplnambrjkghcdefvlt.jar-57301a0e-4f795fea.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
C:\_OTM\MovedFiles\04142012_073350\C_Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\bnvfpesjndwvrmlqtynhb.jar-37cad680-3bcfef04.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
C:\_OTM\MovedFiles\04142012_073350\C_Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\bnvfpesjndwvrmlqtynhb.jar-5d7aa40-53a76b8a.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
C:\_OTM\MovedFiles\04142012_073350\C_Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\lwfndygmenpkrakbg.jar-70598d08-75fb3020.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
C:\_OTM\MovedFiles\04142012_073350\C_Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\mqwgtqr.jar-515ba980-4d791f99.zip Java/Exploit.CVE-2011-3544.AG trojan
C:\_OTM\MovedFiles\04142012_073350\C_Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\pyreeqhlckuglwmsmcwak.jar-1f459b78-231306c0.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
C:\_OTM\MovedFiles\04142012_073350\C_Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\pyreeqhlckuglwmsmcwak.jar-7fb791df-72201723.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
C:\_OTM\MovedFiles\04142012_073350\C_Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\undnngwfujadnstqfhnaq.jar-17d1bd16-3e1859d7.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
C:\_OTM\MovedFiles\04142012_073350\C_Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\undnngwfujadnstqfhnaq.jar-1fa12906-1b8475ac.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
C:\_OTM\MovedFiles\04142012_073350\C_Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\utsnbn.jar-4fae89dd-62d08bc1.zip a variant of Java/TrojanDownloader.Agent.NDJ trojan
C:\_OTM\MovedFiles\04142012_073350\C_hp\bin\wbug\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application
D:\I386\APPS\APP18753\src\CompaqPresario_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application
D:\I386\APPS\APP18753\src\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application
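A small triage helper for ESET log lines in the shape of the ones above, added here as an example; it is not part of the thread and not ESET's own tooling. The sample lines are constructed from the log above, and the location labels (restore point, OTM quarantine, recovery partition) are my own, chosen because where a hit sits decides which clean-up step in this thread deals with it.

```python
import re

# Constructed sample: four lines copied in the shape of the ESET log above.
SAMPLE_LOG = """\
C:\\System Volume Information\\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\\RP145\\A0030746.sys Win32/Sirefef.DA trojan
C:\\_OTM\\MovedFiles\\04142012_073350\\C_Documents and Settings\\NetworkService\\Application Data\\Sun\\Java\\Deployment\\cache\\javapi\\v1.0\\jar\\mqwgtqr.jar-515ba980-4d791f99.zip Java/Exploit.CVE-2011-3544.AG trojan
C:\\_OTM\\MovedFiles\\04142012_073350\\C_Documents and Settings\\HP_Owner\\Application Data\\Sun\\Java\\Deployment\\cache\\javapi\\v1.0\\jar\\xmltree.jar-5fadb05-601a0097.zip multiple threats
D:\\I386\\APPS\\APP18753\\src\\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application
"""
# ESET writes "<path> [a variant of] <signature> <category>" or "<path> multiple threats";
# paths contain spaces, so the tail is anchored at end of line and the path is lazy.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?:(?:a variant of\s+)?(?P<sig>\S+)\s+(?:trojan|application)"
    r"|multiple threats)$"
)

def classify_location(path):
    """Where the file sits decides the follow-up the thread recommends."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"       # removed by the System Restore clean-up step
    if p.startswith("c:\\_otm\\movedfiles"):
        return "quarantine"          # already moved aside by OTM; goes with tool removal
    if p.startswith("d:\\"):
        return "recovery_partition"  # HP recovery image: judgement call, not auto-delete
    return "live"                    # still in place on the system

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None                  # banner or blank line, not a detection
    path, sig = m.group("path"), m.group("sig") or "multiple threats"
    return {
        "path": path,
        "signature": sig,
        "location": classify_location(path),
        "java_cache": "\\sun\\java\\deployment\\cache\\" in path.lower(),
        "exploit": sig.startswith("Java/Exploit.") or "CVE-" in sig,
    }

def triage(log_text):
    return [r for r in (parse_line(l) for l in log_text.splitlines()) if r]

def summarize(records):
    """Detections per location plus exploit signatures seen (the likely entry vector)."""
    counts = {}
    for r in records:
        counts[r["location"]] = counts.get(r["location"], 0) + 1
    return counts, sorted({r["signature"] for r in records if r["exploit"]})
```

Running `summarize(triage(SAMPLE_LOG))` on the sample separates the one live restore-point hit and the two recovery-partition toolbar files from the quarantined Java cache, and surfaces the Java exploit signature that points at the outdated Java plug-in as the entry vector.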
 
I wouldn't worry about those 2 files in the HP Recovery partition. If you ever have to use it, you can delete the MWS Toolbar then.

I noticed in the heading showing McAfee Enterprise that it is showing 'outdated'. If that was happening because of the malware, be sure you update to bring it current.

Are there any remaining problems? How is the system doing now?
 
The machine seems much faster and no longer redirecting to websites as I mentioned before.

Not sure why McAfee is showing as out of date. I updated it before running Eset, to make sure it was still functioning. I will try and update it again.

Should we delete the files that OTM moved?
 
Hi Bobbey,

I am waiting for your response indicating if the machine is clean or any further steps before I proceed with performing updates, backups and creation of the system restore disks.
 
So sorry for delay!
There is just one process I'd like you to remove. It's for BackWeb AutoUpdater. It is running and shows as:

c:\docume~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll
Some companies add this process in the program download but they don't ask permission and usually don't ask if you want it. This makes it "Foistware".

From Cexx.org:
Backweb is a generic, background downloading tool that software vendors can incorporate into their product to download data (e.g. product updates) to the user's PC. Its operation depends on the instructions given to it by the individual software vendor who bundles it. While this software has been neither exonerated nor convicted of malice, some aspects of its installation and operation appear suspect. Additionally, some users have associated it with the appearance of unwanted advertising windows.

Western Data Digital, Logitech Mouse driver and Kodak Easyshare are some of the software using it. None of the programs need this to function:
Use Windows Explorer to > Locate Iadhide3.dll and delete it.
Remove the entry from the StartUp folder.
=========================================================
Your system is clean! You can now remove the tools we used:

Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
-----
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
------------------------------------------
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disc Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Empty the Recycle Bin
 
Thanks for all the help Bobbye. Seems like the machine is all cleaned up. I believe the source of the infection was the outdated version of Java.

I have run full program and windows updates on the machine and removed all the default junk that HP loads the machine up with from the factory. I have also created system restore disks and plan to make an attempt at imaging the current hard drive.

The machine is now set up as a limited user with a separate administrator account. I installed WOT in the web browsers to help minimize the risk of web based infection.
 
You're very welcome! Good job setting the UAC and System Restore. I'll leave a few more suggestions.

You may find the following helpful: (Links are Bold Blue)
Tips for added security and safer browsing:
  1. Browser Security
    [o] Make Internet Explorer safer: http://www.bleepingcomputer.com/tutorials/tutorial102.htm
    [o] Use a Site Advisor.
    Have layered Security:
  2. Antivirus Software(only one):
    [o]Microsoft Security Essentials
    [o]Comodo AV
    [o]Avast! Free Antivirus
    =============================
  3. Firewall (only one)
    [o] Zone Alarm Free
    [o]Comodo Firewall Free
  4. Antispyware/Security: I recommend all of the following:
    [o]Spywareblaster:Protects against bad ActiveX.
    [o]IE/Spyad Restricts bad domains.
    [o]MVPS Hosts files Directs HOSTS file to 127.0.0.1 which is your local computer.
    [o]Google Toolbar Popup Stopper
  5. Stay current on updates:
    [o] Windows Updates. You should get All updates marked Critical and the current SP updates.
    [o] Adobe Reader. Uninstall old.
    [o]Java Uninstall old.
  6. Reset Cookies to prevent Tracking Cookies:
    [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
    [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
    I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List
    [o]For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    (First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)
  7. Do regular Maintenance
    [o] To include Disc Cleanup, Defrag, Error Check.
  8. Remove Temporary Internet Files regularly:
    [o]TFC
  9. System Restore Guide: Understand Restore Points, why you need to clean and set restore points and what information is in them.
  10. Practice Safe Email Handling
    [o] Don't open email from anyone you don't know.
    [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click
    [o] Don't leave your personal email address on the internet. Have a separate email account on free web-based mail.
Please let me know if you find any bad links.

Edit: BTW, I thought of you last night. The H2HD channel had the most awesome program going through Star Wars, telling how it related to Mythology and to present day. Keep an eye out for it if your user name means interest in Star Wars.
 