Inactive UnHackMe Root Kit can't kick Control_RUNDLL RootKit

radarrider

Have an HP laptop that I restored to factory original from the second partition AFTER it was jacked. I installed updated virus scanners on a desktop and cleaned the laptop drive. Seemed to work, but it had too many files damaged, so I did an HP factory recovery from the D: partition. Installed Panda, ThreatFire and AVG Internet Security. Still having the same problems with very slow boots, security errors and lock-ups. It will not create a restore point. The original infection removed all the restore points. Seems to work okay in safe mode with networking.

UnHackMe finds control_RunDll and some other files, and I tell it to delete them. They aren't found on the reboot, and UnHackMe usually locks up. If I cancel out of UnHackMe, the PC will usually come on up.

Vista 32-bit, 4 GB.
Followed steps. Here are the logs:

MalwareBytes:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5937

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19019

3/2/2011 4:32:53 PM
mbam-log-2011-03-02 (16-32-53).txt

Scan type: Quick scan
Objects scanned: 158163
Time elapsed: 5 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER log

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-03-02 15:39:43
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.0002
Running: 053xeihi.exe; Driver: C:\Users\Dave\AppData\Local\Temp\uxryipod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\tdx \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


Attach.txt:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 2/26/2011 1:00:56 PM
System Uptime: 3/2/2011 3:40:33 PM (3 hours ago)

Motherboard: Quanta | | 361B
Processor: Intel(R) Core(TM)2 Duo CPU P8600 @ 2.40GHz | CPU | 2401/1066mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 457 GiB total, 338.537 GiB free.
D: is FIXED (NTFS) - 9 GiB total, 1.56 GiB free.
E: is CDROM ()
F: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

7-Zip 4.65
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe Shockwave Player
AVG 2011
Cards_Calendar_OrderGift_DoMorePlugout
CyberLink DVD Suite
CyberLink YouCam
DigitalPersona Personal 4.11
doPDF 6.2 printer
ESU for Microsoft Vista
Hewlett-Packard Active Check for Health Check
Hewlett-Packard Asset Agent for Health Check
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Customer Experience Enhancements
HP Doc Viewer
HP Help and Support
HP Integrated Module with Bluetooth wireless technology 6.0.1.6204
HP MediaSmart DVD
HP MediaSmart Music/Photo/Video
HP MediaSmart SmartMenu
HP MediaSmart TV
HP Photosmart Essential 2.5
HP Photosmart Essential 3.0
HP Quick Launch Buttons 6.40 H2
HP Smart Web Printing
HP Total Care Advisor
HP Update
HP User Guides 0115
HP Wireless Assistant
HPNetworkAssistant
HPPhotoSmartPhotobookWebPack1
HPTCSSetup
IDT Audio
Intel® Matrix Storage Manager
Java Auto Updater
Java(TM) 6 Update 24
Java(TM) 6 Update 6
JMicron JMB38X Flash Media Controller
LabelPrint
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.14)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
muvee autoProducer 6.1
NVIDIA Drivers
Panda Cloud Antivirus
Panda Identity Protect 3.0.44
Panda Security Toolbar
Panda Security URL Filtering
PhotoNow!
Power2Go
PowerDirector
ProtectSmart Hard Drive Protection
PSSWCORE
QuickPlay SlingPlayer 0.4.6
Realtek 8169 8168 8101E 8102E Ethernet Driver
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Slingbox Flash Tour
SlingPlayer
Synaptics Pointing Device Driver
ThreatFire
UnHackMe 5.99 release
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Validity Sensors software
VideoToolkit01
VLC media player 1.1.7
Windows Driver Package - ENE (enecir) HIDClass (04/29/2008 2.5.0.0)
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

3/2/2011 3:36:31 PM, Error: disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.
3/2/2011 2:51:49 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
3/2/2011 2:50:34 PM, Error: EventLog [6008] - The previous system shutdown at 2:42:16 PM on 3/2/2011 was unexpected.
3/2/2011 2:50:09 PM, Error: volsnap [27] - The shadow copies of volume C: were aborted during detection because a critical control file could not be opened.
3/2/2011 2:46:38 PM, Error: volsnap [14] - The shadow copies of volume C: were aborted because of an IO failure on volume C:.
3/2/2011 2:40:25 PM, Error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
3/2/2011 12:39:26 PM, Error: EventLog [6008] - The previous system shutdown at 12:09:14 PM on 3/2/2011 was unexpected.
3/2/2011 12:04:35 PM, Error: EventLog [6008] - The previous system shutdown at 11:37:09 AM on 3/2/2011 was unexpected.
3/2/2011 11:21:12 AM, Error: EventLog [6008] - The previous system shutdown at 11:15:29 AM on 3/2/2011 was unexpected.
3/1/2011 9:36:41 AM, Error: EventLog [6008] - The previous system shutdown at 8:36:19 AM on 3/1/2011 was unexpected.
3/1/2011 8:50:39 PM, Error: EventLog [6008] - The previous system shutdown at 7:53:12 PM on 3/1/2011 was unexpected.
3/1/2011 7:51:15 PM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
3/1/2011 7:51:15 PM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolume1.
3/1/2011 7:47:26 PM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
3/1/2011 7:46:44 PM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).
3/1/2011 7:45:27 PM, Error: EventLog [6008] - The previous system shutdown at 10:23:28 AM on 3/1/2011 was unexpected.
3/1/2011 7:31:39 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Eventlog service.
3/1/2011 7:26:09 AM, Error: Service Control Manager [7034] - The Program Compatibility Assistant Service service terminated unexpectedly. It has done this 16 time(s).
3/1/2011 7:26:09 AM, Error: Service Control Manager [7034] - The Network Connections service terminated unexpectedly. It has done this 14 time(s).
3/1/2011 7:26:09 AM, Error: Service Control Manager [7031] - The WLAN AutoConfig service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
3/1/2011 7:26:09 AM, Error: Service Control Manager [7031] - The Windows Audio Endpoint Builder service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
3/1/2011 7:26:04 AM, Error: Service Control Manager [7034] - The KtmRm for Distributed Transaction Coordinator service terminated unexpectedly. It has done this 3 time(s).
3/1/2011 7:26:04 AM, Error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 3 time(s).
3/1/2011 7:26:04 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 6 time(s).
3/1/2011 7:22:54 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the PlugPlay service.
3/1/2011 10:07:33 AM, Error: EventLog [6008] - The previous system shutdown at 9:44:25 AM on 3/1/2011 was unexpected.
2/28/2011 11:58:32 PM, Error: Service Control Manager [7034] - The Windows Firewall service terminated unexpectedly. It has done this 3 time(s).
2/28/2011 11:58:32 PM, Error: Service Control Manager [7034] - The Diagnostic Policy Service service terminated unexpectedly. It has done this 3 time(s).
2/28/2011 11:58:32 PM, Error: Service Control Manager [7034] - The Base Filtering Engine service terminated unexpectedly. It has done this 3 time(s).
2/28/2011 11:57:48 PM, Error: Service Control Manager [7034] - The Program Compatibility Assistant Service service terminated unexpectedly. It has done this 15 time(s).
2/28/2011 11:57:48 PM, Error: Service Control Manager [7034] - The Network Connections service terminated unexpectedly. It has done this 13 time(s).
2/28/2011 11:57:48 PM, Error: Service Control Manager [7034] - The Diagnostic System Host service terminated unexpectedly. It has done this 7 time(s).
2/28/2011 11:56:35 PM, Error: Service Control Manager [7034] - The Program Compatibility Assistant Service service terminated unexpectedly. It has done this 14 time(s).
2/28/2011 11:56:35 PM, Error: Service Control Manager [7034] - The Network Connections service terminated unexpectedly. It has done this 12 time(s).
2/28/2011 11:56:14 PM, Error: Service Control Manager [7034] - The Program Compatibility Assistant Service service terminated unexpectedly. It has done this 13 time(s).
2/28/2011 11:54:55 PM, Error: Service Control Manager [7034] - The Program Compatibility Assistant Service service terminated unexpectedly. It has done this 12 time(s).
2/28/2011 11:54:55 PM, Error: Service Control Manager [7034] - The Network Connections service terminated unexpectedly. It has done this 11 time(s).
2/28/2011 11:54:55 PM, Error: Service Control Manager [7031] - The WLAN AutoConfig service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
2/28/2011 11:47:14 PM, Error: Service Control Manager [7034] - The Program Compatibility Assistant Service service terminated unexpectedly. It has done this 9 time(s).
2/28/2011 11:47:14 PM, Error: Service Control Manager [7034] - The Network Connections service terminated unexpectedly. It has done this 8 time(s).
2/28/2011 11:47:14 PM, Error: Service Control Manager [7034] - The Diagnostic System Host service terminated unexpectedly. It has done this 4 time(s).
2/28/2011 11:44:32 PM, Error: Service Control Manager [7034] - The Program Compatibility Assistant Service service terminated unexpectedly. It has done this 8 time(s).
2/28/2011 11:44:32 PM, Error: Service Control Manager [7034] - The Network Connections service terminated unexpectedly. It has done this 7 time(s).
2/28/2011 11:44:32 PM, Error: Service Control Manager [7034] - The Diagnostic System Host service terminated unexpectedly. It has done this 3 time(s).
2/28/2011 11:42:10 PM, Error: Service Control Manager [7034] - The Windows Driver Foundation - User-mode Driver Framework service terminated unexpectedly. It has done this 3 time(s).
2/28/2011 11:42:10 PM, Error: Service Control Manager [7034] - The Tablet PC Input Service service terminated unexpectedly. It has done this 3 time(s).
2/28/2011 11:42:10 PM, Error: Service Control Manager [7034] - The Program Compatibility Assistant Service service terminated unexpectedly. It has done this 7 time(s).
2/28/2011 11:42:10 PM, Error: Service Control Manager [7034] - The Portable Device Enumerator Service service terminated unexpectedly. It has done this 3 time(s).
2/28/2011 11:42:10 PM, Error: Service Control Manager [7034] - The Network Connections service terminated unexpectedly. It has done this 6 time(s).
2/28/2011 11:42:10 PM, Error: Service Control Manager [7034] - The Human Interface Device Access service terminated unexpectedly. It has done this 3 time(s).
2/28/2011 11:42:10 PM, Error: Service Control Manager [7034] - The Distributed Link Tracking Client service terminated unexpectedly. It has done this 3 time(s).
2/28/2011 11:42:10 PM, Error: Service Control Manager [7034] - The Diagnostic System Host service terminated unexpectedly. It has done this 2 time(s).
2/28/2011 11:42:10 PM, Error: Service Control Manager [7034] - The Desktop Window Manager Session Manager service terminated unexpectedly. It has done this 3 time(s).
2/28/2011 11:40:23 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Telephony service, but this action failed with the following error: An instance of the service is already running.
2/28/2011 11:35:46 PM, Error: Service Control Manager [7034] - The Superfetch service terminated unexpectedly. It has done this 3 time(s).
2/28/2011 11:35:46 PM, Error: Service Control Manager [7034] - The ReadyBoost service terminated unexpectedly. It has done this 3 time(s).
2/28/2011 11:35:46 PM, Error: Service Control Manager [7034] - The Program Compatibility Assistant Service service terminated unexpectedly. It has done this 6 time(s).
2/28/2011 11:35:46 PM, Error: Service Control Manager [7034] - The Network Connections service terminated unexpectedly. It has done this 5 time(s).
2/28/2011 11:35:46 PM, Error: Service Control Manager [7034] - The Diagnostic System Host service terminated unexpectedly. It has done this 1 time(s).
2/28/2011 11:35:46 PM, Error: Service Control Manager [7031] - The Windows Driver Foundation - User-mode Driver Framework service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
2/28/2011 11:35:46 PM, Error: Service Control Manager [7031] - The Portable Device Enumerator Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
2/28/2011 11:35:46 PM, Error: Service Control Manager [7031] - The Human Interface Device Access service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
2/28/2011 11:35:46 PM, Error: Service Control Manager [7031] - The Distributed Link Tracking Client service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
2/28/2011 11:35:46 PM, Error: Service Control Manager [7031] - The Desktop Window Manager Session Manager service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
2/28/2011 11:35:32 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Audio Endpoint Builder service, but this action failed with the following error: An instance of the service is already running.
2/28/2011 11:35:26 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 3 time(s).
2/28/2011 11:35:26 PM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 4 time(s).
2/28/2011 11:35:26 PM, Error: Service Control Manager [7031] - The Telephony service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
2/28/2011 11:35:26 PM, Error: Service Control Manager [7031] - The KtmRm for Distributed Transaction Coordinator service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
2/28/2011 11:35:01 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Base Filtering Engine service, but this action failed with the following error: An instance of the service is already running.
2/28/2011 11:34:58 PM, Error: Service Control Manager [7034] - The Program Compatibility Assistant Service service terminated unexpectedly. It has done this 5 time(s).
2/28/2011 11:34:58 PM, Error: Service Control Manager [7034] - The Network Location Awareness service terminated unexpectedly. It has done this 3 time(s).
2/28/2011 11:34:58 PM, Error: Service Control Manager [7034] - The Network Connections service terminated unexpectedly. It has done this 4 time(s).
2/28/2011 11:34:58 PM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 3 time(s).
2/28/2011 11:34:58 PM, Error: Service Control Manager [7031] - The Terminal Services service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
2/28/2011 11:34:32 PM, Error: Service Control Manager [7034] - The Program Compatibility Assistant Service service terminated unexpectedly. It has done this 4 time(s).
2/28/2011 11:34:32 PM, Error: Service Control Manager [7034] - The Network Connections service terminated unexpectedly. It has done this 3 time(s).
2/28/2011 11:34:32 PM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 2 time(s).
2/28/2011 11:34:32 PM, Error: Service Control Manager [7031] - The Telephony service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
2/28/2011 11:34:32 PM, Error: Service Control Manager [7031] - The Tablet PC Input Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
2/28/2011 11:34:32 PM, Error: Service Control Manager [7031] - The Superfetch service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
2/28/2011 11:34:32 PM, Error: Service Control Manager [7031] - The ReadyBoost service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
2/28/2011 11:34:32 PM, Error: Service Control Manager [7031] - The Network Location Awareness service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
2/28/2011 11:34:09 PM, Error: Service Control Manager [7034] - The Program Compatibility Assistant Service service terminated unexpectedly. It has done this 3 time(s).
2/28/2011 11:34:09 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Network Connections service, but this action failed with the following error: An instance of the service is already running.
2/28/2011 11:34:09 PM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
2/28/2011 11:34:09 PM, Error: Service Control Manager [7031] - The Network Connections service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
2/28/2011 11:34:09 PM, Error: Service Control Manager [7001] - The Windows Audio service depends on the Windows Audio Endpoint Builder service which failed to start because of the following error: The operation completed successfully.
2/28/2011 11:32:15 PM, Error: Service Control Manager [7022] - The Panda Cloud Antivirus Service service hung on starting.
2/28/2011 11:32:14 PM, Error: Service Control Manager [7022] - The AVGIDSAgent service hung on starting.
2/28/2011 11:26:08 PM, Error: EventLog [6008] - The previous system shutdown at 11:16:52 PM on 2/28/2011 was unexpected.
2/28/2011 1:36:27 PM, Error: Service Control Manager [7030] - The Panda Cloud Antivirus Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
2/27/2011 9:23:58 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80240016: Synaptics - Input - Synaptics PS/2 Port TouchPad.
2/27/2011 6:27:32 PM, Error: Microsoft-Windows-Service Pack Installer [6] - The Service Pack cannot be installed when the computer is running on battery power.
2/27/2011 5:03:17 PM, Error: Service Control Manager [7030] - The ThreatFire service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

==== End Of File ===========================

DDS.txt in next post

DDS.txt:

DDS (Ver_10-12-12.02) - NTFSx86
Run by Dave at 17:48:14.19 on Wed 03/02/2011
Internet Explorer: 8.0.6001.19019
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3038.930 [GMT -6:00]

AV: AVG Internet Security 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
AV: Panda Cloud Antivirus *Enabled/Updated* {86971480-9989-6750-B122-681A86518D59}
SP: AVG Internet Security 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Panda Cloud Antivirus *Enabled/Updated* {3DF6F564-BFB3-68DE-8B92-5368FDD6C7E4}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: AVG Firewall *Enabled* {621CC794-9486-F902-D092-0484E8EA828B}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_e2247046\STacSV.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\vfsFPService.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\DigitalPersona\Bin\DpHostW.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_e2247046\aestsrv.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
C:\Windows\SMINST\BLService.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\ThreatFire\TFService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\Program Files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
C:\Program Files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Hewlett-Packard\Media\TV\TVAgent.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filtering.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\System32\wsqmcons.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\AVG\AVG10\avgam.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\AVG\AVG10\avgfws.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\WindowsMobile\WmdSync.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\explorer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Dave\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cnnb
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cnnb
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DigitalPersona Personal Extension: {395610ae-c624-4f58-b89e-23733ea00f9a} - c:\program files\digitalpersona\bin\DpOtsPluginIe8.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\2.0"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [hpqSRMon]
mRun: [DVDAgent] "c:\program files\hewlett-packard\media\dvd\DVDAgent.exe"
mRun: [TSMAgent] "c:\program files\hewlett-packard\touchsmart\media\TSMAgent.exe"
mRun: [CLMLServer for HP TouchSmart] "c:\program files\hewlett-packard\touchsmart\media\kernel\clml\CLMLSvc.exe"
mRun: [TVAgent] "c:\program files\hewlett-packard\media\tv\TVAgent.exe"
mRun: [SmartMenu] %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [DpAgent] c:\program files\digitalpersona\bin\dpagent.exe
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
mRun: [Panda Security URL Filtering] "c:\programdata\panda security url filtering\Panda_URL_Filtering.exe"
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
LSA: Notification Packages = scecli DPPWDFLT

================= FIREFOX ===================

FF - ProfilePath - c:\users\dave\appdata\roaming\mozilla\firefox\profiles\uqdpcows.default\
FF - prefs.js: browser.startup.homepage - www.google.com/mail
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=PCAFSI1143&p=
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - component: c:\program files\digitalpersona\bin\firefoxext\components\dpffcli.dll
FF - component: c:\program files\panda security\panda id protect\firefox\components\FFKeypad.dll
FF - component: c:\users\dave\appdata\roaming\mozilla\firefox\profiles\uqdpcows.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\users\dave\appdata\roaming\mozilla\firefox\profiles\uqdpcows.default\extensions\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}\components\dtTransparency.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: DigitalPersona Extension: otis@digitalpersona.com - c:\program files\digitalpersona\bin\FirefoxExt
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
FF - Ext: Panda Identity Protect: widgetruntime@surfsecret.com - c:\program files\panda security\panda id protect\Firefox
FF - Ext: DigitalPersona Extension: otis@digitalpersona.com - c:\program files\digitalpersona\bin\firefoxext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: AddonFox: {ad48108d-92a6-4eb9-87e4-978aca1dbae4} - %profile%\extensions\{ad48108d-92a6-4eb9-87e4-978aca1dbae4}
FF - Ext: Firefox Sync: {340c2bbc-ce74-4362-90b5-7c26312808ef} - %profile%\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}
FF - Ext: Panda Security Toolbar: {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - %profile%\extensions\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2011-2-27 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2011-2-27 69392]
R1 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwd6x.sys [2010-7-12 54112]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2010-12-16 126536]
R2 {55662437-DA8C-40c0-AADA-2C816A897A49};{55662437-DA8C-40c0-AADA-2C816A897A49};c:\program files\hewlett-packard\media\dvd\000.fcl [2008-7-23 59376]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_e2247046\AEstSrv.exe [2009-3-2 81920]
R2 avgfws;AVG Firewall;c:\program files\avg\avg10\avgfws.exe [2010-11-22 3226632]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2008-3-18 26168]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2010-12-16 140608]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2010-12-16 141384]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2010-12-16 99400]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2010-12-16 111176]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2010-12-16 113736]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\sminst\BLService.exe [2008-8-31 361808]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R2 vfsFPService;Validity Fingerprint Service;c:\windows\system32\vfsFPService.exe [2008-5-26 599344]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 27216]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-8-31 193840]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2008-4-28 54784]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2008-7-7 96856]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-6-25 44064]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2011-2-27 33552]
R3 vfs101x;vfs101x;c:\windows\system32\drivers\vfs101x.sys [2008-5-26 40752]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2011-2-28 35816]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2011-2-28 24416]

=============== Created Last 30 ================

2011-03-02 21:03:43 -------- d-----w- c:\users\dave\appdata\roaming\Malwarebytes
2011-03-02 21:03:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-02 21:03:06 -------- d-----w- c:\progra~2\Malwarebytes
2011-03-02 21:03:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-02 21:03:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-01 13:37:26 -------- d-sh--w- C:\found.000
2011-03-01 13:25:21 -------- d-sh--r- C:\comment.htt
2011-03-01 05:43:47 -------- d-----w- C:\Backreg
2011-03-01 05:41:46 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2011-03-01 04:15:55 37600 ----a-w- c:\windows\system32\Partizan.exe
2011-03-01 04:15:55 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys
2011-03-01 04:15:46 2 --shatr- c:\windows\winstart.bat
2011-03-01 04:15:35 12808 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2011-03-01 04:15:32 -------- d-----w- c:\program files\UnHackMe
2011-02-28 19:48:07 -------- d-----w- c:\users\dave\appdata\roaming\Panda Security
2011-02-28 19:37:30 -------- d-----w- c:\users\dave\appdata\roaming\SurfSecret Privacy Suite
2011-02-28 19:37:06 -------- d-----w- c:\users\dave\appdata\local\panda2_0dn
2011-02-28 19:36:58 -------- d-----w- c:\progra~2\Panda Security URL Filtering
2011-02-28 19:36:08 -------- d-----w- c:\program files\Panda Security
2011-02-28 19:36:08 -------- d-----w- c:\progra~2\Panda Security
2011-02-28 19:26:28 -------- d-----w- c:\users\dave\appdata\local\Adobe
2011-02-28 19:23:39 -------- d-----w- C:\temp downloads
2011-02-28 18:06:03 -------- d--h--w- C:\$AVG
2011-02-28 04:22:04 445008 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2011-02-28 04:22:04 38480 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2011-02-28 04:17:34 -------- d-----w- c:\program files\Windows Portable Devices
2011-02-28 03:29:19 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2011-02-28 03:29:18 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2011-02-28 03:29:18 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2011-02-28 03:29:01 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2011-02-28 03:29:00 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2011-02-28 03:29:00 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2011-02-28 03:29:00 252928 ----a-w- c:\windows\system32\dxdiag.exe
2011-02-28 03:29:00 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2011-02-28 03:29:00 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2011-02-28 03:27:59 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-02-28 03:27:58 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-02-28 03:27:58 234496 ----a-w- c:\windows\system32\oleacc.dll
2011-02-28 03:27:18 -------- d-----w- c:\progra~2\NVIDIA Corporation
2011-02-28 03:24:14 -------- d-----w- c:\program files\NVIDIA Corporation
2011-02-28 03:21:35 -------- d-----w- c:\windows\system32\SRSLabs
2011-02-28 02:42:13 231424 ----a-w- c:\windows\system32\msshsq.dll
2011-02-28 02:24:43 -------- d-----w- c:\users\dave\appdata\roaming\AVG10
2011-02-28 02:18:45 -------- d--h--w- c:\progra~2\Common Files
2011-02-28 02:18:42 -------- d-----w- c:\program files\VideoLAN
2011-02-28 02:13:59 -------- d-----w- c:\windows\system32\drivers\AVG
2011-02-28 02:13:59 -------- d-----w- c:\progra~2\AVG10
2011-02-28 02:12:11 -------- d-----w- c:\program files\AVG
2011-02-28 02:07:50 -------- d-----w- c:\program files\Amazon
2011-02-28 00:43:23 -------- d-----w- c:\windows\system32\eu-ES
2011-02-28 00:43:23 -------- d-----w- c:\windows\system32\ca-ES
2011-02-28 00:43:15 -------- d-----w- c:\windows\system32\vi-VN
2011-02-28 00:27:04 -------- d-----w- c:\windows\system32\EventProviders
2011-02-27 23:03:59 524288 ----a-w- c:\windows\system32\sqlsrv32.dll
2011-02-27 23:02:59 99328 ----a-w- c:\program files\windows media player\wmpband.dll
2011-02-27 22:59:42 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2011-02-27 22:59:42 49472 ----a-w- c:\windows\system32\netfxperf.dll
2011-02-27 22:59:42 297808 ----a-w- c:\windows\system32\mscoree.dll
2011-02-27 22:59:42 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2011-02-27 22:59:42 1130824 ----a-w- c:\windows\system32\dfshim.dll
2011-02-27 22:45:15 20648 ----a-w- c:\windows\system32\dopdfmn6.dll
2011-02-27 22:45:15 18088 ----a-w- c:\windows\system32\dopdfmi6.dll
2011-02-27 22:45:14 -------- d-----w- c:\program files\Softland
2011-02-27 18:10:38 -------- d--h--w- C:\system16
2011-02-27 17:17:10 -------- d-----w- C:\_files
2011-02-27 17:14:48 -------- d-----w- C:\Admin
2011-02-27 14:24:18 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-27 13:52:00 -------- d-----w- c:\windows\system32\tr
2011-02-27 13:52:00 -------- d-----w- c:\windows\system32\sv
2011-02-27 13:52:00 -------- d-----w- c:\windows\system32\ru
2011-02-27 13:52:00 -------- d-----w- c:\windows\system32\no
2011-02-27 13:52:00 -------- d-----w- c:\windows\system32\da
2011-02-27 13:51:58 -------- d-----w- c:\windows\system32\ko
2011-02-27 13:51:58 -------- d-----w- c:\windows\system32\ja
2011-02-27 13:51:58 -------- d-----w- c:\windows\system32\it
2011-02-27 13:51:58 -------- d-----w- c:\windows\system32\fr
2011-02-27 13:51:58 -------- d-----w- c:\windows\system32\es
2011-02-27 13:51:58 -------- d-----w- c:\windows\system32\de
2011-02-27 13:51:55 -------- d-----w- c:\windows\DPDrv
2011-02-27 13:48:03 -------- d-----w- c:\progra~2\Downloaded Installations
2011-02-27 13:47:24 125952 ----a-w- c:\windows\system32\srvsvc.dll
2011-02-27 13:47:23 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-27 13:47:23 17920 ----a-w- c:\windows\system32\netevent.dll
2011-02-27 13:47:23 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-02-27 13:47:23 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-02-27 13:47:17 420352 ----a-w- c:\windows\system32\vbscript.dll
2011-02-27 13:47:16 377344 ----a-w- c:\windows\system32\winhttp.dll
2011-02-27 13:46:51 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-02-27 13:43:02 -------- d-----w- c:\users\dave\appdata\roaming\Macrovision
2011-02-27 13:42:02 -------- d-----w- c:\users\dave\appdata\roaming\DigitalPersona
2011-02-27 13:42:02 -------- d-----w- c:\users\dave\appdata\local\DigitalPersona
2011-02-27 13:42:00 -------- d-----w- c:\users\dave\appdata\roaming\Symantec
2011-02-27 01:19:53 18904 ----a-w- c:\windows\system32\StructuredQuerySchemaTrivial.bin
2011-02-27 01:17:05 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2011-02-27 01:17:00 40448 ----a-w- c:\windows\system32\winrs.exe
2011-02-27 01:17:00 20480 ----a-w- c:\windows\system32\winrshost.exe
2011-02-27 01:17:00 12800 ----a-w- c:\windows\system32\wsmprovhost.exe
2011-02-27 01:15:20 310784 ----a-w- c:\windows\system32\unregmp2.exe
2011-02-27 01:15:20 1418752 ----a-w- c:\program files\windows media player\setup_wm.exe
2011-02-27 01:15:00 714240 ----a-w- c:\windows\system32\timedate.cpl
2011-02-27 01:14:58 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2011-02-27 01:14:58 518144 ----a-w- c:\windows\system32\RMActivate.exe
2011-02-27 01:14:57 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2011-02-27 01:14:57 471552 ----a-w- c:\windows\system32\secproc.dll
2011-02-27 01:14:57 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2011-02-27 01:14:57 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2011-02-27 01:14:57 332288 ----a-w- c:\windows\system32\msdrm.dll
2011-02-27 01:14:56 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2011-02-27 01:14:56 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2011-02-27 01:14:53 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-02-27 01:14:53 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-02-27 01:14:53 1696256 ----a-w- c:\windows\system32\gameux.dll
2011-02-26 19:56:54 7680 ----a-w- c:\program files\internet explorer\iecompat.dll
2011-02-26 19:32:07 24064 ----a-w- c:\windows\system32\nshhttp.dll
2011-02-26 19:32:05 411648 ----a-w- c:\windows\system32\drivers\http.sys
2011-02-26 19:32:04 30720 ----a-w- c:\windows\system32\httpapi.dll
2011-02-26 19:31:20 -------- d-----w- c:\program files\MSXML 4.0
2011-02-26 19:27:57 2039808 ----a-w- c:\windows\system32\win32k.sys
2011-02-26 19:27:54 274944 ----a-w- c:\windows\system32\schannel.dll
2011-02-26 19:27:52 1616384 ----a-w- c:\program files\windows mail\msoe.dll
2011-02-26 19:27:49 67072 ----a-w- c:\windows\system32\asycfilt.dll
2011-02-26 19:27:47 502272 ----a-w- c:\windows\system32\usp10.dll
2011-02-26 19:27:46 66048 ----a-w- c:\program files\windows mail\wabmig.exe
2011-02-26 19:27:46 515584 ----a-w- c:\program files\windows mail\wab.exe
2011-02-26 19:27:46 33280 ----a-w- c:\program files\windows mail\wabfind.dll
2011-02-26 19:27:44 1316864 ----a-w- c:\windows\system32\ole32.dll
2011-02-26 19:27:43 339968 ----a-w- c:\program files\windows nt\accessories\wordpad.exe
2011-02-26 19:24:31 160256 ----a-w- c:\windows\system32\wkssvc.dll
2011-02-26 19:24:28 128000 ----a-w- c:\windows\system32\spoolsv.exe
2011-02-26 19:24:02 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
2011-02-26 19:22:51 31744 ----a-w- c:\windows\system32\msvidc32.dll
2011-02-26 19:21:56 243712 ----a-w- c:\windows\system32\rastls.dll
2011-02-26 19:18:39 -------- d-----w- c:\program files\DigitalPersona
2011-02-26 19:18:28 2730536 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\backup\mpengine.dll
2011-02-26 19:18:25 5943120 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{95139aea-7654-4ba4-98f6-0c35086b5942}\mpengine.dll
2011-02-26 19:18:21 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-26 19:17:19 -------- d-----w- c:\windows\system32\ENU
2011-02-26 19:17:18 319456 ----a-w- c:\windows\system32\difxapi.dll
2011-02-26 19:17:18 1034776 ----a-w- c:\windows\system32\imsmudlg.exe
2011-02-26 19:17:18 -------- d-----w- c:\windows\system32\Lang
2011-02-26 19:17:13 312344 ----a-w- c:\windows\system32\drivers\iaStor.sys
2011-02-26 19:17:13 -------- d-----w- C:\Intel
2011-02-26 19:15:17 172032 ----a-w- c:\windows\system32\wintrust.dll
2011-02-26 19:14:57 98304 ----a-w- c:\windows\system32\cabview.dll
2011-02-26 19:12:18 81960 ----a-w- c:\windows\system32\drivers\btwavdt.sys
2011-02-26 19:12:18 80424 ----a-w- c:\windows\system32\drivers\btwaudio.sys
2011-02-26 19:12:18 16168 ----a-w- c:\windows\system32\drivers\btwrchid.sys
2011-02-26 19:12:12 233472 ----a-w- c:\windows\system32\BtwRSupport.dll
2011-02-26 19:12:08 -------- d-----w- c:\windows\system32\es-MX
2011-02-26 19:12:08 -------- d-----w- c:\windows\system32\es-AR
2011-02-26 19:12:05 -------- d-----w- c:\program files\WIDCOMM
2011-02-26 19:11:02 -------- d-----w- c:\windows\system32\HPMDP
2011-02-26 19:09:48 53248 ----a-w- c:\windows\system32\CSVer.dll
2011-02-26 19:08:59 663552 ----a-w- c:\windows\system32\NETw5c32.dll
2011-02-26 19:08:29 9728 ----a-w- c:\windows\system32\RtNicProp32.dll
2011-02-26 19:08:28 -------- d-----w- c:\program files\Realtek
2011-02-26 19:08:06 61440 ----a-w- c:\windows\system32\aestaren.dll
2011-02-26 19:08:06 372736 ----a-w- c:\windows\system32\aestecap.dll
2011-02-26 19:08:06 152064 ----a-w- c:\windows\system32\HPToneCtrls32.dll
2011-02-26 19:08:06 138240 ----a-w- c:\windows\system32\aestacap.dll
2011-02-26 19:08:04 86016 ----a-w- c:\windows\system32\AESTCom.dll
2011-02-26 19:08:04 536576 ----a-w- c:\windows\system32\idtmini1.exe
2011-02-26 19:08:04 458844 ----a-w- c:\windows\sttray.exe
2011-02-26 19:08:04 3600384 ----a-w- c:\windows\system32\stlang.dll
2011-02-26 19:08:04 12030044 ----a-w- c:\windows\system32\idtcpl.cpl
2011-02-26 19:07:30 175616 ----a-w- c:\windows\system32\staco.dll
2011-02-26 19:07:16 915456 ----a-w- c:\windows\system32\stapo.dll
2011-02-26 19:07:15 490496 ----a-w- c:\windows\system32\stapi32.dll
2011-02-26 19:05:55 110080 ----a-w- c:\windows\system32\JmCrIcon.dll
2011-02-26 19:05:55 -------- d-----w- c:\windows\JMCR_DIR
2011-02-26 19:05:27 -------- d-----w- c:\program files\Synaptics
2011-02-26 19:04:48 768544 ----a-w- c:\windows\system32\nvcplui.exe
2011-02-26 19:04:48 420384 ----a-w- c:\windows\system32\nvcpl.cpl
2011-02-26 19:04:48 313888 ----a-w- c:\windows\system32\nvexpbar.dll
2011-02-26 19:04:48 1079840 ----a-w- c:\windows\system32\nvcpluir.dll
2011-02-26 19:03:58 453152 ----a-w- c:\windows\system32\NVUNINST.EXE

==================== Find3M ====================

2011-02-26 19:06:13 125 ----a-w- c:\windows\xUninstall.bat
2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24:32 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-20 13:44:05 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-01-20 13:44:03 797184 ----a-w- c:\windows\system32\FntCache.dll
2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-28 15:55:03 413696 ----a-w- c:\windows\system32\odbc32.dll
2010-12-18 06:27:04 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-18 06:22:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-18 06:22:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-18 06:22:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-12-18 06:22:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-12-18 05:25:26 385024 ----a-w- c:\windows\system32\html.iec
2010-12-18 04:48:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-12-18 04:47:11 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-12-17 00:39:53 365888 ----a-w- c:\windows\system32\PSUNCpl.cpl
2010-12-14 14:49:23 1169408 ----a-w- c:\windows\system32\sdclt.exe

============= FINISH: 18:24:51.30 ===============

Thanks for the help-RR
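The DDS log above has two blocks that are worth reading together: "SERVICES / DRIVERS" (drivers and services with their binaries and start type) and "Created Last 30" (files written in the last 30 days). Cross-referencing them is a quick way to see which drivers on the box are new arrivals. The script below is an added triage example written for this thread, not code from DDS, UnHackMe or any other tool named here; the two line formats are taken from the log itself, and the sample text is a constructed excerpt of lines copied from it. It lists every service or driver whose binary was created inside the 30-day window, and separately lists entries carrying both the system and hidden attributes, since those deserve a manual look.

```python
"""Cross-reference the SERVICES / DRIVERS and Created Last 30 blocks of a DDS log.

Added example (not part of the thread or of DDS). Line formats copied from the
log posted above; SAMPLE_* are constructed excerpts of that log.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# "<state> <name>;<display>;<binary and args> [<date> <size>]"  (or "[?]")
_SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# First drive-letter path ending in a binary extension; arguments such as
# "-k LocalService..." and the "--> other path" form are left behind.
_BINARY_RE = re.compile(r"(?P<path>[a-z]:\\[^\[]*?\.(?:sys|exe|dll|fcl))", re.IGNORECASE)
# "<date> <time> <size or --------> <attrs> <path>"
_CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$"
)

# Constructed sample: lines copied from the DDS log in this thread.
SAMPLE_SERVICES = r"""
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2011-2-28 35816]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2011-2-28 24416]
"""
SAMPLE_CREATED = r"""
2011-03-02 21:03:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-01 13:25:21 -------- d-sh--r- C:\comment.htt
2011-03-01 05:41:46 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2011-03-01 04:15:55 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys
2011-03-01 04:15:46 2 --shatr- c:\windows\winstart.bat
2011-02-28 04:22:04 445008 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
"""


@dataclass
class ServiceEntry:
    state: str          # R = running, S = stopped; the digit is the start type (0 = boot)
    name: str
    display: str
    path: str           # binary path, lower-cased, arguments stripped
    stat_missing: bool  # "[?]": DDS recorded no date/size for the binary


@dataclass
class CreatedEntry:
    created: datetime
    size: Optional[int]  # None for directories ("--------")
    attrs: str           # e.g. "d-sh--w-": d = directory, s = system, h = hidden
    path: str            # path as written in the log


def parse_services(text: str) -> List[ServiceEntry]:
    entries = []
    for line in text.splitlines():
        m = _SERVICE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        b = _BINARY_RE.search(rest)
        path = b.group("path").lower() if b else rest.split(" [")[0].lower()
        entries.append(ServiceEntry(m.group("state"), m.group("name"), m.group("display"),
                                    path, rest.rstrip().endswith("[?]")))
    return entries


def parse_created(text: str) -> List[CreatedEntry]:
    entries = []
    for line in text.splitlines():
        m = _CREATED_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{m.group('date')} {m.group('time')}", "%Y-%m-%d %H:%M:%S")
        size = int(m.group("size")) if m.group("size").isdigit() else None
        entries.append(CreatedEntry(when, size, m.group("attrs"), m.group("path")))
    return entries


def recently_created_services(services: List[ServiceEntry],
                              created: List[CreatedEntry]) -> List[Tuple[ServiceEntry, CreatedEntry]]:
    """Services/drivers whose binary also appears in the Created Last 30 block."""
    by_path: Dict[str, CreatedEntry] = {e.path.lower(): e for e in created}
    return [(s, by_path[s.path]) for s in services if s.path in by_path]


def hidden_system_entries(created: List[CreatedEntry]) -> List[CreatedEntry]:
    """Entries carrying both the system and hidden attributes."""
    return [e for e in created if "s" in e.attrs and "h" in e.attrs]


if __name__ == "__main__":
    services, created = parse_services(SAMPLE_SERVICES), parse_created(SAMPLE_CREATED)
    for svc, ent in recently_created_services(services, created):
        print(f"{svc.state} {svc.name}: {svc.path} created {ent.created:%Y-%m-%d %H:%M:%S}")
    for ent in hidden_system_entries(created):
        print(f"system+hidden: {ent.attrs} {ent.path}")
    for svc in services:
        if svc.stat_missing:
            print(f"no date/size recorded for {svc.name}: {svc.path}")
```

On the sample excerpt the match picks out Partizan.sys and regguard.sys (both created 2011-03-01, both registered as drivers, consistent with the UnHackMe install recorded in the same block), so the output has to be read against what was installed when; the script surfaces candidates for review, it does not decide what is malicious.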
 
Welcome aboard


First of all, I'm not sure how a fresh Windows installation can already be infected.
Do you have any indication that your computer IS infected?

Secondly, you're running two AV programs, Panda and AVG.
One of them has to go.
If AVG, make sure to use this tool to uninstall it: http://www.avg.com/us-en/download-tools
 
Hi,

Thanks for the welcome. It may not be a clean install, but a recovery from an HP-created partition.

I didn't repartition the drive. When I do an HP system restore, it's starting from the same MBR; I choose from the menu to restore. The boot manager directs to the D: partition and fires up some installer that puts factory Vista on the computer without an up-to-date virus or firewall. The laptop keeps having security and reliability issues that didn't show up until I did get a verified virus. I thought I got rid of the virus, but a friend says my emails have virus-infected attachments. I stored data on an old desktop that I put back on via Windows copy. Who knows if I really killed a root kit or that it didn't get reinfected when I connected to the internet for updates.

The UnHackMe program is finding footprints of Known malware/rootkits.

I'll drop Panda. AVG is a full Internet Security package.

I just ran Black Light; it found nothing.
 
Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

==================================================================

Please download Rootkit Unhooker from one of the following links and save it to your desktop.
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".
 
Download MBRCheck to your desktop

A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

==================================================================

Please download Rootkit Unhooker from one of the following links and save it to your desktop.
  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.


  • MBR file:
    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows Vista Home Premium Edition
    Windows Information: Service Pack 2 (build 6002), 32-bit
    Base Board Manufacturer: Quanta
    BIOS Manufacturer: Hewlett-Packard
    System Manufacturer: Hewlett-Packard
    System Product Name: HP HDX 16 Notebook PC
    Logical Drives Mask: 0x0000003c

    Kernel Drivers (total 221):
    0x81E0F000 \SystemRoot\system32\ntkrnlpa.exe
    0x821C9000 \SystemRoot\system32\hal.dll
    0x80400000 \SystemRoot\system32\kdcom.dll
    0x80407000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
    0x80477000 \SystemRoot\system32\PSHED.dll
    0x80488000 \SystemRoot\system32\BOOTVID.dll
    0x80490000 \SystemRoot\system32\CLFS.SYS
    0x804D1000 \SystemRoot\system32\CI.dll
    0x8060E000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x8067F000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x8068D000 \SystemRoot\system32\drivers\acpi.sys
    0x806D3000 \SystemRoot\system32\drivers\WMILIB.SYS
    0x806DC000 \SystemRoot\system32\drivers\Partizan.sys
    0x806E4000 \SystemRoot\system32\drivers\msisadrv.sys
    0x806EC000 \SystemRoot\system32\drivers\pci.sys
    0x80713000 \SystemRoot\system32\drivers\isapnp.sys
    0x80722000 \SystemRoot\system32\drivers\mpio.sys
    0x8073E000 \SystemRoot\System32\drivers\partmgr.sys
    0x8074D000 \SystemRoot\system32\DRIVERS\compbatt.sys
    0x80750000 \SystemRoot\system32\DRIVERS\BATTC.SYS
    0x8075A000 \SystemRoot\system32\drivers\volmgr.sys
    0x80769000 \SystemRoot\System32\drivers\volmgrx.sys
    0x807B3000 \SystemRoot\system32\drivers\intelide.sys
    0x807BA000 \SystemRoot\system32\drivers\PCIIDEX.SYS
    0x807C8000 \SystemRoot\system32\drivers\aliide.sys
    0x807CF000 \SystemRoot\system32\drivers\amdide.sys
    0x807D6000 \SystemRoot\system32\drivers\cmdide.sys
    0x807DE000 \SystemRoot\System32\drivers\mountmgr.sys
    0x805B1000 \SystemRoot\system32\drivers\msdsm.sys
    0x805CB000 \SystemRoot\system32\drivers\nvraid.sys
    0x82801000 \SystemRoot\system32\drivers\CLASSPNP.SYS
    0x82822000 \SystemRoot\system32\drivers\pciide.sys
    0x82829000 \SystemRoot\system32\drivers\viaide.sys
    0x82831000 \SystemRoot\system32\drivers\iastorv.sys
    0x828D2000 \SystemRoot\system32\DRIVERS\iaStor.sys
    0x829A0000 \SystemRoot\system32\drivers\atapi.sys
    0x829A8000 \SystemRoot\system32\drivers\ataport.SYS
    0x829C6000 \SystemRoot\system32\drivers\lsi_scsi.sys
    0x82A03000 \SystemRoot\system32\drivers\storport.sys
    0x82A44000 \SystemRoot\system32\drivers\msahci.sys
    0x82A4E000 \SystemRoot\system32\drivers\hpcisss.sys
    0x82A59000 \SystemRoot\system32\drivers\adp94xx.sys
    0x82AC3000 \SystemRoot\system32\drivers\adpahci.sys
    0x82B0F000 \SystemRoot\system32\drivers\adpu160m.sys
    0x82B2A000 \SystemRoot\system32\drivers\SCSIPORT.SYS
    0x82B50000 \SystemRoot\system32\drivers\adpu320.sys
    0x82B76000 \SystemRoot\system32\drivers\djsvs.sys
    0x82B8A000 \SystemRoot\system32\drivers\arc.sys
    0x82BA0000 \SystemRoot\system32\drivers\arcsas.sys
    0x8AA0D000 \SystemRoot\system32\drivers\elxstor.sys
    0x8AAA1000 \SystemRoot\system32\drivers\i2omp.sys
    0x8AAAB000 \SystemRoot\system32\drivers\iirsp.sys
    0x8AABB000 \SystemRoot\system32\drivers\iteatapi.sys
    0x8AAC7000 \SystemRoot\system32\drivers\iteraid.sys
    0x8AAD3000 \SystemRoot\system32\drivers\lsi_fc.sys
    0x8AAED000 \SystemRoot\system32\drivers\lsi_sas.sys
    0x8AB05000 \SystemRoot\system32\drivers\megasas.sys
    0x8AB0F000 \SystemRoot\system32\drivers\megasr.sys
    0x8ABC6000 \SystemRoot\system32\drivers\mraid35x.sys
    0x8ABD1000 \SystemRoot\system32\drivers\nfrd960.sys
    0x8ABDF000 \SystemRoot\system32\drivers\nvstor.sys
    0x8AC0D000 \SystemRoot\system32\drivers\ql2300.sys
    0x8AD45000 \SystemRoot\system32\drivers\ql40xx.sys
    0x8AD9A000 \SystemRoot\system32\drivers\sisraid2.sys
    0x8ADA7000 \SystemRoot\system32\drivers\sisraid4.sys
    0x8ADBC000 \SystemRoot\system32\drivers\symc8xx.sys
    0x8ADC8000 \SystemRoot\system32\drivers\sym_hi.sys
    0x8ADD3000 \SystemRoot\system32\drivers\sym_u3.sys
    0x82BB6000 \SystemRoot\system32\drivers\uliahci.sys
    0x8ADDE000 \SystemRoot\system32\drivers\ulsata.sys
    0x8AE0B000 \SystemRoot\system32\drivers\ulsata2.sys
    0x8AE37000 \SystemRoot\system32\drivers\vsmraid.sys
    0x8AE58000 \SystemRoot\system32\drivers\fltmgr.sys
    0x8AE8A000 \SystemRoot\system32\drivers\fileinfo.sys
    0x8AE9A000 \SystemRoot\system32\drivers\TfFsMon.sys
    0x8AEAB000 \SystemRoot\system32\drivers\TfSysMon.sys
    0x8AEBE000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x8B00C000 \SystemRoot\system32\drivers\ndis.sys
    0x8B117000 \SystemRoot\system32\drivers\msrpc.sys
    0x8B142000 \SystemRoot\system32\drivers\NETIO.SYS
    0x8B20D000 \SystemRoot\System32\drivers\tcpip.sys
    0x8B2F7000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x8B40E000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x8B51E000 \SystemRoot\system32\drivers\wd.sys
    0x8B526000 \SystemRoot\system32\drivers\volsnap.sys
    0x8B55F000 \SystemRoot\System32\Drivers\spldr.sys
    0x8B567000 \SystemRoot\system32\drivers\sbp2port.sys
    0x8B57C000 \SystemRoot\System32\Drivers\mup.sys
    0x8B58B000 \SystemRoot\System32\drivers\ecache.sys
    0x8B5B2000 \SystemRoot\system32\DRIVERS\hpdskflt.sys
    0x8B5BB000 \SystemRoot\system32\drivers\disk.sys
    0x8B5CC000 \SystemRoot\system32\drivers\crcdisk.sys
    0x8B5D5000 \SystemRoot\system32\DRIVERS\avgrkx86.sys
    0x8B5DA000 \SystemRoot\system32\DRIVERS\AVGIDSEH.Sys
    0x8B5F0000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x8B3E0000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0x8B5FB000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0x8F000000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
    0x8F99D000 \SystemRoot\system32\DRIVERS\nvBridge.kmd
    0x8AF2F000 \SystemRoot\System32\drivers\dxgkrnl.sys
    0x8F99F000 \SystemRoot\System32\drivers\watchdog.sys
    0x8F9AB000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0x8F9B6000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x8B3EF000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x8FA0C000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0x8FC01000 \SystemRoot\system32\DRIVERS\NETw5v32.sys
    0x8FF8A000 \SystemRoot\system32\DRIVERS\Rtlh86.sys
    0x8FFAC000 \SystemRoot\system32\DRIVERS\ohci1394.sys
    0x8FFBC000 \SystemRoot\system32\DRIVERS\1394BUS.SYS
    0x8FFCA000 \SystemRoot\system32\DRIVERS\jmcr.sys
    0x8FFE1000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0x8FFF4000 \SystemRoot\system32\DRIVERS\HpqKbFiltr.sys
    0x8FA99000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x8FAA4000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0x8FFF9000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x8FADF000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x8FAEA000 \SystemRoot\system32\DRIVERS\enecir.sys
    0x8FB02000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0x8FB1A000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0x8FB23000 \SystemRoot\system32\DRIVERS\Accelerometer.sys
    0x8FB2F000 \SystemRoot\system32\DRIVERS\msiscsi.sys
    0x8FB5E000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0x8FB69000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x8FB80000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x8FB8B000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x8FBAE000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x8FBBD000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x8FBD1000 \SystemRoot\system32\DRIVERS\rassstp.sys
    0x8FBE6000 \SystemRoot\system32\DRIVERS\termdd.sys
    0x8FFFB000 \SystemRoot\system32\DRIVERS\swenum.sys
    0x8B17D000 \SystemRoot\system32\DRIVERS\ks.sys
    0x8B400000 \SystemRoot\system32\DRIVERS\circlass.sys
    0x8FBF6000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0x8B200000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x8B1A7000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x8B1DC000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x9020F000 \SystemRoot\system32\DRIVERS\stwrt.sys
    0x90277000 \SystemRoot\system32\DRIVERS\portcls.sys
    0x902A4000 \SystemRoot\system32\DRIVERS\drmk.sys
    0x902C9000 \SystemRoot\system32\drivers\nvhda32v.sys
    0x902D7000 \SystemRoot\system32\DRIVERS\hidir.sys
    0x902E2000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0x902F2000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0x902F9000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0x90302000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0x9030A000 \SystemRoot\system32\DRIVERS\avgmfx86.sys
    0x90316000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0x9031F000 \SystemRoot\System32\Drivers\Null.SYS
    0x90326000 \SystemRoot\System32\Drivers\Beep.SYS
    0x9032D000 \SystemRoot\System32\drivers\vga.sys
    0x90339000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x9035A000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0x90362000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x9036A000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x90375000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x90383000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0x9038C000 \SystemRoot\system32\DRIVERS\avgfwd6x.sys
    0x9039D000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x903B3000 \SystemRoot\system32\DRIVERS\smb.sys
    0x90600000 \SystemRoot\system32\DRIVERS\avgtdix.sys
    0x90648000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x9067A000 \SystemRoot\system32\drivers\afd.sys
    0x906C2000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x906D8000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x906E6000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x906F9000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x90735000 \SystemRoot\system32\DRIVERS\psinknc.sys
    0x90757000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0x9076E000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x90778000 \SystemRoot\System32\Drivers\dfsc.sys
    0x9078F000 \SystemRoot\System32\Drivers\usbvideo.sys
    0x907B0000 \SystemRoot\system32\DRIVERS\avgldx86.sys
    0x907EC000 \SystemRoot\system32\drivers\vfs101x.sys
    0x903C7000 \SystemRoot\System32\Drivers\BTHUSB.sys
    0x90E08000 \SystemRoot\System32\Drivers\bthport.sys
    0x90E88000 \SystemRoot\system32\DRIVERS\rfcomm.sys
    0x90EB1000 \SystemRoot\system32\DRIVERS\BthEnum.sys
    0x90EBB000 \SystemRoot\system32\DRIVERS\bthpan.sys
    0x90ED5000 \SystemRoot\system32\drivers\btwavdt.sys
    0x90F40000 \SystemRoot\system32\drivers\btwaudio.sys
    0x90FC0000 \SystemRoot\system32\DRIVERS\btwrchid.sys
    0x90FC3000 \SystemRoot\System32\Drivers\fastfat.SYS
    0x90FEB000 \SystemRoot\System32\Drivers\crashdmp.sys
    0x8B312000 \SystemRoot\System32\Drivers\dump_iaStor.sys
    0x93640000 \SystemRoot\System32\win32k.sys
    0x903D4000 \SystemRoot\System32\drivers\Dxapi.sys
    0x903DE000 \SystemRoot\system32\DRIVERS\monitor.sys
    0x93860000 \SystemRoot\System32\TSDDD.dll
    0x93880000 \SystemRoot\System32\cdd.dll
    0x8AFCF000 \SystemRoot\system32\drivers\luafv.sys
    0x9C40C000 \SystemRoot\system32\DRIVERS\PSINAflt.sys
    0x9C433000 \SystemRoot\system32\DRIVERS\PSINProt.sys
    0x9C452000 \SystemRoot\system32\DRIVERS\PSINFile.sys
    0x9C46E000 \SystemRoot\system32\DRIVERS\PSINProc.sys
    0x9C48C000 \SystemRoot\system32\drivers\spsys.sys
    0x9C53C000 \SystemRoot\system32\DRIVERS\lltdio.sys
    0x9C54C000 \SystemRoot\system32\DRIVERS\nwifi.sys
    0x9C576000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0x9C580000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0x9C593000 \SystemRoot\system32\drivers\HTTP.sys
    0x829E0000 \SystemRoot\System32\DRIVERS\srvnet.sys
    0x805E6000 \SystemRoot\system32\DRIVERS\bowser.sys
    0x8AFEA000 \SystemRoot\System32\drivers\mpsdrv.sys
    0x9EE09000 \SystemRoot\system32\drivers\mrxdav.sys
    0x9EE2A000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0x9EE49000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0x9EE82000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0x9EE9A000 \SystemRoot\System32\DRIVERS\srv2.sys
    0x9EEC2000 \SystemRoot\System32\DRIVERS\srv.sys
    0x9EF28000 \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys
    0x9FA08000 \SystemRoot\system32\drivers\peauth.sys
    0x9FAE6000 \SystemRoot\System32\Drivers\secdrv.SYS
    0x9FAF0000 \SystemRoot\System32\drivers\tcpipreg.sys
    0x9FAFC000 \??\C:\Program Files\Hewlett-Packard\Media\DVD\000.fcl
    0x9FB1D000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
    0x9FB32000 \SystemRoot\system32\DRIVERS\WUDFPf.sys
    0x9FB44000 \SystemRoot\system32\DRIVERS\AVGIDSFilter.Sys
    0x9FB4E000 \SystemRoot\system32\DRIVERS\AVGIDSDriver.Sys
    0x9FB78000 \??\C:\Windows\system32\drivers\TfNetMon.sys
    0x9FB84000 \SystemRoot\system32\DRIVERS\cdfs.sys
    0x77670000 \WINDOWS\System32\ntdll.dll

    Processes (total 98):
    0 System Idle Process
    4 System
    604 C:\WINDOWS\System32\smss.exe
    848 csrss.exe
    904 C:\WINDOWS\System32\wininit.exe
    916 csrss.exe
    952 C:\WINDOWS\System32\services.exe
    964 C:\WINDOWS\System32\lsass.exe
    976 C:\WINDOWS\System32\lsm.exe
    1092 C:\WINDOWS\System32\winlogon.exe
    1176 C:\WINDOWS\System32\svchost.exe
    1240 C:\WINDOWS\System32\nvvsvc.exe
    1268 C:\WINDOWS\System32\svchost.exe
    1408 C:\WINDOWS\System32\svchost.exe
    1444 C:\WINDOWS\System32\svchost.exe
    1464 C:\WINDOWS\System32\svchost.exe
    1476 C:\WINDOWS\System32\DriverStore\FileRepository\stwrt.inf_e2247046\stacsv.exe
    1628 C:\WINDOWS\System32\audiodg.exe
    1672 C:\WINDOWS\System32\svchost.exe
    1696 C:\WINDOWS\System32\SLsvc.exe
    1732 C:\WINDOWS\System32\svchost.exe
    1816 C:\WINDOWS\System32\rundll32.exe
    1864 C:\WINDOWS\System32\hpservice.exe
    1948 C:\WINDOWS\System32\vfsFPService.exe
    2024 C:\WINDOWS\System32\svchost.exe
    816 C:\WINDOWS\System32\spoolsv.exe
    856 C:\Program Files\DigitalPersona\Bin\DpHostW.exe
    1228 C:\WINDOWS\System32\svchost.exe
    1880 C:\WINDOWS\System32\DriverStore\FileRepository\stwrt.inf_e2247046\AEstSrv.exe
    2068 C:\Program Files\AVG\AVG10\avgfws.exe
    2080 C:\Program Files\AVG\AVG10\avgwdsvc.exe
    2092 C:\WINDOWS\System32\svchost.exe
    2168 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
    2224 C:\WINDOWS\System32\svchost.exe
    2276 C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
    2296 C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
    2316 C:\WINDOWS\SMINST\BLService.exe
    2588 C:\Program Files\Cyberlink\Shared files\RichVideo.exe
    2620 C:\WINDOWS\System32\svchost.exe
    2692 C:\Program Files\ThreatFire\TFService.exe
    2752 C:\WINDOWS\System32\svchost.exe
    2780 C:\WINDOWS\System32\SearchIndexer.exe
    2824 C:\WINDOWS\System32\taskeng.exe
    2996 C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
    3064 C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    3196 WUDFHost.exe
    3204 C:\Program Files\AVG\AVG10\avgam.exe
    3372 C:\Program Files\AVG\AVG10\avgnsx.exe
    4068 C:\WINDOWS\System32\dwm.exe
    4084 C:\WINDOWS\explorer.exe
    2408 C:\WINDOWS\System32\taskeng.exe
    2728 C:\WINDOWS\System32\taskeng.exe
    1324 C:\Program Files\AVG\AVG10\avgemcx.exe
    5288 C:\Program Files\AVG\AVG10\avgcsrvx.exe
    5968 C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
    5084 C:\WINDOWS\System32\svchost.exe
    1436 C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
    5480 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    4368 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    5620 C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    5232 C:\Program Files\Hewlett-Packard\Media\DVD\DVDAgent.exe
    4608 C:\Program Files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
    4624 C:\Program Files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
    4668 C:\Program Files\Hewlett-Packard\Media\TV\TVAgent.exe
    5668 C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
    2200 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    5764 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    5796 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    5836 C:\Program Files\DigitalPersona\Bin\DpAgent.exe
    5844 C:\Program Files\ThreatFire\TFTray.exe
    5860 C:\Program Files\AVG\AVG10\avgtray.exe
    5908 C:\Program Files\IDT\WDM\sttray.exe
    5364 C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
    4804 C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filtering.exe
    3996 C:\WINDOWS\WindowsMobile\wmdSync.exe
    6072 C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    4296 C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    1644 WmiPrvSE.exe
    1560 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
    5148 C:\WINDOWS\System32\svchost.exe
    5052 C:\WINDOWS\System32\mobsync.exe
    5912 C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    6068 C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    3704 C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
    1932 C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
    5340 C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
    4272 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    4480 C:\WINDOWS\System32\taskmgr.exe
    4248 C:\WINDOWS\System32\notepad.exe
    5500 C:\PROGRA~1\AVG\AVG10\avgrsx.exe
    5752 C:\Program Files\AVG\AVG10\avgcsrvx.exe
    4472 C:\WINDOWS\System32\SearchProtocolHost.exe
    6048 C:\WINDOWS\System32\SearchFilterHost.exe
    5312 C:\Program Files\Mozilla Firefox\firefox.exe
    5660 C:\Program Files\Mozilla Firefox\plugin-container.exe
    4612 dllhost.exe
    5584 dllhost.exe
    4796 C:\Users\Dave\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000072`3dc00000 (NTFS)

    PhysicalDrive0 Model Number: ST9500325AS, Rev: 0002SPM1

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: 6DF26AE7D6663DFFFF5602BEDE5BE4683120D56C


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done!
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    Unhooker crashes:
    "Sorry, but unhandled exception has occured
    program will be terminated
    exception code: 0xc0000005
    Error log generated, please report to developers"

    Error log file:
    Exception code : 0xC0000005
    Instruction address : 0x00000000
    Attempt to read at address : 0x00000000
    +++++++++++++++++++++++++++++

    So that's all I got. What's next?
 
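The MBRCheck output above reports "Unknown MBR code" together with the SHA1 of the boot sector, and gives each volume's byte offset on PhysicalDrive0. The following is an added example (my own code, not MBRCheck's and not part of the thread) showing what such a check does: it parses a 512-byte MBR, verifies the 0x55AA boot signature, lists the partition table, hashes the 440 bytes of boot code, and looks that hash up in a table of known-good values. The boot code, the disk signature, the partition geometry and the "known-good" table are all constructed for the example; the geometry is chosen so that the two partitions land at the same byte offsets (0x7E00 and 0x72_3DC00000) that the log shows for C: and D:. Real tools ship hashes of genuine OEM and Windows boot code; the hash in this table is just a stand-in computed from a constructed byte string.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # boot code occupies bytes 0..439; disk signature is at 0x1B8
DISK_SIG_OFFSET = 0x1B8
PART_TABLE_OFFSET = 0x1BE    # four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xAA"  # bytes 510..511
PART_ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def build_sample_mbr(boot_code, partitions, disk_signature=0x12345678):
    """Assemble a constructed MBR sector for testing (not a real disk image)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code longer than 440 bytes")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, disk_signature)
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions[:4]):
        struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba_start, sectors)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


def parse_mbr(sector):
    """Return boot-code hash, disk signature and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; sector is not a valid MBR")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0:            # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,                    # 0x07 = NTFS/IFS
            "lba_start": lba_start,
            "sectors": sectors,
            "byte_offset": lba_start * SECTOR_SIZE,  # what MBRCheck prints as "at offset"
        })
    return {
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        "partitions": partitions,
    }


def classify_mbr(sector, known_good):
    """Label the boot code by hash; anything not in the table is reported as unknown."""
    info = parse_mbr(sector)
    return known_good.get(info["boot_code_sha1"], "Unknown MBR code")


# Constructed stand-in for "known" boot code; a real table would hold hashes of
# genuine Windows/OEM boot sectors, which are not reproduced here.
REFERENCE_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x00" * 100
KNOWN_GOOD = {
    hashlib.sha1(REFERENCE_BOOT_CODE.ljust(BOOT_CODE_LEN, b"\x00")).hexdigest().upper():
        "Constructed reference boot code",
}

# Constructed partition layout mirroring the offsets in the log:
# 63 * 512 = 0x7E00 (C:), 958324736 * 512 = 0x723DC00000 (D:).
SAMPLE_LAYOUT = [
    (True, 0x07, 63, 958324673),
    (False, 0x07, 958324736, 18448432),
]
CLEAN_SECTOR = build_sample_mbr(REFERENCE_BOOT_CODE, SAMPLE_LAYOUT)
# Same partition table, different boot code: the hash no longer matches.
ALTERED_SECTOR = build_sample_mbr(b"\xEB\xFE" + b"\x90" * 50, SAMPLE_LAYOUT)

if __name__ == "__main__":
    for name, sec in (("clean", CLEAN_SECTOR), ("altered", ALTERED_SECTOR)):
        info = parse_mbr(sec)
        print(name, info["boot_code_sha1"], classify_mbr(sec, KNOWN_GOOD))
        for p in info["partitions"]:
            print("  partition %d type 0x%02X at offset 0x%x (%d sectors)"
                  % (p["index"], p["type"], p["byte_offset"], p["sectors"]))
```

The point for the reader of the log: MBRCheck only knows the boot code it has hashes for, so "Unknown MBR code" means unrecognised, not necessarily infected; an OEM-customised boot sector can produce the same result. What makes the report worth acting on is corroboration, such as the rootkit behaviour the poster describes surviving two factory restores, since a restore from the D: partition rewrites the file system but does not necessarily rewrite the first sector of the disk.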
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.

Make sure you re-enable your security programs when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
I can't get AVG uninstalled. It keeps hanging up giving me a security error.

I'm about ready to reinstall from the partition, but want to make it a clean install if so. I can take this drive out and put it in my desktop, which appears to be clean and reasonably stable.

Are there tools I can run on it when it's not the boot drive that will strip out the root kit?

Please advise. I've spent quite a bit of time trying to get this machine to work properly and don't have access to the original disks needed to repartition the drive and truly start fresh.

Thanks--RR
 
Well, if you want to restore it to factory settings, simply press F11 at HP logo and follow on-screen instructions.
Be aware, that all your data will be lost.
 
I've reloaded the factory image twice already and keep having the same ***** problems with security and corrupt files.

My concern is that restoring from HP's factory partition is being hijacked by the rootkit, leaving me in an endless loop. So, given I have another machine that I can plug this drive into, what will scan and remove a rootkit when the drive that is infected isn't a boot drive? Specifically, if the RK is changing its signature, what will identify and remove it when, hopefully, the RK isn't running?

Thanks again.
 
Your best option would be to format the whole drive, but in that case your recovery partition would be gone as well.
Since you don't have any disks, it doesn't look like an option.

I suggest we continue with our steps.

Try a different tool to uninstall AVG: http://www.avg.com/us-en/download-tools
 
Okay, here is the ComboFix log.
I got a lot more activity on the laptop that reeks of malware, including a message to save my files because Windows had an error and was rebooting shortly. It forced a reboot with no other warning or ability to override. I've found the machine rebooted several times in the last few days. This is the first time I've seen it actually do it...

ComboFix 11-03-04.04 - Dave 03/06/2011 10:41:24.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3038.1494 [GMT -6:00]
Running from: c:\users\Dave\Desktop\Combofix.exe
AV: Panda Cloud Antivirus *Disabled/Updated* {86971480-9989-6750-B122-681A86518D59}
SP: Panda Cloud Antivirus *Disabled/Updated* {3DF6F564-BFB3-68DE-8B92-5368FDD6C7E4}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-02-06 to 2011-03-06 )))))))))))))))))))))))))))))))
.
.
2011-03-06 16:51 . 2011-03-06 16:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-04 00:44 . 2011-03-04 00:44 -------- d-----w- C:\found.001
2011-03-02 21:03 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-02 21:03 . 2011-03-02 21:03 -------- d-----w- c:\programdata\Malwarebytes
2011-03-02 21:03 . 2011-03-02 21:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-02 21:03 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-01 13:37 . 2011-03-01 13:37 -------- d-----w- C:\found.000
2011-03-01 13:25 . 2011-03-01 13:25 -------- d-----r- C:\comment.htt
2011-03-01 05:43 . 2011-03-01 05:43 -------- d-----w- C:\Backreg
2011-03-01 04:15 . 2011-03-01 04:15 2 --shatr- c:\windows\winstart.bat
2011-03-01 04:15 . 2011-03-04 15:19 -------- d-----w- c:\program files\UnHackMe
2011-02-28 19:36 . 2011-03-06 15:29 -------- d-----w- c:\programdata\Panda Security URL Filtering
2011-02-28 19:36 . 2011-02-28 19:37 -------- d-----w- c:\program files\Panda Security
2011-02-28 19:36 . 2011-02-28 19:36 -------- d-----w- c:\programdata\Panda Security
2011-02-28 19:23 . 2011-02-28 19:24 -------- d-----w- C:\temp downloads
2011-02-28 18:06 . 2011-02-28 18:06 -------- d-----w- C:\$AVG
2011-02-28 04:22 . 2009-07-14 17:45 445008 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2011-02-28 04:22 . 2009-07-14 17:45 38480 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2011-02-28 04:17 . 2011-02-28 04:17 -------- d-----w- c:\program files\Windows Portable Devices
2011-02-28 03:29 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2011-02-28 03:29 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2011-02-28 03:29 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2011-02-28 03:29 . 2009-09-25 01:33 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2011-02-28 03:29 . 2009-09-25 02:10 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2011-02-28 03:29 . 2009-09-25 02:07 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2011-02-28 03:29 . 2009-09-25 02:04 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2011-02-28 03:29 . 2009-09-25 01:33 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2011-02-28 03:29 . 2009-09-25 01:32 252928 ----a-w- c:\windows\system32\dxdiag.exe
2011-02-28 03:27 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-02-28 03:27 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-02-28 03:27 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2011-02-28 03:27 . 2011-02-28 03:27 -------- d-----w- c:\programdata\NVIDIA Corporation
2011-02-28 03:24 . 2011-02-28 03:27 -------- d-----w- c:\program files\NVIDIA Corporation
2011-02-28 03:21 . 2011-02-28 03:21 -------- d-----w- c:\windows\system32\SRSLabs
2011-02-28 02:42 . 2010-05-04 19:13 231424 ----a-w- c:\windows\system32\msshsq.dll
2011-02-28 02:18 . 2011-02-28 02:18 -------- d--h--w- c:\programdata\Common Files
2011-02-28 02:18 . 2011-02-28 02:18 -------- d-----w- c:\program files\VideoLAN
2011-02-28 02:07 . 2011-02-28 02:26 -------- d-----w- c:\program files\Amazon
2011-02-28 00:43 . 2011-02-28 00:43 -------- d-----w- c:\windows\system32\ca-ES
2011-02-28 00:43 . 2011-02-28 00:43 -------- d-----w- c:\windows\system32\eu-ES
2011-02-28 00:43 . 2011-02-28 00:43 -------- d-----w- c:\windows\system32\vi-VN
2011-02-28 00:27 . 2011-02-28 00:27 -------- d-----w- c:\windows\system32\EventProviders
2011-02-27 23:03 . 2009-04-11 06:28 524288 ----a-w- c:\windows\system32\sqlsrv32.dll
2011-02-27 23:02 . 2009-04-11 06:28 33280 ----a-w- c:\windows\system32\wscapi.dll
2011-02-27 22:59 . 2009-11-08 16:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2011-02-27 22:59 . 2009-11-08 16:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2011-02-27 22:59 . 2009-11-08 16:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2011-02-27 22:59 . 2009-11-08 16:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2011-02-27 22:59 . 2009-11-08 16:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2011-02-27 22:45 . 2009-03-18 16:41 20648 ----a-w- c:\windows\system32\dopdfmn6.dll
2011-02-27 22:45 . 2009-03-18 16:41 18088 ----a-w- c:\windows\system32\dopdfmi6.dll
2011-02-27 22:45 . 2011-02-27 22:45 -------- d-----w- c:\program files\Softland
2011-02-27 22:42 . 2011-02-27 22:42 -------- d-----w- c:\program files\7-Zip
2011-02-27 18:10 . 2011-03-02 03:29 -------- d-----w- C:\system16
2011-02-27 17:17 . 2011-02-27 17:33 -------- d-----w- C:\_files
2011-02-27 17:14 . 2011-02-27 22:42 -------- d-----w- C:\Admin
2011-02-27 14:23 . 2011-02-27 14:23 -------- d-----w- c:\programdata\McAfee
2011-02-27 13:52 . 2011-02-27 13:52 -------- d-----w- c:\windows\system32\tr
2011-02-27 13:52 . 2011-02-27 13:52 -------- d-----w- c:\windows\system32\sv
2011-02-27 13:52 . 2011-02-27 13:52 -------- d-----w- c:\windows\system32\ru
2011-02-27 13:52 . 2011-02-27 13:52 -------- d-----w- c:\windows\system32\no
2011-02-27 13:52 . 2011-02-27 13:52 -------- d-----w- c:\windows\system32\da
2011-02-27 13:51 . 2011-02-27 13:51 -------- d-----w- c:\windows\system32\ko
2011-02-27 13:51 . 2011-02-27 13:51 -------- d-----w- c:\windows\system32\ja
2011-02-27 13:51 . 2011-02-27 13:51 -------- d-----w- c:\windows\system32\it
2011-02-27 13:51 . 2011-02-27 13:51 -------- d-----w- c:\windows\system32\fr
2011-02-27 13:51 . 2011-02-27 13:51 -------- d-----w- c:\windows\system32\es
2011-02-27 13:51 . 2011-02-27 13:51 -------- d-----w- c:\windows\system32\de
2011-02-27 13:51 . 2011-02-27 13:51 -------- d-----w- c:\windows\DPDrv
2011-02-27 13:48 . 2011-02-27 13:48 -------- d-----w- c:\programdata\Downloaded Installations
2011-02-27 13:47 . 2010-09-06 16:20 125952 ----a-w- c:\windows\system32\srvsvc.dll
2011-02-27 13:47 . 2010-09-06 16:19 17920 ----a-w- c:\windows\system32\netevent.dll
2011-02-27 13:47 . 2010-09-06 13:45 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-27 13:47 . 2010-09-06 13:45 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-02-27 13:47 . 2010-09-06 13:45 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-02-27 13:47 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2011-02-27 13:47 . 2009-08-24 11:36 377344 ----a-w- c:\windows\system32\winhttp.dll
2011-02-27 13:46 . 2010-05-27 20:08 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-02-27 13:41 . 2011-03-06 15:55 -------- d-----w- c:\users\Dave
2011-02-27 01:19 . 2008-05-27 04:59 18904 ----a-w- c:\windows\system32\StructuredQuerySchemaTrivial.bin
2011-02-27 01:17 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2011-02-27 01:17 . 2009-10-09 21:56 12800 ----a-w- c:\windows\system32\wsmprovhost.exe
2011-02-27 01:17 . 2009-10-09 21:56 20480 ----a-w- c:\windows\system32\winrshost.exe
2011-02-27 01:17 . 2009-10-09 21:56 40448 ----a-w- c:\windows\system32\winrs.exe
2011-02-27 01:15 . 2009-09-10 14:58 1418752 ----a-w- c:\program files\Windows Media Player\setup_wm.exe
2011-02-27 01:15 . 2009-09-10 14:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2011-02-27 01:15 . 2009-10-23 17:10 714240 ----a-w- c:\windows\system32\timedate.cpl
2011-02-27 01:14 . 2010-01-25 08:21 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2011-02-27 01:14 . 2010-01-25 08:21 518144 ----a-w- c:\windows\system32\RMActivate.exe
2011-02-27 01:14 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2011-02-27 01:14 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc.dll
2011-02-27 01:14 . 2010-01-25 11:58 332288 ----a-w- c:\windows\system32\msdrm.dll
2011-02-27 01:14 . 2010-01-25 08:21 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2011-02-27 01:14 . 2010-01-25 08:21 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2011-02-27 01:14 . 2010-01-25 12:00 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2011-02-27 01:14 . 2010-01-25 12:00 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2011-02-27 01:14 . 2010-08-26 16:34 1696256 ----a-w- c:\windows\system32\gameux.dll
2011-02-27 01:14 . 2010-08-26 16:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-02-27 01:14 . 2010-08-26 14:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-02-26 19:56 . 2010-10-19 04:27 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2011-02-26 19:32 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2011-02-26 19:32 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
2011-02-26 19:32 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2011-02-26 19:31 . 2011-02-26 19:31 -------- d-----w- c:\program files\MSXML 4.0
2011-02-26 19:27 . 2010-12-31 13:57 2039808 ----a-w- c:\windows\system32\win32k.sys
2011-02-26 19:27 . 2010-08-10 15:53 274944 ----a-w- c:\windows\system32\schannel.dll
2011-02-26 19:27 . 2010-01-29 15:40 1616384 ----a-w- c:\program files\Windows Mail\msoe.dll
2011-02-26 19:27 . 2010-04-05 17:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
2011-02-26 19:27 . 2010-04-16 16:46 502272 ----a-w- c:\windows\system32\usp10.dll
2011-02-26 19:27 . 2010-10-12 15:53 33280 ----a-w- c:\program files\Windows Mail\wabfind.dll
2011-02-26 19:27 . 2010-10-12 13:41 66048 ----a-w- c:\program files\Windows Mail\wabmig.exe
2011-02-26 19:27 . 2010-10-12 13:41 515584 ----a-w- c:\program files\Windows Mail\wab.exe
2011-02-26 19:27 . 2010-06-28 17:00 1316864 ----a-w- c:\windows\system32\ole32.dll
2011-02-26 19:27 . 2010-06-28 14:54 339968 ----a-w- c:\program files\Windows NT\Accessories\wordpad.exe
2011-02-26 19:24 . 2009-06-10 11:42 160256 ----a-w- c:\windows\system32\wkssvc.dll
2011-02-26 19:24 . 2010-08-17 14:11 128000 ----a-w- c:\windows\system32\spoolsv.exe
2011-02-26 19:24 . 2010-04-05 17:02 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
2011-02-26 19:22 . 2009-12-04 18:30 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2011-02-26 19:21 . 2009-10-07 11:36 243712 ----a-w- c:\windows\system32\rastls.dll
2011-02-26 19:18 . 2011-02-27 13:51 -------- d-----w- c:\program files\DigitalPersona
2011-02-26 19:18 . 2011-02-26 19:18 -------- d-----w- c:\programdata\Macrovision
2011-02-26 19:18 . 2011-02-23 15:35 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{95139AEA-7654-4BA4-98F6-0C35086B5942}\mpengine.dll
2011-02-26 19:18 . 2011-02-02 23:11 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-26 19:17 . 2011-02-26 19:17 -------- d-----w- c:\windows\system32\ENU
2011-02-26 19:17 . 2011-02-26 19:17 -------- d-----w- c:\windows\system32\Lang
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-17 00:39 . 2010-12-17 00:39 365888 ----a-w- c:\windows\system32\PSUNCpl.cpl
2010-12-17 00:10 . 2010-12-17 00:10 113736 ----a-w- c:\windows\system32\drivers\PSINProt.sys
2010-12-17 00:10 . 2010-12-17 00:10 111176 ----a-w- c:\windows\system32\drivers\PSINProc.sys
2010-12-17 00:10 . 2010-12-17 00:10 126536 ----a-w- c:\windows\system32\drivers\PSINKNC.sys
2010-12-17 00:10 . 2010-12-17 00:10 99400 ----a-w- c:\windows\system32\drivers\PSINFile.sys
2010-12-17 00:10 . 2010-12-17 00:10 141384 ----a-w- c:\windows\system32\drivers\PSINAflt.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}]
2010-12-19 14:46 86696 ----a-w- c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}"= "c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll" [2010-12-19 86696]
.
[HKEY_CLASSES_ROOT\clsid\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon]
@="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}"
[HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}]
2010-12-17 00:18 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon]
@="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}"
[HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}]
2010-12-17 00:18 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"DVDAgent"="c:\program files\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2008-07-24 1148200]
"TSMAgent"="c:\program files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2008-08-02 1144104]
"CLMLServer for HP TouchSmart"="c:\program files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2008-08-02 210216]
"TVAgent"="c:\program files\Hewlett-Packard\Media\TV\TVAgent.exe" [2008-07-24 468264]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"DpAgent"="c:\program files\DigitalPersona\Bin\dpagent.exe" [2009-12-01 842816]
"ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2010-12-31 378128]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-07-22 458844]
"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2010-12-17 423232]
"Panda Security URL Filtering"="c:\programdata\Panda Security URL Filtering\Panda_URL_Filtering.exe" [2010-12-19 223400]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-6-19 727592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
R3 Normandy;Normandy SR2; [x]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-12-31 51984]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-12-31 69392]
S1 PSINKNC;PSINKNC;c:\windows\system32\DRIVERS\psinknc.sys [2010-12-17 126536]
S2 {55662437-DA8C-40c0-AADA-2C816A897A49};{55662437-DA8C-40c0-AADA-2C816A897A49};c:\program files\Hewlett-Packard\Media\DVD\000.fcl [2008-07-24 59376]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_e2247046\aestsrv.exe [2009-03-03 81920]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2010-07-16 26168]
S2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [2010-12-17 140608]
S2 PSINAflt;PSINAflt;c:\windows\system32\DRIVERS\PSINAflt.sys [2010-12-17 141384]
S2 PSINFile;PSINFile;c:\windows\system32\DRIVERS\PSINFile.sys [2010-12-17 99400]
S2 PSINProc;PSINProc;c:\windows\system32\DRIVERS\PSINProc.sys [2010-12-17 111176]
S2 PSINProt;PSINProt;c:\windows\system32\DRIVERS\PSINProt.sys [2010-12-17 113736]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [2008-08-07 361808]
S2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service [x]
S2 vfsFPService;Validity Fingerprint Service;c:\windows\system32\vfsFPService.exe [2008-05-26 599344]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2008-04-28 54784]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2008-07-07 96856]
S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-06-26 44064]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-12-31 33552]
S3 vfs101x;vfs101x;c:\windows\system32\drivers\vfs101x.sys [2008-05-26 40752]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cnnb
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\Dave\AppData\Roaming\Mozilla\Firefox\Profiles\uqdpcows.default\
FF - prefs.js: browser.startup.homepage - www.google.com/mail
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=PCAFSI1143&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: DigitalPersona Extension: otis@digitalpersona.com - c:\program files\DigitalPersona\Bin\FirefoxExt
FF - Ext: Panda Identity Protect: widgetruntime@surfsecret.com - c:\program files\Panda Security\Panda ID Protect\Firefox
FF - Ext: DigitalPersona Extension: otis@digitalpersona.com - c:\program files\DigitalPersona\Bin\firefoxext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: AddonFox: {ad48108d-92a6-4eb9-87e4-978aca1dbae4} - %profile%\extensions\{ad48108d-92a6-4eb9-87e4-978aca1dbae4}
FF - Ext: Firefox Sync: {340c2bbc-ce74-4362-90b5-7c26312808ef} - %profile%\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}
FF - Ext: Panda Security Toolbar: {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - %profile%\extensions\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SynTPEnh - %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-hpqSRMon - (no file)
HKLM-Run-SmartMenu - %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-06 10:54
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ThreatFire]
"AlternateImagePath"=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
"ImagePath"="\??\c:\program files\Hewlett-Packard\Media\DVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(804)
c:\program files\ThreatFire\TFWAH.dll
.
- - - - - - - > 'lsass.exe'(760)
c:\program files\ThreatFire\TFWAH.dll
.
- - - - - - - > 'Explorer.exe'(3176)
c:\program files\ThreatFire\TfWah.dll
c:\windows\system32\dwmapi.dll
c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.DLL
c:\program files\Panda Security\Panda Cloud Antivirus\PSNCGP.dll
c:\program files\Panda Security\Panda Cloud Antivirus\PSNCIPC.dll
c:\windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4016_none_d0893820442e7fe4\MSVCP80.dll
c:\windows\ehome\ehSSO.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\WSCAPI.dll
c:\windows\System32\QAgent.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_e2247046\STacSV.exe
c:\windows\system32\rundll32.exe
c:\program files\DigitalPersona\Bin\DpHostW.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
c:\program files\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
c:\program files\Cyberlink\Shared files\RichVideo.exe
c:\program files\ThreatFire\TFService.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
.
**************************************************************************
.
Completion time: 2011-03-06 11:01:51 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-06 17:01
.
Pre-Run: 363,987,828,736 bytes free
Post-Run: 363,812,220,928 bytes free
.
- - End Of File - - 9C21F3B8673A97F0BAAAE2D83EE7AF84
 
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\winstart.bat


Folder::
C:\$AVG

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000


3. Save the above as CFScript.txt

4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScript.gif]



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
After using the remover tool on AVG I had to uninstall Pandascan. The tray icon wouldn't show up, which is how I know to temporarily disable it. When ComboFix ran I got the error "PEV.exe is corrupt". On reboot I got "PEVcfxxe is corrupt" with a message to run disk scan. I reinstalled Pandascan but not AVG.

So what's the next dagger I can throw?

Thanks--RR

ComboFix 11-03-04.04 - Dave 03/06/2011 13:16:05.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3038.1637 [GMT -6:00]
Running from: c:\users\Dave\Desktop\Combofix.exe
Command switches used :: c:\users\Dave\Desktop\cfscript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\windows\winstart.bat"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\$AVG
c:\$avg\$VAULT\V_00000001.fil
c:\$avg\$VAULT\vvfolder.idx
c:\windows\winstart.bat
.
.
((((((((((((((((((((((((( Files Created from 2011-02-06 to 2011-03-06 )))))))))))))))))))))))))))))))
.
.
2011-03-06 19:24 . 2011-03-06 19:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-05 23:20 . 2011-03-05 23:20 -------- d-----w- C:\found.002
2011-03-04 00:44 . 2011-03-04 00:44 -------- d-----w- C:\found.001
2011-03-02 21:03 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-02 21:03 . 2011-03-02 21:03 -------- d-----w- c:\programdata\Malwarebytes
2011-03-02 21:03 . 2011-03-02 21:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-02 21:03 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-01 13:37 . 2011-03-01 13:37 -------- d-----w- C:\found.000
2011-03-01 13:25 . 2011-03-01 13:25 -------- d-----r- C:\comment.htt
2011-03-01 05:43 . 2011-03-01 05:43 -------- d-----w- C:\Backreg
2011-03-01 04:15 . 2011-03-04 15:19 -------- d-----w- c:\program files\UnHackMe
2011-02-28 19:36 . 2011-03-06 19:08 -------- d-----w- c:\program files\Panda Security
2011-02-28 19:36 . 2011-02-28 19:36 -------- d-----w- c:\programdata\Panda Security
2011-02-28 19:23 . 2011-02-28 19:24 -------- d-----w- C:\temp downloads
2011-02-28 04:22 . 2009-07-14 17:45 445008 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2011-02-28 04:22 . 2009-07-14 17:45 38480 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2011-02-28 04:17 . 2011-02-28 04:17 -------- d-----w- c:\program files\Windows Portable Devices
2011-02-28 03:29 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2011-02-28 03:29 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2011-02-28 03:29 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2011-02-28 03:29 . 2009-09-25 01:33 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2011-02-28 03:29 . 2009-09-25 02:10 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2011-02-28 03:29 . 2009-09-25 02:07 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2011-02-28 03:29 . 2009-09-25 02:04 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2011-02-28 03:29 . 2009-09-25 01:33 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2011-02-28 03:29 . 2009-09-25 01:32 252928 ----a-w- c:\windows\system32\dxdiag.exe
2011-02-28 03:27 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-02-28 03:27 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-02-28 03:27 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2011-02-28 03:27 . 2011-02-28 03:27 -------- d-----w- c:\programdata\NVIDIA Corporation
2011-02-28 03:24 . 2011-02-28 03:27 -------- d-----w- c:\program files\NVIDIA Corporation
2011-02-28 03:21 . 2011-02-28 03:21 -------- d-----w- c:\windows\system32\SRSLabs
2011-02-28 02:42 . 2010-05-04 19:13 231424 ----a-w- c:\windows\system32\msshsq.dll
2011-02-28 02:18 . 2011-02-28 02:18 -------- d--h--w- c:\programdata\Common Files
2011-02-28 02:18 . 2011-02-28 02:18 -------- d-----w- c:\program files\VideoLAN
2011-02-28 02:07 . 2011-02-28 02:26 -------- d-----w- c:\program files\Amazon
2011-02-28 00:43 . 2011-02-28 00:43 -------- d-----w- c:\windows\system32\ca-ES
2011-02-28 00:43 . 2011-02-28 00:43 -------- d-----w- c:\windows\system32\eu-ES
2011-02-28 00:43 . 2011-02-28 00:43 -------- d-----w- c:\windows\system32\vi-VN
2011-02-28 00:27 . 2011-02-28 00:27 -------- d-----w- c:\windows\system32\EventProviders
2011-02-27 23:03 . 2009-04-11 06:28 524288 ----a-w- c:\windows\system32\sqlsrv32.dll
2011-02-27 23:02 . 2009-04-11 06:28 33280 ----a-w- c:\windows\system32\wscapi.dll
2011-02-27 22:59 . 2009-11-08 16:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2011-02-27 22:59 . 2009-11-08 16:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2011-02-27 22:59 . 2009-11-08 16:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2011-02-27 22:59 . 2009-11-08 16:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2011-02-27 22:59 . 2009-11-08 16:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2011-02-27 22:45 . 2009-03-18 16:41 20648 ----a-w- c:\windows\system32\dopdfmn6.dll
2011-02-27 22:45 . 2009-03-18 16:41 18088 ----a-w- c:\windows\system32\dopdfmi6.dll
2011-02-27 22:45 . 2011-02-27 22:45 -------- d-----w- c:\program files\Softland
2011-02-27 22:42 . 2011-02-27 22:42 -------- d-----w- c:\program files\7-Zip
2011-02-27 18:10 . 2011-03-02 03:29 -------- d-----w- C:\system16
2011-02-27 17:17 . 2011-02-27 17:33 -------- d-----w- C:\_files
2011-02-27 17:14 . 2011-02-27 22:42 -------- d-----w- C:\Admin
2011-02-27 14:23 . 2011-02-27 14:23 -------- d-----w- c:\programdata\McAfee
2011-02-27 13:52 . 2011-02-27 13:52 -------- d-----w- c:\windows\system32\tr
2011-02-27 13:52 . 2011-02-27 13:52 -------- d-----w- c:\windows\system32\sv
2011-02-27 13:52 . 2011-02-27 13:52 -------- d-----w- c:\windows\system32\ru
2011-02-27 13:52 . 2011-02-27 13:52 -------- d-----w- c:\windows\system32\no
2011-02-27 13:52 . 2011-02-27 13:52 -------- d-----w- c:\windows\system32\da
2011-02-27 13:51 . 2011-02-27 13:51 -------- d-----w- c:\windows\system32\ko
2011-02-27 13:51 . 2011-02-27 13:51 -------- d-----w- c:\windows\system32\ja
2011-02-27 13:51 . 2011-02-27 13:51 -------- d-----w- c:\windows\system32\it
2011-02-27 13:51 . 2011-02-27 13:51 -------- d-----w- c:\windows\system32\fr
2011-02-27 13:51 . 2011-02-27 13:51 -------- d-----w- c:\windows\system32\es
2011-02-27 13:51 . 2011-02-27 13:51 -------- d-----w- c:\windows\system32\de
2011-02-27 13:51 . 2011-02-27 13:51 -------- d-----w- c:\windows\DPDrv
2011-02-27 13:48 . 2011-02-27 13:48 -------- d-----w- c:\programdata\Downloaded Installations
2011-02-27 13:47 . 2010-09-06 16:20 125952 ----a-w- c:\windows\system32\srvsvc.dll
2011-02-27 13:47 . 2010-09-06 16:19 17920 ----a-w- c:\windows\system32\netevent.dll
2011-02-27 13:47 . 2010-09-06 13:45 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-27 13:47 . 2010-09-06 13:45 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-02-27 13:47 . 2010-09-06 13:45 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-02-27 13:47 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2011-02-27 13:47 . 2009-08-24 11:36 377344 ----a-w- c:\windows\system32\winhttp.dll
2011-02-27 13:46 . 2010-05-27 20:08 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-02-27 13:41 . 2011-03-06 15:55 -------- d-----w- c:\users\Dave
2011-02-27 01:19 . 2008-05-27 04:59 18904 ----a-w- c:\windows\system32\StructuredQuerySchemaTrivial.bin
2011-02-27 01:17 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2011-02-27 01:17 . 2009-10-09 21:56 12800 ----a-w- c:\windows\system32\wsmprovhost.exe
2011-02-27 01:17 . 2009-10-09 21:56 20480 ----a-w- c:\windows\system32\winrshost.exe
2011-02-27 01:17 . 2009-10-09 21:56 40448 ----a-w- c:\windows\system32\winrs.exe
2011-02-27 01:15 . 2009-09-10 14:58 1418752 ----a-w- c:\program files\Windows Media Player\setup_wm.exe
2011-02-27 01:15 . 2009-09-10 14:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2011-02-27 01:15 . 2009-10-23 17:10 714240 ----a-w- c:\windows\system32\timedate.cpl
2011-02-27 01:14 . 2010-01-25 08:21 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2011-02-27 01:14 . 2010-01-25 08:21 518144 ----a-w- c:\windows\system32\RMActivate.exe
2011-02-27 01:14 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2011-02-27 01:14 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc.dll
2011-02-27 01:14 . 2010-01-25 11:58 332288 ----a-w- c:\windows\system32\msdrm.dll
2011-02-27 01:14 . 2010-01-25 08:21 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2011-02-27 01:14 . 2010-01-25 08:21 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2011-02-27 01:14 . 2010-01-25 12:00 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2011-02-27 01:14 . 2010-01-25 12:00 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2011-02-27 01:14 . 2010-08-26 16:34 1696256 ----a-w- c:\windows\system32\gameux.dll
2011-02-27 01:14 . 2010-08-26 16:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-02-27 01:14 . 2010-08-26 14:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-02-26 19:56 . 2010-10-19 04:27 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2011-02-26 19:32 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2011-02-26 19:32 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
2011-02-26 19:32 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2011-02-26 19:31 . 2011-02-26 19:31 -------- d-----w- c:\program files\MSXML 4.0
2011-02-26 19:27 . 2010-12-31 13:57 2039808 ----a-w- c:\windows\system32\win32k.sys
2011-02-26 19:27 . 2010-08-10 15:53 274944 ----a-w- c:\windows\system32\schannel.dll
2011-02-26 19:27 . 2010-01-29 15:40 1616384 ----a-w- c:\program files\Windows Mail\msoe.dll
2011-02-26 19:27 . 2010-04-05 17:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
2011-02-26 19:27 . 2010-04-16 16:46 502272 ----a-w- c:\windows\system32\usp10.dll
2011-02-26 19:27 . 2010-10-12 15:53 33280 ----a-w- c:\program files\Windows Mail\wabfind.dll
2011-02-26 19:27 . 2010-10-12 13:41 66048 ----a-w- c:\program files\Windows Mail\wabmig.exe
2011-02-26 19:27 . 2010-10-12 13:41 515584 ----a-w- c:\program files\Windows Mail\wab.exe
2011-02-26 19:27 . 2010-06-28 17:00 1316864 ----a-w- c:\windows\system32\ole32.dll
2011-02-26 19:27 . 2010-06-28 14:54 339968 ----a-w- c:\program files\Windows NT\Accessories\wordpad.exe
2011-02-26 19:24 . 2009-06-10 11:42 160256 ----a-w- c:\windows\system32\wkssvc.dll
2011-02-26 19:24 . 2010-08-17 14:11 128000 ----a-w- c:\windows\system32\spoolsv.exe
2011-02-26 19:24 . 2010-04-05 17:02 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
2011-02-26 19:22 . 2009-12-04 18:30 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2011-02-26 19:21 . 2009-10-07 11:36 243712 ----a-w- c:\windows\system32\rastls.dll
2011-02-26 19:18 . 2011-02-27 13:51 -------- d-----w- c:\program files\DigitalPersona
2011-02-26 19:18 . 2011-02-26 19:18 -------- d-----w- c:\programdata\Macrovision
2011-02-26 19:18 . 2011-02-23 15:35 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{95139AEA-7654-4BA4-98F6-0C35086B5942}\mpengine.dll
2011-02-26 19:18 . 2011-02-02 23:11 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-26 19:17 . 2011-02-26 19:17 -------- d-----w- c:\windows\system32\ENU
2011-02-26 19:17 . 2011-02-26 19:17 -------- d-----w- c:\windows\system32\Lang
2011-02-26 19:17 . 2008-04-18 21:29 1034776 ----a-w- c:\windows\system32\imsmudlg.exe
2011-02-26 19:17 . 2006-11-10 17:25 319456 ----a-w- c:\windows\system32\difxapi.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
------- Sigcheck -------
.
[7] 2010-06-28 . 7C6F74A11FCF5745B36CB8085B7DE3FB . 1316864 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.0.6002.22433_none_ae70528d08aae434\ole32.dll
[-] 2010-06-28 . 9586E7CB2255A8B097A7E4538202585E . 1316864 . . [6.0.6000.16386] . . c:\windows\ERDNT\cache\ole32.dll
[-] 2010-06-28 . 9586E7CB2255A8B097A7E4538202585E . 1316864 . . [6.0.6000.16386] . . c:\windows\System32\ole32.dll
[-] 2010-06-28 . 9586E7CB2255A8B097A7E4538202585E . 1316864 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.0.6002.18277_none_adbf7553efaa1c63\ole32.dll
[7] 2010-06-28 . 64A319477AF21806B8A17E8A3A3FF8BC . 1315840 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.0.6001.22720_none_ac91afb30b7f271a\ole32.dll
[7] 2010-06-28 . AA406846DD60E3A4536DBAAB4037B685 . 1315840 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.0.6001.18498_none_abc461f7f2931b51\ole32.dll
[-] 2009-04-11 . C50A0AB19094BC362FBA69E105EBCCFD . 1316864 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.0.6002.18005_none_ae092067ef732bd0\ole32.dll
[-] 2008-01-21 . 3B634E4BE373D6D987EBF906B43FAAB3 . 1315328 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.0.6001.18000_none_ac1da75bf2516084\ole32.dll
.
[-] 2006-11-02 . 7F15B4953378C8B5161D65C26D5FED4D . 11776 . . [6.0.6000.16386] . . c:\windows\ERDNT\cache\cngaudit.dll
[-] 2006-11-02 . 7F15B4953378C8B5161D65C26D5FED4D . 11776 . . [6.0.6000.16386] . . c:\windows\System32\cngaudit.dll
[-] 2006-11-02 . 7F15B4953378C8B5161D65C26D5FED4D . 11776 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll
.
[-] 2009-04-11 . 84B8827562B005C118CADBA0F25DB2C6 . 444416 . . [6.0.6000.16386] . . c:\windows\ERDNT\cache\dsound.dll
[-] 2009-04-11 . 84B8827562B005C118CADBA0F25DB2C6 . 444416 . . [6.0.6000.16386] . . c:\windows\System32\dsound.dll
[-] 2009-04-11 . 84B8827562B005C118CADBA0F25DB2C6 . 444416 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-audio-dsound_31bf3856ad364e35_6.0.6002.18005_none_5a8737643f04aa4c\dsound.dll
[7] 2008-01-21 . 8A7B8DA5CA558D2DE47086BB23556543 . 444416 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-audio-dsound_31bf3856ad364e35_6.0.6001.18000_none_589bbe5841e2df00\dsound.dll
.
[-] 2009-04-11 . 8AAEEE8E59A70F37579993D118A34EE0 . 1788416 . . [6.0.6002.18005] . . c:\windows\ERDNT\cache\d3d9.dll
[-] 2009-04-11 . 8AAEEE8E59A70F37579993D118A34EE0 . 1788416 . . [6.0.6002.18005] . . c:\windows\System32\d3d9.dll
[-] 2009-04-11 . 8AAEEE8E59A70F37579993D118A34EE0 . 1788416 . . [6.0.6002.18005] . . c:\windows\winsxs\x86_microsoft-windows-directx-direct3d9_31bf3856ad364e35_6.0.6002.18005_none_c438e5b15de80145\d3d9.dll
[7] 2008-01-21 . FAB8F08EC64A54917C07BDB6DC811C95 . 1788928 . . [6.0.6001.18000] . . c:\windows\winsxs\x86_microsoft-windows-directx-direct3d9_31bf3856ad364e35_6.0.6001.18000_none_c24d6ca560c635f9\d3d9.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"DVDAgent"="c:\program files\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2008-07-24 1148200]
"TSMAgent"="c:\program files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2008-08-02 1144104]
"CLMLServer for HP TouchSmart"="c:\program files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2008-08-02 210216]
"TVAgent"="c:\program files\Hewlett-Packard\Media\TV\TVAgent.exe" [2008-07-24 468264]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"DpAgent"="c:\program files\DigitalPersona\Bin\dpagent.exe" [2009-12-01 842816]
"ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2010-12-31 378128]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-07-22 458844]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-6-19 727592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R3 Normandy;Normandy SR2; [x]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-12-31 51984]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-12-31 69392]
S2 {55662437-DA8C-40c0-AADA-2C816A897A49};{55662437-DA8C-40c0-AADA-2C816A897A49};c:\program files\Hewlett-Packard\Media\DVD\000.fcl [2008-07-24 59376]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_e2247046\aestsrv.exe [2009-03-03 81920]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2010-07-16 26168]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [2008-08-07 361808]
S2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service [x]
S2 vfsFPService;Validity Fingerprint Service;c:\windows\system32\vfsFPService.exe [2008-05-26 599344]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2008-04-28 54784]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2008-07-07 96856]
S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-06-26 44064]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-12-31 33552]
S3 vfs101x;vfs101x;c:\windows\system32\drivers\vfs101x.sys [2008-05-26 40752]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cnnb
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\Dave\AppData\Roaming\Mozilla\Firefox\Profiles\uqdpcows.default\
FF - prefs.js: browser.startup.homepage - www.google.com/mail
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=PCAFSI1143&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: DigitalPersona Extension: otis@digitalpersona.com - c:\program files\DigitalPersona\Bin\FirefoxExt
FF - Ext: DigitalPersona Extension: otis@digitalpersona.com - c:\program files\DigitalPersona\Bin\firefoxext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: AddonFox: {ad48108d-92a6-4eb9-87e4-978aca1dbae4} - %profile%\extensions\{ad48108d-92a6-4eb9-87e4-978aca1dbae4}
FF - Ext: Firefox Sync: {340c2bbc-ce74-4362-90b5-7c26312808ef} - %profile%\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-06 13:25
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ThreatFire]
"AlternateImagePath"=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
"ImagePath"="\??\c:\program files\Hewlett-Packard\Media\DVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(684)
c:\program files\ThreatFire\TFWAH.dll
.
- - - - - - - > 'lsass.exe'(636)
c:\program files\ThreatFire\TFWAH.dll
.
Completion time: 2011-03-06 13:29:08
ComboFix-quarantined-files.txt 2011-03-06 19:29
ComboFix2.txt 2011-03-06 17:01
.
Pre-Run: 360,961,716,224 bytes free
Post-Run: 364,076,130,304 bytes free
.
- - End Of File - - B15093FB459EDDBA89F51EABCAF6AA8D
 
I was not able to get Avira to scan. It didn't seem to ever get going. I've spent too much time on this drive so I'm pulling off any files I might need and want to scan that partition when connected to another machine as a non-boot drive.

Can someone tell me what tools will work best at detecting a rootkit installed on a non-boot drive?

I'm debating whether to go through the HP recovery process or format the laptop C partition from the desktop and restore an image from well before the infection using Seagate's tool diskwizard (Acronis powered...)

I'd like to start it off shortly to have a working laptop before the work week cranks up.

Thanks for the help and any more guidance to killing this thing.
 