
Google redirect on Firefox [Solved]



#31
Perplexus

    Lord of the Geeks

  • Malware Removal
  • 1,185 posts
Ok, we're going to do a little maintenance, check out a couple of files and do another MBAM scan.

------------------
Step 1:
------------------

Please submit the following files to VirScan.org

  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box at the top of the page:
    • c:\windows\system32\ntoskrnl.exe
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
If the VirScan.org server is too busy, please submit the file to VirusTotal instead.

Repeat the above for the following file(s):

c:\windows\system32\ntkrnlpa.exe

------------------
Step 2:
------------------

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    
    :Files
    C:\Documents and Settings\HP_Administrator.STEPH\Ÿ9Ÿ9
    C:\Documents and Settings\HP_Administrator.STEPH\Ÿ;Ÿ;
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

------------------
Step 3:
------------------

Run Malwarebytes' Anti-Malware
  • Select the Update tab and then click Check for Updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select the Scanner tab and "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

------------------
Step 4:
------------------

Please post back with the following:
  • How your machine is running
  • Virscan reports
  • MBAM log



#32
cronemage

    Member

  • Topic Starter
  • 20 posts
I feel stupid, but I can't find the clipboard to copy the stuff to you. The scans didn't show anything. Here's the other two logs.

All processes killed
========== OTL ==========
No active process named explorer.exe was found!
========== FILES ==========
C:\Documents and Settings\HP_Administrator.STEPH\Ÿ9Ÿ9 moved successfully.
C:\Documents and Settings\HP_Administrator.STEPH\Ÿ;Ÿ; moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Documents and Settings

User: HP_Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes

User: HP_Administrator.STEPH
->Temp folder emptied: 41294 bytes
->Temporary Internet Files folder emptied: 295113 bytes
->Java cache emptied: 11563076 bytes
->FireFox cache emptied: 54019799 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes

User: MCX1
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: MCX2
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 19084 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 67 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 62.92 mb


OTL by OldTimer - Version 3.1.11.6 log created on 12102009_125419

Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_274.dat not found!

Registry entries deleted on Reboot...


Malwarebytes' Anti-Malware 1.42
Database version: 3340
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/10/2009 1:08:47 PM
mbam-log-2009-12-10 (13-08-47).txt

Scan type: Quick Scan
Objects scanned: 143507
Time elapsed: 8 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#33
Perplexus

    Lord of the Geeks

  • Malware Removal
  • 1,185 posts
No problem on the files report; as long as they came back clean, we're good :)

Things are looking much better! Let's get an online scan to flush out any orphans :)

------------------
Step 1:
------------------

Please download JavaRa to your desktop and unzip it to its own folder.
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.


------------------
Step 2:
------------------

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner.

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.

    [image: the Kaspersky "Save report" dialog]

  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt, saving it to your desktop so that you may post it in your next reply.

------------------
Step 3:
------------------

Please post back with the following:
  • How your machine is running
  • KasReport.txt

Edited by Perplexus, 10 December 2009 - 01:19 PM.


#34
cronemage

    Member

  • Topic Starter
  • 20 posts
The computer seems to be running fine. Here's the report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, December 11, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, December 11, 2009 00:49:42
Records in database: 3354801
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Objects scanned: 192011
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 04:39:07


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Infected: Rootkit.Win32.TDSS.y 1

Selected area has been scanned.
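As an added example (not part of the thread or of Kaspersky's tooling), a small parser for the report format posted above that separates hits sitting inside a cleanup tool's quarantine folder, like the atapi.sys.vir entry, from files still in place. The sample report is constructed in the same layout, with a second, invented hit line so both outcomes are exercised; the quarantine prefixes are the ComboFix (Qoobox) and OTL (_OTL) folders seen in this thread.

```python
"""Classify the hit table of a Kaspersky Online Scanner 7 report, separating
hits that sit inside a cleanup tool's quarantine from files still in place."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the layout of the report posted above. The second hit
# line is invented so that the "still in place" branch is exercised; the first
# is the real entry from the thread.
SAMPLE_REPORT = """\
Scan statistics:
Objects scanned: 192011
Threats found: 2
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 04:39:07


File name / Threat / Threats count
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\drivers\\atapi.sys.vir Infected: Rootkit.Win32.TDSS.y 1
C:\\WINDOWS\\system32\\drivers\\atapi.sys Infected: Rootkit.Win32.TDSS.y 1

Selected area has been scanned.
"""

# Folders where the tools used in this thread park the files they remove
# (ComboFix's Qoobox and OTL's _OTL). A hit under one of these is a copy of
# something already taken out of service, not an active infection.
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\", "c:\\_otl\\")

HIT_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<status>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)$"
)
STAT_RE = re.compile(r"^(?P<key>[A-Za-z ]+?):\s+(?P<value>\d+)$")


@dataclass(frozen=True)
class Hit:
    path: str
    status: str        # "Infected" or "Suspicious"
    threat: str        # detection name, e.g. Rootkit.Win32.TDSS.y
    count: int
    quarantined: bool


def is_quarantined(path: str) -> bool:
    """True when the path lies under a known quarantine folder (case-insensitive)."""
    p = path.lower()
    return any(p.startswith(prefix) for prefix in QUARANTINE_PREFIXES)


def parse_report(report: str) -> tuple[dict[str, int], list[Hit]]:
    """Return the numeric lines of the statistics block and the parsed hit table."""
    stats: dict[str, int] = {}
    hits: list[Hit] = []
    in_table = False
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("File name / Threat / Threats count"):
            in_table = True
            continue
        if in_table:
            m = HIT_RE.match(line)
            if m is None:           # trailer such as "Selected area has been scanned."
                in_table = False
                continue
            hits.append(Hit(m["path"], m["status"], m["threat"], int(m["count"]),
                            is_quarantined(m["path"])))
        else:
            m = STAT_RE.match(line)
            if m is not None:
                stats[m["key"]] = int(m["value"])
    return stats, hits


def triage(report: str) -> dict:
    """Split hits into live and quarantined, and check the table against the totals;
    a disagreement usually means the pasted report was truncated."""
    stats, hits = parse_report(report)
    expected = stats.get("Infected objects found", 0) + stats.get("Suspicious objects found", 0)
    return {
        "live": [h for h in hits if not h.quarantined],
        "quarantined": [h for h in hits if h.quarantined],
        "consistent": expected == len(hits),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for h in result["quarantined"]:
        print(f"already quarantined: {h.path} ({h.threat})")
    for h in result["live"]:
        print(f"STILL IN PLACE:      {h.path} ({h.threat})")
    print("table agrees with totals:", result["consistent"])
```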

#35
Perplexus

    Lord of the Geeks

  • Malware Removal
  • 1,185 posts
That looks excellent! We just have a couple more files we need to take care of.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quote box below into it:

KillAll::

FCopy::
c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe | c:\windows\system32\ntoskrnl.exe
c:\windows\system32\dllcache\ntkrnlpa.exe | c:\windows\system32\ntkrnlpa.exe

Save this as CFScript.txt, in the same location as ComboFix.exe.


[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
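As an added example (not a tool from the thread), the check that the FCopy step above implicitly relies on, done explicitly: hash each in-use kernel file against the cached copy it would be restored from, so a file patched in place shows up even though its name, location and size are unchanged. The first two pairs are the ones in the CFScript; pairing atapi.sys with its dllcache copy is an assumption, and the temp tree with its byte contents is constructed so the code runs offline.

```python
"""Compare in-use Windows kernel files and drivers with known-good cached
copies by SHA-256, the same pairing the CFScript above restores from."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# (file in use, known-good source) relative to the drive root, written with
# forward slashes so the same code walks a scratch tree on any OS. The first
# two pairs come from the CFScript; the atapi.sys/dllcache pairing is an
# assumption about where a clean copy of the driver lives.
PAIRS = [
    ("windows/system32/ntoskrnl.exe", "windows/$hf_mig$/KB956572/SP3QFE/ntoskrnl.exe"),
    ("windows/system32/ntkrnlpa.exe", "windows/system32/dllcache/ntkrnlpa.exe"),
    ("windows/system32/drivers/atapi.sys", "windows/system32/dllcache/atapi.sys"),
]


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large kernel images are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_pairs(root: Path, pairs) -> dict[str, str]:
    """Map each in-use file to 'match', 'mismatch', 'missing-live' or
    'missing-reference'. Size is deliberately not consulted: a driver patched
    in place keeps its size, so only the digest reveals the change."""
    verdicts: dict[str, str] = {}
    for live, reference in pairs:
        live_p = root.joinpath(*live.split("/"))
        ref_p = root.joinpath(*reference.split("/"))
        if not live_p.is_file():
            verdicts[live] = "missing-live"
        elif not ref_p.is_file():
            verdicts[live] = "missing-reference"
        elif sha256_of(live_p) == sha256_of(ref_p):
            verdicts[live] = "match"
        else:
            verdicts[live] = "mismatch"
    return verdicts


def build_sample_tree() -> Path:
    """Constructed stand-in for C:\\ : the two kernel files agree with their
    cached copies; atapi.sys has the same size as its copy but different bytes."""
    root = Path(tempfile.mkdtemp(prefix="drive_c_"))
    clean_kernel = b"MZ" + b"\x00" * 510      # placeholder bytes, not real PE images
    clean_pa = b"MZ" + b"\x01" * 510
    clean_atapi = b"MZ" + b"\x02" * 510
    # same length, two bytes changed: what an in-place patch looks like on disk
    patched_atapi = clean_atapi[:100] + b"\xff\xff" + clean_atapi[102:]
    contents = {
        PAIRS[0][0]: clean_kernel, PAIRS[0][1]: clean_kernel,
        PAIRS[1][0]: clean_pa, PAIRS[1][1]: clean_pa,
        PAIRS[2][0]: patched_atapi, PAIRS[2][1]: clean_atapi,
    }
    for rel, data in contents.items():
        p = root.joinpath(*rel.split("/"))
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for live, verdict in compare_pairs(root, PAIRS).items():
        print(f"{verdict:18} {live}")
```

On a machine where a kernel-mode rootkit such as TDSS is still active, a user-mode read of the driver can be served the clean bytes, so run a check like this from clean boot media or against an offline copy of the disk. It also only proves that two copies agree, not that either is authentic, which is what the VirScan/VirusTotal submissions earlier in the thread are for.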

#36
cronemage

    Member

  • Topic Starter
  • 20 posts
Here's the log:

ComboFix 09-12-09.04 - HP_Administrator 12/11/2009 6:47.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.581 [GMT -6:00]
Running from: c:\documents and settings\HP_Administrator.STEPH\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator.STEPH\Desktop\cfscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe --> c:\windows\system32\ntoskrnl.exe
c:\windows\system32\dllcache\ntkrnlpa.exe --> c:\windows\system32\ntkrnlpa.exe
.

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2005-10-20 18432]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
PhraseExpress.lnk - c:\program files\PhraseExpress\phraseexpress.exe [2009-3-8 3794256]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-28 04:00 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\PhraseExpress\\phraseexpress.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/27/2009 10:00 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/27/2009 10:00 PM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/27/2009 10:00 PM 285392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
QWAVE REG_MULTI_SZ QWAVE
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\HP_Administrator.STEPH\Application Data\Mozilla\Firefox\Profiles\w2qpsr3m.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\documents and settings\HP_Administrator.STEPH\Application Data\Mozilla\Firefox\Profiles\w2qpsr3m.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-11 07:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3736)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\arservice.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\ehome\RMSvc.exe
c:\windows\ehome\McrdSvc.exe
c:\windows\ARPWRMSG.EXE
c:\windows\SOUNDMAN.EXE
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2009-12-11 07:05:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-11 13:05
ComboFix2.txt 2009-12-10 15:20
ComboFix3.txt 2009-12-09 18:24

Pre-Run: 154,359,484,416 bytes free
Post-Run: 154,320,252,928 bytes free

- - End Of File - - 152CBDC2E2CCB797821C85C73CBF97B5
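The helper above judges the log clean by reading the "Reg Loading Points" section by eye. As an added example, not part of the thread and not ComboFix's own code, here is a small Python parser for that section that pulls out every Run value and applies the checks a reviewer makes while reading: entries where ComboFix printed [X] instead of a date and size, entries that name a bare executable with no directory, and entries that start from a user-profile directory. The sample input copies lines from the log above plus one constructed "Updater" line; the flag wording and the USER_DIRS list are my own assumptions, not ComboFix's.

```python
import re

# Sample input in the shape of ComboFix's "Reg Loading Points" section.
# All but the last line are copied from the log above; the "Updater" line is
# constructed for this example so the user-profile check has something to match.
SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe -atboottime" [X]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 86016]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-28 2020120]
"Updater"="c:\documents and settings\user\Application Data\updater.exe" [2009-12-01 12345]
"""

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
# value name, command line, then either [X] or [YYYY-MM-DD size]
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)" \[(X|\d{4}-\d{2}-\d{2} \d+)\]$')
# assumed list of user-writable locations worth a second look
USER_DIRS = ("c:\\documents and settings\\", "\\application data\\", "\\temp\\")

def triage(command, stamp):
    """The checks a reviewer applies by eye to each Run entry."""
    flags = []
    if stamp == "X":
        flags.append("no date/size recorded ([X]): check whether the target exists")
    if "\\" not in command:
        flags.append("bare filename: resolved by PATH search, easy to shadow")
    if any(d in command.lower() for d in USER_DIRS):
        flags.append("runs from a user-writable profile directory")
    return flags

def parse_loading_points(text):
    """Return one dict per value line found under a [HKEY_...] key."""
    entries, key = [], None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, command, stamp = m.groups()
            entries.append({"key": key, "name": name, "command": command,
                            "stamp": stamp, "flags": triage(command, stamp)})
    return entries

def suspicious(text):
    return [e for e in parse_loading_points(text) if e["flags"]]
```

A flag is a prompt to look closer, not a verdict: in the log above both [X] entries and the bare-filename OEM entries are harmless leftovers, which is exactly what a reviewer confirms before declaring a log clean.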

#37
Perplexus
    Lord of the Geeks
  • Malware Removal
  • 1,185 posts
Well done! Your log appears clean! :)

------------------
Step 1:
------------------

We're almost done. We need to do some clean up and get you on your way.

Follow these steps to uninstall Combofix
  • Click START then RUN
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /U; it needs to be there.
(This will remove all restore points to rid your machine of saved infected files and create a new restore point)

------------------
Step 2:
------------------

We need to remove all the tools that you have used. This is so that should you ever be re-infected, you will download updated versions.

  • Run OTL.exe
  • Click the Clean Up button in top right corner.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
Now delete any logs that you have left over on your desktop.


------------------
Step 3:
------------------

Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
Note: It is a good idea to run TFC to clear out all your temp files every now and again. This helps to keep your computer running more efficiently. It also can assist in getting rid of files that may contain malicious code that could re-infect your computer.


------------------
Step 4:
------------------

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Windows Updates are constantly being revised to combat the newest hacks and threats. Microsoft releases security updates that help keep your computer from becoming vulnerable.

Please go to Microsoft's Windows Update and download all the critical updates to help prevent possible re-infection.

It is best if you have these set to download automatically.

Automatic Updates for Windows
  • Click Start.
  • Select Settings and then Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the internet.
  • Click Apply then OK.

---------------------------------------------------------------------------------------------

This is a good time to set up protection against further attacks. Read our How Did I Get Infected In The First Place?. You need an antivirus that is continually updated, a good firewall, a spyware blocker, and a real time spyware program to prevent malware intrusions. Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

---------------------------------------------------------------------------------------------

Anti Spyware

Anti Spyware helps to eliminate certain types of infections. I would recommend getting these and running the scans at least twice a month. Also a real-time protector is beneficial to stop infections before they start. SpywareGuard is an excellent choice here.
  • SUPERAntiSpyware is a powerful tool that can eliminate nasties that make it onto your machine.
  • SpywareBlaster to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard to catch and block spyware before it can execute. A tutorial can be found here.
Note: If you find your system slows down after installing any of these, just uninstall it, or disable it from running at startup.

---------------------------------------------------------------------------------------------

Safer Web Browser

Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are some good free alternatives:
All are faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these.

If you choose Firefox, here are a couple of addons that I recommend:
  • NoScript - for blocking ads and other potential website attacks
  • McAfee SiteAdvisor - this tells you whether the sites you are about to visit are safe or not. A must have if you do a lot of Google searches.

---------------------------------------------------------------------------------------------

Other Recommendations

FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. It's important to keep programs up to date so that malware doesn't exploit any old security flaws.

Take Care and Happy Surfing! :)

#38
cronemage
    Member
  • Topic Starter
  • 20 posts
Thank you, thank you, thank you! I've installed all the recommended protections you recommended as well. Hopefully this won't happen again :)

Have a wonderful holiday!

Steph

#39
Perplexus
    Lord of the Geeks
  • Malware Removal
  • 1,185 posts
You are most welcome :) Happy Holidays! :)

#40
Perplexus
    Lord of the Geeks
  • Malware Removal
  • 1,185 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.