AV and MBAM disabled by unknown while on-line
#1
radon
Using PC with dial-up internet, did not knowingly visit bad sites. Noticed my Avira free AV was disabled. Tried to open and restart, it failed. Tried to scan with MBAM; it was disabled. Had Ashampoo FW operating, which did not seem to be affected. Uninstalled Avira and MBAM, re-loaded both, both were disabled as soon as I tried to run scan. Removed both as well as Ashampoo FW, loaded new version of Avast free. Started scan; it was disabled (all shields closed). MS FW cannot be activated.

Asked for help on BleepComputers, ran DDS, GMER, Minitool Box, killX, and scans reviewed by forum advisor. Asked to run tdsskiller. I did and lost internet connection ability. Cannot open ISP interface (Juno) to log on. Was told to move problem to another section and ask for help. No replies.

Here is result of OTL scan. Would appreciate any help. Thank you (posting from laptop)
OTL logfile created on: 8/4/2011 5:04:22 PM - Run 3
OTL by OldTimer - Version 3.2.26.1 Folder = L:\
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

958.48 Mb Total Physical Memory | 444.08 Mb Available Physical Memory | 46.33% Memory free
2.26 Gb Paging File | 1.90 Gb Available in Paging File | 84.28% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 224.41 Gb Total Space | 197.39 Gb Free Space | 87.96% Space Free | Partition Type: NTFS
Drive D: | 8.45 Gb Total Space | 0.51 Gb Free Space | 6.01% Space Free | Partition Type: FAT32
Drive L: | 1.91 Gb Total Space | 1.61 Gb Free Space | 84.57% Space Free | Partition Type: FAT

Computer Name: BLITZEN-15 | User Name: HP_Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/08/04 16:54:40 | 000,579,584 | ---- | M] (OldTimer Tools) -- L:\OTL.exe
PRC - [2011/07/04 04:43:54 | 003,493,720 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/03/07 00:02:15 | 000,036,903 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
PRC - [2005/11/11 14:11:12 | 000,237,568 | ---- | M] (Digital Interactive Systems Corporation, Inc.) -- C:\Program Files\DISC\DiscGui.exe
PRC - [2005/11/11 14:10:00 | 000,061,440 | ---- | M] (Digital Interactive Systems Corporation, Inc.) -- C:\Program Files\DISC\DISCUpdateMgr.exe
PRC - [2005/11/01 03:01:00 | 000,090,112 | ---- | M] (Sonic Solutions) -- C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
PRC - [2005/08/02 17:19:16 | 000,058,880 | ---- | M] (Microsoft) -- C:\WINDOWS\arservice.exe


========== Modules (SafeList) ==========

MOD - [2011/08/04 16:54:40 | 000,579,584 | ---- | M] (OldTimer Tools) -- L:\OTL.exe
MOD - [2011/07/04 04:43:51 | 000,199,792 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\snxhk.dll
MOD - [2010/08/23 09:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2006/03/07 00:02:13 | 000,024,613 | ---- | M] (BackWeb) -- C:\Documents and Settings\HP_Administrator\Local Settings\Temp\IadHide5.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/07/04 04:43:51 | 000,042,184 | ---- | M] () [Auto | Stopped] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2005/08/02 17:19:16 | 000,058,880 | ---- | M] (Microsoft) [Auto | Running] -- C:\WINDOWS\arservice.exe -- (ARSVC)


========== Driver Services (SafeList) ==========

DRV - [2011/07/31 22:29:52 | 000,150,528 | ---- | M] () [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\ipsec.sys -- (IPSec)
DRV - [2011/07/31 22:28:51 | 000,325,632 | ---- | M] () [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\netbt.sys -- (NetBT)
DRV - [2011/07/31 22:27:46 | 000,912,640 | ---- | M] () [File_System | System | Stopped] -- C:\WINDOWS\system32\drivers\mrxsmb.sys -- (MRxSmb)
DRV - [2011/07/31 22:26:37 | 000,276,992 | ---- | M] () [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\afd.sys -- (AFD)
DRV - [2011/07/31 22:23:20 | 000,115,200 | ---- | M] () [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\redbook.sys -- (redbook)
DRV - [2011/07/04 04:36:43 | 000,441,176 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011/07/04 04:36:32 | 000,309,848 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011/07/04 04:35:23 | 000,043,608 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011/07/04 04:35:12 | 000,102,616 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2011/07/04 04:32:32 | 000,025,432 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011/07/04 04:32:13 | 000,030,808 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2011/07/04 04:32:12 | 000,019,544 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009/11/13 15:57:16 | 000,062,592 | ---- | M] () [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\cdrom.sys -- (Cdrom)
DRV - [2008/04/13 11:45:34 | 000,046,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\irbus.sys -- (IrBus)
DRV - [2005/12/12 17:27:00 | 000,019,072 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2)
DRV - [2005/10/20 09:01:56 | 001,095,009 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2005/10/05 03:44:06 | 000,468,768 | ---- | M] (Liteon Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wn5301.sys -- (WN5301)
DRV - [2005/09/30 04:11:42 | 000,078,720 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2005/08/29 08:11:00 | 003,644,928 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2005/08/13 14:35:00 | 001,313,792 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/07/28 11:07:58 | 000,156,800 | ---- | M] (Hauppauge Computer Works, Inc.) [23|25|26]xxx) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hcwPP2.sys -- (hcwPP2)
DRV - [2005/04/06 14:05:24 | 000,015,360 | ---- | M] (Maxtor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxopswd.sys -- (MXOPSWD)
DRV - [2005/03/09 06:53:00 | 000,036,352 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2004/08/03 07:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2003/03/13 13:23:28 | 000,019,712 | ---- | M] (Maxtor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxofwfp.sys -- (MaxtorFrontPanel1)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s...ch?r=minisearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...lion&pf=desktop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s...ch?r=minisearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s...ch?r=minisearch

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...lion&pf=desktop
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://my.juno.com/s...ch?r=minisearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s...ch?r=minisearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.juno.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\URLSearchHook: {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JunoInternet\SearchEnh1.dll (Juno, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=8: C:\Program Files\Google\Update\1.2.183.39\npGoogleOneClick8.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{27182e60-b5f3-411c-b545-b44205977502}: C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ [2011/06/09 21:48:10 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{3252b9ae-c69a-4eaf-9502-dc9c1f6c009e}: C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DMExtension\ [2011/06/09 21:48:16 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2011/08/02 14:42:41 | 000,000,736 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Pop-up Blocker) - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\JunoInternet\qsacc\X1IEBHO.dll (Juno, Inc.)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (hpWebHelper Class) - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll (TODO: <Company name>)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.)
O2 - BHO: (Juno Toolbar Helper) - {FE3098B1-04A3-41fd-8CA9-BEA39CB14C87} - C:\Program Files\JunoInternet\UCReg.dll (Juno, Inc.)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [AlwaysReady Power Message APP] C:\WINDOWS\arpwrmsg.exe (Microsoft)
O4 - HKLM..\Run: [Ashampoo FireWall] C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe ()
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe (Digital Interactive Systems Corporation)
O4 - HKLM..\Run: [DiscUpdateManager] C:\Program Files\DISC\DISCUpdateMgr.exe (Digital Interactive Systems Corporation, Inc.)
O4 - HKLM..\Run: [DMAScheduler] c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe (Sonic Solutions)
O4 - HKLM..\Run: [HPBootOp] C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe (HP)
O4 - HKLM..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe (Hewlett-Packard)
O4 - HKLM..\Run: [PCDrProfiler] File not found
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKCU..\Run: [AutoVIP] C:\Program Files\autovip.exe (Alembx Solutions LLC)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe (Hewlett-Packard)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF [binary data]
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Display All Images with Full Quality - C:\Program Files\JunoInternet\qsacc\appres.dll (Juno, Inc.)
O8 - Extra context menu item: Display Image with Full Quality - C:\Program Files\JunoInternet\qsacc\appres.dll (Juno, Inc.)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll (Google Inc.)
O9 - Extra Button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
O9 - Extra 'Tools' menuitem : Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: trymedia.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: trymedia.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: microsoft.com ([*.update] http in Trusted sites)
O15 - HKCU\..Trusted Domains: microsoft.com ([*.update] https in Trusted sites)
O15 - HKCU\..Trusted Domains: microsoft.com ([update] https in Trusted sites)
O15 - HKCU\..Trusted Domains: microsoft.com ([windowsupdate] http in Trusted sites)
O15 - HKCU\..Trusted Domains: microsoft.com ([www.update] http in Trusted sites)
O15 - HKCU\..Trusted Domains: windowsupdate.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: windowsupdate.com ([download] http in Trusted sites)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} https://support.micr...veX/MSDcode.cab (Microsoft Data Collection Control)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://pcpitstop.com...p/PCPitStop.CAB (PCPitstop Utility)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://www.adobe.com...obat/nos/gp.cab (get_atlcom Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\junomsg {C4D10830-379D-11d4-9B2D-00C04F1579A5} - C:\Program Files\Juno\bin\jmsgpph.dll (Juno Online Services, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/03/06 23:58:24 | 000,000,100 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/01/04 22:22:43 | 000,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2001/07/27 15:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2004/04/30 07:01:14 | 000,000,053 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2009/10/08 17:20:12 | 000,000,000 | RHSD | M] - L:\autorun.inf -- [ FAT ]
O33 - MountPoints2\{4c2481c8-059a-11db-b9dc-0016173e3047}\Shell - "" = AutoRun
O33 - MountPoints2\{4c2481c8-059a-11db-b9dc-0016173e3047}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{4c2481c8-059a-11db-b9dc-0016173e3047}\Shell\AutoRun\command - "" = K:\LaunchU3.exe
O33 - MountPoints2\{4c2481c9-059a-11db-b9dc-0016173e3047}\Shell\AutoRun\command - "" = PortableRoboForm.exe
O33 - MountPoints2\{4c2481c9-059a-11db-b9dc-0016173e3047}\Shell\RoboForm2Go\command - "" = PortableRoboForm.exe
O33 - MountPoints2\{bf6efd77-1845-11db-b9e5-0016173e3047}\Shell - "" = AutoRun
O33 - MountPoints2\{bf6efd77-1845-11db-b9e5-0016173e3047}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{bf6efd77-1845-11db-b9e5-0016173e3047}\Shell\AutoRun\command - "" = K:\LaunchU3.exe
O33 - MountPoints2\{d5e3c40e-5af4-11de-baaa-0016173e3047}\Shell - "" = AutoRun
O33 - MountPoints2\{d5e3c40e-5af4-11de-baaa-0016173e3047}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{d5e3c40e-5af4-11de-baaa-0016173e3047}\Shell\AutoRun\command - "" = K:\LaunchU3.exe -a
O33 - MountPoints2\{d5e3c410-5af4-11de-baaa-0016173e3047}\Shell - "" = AutoRun
O33 - MountPoints2\{d5e3c410-5af4-11de-baaa-0016173e3047}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{d5e3c410-5af4-11de-baaa-0016173e3047}\Shell\AutoRun\command - "" = K:\LaunchU3.exe -a
O33 - MountPoints2\{d5e3c412-5af4-11de-baaa-0016173e3047}\Shell - "" = AutoRun
O33 - MountPoints2\{d5e3c412-5af4-11de-baaa-0016173e3047}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{d5e3c412-5af4-11de-baaa-0016173e3047}\Shell\AutoRun\command - "" = K:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/08/03 17:11:33 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\HP_Administrator\Recent
[2011/08/03 10:42:31 | 000,000,000 | R--D | C] -- C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Administrative Tools
[2011/07/31 22:18:48 | 001,404,208 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\HP_Administrator\Desktop\tdsskiller.exe
[2011/07/31 16:15:07 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/07/31 10:31:24 | 000,309,848 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2011/07/31 10:31:24 | 000,019,544 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2011/07/31 10:31:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\avast! Free Antivirus
[2011/07/31 10:31:22 | 000,043,608 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2011/07/31 10:31:22 | 000,025,432 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2011/07/31 10:31:21 | 000,441,176 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2011/07/31 10:31:21 | 000,102,616 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2011/07/31 10:31:21 | 000,096,344 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2011/07/31 10:31:21 | 000,030,808 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2011/07/31 10:31:04 | 000,199,304 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2011/07/31 10:31:04 | 000,040,112 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2011/07/31 10:30:52 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2011/07/31 10:30:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2009/08/06 15:10:26 | 000,207,912 | ---- | C] (Lindersoft) -- C:\Program Files\wupdate.exe
[2009/04/13 13:50:45 | 000,159,440 | ---- | C] (Alembx) -- C:\Program Files\wucheck.exe
[2009/04/11 10:53:31 | 002,231,248 | ---- | C] (Alembx Solutions LLC) -- C:\Program Files\autovip.exe
[2009/04/11 10:53:31 | 000,158,040 | ---- | C] (Alembx Solutions LLC) -- C:\Program Files\AddShortcuts.exe
[2009/04/11 10:53:31 | 000,154,272 | ---- | C] (Alembx Solutions LLC) -- C:\Program Files\validate.exe
[2008/09/17 19:43:28 | 002,291,824 | ---- | C] (Alembx Solutions LLC) -- C:\Program Files\setupav.exe
[2008/01/24 10:05:22 | 000,154,672 | ---- | C] (Alembx Solutions) -- C:\Program Files\wcheck.exe
[2007/10/12 20:50:03 | 000,148,936 | ---- | C] (Alembx Solutions, Inc.) -- C:\Program Files\Uninst_AutoVIP.exe
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/08/04 16:46:42 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/08/04 09:19:10 | 000,001,022 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3916121995-2667568415-902956153-1008UA.job
[2011/08/04 09:14:05 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/08/04 09:14:00 | 000,044,560 | -HS- | M] () -- C:\WINDOWS\System32\c_47915.nl_
[2011/08/04 06:14:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/08/04 05:50:21 | 000,000,054 | ---- | M] () -- C:\WINDOWS\popcinfo.dat
[2011/08/03 10:10:00 | 000,000,464 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2011/08/02 14:59:31 | 000,000,597 | ---- | M] () -- C:\WINDOWS\JUNO.INI
[2011/08/02 14:48:25 | 000,000,187 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.DAT
[2011/08/02 14:47:32 | 000,096,256 | ---- | M] () -- C:\Program Files\vip.tps
[2011/08/02 14:47:32 | 000,000,320 | ---- | M] () -- C:\Program Files\autovip.ini
[2011/08/02 14:47:24 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/08/02 14:47:21 | 1005,113,344 | -HS- | M] () -- C:\hiberfil.sys
[2011/08/02 14:42:41 | 000,000,736 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/08/01 22:19:00 | 000,000,970 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3916121995-2667568415-902956153-1008Core.job
[2011/08/01 21:46:00 | 000,000,464 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2011/08/01 20:40:00 | 000,000,464 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2011/08/01 16:29:17 | 000,007,680 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/08/01 16:20:05 | 000,266,240 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\My Documents\BIGTREE.paf
[2011/07/31 22:29:52 | 000,150,528 | ---- | M] () -- C:\WINDOWS\System32\drivers\ipsec.sys
[2011/07/31 22:28:51 | 000,325,632 | ---- | M] () -- C:\WINDOWS\System32\drivers\netbt.sys
[2011/07/31 22:27:46 | 000,912,640 | ---- | M] () -- C:\WINDOWS\System32\drivers\mrxsmb.sys
[2011/07/31 22:26:37 | 000,276,992 | ---- | M] () -- C:\WINDOWS\System32\drivers\afd.sys
[2011/07/31 22:23:20 | 000,115,200 | ---- | M] () -- C:\WINDOWS\System32\drivers\redbook.sys
[2011/07/31 22:18:48 | 001,404,208 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\HP_Administrator\Desktop\tdsskiller.exe
[2011/07/31 20:11:56 | 000,000,093 | ---- | M] () -- C:\WINDOWS\mail.ini
[2011/07/31 16:05:34 | 001,008,041 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\rkill.exe
[2011/07/31 10:31:24 | 000,001,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2011/07/31 10:31:21 | 000,002,625 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011/07/30 14:00:00 | 000,000,464 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2011/07/12 21:43:31 | 000,271,784 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/07/31 22:23:19 | 000,044,560 | -HS- | C] () -- C:\WINDOWS\System32\c_47915.nl_
[2011/07/31 16:20:58 | 001,008,041 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\rkill.exe
[2011/07/31 10:31:24 | 000,001,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2011/07/22 15:41:46 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 8.lnk
[2009/11/13 15:57:16 | 000,062,592 | ---- | C] () -- C:\WINDOWS\System32\drivers\cdrom.sys
[2009/11/12 05:11:08 | 000,535,221 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\phn.dat
[2009/06/13 16:00:50 | 000,000,093 | ---- | C] () -- C:\WINDOWS\mail.ini
[2009/04/11 10:53:31 | 000,446,369 | ---- | C] () -- C:\Program Files\AutoVIP.chm
[2009/04/11 10:53:31 | 000,000,320 | ---- | C] () -- C:\Program Files\autovip.ini
[2008/11/26 18:51:47 | 000,002,560 | ---- | C] () -- C:\WINDOWS\_MSRSTRT.EXE
[2008/09/02 18:39:25 | 000,000,251 | ---- | C] () -- C:\Program Files\wt3d.ini
[2008/02/12 17:16:09 | 000,691,545 | ---- | C] () -- C:\WINDOWS\unins000.exe
[2008/02/12 17:16:09 | 000,003,458 | ---- | C] () -- C:\WINDOWS\unins000.dat
[2007/10/12 20:50:04 | 000,000,189 | ---- | C] () -- C:\Program Files\IDEPLOY.CLI
[2007/03/27 10:45:22 | 000,038,567 | ---- | C] () -- C:\WINDOWS\System32\pcpbios.exe
[2007/03/27 10:45:22 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\sysres.dll
[2007/02/20 14:27:10 | 000,096,256 | ---- | C] () -- C:\Program Files\vip.tps
[2007/01/07 21:29:31 | 000,000,227 | ---- | C] () -- C:\WINDOWS\HP_CounterReport_Update_HPSU.ini
[2007/01/07 21:29:02 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
[2006/07/30 22:34:12 | 000,000,221 | ---- | C] () -- C:\WINDOWS\HP_RedboxHprblog_HPSU.ini
[2006/07/15 20:48:57 | 000,000,054 | ---- | C] () -- C:\WINDOWS\popcinfo.dat
[2006/06/25 19:03:56 | 000,000,047 | ---- | C] () -- C:\WINDOWS\winhlp32.ini
[2006/06/25 19:03:56 | 000,000,047 | ---- | C] () -- C:\WINDOWS\winhelp.ini
[2006/06/25 19:02:57 | 000,017,552 | ---- | C] () -- C:\WINDOWS\System32\TTYTWIN.DRV
[2006/06/25 19:02:40 | 000,110,080 | ---- | C] () -- C:\WINDOWS\System32\NCSPI8EN.DLL
[2006/06/25 19:02:31 | 000,022,480 | ---- | C] () -- C:\WINDOWS\System32\PFMAPI16.DLL
[2006/06/25 19:02:31 | 000,020,992 | ---- | C] () -- C:\WINDOWS\System32\PFMAPI32.DLL
[2006/06/17 20:12:35 | 000,000,038 | ---- | C] () -- C:\WINDOWS\BMUpdate.ini
[2006/06/17 20:07:15 | 000,001,318 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2006/06/17 20:07:10 | 000,065,024 | ---- | C] () -- C:\WINDOWS\System32\JPEGACC.DLL
[2006/06/17 20:07:09 | 000,269,312 | ---- | C] () -- C:\WINDOWS\System32\FPXIG.DLL
[2006/06/17 20:07:09 | 000,068,096 | ---- | C] () -- C:\WINDOWS\System32\IGFPX32P.DLL
[2006/06/17 20:06:55 | 000,101,376 | ---- | C] () -- C:\WINDOWS\System32\WELSOF32.DLL
[2006/06/13 10:50:12 | 000,000,472 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
[2006/06/12 15:55:52 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\prnunins.exe
[2006/06/12 12:22:18 | 000,000,597 | ---- | C] () -- C:\WINDOWS\JUNO.INI
[2006/06/11 20:39:58 | 000,007,680 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/06/11 17:30:55 | 000,000,139 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\fusioncache.dat
[2006/03/07 00:26:51 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/03/07 00:05:17 | 000,028,848 | ---- | C] () -- C:\WINDOWS\System32\drivers\USBkey.sys
[2006/03/07 00:02:14 | 000,118,842 | R--- | C] () -- C:\WINDOWS\HPCPCUninstaller-6.3.2.116-9972322.exe
[2006/03/07 00:01:25 | 000,014,315 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
[2006/03/07 00:01:19 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
[2006/03/06 23:58:49 | 000,000,044 | ---- | C] () -- C:\WINDOWS\Quicken.ini
[2006/03/06 23:56:13 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/03/06 23:46:49 | 000,000,108 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2006/03/06 23:45:31 | 000,045,929 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.EXE
[2006/03/06 23:45:31 | 000,000,698 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.ini
[2006/03/06 23:39:57 | 000,080,417 | ---- | C] () -- C:\WINDOWS\HPHins08.dat
[2006/03/06 23:39:57 | 000,004,011 | ---- | C] () -- C:\WINDOWS\hphmdl08.dat
[2006/03/06 23:39:03 | 000,072,881 | ---- | C] () -- C:\WINDOWS\hpiins01.dat
[2006/03/06 23:39:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hpimdl01.dat
[2006/03/06 23:35:35 | 000,087,276 | ---- | C] () -- C:\WINDOWS\hpqins69.dat
[2006/03/06 23:34:03 | 000,112,873 | ---- | C] () -- C:\WINDOWS\hpoins07.dat
[2006/03/06 23:34:03 | 000,021,124 | ---- | C] () -- C:\WINDOWS\hpomdl07.dat
[2006/03/06 23:31:11 | 000,088,403 | ---- | C] () -- C:\WINDOWS\hpoins06.dat
[2006/03/06 23:31:11 | 000,005,389 | ---- | C] () -- C:\WINDOWS\hpomdl06.dat
[2006/03/06 23:30:12 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2006/03/06 23:27:42 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\hcwXDS.dll
[2006/03/06 23:25:45 | 000,104,361 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2006/03/06 23:24:14 | 000,000,884 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2006/03/06 23:05:14 | 000,323,584 | ---- | C] () -- C:\WINDOWS\System32\pythoncom22.dll
[2006/03/06 23:05:14 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\pywintypes22.dll
[2006/03/06 23:04:57 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2005/12/09 07:03:52 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/08/30 14:17:40 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2005/08/30 14:07:46 | 000,382,022 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2005/08/30 14:07:46 | 000,053,640 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2005/08/30 14:05:30 | 000,271,784 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/08/30 14:01:42 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/08/30 13:58:02 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2005/08/05 15:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/08/02 17:19:16 | 000,050,176 | ---- | C] () -- C:\WINDOWS\armcex.dll
[2004/08/09 21:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/09 14:00:00 | 000,912,640 | ---- | C] () -- C:\WINDOWS\System32\drivers\mrxsmb.sys
[2004/08/09 14:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/09 14:00:00 | 000,325,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\netbt.sys
[2004/08/09 14:00:00 | 000,276,992 | ---- | C] () -- C:\WINDOWS\System32\drivers\afd.sys
[2004/08/09 14:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/09 14:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/09 14:00:00 | 000,150,528 | ---- | C] () -- C:\WINDOWS\System32\drivers\ipsec.sys
[2004/08/09 14:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/09 14:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/09 14:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/09 14:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/08/03 07:59:38 | 000,115,200 | ---- | C] () -- C:\WINDOWS\System32\drivers\redbook.sys
[2004/07/26 00:51:38 | 000,000,560 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2001/08/23 01:12:28 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 01:11:02 | 000,004,490 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/07/06 16:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

< End of report >

#2 RKinner (Malware Expert)
Could you give me a link to your bleeping computer post so I can see what went wrong?

Do you have the TDSSKiller log? I might be able to see what happened from it.

You still have some malware so let's see what we can do to get rid of it.

Go into Control Panel, Scheduled Tasks. Look for tasks at1, at2, etc. These are all malware tasks so double click on each and note the path in the Run box. Cancel then hit the red X at the top to delete the task.

Now right click on Start and select Explore and see if you can find the file that was referenced in each task. You may need to allow explorer to see hidden and system files:

Select the Tools menu and click Folder Options.
After the new window appears select the View tab.
Put a checkmark in the checkbox labeled Display the contents of system folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Press the Apply button and then the OK button

Try to delete the file if you can.

Also delete: C:\WINDOWS\System32\c_47915.nl_

After you do that:

Click on the Avast ball. Then click on Scan Computer, then on Boot-Time Scan, then on Settings. Change the Ask at the bottom to Move to Chest. OK, then Schedule Now. Reboot and let it run a scan. It may take hours.
Once it finishes it should load windows. Click on the Avast ball and then on Scan Logs, select the Boot-time scan report then View Results. How many did it find?

Ron

#3 radon (Topic Starter)
Thank you for prompt reply!!

Link: http://www.bleepingc...opic412279.html


TDSSKiller file attached.

I wrote down procedure you posted. This pushes the limits of my computer skills, but I will give it a try. Will have to post results tomorrow as it is late and you said scan may take hours.

Thanks again. KON


#4 radon (Topic Starter)
Back sooner than I thought I would be!

Followed your instructions, deleted at1, at2, at3, at4. Could not locate "C:\windows\system 32\c_47915.nl_". Got this message: "C:\windows\system 32 refers to a location that is unavailable. It could be on a hard drive, or on a network. Check to make sure the disk is properly inserted, or that you are connected to the internet or network, then try again."

Tried 2 times to run Avast boot scan, would not run. Avast is still disabled (all shields disabled), X through Avast ball in task bar.

Is this hopeless?

Thanks. Back tomorrow.

#5 RKinner (Malware Expert)
Not looking too good. Not sure why it can't see System32. Just hope it's not Ramnit. Can you open a command prompt? Start, Run, cmd, OK or Start, All Programs, Accessories, Command Prompt? If not, try booting into Safe Mode or Safe Mode with Command Prompt. (Reboot and when you see the maker's logo, hear a beep or it mentions F8, start tapping the F8 key slowly. Keep tapping until you see the Safe Mode menu.) If you can get to a command window, type the following, with an Enter after each line:

cd \windows
dir /a
(This should give you a long list of files and folders)

cd system32

(Does it work or does it say can't find it?)

dir /a
(another long list of files.)

netsh winsock reset catalog

netsh int ip reset reset.log


sfc /scannow

(If this works it will take a while, maybe 10 minutes or so. It may ask you for a CD. You can try pointing it at C:\i386, but if it's not there then just tell it to Skip every time it stops.)

You can also try to do a disk check:
1. Double-click My Computer, and then right-click the hard disk that you want to check. C:
2. Click Properties, and then click Tools.
3. Under Error-checking, click Check Now. A dialog box that shows the Check disk options is displayed.
4. Check both boxes and then click Start.
You will receive the following message:
The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?
Click Yes to schedule the disk check, then reboot. It should check your hard drive, which will take an hour or so.

Ron

#6 radon (Topic Starter)
YOU ARE A GENIUS!!

I successfully completed the DOS instructions you posted (found system32). Re-booted computer after completion, then pale blue screen appeared and diskcheck started on its own.

These were deleted by checkdisk:

corrupt attribute record 16... from file segment 17013
index entry OLD1ab.tmp in index $I30, file 16708

After scan completed, Windows started, then message appeared:
System has recovered from serious error
error signature:
BCcode:b8 BCP1:00000000 BCP2:00000000 BCP3:00000000 BCP4:00000000 OSver:5_1_2600 sp: 3_0 product:256_1

technical info:
C:\docum~1\HP_adm~1\locals~1\temp\WERd49e.dir00\mini080511-01.dmp
C:\docum~1\HP_adm~1\locals~1\temp\WERd49e.dir00\sysdata.xml

Normal desktop with icons appeared. I clicked Juno, clicked connect, and it connected to internet!!!
Also, Windows FW is now functional. Don't see any other missing things, system appears intact.

Avast AV is still disabled. Would it be OK to uninstall, then re-install this program or will that mess up your work?

Is there still more to do to get rid of malware or is it now gone?

THANK YOU VERY MUCH! I really appreciate your patience and giving instructions I could follow.

#7 RKinner (Malware Expert)
Go ahead and uninstall and reinstall Avast.

After it installs:


Click on the Avast ball. Then click on Additional Protections then on AutoSandbox then on Settings then uncheck Enable AutoSandbox. OK

Malwarebytes' Anti-Malware
If you have a previous version of Malwarebytes', remove it via Add or Remove Programs and download a fresh copy.

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.



ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.

It must be saved to your desktop; do not run it.

Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on ComboFix to start the program.



* Important: Have no other programs running. Your Task Bar should be clear of any program entries, including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console, then Continue. When the scan completes, Notepad will open with your results log. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan


On completion of the scan (note whether the Fix button is enabled, not the FixMBR button, which is always enabled, and tell me), click Save log, save it to your desktop and post it in your next reply.

Ron

#8 radon (Topic Starter)
Sorry for delayed reply. Loaded Avast this a.m.; installation and registration went normally. Avast asked to reboot to complete process. I did, but when system restarted Avast was disabled and screen froze. I re-booted 2 times with same results. Booted to safe mode and uninstalled Avast (it was disabled even in safe mode).

Did normal reboot, screen not frozen, but now Juno internet will not connect (as before).

Seems I'm back where I started. Should I continue with your above directions (skipping the Avast install) and try to install MBAM?

Hope there is a way out of this. I was so happy yesterday to get internet access back--

Thanks KON

#9 RKinner (Malware Expert)
Do whatever you need to do to get your internet back. Just forget avast for now and see if you can run either of the other two.

Ron

#10 radon (Topic Starter)
Because they worked for getting internet back yesterday, I re-did all dos procedures you previously listed. Tried to do disk check and got this message: Type of file system NTFS. Can not open volume for direct access. Went to desktop, tried Juno-still no connection.

Gave up on that and installed MBAM, ran quick scan. See Log attached.

Should I now try the dreaded (by me) COMBOFIX?

If it seems I am asking questions that have obvious answers, it is because I don't know what I am doing and I want to verify each step with you so I don't mess up things more than they already are.

Thanks. KON


#11 RKinner (Malware Expert)
In order to run a disk check, the disk must not be in use by Windows, so you either schedule the check for the next reboot:
1. Double-click My Computer, and then right-click the hard disk that you want to check. C:
2. Click Properties, and then click Tools.
3. Under Error-checking, click Check Now. A dialog box that shows the Check disk options is displayed.
4. Check both boxes and then click Start.
You will receive the following message:
The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?
Click Yes to schedule the disk check.

Or you can try chkdsk /r from the Safe Mode Command Prompt.


Yes if you can get Combofix to work that would be good.

Ron

#12 radon (Topic Starter)
I'm still alive...had some family stuff that had to be done before PC fixin'. :)

Going to run Combofix today. Hope I can do it correctly--looks/sounds dangerous.

Thanks for your patience. KON

#13 radon (Topic Starter)
Appears the PC survived the COMBOFIX scan. Log attached.

More work to do?

Thanks KON

ComboFix 11-08-08.02 - HP_Administrator 08/08/2011 17:34:59.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.632 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\HP_Administrator\Application Data\Adobe\plugs
c:\documents and settings\HP_Administrator\Application Data\Adobe\shed
c:\documents and settings\HP_Administrator\WINDOWS
C:\Recycle.Bin
c:\windows\$NtUninstallKB3255$
c:\windows\$NtUninstallKB3255$\1424066960
c:\windows\$NtUninstallKB3255$\485945278\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB3255$\485945278\click.tlb
c:\windows\$NtUninstallKB3255$\485945278\L\aqaeidou
c:\windows\$NtUninstallKB3255$\485945278\loader.tlb
c:\windows\$NtUninstallKB3255$\485945278\U\@00000001
c:\windows\$NtUninstallKB3255$\485945278\U\@000000c0
c:\windows\$NtUninstallKB3255$\485945278\U\@000000cb
c:\windows\$NtUninstallKB3255$\485945278\U\@000000cf
c:\windows\$NtUninstallKB3255$\485945278\U\@80000000
c:\windows\$NtUninstallKB3255$\485945278\U\@800000c0
c:\windows\$NtUninstallKB3255$\485945278\U\@800000cb
c:\windows\$NtUninstallKB3255$\485945278\U\@800000cf
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\system32\c_47915.nls
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\ps2.bat
c:\windows\system32\rnaph.dll
c:\windows\winhelp.ini
D:\Autorun.inf
.
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((( Files Created from 2011-07-09 to 2011-08-09 )))))))))))))))))))))))))))))))
.
.
2011-08-09 00:31 . 2009-11-13 22:57 62592 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-08-08 23:13 . 2011-08-08 23:13 -------- d-----w- c:\windows\system32\wbem\Repository
2011-08-05 19:23 . 2001-08-17 20:51 61824 ----a-w- c:\windows\system32\dllcache\speed.sys
2011-08-05 19:23 . 2001-08-18 05:36 106584 ----a-w- c:\windows\system32\dllcache\spdports.dll
2011-08-05 19:23 . 2001-08-17 21:07 19072 ----a-w- c:\windows\system32\dllcache\sparrow.sys
2011-08-05 19:23 . 2001-08-17 20:56 7552 ----a-w- c:\windows\system32\dllcache\sonypvu1.sys
2011-08-05 19:23 . 2001-08-17 19:51 37040 ----a-w- c:\windows\system32\dllcache\sonypi.sys
2011-08-05 19:23 . 2001-08-18 05:36 114688 ----a-w- c:\windows\system32\dllcache\sonypi.dll
2011-08-05 19:23 . 2001-08-17 19:51 20752 ----a-w- c:\windows\system32\dllcache\sonync.sys
2011-08-05 19:23 . 2001-08-17 20:53 9600 ----a-w- c:\windows\system32\dllcache\sonymc.sys
2011-08-05 19:23 . 2008-04-13 18:40 7552 ----a-w- c:\windows\system32\dllcache\sonyait.sys
2011-08-05 19:23 . 2004-08-09 21:00 143422 ----a-w- c:\windows\system32\dllcache\softkey.dll
2011-08-05 19:21 . 2001-08-17 19:50 68608 ----a-w- c:\windows\system32\dllcache\sis6306p.sys
2011-08-05 19:20 . 2001-08-17 21:56 245632 ----a-w- c:\windows\system32\dllcache\s3savmx.dll
2011-08-05 19:19 . 2001-08-17 20:51 19584 ----a-w- c:\windows\system32\dllcache\rasirda.sys
2011-08-05 19:18 . 2001-08-18 05:36 121344 ----a-w- c:\windows\system32\dllcache\phvfwext.dll
2011-08-05 19:17 . 2001-08-18 05:36 20480 ----a-w- c:\windows\system32\dllcache\ovcomc.dll
2011-08-05 19:16 . 2001-08-17 19:20 87040 ----a-w- c:\windows\system32\dllcache\nm6wdm.sys
2011-08-05 19:16 . 2001-08-17 19:20 126080 ----a-w- c:\windows\system32\dllcache\nm5a2wdm.sys
2011-08-05 19:16 . 2001-08-17 19:12 32840 ----a-w- c:\windows\system32\dllcache\ngrpci.sys
2011-08-05 19:16 . 2004-08-04 05:31 132695 ----a-w- c:\windows\system32\dllcache\netwlan5.sys
2011-08-05 19:16 . 2001-08-17 19:11 65278 ----a-w- c:\windows\system32\dllcache\netflx3.sys
2011-08-05 19:16 . 2001-08-17 19:50 39264 ----a-w- c:\windows\system32\dllcache\neo20xx.sys
2011-08-05 19:16 . 2001-08-18 05:36 60480 ----a-w- c:\windows\system32\dllcache\neo20xx.dll
2011-08-05 19:16 . 2001-08-17 20:49 15872 ----a-w- c:\windows\system32\dllcache\ne2000.sys
2011-08-05 19:16 . 2001-08-17 21:56 91488 ----a-w- c:\windows\system32\dllcache\n9i3disp.dll
2011-08-05 19:16 . 2001-08-17 19:50 27936 ----a-w- c:\windows\system32\dllcache\n9i3d.sys
2011-08-05 19:16 . 2001-08-17 19:50 33088 ----a-w- c:\windows\system32\dllcache\n9i128v2.sys
2011-08-05 19:16 . 2001-08-18 05:36 59104 ----a-w- c:\windows\system32\dllcache\n9i128v2.dll
2011-08-05 19:14 . 2001-08-17 20:57 16128 ----a-w- c:\windows\system32\dllcache\modemcsa.sys
2011-08-05 19:13 . 2001-08-17 20:51 15744 ----a-w- c:\windows\system32\dllcache\lit220p.sys
2011-08-05 19:12 . 2004-08-09 21:00 59904 ----a-w- c:\windows\system32\dllcache\imkrinst.exe
2011-08-05 19:11 . 2001-08-17 20:28 57471 ----a-w- c:\windows\system32\dllcache\hsf_samp.sys
2011-08-05 19:10 . 2001-08-17 20:51 82304 ----a-w- c:\windows\system32\dllcache\grclass.sys
2011-08-05 19:09 . 2001-08-17 19:19 63360 ----a-w- c:\windows\system32\dllcache\ess.sys
2011-08-05 19:08 . 2008-04-13 18:40 8320 ----a-w- c:\windows\system32\dllcache\dlttape.sys
2011-08-05 19:07 . 2001-08-18 05:36 175104 ----a-w- c:\windows\system32\dllcache\csamsp.dll
2011-08-05 19:06 . 2008-04-13 18:46 11776 ----a-w- c:\windows\system32\dllcache\bdasup.sys
2011-08-05 19:05 . 2001-08-17 21:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2011-08-01 05:23 . 2011-08-08 03:13 44560 --sha-w- c:\windows\system32\c_47915.nl_
2011-07-31 23:15 . 2011-08-08 23:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-31 17:31 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-07-31 17:31 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-07-31 17:31 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-07-31 17:31 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-07-31 17:31 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-07-31 17:31 . 2011-07-04 11:35 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-07-31 17:31 . 2011-07-04 11:35 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-07-31 17:31 . 2011-07-04 11:32 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-07-31 17:31 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr
2011-07-31 17:31 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-07-31 17:30 . 2011-08-08 23:04 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-07-31 17:30 . 2011-07-31 17:30 -------- d-----w- c:\program files\AVAST Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-08 03:13 . 2004-08-03 14:59 115200 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-08-06 17:58 . 2008-11-13 22:19 912640 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-08-05 19:37 . 2004-08-09 21:00 325632 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-06-02 14:02 . 2004-08-09 21:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-27 04:34 . 2008-09-18 02:43 2291824 ----a-w- c:\program files\setupav.exe
2011-04-19 17:09 . 2009-04-11 17:53 2231248 ----a-w- c:\program files\autovip.exe
2011-01-07 17:10 . 2009-08-06 22:10 207912 ----a-w- c:\program files\wupdate.exe
2009-05-05 00:03 . 2009-04-11 17:53 154272 ----a-w- c:\program files\validate.exe
2009-04-30 03:08 . 2009-04-13 20:50 159440 ----a-w- c:\program files\wucheck.exe
2009-04-13 02:12 . 2009-04-11 17:53 158040 ----a-w- c:\program files\AddShortcuts.exe
2008-01-28 01:05 . 2008-01-24 17:05 154672 ----a-w- c:\program files\wcheck.exe
2007-10-13 03:50 . 2007-10-13 03:50 148936 ----a-w- c:\program files\Uninst_AutoVIP.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-23 68856]
"AutoVIP"="c:\program files\autovip.exe" [2011-04-19 2231248]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
"DISCover"="c:\program files\DISC\DISCover.exe" [2005-11-11 1064960]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-11-11 61440]
"DMAScheduler"="c:\program files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe" [2005-11-01 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 249856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb06.exe" [2002-07-11 188416]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"Ashampoo FireWall"="c:\program files\Ashampoo\Ashampoo FireWall\FireWall.exe" [2007-04-05 3251800]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-05-27 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-3-7 36903]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-3-6 27136]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Juno\\bin\\juno.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\JunoInternet\\exec.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Documents and Settings\\HP_Administrator\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
.
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/31/2011 10:31 AM 309848]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/31/2011 10:31 AM 19544]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [7/31/2011 10:31 AM 441176]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2010 9:02 PM 135664]
S3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [3/6/2006 11:27 PM 468768]
S4 PuranDefrag;PuranDefrag;c:\windows\system32\PuranDefragS.exe [12/27/2010 3:20 PM 229376]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 04:02]
.
2011-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 04:02]
.
2011-08-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3916121995-2667568415-902956153-1008Core.job
- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-27 05:20]
.
2011-08-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3916121995-2667568415-902956153-1008UA.job
- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-27 05:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.juno.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://my.juno.com/s/search?r=minisearch
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Display All Images with Full Quality - "c:\program files\JunoInternet\qsacc\appres.dll/228"
IE: Display Image with Full Quality - "c:\program files\JunoInternet\qsacc\appres.dll/227"
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www.update
Trusted Zone: windowsupdate.com
Trusted Zone: windowsupdate.com\download
Trusted Zone: trymedia.com
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-PCDrProfiler - (no file)
SafeBoot-70339660.sys
AddRemove-Corel Remove Program - f:\corel\AppMan\Setup\remove.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-08 17:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASFWHide]
"ImagePath"="\??\c:\docume~1\HP_ADM~1\LOCALS~1\Temp\ASFWHide"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(516)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2948)
c:\windows\system32\WININET.dll
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\arservice.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ARPWRMSG.EXE
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2011-08-08 17:45:01 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-09 00:44
.
Pre-Run: 208,226,775,040 bytes free
Post-Run: 208,194,719,744 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - A951D4D62099198F3EE4118A180626D2

#14 RKinner (Malware Expert, MVP)
Please run Combofix one more time as before. I want to see if this:

Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected

comes back or is really gone.

Also try to run an avast scan again.

Ron
  • 0

#15 radon (Topic Starter, Member)
OK, see attached COMBOFIX scan #2 log.

Re: Avast: the last 2 times I tried to scan with Avast (see above posts) I lost my internet, Windows FW was disabled, Avast was disabled and other infection symptoms returned. I would like to be certain that whatever is causing that to happen is gone before I try to reload and scan with Avast. I don't know enough about this to know if it is something peculiar to Avast or if it would happen with any AV I try if the infection is still there. How about Microsoft Security Essentials? Good/Don't use/doesn't matter which I use?

I have used Avast for years and not had a problem, but now I'm leery of trying Avast again. Of course, I will follow your directions and if you say try Avast again, then I will.

Thanks KON

Edited by radon, 08 August 2011 - 09:36 PM.
