9 replies to this topic

[Mustang_Sally]

Hi there!

I am running Vista Home Premium. I have Malwarebytes, but when I go to use it, it starts and then quickly disappears. When I try to use it again I get " Windows can not access the specified device, path, or file. You may not have the appropriate permissions to access the item" The same thing happens with Hijack This. I have tried to download other removal tools. It looks like they download, however, when I go to the saved location, they are no there. The last one i tried to download was RootRepeal and it didn't show up either.

I have tried to rename mbam, but that didn't work. I set the exceptions for the 3 malwarebytes .exe files in AVG, didn't help.

I am not getting any fake warning pop-ups. I do get browser redirects and it won't let me do windows updates for SP2.

I'm not sure what to try next. Help!

[Mustang_Sally]

I ran Win32diag. Hurray something ran After that, I reinstalled Malwarebytes and was able to run it. It found a few things. I tried to uninstall Hijack This, but it still wouldn't let me. So, I tried to run it... no go. I uninstalled/reinstalled Malwarebytes and scanned again.... it said no infections. My computer still won't download any programs and it gives the " Windows can not access the specified device, path, or file. You may not have the appropriate permissions to access the item" message.

I didn't want to go too much further or try running any other programs until some one has look at my logs and gives a suggestion.

I tried to post the Win32diag log, but i got an error that it was too long of a post. I have attached it now.

Malwarebytes Log

Malwarebytes' Anti-Malware 1.41
Database version: 2874
Windows 6.0.6001 Service Pack 1

29/09/2009 11:52:45 PM
mbam-log-2009-09-29 (23-52-45).txt

Scan type: Quick Scan
Objects scanned: 92067
Time elapsed: 5 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\$Recycle.Bin\S-1-5-21-4152655313-2468411337-1519091781-1000\$RGYJFY0.exe (Rogue.MalwareScanner) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\cngaudit.dll (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.


Malwarebytes Log 2nd Run

Malwarebytes' Anti-Malware 1.41
Database version: 2876
Windows 6.0.6001 Service Pack 1

30/09/2009 9:09:31 AM
mbam-log-2009-09-30 (09-09-31).txt

Scan type: Quick Scan
Objects scanned: 92102
Time elapsed: 5 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Attached Files

•  Win32kDiag.txt   356.45K   22 downloads

[AdvancedSetup]

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

• If you are using Firefox, make sure that your download settings are as follows:
  
  • Tools->Options->Main tab
    
  • Set to "Always ask me where to Save the files".
• During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  
  
• It is important you rename Combofix during the download, but not after.
  
• Please do not rename Combofix to other names, but only to the one indicated.
  
• Close any open browsers.
  
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  

  -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    

    -----------------------------------------------------------

  • Close any open browsers.
    
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

  -----------------------------------------------------------

• Double click on combo-Fix.exe & follow the prompts.
  
• When finished, it will produce a report for you.
  
• Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method (above method), but name Combofix.exe to iexplore.exe instead, or winlogon.exe..
This because It also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, so this whitelist also includes system important processes such as iexplore.exe, explorer.exe, winlogon.exe...

[Mustang_Sally]

I ran Combo Fix and attached the log. I tried to unistall HiJack This, however, I was not able to do so. It wouldn't allow me to run it either.

Attached Files

•  ComboFix.txt   21.85K   20 downloads

[AdvancedSetup]

STEP 01
Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.
Download it to your DESKTOP - it MUST run from the Desktop
download.bleepingcomputer.com/sUBs/ComboFix.exe
subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

Fcopy::
c:\windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll | c:\windows\system32\cngaudit.dll
RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

• Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  
• Disconnect from the Internet.
  
• Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  
• A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  
• It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
  When the scan completes Notepad will open with with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02
Update and Scan with Malwarebytes' Anti-Malware

• Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  
• Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  
  • Update Malwarebytes' Anti-Malware
    
  • Select the Update tab
    
  • Click Update
• When the update is complete, select the Scanner tab
  
• Select Perform quick scan, then click Scan.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Be sure that everything is checked, and click Remove Selected.
  
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
    
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.

STEP 03
RootRepeal - Rootkit Detector
[indent]

Close ALL applications and as many items in the task tray that will stop and exit.

• Please download the following tool: RootRepeal - Rootkit Detector
  
• Direct download link is here: RootRepeal.rar
  
• If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
  
• Extract the program file to a new folder such as C:\RootRepeal
  
• Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button
  
• Select ALL of the checkboxes and then click OK and it will start scanning your system.
  
• If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  
• When done, click on Save Report
  
• Save it to the same location where you ran it from, such as C:\RootRepeal
  
• Save it as your_name_rootrepeal.txt - where your_name is your forum name
  
• This makes it more easy to track who the log belongs to.
  
• Then open that log and select all and copy/paste it back on your next reply please.
  
• Quit the RootRepeal program.

[/indent]

[Mustang_Sally]

I ran Combo Fix with the Notepad doc put in it. I then ran Malwarebytes. I tried to download Root Repeal and I was not able to. First I tried to save it in C:\Rootrepeal and I received this message, " You don't have permission to save in this location. Contact the administrtor to obtain permission." I then tried to download it to a different location. It appeared to download, but when I went to retrieved the file, it was not there.

Combo Fix Log

ComboFix 09-10-01.05 - Mitchell 02/10/2009 19:28.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.3070.2224 [GMT -6:00]
Running from: c:\users\Mitchell\Desktop\Combo-Fix.exe
Command switches used :: c:\users\Mitchell\Desktop\CFscript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll --> c:\windows\system32\cngaudit.dll
.
((((((((((((((((((((((((( Files Created from 2009-09-03 to 2009-10-03 )))))))))))))))))))))))))))))))
.

2009-10-03 01:32 . 2009-10-03 01:35 -------- d-----w- c:\users\Mitchell\AppData\Local\temp
2009-10-03 01:32 . 2009-10-03 01:32 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-10-03 01:32 . 2009-10-03 01:32 -------- d-----w- c:\users\kodak\AppData\Local\temp
2009-10-03 01:32 . 2009-10-03 01:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-03 01:28 . 2006-11-02 09:46 11776 ----a-w- c:\windows\system32\cngaudit.dll
2009-10-02 21:50 . 2009-10-01 16:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-30 14:58 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-30 14:57 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-28 04:17 . 2009-09-28 04:17 -------- d-----w- c:\program files\Trend Micro
2009-09-28 01:43 . 2009-06-15 18:20 439896 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-09-28 01:43 . 2009-06-15 15:24 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-09-28 01:43 . 2009-06-15 15:24 270848 ----a-w- c:\windows\system32\schannel.dll
2009-09-28 01:43 . 2009-06-15 15:23 1256448 ----a-w- c:\windows\system32\lsasrv.dll
2009-09-28 01:43 . 2009-06-15 15:22 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-28 01:43 . 2009-06-15 15:21 499712 ----a-w- c:\windows\system32\kerberos.dll
2009-09-28 01:43 . 2009-06-15 15:24 72704 ----a-w- c:\windows\system32\secur32.dll
2009-09-28 01:43 . 2009-06-15 12:57 9728 ----a-w- c:\windows\system32\lsass.exe
2009-09-27 22:20 . 2009-09-27 22:23 -------- d-----w- c:\program files\mbam
2009-09-27 20:03 . 2004-05-11 15:56 423784 ----a-w- c:\windows\system32\XceedBkp.dll
2009-09-27 20:03 . 2003-11-19 19:59 512688 ----a-w- c:\windows\system32\XceedCry.dll
2009-09-27 20:03 . 2000-07-15 11:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2009-09-27 20:03 . 2000-07-15 05:00 118784 ----a-w- c:\windows\system32\msstdfmt.dll
2009-09-27 19:52 . 2009-09-30 14:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-27 18:15 . 2008-01-08 19:10 98304 ----a-w- c:\windows\RTKAUDIOSERVICE.EXE
2009-09-24 22:45 . 2009-09-24 22:45 -------- d-----w- c:\windows\system32\EventProviders
2009-09-24 12:45 . 2009-04-11 04:42 561152 ----a-w- c:\windows\system32\drivers\hdaudbus.sys
2009-09-24 12:44 . 2009-04-11 04:43 196096 ----a-w- c:\windows\system32\drivers\usbhub.sys
2009-09-24 12:44 . 2009-04-11 06:32 180712 ----a-w- c:\windows\system32\drivers\msiscsi.sys
2009-09-24 12:44 . 2009-04-11 04:42 226304 ----a-w- c:\windows\system32\drivers\usbport.sys
2009-09-24 12:44 . 2009-04-11 06:32 149480 ----a-w- c:\windows\system32\drivers\pci.sys
2009-09-24 12:44 . 2009-04-11 06:32 265688 ----a-w- c:\windows\system32\drivers\acpi.sys
2009-09-24 12:44 . 2009-04-11 06:32 53736 ----a-w- c:\windows\system32\drivers\disk.sys
2009-09-24 12:44 . 2009-04-11 06:32 226280 ----a-w- c:\windows\system32\drivers\volsnap.sys
2009-09-24 12:43 . 2009-04-11 04:42 39936 ----a-w- c:\windows\system32\drivers\usbehci.sys
2009-09-24 12:43 . 2009-04-11 04:43 236544 ----a-w- c:\windows\system32\drivers\HdAudio.sys
2009-09-24 12:43 . 2009-04-11 04:42 167936 ----a-w- c:\windows\system32\drivers\portcls.sys
2009-09-24 12:43 . 2009-04-11 04:43 62208 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2009-09-24 12:43 . 2009-04-11 04:39 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2009-09-24 12:42 . 2009-04-11 04:39 16384 ----a-w- c:\windows\system32\iscsilog.dll
2009-09-24 12:42 . 2009-04-11 04:42 19456 ----a-w- c:\windows\system32\drivers\usbohci.sys
2009-09-15 19:26 . 2009-09-15 19:26 411368 ----a-w- c:\windows\system32\deploytk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-21 01:48 . 2009-09-21 01:48 -------- d-----w- c:\program files\ANI
2009-09-21 01:48 . 2008-02-14 18:01 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-21 01:48 . 2009-09-21 01:48 -------- d-----w- c:\program files\D-Link
2009-09-15 19:26 . 2008-02-14 18:12 -------- d-----w- c:\program files\Java
2009-09-12 02:50 . 2008-09-09 01:46 6730 ----a-w- c:\users\Mitchell\AppData\Roaming\wklnhst.dat
2009-09-09 09:09 . 2008-10-03 12:29 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-09 09:00 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-31 23:12 . 2009-08-31 23:10 -------- d-----w- c:\program files\3Space Publisher 2
2009-08-31 23:08 . 2009-08-31 23:08 -------- d-----w- c:\program files\PM Painter
2009-08-28 12:39 . 2009-09-02 22:31 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15 . 2009-09-02 22:31 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-21 11:05 . 2008-08-06 15:37 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-21 11:05 . 2008-08-06 15:37 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-21 11:05 . 2008-08-06 15:37 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-14 17:07 . 2009-09-09 01:10 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 16:29 . 2009-09-09 01:10 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 16:29 . 2009-09-09 01:10 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 14:16 . 2009-09-09 01:10 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:16 . 2009-09-09 01:10 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:16 . 2009-09-09 01:10 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:16 . 2009-09-09 01:10 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:16 . 2009-09-09 01:10 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:16 . 2009-09-09 01:10 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:16 . 2009-09-09 01:10 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-13 09:01 . 2009-08-13 09:01 -------- d-----w- c:\program files\MSXML 4.0
2009-08-12 18:34 . 2009-08-12 04:33 -------- d-----w- c:\users\Mitchell\AppData\Roaming\Arcsoft
2009-08-12 05:51 . 2009-08-12 04:32 -------- d-----w- c:\users\Mitchell\AppData\Roaming\KEDDS
2009-08-12 05:51 . 2009-08-12 04:32 -------- d-----w- c:\programdata\KEDDS
2009-08-12 05:21 . 2009-08-12 05:21 -------- d-----w- c:\users\Mitchell\AppData\Roaming\Skinux
2009-08-12 05:20 . 2009-08-12 04:32 -------- d-----w- c:\programdata\OrbNetworks
2009-08-12 04:35 . 2009-08-12 04:15 -------- d-----w- c:\programdata\Kodak
2009-08-12 04:34 . 2009-08-12 04:33 -------- d-----w- c:\program files\QuickTime
2009-08-12 04:33 . 2009-08-12 04:33 -------- d-----w- c:\programdata\Apple Computer
2009-08-12 04:33 . 2009-08-12 04:33 -------- d-----w- c:\programdata\ArcSoft
2009-08-12 04:33 . 2009-08-12 04:32 -------- d-----w- c:\program files\Common Files\ArcSoft
2009-08-12 04:32 . 2009-08-12 04:32 -------- d-----w- c:\program files\ArcSoft
2009-08-12 04:32 . 2009-08-12 04:28 -------- d-----w- c:\program files\Kodak
2009-08-12 04:31 . 2009-08-12 04:29 -------- d-----w- c:\program files\Common Files\Kodak
2009-08-12 04:13 . 2009-08-12 04:13 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-08-08 14:19 . 2008-02-14 18:05 -------- d-----w- c:\program files\HP
2009-08-08 14:18 . 2008-02-14 18:16 -------- d-----w- c:\programdata\Hewlett-Packard
2009-07-21 21:52 . 2009-07-28 19:48 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-28 19:48 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-28 19:48 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-28 19:48 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-17 14:35 . 2009-08-11 19:52 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-14 13:00 . 2009-08-11 19:52 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-14 12:59 . 2009-08-11 19:52 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-14 12:58 . 2009-08-11 19:52 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-07-14 10:59 . 2009-08-11 19:52 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-11 19:32 . 2009-09-09 01:10 513024 ----a-w- c:\windows\system32\wlansvc.dll
2009-07-11 19:32 . 2009-09-09 01:10 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-07-11 19:32 . 2009-09-09 01:10 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-07-11 19:29 . 2009-09-09 01:10 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2008-12-05 23:17 . 2008-12-05 23:17 33609323 ----a-w- c:\program files\paint-shop-pro-7.00ev.exe
2008-11-09 21:55 . 2008-11-09 21:54 923547 ----a-w- c:\program files\7z460.exe
2008-08-06 14:48 . 2008-08-06 14:48 22 --sha-w- c:\windows\SMINST\HPCD.sys
2008-02-14 17:29 . 2008-02-14 17:24 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-10-02_04.54.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-02-14 17:51 . 2009-10-03 01:35 48126 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-10-03 01:35 65666 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-08-05 22:58 . 2009-10-01 03:42 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-08-05 22:58 . 2009-10-02 21:43 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-08-05 22:58 . 2009-10-02 21:43 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-05 22:58 . 2009-10-01 03:42 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-05 22:58 . 2009-10-01 03:42 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-08-05 22:58 . 2009-10-02 21:43 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-08-06 16:13 . 2009-10-02 04:52 4736 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-08-06 16:13 . 2009-10-03 01:32 4736 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-08-05 23:05 . 2009-10-03 01:35 7910 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4152655313-2468411337-1519091781-1000_UserData.bin
+ 2009-10-03 01:33 . 2009-10-03 01:33 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-10-03 01:33 . 2009-10-03 01:33 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-10-02 12:57 . 2009-10-03 00:56 302642 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
- 2009-06-03 05:02 . 2009-09-30 16:55 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-06-03 05:02 . 2009-10-02 21:43 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2008-08-06 05:03 . 2009-10-03 01:32 116208 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 22:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-10-04 1783136]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-07 3885408]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-02 2023704]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-07-07 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-07 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-07-07 81920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-07-10 195072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-15 149280]
"D-Link RangeBooster G WUA-2340"="c:\program files\D-Link\RangeBooster G WUA-2340\AirPlusCFG.exe" [2007-11-12 1662976]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-15 4874240]

c:\users\Mitchell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Keyboard Express 3.lnk - c:\program files\Keyboard Express 3\keyexp.exe [2008-10-14 2753024]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2009-7-10 323584]
Snapfish Media Detector.lnk - c:\program files\Snapfish Picture Mover\SnapfishMediaDetector.exe [2007-5-7 1273856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{FE316154-1969-497C-B8F9-BDF7BCA6AD19}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{24B8CB90-EFD4-43C1-95E0-CD7C6D0FB52D}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{80E35369-A7E1-449F-89A7-C41EBA8CF9F1}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{EA0229C3-F812-415E-8514-418C1D79CBB6}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{68C8C6F3-456F-4CC3-B935-2AE2D46AFFE3}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{57F3D022-02CC-4FCA-8641-FA1EA36561D0}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B66F0110-7FD2-4416-AACE-73FC535EB15E}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{932F66C0-C398-4510-BD88-806F6AAF167A}"= UDP:c:\program files\Midway Home Entertainment\BlackSite Area 51\Binaries\BlackSite.exe:Blacksite Area 51
"{9942B263-677F-4DE3-8F08-4BB37BCBA9AE}"= TCP:c:\program files\Midway Home Entertainment\BlackSite Area 51\Binaries\BlackSite.exe:Blacksite Area 51
"{00745F7D-43AB-4D61-9726-73C5EB68070E}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{BD857846-2438-402C-B1AC-E995F03E3EC3}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{0C0C516B-13F3-4660-9693-9BE4BDC97EE4}"= UDP:c:\program files\Flagship Studios\Hellgate London\Launcher.exe:Hellgate: London
"{3B91BFA2-2309-4016-9554-BD29535D77AA}"= TCP:c:\program files\Flagship Studios\Hellgate London\Launcher.exe:Hellgate: London
"{5D460F6A-D7BF-4ABD-887A-8D9B2BF2B977}"= UDP:c:\program files\Electronic Arts\Battlefield 2142\BF2142.exe:Battlefield 2
"{F88CF28B-95B1-478E-8288-E4FC9F2BD287}"= TCP:c:\program files\Electronic Arts\Battlefield 2142\BF2142.exe:Battlefield 2
"TCP Query User{47803347-B971-4CAE-BB18-6F868FFBF4FD}c:\\program files\\electronic arts\\eadm\\core.exe"= UDP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"UDP Query User{DB2E4971-627E-471E-A78F-8EB9EBF3F5FA}c:\\program files\\electronic arts\\eadm\\core.exe"= TCP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"{088C2F14-77D6-4BE2-970B-2E955F20310B}"= UDP:c:\program files\iWin Games\iWinGames.exe:iWin Games application.
"{F8F5ED56-BD70-4DC2-878E-5BCA5765735F}"= TCP:c:\program files\iWin Games\iWinGames.exe:iWin Games application.
"{EBA790ED-C44F-45A9-832F-FA4C718CA124}"= UDP:c:\program files\iWin Games\WebUpdater.exe:iWin Games updater.
"{2D62BE08-64F6-40DD-A6B0-CBF05F15C299}"= TCP:c:\program files\iWin Games\WebUpdater.exe:iWin Games updater.
"{739FC847-E056-470B-9055-5F085B079A4A}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe
"{D74FB070-15CC-4F25-903C-40ACDB1417D6}"= UDP:c:\program files\Kodak\Digital Display\KodakDigitalDisplaySoftware.exe:Kodak digital display software
"{3CD12901-C791-4AD7-94B6-F147783D5869}"= TCP:c:\program files\Kodak\Digital Display\KodakDigitalDisplaySoftware.exe:Kodak digital display software
"{0359F754-3481-40CA-9CD9-8FEC72CC6BB4}"= UDP:c:\program files\Kodak\Digital Display\OrbKodakLauncher\DllStartupService.exe:KodakDigitalDisplayService
"{62CB98A7-812C-4431-82F5-431D4083039E}"= TCP:c:\program files\Kodak\Digital Display\OrbKodakLauncher\DllStartupService.exe:KodakDigitalDisplayService

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R?2 KodakDigitalDisplayService;KodakDigitalDisplayService;c:\program files\Kodak\Digital Display\OrbKodakLauncher\DllStartupService.exe [14/05/2009 12:21 PM 98304]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [06/08/2008 9:37 AM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [28/01/2009 9:35 AM 108552]
R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\System32\drivers\jswpslwf.sys [20/09/2009 7:48 PM 20352]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [06/08/2008 9:37 AM 297752]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\System32\drivers\HCW85BDA.sys [03/12/2008 10:20 PM 1426304]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [06/08/2008 9:37 AM 908056]
S3 A5AGU;D-Link Wireless LAN 802.11 USB device driver;c:\windows\System32\drivers\AGUx86.sys [20/09/2009 7:48 PM 892416]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\D-Link\RangeBooster G WUA-2340\JSWUtilVst\jswpsapi.exe [20/09/2009 7:48 PM 942080]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.theweathernetwork.com/weather/CASK0176
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=desktop
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://design-concept.ca/Core/Player/2020PlayerAX_Win32.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game08.zylom.com/activex/zylomgamesplayer.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-02 19:35
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4152655313-2468411337-1519091781-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:bb,35,98,d6,cf,c6,56,75,65,4f,e3,bd,68,ad,2e,0b,16,c7,79,12,71,b6,2a,
70,c7,f9,17,c8,92,c1,25,ac,49,65,c1,f4,41,78,e1,ff,61,4f,9a,77,49,0d,5b,98,\
"??"=hex:b5,51,b7,44,0f,48,fc,32,4e,b4,82,86,df,98,4b,0d

[HKEY_USERS\S-1-5-21-4152655313-2468411337-1519091781-1000\Software\SecuROM\License information*]
"datasecu"=hex:28,ab,93,76,ff,7a,11,e2,d4,17,f6,a6,09,bb,8d,7a,c5,b0,ca,c2,5b,
cc,c9,2f,64,42,7b,49,fa,3a,a4,94,1b,48,d1,2e,54,04,1c,ec,b3,2d,58,6e,93,11,\
"rkeysecu"=hex:f9,1a,fd,73,e3,8e,49,d2,36,81,ef,a6,aa,99,89,70
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2856)
c:\program files\Keyboard Express 3\KEYHOOK.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\System32\drivers\XAudio.exe
c:\windows\System32\WUDFHost.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\windows\System32\schtasks.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\hp\KBD\kbd.exe
.
**************************************************************************
.
Completion time: 2009-10-03 19:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-03 01:41
ComboFix2.txt 2009-10-02 05:00

Pre-Run: 216,598,536,192 bytes free
Post-Run: 216,605,057,024 bytes free

299 --- E O F --- 2009-10-02 21:51


Malwarebytes Log

Malwarebytes' Anti-Malware 1.41
Database version: 2897
Windows 6.0.6001 Service Pack 1

02/10/2009 9:34:06 PM
mbam-log-2009-10-02 (21-34-06).txt

Scan type: Quick Scan
Objects scanned: 92535
Time elapsed: 1 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[Mustang_Sally]

I hooked up another computer and downloaded Root Repeal & HijackThis. I put them on a memory stick and ran them from there. I was able to start Root Repeal, however, when I ran a scan, it seemed to be going very slow. It scanned for about 12 hours and it still wasn't done. I shut it down after that, so i don't have a log for Root Repeal. Below is my HijackThis log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:11:41 PM, on 05/10/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\system32\schtasks.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\System32\mobsync.exe
C:\Windows\Explorer.exe
C:\hp\kbd\kbd.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theweathe...eather/CASK0176
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Watch for Browser Events - {42A7CE31-CEE7-4CCE-A060-A44A7E52E062} - C:\PROGRA~1\KEYBOA~1\kie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - Startup: Keyboard Express 3.lnk = ?
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/f-secu.../fslauncher.cab
O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} (20-20 3D Viewer) - http://design-concep...yerAX_Win32.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/...vl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game08.zylom....gamesplayer.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7709 bytes

[AdvancedSetup]

Let's run an Online Anti-Virus scan to see if they detect anything else.

Eset NOD32 Online AntiVirus
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator.
To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

Please temporarily disable your current Anti-Virus in order to run this Online AV scanner.
Run Eset NOD32 Online AntiVirus

Note: You will need to use Internet Explorer for this scan.

• Tick the box next to YES, I accept the Terms of Use.
  
• Click Start
  
• When asked, allow the activex control to install
  
• Disable your current Antivirus software. You can usually do this with its Notfication Tray icon near the clock.
  
• Click Start
  
• Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checked
  
• Click Scan
  
• Wait for the scan to finish
  
• Re-enable your Anvirisus software.
  
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

[Mustang_Sally]

Thank-you so very much!! I think things are running fine now. Here is the log from NOD32...

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=9909393678047945974fc495022d025c
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-10-06 11:56:32
# local_time=2009-10-06 05:56:32 (-0600, Canada Central Standard Time)
# country="Canada"
# lang=1033
# osver=6.0.6001 NT Service Pack 1
# compatibility_mode=1026 61 83 95 3463708262000
# compatibility_mode=5889 61 66 100 541018741753508
# scanned=224308
# found=0
# cleaned=0
# scan_time=3333

[AdvancedSetup]

Looks good - You're quite welcome for all the help.


Please run the following to remove any tools that might have been used during the scanning and cleaning of your system.

STEP A
[indent]Uninstall ComboFix.exe

• Click START then RUN
  
• Now type Combofix /u (if you renamed Combofix.exe use that name instead) in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
  
• [indent][/indent]
  
• When shown the disclaimer, Select "2"

Remove this folder C:\QooBox if the uninstall instructions don't work and delete Combofix.exe AND check your system time and reset if needed[/indent]


I'll close your post soon so that other don't post into it and leave you with this information and suggestions.
So how did I get infected in the first place?


[indent]At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:


Disable and Enable System Restore-VISTA

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore-Vista

• Click the Vista/Start icon.
  
• Right Click >> Computer
  
• Click Properties.
  
• Click the System Protection tab.
  
• Uncheck All drives
  
• Click "Turn Off System Restore" at the prompt then click "Apply".
  
• Restart your computer.

Turn ON System Restore-Vista

• Click the Vista/Start icon
  
• Right Click >> Computer
  
• Click Properties.
  
• Click the System Protection tab.
  
• Checkmark All drives that were selected previously then click "Apply".

This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.
(Vista users, you must ensure that any program versions downloaded are Vista compatible BEFORE installing)

Install SpyWare Blaster
Download it from here
Find here the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works here

Install FireTrust SiteHound
You can find information and download it from here

Install hpHosts
Download it from here
hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad,
tracking and malicious websites. This prevents your computer from connecting to these untrusted sites
by redirecting them to 127.0.0.1 which is your own local computer.
hpHosts Support Forum

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Enable automatic Windows Update on your system in Control Panel, or at least manually scan each week for updates.

The windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic well and this is a must. I recommend Comodo Firewall Pro

A little outdated but good reading on how to prevent Malware


Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting Pre- HJT Post Instructions


Also don't forget that we offer FREE assistance with General PC questions and repair here PC Help
If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org[/indent]

.