RootKit infection

[SteveC63]

I got infected with a RootKit, and tried fixing it myself (backstory here: http://forums.malwarebytes.org/index.php?showtopic=96688&st=0&gopid=481618entry481618).

Short version: I got infected, ran ComboFix. CF apparently found a RootKit and cleaned it, but CF also left my network connections off. I tried a bunch of things to get it back, but no luck. (1PW asked if I had uninstalled CF. I hadn't, but after I did, I have the same issue - no network.)

One other note about running CF: When running, it flags that I have a couple of AV programs running: AVG and Ad-Watch. AVG was apparently corrupted by the infection, and I can't disable it or uninstall it because it thinks it's not even there. I do have Ad-Aware installed, but the Ad-Watch part is an upgrade that I never installed.

I know, I shouldn't have gotten so involved without adult supervision, but here I am.

I started following the procedure listed on the HJT topic, and here's my latest:

Ran Malwarebytes, scanned clean. Couldn't perform the update because of the network issue. Report below.

Downloaded and ran Defogger.

Downloaded and ran DDS, and it generated the two log files (below and atached)

Downloaded the GMER scanner, and tried to run it. It starts, then just after the window opens, the machine reboots. After restarting, nothing.

That's where I've left my PC.

Malwarebytes report:

--------------------Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 7622

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

10/1/2011 2:48:25 PM

mbam-log-2011-10-01 (14-48-25).txt

Scan type: Quick scan

Objects scanned: 188703

Time elapsed: 3 minute(s), 51 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

-----------------

DDS.txt:

-----------------

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23

Run by HP_Administrator at 9:26:38 on 2011-10-02

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3077 [GMT -7:00]

.

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Netgear Update Assistant\LanUpdate.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe

svchost.exe

C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE

C:\WINDOWS\system32\FsUsbExService.Exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\dllhost.exe

C:\HP\KBD\KBD.EXE

c:\windows\system\hpsysdrv.exe

C:\WINDOWS\system32\wscntfy.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://www.google.com

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop

uSearch Bar = hxxp://www.google.com/ie

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

mURLSearchHooks: H - No File

BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll

BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll

BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [EPSON Stylus Photo R280 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticka.exe /fu "c:\docume~1\hp_adm~1\locals~1\temp\E_SF.tmp" /EF "HKCU"

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [Creative Live! Cam Manager] "c:\program files\creative\creative live! cam\live! cam manager\CTLCMgr.exe"

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [LanUpdate] "c:\program files\netgear update assistant\LanUpdate.exe"

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe

mRun: [NPSStartup]

mRun: [AVFX Engine] c:\program files\creative\creative live! cam\videofx\StartFX.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [PCDrProfiler]

mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe

mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run

mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\freeco~1.lnk - c:\program files\freecom personal media suite\FCPMS.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\FINDFAST.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg311v3\wlancfg5.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe

IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm

IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm

IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Trusted Zone: hp.com\wimpro2.cce

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll

DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} - hxxp://www.miniclip.com/games/ricochet-lost-worlds/en/ReflexiveWebGameLoader.cab

DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab

DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - hxxp://www.acclaim.com/cabs/acclaim_v4.cab

DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175810906593

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - hxxp://www.photodex.com/pxplay.cab

DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} - hxxp://www.miniclip.com/igloader/igloader.CAB

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: Interfaces\{892900FC-9814-4488-99C0-81491C1EE93D} : DhcpNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: AtiExtEvent - Ati2evxx.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\i6290glg.default\

FF - prefs.js: browser.search.selectedEngine -

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: keyword.URL - hxxp://ws.infospace.com/guppy/ws/redir?qcat=web&qkw=

FF - component: c:\documents and settings\hp_administrator\application data\mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@lplay.com\components\lptlf.dll

FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll

FF - component: c:\program files\avg\avg10\firefox4\components\avgssff5.dll

FF - component: c:\program files\avg\avg10\firefox4\components\avgssff6.dll

FF - component: c:\program files\avg\avg10\firefox4\components\avgssff7.dll

FF - plugin: c:\documents and settings\hp_administrator\local settings\application data\robloxversions\version-b0b74ccbad4f4893\NPRobloxProxy.dll

FF - plugin: c:\documents and settings\hp_administrator\local settings\application data\unity\webplayer\loader\npUnity3D32.dll

FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll

FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\photodex presenter\npPxPlay.dll

FF - plugin: c:\program files\wildtangent games\app\browserintegration\registered\1\NP_wtapp.dll

.

============= SERVICES / DRIVERS ===============

.

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-1 64512]

R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2011-1-16 233472]

R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-10-12 1245064]

R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2011-1-16 36608]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-25 133104]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-9-29 2152152]

S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]

S3 dump_wmimmc;dump_wmimmc;\??\c:\program files\bots\gameguard\dump_wmimmc.sys --> c:\program files\bots\gameguard\dump_wmimmc.sys [?]

S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-12-12 13192]

S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-12-12 8456]

S3 GamesAppService;GamesAppService;c:\program files\wildtangent games\app\GamesAppService.exe [2010-10-12 206072]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-10-25 133104]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-7-21 15232]

S3 V0250Dev;Live! Cam Notebook Pro;c:\windows\system32\drivers\V0250Dev.sys [2011-1-27 163840]

.

=============== File Associations ===============

.

.scr=DWGTrueViewScriptFile

.

=============== Created Last 30 ================

.

2072-08-01 01:44:42 375808 ----a-w- c:\program files\microsoft games\halo\binkw32.dll

2011-10-01 04:49:23 616024 ----a-w- c:\windows\system32\COMCTL32.OCX

2011-10-01 04:49:23 -------- d-----w- c:\program files\XP TCPIP Repair

2011-10-01 02:33:35 -------- d-----w- C:\OEMSettings

2011-10-01 02:33:20 -------- d-----w- c:\program files\NETGEAR

2011-09-30 13:06:16 -------- d-s---w- C:\ComboFix

2011-09-30 05:20:16 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-30 04:37:38 -------- d-sha-r- C:\cmdcons

2011-09-30 04:26:28 98816 ----a-w- c:\windows\sed.exe

2011-09-30 04:26:28 518144 ----a-w- c:\windows\SWREG.exe

2011-09-30 04:26:28 256000 ----a-w- c:\windows\PEV.exe

2011-09-30 04:26:28 208896 ----a-w- c:\windows\MBR.exe

2011-09-30 02:07:21 -------- d-----w- c:\program files\CCleaner

2011-09-30 02:00:52 -------- d-----w- c:\documents and settings\hp_administrator\application data\Malwarebytes

2011-09-30 02:00:38 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-09-30 02:00:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-09-29 22:41:26 48016 --sha-w- c:\windows\system32\c_47915.nl_

2011-09-21 03:41:50 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2011-09-21 03:41:49 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll

2011-09-21 03:41:49 785368 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll

2011-09-21 03:41:49 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll

2011-09-21 03:41:49 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll

2011-09-21 03:41:49 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll

2011-09-21 03:41:49 1846232 ----a-w- c:\program files\mozilla firefox\mozjs.dll

2011-09-21 03:41:49 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll

2011-09-11 06:30:30 -------- d-----w- c:\documents and settings\hp_administrator\application data\HpUpdate

2011-09-11 06:30:26 -------- d-----w- c:\windows\Hewlett-Packard

2011-09-10 03:42:06 -------- d-----w- c:\documents and settings\hp_administrator\application data\Atari

2011-09-10 02:36:32 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll

2011-09-10 02:36:32 527192 ----a-w- c:\windows\system32\XAudio2_7.dll

2011-09-10 02:36:30 239960 ----a-w- c:\windows\system32\xactengine3_7.dll

2011-09-10 02:36:29 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll

2011-09-10 02:36:28 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll

2011-09-10 02:36:27 248672 ----a-w- c:\windows\system32\d3dx11_43.dll

2011-09-10 02:36:26 470880 ----a-w- c:\windows\system32\d3dx10_43.dll

2011-09-10 02:36:25 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll

2011-09-10 02:32:20 -------- d-----w- c:\program files\WildGames

2011-09-03 10:17:37 599040 ------w- c:\windows\system32\dllcache\crypt32.dll

2011-09-02 22:51:11 -------- d-----w- c:\documents and settings\hp_administrator\riotsGamesLogs

.

==================== Find3M ====================

.

2011-09-25 21:58:47 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-08-04 22:51:49 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-07-21 21:59:08 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-12 18:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe

2011-07-12 18:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-07-06 01:37:00 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2011-07-06 01:37:00 69632 ----a-w- c:\windows\system32\QuickTime.qts

.

============= FINISH: 9:27:47.68 ===============

[LDTate]

I tried a bunch of things to get it back, but no luck

Tell me what all you have done

[SteveC63]

I ran through the windows network diagnostics, I've reset the TCP/IP and Winsock. I think that's everything. It's been a few days, I might have forgotten something.

[LDTate]

Do you have a router?

Let’s try to reset the router to its default configuration.

• This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router.
  
• Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).
  
• You also need to reconfigure any security settings you had in place prior to the reset.
  
• You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.
  

[SteveC63]

I do have a router. I was skeptical that the problem was in the router, as other computers and devices in the house can connect to it.

Should I reset the router anyway?

[LDTate]

No.

If other devices are using it witout issues then leave it alone.

I see you already have combofix.

Run a combofix scan and post the results using copy/paste

[SteveC63]

When I run ComboFix, it completes 50 stages, shows text saying "Deleting files:", then my computer reboots. Upon restart, there's no sign of ComboFix having run. No file with scan results.

Another odd thing is that on my C: drive there is what appears to be another computer, named ComboFix. I expand it, and a mirror of 'My Computer' is in there, including, of course, another ComboFix computer icon. Expanding that gets another set, and another, ad nauseum. For what that's worth.

[LDTate]

Delete the combofix.exe you have on the desktop you have now and download a fresh copy and run it.

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  
• Double click on ComboFix.exe & follow the prompts.
  Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
  Note: If you have SP3, use the SP2 package.
  If Vista or Windows 7, skip the Recovery Console part
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it atleast 20-30 minutes to finish if needed.

Please do not attach the scan results from Combofx. Use copy/paste.

Also please describe how your computer behaves at the moment.

[SteveC63]

I downloaded a fresh copy of ComboFix, same results: PC restarts, then acts as though nothing happened.

During startup of ComboFix, I got warning messages that AVG and Ad-Watch software were running, and that I should disable them. AVG is corrupted, and I can't disable it. I tried to uninstall it via Windows' Add/Remove in Control Panel, but it errors out. I've attached the AVG log file. I was able to uninstall all Ad-aware products (none of which was Ad-Watch).

General behavior of the PC seems pretty normal, except for not recognizing that it's attached to a network.

mfa-20101020-022607.log

[LDTate]

If AVG will not uninstall, it is first recommended to uninstall it with AppRemover by Opswat. The AVG uninstaller can be downloaded from here > http://www.appremove.../AppRemover.exe Go to their homepage and you will see they have support for removal of other AV's as well http://www.appremover.com/

[SteveC63]

Hi,

I downloaded and ran AppRemover, and it looks like it successfully removed AVG. when I ran ComboFix, I didn't get the warnings about AV programs running. However, the PC acted just the same; it got through the 50 stages of ComboFix, the display got to a line of text about deleting files, then the PC rebooted.

I noticed an AVG remover file that I had forgotten about (avg_remover_stf_x86_2012_1796) on my desktop. I must have downloaded during earlier troubleshooting, and subsequently forgotten about it. Anyway, when I tried to delete it, I get an "Access is denied" error message. Not sure if related or not, just thought I ought to mention it.

Otherwise, normal operation of the PC.

[LDTate]

http://support.microsoft.com/kb/822798

Without internet connection you'll need to try the Let me fix it myself method.

[SteveC63]

I started going through the steps listed there, and I got through Method #4 with no changes to my PC's behavior.

It looks to me as though that KB page is about not being able to install a file, rather than not being able to delete one, which is what I think my problem is. If I'm wrong about that, please let me know.

While I haven't been able to delete the AVG remover from my desktop, I was able to manually remove a handful of AVG folders. After several restarts, both in and out of safe mode, I still can't delete that pest.

Any other suggestions? Should I go ahead and try the remaining methods on the MS KB page to which you referred me? I have to admit, I'm getting less confident in my abilities to not goof something up, now that the other methods are getting into the realm of registry editing and the like.

[LDTate]

Let's go ahead with trying Combofix.

[SteveC63]

I downloaded a new ComboFix, same results. PC restarts after completing 50 stages and getting to "Deleting files:"

One possible new thing I noticed is a hidden file on the desktop called "._ComboFix.exe" It might have been there all along and I just didn't notice it. I can't delete it, and it gives a cryptic-sounding error message if I try to run it: "The NTVDM CPU has encountered an illegal instruction," and a hexadecimal number.

[LDTate]

Please run a new MBAM scan being sure to update before scanning.

Post the scan results

Also please describe how your computer behaves at the moment.

Please don't attach the scans / logs, use "copy/paste".

[SteveC63]

Ran MBAM, scan results below. I can't update it before scanning, because I have no network access.

Computer behaves normally, except for not being able to see the network. Windows can recognize whether the network cable is attached or not, but can't see the network when the cable is attached. The error messages I'm getting say that the Local Area Connection has limited or no connectivity. I click on Repair, and the next message tells me that Windows couldn't finish repairing the problem because it couldn't renew my IP address.

Is it time to take the PC to a shop? Do I get a prize for stumping the experts?

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 7622

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

10/9/2011 7:34:42 PM

mbam-log-2011-10-09 (19-34-42).txt

Scan type: Quick scan

Objects scanned: 188452

Time elapsed: 3 minute(s), 46 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

[LDTate]

All a shop will do is re-install Windows.

The infection you had/have is new and the help sites are full of request like yours.

This is a prime example to always have your OS CD/DVD. Even if the OS was pre-installed, go out and buy a Full Windows OS.

Windows XP Repair Install

http://www.michaelstevenstech.com/XPrepairinstall.htm

[SteveC63]

I have the OS disk. Will a Windows re-install fix my issue?

Thanks for your help with this.

[LDTate]

Yes, it should.

Do the Repair Install not a reformat.

[SteveC63]

Turns out the disc I thought was my original OS disc was for a different PC in the house. I have XP Pro installed, the disc is for XP Home.

I don't think any of the applications I run require XP Pro, but from what I've read, the registration procedure might set off flags, since this disc was originally used on a different PC.

What now?

[LDTate]

Try this

Resetting the network adapter. The instructions for Windows 7 are here: http://windows.microsoft.com/en-AU/windows7/How-do-I-fix-network-adapter-problems

For other systems I think you can go to Device Manager, select the appropriate network adapter and do a repair. Also, have a look at http://support.microsoft.com/kb/825826 and http://windows.microsoft.com/en-US/windows-vista/Troubleshoot-network-adapter-problems

If none of this helps then it's possible the network adapter has failed and you need to replace it.

http://windows.microsoft.com/en-AU/windows7/How-do-I-fix-network-adapter-problems

http://support.microsoft.com/kb/825826

[SteveC63]

I've tried repairing the network connection via Windows, but no luck before. It always hangs at being unable to renew the IP address. I haven't tried the specific pages you linked to, I'll try them when I get home.

The first link seems to have a problem. It takes me to a MS error page saying Page could not be found.

[LDTate]

OK.

Fixed link as well

[SteveC63]

The short version is none of the following worked. The long version is below.

A software guy at work has offered to look at my PC if I bring it in. He's not a virus expert, but he's pretty savvy with networking issues. Should I give that a try, or are there more things that you would like to try?

I tried the first two links' suggestions, no change.

The third link, MS KB 825826, had some interesting results.

Method 1 had no effect.

Method 2 got me down into the Services & Applications Manager, and while all of the services were started, some were in manual, rather than automatic. I changed Network Connections, COM+ Event Systems, & Remote Access Connection Manager all to Automatic. After a reboot, everything is the same.

Method 3 is some kind of MS cruel joke. To troubleshoot your lack of network connectivity, they tell you to get online and....

Method 4 is using the dcomcnfg utility. Following the procedure, I get as far as step 4, activating the "Enable Distributed COM on this computer" checkbox. The next step, "Click the down arrow in the Default Impersonation Level box, and then click any setting other than Anonymous, and then click OK." doesn't work. The box where I would select 'any setting other than Anonymous" is blank.

If I click on the Default Protocols tab, the Component Services dialog crashes entirely.

Another odd thing about this section: when I first open Component Services, right-click on My Computer, and select Properties, I get a COM Security dialog box, and subsequent right-clicks get the My Computer Properties box mentioned in the procedure.

Moving down the KB page, I get to the advanced section. Here's how they worked:

Method 1 - System file check: No change.

Method 2 - Not performed. No teaming software installed.

Method 3 - Win 2000 only.

Method 4 - Resetting the network connections: No change.

Method 5 - The registry keys mentioned exist, but I have no way of knowing if their values are correct. I tried to follow the downstream troubleshooting steps ot MS, but neither the downloaded fixit or the manual method work. The registry editor doesn't like the method MS says to use to get the new entries into the registry.

Method 6 - Check for ghosted network controllers: Found four ghosted controllers. Uninstalled two. Device Manager thinks the other two are needed for booting the machine, but after rebooting, they're gone on their own. No change.

Method 7 - No change