
Active RECYCLER\S- Malware/Virus??

Discussion in 'Malware and Virus Removal Archive' started by jcmoses, 2009/03/22.

  1. 2009/03/22
    jcmoses

    jcmoses Inactive Thread Starter

    Joined:
    2009/03/22
    Messages:
    15
    Likes Received:
    0
    [Active] RECYCLER\S- Malware/Virus??

    I seem to have a bug that is going around. It seems to jam up my computer after a while and won't let me access my taskmgr, C: drive or D: drive, and gives me an error message "windows cannot find C:/RECYCLER\S..."

    It also was not letting me Google search, so it took me a while to find you guys. So far, I have tried downloading the Autorun Eater app, and it appeared to fix it, but the malware/virus has returned. I have also tried the ATF Cleaner with no victory. Please help; here are the requested logs.

    DDS
    DDS (Ver_09-03-16.01) - NTFSx86
    Run by Owner at 15:21:08.70 on 22/03/2009
    Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1480 [GMT -6:00]

    AV: COMODO Antivirus *On-access scanning enabled* (Updated)
    FW: COMODO Firewall *enabled*

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    C:\Program Files\HP\QuickPlay\QPService.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\COMODO\Firewall\cfp.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Autorun Eater\oldmcdonald.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\Program Files\palmOne\Hotsync.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\PROGRA~1\MICROS~2\rapimgr.exe
    C:\Program Files\Autorun Eater\billy.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Mozilla Firefox 3.1 Beta 2\firefox.exe
    C:\Documents and Settings\Owner\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.ca/
    uSearch Page = www.google.ca
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
    TB: {07AA283A-43D7-4CBE-A064-32A21112D94D} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [EPSON Stylus CX7400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticda.exe /fu "c:\windows\temp\E_SAC.tmp" /EF "HKCU "
    uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
    uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe "
    mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
    mRun: [DetectorApp] c:\program files\sonic\digitalmedia plus v7\mydvd plus\DetectorApp.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
    mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe "
    mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
    mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
    mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
    mRun: [Reminder] c:\windows\creator\Remind_XP.exe
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe "
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [COMODO Firewall Pro] "c:\program files\comodo\firewall\cfp.exe" -h
    mRun: [WinampAgent] "c:\program files\winamp\winampa.exe "
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe "
    mRun: [HotSync] "c:\program files\palmsource\desktop\HotSync.exe" -AllUsers
    mRun: [COMODO Internet Security] "c:\program files\comodo\firewall\cfp.exe" -h
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [Autorun Eater] c:\program files\autorun eater\oldmcdonald.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\Hotsync.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\paltalk.lnk - c:\program files\paltalk messenger\paltalk.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
    IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\paltalk messenger\Paltalk.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
    LSP: c:\windows\system32\CavEmLSP.dll
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
    DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1184277705054
    DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
    DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
    DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: NameServer = 85.255.112.8,85.255.112.156
    TCP: {09FF28E6-E4EC-4DA5-A253-80A7E436A762} = 85.255.112.8,85.255.112.156
    TCP: {336EB217-E5CD-43EA-BCB5-4545093EE65E} = 85.255.112.8,85.255.112.156
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs:
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\92bc366j.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - FireSearch
    FF - prefs.js: browser.startup.homepage - hxxp://www2.firesearch.com/
    FF - plugin: c:\progra~1\palmone\packag~1\NPInstal.dll

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref( "extensions.blocklist.level ", 2);
    c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref( "browser.ssl_override_behavior ", 2);
    c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref( "security.alternate_certificate_error_page ", "certerror ");
    c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref( "browser.privatebrowsing.autostart ", false);
    c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref( "browser.privatebrowsing.dont_prompt_on_enter ", false);

    ============= SERVICES / DRIVERS ===============

    R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-10-15 110992]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-10-15 24336]
    R2 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2008-12-4 234888]
    R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\firewall\cmdagent.exe [2008-10-15 700152]
    R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-1-3 1245064]

    =============== Created Last 30 ================

    2009-03-22 10:21 153 a------- c:\windows\cavscan.INI
    2009-03-22 10:02 <DIR> --d----- c:\program files\Autorun Eater
    2009-03-21 13:37 <DIR> --d----- c:\documents and settings\owner\The Rocker 2008 Angus DvDRIP
    2009-03-20 08:16 <DIR> --d----- c:\documents and settings\owner\The.Forbidden.Kingdom[2008]DvDrip-aXXo
    2009-03-19 13:36 <DIR> --d----- c:\docume~1\owner\applic~1\LearnLift
    2009-03-18 11:27 <DIR> --d----- c:\documents and settings\owner\Irvine Welsh - Porno 64k
    2009-03-18 10:55 <DIR> --d----- c:\documents and settings\owner\[PC] Max Payne 2 The Fall of Max Payne [RIP] [dopeman]
    2009-03-18 08:40 <DIR> --d----- c:\documents and settings\owner\Twilight[2008]DvDrip-aXXo
    2009-03-17 09:32 <DIR> --d----- C:\bin
    2009-03-17 09:26 <DIR> --d----- c:\program files\common files\Hewlett-Packard
    2009-03-17 09:25 38,400 a------- c:\windows\system32\hpz3l054.dll
    2009-03-17 09:24 282,680 a------- c:\windows\system32\HPZidr12.dll
    2009-03-17 09:24 204,800 a------- c:\windows\system32\HPZipr12.dll
    2009-03-17 09:24 94,208 a------- c:\windows\system32\HPZipt12.dll
    2009-03-17 09:24 73,728 a------- c:\windows\system32\HPZipm12.exe
    2009-03-17 09:24 65,536 a------- c:\windows\system32\HPZinw12.exe
    2009-03-17 09:24 57,344 a------- c:\windows\system32\HPZisn12.dll
    2009-03-17 09:00 117,155 a------- c:\windows\hpoins11.dat
    2009-03-17 09:00 49,664 a------- c:\windows\system32\drivers\HPZid412.sys
    2009-03-17 09:00 21,568 a------- c:\windows\system32\drivers\HPZius12.sys
    2009-03-17 09:00 16,496 a------- c:\windows\system32\drivers\HPZipr12.sys
    2009-03-17 08:59 827,392 a------- c:\windows\system32\hpotiop2.dll
    2009-03-17 08:59 659,456 a------- c:\windows\system32\hpowiax2.dll
    2009-03-17 08:59 282,624 a------- c:\windows\system32\HPZc3212.dll
    2009-03-17 08:59 254,026 a------- c:\windows\system32\hpovst09.dll
    2009-03-17 08:59 98,304 a------- c:\windows\system32\hpzjsn01.dll
    2009-03-17 08:59 77,824 a------- c:\windows\system32\HPZIDS01.dll
    2009-03-17 08:57 11,634 a------- c:\windows\hpomdl11.dat
    2009-03-09 10:43 0 a------- c:\windows\system32\HOT3A.tmp
    2009-03-09 07:39 <DIR> --d----- c:\program files\uTorrent
    2009-03-08 17:29 <DIR> --d----- c:\program files\Registry Mechanic(3)
    2009-02-25 23:52 <DIR> --d----- c:\program files\RegVac Registry Cleaner
    2009-02-25 23:19 4,470 a------- c:\windows\system32\CompTracker 4.7.un1
    2009-02-25 22:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Tick Find Close Surf

    ==================== Find3M ====================

    2009-02-28 11:26 155,384 a------- c:\windows\system32\guard32.dll
    2009-02-28 11:26 110,992 a------- c:\windows\system32\drivers\cmdguard.sys
    2009-02-20 12:10 24,336 a------- c:\windows\system32\drivers\cmdhlp.sys
    2009-02-09 05:13 1,846,784 a------- c:\windows\system32\win32k.sys
    2009-02-09 05:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
    2009-01-16 22:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
    2008-01-04 17:32 404 ac------ c:\docume~1\owner\applic~1\wklnhst.dat
    2008-09-17 19:12 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091720080918\index.dat

    ============= FINISH: 15:21:21.64 ===============

    ATTACH
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-03-16.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 11/07/2007 6:38:13 PM
    System Uptime: 22/03/2009 2:03:29 PM (1 hours ago)

    Motherboard: | |
    Processor: Genuine Intel(R) CPU T2400 @ 1.83GHz | | 1829/mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 66 GiB total, 17.142 GiB free.
    D: is FIXED (FAT32) - 7 GiB total, 0.633 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP242: 27/12/2008 11:21:27 AM - System Checkpoint
    RP243: 03/01/2009 4:07:48 PM - Shockwave Player
    RP244: 03/01/2009 4:12:56 PM - Shockwave Player
    RP245: 03/01/2009 5:10:36 PM - Shockwave Player
    RP246: 04/01/2009 8:22:27 PM - System Checkpoint
    RP247: 05/01/2009 9:38:53 PM - System Checkpoint
    RP248: 06/01/2009 10:18:01 PM - System Checkpoint
    RP249: 07/01/2009 8:39:05 PM - Removed palmOne
    RP250: 07/01/2009 8:42:01 PM - Removed Addit
    RP251: 07/01/2009 8:43:39 PM - Removed palmOne
    RP252: 07/01/2009 9:02:14 PM - Installed Palm Desktop by ACCESS
    RP253: 07/01/2009 9:13:30 PM - Removed Palm Desktop by ACCESS
    RP254: 07/01/2009 9:23:03 PM - Installed palmOne
    RP255: 07/01/2009 10:13:34 PM - Installed Palm Desktop by ACCESS
    RP256: 12/01/2009 9:21:25 PM - System Checkpoint
    RP257: 13/01/2009 9:44:23 PM - System Checkpoint
    RP258: 14/01/2009 5:20:22 PM - Software Distribution Service 3.0
    RP259: 14/01/2009 10:28:16 PM - Software Distribution Service 3.0
    RP260: 16/01/2009 11:29:47 PM - System Checkpoint
    RP261: 18/01/2009 11:55:04 AM - System Checkpoint
    RP262: 20/01/2009 7:41:28 PM - System Checkpoint
    RP263: 21/01/2009 9:43:13 PM - System Checkpoint
    RP264: 23/01/2009 6:45:24 PM - System Checkpoint
    RP265: 25/01/2009 3:29:38 PM - System Checkpoint
    RP266: 27/01/2009 9:28:52 PM - System Checkpoint
    RP267: 29/01/2009 7:44:12 PM - System Checkpoint
    RP268: 01/02/2009 3:26:53 PM - System Checkpoint
    RP269: 02/02/2009 8:41:02 PM - System Checkpoint
    RP270: 03/02/2009 9:25:45 PM - System Checkpoint
    RP271: 04/02/2009 10:25:47 PM - System Checkpoint
    RP272: 05/02/2009 10:34:34 PM - System Checkpoint
    RP273: 06/02/2009 11:18:34 PM - System Checkpoint
    RP274: 08/02/2009 12:04:52 AM - System Checkpoint
    RP275: 09/02/2009 5:48:36 PM - System Checkpoint
    RP276: 10/02/2009 9:58:11 PM - System Checkpoint
    RP277: 12/02/2009 3:00:27 AM - Software Distribution Service 3.0
    RP278: 13/02/2009 6:17:58 PM - System Checkpoint
    RP279: 15/02/2009 10:53:40 AM - System Checkpoint
    RP280: 16/02/2009 11:07:59 AM - System Checkpoint
    RP281: 17/02/2009 9:00:08 PM - System Checkpoint
    RP282: 19/02/2009 1:29:43 AM - System Checkpoint
    RP283: 20/02/2009 1:17:19 PM - System Checkpoint
    RP284: 23/02/2009 6:12:52 PM - System Checkpoint
    RP285: 25/02/2009 7:17:14 PM - Software Distribution Service 3.0
    RP286: 26/02/2009 7:27:20 PM - System Checkpoint
    RP287: 27/02/2009 8:27:02 PM - System Checkpoint
    RP288: 28/02/2009 8:57:33 PM - System Checkpoint
    RP289: 01/03/2009 9:17:54 PM - System Checkpoint
    RP290: 03/03/2009 10:41:38 AM - System Checkpoint
    RP291: 04/03/2009 11:51:23 AM - System Checkpoint
    RP292: 05/03/2009 12:50:15 PM - System Checkpoint
    RP293: 05/03/2009 8:20:34 PM - Restore Operation
    RP294: 05/03/2009 8:25:09 PM - Software Distribution Service 3.0
    RP295: 08/03/2009 2:30:46 PM - System Checkpoint
    RP296: 08/03/2009 3:25:18 PM - Restore Operation
    RP297: 08/03/2009 3:43:32 PM - Restore Operation
    RP298: 08/03/2009 4:14:22 PM - Restore Operation
    RP299: 09/03/2009 6:33:08 AM - Restore Operation
    RP300: 09/03/2009 9:41:44 AM - Removed Documents To Go
    RP301: 11/03/2009 1:18:05 PM - System Checkpoint
    RP302: 12/03/2009 5:58:31 AM - Software Distribution Service 3.0
    RP303: 13/03/2009 6:11:23 AM - System Checkpoint
    RP304: 16/03/2009 11:16:18 AM - Software Distribution Service 3.0
    RP305: 17/03/2009 9:27:24 AM - Installed HPSU306Stub
    RP306: 17/03/2009 9:39:06 AM - Printer Driver HP Officejet 6300 series fax Installed
    RP307: 18/03/2009 9:58:47 AM - Installed HP Product Assistant
    RP308: 18/03/2009 10:00:24 AM - Removed HPSU306Stub
    RP309: 18/03/2009 10:00:29 AM - Removed HP Software Update
    RP310: 18/03/2009 10:00:36 AM - Installed HP Update
    RP311: 19/03/2009 12:51:58 PM - Removed Apple Software Update
    RP312: 19/03/2009 12:53:58 PM - Removed Apple Mobile Device Support
    RP313: 19/03/2009 12:58:14 PM - Removed Bonjour
    RP314: 19/03/2009 1:00:06 PM - Removed iTunes
    RP315: 19/03/2009 1:35:25 PM - Installed MemoryLifter.
    RP316: 20/03/2009 12:50:02 PM - Removed MemoryLifter.

    ==== Installed Programs ======================

    µTorrent
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    6300
    6300_Help
    6300Trb
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Reader 9
    Adobe Shockwave Player 11
    AiO_Scan_CDA
    AiOSoftwareNPI
    ArcSoft PhotoImpression 6
    ArcSoft Print Creations
    Ask Toolbar
    Autorun Eater v2.3
    BufferChm
    COMODO Firewall Pro
    CompTracker 4.7
    Condition Zero
    Condition Zero Deleted Scenes
    Conexant HD Audio
    Counter-Strike
    Counter-Strike: Source
    CP_AtenaShokunin1Config
    CP_CalendarTemplates1
    cp_LightScribeConfig
    cp_OnlineProjectsConfig
    CP_Package_Basic1
    CP_Package_Variety1
    CP_Package_Variety2
    CP_Package_Variety3
    CP_Panorama1Config
    cp_PosterPrintConfig
    cp_UpdateProjectsConfig
    Critical Update for Windows Media Player 11 (KB959772)
    CueTour
    Customer Experience Enhancement
    CustomerResearchQFolder
    Day of Defeat
    Deathmatch Classic
    Destinations
    DivX Content Uploader
    DivX Web Player
    DocProc
    DocProcQFolder
    DocumentViewer
    DocumentViewerQFolder
    EPSON CX7400 User's Guide
    EPSON Printer Software
    EPSON Scan
    EPSON Stylus CX7400 Series Scanner Driver Update
    eSupportQFolder
    Fax_CDA
    FLV Player
    HDAUDIO Soft Data Fax Modem with SmartCP
    HDExtrem
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Format SDK (KB902344)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    HP Customer Participation Program 7.0
    HP Document Viewer 7.0
    HP Imaging Device Functions 7.0
    HP Photosmart Premier Software 6.5
    HP Photosmart, Officejet and Deskjet 7.0.A
    HP Product Assistant
    HP QuickPlay 2.0
    HP Solution Center 7.0
    HP Update
    HP User Guides--System Recovery
    HP User Guides 0009
    HP Wireless Assistant 2.00 B3
    HPPhotoSmartExpress
    HPProductAssistant
    HpSdpAppCoreApp
    InstantShareDevices
    InstantShareDevicesMFC
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PRO Network Connections Drivers
    J2SE Runtime Environment 5.0 Update 6
    Java(TM) 6 Update 11
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    LightScribe 1.4.52.1
    LimeWire PRO 4.12.15
    LiveUpdate (Symantec Corporation)
    MarketResearch
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 1
    Microsoft .NET Framework 3.0
    Microsoft ActiveSync
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook 2007
    Microsoft Office Outlook 2007 Trial
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Software Update for Web Folders (English) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    Mozilla Firefox (2.0.0.16)
    Mozilla Firefox (3.1b2)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 6.0 Parser (KB933579)
    NewCopy_CDA
    OCR Software by I.R.I.S 7.0
    OptionalContentQFolder
    Palm Conduit Support for COM
    Palm Desktop by ACCESS
    PaltalkScene
    PanoStandAlone
    PhotoGallery
    PLAYSTATION(R)Network Downloader
    ProductContextNPI
    Quick Launch Buttons 5.20 F2
    QuickTime
    RandMap
    Readme
    RegVac Registry Cleaner 4.02 (Registered Version)
    Ricochet
    Scan
    ScannerCopy
    Security Update for 2007 Microsoft Office System (KB951550)
    Security Update for 2007 Microsoft Office System (KB951944)
    Security Update for 2007 Microsoft Office System (KB958439)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft Office Excel 2007 (KB958437)
    Security Update for Microsoft Office OneNote 2007 (KB950130)
    Security Update for Microsoft Office PowerPoint 2007 (KB951338)
    Security Update for Microsoft Office system 2007 (KB954326)
    Security Update for Microsoft Office system 2007 (KB956828)
    Security Update for Microsoft Office Word 2007 (KB956358)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Visio 2007 (KB947590)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    SkinsHP1
    SlideShow
    SmartAudio
    SolutionCenter
    Sonic Audio Module
    Sonic Copy Module
    Sonic Data Module
    Sonic Express Labeler
    Sonic MyDVD Plus
    Sonic Update Manager
    Sonic_PrimoSDK
    Source Dedicated Server
    Status
    Steam
    Symantec KB-DocID:2003093015493306
    Synaptics Pointing Device Driver
    Toolbox
    TrayApp
    Unload
    Update for Microsoft Office Outlook 2007 (KB952142)
    Update for Office 2007 (KB946691)
    Update for Outlook 2007 Junk Email Filter (kb962871)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    WebFldrs XP
    WebReg
    Windows Communication Foundation
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Internet Explorer 7
    Windows Live installer
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Presentation Foundation
    Windows Workflow Foundation
    Windows XP Service Pack 3
    WinRAR archiver
    XML Paper Specification Shared Components Pack 1.0

    ==== Event Viewer Messages From Past Week ========

    22/03/2009 2:17:55 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.

    ==== End Of File ===========================

    Thanks!!
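As an added example (not part of this thread, and not code from DDS or ComboFix), a small Python triage pass over a constructed excerpt of the log lines posted in this thread (the DDS report above and the ComboFix deletion list further down). It flags resolver addresses outside an assumed allowlist (the 192.168.1.1 home router is an assumption), BHO/toolbar CLSIDs with no backing file, an executable named like a SID sitting directly under \RECYCLER, and long letters-only driver names such as the gaopdx* files.

```python
import re
from typing import List, Tuple

# Constructed excerpt of the DDS "Pseudo HJT Report" / services lines and the ComboFix
# "Other Deletions" list posted in this thread (DDS writes hxxp for http on purpose).
SAMPLE_LOG = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: {07AA283A-43D7-4CBE-A064-32A21112D94D} - No File
mRun: [Autorun Eater] c:\program files\autorun eater\oldmcdonald.exe
TCP: NameServer = 85.255.112.8,85.255.112.156
TCP: {09FF28E6-E4EC-4DA5-A253-80A7E436A762} = 85.255.112.8,85.255.112.156
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-10-15 110992]
c:\recycler\S-8-0-63-100005971-100023801-100020101-8909.com
c:\windows\system32\drivers\gaopdxgsfmbsmwihjtvefyvmwahsdnmhgxiasg.sys
c:\windows\system32\drivers\HPZid412.sys
"""

# Assumption for the example: the only resolver this laptop should be handed is its
# home router. A real allowlist would hold the ISP's or corporate resolvers instead.
EXPECTED_RESOLVERS = {"192.168.1.1"}

# File types that have no business sitting directly under \RECYCLER with a SID-like name;
# a real recycle bin holds per-user S-1-5-21-... directories, not .com/.exe files.
EXEC_EXT = {".exe", ".com", ".bat", ".scr", ".pif", ".dll", ".sys"}

# Heuristic: driver stems this long made of nothing but lowercase letters are rarely vendor names.
RANDOM_STEM_MIN = 20

NAMESERVER_RE = re.compile(r"^TCP:\s+(?:NameServer|\{[0-9A-Fa-f-]+\})\s*=\s*(.+)$")
RECYCLER_RE = re.compile(r"\\recycler\\S-[\d-]+(\.\w+)$", re.IGNORECASE)
DRIVER_RE = re.compile(r"\\system32\\drivers\\([A-Za-z]+)\.sys\b")

Finding = Tuple[str, str]  # (category, detail)


def check_resolvers(line: str) -> List[Finding]:
    """Flag DNS servers not on the allowlist, for the global and the per-interface entries."""
    m = NAMESERVER_RE.match(line)
    if not m:
        return []
    servers = [s.strip() for s in m.group(1).split(",") if s.strip()]
    unexpected = [s for s in servers if s not in EXPECTED_RESOLVERS]
    if not unexpected:
        return []
    return [("dns", f"unexpected resolver(s) {', '.join(unexpected)} in: {line}")]


def check_orphan_hooks(line: str) -> List[Finding]:
    """BHO/toolbar CLSIDs that point at no file: leftovers of an uninstall or a removal."""
    if line.startswith(("BHO:", "TB:")) and line.endswith("- No File"):
        return [("orphan", line)]
    return []


def check_recycler(line: str) -> List[Finding]:
    """An executable named like a SID directly under \\RECYCLER matches the poster's error text."""
    m = RECYCLER_RE.search(line)
    if m and m.group(1).lower() in EXEC_EXT:
        return [("recycler", line)]
    return []


def check_driver_name(line: str) -> List[Finding]:
    """Long, letters-only driver names under system32\\drivers (e.g. the gaopdx* files)."""
    m = DRIVER_RE.search(line)
    if m and len(m.group(1)) >= RANDOM_STEM_MIN and m.group(1).islower():
        return [("driver", line)]
    return []


CHECKS = (check_resolvers, check_orphan_hooks, check_recycler, check_driver_name)


def triage(text: str) -> List[Finding]:
    """Run every check over every non-empty line and collect the findings."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for check in CHECKS:
            findings.extend(check(line))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per category so a helper sees at a glance what needs attention."""
    counts: dict = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for category, detail in results:
        print(f"[{category}] {detail}")
    print(summarize(results))
```

The resolver check is the one that matters most here: a per-interface entry that agrees with a global NameServer nobody configured is the pattern to take to the helper, while the "No File" entries are only cleanup candidates.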
     
  2. 2009/03/22
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi jcmoses
    Welcome to WindowsBBS.

    Please do this.

    Download RootRepeal.zip to your Desktop.
    • Extract the compressed file to its own folder.
    • Open the folder and double-click on RootRepeal.exe to run it.
    • Click on the Report tab, and then click on: Scan
    • A window opens asking what to include in the scan.
    • Check the following boxes then click OK:
      • Drivers
      • Files
      • Processes
      • SSDT
      • Stealth Objects
      • Hidden Services
    • You will then be asked which drive to scan.
    • Check C: (or the drive your operating system is installed on, if not C)
    • Click OK once again.
    The tool will begin scanning and may take a while to complete, so please be patient.

    When the scan finishes, click on: Save Report
    Name the log RootRepeal.txt and save it to your Documents folder (it should default there).

    Post the contents of the report in a reply here.

    Thanks
    Geri
     


  4. 2009/03/23
    jcmoses

    jcmoses Inactive Thread Starter

    Joined:
    2009/03/22
    Messages:
    15
    Likes Received:
    0
    Thanks for the speedy response!! I found another thread with a similar problem and followed the instructions given to him... sorry :) I hope that doesn't mess things up. I did the Malwarebytes thing and it didn't work for me, so I did the ComboFix and it worked successfully. I tried Malwarebytes again and it worked.

    Here is the ComboFix .txt.
    ComboFix 09-03-22.01 - Owner 2009-03-23 6:56:44.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1677 [GMT -6:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: COMODO Antivirus *On-access scanning disabled* (Updated)
    FW: COMODO Firewall *disabled*
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Owner\Local Settings\Temporary Internet Files\ENCSC-Download.com.2.5.1040.0.exe
    c:\recycler\S-8-0-63-100005971-100023801-100020101-8909.com
    c:\windows\a.bat
    c:\windows\base64.tmp
    c:\windows\FVProtect.exe
    c:\windows\iTunesMusic.exe
    c:\windows\system32\drivers\gaopdxgsfmbsmwihjtvefyvmwahsdnmhgxiasg.sys
    c:\windows\system32\drivers\gaopdxtmqoiyauxyydtuaxefnrbrismlfybqrs.sys
    c:\windows\system32\gaopdxcounter
    c:\windows\system32\gaopdxtvgiiwymvxkxfcywdxmfbeofxmuoghra.dll
    c:\windows\system32\akttzn.exe
    c:\windows\system32\anticipator.dll
    c:\windows\system32\awtoolb.dll
    c:\windows\system32\bdn.com
    c:\windows\system32\bsva-egihsg52.exe
    c:\windows\system32\dpcproxy.exe
    c:\windows\system32\emesx.dll
    c:\windows\system32\h@tkeysh@@k.dll
    c:\windows\system32\hoproxy.dll
    c:\windows\system32\hxiwlgpm.dat
    c:\windows\system32\hxiwlgpm.exe
    c:\windows\system32\medup012.dll
    c:\windows\system32\medup020.dll
    c:\windows\system32\msgp.exe
    c:\windows\system32\msnbho.dll
    c:\windows\system32\mssecu.exe
    c:\windows\system32\msvchost.exe
    c:\windows\system32\mtr2.exe
    c:\windows\system32\mwin32.exe
    c:\windows\system32\netode.exe
    c:\windows\system32\newsd32.exe
    c:\windows\system32\ps1.exe
    c:\windows\system32\psof1.exe
    c:\windows\system32\psoft1.exe
    c:\windows\system32\regc64.dll
    c:\windows\system32\regm64.dll
    c:\windows\system32\Rundl1.exe
    c:\windows\system32\smp
    c:\windows\system32\smp\msrc.exe
    c:\windows\system32\sncntr.exe
    c:\windows\system32\ssurf022.dll
    c:\windows\system32\ssvchost.com
    c:\windows\system32\ssvchost.exe
    c:\windows\system32\sysreq.exe
    c:\windows\system32\taack.dat
    c:\windows\system32\taack.exe
    c:\windows\system32\temp#01.exe
    c:\windows\system32\thun.dll
    c:\windows\system32\thun32.dll
    c:\windows\system32\VBIEWER.OCX
    c:\windows\system32\vbsys2.dll
    c:\windows\system32\vcatchpi.dll
    c:\windows\system32\winlogonpc.exe
    c:\windows\system32\winsystem.exe
    c:\windows\system32\WINWGPX.EXE
    c:\windows\userconfig9x.dll
    c:\windows\Web\def.htm
    c:\windows\zip1.tmp
    c:\windows\zip2.tmp
    c:\windows\zip3.tmp
    c:\windows\zipped.tmp

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_gaopdxserv.sys


    ((((((((((((((((((((((((( Files Created from 2009-02-23 to 2009-03-23 )))))))))))))))))))))))))))))))
    .

    2009-03-22 17:14 . 2009-03-22 17:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware.com
    2009-03-22 17:14 . 2009-03-22 17:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-03-22 17:14 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-03-22 17:14 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-03-22 10:21 . 2009-03-22 10:21 153 --a------ c:\windows\cavscan.INI
    2009-03-22 10:02 . 2009-03-22 16:33 <DIR> d-------- c:\program files\Autorun Eater
    2009-03-22 09:29 . 2009-03-22 09:29 <DIR> d-------- c:\documents and settings\Guest\Application Data\HP
    2009-03-21 13:37 . 2009-03-21 13:37 <DIR> d-------- c:\documents and settings\Owner\The Rocker 2008 Angus DvDRIP
    2009-03-20 08:16 . 2009-03-20 08:16 <DIR> d-------- c:\documents and settings\Owner\The.Forbidden.Kingdom[2008]DvDrip-aXXo
    2009-03-19 13:36 . 2009-03-19 13:36 <DIR> d-------- c:\documents and settings\Owner\Application Data\LearnLift
    2009-03-18 11:27 . 2009-03-19 07:50 <DIR> d-------- c:\documents and settings\Owner\Irvine Welsh - Porno 64k
    2009-03-18 10:55 . 2009-03-19 11:35 <DIR> d-------- c:\documents and settings\Owner\[PC] Max Payne 2 The Fall of Max Payne [RIP] [dopeman]
    2009-03-18 09:58 . 2009-03-18 09:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP Product Assistant
    2009-03-18 08:40 . 2009-03-19 09:32 <DIR> d-------- c:\documents and settings\Owner\Twilight[2008]DvDrip-aXXo
    2009-03-17 09:32 . 2009-03-17 09:32 <DIR> d-------- C:\bin
    2009-03-17 09:26 . 2009-03-17 09:26 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
    2009-03-17 09:25 . 2006-04-10 14:03 38,400 --a------ c:\windows\system32\hpz3l054.dll
    2009-03-17 09:24 . 2006-03-03 21:03 282,680 --a------ c:\windows\system32\HPZidr12.dll
    2009-03-17 09:24 . 2006-03-03 21:02 204,800 --a------ c:\windows\system32\HPZipr12.dll
    2009-03-17 09:24 . 2006-03-03 21:02 94,208 --a------ c:\windows\system32\HPZipt12.dll
    2009-03-17 09:24 . 2007-08-09 01:27 73,728 --a------ c:\windows\system32\HPZipm12.exe
    2009-03-17 09:24 . 2006-03-03 21:03 65,536 --a------ c:\windows\system32\HPZinw12.exe
    2009-03-17 09:24 . 2006-03-03 21:02 57,344 --a------ c:\windows\system32\HPZisn12.dll
    2009-03-17 09:00 . 2009-03-17 09:47 117,155 --a------ c:\windows\hpoins11.dat
    2009-03-17 09:00 . 2006-04-12 18:04 49,664 --a------ c:\windows\system32\drivers\HPZid412.sys
    2009-03-17 09:00 . 2006-04-12 18:04 21,568 --a------ c:\windows\system32\drivers\HPZius12.sys
    2009-03-17 09:00 . 2006-04-12 18:04 16,496 --a------ c:\windows\system32\drivers\HPZipr12.sys
    2009-03-17 08:59 . 2006-04-12 18:02 827,392 --a------ c:\windows\system32\hpotiop2.dll
    2009-03-17 08:59 . 2006-04-12 18:02 659,456 --a------ c:\windows\system32\hpowiax2.dll
    2009-03-17 08:59 . 2006-04-12 18:04 282,624 --a------ c:\windows\system32\HPZc3212.dll
    2009-03-17 08:59 . 2006-04-12 18:02 254,026 --a------ c:\windows\system32\hpovst09.dll
    2009-03-17 08:59 . 2005-07-18 19:38 98,304 --a------ c:\windows\system32\hpzjsn01.dll
    2009-03-17 08:59 . 2006-01-04 02:12 77,824 --a------ c:\windows\system32\HPZIDS01.dll
    2009-03-17 08:57 . 2006-05-05 15:18 11,634 --a------ c:\windows\hpomdl11.dat
    2009-03-09 10:43 . 2009-03-09 10:43 0 --a------ c:\windows\system32\HOT3A.tmp
    2009-03-09 07:39 . 2009-03-09 07:39 <DIR> d-------- c:\program files\uTorrent
    2009-03-09 07:38 . 2009-03-09 07:38 <DIR> d-------- c:\documents and settings\Owner\Application Data\HotSync
    2009-03-09 07:38 . 2009-03-09 07:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\HotSync
    2009-03-09 07:37 . 2009-03-09 07:37 <DIR> d-------- c:\documents and settings\Guest\Application Data\HotSync
    2009-03-08 17:29 . 2009-03-09 07:35 <DIR> d-------- c:\program files\Registry Mechanic(3)
    2009-02-25 23:52 . 2009-03-22 14:24 <DIR> d-------- c:\program files\RegVac Registry Cleaner
    2009-02-25 23:19 . 2009-02-25 23:19 4,470 --a------ c:\windows\system32\CompTracker 4.7.un1
    2009-02-25 22:46 . 2009-03-19 12:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Tick Find Close Surf

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-22 22:34 --------- d-----w c:\program files\Mozilla Firefox 3.1 Beta 2
    2009-03-21 22:44 --------- d-----w c:\documents and settings\Owner\Application Data\uTorrent
    2009-03-21 20:06 --------- d-----w c:\program files\Steam
    2009-03-20 00:33 --------- d-----w c:\program files\Common Files\Symantec Shared
    2009-03-20 00:33 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
    2009-03-19 18:54 --------- d-----w c:\program files\Common Files\Apple
    2009-03-18 16:00 --------- d-----w c:\program files\HP
    2009-03-17 15:31 --------- d-----w c:\program files\Common Files\Sonic Shared
    2009-03-17 15:31 --------- d-----w c:\program files\Common Files\HP
    2009-03-17 15:27 --------- d-----w c:\program files\Hewlett-Packard
    2009-03-12 15:51 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-03-12 12:59 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-03-11 20:02 --------- d-----w c:\program files\palmOne
    2009-03-09 17:13 --------- d-----w c:\documents and settings\All Users\Application Data\CompTracker
    2009-03-09 13:39 --------- d-----w c:\program files\CompTracker
    2009-03-09 13:39 --------- d-----w c:\documents and settings\All Users\Application Data\comodo
    2009-03-09 13:38 --------- d-----w c:\documents and settings\Owner\Application Data\ArcSoft
    2009-03-09 13:32 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2009-03-03 03:07 --------- d-----w c:\documents and settings\Owner\Application Data\LimeWire
    2009-02-28 17:26 155,384 ----a-w c:\windows\system32\guard32.dll
    2009-02-28 17:26 110,992 ----a-w c:\windows\system32\drivers\cmdguard.sys
    2009-02-20 18:10 24,336 ----a-w c:\windows\system32\drivers\cmdhlp.sys
    2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
    2009-02-09 11:13 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys
    2009-01-17 04:35 3,594,752 ------w c:\windows\system32\dllcache\mshtml.dll
    2008-01-04 23:32 404 -c--a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
    2008-07-16 19:13 67,696 -c--a-w c:\program files\mozilla firefox\components\jar50.dll
    2008-07-16 19:13 54,376 -c--a-w c:\program files\mozilla firefox\components\jsd3250.dll
    2008-07-16 19:13 34,952 -c--a-w c:\program files\mozilla firefox\components\myspell.dll
    2008-07-16 19:13 46,720 -c--a-w c:\program files\mozilla firefox\components\spellchk.dll
    2008-07-16 19:13 172,144 -c--a-w c:\program files\mozilla firefox\components\xpinstal.dll
    2008-09-18 01:12 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091720080918\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2008-11-24 21:25 333192 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98} "= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-24 333192]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98} "= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-24 333192]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "EPSON Stylus CX7400 Series "= "c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE" [2007-02-15 179200]
    "MsnMsgr "= "c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
    "H/PC Connection Agent "= "c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DetectorApp "= "c:\program files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe" [2005-10-20 102400]
    "SynTPEnh "= "c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-11 761945]
    "hpWirelessAssistant "= "c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-11-16 503808]
    "QPService "= "c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
    "eabconfg.cpl "= "c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-07 409600]
    "Cpqset "= "c:\program files\HPQ\Default Settings\cpqset.exe" [2005-05-18 233534]
    "RecGuard "= "c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
    "Reminder "= "c:\windows\CREATOR\Remind_XP.exe" [2005-10-28 679936]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2008-12-07 136600]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
    "COMODO Firewall Pro "= "c:\program files\COMODO\Firewall\cfp.exe" [2009-02-28 1851128]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "COMODO Internet Security "= "c:\program files\COMODO\Firewall\cfp.exe" [2009-02-28 1851128]
    "HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "Autorun Eater "= "c:\program files\Autorun Eater\oldmcdonald.exe" [2008-11-27 501768]
    "High Definition Audio Property Page Shortcut "= "CHDAudPropShortcut.exe" [2006-04-18 c:\windows\system32\CHDAudPropShortcut.exe]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2008-01-03 1392640]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
    HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 73728]
    PalTalk.lnk - c:\program files\Paltalk Messenger\paltalk.exe [2008-05-08 10452992]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\LimeWire\\LimeWire.exe "=
    "c:\\Program Files\\Steam\\Steam.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE "=
    "c:\\Program Files\\Steam\\steamapps\\jcbehrens\\condition zero\\hl.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe "=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe "= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe "= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe "= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "c:\\Program Files\\uTorrent\\uTorrent.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3724:TCP "= 3724:TCP:Blizzard Downloader: 3724
    "26675:TCP "= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-10-15 110992]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-10-15 24336]
    R2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [2008-12-04 234888]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
    .
    Contents of the 'Scheduled Tasks' folder

    2009-03-13 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
    - c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-10-18 04:04]
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file)
    HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe
    HKLM-Run-HotSync - c:\program files\PalmSource\Desktop\HotSync.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.ca/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    IE: {{4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\Paltalk Messenger\Paltalk.exe
    LSP: c:\windows\system32\CavEmLSP.dll
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\92bc366j.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - FireSearch
    FF - prefs.js: browser.startup.homepage - hxxp://www2.firesearch.com/
    FF - plugin: c:\progra~1\palmOne\PACKAG~1\NPInstal.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref( "extensions.blocklist.level ", 2);
    c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref( "browser.ssl_override_behavior ", 2);
    c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref( "security.alternate_certificate_error_page ", "certerror ");
    c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref( "browser.privatebrowsing.autostart ", false);
    c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref( "browser.privatebrowsing.dont_prompt_on_enter ", false);
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-23 06:59:46
    Windows 5.1.2600 Service Pack 3 NTFS

    detected NTDLL code modification:
    ZwClose, ZwOpenFile

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????P??|?????? ???B?????????????hLC? ??????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1021110209-3373441594-2293552223-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "?? "=hex:1f,0d,37,25,44,ab,d1,1e,8f,87,e9,80,e9,d7,6f,0e,08,e6,4a,26,55,14,1b,
    f3,dd,64,2d,f8,f2,f9,e1,a9,9d,5d,af,b1,77,69,78,e5,d0,85,dd,be,6f,20,25,54,\
    "?? "=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(944)
    c:\windows\system32\guard32.dll

    - - - - - - - > 'lsass.exe'(1004)
    c:\windows\system32\guard32.dll
    c:\windows\system32\CavEmLSP.dll
    .
    Completion time: 2009-03-23 7:01:20
    ComboFix-quarantined-files.txt 2009-03-23 13:01:17

    Pre-Run: 18,289,971,200 bytes free
    Post-Run: 19,119,456,256 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    311 --- E O F --- 2009-03-16 17:20:43


    Just in case, here is the log you requested.

    ROOTREPEAL (c) AD, 2007-2008
    ==================================================
    Scan Time: 2009/03/23 07:18
    Program Version: Version 1.2.3.0
    Windows Version: Windows XP SP3
    ==================================================

    Drivers
    -------------------
    Name: dump_iaStor.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
    Address: 0x9F4C1000 Size: 876544 File Visible: No
    Status: -

    Name: kdgv.sys
    Image Path: kdgv.sys
    Address: 0xF7487000 Size: 61440 File Visible: No
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0x9E9AE000 Size: 45056 File Visible: No
    Status: -

    Hidden/Locked Files
    -------------------
    Path: C:\hiberfil.sys
    Status: Locked to the Windows API!

    Path: C:\WINDOWS\system32\config\software.LOG
    Status: Size mismatch (API: 24576, Raw: 32768)

    Path: C:\Documents and Settings\Owner\Local Settings\temp\hpodvd09.log
    Status: Allocation size mismatch (API: 4096, Raw: 0)

    Path: C:\Documents and Settings\Owner\Local Settings\temp\WCESLog.log
    Status: Allocation size mismatch (API: 288, Raw: 0)

    Path: C:\Documents and Settings\Owner\Local Settings\temp\~ROMFN_00000A28
    Status: Allocation size mismatch (API: 4096, Raw: 0)

    Path: C:\Documents and Settings\Owner\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρϴϱЄϱЃϵϳЅ
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Owner\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρЂϻϵЉЃϵϳЅ
    Status: Locked to the Windows API!

    SSDT
    -------------------
    #: 011 Function Name: NtAdjustPrivilegesToken
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0x9f7b32a0

    #: 031 Function Name: NtConnectPort
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0x9f7b27c2

    #: 037 Function Name: NtCreateFile
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0x9f7b2e5c

    #: 041 Function Name: NtCreateKey
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0x9f7b3a6a

    #: 046 Function Name: NtCreatePort
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0x9f7b251c

    #: 050 Function Name: NtCreateSection
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0x9f7b4776

    #: 052 Function Name: NtCreateSymbolicLinkObject
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0x9f7b3486

    #: 053 Function Name: NtCreateThread
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0x9f7b20ea

    #: 063 Function Name: NtDeleteKey
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0x9f7b36d4

    #: 065 Function Name: NtDeleteValueKey
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0x9f7b3884

    #: 068 Function Name: NtDuplicateObject
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0x9f7b1e4c

    #: 097 Function Name: NtLoadDriver
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0x9f7b43f8

    #: 105 Function Name: NtMakeTemporaryObject
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0x9f7b2a46

    #: 116 Function Name: NtOpenFile
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0x9f7b3094

    #: 122 Function Name: NtOpenProcess
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0x9f7b1b7c

    #: 125 Function Name: NtOpenSection
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0x9f7b2cd6

    #: 128 Function Name: NtOpenThread
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0x9f7b1cf4

    #: 192 Function Name: NtRenameKey
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0x9f7b3e30

    #: 200 Function Name: NtRequestWaitReplyPort
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0x9f7b263a

    #: 210 Function Name: NtSecureConnectPort
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0x9f7b4194

    #: 240 Function Name: NtSetSystemInformation
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0x9f7b45a6

    #: 247 Function Name: NtSetValueKey
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0x9f7b3c30

    #: 249 Function Name: NtShutdownSystem
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0x9f7b29e0

    #: 255 Function Name: NtSystemDebugControl
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0x9f7b2bca

    #: 257 Function Name: NtTerminateProcess
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0x9f7b23e6

    #: 258 Function Name: NtTerminateThread
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0x9f7b22b4
     
  5. 2009/03/23
    jcmoses

    jcmoses Inactive Thread Starter

    Joined:
    2009/03/22
    Messages:
    15
    Likes Received:
    0
    Here is the Malwarebytes log.

    Malwarebytes' Anti-Malware 1.34
    Database version: 1749
    Windows 5.1.2600 Service Pack 3

    23/03/2009 7:08:57 AM
    mbam-log-2009-03-23 (07-08-57).txt

    Scan type: Quick Scan
    Objects scanned: 66603
    Time elapsed: 2 minute(s), 57 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 8
    Registry Values Infected: 0
    Registry Data Items Infected: 5
    Folders Infected: 1
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1f158a1e-a687-4a11-9679-b3ac64b86a1c} (Adware.Seekmo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AllFilesystemObjects\shellex\ContextMenuHandlers\pcsd (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\pcsd (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\Local Page (Hijack.Search) -> Bad: (http://www2.iesearch.com/) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.8,85.255.112.156 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{09ff28e6-e4ec-4da5-a253-80a7e436a762}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.8,85.255.112.156 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{336eb217-e5cd-43ea-bcb5-4545093ee65e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.8,85.255.112.156 -> Quarantined and deleted successfully.

    Folders Infected:
    C:\Documents and Settings\Owner\Application Data\PC-Cleaner (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Documents and Settings\Owner\Application Data\PC-Cleaner\log.dat (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\PC-Cleaner\settings.dat (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
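    The two logs above (the ComboFix run in post #4 and the Malwarebytes run in post #5) contain three findings that are worth pulling out of a log mechanically rather than by eye: NameServer values pointing at resolvers the machine was never configured to use (the Trojan.DNSChanger entries), an AutoRun handler registered under MountPoints2 for drive D: (the RunDLL32 ... Info.exe command, which is how an autorun worm re-launches from a removable drive), and driver files with long random-looking names (the gaopdx* components, a rootkit naming pattern). The script below is an added example and is not part of this thread, of ComboFix or of Malwarebytes. It runs those checks over lines copied from the two logs, embedded as a constructed sample. The allow-list of expected resolvers (192.168.1.1, a typical home router) is an assumption to be replaced with the resolvers this machine actually uses, and the length and entropy thresholds in the driver-name check are likewise assumptions chosen to fit the names seen here.

```python
"""Triage checks over ComboFix / Malwarebytes log text (added example, not tool output)."""
import ipaddress
import math
import re
from collections import Counter

# Constructed sample: lines copied from the ComboFix and Malwarebytes logs in this thread.
SAMPLE_LOG = r"""
c:\windows\system32\drivers\gaopdxgsfmbsmwihjtvefyvmwahsdnmhgxiasg.sys
c:\windows\system32\drivers\gaopdxtmqoiyauxyydtuaxefnrbrismlfybqrs.sys
c:\windows\system32\drivers\mbamswissarmy.sys
c:\windows\system32\drivers\cmdguard.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.8,85.255.112.156 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{09ff28e6-e4ec-4da5-a253-80a7e436a762}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.8,85.255.112.156 -> Quarantined and deleted successfully.
"""

# Assumption: the resolvers this machine is supposed to use (here a typical home router).
EXPECTED_RESOLVERS = {"192.168.1.1"}

# One NameServer value per line: "<registry key>\NameServer ... Data: ip[,ip...]".
NAMESERVER_RE = re.compile(r"^\s*(HKEY\S*\\NameServer)\s.*?Data:\s*([0-9.,]+)", re.M)
# A MountPoints2 drive key followed by its AutoRun command on the next line.
AUTORUN_RE = re.compile(r"mountpoints2\\([A-Za-z])\]\s+\\Shell\\AutoRun\\command - (.+)", re.I)
# Driver basenames under a \drivers\ directory.
DRIVER_RE = re.compile(r"\\drivers\\([A-Za-z0-9_]+)\.sys", re.I)


def rogue_nameservers(log, expected=EXPECTED_RESOLVERS):
    """Return (registry_key, ip, is_global) for every resolver not on the allow-list."""
    allow = {ipaddress.ip_address(a) for a in expected}
    hits = []
    for key, data in NAMESERVER_RE.findall(log):
        for raw in data.split(","):
            ip = ipaddress.ip_address(raw.strip())
            if ip not in allow:
                hits.append((key, str(ip), ip.is_global))
    return hits


def autorun_commands(log):
    """Return (drive, command) for each MountPoints2 AutoRun handler. Any handler here
    runs when the drive is double-clicked, so every one of them deserves a look."""
    return [(drive.upper(), cmd.strip()) for drive, cmd in AUTORUN_RE.findall(log)]


def shannon_entropy(text):
    """Bits per character; random letter strings score close to log2(alphabet size)."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def random_looking_drivers(log, min_len=20, min_entropy=3.5):
    """Driver names that are long, letters-only and high-entropy, the pattern of the
    gaopdx* components above. Thresholds are assumptions tuned to those names."""
    return [
        name for name in DRIVER_RE.findall(log)
        if len(name) >= min_len and name.isalpha()
        and shannon_entropy(name.lower()) >= min_entropy
    ]


def triage(log, expected=EXPECTED_RESOLVERS):
    """Run all checks and return the findings grouped by check."""
    return {
        "rogue_nameservers": rogue_nameservers(log, expected),
        "autorun_handlers": autorun_commands(log),
        "random_drivers": random_looking_drivers(log),
    }


if __name__ == "__main__":
    for check, findings in triage(SAMPLE_LOG).items():
        print(f"{check}: {len(findings)} finding(s)")
        for finding in findings:
            print("   ", finding)
```

    Run it as-is to print the findings for the embedded sample, or pass the text of a full log to triage(). The allow-list check is the one that matters: the script reports every resolver it was not told to expect, so a legitimate ISP resolver will also show up until it is added to EXPECTED_RESOLVERS, and the is_global flag on each hit tells you whether the address is even routable outside the LAN. Note that the Malwarebytes log only lists ControlSet003; after cleaning, the NameServer values under the other ControlSet keys and under each interface GUID are worth checking the same way, since a stale control set can carry the rogue resolvers back on the next boot.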
     
  6. 2009/03/24
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi

    I see you have P2P software (LimeWire, BitTorrent, uTorrent, etc.) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

    References for the risk of these programs are here, and here.

    I would strongly recommend that you uninstall them.

    Note: Please be advised that continued use of these programs after being warned of the danger of infections from them may result in the discontinued help of future cleaning of your system here at WindowsBBS Malware and Virus removal.

    Please do this.

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.

    Code:
    File::
    c:\windows\system32\HOT3A.tmp
    
    Folder::
    c:\documents and settings\All Users\Application Data\Tick Find Close Surf
    
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

    Please post the ComboFix log.

    Geri
     
    Geri,
    #5
  7. 2009/03/25
    jcmoses

    jcmoses Inactive Thread Starter

    Joined:
    2009/03/22
    Messages:
    15
    Likes Received:
    0
    I'm going to be needing a reliable computer now for the new job, and I tried to just start fresh and erase everything and reinstall XP back to factory settings. When I tried, I got an error message saying there was "no drives detected... make sure they are powered up and retry" or something along those lines. How do I just kick everything off and start from scratch?

    Here is the requested log. Thanks again for everything! :)
    ComboFix 09-03-23.01 - Owner 2009-03-25 7:00:01.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1599 [GMT -6:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
    AV: COMODO Antivirus *On-access scanning disabled* (Updated)
    FW: COMODO Firewall *disabled*
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Tick Find Close Surf

    .
    ((((((((((((((((((((((((( Files Created from 2009-02-25 to 2009-03-25 )))))))))))))))))))))))))))))))
    .

    2009-03-24 06:51 . 2009-03-24 06:51 <DIR> d-------- c:\documents and settings\Owner\Application Data\WildTangent
    2009-03-24 06:48 . 2009-03-24 06:50 <DIR> d-------- c:\program files\WildGames
    2009-03-24 06:48 . 2009-03-24 10:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\WildTangent
    2009-03-23 07:05 . 2009-03-23 07:05 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
    2009-03-22 17:14 . 2009-03-22 17:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware.com
    2009-03-22 17:14 . 2009-03-22 17:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-03-22 17:14 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-03-22 17:14 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-03-22 10:21 . 2009-03-22 10:21 153 --a------ c:\windows\cavscan.INI
    2009-03-22 10:02 . 2009-03-25 06:40 <DIR> d-------- c:\program files\Autorun Eater
    2009-03-22 09:29 . 2009-03-22 09:29 <DIR> d-------- c:\documents and settings\Guest\Application Data\HP
    2009-03-21 13:37 . 2009-03-23 12:26 <DIR> d-------- c:\documents and settings\Owner\The Rocker 2008 Angus DvDRIP
    2009-03-19 13:36 . 2009-03-19 13:36 <DIR> d-------- c:\documents and settings\Owner\Application Data\LearnLift
    2009-03-18 09:58 . 2009-03-18 09:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP Product Assistant
    2009-03-18 08:40 . 2009-03-23 12:27 <DIR> d-------- c:\documents and settings\Owner\Twilight[2008]DvDrip-aXXo
    2009-03-17 09:32 . 2009-03-17 09:32 <DIR> d-------- C:\bin
    2009-03-17 09:26 . 2009-03-17 09:26 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
    2009-03-17 09:25 . 2006-04-10 14:03 38,400 --a------ c:\windows\system32\hpz3l054.dll
    2009-03-17 09:24 . 2006-03-03 21:03 282,680 --a------ c:\windows\system32\HPZidr12.dll
    2009-03-17 09:24 . 2006-03-03 21:02 204,800 --a------ c:\windows\system32\HPZipr12.dll
    2009-03-17 09:24 . 2006-03-03 21:02 94,208 --a------ c:\windows\system32\HPZipt12.dll
    2009-03-17 09:24 . 2007-08-09 01:27 73,728 --a------ c:\windows\system32\HPZipm12.exe
    2009-03-17 09:24 . 2006-03-03 21:03 65,536 --a------ c:\windows\system32\HPZinw12.exe
    2009-03-17 09:24 . 2006-03-03 21:02 57,344 --a------ c:\windows\system32\HPZisn12.dll
    2009-03-17 09:00 . 2009-03-17 09:47 117,155 --a------ c:\windows\hpoins11.dat
    2009-03-17 09:00 . 2006-04-12 18:04 49,664 --a------ c:\windows\system32\drivers\HPZid412.sys
    2009-03-17 09:00 . 2006-04-12 18:04 21,568 --a------ c:\windows\system32\drivers\HPZius12.sys
    2009-03-17 09:00 . 2006-04-12 18:04 16,496 --a------ c:\windows\system32\drivers\HPZipr12.sys
    2009-03-17 08:59 . 2006-04-12 18:02 827,392 --a------ c:\windows\system32\hpotiop2.dll
    2009-03-17 08:59 . 2006-04-12 18:02 659,456 --a------ c:\windows\system32\hpowiax2.dll
    2009-03-17 08:59 . 2006-04-12 18:04 282,624 --a------ c:\windows\system32\HPZc3212.dll
    2009-03-17 08:59 . 2006-04-12 18:02 254,026 --a------ c:\windows\system32\hpovst09.dll
    2009-03-17 08:59 . 2005-07-18 19:38 98,304 --a------ c:\windows\system32\hpzjsn01.dll
    2009-03-17 08:59 . 2006-01-04 02:12 77,824 --a------ c:\windows\system32\HPZIDS01.dll
    2009-03-17 08:57 . 2006-05-05 15:18 11,634 --a------ c:\windows\hpomdl11.dat
    2009-03-09 10:43 . 2009-03-09 10:43 0 --a------ c:\windows\system32\HOT3A.tmp
    2009-03-09 07:39 . 2009-03-09 07:39 <DIR> d-------- c:\program files\uTorrent
    2009-03-09 07:38 . 2009-03-09 07:38 <DIR> d-------- c:\documents and settings\Owner\Application Data\HotSync
    2009-03-09 07:38 . 2009-03-09 07:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\HotSync
    2009-03-09 07:37 . 2009-03-09 07:37 <DIR> d-------- c:\documents and settings\Guest\Application Data\HotSync
    2009-03-08 17:29 . 2009-03-09 07:35 <DIR> d-------- c:\program files\Registry Mechanic(3)
    2009-02-25 23:52 . 2009-03-22 14:24 <DIR> d-------- c:\program files\RegVac Registry Cleaner
    2009-02-25 23:19 . 2009-02-25 23:19 4,470 --a------ c:\windows\system32\CompTracker 4.7.un1

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-25 04:05 --------- d-----w c:\documents and settings\Owner\Application Data\uTorrent
    2009-03-23 17:53 --------- d-----w c:\program files\Steam
    2009-03-23 13:52 410,984 ----a-w c:\windows\system32\deploytk.dll
    2009-03-23 13:52 --------- d-----w c:\program files\Java
    2009-03-22 22:34 --------- d-----w c:\program files\Mozilla Firefox 3.1 Beta 2
    2009-03-20 00:33 --------- d-----w c:\program files\Common Files\Symantec Shared
    2009-03-20 00:33 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
    2009-03-19 18:54 --------- d-----w c:\program files\Common Files\Apple
    2009-03-18 16:00 --------- d-----w c:\program files\HP
    2009-03-17 15:31 --------- d-----w c:\program files\Common Files\Sonic Shared
    2009-03-17 15:31 --------- d-----w c:\program files\Common Files\HP
    2009-03-17 15:27 --------- d-----w c:\program files\Hewlett-Packard
    2009-03-12 15:51 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-03-12 12:59 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-03-11 20:02 --------- d-----w c:\program files\palmOne
    2009-03-09 17:13 --------- d-----w c:\documents and settings\All Users\Application Data\CompTracker
    2009-03-09 13:39 --------- d-----w c:\program files\CompTracker
    2009-03-09 13:39 --------- d-----w c:\documents and settings\All Users\Application Data\comodo
    2009-03-09 13:38 --------- d-----w c:\documents and settings\Owner\Application Data\ArcSoft
    2009-03-09 13:32 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2009-03-03 03:07 --------- d-----w c:\documents and settings\Owner\Application Data\LimeWire
    2009-02-28 17:26 155,384 ----a-w c:\windows\system32\guard32.dll
    2009-02-28 17:26 110,992 ----a-w c:\windows\system32\drivers\cmdguard.sys
    2009-02-20 18:10 24,336 ----a-w c:\windows\system32\drivers\cmdhlp.sys
    2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
    2009-02-09 11:13 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys
    2009-01-17 04:35 3,594,752 ------w c:\windows\system32\dllcache\mshtml.dll
    2008-01-04 23:32 404 -c--a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
    2008-07-16 19:13 67,696 -c--a-w c:\program files\mozilla firefox\components\jar50.dll
    2008-07-16 19:13 54,376 -c--a-w c:\program files\mozilla firefox\components\jsd3250.dll
    2008-07-16 19:13 34,952 -c--a-w c:\program files\mozilla firefox\components\myspell.dll
    2008-07-16 19:13 46,720 -c--a-w c:\program files\mozilla firefox\components\spellchk.dll
    2008-07-16 19:13 172,144 -c--a-w c:\program files\mozilla firefox\components\xpinstal.dll
    2008-09-18 01:12 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091720080918\index.dat
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-03-23_ 7.00.24.45 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-12-07 18:12:18 144,792 ----a-w c:\windows\system32\java.exe
    + 2009-03-23 13:52:37 144,792 ----a-w c:\windows\system32\java.exe
    - 2008-12-07 18:12:18 144,792 ----a-w c:\windows\system32\javaw.exe
    + 2009-03-23 13:52:37 144,792 ----a-w c:\windows\system32\javaw.exe
    - 2008-12-07 18:12:18 148,888 ----a-w c:\windows\system32\javaws.exe
    + 2009-03-23 13:52:37 148,888 ----a-w c:\windows\system32\javaws.exe
    - 2009-03-22 23:33:52 72,554 ----a-w c:\windows\system32\perfc009.dat
    + 2009-03-25 12:44:22 72,554 ----a-w c:\windows\system32\perfc009.dat
    - 2009-03-22 23:33:52 445,096 ----a-w c:\windows\system32\perfh009.dat
    + 2009-03-25 12:44:22 445,096 ----a-w c:\windows\system32\perfh009.dat
    + 2009-03-25 12:40:18 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7e4.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2008-11-24 21:25 333192 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98} "= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-24 333192]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98} "= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-24 333192]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "EPSON Stylus CX7400 Series "= "c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE" [2007-02-15 179200]
    "MsnMsgr "= "c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
    "H/PC Connection Agent "= "c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DetectorApp "= "c:\program files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe" [2005-10-20 102400]
    "SynTPEnh "= "c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-11 761945]
    "hpWirelessAssistant "= "c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-11-16 503808]
    "QPService "= "c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
    "eabconfg.cpl "= "c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-07 409600]
    "Cpqset "= "c:\program files\HPQ\Default Settings\cpqset.exe" [2005-05-18 233534]
    "RecGuard "= "c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
    "Reminder "= "c:\windows\CREATOR\Remind_XP.exe" [2005-10-28 679936]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
    "COMODO Firewall Pro "= "c:\program files\COMODO\Firewall\cfp.exe" [2009-02-28 1851128]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "COMODO Internet Security "= "c:\program files\COMODO\Firewall\cfp.exe" [2009-02-28 1851128]
    "HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "Autorun Eater "= "c:\program files\Autorun Eater\oldmcdonald.exe" [2008-11-27 501768]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-03-23 148888]
    "High Definition Audio Property Page Shortcut "= "CHDAudPropShortcut.exe" [2006-04-18 c:\windows\system32\CHDAudPropShortcut.exe]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2008-01-03 1392640]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
    HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 73728]
    PalTalk.lnk - c:\program files\Paltalk Messenger\paltalk.exe [2008-05-08 10452992]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\LimeWire\\LimeWire.exe "=
    "c:\\Program Files\\Steam\\Steam.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE "=
    "c:\\Program Files\\Steam\\steamapps\\jcbehrens\\condition zero\\hl.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe "=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe "= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe "= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe "= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "c:\\Program Files\\uTorrent\\uTorrent.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3724:TCP "= 3724:TCP:Blizzard Downloader: 3724
    "26675:TCP "= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-10-15 110992]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-10-15 24336]
    R2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [2008-12-04 234888]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
    .
    Contents of the 'Scheduled Tasks' folder

    2009-03-13 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
    - c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-10-18 04:04]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.ca/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    LSP: c:\windows\system32\CavEmLSP.dll
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\92bc366j.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - FireSearch
    FF - prefs.js: browser.startup.homepage - hxxp://www2.firesearch.com/
    FF - plugin: c:\progra~1\palmOne\PACKAG~1\NPInstal.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref( "extensions.blocklist.level ", 2);
    c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref( "browser.ssl_override_behavior ", 2);
    c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref( "security.alternate_certificate_error_page ", "certerror ");
    c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref( "browser.privatebrowsing.autostart ", false);
    c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref( "browser.privatebrowsing.dont_prompt_on_enter ", false);
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-25 07:02:37
    Windows 5.1.2600 Service Pack 3 NTFS

    detected NTDLL code modification:
    ZwClose, ZwOpenFile

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????P??|?@???? ???B?????????????hLC? ??????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1021110209-3373441594-2293552223-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "?? "=hex:1f,0d,37,25,44,ab,d1,1e,8f,87,e9,80,e9,d7,6f,0e,08,e6,4a,26,55,14,1b,
    f3,dd,64,2d,f8,f2,f9,e1,a9,9d,5d,af,b1,77,69,78,e5,d0,85,dd,be,6f,20,25,54,\
    "?? "=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(948)
    c:\windows\system32\guard32.dll

    - - - - - - - > 'lsass.exe'(1012)
    c:\windows\system32\guard32.dll
    c:\windows\system32\CavEmLSP.dll
    .
    Completion time: 2009-03-25 7:04:11
    ComboFix-quarantined-files.txt 2009-03-25 13:04:09
    ComboFix2.txt 2009-03-23 13:01:21

    Pre-Run: 21,203,865,600 bytes free
    Post-Run: 21,227,843,584 bytes free

    255 --- E O F --- 2009-03-16 17:20:43
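    Three things in the log above are worth pulling out before anything else: the MountPoints2 entry for D: whose \Shell\AutoRun\command runs Info.exe through Shell32's ShellExec_RunDLL (the form Explorer uses when it caches a volume's autorun.inf action; that reading is mine, the log only shows the resulting command), the Security Center values AntiVirusDisableNotify and DisableMonitoring set to 1 alongside EnableFirewall set to 0, and Run-key entries whose binary sits somewhere unusual or for which ComboFix prints no date and size. The Python below is an added example from this editor, not part of the thread and not ComboFix's own code: it runs those three checks over excerpted log lines. The sample is constructed from lines in this thread's logs (the sysfbtray / freddy41.exe line comes from the later log in this thread); the "odd location" patterns are a heuristic of mine, not something ComboFix or the log defines.

```python
import re

# Constructed sample input: lines excerpted from the ComboFix logs posted in this
# thread, with the surrounding lines dropped. Not a complete log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"sysfbtray"="c:\windows\freddy41.exe" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
"""

KEY_RE = re.compile(r"^\[-?(.+)\]$")
# "name"="value" [meta]; the forum copy sometimes has a stray space before the closing quote
VALUE_RE = re.compile(r'^"(?P<name>[^"]*?)\s*"\s*=\s*(?P<rest>.*)$')
META_RE = re.compile(r"\[(?P<meta>[^\]]*)\]\s*$")
DATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\b")      # ComboFix normally prints [date size]

# Heuristic (mine, not ComboFix's): places where an autostart executable is rarely legitimate.
ODD_LOCATIONS = [
    re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I),   # dropped straight into the Windows root
    re.compile(r"\\recycler\\", re.I),                     # the RECYCLER\S-... trick from this thread
    re.compile(r"\\temp\\", re.I),
    re.compile(r"\\application data\\.*\.exe$", re.I),
]
# Values malware flips to silence Security Center and the XP firewall.
BAD_SETTINGS = {
    "antivirusdisablenotify": "dword:00000001",
    "disablemonitoring": "dword:00000001",
    "enablefirewall": "0",
}


def triage(log_text):
    """Return a list of (category, detail) findings from ComboFix log text."""
    findings = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        # 1. Cached autorun.inf handler for a volume (MountPoints2\<drive>\Shell\AutoRun\command)
        if "mountpoints2" in key and line.lower().startswith(r"\shell\autorun\command"):
            cmd = line.split(" - ", 1)[-1]
            # ShellExec_RunDLL is only the launcher; what follows it is the real payload
            target = re.split(r"shellexec_rundll", cmd, maxsplit=1, flags=re.I)[-1].strip()
            drive = key.rsplit("\\", 1)[-1].upper()
            findings.append(("autorun", "%s: runs %s" % (drive, target)))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name = m.group("name").strip()
        rest = m.group("rest").strip()
        mm = META_RE.search(rest)
        meta = mm.group("meta") if mm else None
        value = (rest[:mm.start()] if mm else rest).strip().strip('"').strip()
        # 2. Security Center / firewall policy tampering
        if "security center" in key or "firewallpolicy" in key:
            want = BAD_SETTINGS.get(name.lower())
            first = (value.split() or [""])[0].lower()
            if want is not None and first == want:
                findings.append(("tampering", "%s=%s under %s" % (name, value, key)))
            continue
        # 3. Run-key entries: no [date size] from ComboFix, or an odd file location
        if key.endswith(r"\currentversion\run"):
            reasons = []
            if meta is None or not DATED_RE.match(meta):
                reasons.append("no date/size in log (tag %r)" % meta)
            if any(p.search(value) for p in ODD_LOCATIONS):
                reasons.append("odd location")
            if reasons:
                findings.append(("run", "%s -> %s: %s" % (name, value, "; ".join(reasons))))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print("[%s] %s" % (category, detail))
```

    On the sample this yields one autorun finding (D: runs Info.exe protect.ed 480 480), three tampering findings and one Run-key finding for freddy41.exe, while qttask.exe and RecGuard.exe pass. The autorun finding is the one that explains the original symptom: an autorun entry cached for D: means the infected volume re-seeds the machine every time it is opened in Explorer, which is why the CFScript in this thread removes that MountPoints2 key rather than just the dropped files.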
     
  8. 2009/03/26
    Geri Lifetime Subscription

    Geri Inactive Alumni

  9. 2009/03/31
    jcmoses

    jcmoses Inactive Thread Starter

    Hey,

    Sorry my reply took so long. I have a lot of stuff on my computer right now that I am too scared of losing and I am going to get a new computer in a few months anyway, so there is no point in wiping it clean.

    I forget where we are at now. Let me know what the next step is or what you need.

    Thanks :)
     
  10. 2009/04/02
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi
    OK please do this.

    Please delete the Combofix you have and download the newer version and run it like this.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post the Combofix log
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.

    Then run RootRepeal and post the log.

    Download RootRepeal.zip to your Desktop.
    • Extract the compressed file to its own folder.
    • Open the folder and doubleclick on RootRepeal.exe to run it.
    • Click on the Report tab, and then click on: Scan
    • A window opens asking what to include in the scan.
    • Check the following boxes then click OK:
      • Drivers
      • Files
      • Processes
      • SSDT
      • Stealth Objects
      • Hidden Services
    • You will then be asked which drive to scan.
    • Check C: (or the drive your operating system is installed on, if not C)
    • Click OK once again.
    The tool will begin scanning and may take a while to complete, so please be patient.

    When the scan finishes, click on: Save Report
    Name the log RootRepeal.txt and save it to your Documents folder (it should default there).

    Post the contents of the report in a reply here.

    Post the new Combofix log and the RootRepeal log.

    Thanks
    Geri
     
  11. 2009/04/30
    jcmoses

    jcmoses Inactive Thread Starter

    Hey Geri,

    Here are the logs you have requested. After I performed these, I was unable to access the internet with IE and Firefox, but could use MSN and Limewire, so I did a system restore to undo it... not sure what to do.

    ComboFix 09-04-28.02 - Owner 28/04/2009 16:08.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1612 [GMT -6:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: COMODO Antivirus *On-access scanning disabled* (Updated)
    FW: COMODO Firewall *disabled*
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\freddy41.exe
    c:\windows\ld08.exe
    c:\windows\pp06.exe
    c:\windows\system32\796525
    c:\windows\system32\796525\796525.dll
    c:\windows\system32\dll32.exe

    .
    ((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
    .

    2009-04-28 02:11 . 2009-04-28 20:35 2466 ---h--w c:\windows\f5087.dat
    2009-04-28 02:09 . 2009-04-28 02:09 1 ---h--w c:\windows\f23567.dat
    2009-04-28 02:09 . 2009-04-28 02:09 2 ---h--w c:\windows\t55ft2667f44.dat
    2009-04-23 05:57 . 2009-04-23 05:57 -------- d-----w c:\documents and settings\Owner\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    2009-04-15 23:16 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
    2009-04-15 23:16 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
    2009-04-15 23:16 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
    2009-04-15 23:16 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
    2009-04-15 23:16 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
    2009-04-15 23:16 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
    2009-04-15 23:16 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
    2009-04-15 23:16 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
    2009-04-15 23:16 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
    2009-04-15 23:16 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
    2009-04-15 23:12 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
    2009-04-15 23:12 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
    2009-04-13 20:53 . 2009-04-28 21:33 -------- d-----w c:\documents and settings\Owner\Incomplete
    2009-04-13 00:54 . 2009-04-13 00:54 -------- d-----w c:\documents and settings\Guest\Tracing
    2009-04-10 03:37 . 2009-04-28 21:58 -------- d-----w c:\documents and settings\Owner\Tracing
    2009-04-10 01:26 . 2009-04-16 09:13 -------- d-----w c:\program files\Microsoft Silverlight
    2009-04-10 01:26 . 2009-04-10 01:26 -------- d-----w c:\program files\Microsoft Office Outlook Connector
    2009-04-10 01:26 . 2009-02-07 00:08 55152 ----a-w c:\windows\system32\drivers\fssfltr_tdi.sys
    2009-04-10 01:25 . 2009-04-10 01:25 -------- d-----w c:\program files\Microsoft Sync Framework
    2009-04-10 01:24 . 2009-04-10 01:24 -------- d-----w c:\program files\Microsoft SQL Server Compact Edition
    2009-04-10 01:20 . 2009-04-10 01:26 -------- d-----w c:\program files\Microsoft
    2009-04-10 01:20 . 2009-04-10 01:20 -------- d-----w c:\program files\Windows Live SkyDrive
    2009-04-10 01:09 . 2009-04-10 01:09 -------- d-----w c:\program files\Common Files\Windows Live

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-28 21:38 . 2009-02-26 05:52 -------- d-----w c:\program files\RegVac Registry Cleaner
    2009-04-28 21:36 . 2009-01-08 04:18 -------- d-----w c:\program files\Mozilla Firefox 3.1 Beta 2
    2009-04-25 16:07 . 2008-12-20 08:25 -------- d-----w c:\program files\palmOne
    2009-04-10 01:26 . 2008-02-27 06:07 -------- d-----w c:\program files\Windows Live
    2009-04-08 01:45 . 2008-04-04 17:40 664 ----a-w c:\windows\system32\d3d9caps.dat
    2009-03-26 13:52 . 2009-03-24 12:48 -------- d-----w c:\program files\WildGames
    2009-03-25 21:49 . 2009-03-22 16:02 -------- d-----w c:\program files\Autorun Eater
    2009-03-25 21:44 . 2007-07-22 13:40 -------- d-----w c:\program files\Common Files\Adobe
    2009-03-23 17:53 . 2007-07-28 16:28 -------- d-----w c:\program files\Steam
    2009-03-23 13:52 . 2008-12-07 18:12 410984 ----a-w c:\windows\system32\deploytk.dll
    2009-03-23 13:52 . 2006-01-03 11:59 -------- d-----w c:\program files\Java
    2009-03-22 23:14 . 2009-03-22 23:14 -------- d-----w c:\program files\Malwarebytes' Anti-Malware.com
    2009-03-22 15:29 . 2008-04-13 23:14 56840 -c--a-w c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-03-20 00:33 . 2008-04-25 19:15 -------- d-----w c:\program files\Common Files\Blizzard Entertainment
    2009-03-20 00:33 . 2006-01-03 11:34 -------- d-----w c:\program files\Common Files\Symantec Shared
    2009-03-19 18:54 . 2008-11-09 00:39 -------- d-----w c:\program files\Common Files\Apple
    2009-03-18 16:00 . 2006-01-03 11:31 -------- d-----w c:\program files\HP
    2009-03-17 15:47 . 2009-03-17 15:00 117155 ----a-w c:\windows\hpoins11.dat
    2009-03-17 15:37 . 2006-01-03 11:54 56840 -c--a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-03-17 15:31 . 2006-01-03 11:24 -------- d-----w c:\program files\Common Files\Sonic Shared
    2009-03-17 15:31 . 2006-01-03 11:31 -------- d-----w c:\program files\Common Files\HP
    2009-03-17 15:27 . 2006-01-03 11:14 -------- d-----w c:\program files\Hewlett-Packard
    2009-03-17 15:26 . 2009-03-17 15:26 -------- d-----w c:\program files\Common Files\Hewlett-Packard
    2009-03-12 15:51 . 2006-01-03 11:04 -------- d--h--w c:\program files\InstallShield Installation Information
    2009-03-09 16:43 . 2009-03-09 16:43 0 ----a-w c:\windows\system32\HOT3A.tmp
    2009-03-09 13:39 . 2008-12-24 05:51 -------- d-----w c:\program files\CompTracker
    2009-03-09 13:39 . 2009-03-09 13:39 -------- d-----w c:\program files\uTorrent
    2009-03-09 13:35 . 2009-03-08 23:29 -------- d-----w c:\program files\Registry Mechanic(3)
    2009-03-06 14:22 . 2004-08-04 08:00 284160 ----a-w c:\windows\system32\pdh.dll
    2009-03-03 00:18 . 2004-08-04 08:00 826368 ----a-w c:\windows\system32\wininet.dll
    2009-02-28 17:26 . 2008-10-15 22:33 155384 ----a-w c:\windows\system32\guard32.dll
    2009-02-28 17:26 . 2008-10-15 22:33 110992 ----a-w c:\windows\system32\drivers\cmdguard.sys
    2009-02-20 18:10 . 2008-10-15 22:33 24336 ----a-w c:\windows\system32\drivers\cmdhlp.sys
    2009-02-20 18:09 . 2004-08-04 08:00 78336 ----a-w c:\windows\system32\ieencode.dll
    2009-02-11 16:19 . 2009-03-22 23:14 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-02-11 16:19 . 2009-03-22 23:14 15504 ----a-w c:\windows\system32\drivers\mbam.sys
    2009-02-09 12:10 . 2004-08-04 08:00 729088 ----a-w c:\windows\system32\lsasrv.dll
    2009-02-09 12:10 . 2004-08-04 08:00 714752 ----a-w c:\windows\system32\ntdll.dll
    2009-02-09 12:10 . 2004-08-04 08:00 617472 ----a-w c:\windows\system32\advapi32.dll
    2009-02-09 12:10 . 2004-08-04 08:00 401408 ----a-w c:\windows\system32\rpcss.dll
    2009-02-09 11:13 . 2004-08-04 08:00 1846784 ----a-w c:\windows\system32\win32k.sys
    2009-02-07 01:03 . 2009-02-07 01:03 307576 ----a-w c:\windows\WLXPGSS.SCR
    2009-02-07 00:52 . 2009-02-07 00:52 49504 ----a-w c:\windows\system32\sirenacm.dll
    2009-02-06 11:11 . 2004-08-04 08:00 110592 ----a-w c:\windows\system32\services.exe
    2009-02-06 11:06 . 2004-08-04 08:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
    2009-02-06 10:39 . 2004-08-04 08:00 35328 ----a-w c:\windows\system32\sc.exe
    2009-02-06 10:32 . 2004-08-04 08:00 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
    2009-02-03 19:59 . 2004-08-04 08:00 56832 ----a-w c:\windows\system32\secur32.dll
    2008-07-16 19:13 . 2007-08-03 17:43 67696 -c--a-w c:\program files\mozilla firefox\components\jar50.dll
    2008-07-16 19:13 . 2007-08-03 17:43 54376 -c--a-w c:\program files\mozilla firefox\components\jsd3250.dll
    2008-07-16 19:13 . 2007-08-03 17:43 34952 -c--a-w c:\program files\mozilla firefox\components\myspell.dll
    2008-07-16 19:13 . 2007-08-03 17:43 46720 -c--a-w c:\program files\mozilla firefox\components\spellchk.dll
    2008-07-16 19:13 . 2007-08-03 17:43 172144 -c--a-w c:\program files\mozilla firefox\components\xpinstal.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2008-11-25 03:25 333192 ----a-w c:\program files\AskBarDis\bar\bin\askBar.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E7F15AC4-E0A9-43F0-921B-70DFEA621220}]
    c:\windows\system32\796525\796525.dll [BU]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98} "= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-25 333192]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98} "= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-25 333192]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "EPSON Stylus CX7400 Series "= "c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE" [2007-02-15 179200]
    "MsnMsgr "= "c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-07 3885408]
    "H/PC Connection Agent "= "c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DetectorApp "= "c:\program files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe" [2005-10-20 102400]
    "SynTPEnh "= "c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-11 761945]
    "hpWirelessAssistant "= "c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-11-16 503808]
    "QPService "= "c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
    "eabconfg.cpl "= "c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-07 409600]
    "Cpqset "= "c:\program files\HPQ\Default Settings\cpqset.exe" [2005-05-18 233534]
    "RecGuard "= "c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
    "Reminder "= "c:\windows\CREATOR\Remind_XP.exe" [2005-10-28 679936]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
    "COMODO Firewall Pro "= "c:\program files\COMODO\Firewall\cfp.exe" [2009-02-28 1851128]
    "COMODO Internet Security "= "c:\program files\COMODO\Firewall\cfp.exe" [2009-02-28 1851128]
    "HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-03-23 148888]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "sysfbtray "= "c:\windows\freddy41.exe" [BU]
    "High Definition Audio Property Page Shortcut "= "CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-04-18 61952]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2008-1-3 1392640]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
    PalTalk.lnk - c:\program files\Paltalk Messenger\paltalk.exe [2008-5-8 10452992]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\LimeWire\\LimeWire.exe "=
    "c:\\Program Files\\Steam\\Steam.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE "=
    "c:\\Program Files\\Steam\\steamapps\\jcbehrens\\condition zero\\hl.exe "=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe "= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe "= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe "= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "c:\\Program Files\\uTorrent\\uTorrent.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe "=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3724:TCP "= 3724:TCP:Blizzard Downloader: 3724
    "26675:TCP "= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2009-02-07 533360]
    S1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2009-02-28 110992]
    S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2009-02-20 24336]
    S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [2008-11-25 234888]
    S2 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssfltr_tdi.sys [2009-02-07 55152]
    S2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-01-14 226656]


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
    .
    Contents of the 'Scheduled Tasks' folder

    2009-04-09 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
    - c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-10-18 10:04]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.ca/
    uInternet Settings,ProxyServer = http=localhost:7171
    uInternet Settings,ProxyOverride = *.local;<local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    LSP: c:\windows\system32\CavEmLSP.dll
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\92bc366j.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - FireSearch
    FF - prefs.js: browser.startup.homepage - hxxp://www2.firesearch.com/
    FF - prefs.js: network.proxy.http - localhost
    FF - prefs.js: network.proxy.http_port - 7171
    FF - prefs.js: network.proxy.type - 1
    FF - plugin: c:\progra~1\palmOne\PACKAG~1\NPInstal.dll
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref( "media.enforce_same_site_origin ", false);
    c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref( "media.ogg.enabled ", true);
    c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref( "media.wave.enabled ", true);
    c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref( "media.autoplay.enabled ", true);
    c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref( "browser.urlbar.autocomplete.enabled ", true);
    c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref( "capability.policy.mailnews.*.wholeText ", "noAccess ");
    c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref( "network.http.prompt-temp-redirect ", true);
    c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref( "network.tcp.sendbuffer ", 131072);
    c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref( "extensions.blocklist.level ", 2);
    c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref( "browser.urlbar.restrict.typed ", "~ ");
    c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref( "browser.urlbar.default.behavior ", 0);
    c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref( "browser.ssl_override_behavior ", 2);
    c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref( "security.alternate_certificate_error_page ", "certerror ");
    c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref( "browser.privatebrowsing.autostart ", false);
    c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref( "browser.privatebrowsing.dont_prompt_on_enter ", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-28 16:11
    Windows 5.1.2600 Service Pack 3 NTFS

    detected NTDLL code modification:
    ZwClose, ZwOpenFile

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????????? ?n??|?????? ???B?????????????hLC? ??????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1021110209-3373441594-2293552223-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "?? "=hex:1f,0d,37,25,44,ab,d1,1e,8f,87,e9,80,e9,d7,6f,0e,08,e6,4a,26,55,14,1b,
    f3,dd,64,2d,f8,f2,f9,e1,a9,9d,5d,af,b1,77,69,78,e5,d0,85,dd,be,6f,20,25,54,\
    "?? "=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(948)
    c:\windows\system32\guard32.dll

    - - - - - - - > 'lsass.exe'(1012)
    c:\windows\system32\guard32.dll
    c:\windows\system32\CavEmLSP.dll
    .
    Completion time: 2009-04-28 16:12
    ComboFix-quarantined-files.txt 2009-04-28 22:12
    ComboFix2.txt 2009-04-28 21:22
    ComboFix3.txt 2009-04-28 21:02
    ComboFix4.txt 2009-03-25 13:04
    ComboFix5.txt 2009-04-28 22:07

    Pre-Run: 18,900,205,568 bytes free
    Post-Run: 18,894,536,704 bytes free

    274 --- E O F --- 2009-04-16 09:07



    ROOTREPEAL (c) AD, 2007-2008
    ==================================================
    Scan Time: 2009/04/28 16:15
    Program Version: Version 1.2.3.0
    Windows Version: Windows XP SP3
    ==================================================

    Drivers
    -------------------
    Name: catchme.sys
    Image Path: C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys
    Address: 0xF7807000 Size: 31744 File Visible: No
    Status: -

    Name: dump_iaStor.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
    Address: 0xA142F000 Size: 876544 File Visible: No
    Status: -

    Name: PROCEXP90.SYS
    Image Path: C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
    Address: 0xF7A15000 Size: 6464 File Visible: No
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xF6947000 Size: 45056 File Visible: No
    Status: -

    Hidden/Locked Files
    -------------------
    Path: C:\hiberfil.sys
    Status: Locked to the Windows API!

    Path: C:\WINDOWS\system32\wbem\Logs\wbemess.log
    Status: Size mismatch (API: 14592, Raw: 14304)

    Path: C:\Documents and Settings\Owner\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρϴϱЄϱЃϵϳЅ
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Owner\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρЂϻϵЉЃϵϳЅ
    Status: Locked to the Windows API!

    SSDT
    -------------------
    #: 011 Function Name: NtAdjustPrivilegesToken
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa17212a0

    #: 031 Function Name: NtConnectPort
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa17207c2

    #: 037 Function Name: NtCreateFile
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa1720e5c

    #: 041 Function Name: NtCreateKey
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa1721a6a

    #: 046 Function Name: NtCreatePort
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa172051c

    #: 050 Function Name: NtCreateSection
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa1722776

    #: 052 Function Name: NtCreateSymbolicLinkObject
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa1721486

    #: 053 Function Name: NtCreateThread
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa17200ea

    #: 063 Function Name: NtDeleteKey
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa17216d4

    #: 065 Function Name: NtDeleteValueKey
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa1721884

    #: 068 Function Name: NtDuplicateObject
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa171fe4c

    #: 097 Function Name: NtLoadDriver
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa17223f8

    #: 105 Function Name: NtMakeTemporaryObject
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa1720a46

    #: 116 Function Name: NtOpenFile
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa1721094

    #: 122 Function Name: NtOpenProcess
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa171fb7c

    #: 125 Function Name: NtOpenSection
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa1720cd6

    #: 128 Function Name: NtOpenThread
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa171fcf4

    #: 192 Function Name: NtRenameKey
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa1721e30

    #: 200 Function Name: NtRequestWaitReplyPort
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa172063a

    #: 210 Function Name: NtSecureConnectPort
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa1722194

    #: 240 Function Name: NtSetSystemInformation
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa17225a6

    #: 247 Function Name: NtSetValueKey
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa1721c30

    #: 249 Function Name: NtShutdownSystem
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa17209e0

    #: 255 Function Name: NtSystemDebugControl
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa1720bca

    #: 257 Function Name: NtTerminateProcess
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa17203e6

    #: 258 Function Name: NtTerminateThread
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa17202b4
     
  12. 2009/05/05
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Sorry for the delay, my wife was in the hospital.

    Please do this.

    Delete the Combofix you have and download the newer version to your Desktop.

    Now do this.

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.

    Code:
    KillAll::
    File::
    c:\windows\freddy41.exe
    c:\windows\f5087.dat
    c:\windows\f23567.dat
    c:\windows\t55ft2667f44.dat
    
    Folder::
    c:\windows\system32\796525
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E7F15AC4-E0A9-43F0-921B-70DFEA621220}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "sysfbtray "=- 
    Plese post the Combofix log.

    Thanks
    Geri
     
  13. 2009/05/06
    jcmoses

    jcmoses Inactive Thread Starter

    Joined:
    2009/03/22
    Messages:
    15
    Likes Received:
    0
    Hey Geri,

    Sorry to hear about your wife. I hope all is well.

    Here is the log requested. Thanks again for all your hard work.

    ComboFix 09-05-06.02 - Owner 06/05/2009 18:49.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1509 [GMT -6:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
    AV: avast! antivirus 4.8.1335 [VPS 090506-0] *On-access scanning disabled* (Updated)
    AV: COMODO Antivirus *On-access scanning disabled* (Updated)
    FW: COMODO Firewall *disabled*

    FILE ::
    c:\windows\f23567.dat
    c:\windows\f5087.dat
    c:\windows\freddy41.exe
    c:\windows\t55ft2667f44.dat
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\f23567.dat
    c:\windows\f5087.dat
    c:\windows\pp06.exe
    c:\windows\system32\796525
    c:\windows\system32\dl32.exe
    c:\windows\t55ft2667f44.dat

    .
    ((((((((((((((((((((((((( Files Created from 2009-04-07 to 2009-05-07 )))))))))))))))))))))))))))))))
    .

    2009-05-02 18:06 . 2009-05-02 18:06 -------- d-----w c:\program files\Alwil Software
    2009-04-30 00:57 . 2009-04-30 00:58 -------- d-----w C:\RECYCLER(2)
    2009-04-23 05:57 . 2009-04-23 05:57 -------- d-----w c:\documents and settings\Owner\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    2009-04-15 23:16 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
    2009-04-15 23:16 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
    2009-04-15 23:16 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
    2009-04-15 23:16 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
    2009-04-15 23:16 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
    2009-04-15 23:16 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
    2009-04-15 23:16 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
    2009-04-15 23:16 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
    2009-04-15 23:16 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
    2009-04-15 23:16 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
    2009-04-15 23:12 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
    2009-04-15 23:12 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
    2009-04-13 20:53 . 2009-05-06 06:22 -------- d-----w c:\documents and settings\Owner\Incomplete
    2009-04-13 00:54 . 2009-04-13 00:54 -------- d-----w c:\documents and settings\Guest\Tracing
    2009-04-10 03:37 . 2009-05-07 00:56 -------- d-----w c:\documents and settings\Owner\Tracing
    2009-04-10 01:26 . 2009-04-16 09:13 -------- d-----w c:\program files\Microsoft Silverlight
    2009-04-10 01:26 . 2009-04-10 01:26 -------- d-----w c:\program files\Microsoft Office Outlook Connector
    2009-04-10 01:26 . 2009-02-07 00:08 55152 ----a-w c:\windows\system32\drivers\fssfltr_tdi.sys
    2009-04-10 01:25 . 2009-04-10 01:25 -------- d-----w c:\program files\Microsoft Sync Framework
    2009-04-10 01:24 . 2009-04-10 01:24 -------- d-----w c:\program files\Microsoft SQL Server Compact Edition
    2009-04-10 01:20 . 2009-04-10 01:26 -------- d-----w c:\program files\Microsoft
    2009-04-10 01:20 . 2009-04-10 01:20 -------- d-----w c:\program files\Windows Live SkyDrive
    2009-04-10 01:09 . 2009-04-10 01:09 -------- d-----w c:\program files\Common Files\Windows Live

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-05-07 00:57 . 2009-02-26 05:52 -------- d-----w c:\program files\RegVac Registry Cleaner
    2009-05-02 23:41 . 2008-12-20 08:25 -------- d-----w c:\program files\palmOne
    2009-04-28 21:36 . 2009-01-08 04:18 -------- d-----w c:\program files\Mozilla Firefox 3.1 Beta 2
    2009-04-10 01:26 . 2008-02-27 06:07 -------- d-----w c:\program files\Windows Live
    2009-04-08 01:45 . 2008-04-04 17:40 664 ----a-w c:\windows\system32\d3d9caps.dat
    2009-03-26 13:52 . 2009-03-24 12:48 -------- d-----w c:\program files\WildGames
    2009-03-25 21:49 . 2009-03-22 16:02 -------- d-----w c:\program files\Autorun Eater
    2009-03-25 21:44 . 2007-07-22 13:40 -------- d-----w c:\program files\Common Files\Adobe
    2009-03-23 17:53 . 2007-07-28 16:28 -------- d-----w c:\program files\Steam
    2009-03-23 13:52 . 2008-12-07 18:12 410984 ----a-w c:\windows\system32\deploytk.dll
    2009-03-23 13:52 . 2006-01-03 11:59 -------- d-----w c:\program files\Java
    2009-03-22 23:14 . 2009-03-22 23:14 -------- d-----w c:\program files\Malwarebytes' Anti-Malware.com
    2009-03-22 15:29 . 2008-04-13 23:14 56840 -c--a-w c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-03-20 00:33 . 2008-04-25 19:15 -------- d-----w c:\program files\Common Files\Blizzard Entertainment
    2009-03-20 00:33 . 2006-01-03 11:34 -------- d-----w c:\program files\Common Files\Symantec Shared
    2009-03-19 18:54 . 2008-11-09 00:39 -------- d-----w c:\program files\Common Files\Apple
    2009-03-18 16:00 . 2006-01-03 11:31 -------- d-----w c:\program files\HP
    2009-03-17 15:47 . 2009-03-17 15:00 117155 ----a-w c:\windows\hpoins11.dat
    2009-03-17 15:37 . 2006-01-03 11:54 56840 -c--a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-03-17 15:31 . 2006-01-03 11:24 -------- d-----w c:\program files\Common Files\Sonic Shared
    2009-03-17 15:31 . 2006-01-03 11:31 -------- d-----w c:\program files\Common Files\HP
    2009-03-17 15:27 . 2006-01-03 11:14 -------- d-----w c:\program files\Hewlett-Packard
    2009-03-17 15:26 . 2009-03-17 15:26 -------- d-----w c:\program files\Common Files\Hewlett-Packard
    2009-03-12 15:51 . 2006-01-03 11:04 -------- d--h--w c:\program files\InstallShield Installation Information
    2009-03-09 16:43 . 2009-03-09 16:43 0 ----a-w c:\windows\system32\HOT3A.tmp
    2009-03-09 13:39 . 2008-12-24 05:51 -------- d-----w c:\program files\CompTracker
    2009-03-09 13:39 . 2009-03-09 13:39 -------- d-----w c:\program files\uTorrent
    2009-03-09 13:35 . 2009-03-08 23:29 -------- d-----w c:\program files\Registry Mechanic(3)
    2009-03-06 14:22 . 2004-08-04 08:00 284160 ----a-w c:\windows\system32\pdh.dll
    2009-03-03 00:18 . 2004-08-04 08:00 826368 ----a-w c:\windows\system32\wininet.dll
    2009-02-28 17:26 . 2008-10-15 22:33 155384 ----a-w c:\windows\system32\guard32.dll
    2009-02-28 17:26 . 2008-10-15 22:33 110992 ----a-w c:\windows\system32\drivers\cmdguard.sys
    2009-02-27 04:56 . 2009-02-27 04:56 177152 ----a-w c:\windows\system32\SET8B.tmp
    2009-02-20 18:10 . 2008-10-15 22:33 24336 ----a-w c:\windows\system32\drivers\cmdhlp.sys
    2009-02-20 18:09 . 2004-08-04 08:00 78336 ----a-w c:\windows\system32\ieencode.dll
    2009-02-11 16:19 . 2009-03-22 23:14 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-02-11 16:19 . 2009-03-22 23:14 15504 ----a-w c:\windows\system32\drivers\mbam.sys
    2009-02-09 12:10 . 2004-08-04 08:00 729088 ----a-w c:\windows\system32\lsasrv.dll
    2009-02-09 12:10 . 2004-08-04 08:00 714752 ----a-w c:\windows\system32\ntdll.dll
    2009-02-09 12:10 . 2004-08-04 08:00 617472 ----a-w c:\windows\system32\advapi32.dll
    2009-02-09 12:10 . 2004-08-04 08:00 401408 ----a-w c:\windows\system32\rpcss.dll
    2009-02-09 11:13 . 2004-08-04 08:00 1846784 ----a-w c:\windows\system32\win32k.sys
    2009-02-07 01:03 . 2009-02-07 01:03 307576 ----a-w c:\windows\WLXPGSS.SCR
    2009-02-07 00:52 . 2009-02-07 00:52 49504 ----a-w c:\windows\system32\sirenacm.dll
    2009-02-06 11:11 . 2004-08-04 08:00 110592 ----a-w c:\windows\system32\services.exe
    2009-02-06 11:06 . 2004-08-04 08:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
    2009-02-06 10:39 . 2004-08-04 08:00 35328 ----a-w c:\windows\system32\sc.exe
    2009-02-06 10:32 . 2004-08-04 08:00 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
    2008-07-16 19:13 . 2007-08-03 17:43 67696 -c--a-w c:\program files\mozilla firefox\components\jar50.dll
    2008-07-16 19:13 . 2007-08-03 17:43 54376 -c--a-w c:\program files\mozilla firefox\components\jsd3250.dll
    2008-07-16 19:13 . 2007-08-03 17:43 34952 -c--a-w c:\program files\mozilla firefox\components\myspell.dll
    2008-07-16 19:13 . 2007-08-03 17:43 46720 -c--a-w c:\program files\mozilla firefox\components\spellchk.dll
    2008-07-16 19:13 . 2007-08-03 17:43 172144 -c--a-w c:\program files\mozilla firefox\components\xpinstal.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2008-11-25 03:25 333192 ----a-w c:\program files\AskBarDis\bar\bin\askBar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98} "= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-25 333192]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98} "= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-25 333192]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DL32 "= "DL32" [X]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "EPSON Stylus CX7400 Series "= "c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE" [2007-02-15 179200]
    "MsnMsgr "= "c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-07 3885408]
    "H/PC Connection Agent "= "c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DetectorApp "= "c:\program files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe" [2005-10-20 102400]
    "SynTPEnh "= "c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-11 761945]
    "hpWirelessAssistant "= "c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-11-16 503808]
    "QPService "= "c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
    "eabconfg.cpl "= "c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-07 409600]
    "Cpqset "= "c:\program files\HPQ\Default Settings\cpqset.exe" [2005-05-18 233534]
    "RecGuard "= "c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
    "Reminder "= "c:\windows\CREATOR\Remind_XP.exe" [2005-10-28 679936]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
    "COMODO Firewall Pro "= "c:\program files\COMODO\Firewall\cfp.exe" [2009-02-28 1851128]
    "COMODO Internet Security "= "c:\program files\COMODO\Firewall\cfp.exe" [2009-02-28 1851128]
    "HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-03-23 148888]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "avast! "= "c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
    "High Definition Audio Property Page Shortcut "= "CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-04-18 61952]

    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    RegVac.lnk - c:\program files\RegVac Registry Cleaner\regvac.exe [2009-2-25 2665720]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2008-1-3 1392640]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
    PalTalk.lnk - c:\program files\Paltalk Messenger\paltalk.exe [2008-5-8 10452992]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Steam\\Steam.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Steam\\steamapps\\jcbehrens\\condition zero\\hl.exe"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [02/05/2009 12:06 PM 114768]
    R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [15/10/2008 4:33 PM 110992]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [15/10/2008 4:33 PM 24336]
    R2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [04/12/2008 10:04 AM 234888]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [02/05/2009 12:06 PM 20560]
    R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [09/04/2009 7:26 PM 55152]
    R2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [14/01/2009 5:53 PM 226656]
    S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 6:08 PM 533360]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
    .
    Contents of the 'Scheduled Tasks' folder

    2009-05-05 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
    - c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-10-18 10:04]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.ca/
    uInternet Settings,ProxyServer = http=localhost:7171
    uInternet Settings,ProxyOverride = *.local;<local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    LSP: c:\windows\system32\CavEmLSP.dll
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\92bc366j.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - FireSearch
    FF - prefs.js: browser.startup.homepage - hxxp://www2.firesearch.com/
    FF - prefs.js: network.proxy.http - localhost
    FF - prefs.js: network.proxy.http_port - 7171
    FF - prefs.js: network.proxy.type - 1
    FF - plugin: c:\progra~1\palmOne\PACKAG~1\NPInstal.dll
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("media.enforce_same_site_origin", false);
    c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("media.ogg.enabled", true);
    c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("media.wave.enabled", true);
    c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("media.autoplay.enabled", true);
    c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
    c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
    c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
    c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
    c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
    c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
    c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
    c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
    c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
    c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
    c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-05-06 18:58
    Windows 5.1.2600 Service Pack 3 NTFS

    detected NTDLL code modification:
    ZwClose, ZwOpenFile

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????????? "?n??|?????? ???B?????????????hLC? ??????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1021110209-3373441594-2293552223-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:1f,0d,37,25,44,ab,d1,1e,8f,87,e9,80,e9,d7,6f,0e,08,e6,4a,26,55,14,1b,
    f3,dd,64,2d,f8,f2,f9,e1,a9,9d,5d,af,b1,77,69,78,e5,d0,85,dd,be,6f,20,25,54,\
    "??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(960)
    c:\windows\system32\guard32.dll

    - - - - - - - > 'lsass.exe'(1032)
    c:\windows\system32\guard32.dll
    c:\windows\system32\CavEmLSP.dll

    - - - - - - - > 'explorer.exe'(172)
    c:\windows\system32\guard32.dll
    c:\windows\system32\mshtml.dll
    c:\windows\system32\ImgUtil.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\COMODO\Firewall\cmdagent.exe
    c:\program files\Alwil Software\Avast4\aswUpdSv.exe
    c:\program files\Alwil Software\Avast4\ashServ.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    c:\program files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe
    c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
    c:\windows\system32\wscntfy.exe
    c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
    c:\progra~1\MICROS~2\rapimgr.exe
    c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
    .
    **************************************************************************
    .
    Completion time: 2009-05-07 19:01 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-05-07 01:01
    ComboFix2.txt 2009-04-28 22:12
    ComboFix3.txt 2009-04-28 21:22
    ComboFix4.txt 2009-04-28 21:02
    ComboFix5.txt 2009-05-07 00:48

    Pre-Run: 20,339,408,896 bytes free
    Post-Run: 20,318,523,392 bytes free

    304 --- E O F --- 2009-04-30 18:45
     
  14. 2009/05/08
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Did you by chance use a USB Thumb drive or Flash Drive at any time you were infected?

    Geri
     
  15. 2009/05/09
    jcmoses

    jcmoses Inactive Thread Starter

    Joined:
    2009/03/22
    Messages:
    15
    Likes Received:
    0
    No, not to my knowledge. I have one, but I only use it for pictures. I have an MP3 player that I switch up from time to time too that connects via USB.
     
  16. 2009/05/09
    jcmoses

    jcmoses Inactive Thread Starter

    Joined:
    2009/03/22
    Messages:
    15
    Likes Received:
    0
    Geri,

    I am really thinking that reformatting my computer and erasing everything back to factory settings is the route to go, and then staying away from P2P stuff. It won't let me do it though. I get a message saying there are no hard drives installed or that there is no power to the hard drives. Any ideas what that means?
     
  17. 2009/05/10
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Did you follow the instructions in the earlier post on reformatting?

    Geri
     
  18. 2009/05/11
    jcmoses

    jcmoses Inactive Thread Starter

    Joined:
    2009/03/22
    Messages:
    15
    Likes Received:
    0
    Hey Geri,
    I read the link you sent me, but it is all quite confusing and much of the information is for Windows 2000 and ME; I use XP Home Edition.
     
  19. 2009/05/11
    jcmoses

    jcmoses Inactive Thread Starter

    Joined:
    2009/03/22
    Messages:
    15
    Likes Received:
    0
    Geri,
    Just to add to that: I have the disk for it, but when I opt to boot from disc and start the process, that's when I get the message that there are no hard drives powered up.

    Thanks again,
    James Behrens
     
  20. 2009/05/14
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    It sounds like it's looking for drivers. Are you prompted to press F6?

    Geri
     
  21. 2009/05/15
    jcmoses

    jcmoses Inactive Thread Starter

    Joined:
    2009/03/22
    Messages:
    15
    Likes Received:
    0
    No prompt; it gives me the error message and tells me it has to exit. My computer has a "destructive recovery" partition too, but it always blue-screens me when I use it, and then I have to take it in to a tech to fix.
     
