HP Mini 1000 - 1151nr - Problems

Connor.S

New Member
I'm trying to fix this netbook for my girlfriend's mom.

After logging in as the normal user (administrator privileges), I'm greeted with just the wallpaper, as in Windows Explorer doesn't load.

I can open Task Manager. I check the processes for explorer.exe and it's not there. I try to open explorer.exe through New Task (Run) and it freezes Task Manager. I can open another Task Manager window, but am unable to close the first. I opened regedit to check the hot keys and make sure the value of Shell for Winlogon is explorer.exe, and it is, yet Windows Explorer still does not load.

I can log in in safe mode and Explorer loads. I've run Malwarebytes, along with CCleaner, and it returned a clean scan.

I've also run fixNCR to try and fix the registry, and iexplorer to temporarily delete any malware, but it comes up clean.

Sorry if some of this doesn't make sense or is confusing, my mind is in a cluster.

Thanks for any help.
 

johnb35

Administrator
Staff member
Since you can boot to safe mode and have run Malwarebytes, you can still be infected. Try this procedure and post the log.

Download and Run ComboFix
If you already have ComboFix, please delete that copy and download it again, as it's being updated regularly.
  • Download this file here:

    Combofix

  • When the page loads click on the blue combofix download link next to the BleepingComputer Mirror.
  • Save the file to your windows desktop. The combofix icon will look like this when it has downloaded to your desktop.

    cf-icon.jpg
  • We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:

  • Close all open Windows including this one.
  • Close or disable all running Antivirus, Antispyware, and Firewall programs, as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found here.
    Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.
  • Please click on I agree on the disclaimer window.
  • ComboFix will now install itself on to your computer. When it is done, a blue screen will appear as shown below.

    cf-preparing.jpg

  • ComboFix is now preparing to run. When it has finished ComboFix will automatically attempt to create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry as shown in the image below.

    erunt.jpg

  • Once the Windows Registry has finished being backed up, ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise you will see the following message as shown below:

    recovery-console-prompt.jpg

  • At the above message box, please click on the Yes button in order for ComboFix to continue. Please follow the steps and instructions given by ComboFix in order to finish the installation of the Recovery Console.
  • Please click on yes in the next window to continue scanning for malware.
  • ComboFix will now disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.
  • ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
  • While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan. An example of this can be seen below.

    still-scanning-clockchanges.jpg

  • When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
  • This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you that the program's log file, or report, will be located at C:\ComboFix.txt.
  • When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically for you.
  • Now you just click on the Edit menu and click on Select All, then click on the Edit menu again and click on Copy. Then come back to the forum, right-click in your reply, and click on Paste.


In your next reply please post:
  • The ComboFix log
  • A fresh HiJackThis log
  • An update on how your computer is running
 
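Once the log comes back, the triage is mostly reading the autostart and service entries for things that should not be there. The script below is an added example for this thread, not ComboFix's code and not something johnb35 posted: it parses an excerpt of the ComboFix log that Connor.S posts later in the thread (the REGEDIT4-style key/value blocks and the catchme "hidden files" count) and flags service keys whose ImagePath points at a file dropped in %windir%\TEMP. The flagging rules (temp directory, no file extension, eight random-looking lowercase letters for both the service name and the file) are heuristics I chose from the shape of the entries in that log, not ComboFix rules; the sample lines are copied from the posted log rather than constructed.

```python
"""Triage helper for a ComboFix-style log (added example, not ComboFix's own code)."""
import re
from dataclasses import dataclass, field

# Excerpt of the ComboFix log posted later in this thread: two entries from the
# "Reg Loading Points" Run key, the tail of the catchme rootkit scan, and two of
# the hidden service entries that follow it. Paths are as they appear in the log.
SAMPLE_LOG = r"""
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
scan completed successfully
hidden files: 1
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ayyzlwrd]
"ImagePath"="\??\c:\windows\TEMP\mdrmbpaa"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\bybdklau]
"ImagePath"="\??\c:\windows\TEMP\ocucnleo"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"')
HIDDEN_RE = re.compile(r"^hidden files:\s*(?P<n>\d+)$")
# Heuristic chosen for this example (not a ComboFix rule): eight lowercase
# letters with no extension, the shape every hidden service in the posted log has.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")


@dataclass
class Finding:
    key: str
    image_path: str
    reasons: list = field(default_factory=list)


@dataclass
class Triage:
    hidden_files: int = 0
    findings: list = field(default_factory=list)


def parse_blocks(text):
    """Yield (key, {value_name: data}) for each REGEDIT4-style block in the log."""
    key, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            if key is not None:
                yield key, values
            key, values = m.group("key"), {}
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            values[m.group("name")] = m.group("data")
    if key is not None:
        yield key, values


def normalise(path):
    """Drop the `\\??\\` NT-namespace prefix ComboFix prints and lower-case the path."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def assess_service(key, values):
    """Return a Finding for a service whose ImagePath looks like a dropped temp binary."""
    image = values.get("ImagePath")
    if image is None or "\\services\\" not in key.lower():
        return None
    path = normalise(image)
    reasons = []
    if "\\windows\\temp\\" in path:
        reasons.append("image runs from %windir%\\TEMP")
    basename = path.rsplit("\\", 1)[-1]
    if "." not in basename:
        reasons.append("image file has no extension")
    if RANDOM_NAME_RE.match(basename):
        reasons.append("image name is eight random-looking letters")
    service = key.rsplit("\\", 1)[-1]
    if RANDOM_NAME_RE.match(service):
        reasons.append("service name is eight random-looking letters")
    return Finding(key, image, reasons) if reasons else None


def triage(text):
    """Collect the catchme hidden-file count and every flagged service key."""
    result = Triage()
    for line in text.splitlines():
        m = HIDDEN_RE.match(line.strip())
        if m:
            result.hidden_files = int(m.group("n"))
    for key, values in parse_blocks(text):
        finding = assess_service(key, values)
        if finding:
            result.findings.append(finding)
    return result


if __name__ == "__main__":
    t = triage(SAMPLE_LOG)
    print(f"hidden files reported by catchme: {t.hidden_files}")
    for f in t.findings:
        print(f"{f.key}\n    {f.image_path}\n    -> " + "; ".join(f.reasons))
```

Run it against the full log saved from C:\ComboFix.txt by reading the file into `triage()`; legitimate Run entries such as HPWAMain.exe or msseces.exe produce no finding, while each randomly named service pointing into %windir%\TEMP is listed with the reasons it was flagged. The heuristics are deliberately narrow so that a clean machine yields an empty list rather than noise.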

Connor.S

New Member
Two questions..

It is okay and I should run this in safe mode, correct?

Does the netbook need an Internet connection?

I am using my laptop to respond to you and download combofix; using thumbdrive to put combofix on the netbook.
 

johnb35

Administrator
Staff member
It has to be run inside Windows, and safe mode is OK to run it in. Yes, you will have to download it to a flash drive and then transfer the ComboFix file to your desktop screen before running it.
 

Connor.S

New Member
I answered my own question upon running it; it does indeed need an internet connection.

Thank you John!

I will supply the logs when I get them.
 

johnb35

Administrator
Staff member
Running ComboFix does not need an internet connection. It may ask you to update to a new version if there was an update applied already, or to download and install the Recovery Console, which usually isn't needed. There are a lot of infections that screw up the internet connection, and ComboFix is used to restore it.
 

Connor.S

New Member
Oh. I think I needed the internet connection to get the Recovery Console, iirc. Either way, ComboFix is running smoothly and I should have logs soon.
 

Connor.S

New Member
ComboFix log:

ComboFix 11-12-29.04 - Administrator 12/29/2011 13:52:24.1.2 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.564 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\program files\AutocompletePro
c:\program files\AutocompletePro\64\AutocompletePro64.dll
c:\program files\AutocompletePro\chrome\autocompleteprochrome.crx
c:\program files\AutocompletePro\FireFoxExtension.exe
c:\program files\AutocompletePro\InstTracker.exe
c:\program files\AutocompletePro\[email protected]\chrome.manifest
c:\program files\AutocompletePro\[email protected]\chrome\content\browserOverlay.xul
c:\program files\AutocompletePro\[email protected]\chrome\content\options.js
c:\program files\AutocompletePro\[email protected]\chrome\content\options.xul
c:\program files\AutocompletePro\[email protected]\chrome\content\utils.js
c:\program files\AutocompletePro\[email protected]\defaults\preferences\predictad.js
c:\program files\AutocompletePro\[email protected]\install.rdf
c:\program files\AutocompletePro\unins000.dat
c:\program files\AutocompletePro\unins000.exe
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\rrt_is.wav
c:\windows\system32\rrt_tn.wav
c:\windows\system32\rrt_tv.wav
c:\windows\system32\rrt_vf.wav
c:\windows\system32\SETB8E.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-29 )))))))))))))))))))))))))))))))
.
.
2011-12-29 21:40 . 2011-12-29 21:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2011-12-28 04:54 . 2011-12-28 04:54 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{45C1D8D8-C40E-4ED2-8D2D-0D8145F0C668}\MpKsl19d11d02.sys
2011-12-28 04:52 . 2011-12-28 04:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\DAEMON Tools Lite
2011-12-28 04:50 . 2011-12-28 04:50 -------- d-----w- c:\documents and settings\Allyson\Application Data\Malwarebytes
2011-12-28 04:31 . 2011-12-28 04:31 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{45C1D8D8-C40E-4ED2-8D2D-0D8145F0C668}\MpKsl908689c5.sys
2011-12-28 04:06 . 2011-12-28 04:05 232512 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2011-12-28 04:05 . 2011-12-28 04:53 -------- d-----w- c:\program files\DAEMON Tools Lite
2011-12-28 04:05 . 2011-12-28 04:05 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2011-12-28 02:18 . 2011-09-01 01:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-28 02:18 . 2011-12-28 04:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-28 02:15 . 2011-12-28 02:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\CrystalIdea Software
2011-12-28 02:12 . 2011-10-30 21:14 27600 ----a-w- c:\windows\system32\drivers\CisUtMonitor.sys
2011-12-28 02:11 . 2011-12-28 04:52 -------- d-----w- c:\program files\Uninstall Tool
2011-12-28 00:08 . 2011-12-28 04:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2011-12-26 00:16 . 2011-12-26 00:16 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{45C1D8D8-C40E-4ED2-8D2D-0D8145F0C668}\MpKsl489071a3.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-04-15 . 2E17260C4889F47F71E2B33CD13F7F3D . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BTBFirstRun"="c:\program files\Hewlett-Packard\SDP\hprun.exe" [2008-11-07 24576]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-08-02 4910912]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2009-08-04 318096]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-12-18 197928]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-03-17 273544]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-09-11 446556]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-04 1410344]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-12-03 729088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-09-01 1047208]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-09-01 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-02-28 519584]
.
c:\documents and settings\Allyson\Start Menu\Programs\Startup\
HP SimpleSave Monitor.lnk - c:\documents and settings\Administrator\Application Data\HP SimpleSave Application\StartHelper.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-2 604776]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
.
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [3/9/2009 3:00 AM 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [3/9/2009 3:00 AM 15856]
R0 SysCow;SysCow;c:\windows\system32\drivers\syscow32x.sys [9/24/2008 10:09 PM 103792]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [9/19/2011 3:48 PM 98392]
S1 MpKsl01511777;MpKsl01511777;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsl01511777.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsl01511777.sys [?]
S1 MpKsl024ee902;MpKsl024ee902;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BAC6AA66-28EB-4BF2-A7C0-C2440681C11E}\MpKsl024ee902.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BAC6AA66-28EB-4BF2-A7C0-C2440681C11E}\MpKsl024ee902.sys [?]
S1 MpKsl092cdcd0;MpKsl092cdcd0;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BAC6AA66-28EB-4BF2-A7C0-C2440681C11E}\MpKsl092cdcd0.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BAC6AA66-28EB-4BF2-A7C0-C2440681C11E}\MpKsl092cdcd0.sys [?]
S1 MpKsl181274b3;MpKsl181274b3;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsl181274b3.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsl181274b3.sys [?]
S1 MpKsl19d11d02;MpKsl19d11d02;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{45C1D8D8-C40E-4ED2-8D2D-0D8145F0C668}\MpKsl19d11d02.sys [12/27/2011 8:54 PM 28752]
S1 MpKsl1bdaee21;MpKsl1bdaee21;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsl1bdaee21.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsl1bdaee21.sys [?]
S1 MpKsl2226132c;MpKsl2226132c;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsl2226132c.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsl2226132c.sys [?]
S1 MpKsl25f89b5e;MpKsl25f89b5e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D7A1D977-51A5-42E9-AA9A-487C08F9BE0F}\MpKsl25f89b5e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D7A1D977-51A5-42E9-AA9A-487C08F9BE0F}\MpKsl25f89b5e.sys [?]
S1 MpKsl316e2d3e;MpKsl316e2d3e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsl316e2d3e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsl316e2d3e.sys [?]
S1 MpKsl34819e1d;MpKsl34819e1d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsl34819e1d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsl34819e1d.sys [?]
S1 MpKsl401656f4;MpKsl401656f4;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsl401656f4.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsl401656f4.sys [?]
S1 MpKsl4562e2df;MpKsl4562e2df;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsl4562e2df.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsl4562e2df.sys [?]
S1 MpKsl498fa5ba;MpKsl498fa5ba;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A6179837-3CD9-4DA2-AE81-2DC883441A95}\MpKsl498fa5ba.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A6179837-3CD9-4DA2-AE81-2DC883441A95}\MpKsl498fa5ba.sys [?]
S1 MpKsl556578ab;MpKsl556578ab;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsl556578ab.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsl556578ab.sys [?]
S1 MpKsl616a52d2;MpKsl616a52d2;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsl616a52d2.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsl616a52d2.sys [?]
S1 MpKsl6456fd3c;MpKsl6456fd3c;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CA037EF8-C1CE-48AF-B0EA-4031F72484BC}\MpKsl6456fd3c.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CA037EF8-C1CE-48AF-B0EA-4031F72484BC}\MpKsl6456fd3c.sys [?]
S1 MpKsl7371cd0c;MpKsl7371cd0c;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CA037EF8-C1CE-48AF-B0EA-4031F72484BC}\MpKsl7371cd0c.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CA037EF8-C1CE-48AF-B0EA-4031F72484BC}\MpKsl7371cd0c.sys [?]
S1 MpKsl74924ba6;MpKsl74924ba6;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsl74924ba6.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsl74924ba6.sys [?]
S1 MpKsl75a592a5;MpKsl75a592a5;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsl75a592a5.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsl75a592a5.sys [?]
S1 MpKsl8372bc00;MpKsl8372bc00;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsl8372bc00.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsl8372bc00.sys [?]
S1 MpKsl840a4db8;MpKsl840a4db8;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsl840a4db8.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsl840a4db8.sys [?]
S1 MpKsl86507b7a;MpKsl86507b7a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsl86507b7a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsl86507b7a.sys [?]
S1 MpKsl88596b33;MpKsl88596b33;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BAC6AA66-28EB-4BF2-A7C0-C2440681C11E}\MpKsl88596b33.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BAC6AA66-28EB-4BF2-A7C0-C2440681C11E}\MpKsl88596b33.sys [?]
S1 MpKsl908689c5;MpKsl908689c5;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{45C1D8D8-C40E-4ED2-8D2D-0D8145F0C668}\MpKsl908689c5.sys [12/27/2011 8:31 PM 28752]
S1 MpKsla66a8685;MpKsla66a8685;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsla66a8685.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsla66a8685.sys [?]
S1 MpKsla95d4954;MpKsla95d4954;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsla95d4954.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsla95d4954.sys [?]
S1 MpKslc53defa1;MpKslc53defa1;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKslc53defa1.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKslc53defa1.sys [?]
S1 MpKsld12f1c17;MpKsld12f1c17;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsld12f1c17.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsld12f1c17.sys [?]
S1 MpKsldad52135;MpKsldad52135;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsldad52135.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsldad52135.sys [?]
S1 MpKsle330df6d;MpKsle330df6d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsle330df6d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsle330df6d.sys [?]
S1 MpKsleaa2494a;MpKsleaa2494a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsleaa2494a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsleaa2494a.sys [?]
S1 MpKsled8c18f8;MpKsled8c18f8;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsled8c18f8.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{782E3E85-79B4-4C7E-A0E0-CA7EB4499800}\MpKsled8c18f8.sys [?]
S1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [3/9/2009 3:00 AM 25584]
S2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [12/11/2008 10:46 PM 125424]
S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [12/18/2009 10:25 AM 189736]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/17/2010 8:43 AM 135664]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/27/2011 6:18 PM 366152]
S2 QDLService;Qualcomm Gobi Download Service;c:\qualcomm\QDLService\QDLService.exe [1/14/2009 6:56 AM 345336]
S3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [3/9/2009 2:33 AM 112128]
S3 CisUtMonitor;CisUtMonitor;c:\windows\system32\drivers\CisUtMonitor.sys [12/27/2011 6:12 PM 27600]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/17/2010 8:43 AM 135664]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [9/20/2011 12:24 PM 23624]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/27/2011 6:18 PM 22216]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
S3 QCFilterhp;HP USB Composite Device Filter Driver;c:\windows\system32\drivers\qcfilterhp.sys [3/9/2009 2:34 AM 5248]
S3 qcusbnethp;HP USB-NDIS miniport;c:\windows\system32\drivers\qcusbnethp.sys [3/9/2009 2:34 AM 115200]
S3 qcusbserhp;HP USB Device for Legacy Serial Communication;c:\windows\system32\drivers\qcusbserhp.sys [3/9/2009 2:34 AM 104448]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [4/14/2010 7:29 PM 32408]
S4 BackupService;BackupService;c:\documents and settings\Allyson\Application Data\HP SimpleSave Application\uUACTokenSvc.exe [11/28/2010 8:44 AM 83512]
S4 BOTService;BOTService;c:\program files\Roxio\BackOnTrack\Instant Restore\BOTService.exe [12/25/2008 6:28 PM 203248]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - PXHELP20
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-28 c:\windows\Tasks\BackOnTrack Instant Restore Idle.job
- c:\program files\Roxio\BackOnTrack\Instant Restore\RstIdle.exe [2008-12-26 02:28]
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-17 16:43]
.
2011-12-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-17 16:43]
.
2011-12-29 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 22:39]
.
2011-09-03 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-08-04 18:19]
.
2011-06-11 c:\windows\Tasks\photopadShakeIcon.job
- c:\program files\NCH Software\PhotoPad\photopad.exe [2010-12-17 20:06]
.
2010-12-17 c:\windows\Tasks\photostageSevenDays.job
- c:\program files\NCH Software\PhotoStage\photostage.exe [2010-12-17 20:08]
.
2010-12-17 c:\windows\Tasks\photostageShakeIcon.job
- c:\program files\NCH Software\PhotoStage\photostage.exe [2010-12-17 20:08]
.
2011-06-25 c:\windows\Tasks\pixillionDowngrade.job
- c:\program files\NCH Software\Pixillion\pixillion.exe [2010-12-17 20:07]
.
2011-06-11 c:\windows\Tasks\pixillionShakeIcon.job
- c:\program files\NCH Software\Pixillion\pixillion.exe [2010-12-17 20:07]
.
2011-12-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3776529232-2776693366-2901217791-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 17:47]
.
2011-09-20 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3776529232-2776693366-2901217791-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 17:47]
.
2010-12-10 c:\windows\Tasks\videopadShakeIcon.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2010-11-30 04:06]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 205.171.3.25
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
AddRemove-AutocompletePro3_is1 - c:\program files\AutocompletePro\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-29 14:15
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\system32\EXT.dll 53248 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ayyzlwrd]
"ImagePath"="\??\c:\windows\TEMP\mdrmbpaa"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\bybdklau]
"ImagePath"="\??\c:\windows\TEMP\ocucnleo"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\cgyxnwmp]
"ImagePath"="\??\c:\windows\TEMP\hbnulxdj"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\cryvjnco]
"ImagePath"="\??\c:\windows\TEMP\xwjgisfl"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\dkbmgcda]
"ImagePath"="\??\c:\windows\TEMP\dvfwpvsg"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\dmtouuyr]
"ImagePath"="\??\c:\windows\TEMP\onovakdp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\dofkeyta]
"ImagePath"="\??\c:\windows\TEMP\djmcctwp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\eazepfcw]
"ImagePath"="\??\c:\windows\TEMP\ahldtssf"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\enjgfmkb]
"ImagePath"="\??\c:\windows\TEMP\vfsuitvg"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\epbucgcp]
"ImagePath"="\??\c:\windows\TEMP\cgmseisv"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\exfbjhkb]
"ImagePath"="\??\c:\windows\TEMP\rcrnsnki"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\fkmgkqgw]
"ImagePath"="\??\c:\windows\TEMP\txofrsbd"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\fvncsjde]
"ImagePath"="\??\c:\windows\TEMP\eafsvfqo"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\gtbcxkco]
"ImagePath"="\??\c:\windows\TEMP\tcpeptzh"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\gyhbswnc]
"ImagePath"="\??\c:\windows\TEMP\fmphanhj"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\hadcqnjx]
"ImagePath"="\??\c:\windows\TEMP\uthdgeph"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\hafevudn]
"ImagePath"="\??\c:\windows\TEMP\kjroelsy"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\hcixtjkz]
"ImagePath"="\??\c:\windows\TEMP\zwksbazt"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\hlwzzfch]
"ImagePath"="\??\c:\windows\TEMP\ebmtevae"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\hpzbucih]
"ImagePath"="\??\c:\windows\TEMP\dfdenvjk"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\hydlyrap]
"ImagePath"="\??\c:\windows\TEMP\lkvvyfgo"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\iawmeyuv]
"ImagePath"="\??\c:\windows\TEMP\xdsvxiik"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\igduqlyz]
"ImagePath"="\??\c:\windows\TEMP\nyantvys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\iocajoxu]
"ImagePath"="\??\c:\windows\TEMP\phdiyoug"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ixsjdwan]
"ImagePath"="\??\c:\windows\TEMP\uyboveyc"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\jlfohvlc]
"ImagePath"="\??\c:\windows\TEMP\grvtwjhh"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\kgwwsbmo]
"ImagePath"="\??\c:\windows\TEMP\ennxfskq"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mmqsrhyo]
"ImagePath"="\??\c:\windows\TEMP\sptwefev"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\nfrzgchj]
"ImagePath"="\??\c:\windows\TEMP\egftqkbt"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\nmmawcga]
"ImagePath"="\??\c:\windows\TEMP\peaflzvt"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\nrkodqmc]
"ImagePath"="\??\c:\windows\TEMP\cvgwnhve"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\nuhjvvdu]
"ImagePath"="\??\c:\windows\TEMP\rhgiudtz"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\pidfcams]
"ImagePath"="\??\c:\windows\TEMP\yynaosqv"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\psckyjnz]
"ImagePath"="\??\c:\windows\TEMP\odwmhhma"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\pwvkyyyw]
"ImagePath"="\??\c:\windows\TEMP\fpfvbnok"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\qdjldcag]
"ImagePath"="\??\c:\windows\TEMP\zafqzglz"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\qehyfzkv]
"ImagePath"="\??\c:\windows\TEMP\zfkvcsfn"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\qetroeec]
"ImagePath"="\??\c:\windows\TEMP\jqzsxhfl"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\qybpdiul]
"ImagePath"="\??\c:\windows\TEMP\nwknbrre"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\qzhlxilp]
"ImagePath"="\??\c:\windows\TEMP\hiawucvx"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\rpiodqqi]
"ImagePath"="\??\c:\windows\TEMP\uxknrjxz"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\snrydhno]
"ImagePath"="\??\c:\windows\TEMP\vpgvmtfw"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\sodyqtdb]
"ImagePath"="\??\c:\windows\TEMP\woquamal"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\sruhdpnh]
"ImagePath"="\??\c:\windows\TEMP\gjhvqvvk"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\tsqirjtz]
"ImagePath"="\??\c:\windows\TEMP\izoddbyi"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ufgjasjs]
"ImagePath"="\??\c:\windows\TEMP\xqghdpiq"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ulnhdlfd]
"ImagePath"="\??\c:\windows\TEMP\guplcsvx"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vmeeepot]
"ImagePath"="\??\c:\windows\TEMP\ltwbpgoq"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vpnjdqnp]
"ImagePath"="\??\c:\windows\TEMP\mnxpugnm"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vuqhtlxx]
"ImagePath"="\??\c:\windows\TEMP\tgvclkha"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vvqyadro]
"ImagePath"="\??\c:\windows\TEMP\wxrkdzoe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wakfmwda]
"ImagePath"="\??\c:\windows\TEMP\ypvdqbrj"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wveaeclo]
"ImagePath"="\??\c:\windows\TEMP\fndcsbrj"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wwiyebfx]
"ImagePath"="\??\c:\windows\TEMP\wuoynjhb"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wyyypngx]
"ImagePath"="\??\c:\windows\TEMP\nahqhtgl"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\xkwrefgh]
"ImagePath"="\??\c:\windows\TEMP\igsdptwf"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ycaecwqw]
"ImagePath"="\??\c:\windows\TEMP\braqphrs"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ydxiqtnh]
"ImagePath"="\??\c:\windows\TEMP\nipjsvke"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\yrrsfgvz]
"ImagePath"="\??\c:\windows\TEMP\becnpxld"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\zjldunbr]
"ImagePath"="\??\c:\windows\TEMP\foxqtmhq"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\zlvbqmka]
"ImagePath"="\??\c:\windows\TEMP\imtvsluq"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\zoujmroy]
"ImagePath"="\??\c:\windows\TEMP\bbggyocm"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3776529232-2776693366-2901217791-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,da,4c,b2,78,20,91,5f,4c,bb,cd,37,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,da,4c,b2,78,20,91,5f,4c,bb,cd,37,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,da,4c,b2,78,20,91,5f,4c,bb,cd,37,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,da,4c,b2,78,20,91,5f,4c,bb,cd,37,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,da,4c,b2,78,20,91,5f,4c,bb,cd,37,\
.
Completion time: 2011-12-29 14:20:23
ComboFix-quarantined-files.txt 2011-12-29 22:20
.
Pre-Run: 39,944,192,000 bytes free
Post-Run: 40,333,176,832 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 94BD02125869B4D42C05407AF696189B


****

I haven't tried booting normally yet; ComboFix restarted back in safe mode. I will try booting normally now. If I can get in with Windows Explorer working I will install HijackThis and obtain a log; I can't install HijackThis in safe mode.
 

Connor.S

New Member
I rebooted and logged in normally, as a user with administrative privileges. Windows Explorer was loaded and working.

I tried getting into My Computer to open the thumbdrive and install HijackThis.

Everything froze up.

Shut down and rebooted and BAM, no more Windows Explorer.
 

Connor.S

New Member
Tried to open Task Manager; it would open before, even though Explorer was not working, but now it won't open.
 

Connor.S

New Member
Hate to flood my thread without getting responses... but I again shut down and rebooted, and Windows Explorer loads. It takes a long time to load, but it does.

Upon logging in I get a window stating "Windows cannot find 'C:\DOCUME~1\Allyson\LOCALS~1\Temp\csrss.exe'."

I check Task Manager and it shows csrss.exe is running in Processes.

Another note: no one in their family is named Allyson, and they're not sure how this name came about or why it is part of the account.
 

johnb35

Administrator
Staff member
I have not been home to reply. Please do the following.

Download the HijackThis installer from here.
Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

Click Do a system scan and save a logfile

Most of what HijackThis lists will be harmless or even essential; don't fix anything yet.

When the hijackthis log appears in a notepad file, click on the edit menu, click select all, then click on the edit menu again and click on copy. Come back to your reply and right click on your mouse and click on paste.

Post the logfile that HijackThis produces.

Do you have a Windows XP install CD?
 

Connor.S

New Member
I tried to install HijackThis in safe mode earlier and it was not letting me do so. I will try again though.

As of now, no, I don't have an XP install disc. I'm waiting to hear back from the owner whether they have it. If they do, I'm just going to go that route and do a fresh install, if I can get my hands on an external CD drive.

FatManSam, you have no idea how many times this idea has crossed my mind!
 

johnb35

Administrator
Staff member
I'm gonna do some research on some entries in your ComboFix log, as I've never seen them before. Give me some time; it looks like you have some malware loading.

Try downloading and running CCleaner in safe mode.
 

Connor.S

New Member
I managed to install and run HijackThis by accessing the files on the thumbdrive through the command prompt; here is the log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:40:31 PM, on 12/29/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\wdm\stacsv.exe
C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\QUALCOMM\QDLService\QDLService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\vodburner\vodburner.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\dumprep.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\dwwin.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=minipavilion&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.mywebsearch.com/index.jhtml?n=77C09F4F&ptnrS=ZRxdm9854QUS&ptb=WEvglQhN_v3treOcej5q9g
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~4\Office14\URLREDIR.DLL
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolba...QUS&si=&a=WEvglQhN_v3treOcej5q9g&n=2010092204
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~4\Office14\ONBttnIE.dll/105
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Roxio SAIB Service (9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269) - Unknown owner - C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Qualcomm Gobi Download Service (QDLService) - QUALCOMM, Inc. - C:\QUALCOMM\QDLService\QDLService.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\wdm\stacsv.exe

--
End of file - 9009 bytes
 

johnb35

Administrator
Staff member
Depending on the outcome of this script we may have to edit it a little. But I have a feeling this should take care of it for the most part.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:
Killall::


Registry::

[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ayyzlwrd]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\bybdklau]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\cgyxnwmp]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\cryvjnco]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\dkbmgcda]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\dmtouuyr]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\dofkeyta]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\eazepfcw]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\enjgfmkb]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\epbucgcp]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\exfbjhkb]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\fkmgkqgw]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\fvncsjde]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\gtbcxkco]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\gyhbswnc]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\hadcqnjx]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\hafevudn]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\hcixtjkz]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\hlwzzfch]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\hpzbucih]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\hydlyrap]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\iawmeyuv]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\igduqlyz]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\iocajoxu]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ixsjdwan]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\jlfohvlc]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\kgwwsbmo]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mmqsrhyo]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\nfrzgchj]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\nmmawcga]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\nrkodqmc]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\nuhjvvdu]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\pidfcams]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\psckyjnz]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\pwvkyyyw]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\qdjldcag]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\qehyfzkv]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\qetroeec]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\qybpdiul]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\qzhlxilp]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\rpiodqqi]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\snrydhno]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\sodyqtdb]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\sruhdpnh]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\tsqirjtz]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ufgjasjs]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ulnhdlfd]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vmeeepot]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vpnjdqnp]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vuqhtlxx]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vvqyadro]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wakfmwda]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wveaeclo]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wwiyebfx]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wyyypngx]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\xkwrefgh]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ycaecwqw]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ydxiqtnh]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\yrrsfgvz]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\zjldunbr]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\zlvbqmka]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\zoujmroy]


Reglock::

[HKEY_USERS\S-1-5-21-3776529232-2776693366-2901217791-500\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


CFScript-1.gif


ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.
 
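To show how the Registry:: section of a script like the one above can be derived from the ComboFix log instead of being typed out by hand, here is an added Python example (not from the thread and not part of ComboFix): it parses the service entries, flags those whose ImagePath is a randomly named, extensionless file under c:\windows\TEMP, which is the pattern in the log posted earlier, and prints the matching [-KEY] lines. The log excerpt embedded in it is constructed, with one legitimate driver entry added for contrast.

```python
"""Flag ComboFix service entries that load from c:\\windows\\TEMP and build
the Registry:: section of a CFScript that removes them.

Added example, not code from the thread or from ComboFix. The sample log
below is constructed to match the shape of the log posted above.
"""
import re

# Constructed sample: two TEMP-resident services plus one legitimate driver.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ayyzlwrd]
"ImagePath"="\??\c:\windows\TEMP\mdrmbpaa"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\bybdklau]
"ImagePath"="\??\c:\windows\TEMP\ocucnleo"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\usbhub]
"ImagePath"="system32\DRIVERS\usbhub.sys"
.
"""

# A service key header as ComboFix prints it: group 1 is the full key path,
# group 2 the service name.
KEY_RE = re.compile(
    r'^\[(HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+))\]$')
IMAGE_RE = re.compile(r'^"ImagePath"="(.*)"$')
# Indicator seen in the thread: an optional \??\ NT prefix, the system TEMP
# directory, and an eight-letter name with no extension.
TEMP_RE = re.compile(r'^(?:\\\?\?\\)?c:\\windows\\temp\\[a-z]{8}$',
                     re.IGNORECASE)


def parse_services(log_text):
    """Return (key_path, service_name, image_path) for every service entry."""
    services = []
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            continue
        m = IMAGE_RE.match(line)
        if m and current is not None:
            services.append((current[0], current[1], m.group(1)))
            current = None
    return services


def is_temp_dropper(image_path):
    """True when the service binary lives as a random 8-letter file in TEMP."""
    return TEMP_RE.match(image_path) is not None


def find_suspicious(log_text):
    """Service entries whose ImagePath matches the TEMP indicator."""
    return [s for s in parse_services(log_text) if is_temp_dropper(s[2])]


def build_cfscript(log_text):
    """Emit Killall:: and a Registry:: block with one [-KEY] line per hit,
    in the layout the CFScript above uses."""
    lines = ["Killall::", "", "", "Registry::", ""]
    for key_path, _name, _path in find_suspicious(log_text):
        lines.append(f"[-{key_path}]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for key_path, name, path in find_suspicious(SAMPLE_LOG):
        print(f"suspicious service {name}: {path}")
    print(build_cfscript(SAMPLE_LOG))
```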

Connor.S

New Member
After dragging the script onto ComboFix and it starting, it asked if I wanted to update ComboFix to a newer version. I did the update; hopefully it's still running the same from dragging the script to it. I'll update soon with the log.
 

Connor.S

New Member
After ComboFix restarted the computer, it started back in normal mode. ComboFix is open with a blue box saying "please wait". Not sure if it is frozen or not. Has it created a new log yet, or will it say when it is doing so?
 