RandJ
Attached the 3 logs. The eset scan instructions that you have, if a threat is found, didn't have anything about cleaning it, just reporting on it. Right? So other than the combo fix file that I dragged over, we haven't changed anything, only run scans and reports?

Attachments: eset scan.txt, checkup.txt, combofix log 2.txt
-
Here is the log. Thank you again for the help! Also, in case it is helpful ... Avast was showing up as running but not in the task bar. I launched it from the start menu and it gave a message that it was not working. Sorry, brain fart, and I didn't capture or write down the message (ridiculous amount of hypocrisy there, BTW). I'm rebooting and reloading avast after posting this since there isn't any AV software without it.

ComboFix 13-01-11.02 - Laptop 01/11/2013 20:48:29.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1110 [GMT -5:00]
Running from: c:\documents and settings\Laptop\Desktop\ComboFix.exe
FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\SET7D.tmp
c:\windows\system32\SET81.tmp
c:\windows\system32\SET82.tmp
c:\windows\system32\SET89.tmp
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
H:\autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2012-12-12 to 2013-01-12 )))))))))))))))))))))))))))))))
.
.
2013-01-08 22:12 . 2013-01-08 22:12 -------- d-----w- c:\documents and settings\Laptop\.amu
2012-12-28 23:04 . 2012-12-28 23:05 -------- d-----w- c:\documents and settings\Laptop\Application Data\Spotify
2012-12-27 15:43 . 2012-12-27 15:43 -------- d-----w- c:\documents and settings\Laptop\Application Data\Visan
2012-12-27 15:41 . 2012-12-27 15:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Visan
2012-12-27 15:41 . 2012-12-27 15:43 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Photo Creations
2012-12-27 15:41 . 2012-12-27 15:42 -------- d-----w- c:\program files\HP Photo Creations
2012-12-25 16:06 . 2002-11-12 17:22 569397 ----a-w- c:\program files\Internet Explorer\PLUGINS\RichFX\Player\nprfxins.dll
2012-12-25 16:06 . 2012-12-25 16:09 -------- d-----w- c:\program files\Rhapsody
2012-12-18 14:28 . 2012-12-18 14:28 186584 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-09 07:55 . 2012-04-10 11:53 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-09 07:55 . 2011-07-26 02:36 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-14 21:49 . 2011-07-22 22:36 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-07 23:38 . 2011-06-30 16:38 99080 ----a-w- c:\windows\system32\drivers\inspect.sys
2012-11-07 23:38 . 2011-06-30 16:38 32640 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2012-11-07 23:38 . 2011-06-30 16:38 497952 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2012-11-07 23:38 . 2011-06-30 16:38 18096 ----a-w- c:\windows\system32\drivers\cmderd.sys
2012-11-07 23:37 . 2012-11-11 13:08 34024 ----a-w- c:\windows\system32\cmdcsr.dll
2012-11-07 23:37 . 2011-06-30 16:37 301264 ----a-w- c:\windows\system32\guard32.dll
2012-07-14 00:17 . 2012-08-24 11:36 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-12-07 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-12-03 4763008]
"Amazon Cloud Drive"="c:\documents and settings\Laptop\Local Settings\Application Data\Amazon\Cloud Drive\AmazonCloudDrive.exe" [2012-11-12 646528]
"SansaDispatch"="c:\documents and settings\Laptop\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2012-07-19 79872]
"MusicManager"="c:\documents and settings\Laptop\Local Settings\Application Data\Programs\Google\MusicManager\MusicManager.exe" [2012-12-10 7416320]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-26 1024000]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Persistence"="c:\windows\System32\igfxpers.exe" [2008-02-29 137752]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2008-02-29 141848]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2008-02-29 166424]
"EaseUs Watch"="c:\program files\EASEUS\Todo Backup\bin\EuWatch.exe" [2011-04-23 69000]
"EaseUs Tray"="c:\program files\EASEUS\Todo Backup\bin\TrayNotify.exe" [2011-04-26 733576]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2012-11-07 6756048]
"Broadcom Wireless Manager UI"="c:\windows\System32\WLTRAY.exe" [2008-06-02 2220032]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2006-06-29 77824]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]
"SetDefPrt2"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 49152]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 77824]
"WD Quick View"="c:\program files\Western Digital\WD Quick View\WDDMStatus.exe" [2012-06-14 5235128]
"HipServ Agent"="c:\program files\Roxio Streamer Desktop Applications\HipServAgent\HipServAgent.exe" [2010-06-30 2201000]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatchTray13.exe" [2010-07-16 307184]
"CPMonitor"="c:\program files\Roxio 2011\5.0\CPMonitor.exe" [2010-07-14 84464]
"Desktop Disc Tool"="c:\program files\Roxio 2011\Roxio Burn\RoxioBurnLauncher.exe" [2010-06-30 477680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.0.207\SSScheduler.exe [2011-6-17 272528]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-4-19 291896]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-27 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-30 113024]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Motorola Media Link\\Lite\\MML.exe"=
"c:\\Program Files\\Motorola Mobility\\MotoCast\\motocast.exe"=
"c:\\Program Files\\Motorola Mobility\\MotoCast\\bin\\MotoCast-thumbnailer.exe"=
"c:\\Program Files\\Roxio Streamer Desktop Applications\\QuickConnect\\AxentraSmartShortcut.exe"=
"c:\\Program Files\\Roxio Streamer Desktop Applications\\HipServAgent\\HipServAgent.exe"=
"c:\\Program Files\\Roxio\\Roxio Streamer\\ConfigurationWizard\\RoxioStreamer.exe"=
"c:\\Program Files\\Amazon\\Utilities\\Amazon Music Importer\\Amazon Music Importer.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [7/22/2011 5:23 PM 30600]
R0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [7/22/2011 5:23 PM 35720]
R0 EUFS;EUFS;c:\windows\system32\drivers\eufs.sys [7/22/2011 5:23 PM 20744]
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [8/25/2012 8:21 PM 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [8/25/2012 8:21 PM 15856]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [6/30/2011 11:38 AM 497952]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [6/30/2011 11:38 AM 32640]
R1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [7/22/2011 5:23 PM 14216]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [8/25/2012 8:21 PM 25584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [7/12/2011 4:55 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [5/4/2011 12:54 PM 116608]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\App\SaibSVC.exe [6/2/2009 6:05 PM 457200]
R2 ASTRA32;ASTRA32 Kernel Driver 5.2.1.0;c:\program files\ASTRA32\astra32.sys [2/22/2007 1:28 PM 30864]
R2 BOT4Service;BOT4Service;c:\program files\Roxio\BackOnTrack\App\BService.exe [7/14/2010 3:00 AM 32240]
R2 DeviceMonitorService;DeviceMonitorService;c:\program files\Motorola Media Link\Lite\NServiceEntry.exe [6/5/2012 10:48 AM 87400]
R2 Motorola Device Manager;Motorola Device Manager Service;c:\program files\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [7/17/2012 3:31 PM 116632]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [4/19/2011 1:44 AM 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [4/19/2011 1:44 AM 399416]
R2 VBoxDrv;VBox Support Driver;c:\program files\Roxio\Roxio Streamer\VBoxDrv.sys [6/29/2010 11:04 AM 122376]
R2 WDBackup;WD Backup;c:\program files\Western Digital\WD SmartWare\WDBackupEngine.exe [6/14/2012 10:04 AM 1151424]
R2 WDDriveService;WD Drive Manager;c:\program files\Western Digital\WD Drive Manager\WDDriveService.exe [6/14/2012 9:57 AM 248248]
R2 WDRulesService;WD Rules;c:\program files\Western Digital\WD SmartWare\WDRulesEngine.exe [6/14/2012 10:04 AM 1177536]
R3 EUDISK;EASEUS Disk Enumerator;c:\windows\system32\drivers\eudisk.sys [7/22/2011 5:23 PM 187528]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 3:30 AM 15544]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [6/29/2010 11:04 AM 108744]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
S2 EASEUS Agent;EASEUS Agent;c:\program files\EASEUS\Todo Backup\bin\Agent.exe [7/22/2011 1:16 AM 56200]
S2 HipServ;HipServ for Windows;c:\program files\Roxio\Roxio Streamer\srvstart\srvstart.exe [4/19/2010 12:05 PM 45056]
S2 HipServUsbDetection;USB detection service for HipServ;c:\program files\Roxio\Roxio Streamer\usb_detection.exe [6/22/2010 10:26 AM 15872]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [7/22/2011 5:38 PM 95232]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatch13.exe [7/16/2010 5:48 AM 354288]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys --> c:\windows\system32\DRIVERS\motfilt.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.0.207\McCHSvc.exe [6/17/2011 12:33 PM 237008]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys --> c:\windows\system32\DRIVERS\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys --> c:\windows\system32\DRIVERS\motccgpfl.sys [?]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys --> c:\windows\system32\DRIVERS\Motousbnet.sys [?]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\DRIVERS\motusbdevice.sys --> c:\windows\system32\DRIVERS\motusbdevice.sys [?]
S3 MSSQL$NR2005;MSSQL$NR2005;c:\program files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe -sNR2005 --> c:\program files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe -sNR2005 [?]
S3 RoxMediaDB13;RoxMediaDB13;c:\program files\Common Files\Roxio Shared\13.0\SharedCOM\RoxMediaDB13.exe [7/16/2010 5:48 AM 1099248]
S3 SQLAgent$NR2005;SQLAgent$NR2005;c:\program files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlagent.EXE -i NR2005 --> c:\program files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlagent.EXE -i NR2005 [?]
S3 VF0350Vfx;VF0350 Video FX;c:\windows\system32\drivers\V0350Vfx.sys [12/24/2011 6:44 PM 7424]
S3 VF0350Vid;Live! Cam Video IM (VF0350);c:\windows\system32\drivers\V0350Vid.sys [12/24/2011 6:44 PM 170368]
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-10 07:55]
.
2013-01-07 c:\windows\Tasks\defrag.job
- c:\windows\system32\defrag.exe [2003-07-16 12:42]
.
2013-01-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-07 22:18]
.
2013-01-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-07 22:18]
.
2013-01-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-706699826-682003330-1004Core.job
- c:\documents and settings\Laptop\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-07 22:18]
.
2013-01-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-706699826-682003330-1004UA.job
- c:\documents and settings\Laptop\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-07 22:18]
.
2013-01-12 c:\windows\Tasks\HP Photo Creations Communicator.job
- c:\documents and settings\All Users\Application Data\HP Photo Creations\Communicator.exe [2011-11-18 10:11]
.
2013-01-12 c:\windows\Tasks\User_Feed_Synchronization-{810D34D2-7189-4241-8007-60144A5E7F04}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: ctest.elynx.net\gateway
Trusted Zone: ditechsecuredocs.net\www
Trusted Zone: elynx.com\gateway
Trusted Zone: elynx.net\aegis
Trusted Zone: elynx.net\ctest
Trusted Zone: elynx.net\forms
Trusted Zone: elynx.net\gateway
Trusted Zone: elynx.net\gmacforms
Trusted Zone: elynx.net\pro
Trusted Zone: elynx.net\secure
Trusted Zone: elynx.net\ssctest
Trusted Zone: elynx.net\stest
Trusted Zone: elynx.net\webpost
Trusted Zone: gmacmsecuredocs.net\www
Trusted Zone: ss3.swiftsend.com\loandocs
Trusted Zone: suntrust.com\mtgdocs
Trusted Zone: swiftsend.com\docs
Trusted Zone: swiftsend.com\gateway
Trusted Zone: swiftsend.com\loandocs
Trusted Zone: swiftsend.com\www
Trusted Zone: swiftsend2.com\docs
Trusted Zone: swiftsend2.com\loandocs
Trusted Zone: swiftview.com\products
Trusted Zone: swiftview.com\www
Trusted Zone: us.hsbc.com\mortgage-esign
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Laptop\Application Data\Mozilla\Firefox\Profiles\usegnmt4.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxps://mail.google.com/mail/u/0/?shva=1#inbox
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-avast - c:\program files\AVAST Software\Avast\avastUI.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-11 20:58
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SansaDispatch = c:\documents and settings\Laptop\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe??????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1000)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'lsass.exe'(1056)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'csrss.exe'(968)
c:\windows\system32\cmdcsr.dll
.
Completion time: 2013-01-11 21:04:22
ComboFix-quarantined-files.txt 2013-01-12 02:04
.
Pre-Run: 123,686,658,048 bytes free
Post-Run: 126,607,167,488 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 11A2B5E2389F0F27E0579B48E844BE3B
-
(It seems to have stripped the images... would you like me to copy/paste differently or anything?) I wasn't sure if you wanted just the one tab or what you needed for results, so here are all the tabs.

SHA256: 3da4f51682e7d42c5569f1fb1adc6295182962e36f748219e1d0c8f2389ba516
SHA1: aabbd57e20d2e7041f9e7abce6cfd8a53c366537
MD5: e6d35f3aa51a65eb35c1f2340154a25e
File size: 52.8 KB ( 54016 bytes )
File name: qbpy.sys
File type: Win32 EXE
Detection ratio: 1 / 46
Analysis date: 2013-01-11 01:49:54 UTC ( 0 minutes ago )

Analysis

Antivirus / Result / Update
Agnitum - 20130110
AhnLab-V3 - 20130110
AntiVir - 20130107
Antiy-AVL - 20130110
Avast - 20130111
AVG - 20130111
BitDefender - 20130111
ByteHero - 20130110
CAT-QuickHeal - 20130110
ClamAV - 20130111
Commtouch - 20130111
Comodo - 20130111
DrWeb - 20130111
Emsisoft - 20130111
eSafe Win32.TrojanHorse 20130110
ESET-NOD32 - 20130110
F-Prot - 20130110
F-Secure - 20130110
Fortinet - 20130111
GData - 20130111
Ikarus - 20130111
Jiangmin - 20121221
K7AntiVirus - 20130110
Kaspersky - 20130110
Kingsoft - 20130107
Malwarebytes - 20130111
McAfee - 20130111
McAfee-GW-Edition - 20130111
Microsoft - 20130111
MicroWorld-eScan - 20130111
NANO-Antivirus - 20130111
Norman - 20130110
nProtect - 20130110
Panda - 20130110
PCTools - 20130110
Rising - 20130110
Sophos - 20130110
SUPERAntiSpyware - 20130111
Symantec - 20130111
TheHacker - 20130109
TotalDefense - 20130108
TrendMicro - 20130111
TrendMicro-HouseCall - 20130111
VBA32 - 20130109
VIPRE - 20130111
ViRobot - 20130110

Comments

samwise (posted 3 months, 1 week ago): contains the text string: c:\applications\windowsddk\src\myprojects\avenger\objfre_wxp_x86\i386\avenger.pdb. This is part of a combofix-like tool that mbam will use and occasionally leave behind.

SATINFO (posted 7 months, 2 weeks ago): SIREFEF (ZEROACCESS) VARIANT, handled as of ELISIREF 1.96 www.satinfo.es

Equanimity (posted 11 months ago): Confirmed by MBAM as part of their toolkit here: http://forums.malwar...16&fromsearch=1 #goodware

Kruis (posted 1 year, 2 months ago): #hupigon

Kruis (posted 1 year, 2 months ago): #hupigon

Kruis (posted 1 year, 2 months ago): #hupigon

anonymous (posted 1 year, 2 months ago): Malwarebytes driver for malware removal. Search the MD5 checksum online to see the legitimate history. #goodware #hupigon

anonymous (posted 1 year, 2 months ago): Malwarebytes driver for malware removal. Search the MD5 checksum online to see the legitimate history. #goodware #hupigon

anonymous (posted 1 year, 3 months ago): #malware

anonymous (posted 1 year, 4 months ago): #malware #rootkit #hupigon

Kruis (posted 1 year, 4 months ago): Rootkit #malware #spamattachmentorlink #impropagating #networkworm #rootkit #hupigon

anonymous (posted 1 year, 5 months ago): #malware #rootkit #hupigon

anonymous (posted 1 year, 5 months ago): #malware #rootkit #hupigon

anonymous (posted 1 year, 9 months ago): I'm not running avenger on my system. This file hid a data file in one of the MS update uninstall directories. I highly doubt a legit entry would create a Current Control Set 002 entry pointing to an MS install directory with a random name file linked from a key named --> byhaugxk #malware #rootkit

styx (posted 1 year, 9 months ago): Avenger protection #goodware #rootkit

Equanimity (posted 1 year, 9 months ago): MBAM drops this. Goodware. #goodware #rootkit

anonymous (posted 1 year, 10 months ago): Suspect trojan. Cleaned system remotely with malwarebytes, avg, etc., removed all detected infections. Ran combofix and noticed this file... no info on web on it. Was created the day before. Do not have avenger on this system. Sus on any system file created while cleaning system, and with no updates being installed. #malware

Dashke (posted 1 year, 11 months ago): #goodware #rootkit #2928

anonymous (posted 2 years ago): avenger driver, legitimate tool. Driver is also used by MBAM. #goodware #rootkit

anonymous (posted 2 years, 1 month ago): #goodware #rootkit

GDIcommando (posted 2 years, 2 months ago): This file is dropped by Malwarebytes' Anti-Malware (malwarebytes.org) when you select to clean an infection. If this file is really malware like some of you say, then how come MBAM drops it? The file itself, as far as I know, is in no way malware. It is used by some malware to end protected processes etc., to disable AV products, just like it is used by MBAM and others to disable rootkit malware. #goodware

anonymous (posted 2 years, 2 months ago): #malware #rootkit #avenger

dr_Bora (posted 2 years, 3 months ago): Legit file. #goodware #rootkit #avenger

anonymous (posted 2 years, 3 months ago): SIRI IS CORRECT. This is part of Avenger, a low-level driver to remove other malware. Delete it if you wish; Avenger always creates a new random driver when it needs to. #goodware

siri (posted 2 years, 3 months ago): Legit tool: Avenger #goodware #avenger #rootkit

LT1 (posted 2 years, 3 months ago): #malware

Votes

anonymous -1 2012-09-25 17:20:04 UTC ( 3 months, 2 weeks ago )
anonymous -1 2012-03-17 05:46:21 UTC ( 9 months, 4 weeks ago )
anonymous -1 2012-09-26 18:02:07 UTC ( 3 months, 2 weeks ago )
anonymous -1 2012-09-25 20:07:58 UTC ( 3 months, 2 weeks ago )
anonymous -1 2012-06-25 11:08:47 UTC ( 6 months, 2 weeks ago )
DouglasGraciani -40 2012-09-06 21:07:03 UTC ( 4 months ago )
anonymous -1 2012-12-01 15:30:08 UTC ( 1 month, 1 week ago )
anonymous -1 2012-12-20 15:25:10 UTC ( 3 weeks ago )
anonymous -1 2012-11-08 00:44:01 UTC ( 2 months ago )
anonymous -1 2012-12-13 10:32:23 UTC ( 4 weeks ago )
samwise +40 2012-10-03 21:53:38 UTC ( 3 months, 1 week ago )
anonymous -1 2012-06-25 11:12:54 UTC ( 6 months, 2 weeks ago )
anonymous -1 2012-11-22 07:51:40 UTC ( 1 month, 2 weeks ago )
anonymous -1 2012-10-18 18:02:15 UTC ( 2 months, 3 weeks ago )
Techno -35 2012-10-25 19:25:42 UTC ( 2 months, 2 weeks ago )
anonymous -1 2012-11-20 11:45:53 UTC ( 1 month, 3 weeks ago )
anonymous -1 2012-06-12 17:50:38 UTC ( 7 months ago )
anonymous -1 2012-06-09 07:13:49 UTC ( 7 months ago )
anonymous -1 2012-05-31 06:08:13 UTC ( 7 months, 2 weeks ago )
anonymous -1 2012-08-28 19:35:49 UTC ( 4 months, 2 weeks ago )
anonymous -1

Additional information

ssdeep: 768:Bosx0q2ph6P2Jpz8ftoSUiJP7hYTCMrhwYKUzY4q:j076P2Jpz8ftBUMPaCMrhwY

TrID:
Clipper DOS Executable (33.3%)
Generic Win/DOS Executable (33.0%)
DOS Executable Generic (33.0%)
VXD Driver (0.5%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)

ExifTool:
MIMEType.................: application/octet-stream
Subsystem................: Native
MachineType..............: Intel 386 or later, and compatibles
TimeStamp................: 2009:09:02 22:37:57+01:00
FileType.................: Win32 EXE
PEType...................: PE32
CodeSize.................: 49664
LinkerVersion............: 8.0
EntryPoint...............: 0xc505
InitializedDataSize......: 3200
SubsystemVersion.........: 5.1
ImageVersion.............: 6.0
OSVersion................: 6.0
UninitializedDataSize....: 0

Portable Executable structural information
Compilation timedatestamp.....: 2009-09-02 21:37:57
Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
Entry point address...........: 0x0000C505
PE Sections...................:
Name    Virtual Address  Virtual Size  Raw Size  Entropy  MD5
.text   1152             48543         48640     5.83     9474f39576a0e15bdbaa2ea3355f0a4a
.rdata  49792            294           384       3.78     375b710d9f213cfced30e9fdb29567e1
.data   50176            192           256       0.33     786971ca2b109729eda604b44d6c72ad
INIT    50432            968           1024      5.20     eea49a93a73afb6afc178455582133c6
.reloc  51456            2540          2560      6.62     bddd5a40c508bfc84ec87de5f8e6a5d3
PE Imports....................:
[[ntoskrnl.exe]] ZwReadFile, RtlInitUnicodeString, ZwOpenKey, ZwCreateFile, swprintf, ZwEnumerateKey, ExAllocatePool, KeSetPriorityThread, DbgPrint, ZwWriteFile, RtlUpcaseUnicodeChar, KeBugCheck, KeTickCount, RtlPrefixUnicodeString, PsGetVersion, PsTerminateSystemThread, KeGetCurrentThread, ZwQueryDirectoryFile, _wcsicmp, ZwDeleteKey, ZwEnumerateValueKey, RtlCheckRegistryKey, ZwQueryValueKey, ExFreePoolWithTag, MmGetSystemRoutineAddress, memcpy, ZwSetInformationFile, RtlDeleteRegistryValue, ZwFlushKey, ZwOpenFile, PsCreateSystemThread, ZwSetValueKey, KeBugCheckEx, KeDelayExecutionThread, RtlWriteRegistryValue, ZwQueryInformationFile, ZwClose

Symantec Reputation: Suspicious.Insight
First seen by VirusTotal: 2009-09-18 00:44:25 UTC ( 3 years, 3 months ago )
Last seen by VirusTotal: 2013-01-11 01:49:54 UTC ( 11 minutes ago )
File names (max. 25): yaud.sys imofugc.sys ikvpllh.sys tmwk.sys tnqognu.sys rmkgq.sys xvaq.sys vviex.sys xavwaffa.sys threy.sys.vir.vir srbiijn.sys sbkkd.sys etmga.sys ujxm.sys pcqbru.sys eighuh.sys qyvg.sys hqlthbt.sys psesfu.sys qcvjq.sys vxevyvox.sys lvbkoe.sys eytjusg.sys ghaww.sys irxvhuyy.sys

Exited scanner without cleaning anything and attached report.

Attachment: RKreport1_S_01102013_02d2105.txt