Kolchak
  1. Lonny. Hello. Everything seems fine. I have not read the tutorials you listed yet. I will delete the programs you listed. Here's a non-virus-related question. Do you think I would see any improvement if I added more memory to my computer? It has 1Gb, and can support up to 4Gb. Thanks!!!!
  2. Lonny. Hi. I copied that file as instructed, what was the purpose of that? I also updated Java, and deleted the old versions. Thanks for all your help!!!!! Doug
  3. Lonny. I guess you wanted me to post this too, the result of the 'add-remove' command.
  4. Lonny. I performed the operation again, ComboFix did update. Below is the log.

     ComboFix 09-09-29.04 - HP_Administrator 09/30/2009 14:54.3.2 - NTFSx86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.415 [GMT -4:00]
     Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\HP_Administrator\Desktop\cfscript.txt
     AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
     FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     c:\documents and settings\HP_Administrator\Application Data\Desktopicon
     c:\documents and settings\HP_Administrator\Application Data\Desktopicon\config.ini
     c:\documents and settings\HP_Administrator\Application Data\Desktopicon\eBayShortcuts.exe

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-09-30 15:01
     Windows 5.1.2600 Service Pack 3 NTFS
     scanning hidden processes ...
     scanning hidden autostart entries ...
     scanning hidden files ...
     scan completed successfully
     hidden files: 0

     Completion time: 2009-09-30 15:03
  5. Lonny, below is the ComboFix log. What did you mean by the following at the end of your last post: Post this text to C:\Qoobox\Add-Remove Programs.txt

     ComboFix 09-09-22.01 - HP_Administrator 09/30/2009 13:39.2.2 - NTFSx86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.405 [GMT -4:00]
     Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\HP_Administrator\Desktop\cfscript.txt
     AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
     FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
     * Created a new restore point

     - REDUCED FUNCTIONALITY MODE -

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-09-30 13:41
     Windows 5.1.2600 Service Pack 3 NTFS
     scanning hidden processes ...
     scanning hidden autostart entries ...
     scanning hidden files ...
     scan completed successfully
     hidden files: 0

     Completion time: 2009-09-30 13:43
  6. Lonny: Hello. I ran Avenger2, below is the log, and following that the Malwarebytes log. Looks like it worked! I had to step away from my computer, but I think it booted up quicker, and Google searches are not taking me to random pages!!! How do I prevent this from happening again? I have AVG anti-virus and ZoneAlarm always running, and regularly use AdAware, Spybot and MalwareBytes. I still have almost constant low-level Internet activity, is that something to worry about? Maybe it is ZoneAlarm reacting to programs I have blocked? Thanks again!!!!!!!!!!!!!!!!!!!

     Logfile of The Avenger Version 2.0, © by Swandog46
     http://swandog46.geekstogo.com

     Platform: Windows XP

     *******************

     Script file opened successfully.
     Script file read successfully.
     Backups directory opened successfully at C:\Avenger

     *******************

     Beginning to process script file:

     Rootkit scan active.
     No rootkits found!

     File move operation "C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\iaStor.sys|C:\WINDOWS\system32\drivers\iaStor.sys" completed successfully.

     Completed script processing.

     *******************

     Finished! Terminate.

     Malwarebytes' Anti-Malware 1.41
     Database version: 2876
     Windows 5.1.2600 Service Pack 3

     9/30/2009 11:38:43 AM
     mbam-log-2009-09-30 (11-38-43).txt

     Scan type: Quick Scan
     Objects scanned: 103341
     Time elapsed: 6 minute(s), 1 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)
  7. OK, here you go.

     SERVICE_NAME: atapi
     DISPLAY_NAME: Standard IDE/ESDI Hard Disk Controller
             TYPE               : 1  KERNEL_DRIVER
             STATE              : 4  RUNNING
                                     (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
             WIN32_EXIT_CODE    : 0  (0x0)
             SERVICE_EXIT_CODE  : 0  (0x0)
             CHECKPOINT         : 0x0
             WAIT_HINT          : 0x0

     SERVICE_NAME: iaStor
     DISPLAY_NAME: Intel RAID Controller
             TYPE               : 1  KERNEL_DRIVER
             STATE              : 4  RUNNING
                                     (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
             WIN32_EXIT_CODE    : 0  (0x0)
             SERVICE_EXIT_CODE  : 0  (0x0)
             CHECKPOINT         : 0x0
             WAIT_HINT          : 0x0

     "C:\WINDOWS\system32\drivers\iaStor.sys" 250368 02/21/2006 12:44 PM
     "C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\iaStor.sys" 250368 02/21/2006 12:44 PM
  8. Lonny, hi. Here is the SysInspector log. SysInspector_HP_A1620N_090929_1132.zip
  9. Hello. Before I got your last reply, I ran the check.bat file in Task Manager, similar to the way you said. It created a look.txt file, but it was empty. I deleted the look.txt file, then ran it again with your instructions. I let it run over an hour, and think it was finished. It created another look.txt file, but it was also empty. I turned off Yahoo Messenger and closed the explorer file; should I have closed other programs too?
  10. Lonny. Hello. When you say 'run that batch file', how do I do that? The screen is blank (all blue) after closing explorer. Approximately how long will it take to run? I forgot to mention, but there is ALWAYS internet traffic on this computer, I can tell by the modem activity light and the ZoneLabs activity icon. Has the system been hijacked? I can turn off Internet activity through ZoneAlarm, but need to use the computer quite a bit every day. Should I change passwords?
  11. Lonny. Hello. I deleted the Norton program suite. I ran Combofix, and have pasted the log below. I could not run GMER the way you specified (not sure of my administrator login, or if I have one). I ran it 'default'. It had 'errors' when it finished, and seems it did not save a log file. It only found one 'red line' error, and I saved that as a jpeg screen shot for you to view (see attachment). Hopefully, this will be enough information for you. If not, let me know what to do next.
  12. Yes, I found instructions to remove it. Looks like I have to run it, register it, then uninstall it. I'll try and do that, and then run combofix again.
  13. Lonny. Hello again. I tried running Combofix and it said it found 'Norton Internet Security 2006' to be active. My computer came with a Norton suite, but I don't think I ever 'used it'. It's not running as far as I can tell. What should I do?
  14. Lonny. Attached is the tdlwsp.dll text file. tdlwsp.dll.txt
  15. Lonny. Hello, thank you for your reply. No, I have not posted in any other forums. I ran the internals process explorer. It only found "tdlwsp.dll". In the bottom half of the process explorer screen, it only shows the name of that file; if I click on properties it says: "\\?\globalroot\Device\Ide\iaStor0\tqxxtadc\tqxxtadc\tdlwsp.dll". If I use the 'Process Explorer Search' box function, it finds 3 entries for tdlwsp.dll (I can't copy and paste them however). Right clicking on it (or any others) does not show an unload option. Also, I have had no sound on my computer for the last couple days!
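One way to pick the rootkit indicator out of a loaded-module listing like the ComboFix output and the Process Explorer path posted in this thread, as an added example that is not code from the thread or from any tool named in it; the sample log is constructed to follow the shape of ComboFix's "DLLs Loaded Under Running Processes" section, and module names other than tdlwsp.dll are illustrative:

```python
"""Flag modules whose image path lives in the NT object namespace
(\\?\globalroot\Device\...) instead of a drive letter, the pattern seen
with tdlwsp.dll in this thread.  Added example; constructed sample input."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of ComboFix's loaded-DLL section.
SAMPLE_LOG = r"""
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(604)
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(3272)
c:\windows\system32\WININET.dll
tdlwsp.dll 10000000 36864 \\?\globalroot\Device\Ide\iaStor0\sviwwxbj\sviwwxbj\tdlwsp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
"""

# Process header: "- - - - - - - > 'image.exe'(pid)"
PROCESS_RE = re.compile(r"^(?:-\s)+>\s*'(?P<image>[^']+)'\((?P<pid>\d+)\)")
# A module line is either a bare path or "name base size path";
# capture from the first drive-letter or \\?\ prefix to end of line.
PATH_RE = re.compile(r"((?:[a-zA-Z]:\\|\\\\\?\\)\S.*)$")


def parse_loaded_modules(text: str) -> Dict[Tuple[str, int], List[str]]:
    """Return {(process image, pid): [module paths]} for the section."""
    modules: Dict[Tuple[str, int], List[str]] = {}
    current: Optional[Tuple[str, int]] = None
    for raw in text.splitlines():
        line = raw.strip()
        head = PROCESS_RE.match(line)
        if head:
            current = (head.group("image"), int(head.group("pid")))
            modules.setdefault(current, [])
            continue
        path = PATH_RE.search(line)
        if path and current is not None:
            modules[current].append(path.group(1))
    return modules


def is_hidden_device_path(path: str) -> bool:
    """True when the module is mapped straight from a device object rather
    than a mounted volume; ordinary user-mode DLLs never load that way."""
    return path.lower().startswith("\\\\?\\globalroot\\device\\")


def suspicious_modules(text: str) -> List[Tuple[str, int, str]]:
    """(process, pid, path) for every module loaded from a hidden device path."""
    return [(image, pid, path)
            for (image, pid), paths in parse_loaded_modules(text).items()
            for path in paths if is_hidden_device_path(path)]


if __name__ == "__main__":
    for image, pid, path in suspicious_modules(SAMPLE_LOG):
        print(f"{image} ({pid}) has a module from a hidden device: {path}")
```

The same check applies to a Process Explorer "Path" column: a user-mode DLL reported under \\?\globalroot\Device\ rather than a drive letter is the thing to investigate, whatever its file name.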