
Elchupocabra
Honorary Members
Posts: 80

Everything posted by Elchupocabra

  1. Yeah! Been waiting to see that post for some time now. Before we close this thread, let me pick your brain real quick. I haven't really been satisfied with the antivirus software options that I have used (Symantec, Norton, and AVG). They tend to be super annoying, and AVG has been my favorite as the other two seem to cause more problems than they prevent (also helps that AVG is free). Anyway, I was wondering what antivirus software you recommend and what you think of the AVG 2011 that AVG insists on me downloading. Also, what are your thoughts on Spybot S&D? Unnecessary if I do the above recommendations? I kinda liked the TeaTimer but struggled to remember to turn it on when I had to turn it off.
  2. I had it delete the quarantined files and uninstall. Hope that's not a problem.

     C:\Qoobox\Quarantine\C\WINDOWS\system32\fjhdyfhsn.bat.vir  BAT/Agent.NGA trojan  cleaned by deleting - quarantined
     C:\Qoobox\Quarantine\C\WINDOWS\system32\qtplugin.exe.vir  a variant of Win32/Kryptik.IGB trojan  cleaned by deleting - quarantined
     C:\System Volume Information\_restore{2134AF20-2523-42E6-84BD-A5F95071EBBE}\RP1\A0001084.exe  a variant of Win32/Kryptik.IKS trojan  cleaned by deleting - quarantined
     C:\System Volume Information\_restore{2134AF20-2523-42E6-84BD-A5F95071EBBE}\RP4\A0001516.bat  BAT/Agent.NGA trojan  cleaned by deleting - quarantined
     C:\System Volume Information\_restore{2134AF20-2523-42E6-84BD-A5F95071EBBE}\RP4\A0001517.exe  a variant of Win32/Kryptik.IGB trojan  cleaned by deleting - quarantined
  3. 11 infected items!

     Malwarebytes' Anti-Malware 1.50
     www.malwarebytes.org

     Database version: 5296

     Windows 5.1.2600 Service Pack 3
     Internet Explorer 7.0.5730.13

     12/11/2010 1:39:39 PM
     mbam-log-2010-12-11 (13-39-39).txt

     Scan type: Full scan (A:\|C:\|D:\|E:\|G:\|)
     Objects scanned: 249876
     Time elapsed: 1 hour(s), 38 minute(s), 15 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 11

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     c:\Qoobox\quarantine\C\documents and settings\networkservice\application data\svchost.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
     c:\Qoobox\quarantine\C\program files\microsoft\watermark.exe.vir (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
     c:\Qoobox\quarantine\C\WINDOWS\system32\config\systemprofile\application data\svchost.exe.vir (Trojan.Zbot) -> Quarantined and deleted successfully.
     c:\system volume information\_restore{2134af20-2523-42e6-84bd-a5f95071ebbe}\RP1\A0001001.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
     c:\system volume information\_restore{2134af20-2523-42e6-84bd-a5f95071ebbe}\RP1\A0001083.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
     c:\system volume information\_restore{2134af20-2523-42e6-84bd-a5f95071ebbe}\RP1\A0001085.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
     c:\system volume information\_restore{2134af20-2523-42e6-84bd-a5f95071ebbe}\RP4\A0001511.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
     c:\system volume information\_restore{2134af20-2523-42e6-84bd-a5f95071ebbe}\RP4\A0001512.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
     c:\system volume information\_restore{2134af20-2523-42e6-84bd-a5f95071ebbe}\RP4\A0001515.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
     c:\documents and settings\networkservice\application data\abpzlw.dat (Malware.Trace) -> Quarantined and deleted successfully.
     c:\WINDOWS\system32\config\systemprofile\application data\abpzlw.dat (Malware.Trace) -> Quarantined and deleted successfully.
  4. I tried to update Java but it didn't like that I'm running Windows SP2 5.1, so I need to update that first. Isn't this stuff supposed to update itself? Automated updates only seem to pop up when I don't want them to; now I can't seem to trigger them. Other than that everything seems to be running fine.
  5. GooredFix by jpshortstuff (03.07.10.1)
     Log created at 04:02 on 09/01/2005 (Aaron)
     Firefox version 3.6.12 (en-US)

     ========== GooredScan ==========

     Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{CFE55696-EEEE-4BA7-8BBC-1EAF70550430} -> Success!
     Deleting C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{CFE55696-EEEE-4BA7-8BBC-1EAF70550430} -> Success!
  6. It might have done regular scan because it had to update. I tried it again. Here's the log:

     ComboFix 10-12-09.04 - Aaron 01/08/2005 19:39:40.6.1 - x86
     Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1724 [GMT -7:00]
  7. ComboFix 10-12-09.04 - Aaron 01/08/2005 13:08:04.5.1 - x86
     Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1723 [GMT -7:00]
  8. I forgot to plug in my slave before I ran combofix but here it is anyways:

     ComboFix 10-12-09.02 - Aaron 01/08/2005 3:36.4.1 - x86
     Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1723 [GMT -7:00]
{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} FF - Extension: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} FF - Extension: XUL Cache: {CFE55696-EEEE-4BA7-8BBC-1EAF70550430} - c:\windows\system32\config\systemprofile\Local Settings\Application Data\{CFE55696-EEEE-4BA7-8BBC-1EAF70550430} FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff . - - - - ORPHANS REMOVED - - - - Notify-avgrsstarter - avgrsstx.dll AddRemove-HijackThis - c:\documents and settings\Aaron\Desktop\HijackThis.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2005-01-08 03:44 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(820) c:\windows\System32\BCMLogon.dll . 
Completion time: 2005-01-08 03:47:57 ComboFix-quarantined-files.txt 2005-01-08 10:47 Pre-Run: 62,468,239,360 bytes free Post-Run: 62,495,895,552 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect Current=1 Default=1 Failed=0 LastKnownGood=6 Sets=1,2,3,4,5,6 - - End Of File - - 980D4DD3E6441B2BCE87405A32431460
  9. So combofix is requesting I uninstall AVG 8.5. But when I try to uninstall it via control panel, I get the following error:
Action Failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key... error 0x80070005
It won't let me uninstall it. Also, that list of programs to deactivate didn't include Zonealarms. Do I need to deactivate it? How?
  10. I'll have to do this when I get back from work. Can it be done from safe mode? My computer was chugging pretty hard.
  11. Success!!! At Last!!! So good to see my desktop again. But we still have work to do. AVG greeted me with a "Multiple Threat Detections" alert. It found the following Trojan Horses:
PSW.Generic8.AIXY (found 4 of these)
FakeAV.FUT
I simply turned off the computer without taking action on these infections and await your direction. Would now be a good time to plug the "slave" HDD back in?
  12. I can't seem to find those drivers on that disk. Anywhere else I can get 'em? Is that last link I provided good? What about this one: http://www.nvidia.com/object/nforce_nf4_winxp2k_6.53 It's looking for nvenetfd.inf and nvenetfd.in_
  13. Longest repair install ever. Now it wants "Some files on NVIDIA Network Bus installation Disk #1". Would those be on my "NVIDIA nForce4 Series Utility CD" or do I need to get them from this: http://www.soft32.com/download_183252.html
  14. Well, I did the repair. I got a message saying something along the lines of "Windows had previously tried a repair install but it was incomplete." My options were to retry a repair install, escape, or maybe a fresh install. I should have consulted with you before choosing, but my impatience got the best of me and I chose to retry the repair install. Now I'm at this screen: http://www.ianneubert.com/wp/wp-content/up...-xp-install.jpg I don't remember this screen from previous repair installs and I just wanted to make absolutely sure that I am on the correct path. Also, I would like to get a couple of Word documents off the sick PC and was wondering if I should just wait or if I could get them with xPUD or BartPE.
  15. You're gonna have to provide more detail here. Should I disable "IDE/SATA RAID function" in Integrated Peripherals? What are "slipstreamed SATA Drivers"? Where would I get them? You are remembering that I did a repair install of Windows previously, yes?
  16. Tue Jan 4 15:42:29 2005
Command line: TestDisk

TestDisk 6.12-WIP, Data Recovery Utility, April 2010
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
OS: Linux, kernel 2.6.31.2 (#5 SMP Mon Dec 7 11:56:35 UTC 2009) i686
Compiler: GCC 4.4 - Jul 27 2010 17:00:22
ext2fs lib: 1.41.9, ntfs lib: 10:0:0, reiserfs lib: 0.3.1-rc8, ewf lib: 20080501
/dev/sda: LBA, HPA, LBA48, DCO support
/dev/sda: size 312581808 sectors
/dev/sda: user_max 312581808 sectors
/dev/sda: native_max 312581808 sectors
/dev/sda: dco 312581808 sectors
Warning: can't get size for Disk /dev/mapper/control - 0 B - CHS 1 1 1, sector size=512
/dev/sr0 is not an ATA disk
/dev/sr1 is not an ATA disk
Warning: can't get size for Disk /dev/sr1 - 0 B - CHS 1 1 1 (RO), sector size=2048 - SONY DVD RW DW-Q28A
Hard disk list
Disk /dev/sda - 160 GB / 149 GiB - CHS 19457 255 63, sector size=512 - ATA WDC WD1600JD-22H
Disk /dev/sdc - 8019 MB / 7648 MiB - CHS 1022 247 62, sector size=512 - UFD USB Flash Drive
Disk /dev/sr0 - 67 MB / 64 MiB - CHS 32770 1 1 (RO), sector size=2048 - SONY DVD-ROM DDU1615

Partition table type (auto): Intel
Disk /dev/sda - 160 GB / 149 GiB - ATA WDC WD1600JD-22H
Partition table type: Intel

Interface Advanced
Geometry from i386 MBR: head=255 sector=63
NTFS at 0/1/1
get_geometry_from_list_part_aux head=255 nbr=2
get_geometry_from_list_part_aux head=8 nbr=2
get_geometry_from_list_part_aux head=16 nbr=2
get_geometry_from_list_part_aux head=32 nbr=2
get_geometry_from_list_part_aux head=64 nbr=2
get_geometry_from_list_part_aux head=128 nbr=2
get_geometry_from_list_part_aux head=240 nbr=2
get_geometry_from_list_part_aux head=255 nbr=2
     1 * HPFS - NTFS                  0   1  1 19455 254 63  312560577
     NTFS, 160 GB / 149 GiB
ntfs_boot_sector
     1 * HPFS - NTFS                  0   1  1 19455 254 63  312560577
     NTFS, 160 GB / 149 GiB
NTFS at 0/1/1
NTFS at 0/1/1
filesystem size           312560577
sectors_per_cluster       8
mft_lcn                   786432
mftmirr_lcn               19535036
clusters_per_mft_record   -10
clusters_per_index_record 1
Boot sector
Status: OK
Backup boot sector
Status: OK

Sectors are identical.

A valid NTFS Boot sector must be present in order to access
any data; even if the partition is not bootable.
ntfs_boot_sector
     1 * HPFS - NTFS                  0   1  1 19455 254 63  312560577
     NTFS, 160 GB / 149 GiB
NTFS at 0/1/1
NTFS at 0/1/1
filesystem size           312560577
sectors_per_cluster       8
mft_lcn                   786432
mftmirr_lcn               19535036
clusters_per_mft_record   -10
clusters_per_index_record 1
Boot sector
Status: OK

Backup boot sector
Status: OK

Sectors are identical.

A valid NTFS Boot sector must be present in order to access
any data; even if the partition is not bootable.

SIGHUP detected! TestDisk has been killed.
  17. I never got this warning before, so I will wait for your direction on this.
  18. I'm getting the following warning:
This computer appears to have a non-standard or invalid master boot record. FIXMBR may damage your partition tables if you proceed. This could cause all the partitions on the current hard disk to become inaccessible. If you are not having problems accessing your drive, do not continue. Are you sure you want to write a new MBR?
Kind of a frightening warning.
  19. I tried quitting all the way out, and the log only consisted of the date stamp.
  20. (Same TestDisk log as in post 16.)
  21. My HDD comes up as sda1; is the '1' missing in that last bit of code?
  22. Also, sbd1 doesn't show up after the boot; I have to unplug the USB and replug it to get an sbd1. If I unplug it again, the sbd1 stays there, and upon replugging the USB it comes up as sbc1. (sbd1 is still available at this point as well.)
  23. When I type bash dump.sh in the terminal it responds:
1-0 records in
1-0 records out
and no log comes up. I deleted the dump.sh that came up with a .txt extension even though it didn't have that extension on my clean PC.