VanHelsing

Honorary Members
  • Posts

    35

Everything posted by VanHelsing

  1. Scans all clear. So was this a false positive or just the AI? Again thanks to you both for helping me! MB scan.txt
  2. Thank you both so much! I will update to the latest version of Malwarebytes. Thanks again!
  3. Hello Advanced Setup! Here is the file. Thanks! 2864a72d-8605-47c8-bcb8-e65983930706.zip
  4. hmmm. ok so I restored the file and tried to go to its location (copied and pasted location from text file) but it gives me multiple folders? So I don't know how to proceed from here?
  5. Ok here is the file. Hope this is what you need? Avastfile detection.txt
  6. Hello- Malwarebytes picked up a malware file with this string and put it in quarantine... ProgramData\Avastsoftware\cleanup\backups\Old_installations\2864a72d-8605-47c8-e65983930706.zip. Just thinking this might be a false positive? Thanks!
  7. Hello- MBAM reported this in a scan this morning. Is this a FP? Thanks in advance!
     Malwarebytes' Anti-Malware 1.34
     Database version: 1851
     Windows 5.1.2600 Service Pack 2
     3/15/2009 12:52:09 PM
     mbam-log-2009-03-15 (12-52-09).txt
     Scan type: Quick Scan
     Objects scanned: 74485
     Time elapsed: 3 minute(s), 35 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 1
     Folders Infected: 0
     Files Infected: 0
     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
     Folders Infected: (No malicious items detected)
  8. Hello Advanced- I restored Wextract.exe from quarantine and did a re-scan with database 1790. Results below:
     Malwarebytes' Anti-Malware 1.34
     Database version: 1790
     Windows 5.1.2600 Service Pack 2
     2/21/2009 11:31:18 PM
     mbam-log-2009-02-21 (23-31-18).txt
     Scan type: Quick Scan
     Objects scanned: 75822
     Time elapsed: 4 minute(s), 36 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0
     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected: (No malicious items detected)
     Folders Infected: (No malicious items detected)
     Files Infected: (No malicious items detected)
     looks to be ok! thanks!
  9. Hello- I Googled this .exe and it said it was a Windows file? Is that correct or am I actually infected? thanks! Log below:
     Malwarebytes' Anti-Malware 1.34
     Database version: 1785
     Windows 5.1.2600 Service Pack 2
     2/21/2009 12:14:03 PM
     mbam-log-2009-02-21 (12-14-03).txt
     Scan type: Quick Scan
     Objects scanned: 74101
     Time elapsed: 4 minute(s), 10 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 1
     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected: (No malicious items detected)
     Folders Infected: (No malicious items detected)
     Files Infected: C:\WINDOWS\system32\wextract.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
  10. Thanks for the quick replies Exile- I ran a quick scan and everything ran and looks ok. Thanks!
  11. Hello- When I say upgraded again I meant I upgraded the database. Sorry didn't make that clear before. On re-boots since then though I get no errors so do you think it's okay? thanks!
  12. Hello- My MBAM automatically upgraded to version 1.34 the other night. Now when I do a scan it does not say that it does a heuristic scan after scanning the files. Is this right? Or is this a bad install? I had 2 errors on the re-boot after the upgrade saying it could not find certain files. I upgraded again and the warnings went away. Just wondering if this is new to the version? Thanks!
  13. Advanced--Man I about had a stroke when I ran that Oldtimer tool. My computer froze at the recovery console. I had to do a forced re-start then it booted into windows. (Is this normal?) On the HiJack log you will notice a few new anti-spyware items I have installed as I'm trying to take a pro-active approach to this crud. The best defense is a good offense. Thinking of getting rid of the All-seeing Eye though as you have to ok every process. I think it's still in the "learning mode". Also have Win Patrol and Key Scrambler. Anyway thanks again sir for all your help! Logs are below:
      Malwarebytes' Anti-Malware 1.33
      Database version: 1675
      Windows 5.1.2600 Service Pack 2
      1/21/2009 10:22:06 PM
      mbam-log-2009-01-21 (22-22-06).txt
      Scan type: Quick Scan
      Objects scanned: 58533
      Time elapsed: 6 minute(s), 4 second(s)
      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0
      Memory Processes Infected: (No malicious items detected)
      Memory Modules Infected: (No malicious items detected)
      Registry Keys Infected: (No malicious items detected)
      Registry Values Infected: (No malicious items detected)
      Registry Data Items Infected: (No malicious items detected)
      Folders Infected: (No malicious items detected)
      Files Infected: (No malicious items detected)
  14. Advanced- I think I discovered the problem of why combofix did not work the first time. I know it is very important that the anti-virus not run during this process and if it does the process may not work or hang. I had disabled the anti-virus until re-start the first time around (did not expect the re-boot) and even though combofix finished it did not work. The second time I made sure I used the 5-hour disable on the anti-virus and combofix removed all of the infection. It ran a lot longer (hard-drive light action) this time as well as after the re-boot. I ran Kasperskys to do a clean up and all is well. Used CCleaner again to also do some clean up. I re-installed the latest Java and everything seems fine. MBAM scans reveal no infection as well. Uninstalled combofix from the Run prompt to delete the quarantine and re-set the restore point. Want to say thanks again for all your hard work. If not for your help I would still be in the soup.
  15. hey how about this. If I get a new C: drive (my Hp notebook features a hot swappable drive) and use the old C: as storage. Of course Wiping the Windows folders on that drive. Would that kill it? Also, I had an external WD Passport drive on the usb port. Could this thing have migrated to it? thanks!
  16. Advanced- doing some troubleshooting I started up with the network cable unplugged and Norton did not flag the trojan. As soon as I plugged in the cable and it found the connection the Norton boxes popped up saying it had found the trojan. I'm assuming this thing was phoning home? I have cancelled the credit cards and banking log-ins via contacting my credit institutions as a precaution. Thanks!
  17. Advanced- Doing some research on-line this trojan has files with .wow (World of Warcraft) that come up as infected. I looked in the system32 folder and I have the following ".wow" files: (do these look legit?)
      wow32.dll
      wowded.exe
      wowexec.exe
      wowfax.dll
      wowfaxiui.dll
      wowformf83_401.dll
      as well as those Altsystem9979.exe and Altsystem723733.exe. Hope this helps? Thanks again!
  18. Cool- Have a good weekend! Let me amend what I said about not finding those files in the System32 folder. I looked for them after the Mbam scan so they were deleted by the tool at that point. Today I went and looked before running anything (Norton now finds the same trojan on every start-up) and there were 2 Altsystem files in the system32 folder. I removed both. But I know they'll be back upon re-boot. Thanks again Advanced for your patience and help!
  19. Advanced- Bad news. The full Norton scan was clean but when I re-booted the Trojan (infostealer.gampass) was back and Norton picked it up in Temp internet files. This after running CCleaner? I ran another Mbam scan (log below) and it found 2 more Altsystem files in the System32 folder. Only this time those files were not there. I had folder option as show hidden files but I could not see them.
      Malwarebytes' Anti-Malware 1.33
      Database version: 1659
      Windows 5.1.2600 Service Pack 2
      1/17/2009 3:39:34 AM
      mbam-log-2009-01-17 (03-39-34).txt
      Scan type: Quick Scan
      Objects scanned: 54098
      Time elapsed: 3 minute(s), 44 second(s)
      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 2
      Memory Processes Infected: (No malicious items detected)
      Memory Modules Infected: (No malicious items detected)
      Registry Keys Infected: (No malicious items detected)
      Registry Values Infected: (No malicious items detected)
      Registry Data Items Infected: (No malicious items detected)
      Folders Infected: (No malicious items detected)
      Files Infected:
      C:\WINDOWS\system32\atlsystem215601.exe (Trojan.Agent) -> Quarantined and deleted successfully.
      C:\WINDOWS\system32\atlsystem996109.exe (Trojan.Agent) -> Quarantined and deleted successfully.
      Thanks!
  20. Advanced- Doing a full system antivirus scan now. Can you post the info on how to update Java now that I appear to be clean? Also should I do a System Restore off/on to flush the restore points? Thanks!
  21. Advanced- I deleted those files in the System32 folder and ran CCleaner as instructed. Then another update of Mbam and ran that as well: Result below...
      Malwarebytes' Anti-Malware 1.33
      Database version: 1659
      Windows 5.1.2600 Service Pack 2
      1/16/2009 7:47:42 PM
      mbam-log-2009-01-16 (19-47-42).txt
      Scan type: Quick Scan
      Objects scanned: 53990
      Time elapsed: 2 minute(s), 35 second(s)
      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0
      Memory Processes Infected: (No malicious items detected)
      Memory Modules Infected: (No malicious items detected)
      Registry Keys Infected: (No malicious items detected)
      Registry Values Infected: (No malicious items detected)
      Registry Data Items Infected: (No malicious items detected)
      Folders Infected: (No malicious items detected)
      Files Infected: (No malicious items detected)
      Is this trojan (infostealer.gampass) just used for stealing gaming passwords or does it mine for financial info as well? Once again thank you Advanced for all your hard work. Hoping I'm a little closer to the end of this nightmare!
  22. Hello advanced- ok looking in the System32 folder there are 7 of those "atlsystem" executables.
      altsystem175215.exe
      altsystem241345.exe
      altsystem262856.exe
      altsystem329969.exe
      altsystem652304.exe
      altsystem734837.exe
      altsystem926783.exe
      Booting up tonight Norton found the "infostealer.gampass" in the temporary internet files in documents and settings. Should I delete the temp folder? Also should I go ahead and delete all of the above? They include the 2 files you told me to delete earlier. Thanks!
  23. Advanced--good to know scan looks ok. I will look at those files and try to delete them tonight when I get home. I did a re-boot last night to test things and Norton found the "infostealer.gampass" again instantly. It said it cleaned some and could not clean others. Are those files in the System32 directory related to this virus? thanks again!
  24. I notice that I have a lot of processes in that log. I disabled the Norton/script detection and also Zone Alarm and SuperAntiSpyware but I was not expecting a restart so those loaded right back up. Hope that did not taint the scan? Does the fact that the scan completed on its own mean those did not have an adverse effect on the tool? Hope so cause I thought I was being really careful with the instructions. Just didn't count on the reboot. P.S. Is Zone Alarm a valid firewall or is it mickey mouse? I have a router but I've always used the free version of Zone Alarm as well. Thanks Advanced!
  25. Advanced after a lengthy wait it finally finished....whew!!!! here is the log below: thanks again for all your help! ComboFix 09-01-13.04 - Van Halen 2009-01-15 18:35:04.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2513 [GMT -5:00] Running from: c:\documents and settings\Van Halen\Desktop\ComboFix.exe AV: Norton AntiVirus 2005 *On-access scanning disabled* (Updated) FW: Norton Internet Worm Protection *enabled* FW: ZoneAlarm Firewall *enabled* * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . F:\Autorun.inf . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_DEFAULTLIB ((((((((((((((((((((((((( Files Created from 2008-12-15 to 2009-01-15 ))))))))))))))))))))))))))))))) . 2009-01-15 18:07 . 2009-01-15 18:07 65,244 --a------ c:\windows\system32\atlsystem652304.exe 2009-01-15 18:06 . 2009-01-15 18:07 106,203 --a------ c:\windows\system32\atlsystem329969.exe 2009-01-12 22:43 . 2009-01-14 18:05 250 --a------ c:\windows\gmer.ini 2009-01-11 23:02 . 2009-01-11 23:02 <DIR> d-------- c:\program files\Trend Micro 2009-01-11 21:15 . 2009-01-11 21:15 <DIR> d-------- c:\program files\SUPERAntiSpyware 2009-01-11 21:15 . 2009-01-11 21:15 <DIR> d-------- c:\documents and settings\Van Halen\Application Data\SUPERAntiSpyware.com 2009-01-11 21:15 . 2009-01-11 21:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2009-01-11 02:57 . 2009-01-14 17:58 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-01-11 02:57 . 2009-01-11 02:57 <DIR> d-------- c:\documents and settings\Van Halen\Application Data\Malwarebytes 2009-01-11 02:57 . 2009-01-11 02:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-01-11 02:57 . 
2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2009-01-11 02:57 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2009-01-10 15:45 . 2004-08-04 00:56 116,224 --a------ c:\windows\system32\dllcache\xrxwiadr.dll 2009-01-10 15:45 . 2001-08-17 22:37 27,648 --a------ c:\windows\system32\dllcache\xrxftplt.exe 2009-01-10 15:45 . 2001-08-17 22:36 23,040 --a------ c:\windows\system32\dllcache\xrxwbtmp.dll 2009-01-10 15:45 . 2001-08-17 22:36 17,408 --a------ c:\windows\system32\dllcache\xrxscnui.dll 2009-01-10 15:45 . 2001-08-17 22:37 4,608 --a------ c:\windows\system32\dllcache\xrxflnch.exe 2009-01-10 15:43 . 2001-08-17 13:28 794,654 --a------ c:\windows\system32\dllcache\usr1801.sys 2009-01-10 15:42 . 2001-08-17 22:36 525,568 --a------ c:\windows\system32\dllcache\tridxp.dll 2009-01-10 15:41 . 2001-08-17 14:01 241,664 --a------ c:\windows\system32\dllcache\tosdvd02.sys 2009-01-10 15:40 . 2001-08-17 12:18 285,760 --a------ c:\windows\system32\dllcache\stlnata.sys 2009-01-10 15:39 . 2004-08-04 08:00 456,704 --a------ c:\windows\system32\dllcache\smtpsvc.dll 2009-01-10 15:38 . 2001-08-17 22:36 386,560 --a------ c:\windows\system32\dllcache\sgiul50.dll 2009-01-10 15:37 . 2001-08-17 22:36 495,616 --a------ c:\windows\system32\dllcache\sblfx.dll 2009-01-10 15:36 . 2001-08-17 13:28 899,146 --a------ c:\windows\system32\dllcache\r2mdkxga.sys 2009-01-10 15:35 . 2004-08-04 00:56 259,328 --a------ c:\windows\system32\dllcache\perm3dd.dll 2009-01-10 15:34 . 2001-08-17 14:05 351,616 --a------ c:\windows\system32\dllcache\ovcodek2.sys 2009-01-10 15:33 . 2004-08-04 00:56 1,737,856 --a------ c:\windows\system32\dllcache\mtxparhd.dll 2009-01-10 15:32 . 2001-08-17 12:50 320,384 --a------ c:\windows\system32\dllcache\mgaum.sys 2009-01-10 15:31 . 2001-08-17 13:28 802,683 --a------ c:\windows\system32\dllcache\ltsm.sys 2009-01-10 15:30 . 2004-08-04 00:56 702,845 --a------ c:\windows\system32\dllcache\i81xdnt5.dll 2009-01-10 15:29 . 
2004-08-03 22:41 1,041,536 --a------ c:\windows\system32\dllcache\hsfdpsp2.sys 2009-01-10 15:28 . 2001-08-17 14:56 1,733,120 --a------ c:\windows\system32\dllcache\g400d.dll 2009-01-10 15:27 . 2001-08-17 12:17 629,952 --a------ c:\windows\system32\dllcache\eqn.sys 2009-01-10 15:26 . 2001-08-17 12:14 952,007 --a------ c:\windows\system32\dllcache\diwan.sys 2009-01-10 15:25 . 2001-08-17 12:13 980,034 --a------ c:\windows\system32\dllcache\cicap.sys 2009-01-10 15:24 . 2004-08-04 00:56 1,888,992 --a------ c:\windows\system32\dllcache\ati3duag.dll 2009-01-10 15:23 . 2001-08-17 13:28 762,780 --a------ c:\windows\system32\dllcache\3cwmcru.sys 2009-01-10 15:22 . 2004-08-04 08:00 2,134,528 --a------ c:\windows\system32\dllcache\smtpsnap.dll 2009-01-06 01:13 . 2009-01-06 01:13 20 --a------ c:\windows\syscheck 2009-01-06 01:13 . 2009-01-06 01:13 19 --a------ c:\windows\sysche 2009-01-06 01:12 . 2009-01-06 01:12 69,632 --a------ c:\windows\system32\wowformf83_401.dll 2009-01-06 01:12 . 2009-01-06 01:12 19 --a------ c:\windows\sysche2 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2009-01-15 23:43 87,994,400 --sha-w c:\windows\system32\drivers\fidbox.dat 2009-01-15 23:37 1,032,116 --sha-w c:\windows\system32\drivers\fidbox.idx 2009-01-15 23:10 --------- d-----w c:\program files\Common Files\Symantec Shared 2009-01-14 22:46 --------- d-----w c:\program files\FlashGet 2009-01-12 02:14 --------- d-----w c:\program files\Common Files\Wise Installation Wizard 2009-01-02 17:16 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP 2009-01-01 22:33 --------- d-----w c:\program files\SpywareGuard 2009-01-01 22:32 --------- d-----w c:\program files\SpywareBlaster 2008-12-10 07:08 --------- d--h--w c:\program files\InstallShield Installation Information 2008-12-10 06:42 --------- d-----w c:\program files\WinPcap 2008-11-28 05:28 --------- d-----w c:\program files\Neoretix 2008-11-23 17:54 --------- d-----w c:\program files\2BrightSparks 2008-12-21 20:38 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll 2008-12-21 20:38 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll 2008-12-21 20:38 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll 2008-12-21 20:38 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll 2008-12-21 20:38 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll 2008-03-03 23:55 56 --sha-w c:\windows\SMINST\hpboot.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-22 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-25 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-25 81920]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2007-05-08 331552]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-09 806912]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-10-09 697976]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.exe" [2007-01-24 124928]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"Pthosttr"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-02 163840]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2007-05-03 57344]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 58728]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2008-03-20 100056]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"nwiz"="nwiz.exe" [2007-05-25 c:\windows\system32\nwiz.exe]
"MsmqIntCert"="mqrt.dll" [2007-07-06 c:\windows\system32\mqrt.dll]

c:\documents and settings\Van Halen\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-08-29 360448]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2007-02-06 20:30 74240 c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-04-30 10:19 49152 c:\windows\system32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=APSHook.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ SbHpNp scecli ASWLNPkg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
-ra------ 2001-07-09 04:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2007-04-26 100095]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2006-10-09 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2007-03-29 13696]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2007-04-26 5808]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-01-23 36608]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2007-07-16 47616]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
R4 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [2004-08-04 14336]
R4 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2004-08-04 14336]
R4 download02;Remote TCP/IP v9;c:\windows\System32\svchost.exe -k netsvcs [2004-08-04 14336]
R4 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2007-04-27 221184]
R4 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2007-07-16 540448]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [2007-04-23 30008]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [2007-04-30 172131]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S4 wowsystemcode123;Remote TCP/IP;c:\windows\System32\svchost.exe -k netsvcs [2004-08-04 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
Cognizance REG_MULTI_SZ ASBroker ASChannel

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
download02
wowsystemcode123

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - e:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1cd8a059-f161-11dc-bc7c-001f3b080859}]
\Shell\AutoRun\command - e:\wd_windows_tools\setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-01-10 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Van Halen.job
- c:\progra~1\NORTON~1\Navw32.exe [2005-10-19 11:54]
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)

.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
FF - ProfilePath - c:\documents and settings\Van Halen\Application Data\Mozilla\Firefox\Profiles\dthm4alz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-15 18:41:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????T??????????????|?M?|?????M?|&?@

scanning hidden files ...

c:\windows\system32\atlsystem175215.exe 65244 bytes executable
c:\windows\system32\atlsystem734837.exe 106203 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1052)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\DeviceNP.dll

- - - - - - - > 'lsass.exe'(1108)
c:\windows\SbHpNp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\scardsvr.exe
c:\program files\Hewlett-Packard\IAM\Bin\asghost.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\msdtc.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Norton AntiVirus\NAVAPSVC.EXE
c:\program files\Norton AntiVirus\IWP\NPFMNTOR.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\mqsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\windows\system32\mqtgsvc.exe
.
**************************************************************************
.
Completion time: 2009-01-15 20:24:15 - machine was rebooted [Van Halen]
ComboFix-quarantined-files.txt 2009-01-15 23:47:17

Pre-Run: 25,587,085,312 bytes free
Post-Run: 25,735,954,432 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

256 --- E O F --- 2009-01-14 00:31:24