Got ComboFix to run in safe mode. Looks like it was able to do its thing this time. Scan results:

ComboFix 11-10-16.02 - HP_Administrator 10/16/2011  21:10:59.20.2 - x86 MINIMAL
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3582.3156 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\HP_Administrator\WINDOWS
c:\windows\{2521BB91-29B1-4d7e-9137-AC9875D77735}
c:\windows\HPCPCUninstaller-6.3.2.116-9972322.exe
c:\windows\kb913800.exe
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000010_.tmp.dll
c:\windows\system32\_000011_.tmp.dll
c:\windows\system32\_000012_.tmp.dll
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\d3d9caps.dat
D:\Autorun.inf
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe . . . is infected!!
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe . . . is infected!!
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe . . . is infected!!
c:\program files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe . . . was deleted!! You should re-install the program it pertains to
.
Infected copy of c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE was found and disinfected
Restored copy from - c:\windows\system32\spool\drivers\w32x86\3\E_S40RP7.EXE
.
c:\windows\system32\FsUsbExService.Exe . . . is infected!!
c:\windows\system32\FsUsbExService.Exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe . . . is infected!!
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\iPod\bin\iPodService.exe . . . is infected!!
c:\program files\iPod\bin\iPodService.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Java\jre6\bin\jqs.exe . . . is infected!!
c:\program files\Java\jre6\bin\jqs.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Common Files\LightScribe\LSSrvc.exe . . . is infected!!
c:\program files\Common Files\LightScribe\LSSrvc.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe . . . is infected!!
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe . . . was deleted!! You should re-install the program it pertains to
.
.
(((((((((((((((((((((((((   Files Created from 2011-09-17 to 2011-10-17   )))))))))))))))))))))))))))))))
.
.
2072-08-01 01:44 . 2004-08-24 22:27   375808  ----a-w-  c:\program files\Microsoft Games\Halo\binkw32.dll
2011-10-14 19:29 . 2008-06-24 15:52    32384  ----a-r-  c:\windows\system32\drivers\ax88772.sys
2011-10-14 19:08 . 2008-04-13 18:39    14592  ----a-w-  c:\windows\system32\drivers\kbdhid.sys
2011-10-14 19:08 . 2008-04-13 18:39    14592  ----a-w-  c:\windows\system32\dllcache\kbdhid.sys
2011-10-14 02:09 . 2011-10-14 02:10  --------  dc-h--w-  c:\windows\ie8
2011-10-12 02:16 . 2011-06-29 17:51   112800  ----a-w-  c:\windows\system32\IPROSetMonitor.exe
2011-10-10 03:54 . 2011-10-10 03:54  --------  d-----w-  c:\program files\Support Tools
2011-10-08 19:47 . 2011-10-17 04:10  --------  d-----w-  c:\windows\system32\CatRoot2
2011-10-01 04:49 . 2011-10-01 04:49  --------  d-----w-  c:\program files\XP TCPIP Repair
2011-10-01 04:49 . 2008-11-13 17:26   616024  ----a-w-  c:\windows\system32\COMCTL32.OCX
2011-10-01 02:33 . 2011-10-01 02:33  --------  d-----w-  C:\OEMSettings
2011-10-01 02:33 . 2011-10-01 02:33  --------  d-----w-  c:\program files\NETGEAR
2011-09-30 05:20 . 2011-09-01 00:00    22216  ----a-w-  c:\windows\system32\drivers\mbam.sys
2011-09-30 02:07 . 2011-09-30 02:07  --------  d-----w-  c:\program files\CCleaner
2011-09-30 02:00 . 2011-09-30 02:00  --------  d-----w-  c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2011-09-30 02:00 . 2011-09-30 02:00  --------  d-----w-  c:\documents and settings\All Users\Application Data\Malwarebytes
2011-09-30 02:00 . 2011-10-01 22:13  --------  d-----w-  c:\program files\Malwarebytes' Anti-Malware
2011-09-29 22:41 . 2011-09-29 22:41    48016  --sha-w-  c:\windows\system32\c_47915.nl_
2011-09-27 03:28 . 2011-09-27 03:28  --------  d-----w-  c:\documents and settings\LocalService\Application Data\Apple Computer
2011-09-21 03:41 . 2011-09-03 06:01   134104  ----a-w-  c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-09-21 03:41 . 2011-09-03 06:01    89048  ----a-w-  c:\program files\Mozilla Firefox\libEGL.dll
2011-09-21 03:41 . 2011-09-03 06:01   785368  ----a-w-  c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-09-21 03:41 . 2011-09-03 06:01   478168  ----a-w-  c:\program files\Mozilla Firefox\libGLESv2.dll
2011-09-21 03:41 . 2011-09-03 06:01  1846232  ----a-w-  c:\program files\Mozilla Firefox\mozjs.dll
2011-09-21 03:41 . 2011-09-03 06:01    15832  ----a-w-  c:\program files\Mozilla Firefox\mozalloc.dll
2011-09-21 03:41 . 2011-09-02 23:26  2106216  ----a-w-  c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-09-21 03:41 . 2011-09-02 23:26  1998168  ----a-w-  c:\program files\Mozilla Firefox\d3dx9_43.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-25 21:58 . 2011-08-06 02:06   404640  ----a-w-  c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-09 09:12 . 2004-08-09 21:00   599040  ----a-w-  c:\windows\system32\crypt32.dll
2011-08-04 22:51 . 2009-11-01 21:09   101720  ----a-w-  c:\windows\system32\drivers\SBREDrv.sys
2011-09-03 06:01 . 2011-09-21 03:41   134104  ----a-w-  c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 68856]
"Creative Live! Cam Manager"="c:\program files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe" [2006-06-01 143360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"LanUpdate"="c:\program files\Netgear Update Assistant\LanUpdate.exe" [2008-05-02 77824]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"AVFX Engine"="c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 24576]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 16239616]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-02-21 143360]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-28 188416]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"ftutil2"="ftutil2.dll" [2004-06-07 106496]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-06 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
.
c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
Freecom Personal Media Suite.lnk - c:\program files\Freecom Personal Media Suite\FCPMS.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-8-6 111376]
NETGEAR WG311v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG311v3\wlancfg5.exe [2006-1-26 1486848]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-8-6 51984]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-10-12 36903]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-10-12 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-10-12 27136]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute  REG_MULTI_SZ  autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
.
R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [10/11/2011 7:16 PM 112800]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe --> c:\windows\system32\FsUsbExService.Exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/25/2009 11:36 AM 133104]
S3 dump_wmimmc;dump_wmimmc;\??\c:\program files\Bots\GameGuard\dump_wmimmc.sys --> c:\program files\Bots\GameGuard\dump_wmimmc.sys [?]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [12/12/2009 1:40 PM 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [12/12/2009 1:40 PM 8456]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [1/16/2011 11:38 AM 36608]
S3 GamesAppService;GamesAppService;c:\program files\WildTangent Games\App\GamesAppService.exe [10/12/2010 10:59 AM 206072]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/25/2009 11:36 AM 133104]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 V0250Dev;Live! Cam Notebook Pro;c:\windows\system32\drivers\V0250Dev.sys [1/27/2011 9:47 PM 163840]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
.
2011-10-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-25 18:36]
.
2011-10-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-25 18:36]
.
2011-10-17 c:\windows\Tasks\User_Feed_Synchronization-{83B79092-1BCA-4C86-8B4E-AFB0C53E7217}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Trusted Zone: hp.com\wimpro2.cce
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\i6290glg.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://ws.infospace.com/guppy/ws/redir?qcat=web&qkw=
.
.
------- File Associations -------
.
.scr=DWGTrueViewScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-NPSStartup - (no file)
HKLM-Run-PCDrProfiler - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-16 21:25
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\437a4220]
"imagepath"="\??\c:\windows\TEMP\5E18.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1641569665-1972677299-149907755-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FFC6EBA8-0FD4-3D59-AC2F-5464E5BF1E30}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oakbfehkijfdlaegbbcnddioihnldj"=hex:64,61,6a,64,61,6f,62,70,00,85
"oaocmbdegmknffhadmekecggddahfa"=hex:6a,61,6b,64,67,6f,69,69,61,65,6c,67,6f,6f,
   66,70,61,6c,70,67,00,0f
"naibddmlogbnjcanfokladmiofjg"=hex:6a,61,6b,64,67,6f,69,69,61,65,6c,67,6f,6f,
   66,70,61,6c,70,67,00,0f
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\MrvGINA.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'Explorer.exe'(2696)
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\RTHDCPL.EXE
c:\windows\eHome\ehmsas.exe
c:\hp\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2011-10-16  21:30:58 - machine was rebooted
ComboFix-quarantined-files.txt  2011-10-17 04:30
.
Pre-Run: 73,466,458,112 bytes free
Post-Run: 69,874,794,496 bytes free
.
- - End Of File - - 7A88BF58EE796A4AF0A6B5E2A93D9812