The aftermath of trojan.bho infection


This is my first post, being a new member. About 4 months ago MBAM recognized the trojan.bho bug on my computer (Windows XP/SP3) and removed it successfully. Three days later the same symptoms were back, e.g. denial of access to my password, plus additional ones such as failure to access MBAM, to start the computer in safe mode, and to navigate the internet. I finally rested the PC, disconnecting the LAN connection, and used only my kids' Windows 7 PC until now, when I got the time to seek your help and apply myself to fixing the disabled PC. I have read up on much of your guidance to other members, but my most urgent request is how to use my working computer to repair the disabled PC: what to download, etc. Your assistance will be deeply appreciated.

I have since downloaded and transferred the DDS files to the disabled PC, but we are unable to log in as administrators, a requirement for deploying the DDS software. We are stuck. If there is any way out of this conundrum we would really appreciate your help.

sweeneyj7th


Welcome to the forum... see if you can do this:

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system (don't run any other options, they're not all bad!)

Post back the report.

MrC


Thanks, MrC, for the quick response. We still cannot start as Administrators, but here are the RogueKiller scan reports:

RK_Quarantine Report:

Time : 10/05/2012 09:42:28

--------------------------

[arpwrmsg.exe.vir] -> C:\WINDOWS\ARPWRMSG.EXE

Time : 10/05/2012 09:44:50

--------------------------

[arpwrmsg.exe.vir] -> C:\WINDOWS\ARPWRMSG.EXE

Time : 10/05/2012 09:44:59

--------------------------

[arpwrmsg.exe.vir] -> C:\WINDOWS\ARPWRMSG.EXE

Time : 10/05/2012 09:45:07

--------------------------

[arpwrmsg.exe.vir] -> C:\WINDOWS\ARPWRMSG.EXE

Time : 10/05/2012 09:48:06

--------------------------

[arpwrmsg.exe.vir] -> C:\WINDOWS\ARPWRMSG.EXE

Time : 10/05/2012 11:02:06

--------------------------

RK-Report (1)

RogueKiller V7.4.4 [05/08/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User: Sami & Mandi [Restricted rights]

Mode: Scan -- Date: 05/10/2012 09:42:30

¤¤¤ Bad processes: 1 ¤¤¤

[SUSP PATH] arpwrmsg.exe -- C:\WINDOWS\ARPWRMSG.EXE -> KILLED [TermProc]

¤¤¤ Registry Entries: 47 ¤¤¤

[] HKLM\[...]\Run : () -> ACCESS DENIED

[] HKLM\[...]\RunOnce : () -> ACCESS DENIED

[] HKLM\[...]\RunOnceEx : () -> ACCESS DENIED

[] HKLM\[...]\Winlogon : () -> ACCESS DENIED

[] HKLM\[...]\Windows : () -> ACCESS DENIED

[] HKLM\[...]\services : () -> ACCESS DENIED

[] HKLM\[...]\services : () -> ACCESS DENIED

[] HKLM\[...]\Root : () -> ACCESS DENIED

[] HKLM\[...]\Root : () -> ACCESS DENIED

[] HKLM\[...]\Internet Settings : () -> ACCESS DENIED

[] HKLM\[...]\Parameters : () -> ACCESS DENIED

[] HKLM\[...]\Parameters : () -> ACCESS DENIED

[] HKLM\[...]\Image File Execution Options : () -> ACCESS DENIED

[] HKCU\[...]\Policies\Explorer\Explorer : () -> ACCESS DENIED

[] HKCU\[...]\Policies\Explorer\Explorer : () -> ACCESS DENIED

[] HKLM\[...]\System : () -> ACCESS DENIED

[] HKLM\[...]\System : () -> ACCESS DENIED

[] HKLM\[...]\System : () -> ACCESS DENIED

[] HKLM\[...]\Policies\Explorer\Explorer : () -> ACCESS DENIED

[] HKLM\[...]\Policies\Explorer\Explorer : () -> ACCESS DENIED

[] HKCU\[...]\Policies\Explorer\Explorer : () -> ACCESS DENIED

[] HKLM\[...]\SystemRestore : () -> ACCESS DENIED

[] HKLM\[...]\System : () -> ACCESS DENIED

[] HKLM\[...]\System : () -> ACCESS DENIED

[] HKLM\[...]\System : () -> ACCESS DENIED

[] HKLM\[...]\Security Center : () -> ACCESS DENIED

[] HKLM\[...]\Security Center : () -> ACCESS DENIED

[] HKLM\[...]\Security Center : () -> ACCESS DENIED

[] HKLM\[...]\ClassicStartMenu : () -> ACCESS DENIED

[] HKLM\[...]\NewStartPanel : () -> ACCESS DENIED

[] HKLM\[...]\ClassicStartMenu : () -> ACCESS DENIED

[] HKLM\[...]\NewStartPanel : () -> ACCESS DENIED

[] HKLM\[...]\ClassicStartMenu : () -> ACCESS DENIED

[] HKLM\[...]\NewStartPanel : () -> ACCESS DENIED

[] HKLM\[...]\command : () -> ACCESS DENIED

[] HKCR\[...]\command : () -> ACCESS DENIED

[] HKCR\[...].exe : () -> ACCESS DENIED

[] HKLM\[...]\command : () -> ACCESS DENIED

[] HKCR\[...]\command : () -> ACCESS DENIED

[] HKCR\[...]\InprocServer32 : () -> ACCESS DENIED

[] HKLM\[...]\Windows : () -> ACCESS DENIED

[] HKLM\[...]\ShellServiceObjectDelayLoad : () -> ACCESS DENIED

[] HKLM\[...]\SharedTaskScheduler : () -> ACCESS DENIED

[] HKLM\[...]\Browser Helper Objects : () -> ACCESS DENIED

[] HKLM\[...]\Run : () -> ACCESS DENIED

[] HKLM\[...]\services : () -> ACCESS DENIED

[] HKLM\[...]\services : () -> ACCESS DENIED

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

Finished : << RKreport[1].txt >>

RKreport[1].txt

RK-Report (2)

RogueKiller V7.4.4 [05/08/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User: Sami & Mandi [Restricted rights]

Mode: HOSTSFix -- Date: 05/10/2012 09:44:50

¤¤¤ Bad processes: 1 ¤¤¤

[SUSP PATH] arpwrmsg.exe -- C:\WINDOWS\ARPWRMSG.EXE -> KILLED [TermProc]

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

¤¤¤ Resetted HOSTS: ¤¤¤

127.0.0.1 localhost

Finished : << RKreport[2].txt >>

RKreport[1].txt ; RKreport[2].txt

RK-Report (3)

RogueKiller V7.4.4 [05/08/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User: Sami & Mandi [Restricted rights]

Mode: ProxyFix -- Date: 05/10/2012 09:44:59

¤¤¤ Bad processes: 1 ¤¤¤

[SUSP PATH] arpwrmsg.exe -- C:\WINDOWS\ARPWRMSG.EXE -> KILLED [TermProc]

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Registry Entries: 1 ¤¤¤

[] HKLM\[...]\Internet Settings : () -> ACCESS DENIED

Finished : << RKreport[3].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

RK-Report (4)

RogueKiller V7.4.4 [05/08/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User: Sami & Mandi [Restricted rights]

Mode: DNSFix -- Date: 05/10/2012 09:45:08

¤¤¤ Bad processes: 1 ¤¤¤

[SUSP PATH] arpwrmsg.exe -- C:\WINDOWS\ARPWRMSG.EXE -> KILLED [TermProc]

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Registry Entries: 2 ¤¤¤

[] HKLM\[...]\Parameters : () -> ACCESS DENIED

[] HKLM\[...]\Parameters : () -> ACCESS DENIED

Finished : << RKreport[4].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt

RK-Report (5)

RogueKiller V7.4.4 [05/08/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User: Sami & Mandi [Restricted rights]

Mode: Shortcuts HJfix -- Date: 05/10/2012 09:48:07

¤¤¤ Bad processes: 1 ¤¤¤

[SUSP PATH] arpwrmsg.exe -- C:\WINDOWS\ARPWRMSG.EXE -> KILLED [TermProc]

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤

Desktop: Success 0 / Fail 0

Quick launch: Success 0 / Fail 0

Programs: Success 7 / Fail 0

Start menu: Success 0 / Fail 0

User folder: Success 89 / Fail 0

My documents: Success 30 / Fail 0

My favorites: Success 0 / Fail 0

My pictures: Success 0 / Fail 0

My music: Success 0 / Fail 0

My videos: Success 0 / Fail 0

Local drives: Success 457 / Fail 685

Backup: [NOT FOUND]

Drives:

[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored

[D:] \Device\HarddiskVolume2 -- 0x3 --> Restored

[E:] \Device\CdRom0 -- 0x5 --> Skipped

[F:] \Device\Harddisk1\DP(1)0-0+7 -- 0x2 --> Restored

[G:] \Device\Harddisk2\DP(1)0-0+8 -- 0x2 --> Restored

[H:] \Device\Harddisk3\DP(1)0-0+9 -- 0x2 --> Restored

[I:] \Device\Harddisk4\DP(1)0-0+a -- 0x2 --> Restored

¤¤¤ Infection : ¤¤¤

Finished : << RKreport[5].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt

END.

Thanks for your ongoing assistance.

Sweeneyj7th
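The five reports above share one pattern that matters more than any single line in them: the scan ran as "Sami & Mandi [Restricted rights]", every one of the 47 registry locations came back ACCESS DENIED, and the driver shows [NOT LOADED]. A report like that says almost nothing about the autorun keys, because the tool could not read them. As an added example (not RogueKiller's own code, and not part of the original post), the Python below parses the report format shown above and turns those facts into a short list of caveats: restricted rights plus ACCESS DENIED means rerun elevated, a driver that did not load means the checks depending on it were skipped, a [SUSP PATH] hit names a file to verify rather than a confirmed infection, and any HOSTS line beyond the default localhost entry needs explaining. The embedded sample is constructed from RKreport[1] above and trimmed to three registry lines; the second HOSTS line is invented so that rule has something to flag. The section names and line layouts are taken from the reports on this page; the "rerun elevated" heuristic is this editor's, not something the tool prints.

```python
import re
from typing import Dict, List

# Constructed sample modelled on RKreport[1] above, cut down to three registry
# lines. The second HOSTS line is invented (not in the original report) so the
# HOSTS rule has something to flag; real hijacks point vendor update domains at
# loopback in exactly this way.
SAMPLE_REPORT = """\
RogueKiller V7.4.4 [05/08/2012] by Tigzy
Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Sami & Mandi [Restricted rights]
Mode: Scan -- Date: 05/10/2012 09:42:30

¤¤¤ Bad processes: 1 ¤¤¤
[SUSP PATH] arpwrmsg.exe -- C:\\WINDOWS\\ARPWRMSG.EXE -> KILLED [TermProc]

¤¤¤ Registry Entries: 3 ¤¤¤
[] HKLM\\[...]\\Run : () -> ACCESS DENIED
[] HKLM\\[...]\\Winlogon : () -> ACCESS DENIED
[] HKLM\\[...]\\Browser Helper Objects : () -> ACCESS DENIED

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
127.0.0.1 example.com

¤¤¤ MBR Check: ¤¤¤

Finished : << RKreport[1].txt >>
"""

# Line shapes as they appear in the reports above.
SECTION_RE = re.compile(r"^¤¤¤\s*(?P<title>.*?)\s*¤¤¤$")
PROCESS_RE = re.compile(r"^\[(?P<tag>[^\]]+)\]\s+(?P<image>\S+)\s+--\s+(?P<path>.+?)\s+->\s+(?P<action>.+)$")
REGISTRY_RE = re.compile(r"^\[(?P<tag>[^\]]*)\]\s+(?P<key>.+?)\s*:\s*\((?P<value>.*?)\)\s*->\s*(?P<status>.+)$")
HOSTS_RE = re.compile(r"^(?P<ip>[0-9a-fA-F.:]+)\s+(?P<host>\S+)")
LOOPBACK = {"127.0.0.1", "::1"}


def parse_rk_report(text: str) -> Dict:
    """Pull the facts a helper checks first out of one RogueKiller report."""
    report = {
        "restricted_rights": False,
        "driver_loaded": None,  # None means no Driver line was seen at all
        "bad_processes": [],
        "registry": [],
        "hosts": [],
    }
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("User:"):
            report["restricted_rights"] = "[Restricted rights]" in line
            continue
        m = SECTION_RE.match(line)
        if m:
            title = m.group("title")
            if title.startswith("Driver:"):
                report["driver_loaded"] = "[NOT LOADED]" not in title
                section = None
            else:
                section = title.split(":", 1)[0].strip().lower()
            continue
        if section == "bad processes":
            m = PROCESS_RE.match(line)
            if m:
                report["bad_processes"].append(m.groupdict())
        elif section == "registry entries":
            m = REGISTRY_RE.match(line)
            if m:
                report["registry"].append(m.groupdict())
        elif section == "hosts file":
            m = HOSTS_RE.match(line)
            if m:
                report["hosts"].append((m.group("ip"), m.group("host")))
    return report


def assess(report: Dict) -> List[str]:
    """Editor's heuristics: what in this report cannot yet be trusted or needs a follow-up."""
    issues = []
    denied = [r for r in report["registry"] if r["status"].strip() == "ACCESS DENIED"]
    if report["restricted_rights"] and denied:
        issues.append(f"{len(denied)} registry locations were unreadable under a restricted account; "
                      "rerun the scan from an administrator account before trusting the result")
    if report["driver_loaded"] is False:
        issues.append("the tool's driver did not load, so checks that depend on it were skipped")
    for ip, host in report["hosts"]:
        if not (ip in LOOPBACK and host.lower() == "localhost"):
            issues.append(f"HOSTS maps {host} to {ip}; anything beyond the default localhost line needs explaining")
    for p in report["bad_processes"]:
        issues.append(f"process {p['image']} at {p['path']} was flagged {p['tag']} and {p['action']}; "
                      "compare the file with the vendor copy before treating it as malicious")
    return issues


if __name__ == "__main__":
    for issue in assess(parse_rk_report(SAMPLE_REPORT)):
        print("-", issue)
```

Run it on a saved RKreport[n].txt by reading the file into `parse_rk_report` instead of the sample; the section parser ignores sections it does not know (MBR Check, Resetted HOSTS, Infection), so the fix-mode reports (2) to (5) above parse with the same code.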


We can access the Internet once more and download games, using my kids' guest account.

We have established contact between both computers on my network. We allow this only for a short while, then disconnect.

The biggest annoyance is not being allowed to type in one's password as an administrator. Keyboard is disabled, but mouse now works on start up.

Thanks,

Sweeneyj7th.


Please download and run ComboFix.

The most important things to remember when running it are to disable all your anti-malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:

If you get the message "Illegal operation attempted on registry key that has been marked for deletion." after you run ComboFix, please reboot the computer; this should resolve the problem. You may have to do this several times if needed.

MrC


ComboFix is now sitting on the desktop of the disabled PC. Hit the Run button and it says "You have to be an Administrator to run ComboFix."

Conundrum: Keyboard is disabled. Cannot type in my password as Admin. Can only log on with the guest account.

Prior to RogueKiller the mouse was seriously compromised too. But works now.

Still optimistic there is a way around this; I just don't have the smarts.

Sweeneyj7th


Problem solved, MrC.

Not by rKill, but by RogueKiller. Following RogueKiller yesterday, my mouse was no longer disabled. Why not the keyboard as well? I just guessed there might be a parallel, coincident problem that had developed in the keyboard, so I tested that hypothesis by changing the keyboard and, presto, the PC is alive again. Your patience and step-by-step guidance have been really appreciated. Kudos to you guys till I hear back from you.

Sweeneyj7th.


Please pardon the delay in getting back to you.

ComboFix Report:

ComboFix 12-05-14.03 - HP_Administrator 14/05/2012 22:54:48.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.231 [GMT -4:00]

Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

c:\documents and settings\Administrator\WINDOWS

c:\documents and settings\All Users\Application Data\TEMP

c:\documents and settings\Default User\WINDOWS

c:\documents and settings\HP_Administrator\WINDOWS

c:\documents and settings\Lloyd\WINDOWS

c:\program files\Shared

c:\windows\system32\Cache

c:\windows\system32\Cache\2427c6dc6645c683.fb

c:\windows\system32\Cache\272512937d9e61a4.fb

c:\windows\system32\Cache\287204568329e189.fb

c:\windows\system32\Cache\28bc8f716fd76a47.fb

c:\windows\system32\Cache\2c53092c95605355.fb

c:\windows\system32\Cache\3917078cb68ec657.fb

c:\windows\system32\Cache\590ba23ce359fd0c.fb

c:\windows\system32\Cache\610289e025a3ee9a.fb

c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb

c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb

c:\windows\system32\Cache\a8556537add6dfc5.fb

c:\windows\system32\Cache\ad10a52aff5e038d.fb

c:\windows\system32\Cache\ad5b42f39240a6d2.fb

c:\windows\system32\Cache\c4d28dca2e7648be.fb

c:\windows\system32\Cache\d201ef9910cd39de.fb

c:\windows\system32\Cache\d2e94710a5708128.fb

c:\windows\system32\Cache\d79b9dfe81484ec4.fb

c:\windows\system32\Cache\e0de16f883bea794.fb

c:\windows\system32\config\systemprofile\WINDOWS

c:\windows\system32\ps2.bat

c:\windows\system32\SET131.tmp

c:\windows\system32\SET13D.tmp

c:\windows\system32\SET14A.tmp

c:\windows\system32\SET199.tmp

c:\windows\system32\SET19E.tmp

c:\windows\system32\SETE0.tmp

c:\windows\system32\SETE1.tmp

D:\Autorun.inf

.

.

((((((((((((((((((((((((( Files Created from 2012-04-15 to 2012-05-15 )))))))))))))))))))))))))))))))

.

.

2012-05-15 02:40 . 2012-05-15 02:40 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\AVG LiveKive

2012-05-15 02:40 . 2012-05-15 02:40 -------- d-----w- c:\program files\AVG LiveKive

2012-05-13 12:27 . 2012-05-13 12:27 8072272 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\BingBar\BBSvc\7.1.382.0oemBingBarSetup-Partner.EXE

2012-05-12 10:15 . 2012-05-12 10:15 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-05-11 18:19 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll

2012-05-11 18:19 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll

2012-05-11 18:19 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2012-05-11 18:19 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys

2012-05-10 14:13 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll

2012-05-10 14:13 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\dllcache\iacenc.dll

2012-05-10 13:42 . 2012-05-10 15:00 14080 ----a-w- c:\windows\system32\drivers\TrueSight.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-05-12 10:15 . 2011-05-17 18:47 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-04-11 13:14 . 2004-08-10 11:00 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-04-11 13:12 . 2004-08-10 04:00 1862272 ----a-w- c:\windows\system32\win32k.sys

2012-04-11 12:35 . 2004-08-10 11:00 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-04-04 19:56 . 2010-03-06 05:39 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-03-01 11:01 . 2004-08-10 04:00 916992 ----a-w- c:\windows\system32\wininet.dll

2012-03-01 11:01 . 2004-08-10 04:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-03-01 11:01 . 2004-08-10 04:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-02-29 14:10 . 2004-08-10 11:00 148480 ----a-w- c:\windows\system32\imagehlp.dll

2012-02-29 14:10 . 2004-08-10 04:00 177664 ----a-w- c:\windows\system32\wintrust.dll

2012-02-29 12:17 . 2004-08-10 04:00 385024 ----a-w- c:\windows\system32\html.iec

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn1\yt.dll" [2012-01-12 1517368]

.

[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]

[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]

[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]

[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]

2012-05-11 14:25 1869152 ----a-w- c:\program files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll" [2012-05-11 1869152]

.

[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]

[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]

[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]

"RTHDCPL"="RTHDCPL.EXE" [2006-01-23 15969280]

"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]

"DISCover"="c:\program files\DISC\DISCover.exe" [2005-11-11 1064960]

"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-11-11 61440]

"DMAScheduler"="c:\program files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe" [2005-11-01 90112]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-10 249856]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]

"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-04 61440]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2009-09-15 479232]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]

"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]

"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALuNotify.exe" [2010-03-04 66952]

"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]

"YMailAdvisor"="c:\program files\Yahoo!\Common\YMailAdvisor.exe" [2009-05-08 174424]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-11-01 273528]

"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-05-11 982880]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]

.

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

.

c:\documents and settings\Default User\Start Menu\Programs\Startup\

Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-2-12 27136]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\DISC\\DISCover.exe"=

"c:\\Program Files\\DISC\\DiscStreamHub.exe"=

"c:\\Program Files\\DISC\\myFTP.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Documents and Settings\\HP_Administrator\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=

"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=

"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=

"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=

"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=

"c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe"= c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe:LocalSubNet,0.0.0.0/255.255.255.255:Enabled:Pure Networks Platform Service

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [13/09/2010 4:27 PM 23120]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [07/09/2010 3:48 AM 32592]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [07/09/2010 3:48 AM 230608]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [07/09/2010 3:49 AM 295248]

R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [12/10/2011 6:25 AM 4433248]

R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [02/08/2011 6:09 AM 192776]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [06/03/2010 1:39 AM 654408]

R2 vToolbarUpdater10.2.0;vToolbarUpdater10.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe [11/05/2012 10:25 AM 918880]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [19/08/2010 9:42 PM 134608]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [19/08/2010 9:42 PM 24272]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [19/08/2010 9:42 PM 16720]

R3 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\7.1.382.0\SeaPort.EXE [16/04/2012 5:49 PM 240208]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [06/03/2010 1:39 AM 22344]

S2 BBSvc;BingBar Service;c:\program files\Microsoft\BingBar\7.1.382.0\BBSvc.EXE [16/04/2012 5:49 PM 193616]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [12/05/2012 6:16 AM 257696]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [11/04/2011 10:26 AM 1025352]

.

Contents of the 'Scheduled Tasks' folder

.

2012-05-15 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-12 10:16]

.

2011-12-04 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

.

2012-05-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3647030426-3136926754-3856547561-1008.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 17:40]

.

2012-05-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3647030426-3136926754-3856547561-1010.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 17:40]

.

2012-05-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3647030426-3136926754-3856547561-1012.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 17:40]

.

2012-05-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3647030426-3136926754-3856547561-1008.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 17:40]

.

2011-12-10 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3647030426-3136926754-3856547561-1010.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 17:40]

.

2012-05-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3647030426-3136926754-3856547561-1012.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 17:40]

.

2012-05-15 c:\windows\Tasks\User_Feed_Synchronization-{14492628-A2DC-4C86-AA41-7E4CA304E837}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]

.

.

------- Supplementary Scan -------

.

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q106&bd=pavilion&pf=desktop

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=pavilion&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q106&bd=pavilion&pf=desktop

uInternet Connection Wizard,ShellNext = iexplore

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

Trusted Zone: mbamupdates.com\data-cdn

Trusted Zone: msn.com\www.msnbc

Trusted Zone: trymedia.com

TCP: DhcpNameServer = 192.168.1.1 192.168.0.1

Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\10.2.0\ViProtocol.dll

.

- - - - ORPHANS REMOVED - - - -

.

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)

HKLM-Run-PCDrProfiler - (no file)

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-05-14 23:12

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\]*‘|€_t]

"DisplayName"="?"

"DeviceDesc"="?"

"ProviderName"=""

"MFG"="????ª"

"ReinstallString"="c:\\WINDOWS\\System32\\ReinstallBackups\\]???\\DriverFiles\\.INF"

"DeviceInstanceIds"=multi:"\0c\00"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(988)

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'explorer.exe'(4264)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\hnetcfg.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2012-05-14 23:19:14

ComboFix-quarantined-files.txt 2012-05-15 03:19

.

Pre-Run: 46,121,172,992 bytes free

Post-Run: 46,101,991,424 bytes free

.

- - End Of File - - 49CB49FBF9FF05B43CB53C8D2A978223

Sweeneyj7th.
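Two things in the "Reg Loading Points" section above are worth a second look even though the catchme scan found nothing hidden. The Run key carries two values with no directory at all, "ARPWRMSG.EXE" and "RTHDCPL.EXE", which means the log by itself does not say which file actually starts; Windows resolves a bare name through its search order, and the RogueKiller report earlier in the thread is what shows arpwrmsg.exe resolving to C:\WINDOWS\ARPWRMSG.EXE (the reason it was tagged [SUSP PATH]). The firewall exception list also authorizes an executable under "Application Data\Macromedia\...\octoshape", a user-writable location. As an added example (this editor's code, not ComboFix's), the Python below parses the `[key]` / `"name"="path" [date size]` layout ComboFix uses and applies three triage rules: a bare file name, a path inside a user profile or temp directory, and a Windows system-binary name running from outside c:\windows. The sample embedded in the script is constructed from the Run key section above; the last "Updater" line is invented so the second and third rules fire, and the rules themselves are the editor's heuristics, not something ComboFix reports.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the HKLM\...\Run section of the ComboFix log
# above. The final "Updater" line is invented (it is not in the log) so that the
# user-writable-path and system-name rules have something to flag.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"RTHDCPL"="RTHDCPL.EXE" [2006-01-23 15969280]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"Updater"="c:\documents and settings\HP_Administrator\Application Data\upd\svchost.exe" [2012-05-01 12345]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"'
    r"(?:\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\])?"
)

# Editor's heuristics, not ComboFix output.
PROFILE_MARKERS = ("\\documents and settings\\", "\\users\\", "\\temp\\")
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "smss.exe",
                "services.exe", "winlogon.exe", "explorer.exe"}


@dataclass
class AutorunEntry:
    key: str
    name: str
    path: str
    date: Optional[str]
    size: Optional[int]


@dataclass
class Finding:
    entry: AutorunEntry
    reasons: List[str]


def parse_loading_points(text: str) -> List[AutorunEntry]:
    """Parse ComboFix's '[key]' headers and '"name"="path" [date size]' value lines."""
    entries: List[AutorunEntry] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":  # ComboFix pads sections with lone dots
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = ENTRY_RE.match(line)
        if m and key is not None:
            size = int(m.group("size")) if m.group("size") else None
            entries.append(AutorunEntry(key, m.group("name"), m.group("path"), m.group("date"), size))
    return entries


def triage(entries: List[AutorunEntry]) -> List[Finding]:
    """Flag autorun values whose location cannot be trusted from the log alone."""
    findings: List[Finding] = []
    for e in entries:
        p = e.path.lower()
        reasons: List[str] = []
        if "\\" not in p:
            reasons.append("bare file name: the loader resolves it through the search order, "
                           "so the log alone does not tell you which file actually runs")
        if any(marker in p for marker in PROFILE_MARKERS):
            reasons.append("runs from a user-writable profile or temp directory")
        base = p.rsplit("\\", 1)[-1]
        if base in SYSTEM_NAMES and not p.startswith("c:\\windows\\"):
            reasons.append(f"{base} is a Windows system binary name, but this path is outside c:\\windows")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(parse_loading_points(SAMPLE_LOG)):
        print(f"{f.entry.name!r} -> {f.entry.path}")
        for r in f.reasons:
            print("   ", r)
```

A hit from the first rule is a question, not a verdict: the next step is to locate the file the loader would pick (here the RogueKiller report already did that for ARPWRMSG.EXE) and compare it against the vendor's copy, which is the same check a helper applies to every [SUSP PATH] line.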


OK, if everything is OK... a little cleanup to do:

Please Uninstall ComboFix:

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions and system/hidden files again, clear the System Restore cache and create a new restore point.

---------------------------------

Any other programs or logs you can manually delete.

-----------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

