
rootkit.TDSS infection, need help removing


Kolchak


Hello. I have a rootkit.TDSS infection I cannot remove (MalwareBytes removes it, but it comes back). I tried a couple of rootkit removal programs, but they failed to find any rootkits on my computer. Below are the MBAM and HijackThis logs.

My AVG anti-virus program also finds "Virus identified Packed.Monder"; "Infected". Maybe this is the same thing.

Thank You!!

Malwarebytes' Anti-Malware 1.41

Database version: 2850

Windows 5.1.2600 Service Pack 3

9/23/2009 11:02:55 AM

mbam-log-2009-09-23 (11-02-55).txt

Scan type: Quick Scan

Objects scanned: 113222

Time elapsed: 12 minute(s), 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

\\?\globalroot\Device\Ide\iaStor0\qvcxtitu\qvcxtitu\tdlwsp.dll (Rootkit.TDSS) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

\\?\globalroot\Device\Ide\iaStor0\qvcxtitu\qvcxtitu\tdlwsp.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:47:17 AM, on 9/23/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

c:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\Program Files\Spyware Terminator\sp_rsser.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\PhotoWise\quicklnk.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\HP\KBD\KBD.EXE

c:\windows\system\hpsysdrv.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\YouTube Downloader\MoyeaCth.dll

O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [spywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"

O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe

O4 - S-1-5-18 Startup: PhotoWise QuickLink.lnk = C:\Program Files\PhotoWise\quicklnk.exe (User 'SYSTEM')

O4 - .DEFAULT Startup: PhotoWise QuickLink.lnk = C:\Program Files\PhotoWise\quicklnk.exe (User 'Default user')

O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')

O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')

O4 - Startup: PhotoWise QuickLink.lnk = C:\Program Files\PhotoWise\quicklnk.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: *.antimalwareguard.com

O15 - Trusted Zone: *.antimalwareguard.com (HKLM)

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe

O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--

End of file - 11132 bytes


Welcome to the forum Kolchak

Have you posted for help at any other forums?

Are you familiar with Sysinternals Process Explorer?

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

I would like to know if using it to do a DLL search for tdlwsp.dll, tdlcmd.dll or qvcxtitu shows results.

If you right-click on the handle/DLL, do you see an unload option?

And do the properties of the DLLs show a true path, or just, for example (globalroot\Device\Ide\IdePort1\jgnbdwpt\jgnbdwpt\tdlwsp.dll/globalroot\Device\Ide\IdePort1\jgnbdwpt\jgnbdwpt\tdlwsp.dll)?

If you need more precise instructions I will provide them.


Lonny. Hello, thank you for your reply.

No, I have not posted in any other forums.

I ran the Sysinternals Process Explorer. It only found "tdlwsp.dll". In the bottom half of the Process Explorer screen it only shows the name of that file; if I click on Properties it says:

"\\?\globalroot\Device\Ide\iaStor0\tqxxtadc\tqxxtadc\tdlwsp.dll

If I use the 'Process Explorer Search' box function, it finds 3 entries for tdlwsp.dll (I can't copy and paste them, however).

Right clicking on it (or any others), does not show a unload option.

Also, I have had no sound on my computer for the last couple of days!



Thanks

Visit the webpage below for instructions for downloading and running ComboFix:

But prior to running, please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it.

A right-click disable is not enough; they need to be thoroughly disabled.

Please visit HERE if you don't know how. http://www.bleepingcomputer.com/forums/topic114351.html

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post ComboFix's log, which will open automatically when complete; if not, it is located here: C:\combofix.txt

Note: If Windows auto-update comes up, cancel it for now.

For others looking for a solution, please do not try my advice to this user, post for help yourself.


Lonny. Hello again. I tried running ComboFix and it said it found 'Norton Internet Security 2006' to be active. My computer came with a Norton suite, but I don't think I ever 'used it'.

It's not running as far as I can tell. What should I do?

---------------------------------------------

After that

Download MBR.exe from http://www.gmer.net/#files

Place it on your desktop but run it in this fashion: go Start > Run and type in

"%userprofile%\desktop\mbr.exe" -t

press Enter and post the mbr.log that will be next to the mbr.exe tool.


Lonny. Hello. I deleted Norton program suite. I ran Combofix, and have pasted the log below.

I could not run GMER the way you specified (not sure of my administrator login, or if I have one). I ran it 'default'. It had 'errors' when it finished, and seems it did not save a log file. It only found one 'red line' error, and I saved that as a jpeg screen shot for you to view (see attachment).

Hopefully, this will be enough information for you. If not, let me know what to do next.

ComboFix 09-09-22.01 - HP_Administrator 09/25/2009 19:29.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.563 [GMT -4:00]

Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\recycler\S-1-5-21-527237240-179605362-725345543-500

c:\windows\Installer\838d65.msi

c:\windows\kb913800.exe

c:\windows\system32\geyekriyqkeppf.dat

c:\windows\system32\geyekrkniaqlqn.dat

c:\windows\winhelp.ini

D:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_geyekrrvimpsxm

-------\Legacy_TDSSSERV.SYS

-------\Service_geyekrrvimpsxm

((((((((((((((((((((((((( Files Created from 2009-08-26 to 2009-09-26 )))))))))))))))))))))))))))))))

.

2009-09-24 14:37 . 2009-09-24 14:37 1615732 ----a-w- c:\program files\ProcessExplorer.zip

2009-09-23 14:46 . 2009-09-23 14:46 -------- d-----w- c:\program files\Trend Micro

2009-09-22 15:46 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys

2009-09-17 14:59 . 2009-09-17 14:59 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-09-17 14:16 . 2009-09-22 02:03 -------- d-----w- C:\$AVG8.VAULT$

2009-09-17 14:16 . 2009-09-17 14:16 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-09-15 14:57 . 2009-09-15 14:57 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys

2009-09-15 14:57 . 2009-09-22 14:06 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Spyware Terminator

2009-09-15 14:57 . 2009-09-25 16:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator

2009-09-15 14:57 . 2009-09-22 15:19 -------- d-----w- c:\program files\Spyware Terminator

2009-09-15 13:58 . 2009-09-15 13:58 -------- d-----w- c:\program files\CCleaner

2009-09-12 18:49 . 2002-12-11 20:13 44032 ----a-w- c:\windows\unwash.exe

2009-09-09 15:07 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

2009-09-06 16:07 . 2009-09-06 16:07 -------- d-----w- c:\program files\Carambis

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-25 17:16 . 2006-10-12 09:03 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-09-25 16:57 . 2007-03-06 21:23 25472 ----a-w- c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat

2009-09-23 20:23 . 2007-06-26 14:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-20 20:22 . 2006-10-12 08:22 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-09-15 17:05 . 2008-04-23 21:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-15 15:54 . 2006-10-12 08:32 -------- d-----w- c:\program files\music_now

2009-09-12 18:49 . 2007-07-01 14:52 -------- d-----w- c:\program files\Washer

2009-09-10 18:54 . 2008-08-19 23:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 18:53 . 2008-06-04 19:06 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-06 17:37 . 2009-09-06 17:37 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf

2009-09-06 17:37 . 2009-09-06 17:37 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2009-08-25 13:34 . 2008-05-28 15:37 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-25 13:34 . 2008-05-28 15:37 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-25 13:34 . 2008-05-28 15:36 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-15 22:36 . 2009-08-15 22:36 -------- d-----w- c:\program files\MSBuild

2009-08-15 22:36 . 2009-08-15 22:36 -------- d-----w- c:\program files\Reference Assemblies

2009-08-12 20:26 . 2008-06-09 22:57 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Apple Computer

2009-08-05 20:51 . 2007-06-26 14:28 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-08-05 09:01 . 2004-08-09 21:00 204800 ------w- c:\windows\system32\mswebdvd.dll

2009-07-17 19:01 . 2004-08-09 21:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 03:43 . 2004-08-09 21:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-03 17:09 . 2004-08-09 21:00 915456 ----a-w- c:\windows\system32\wininet.dll

2007-07-06 20:38 . 2007-07-06 20:38 599 ----a-w- c:\program files\Microsoft PowerPoint.lnk

2007-07-06 20:38 . 2007-07-06 20:38 587 ----a-w- c:\program files\Microsoft Office Shortcut Bar.lnk

2007-07-06 20:38 . 2007-07-06 20:38 548 ----a-w- c:\program files\Getting Results Book.lnk

2007-07-06 20:38 . 2007-07-06 20:38 599 ----a-w- c:\program files\Microsoft Schedule+.lnk

2007-07-06 20:38 . 2007-07-06 20:38 561 ----a-w- c:\program files\Microsoft Excel.lnk

2007-07-06 20:38 . 2007-07-06 20:38 587 ----a-w- c:\program files\Microsoft Access.lnk

2007-07-06 20:38 . 2007-07-06 20:38 580 ----a-w- c:\program files\MS Access Workgroup Administrator.lnk

2007-07-06 20:38 . 2007-07-06 20:38 667 ----a-w- c:\program files\Setup.lnk

2007-07-06 20:38 . 2007-07-06 20:38 585 ----a-w- c:\program files\Microsoft Word.lnk

2007-07-06 20:38 . 2007-07-06 20:38 575 ----a-w- c:\program files\Microsoft Binder.lnk

2001-12-03 21:09 . 2009-06-07 13:46 90112 ----a-w- c:\program files\internet explorer\plugins\DjVuControl.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

"SpywareTerminatorUpdate"="c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe" [2009-09-15 3055616]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

"washindex"="c:\program files\Washer\washidx.exe" [2002-08-15 33792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-02-21 143360]

"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]

"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-25 2007832]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-07-10 195072]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"ftutil2"="ftutil2.dll" - c:\windows\system32\ftutil2.dll [2004-06-07 106496]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-06-13 16239616]

c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\

PhotoWise QuickLink.lnk - c:\program files\PhotoWise\quicklnk.exe [2007-3-6 59904]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\

PhotoWise QuickLink.lnk - c:\program files\PhotoWise\quicklnk.exe [2007-3-6 59904]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-25 13:34 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/28/2008 11:37 AM 335240]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/28/2008 11:37 AM 108552]

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [9/15/2009 10:57 AM 142592]

S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/4/2008 9:23 AM 908056]

S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/4/2008 9:23 AM 297752]

S3 PsSdk31;PsSdk31;c:\windows\system32\drivers\pssdk31.drv [7/15/2008 6:16 PM 30272]

S3 PsSdkLBF;PsSdkLBF;c:\windows\system32\drivers\pssdklbf.drv [7/15/2008 6:16 PM 37440]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.ebay.com/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop

uInternet Settings,ProxyOverride = *.local

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{D0523BB4-21E7-11DD-9AB7-415B56D89593} - (no file)

HKLM-Run-PCDrProfiler - (no file)

Notify-WgaLogon - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-26 07:55

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PsSdk31]

"ImagePath"="\??\c:\windows\system32\Drivers\pssdk31.drv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PsSdkLBF]

"ImagePath"="\??\c:\windows\system32\Drivers\pssdklbf.drv"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(604)

c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(664)

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3272)

c:\windows\system32\WININET.dll

tdlwsp.dll 10000000 36864 \\?\globalroot\Device\Ide\iaStor0\sviwwxbj\sviwwxbj\tdlwsp.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\AVG\AVG8\avgrsx.exe

c:\windows\system32\ZoneLabs\vsmon.exe

c:\program files\Lavasoft\Ad-Aware\aawservice.exe

c:\windows\system32\wscntfy.exe

c:\windows\ehome\ehmsas.exe

c:\windows\ehome\ehSched.exe

c:\windows\system32\dllhost.exe

.

**************************************************************************

.

Completion time: 2009-09-26 8:09 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-26 12:09

Pre-Run: 201,787,494,400 bytes free

Post-Run: 201,641,480,192 bytes free

205 --- E O F --- 2009-09-22 23:09



Keep that PC offline except to visit here, please.

Create this batch file.

Copy the contents of the code box below (don't include the word code) into a new Notepad document (not WordPad or another text editor).

Click File > Save As... > call it check.bat > file type *All Files* > and save it to your desktop.

For /F "TOKENS=*" %%g IN ('dir %systemdrive%\*.exe;%systemdrive%\*.dll /A/B/S ^|findstr /V /I "dllcache ServicePackFiles Framework NtUninstallKB $NtServicePackUninstall$" '
) Do @(
Findstr -mi "tdlwsp sviwwxbj tdlcmd OPHELIA sicklied" "%%g">> look.txt
)2>nul

start notepad look.txt

Close any messenger programs and browsers.

Open Task Manager and end explorer.exe (press Ctrl, Alt and Del at the same time).

Now run that batch file, then post the text that will open, please.

It will take a while to run; be patient.

Once it's done, start Explorer: in Task Manager go to New Task, type explorer and click OK.

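The hidden tdlwsp.dll path and the check.bat string search, as an added example that is not code from the forum, from Malwarebytes or from any tool named in this thread: a Python triage pass over log lines in the MBAM, HijackThis and ComboFix formats posted above. It flags modules reported via \\?\globalroot device paths, the services ComboFix removed, and the name fragments check.bat greps for, then shows that the random directory pair changes between logs while the file name does not. The sample log lines are constructed.

```python
"""Triage of the TDSS/TDL3 indicators seen in the MBAM, HijackThis and ComboFix
logs in this thread. Added example; not a tool from the forum, Malwarebytes or
any of the utilities named above. The sample log lines are constructed to mirror
the format of the posted logs."""
import re
from typing import Dict, Iterable, List, NamedTuple, Set


class Finding(NamedTuple):
    line_no: int
    kind: str    # "device-path-load" | "removed-service" | "name-indicator"
    name: str    # file or service name, or the indicator string that matched
    where: str   # random directory pair for device-path loads, else ""


# A module reported under \\?\globalroot\Device\<bus>\<device>\<r1>\<r2>\ rather
# than a drive letter: the file is hidden from the normal file system, which is
# why a delete-on-reboot never sticks and why a plain disk search finds nothing.
GLOBALROOT_RE = re.compile(
    r"(?:\\\\\?\\)?globalroot\\Device\\(?P<bus>[^\\\s]+)\\(?P<dev>[^\\\s]+)\\"
    r"(?P<dir1>[^\\\s]+)\\(?P<dir2>[^\\\s]+)\\(?P<file>[^\\\s]+\.(?:dll|sys))",
    re.IGNORECASE,
)

# ComboFix "Drivers/Services" section: -------\Legacy_<name> or -------\Service_<name>
REMOVED_SERVICE_RE = re.compile(r"^-+\\(?:Legacy|Service)_(?P<name>\S+)", re.IGNORECASE)

# Name fragments taken from the thread: the check.bat search terms and the
# service ComboFix removed (Legacy_TDSSSERV.SYS).
NAME_INDICATORS = ("tdlwsp", "tdlcmd", "tdss")


def find_indicators(lines: Iterable[str]) -> List[Finding]:
    """One Finding per suspicious line, in log order; clean lines produce nothing."""
    findings: List[Finding] = []
    for no, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line:
            continue
        m = GLOBALROOT_RE.search(line)
        if m:
            findings.append(Finding(no, "device-path-load", m["file"].lower(),
                                    f"{m['dir1']}\\{m['dir2']}".lower()))
            continue
        m = REMOVED_SERVICE_RE.match(line)
        if m:
            findings.append(Finding(no, "removed-service", m["name"], ""))
            continue
        low = line.lower()
        hit = next((n for n in NAME_INDICATORS if n in low), None)
        if hit:
            findings.append(Finding(no, "name-indicator", hit, ""))
    return findings


def path_drift(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Map each device-namespace file to every random directory pair it was seen
    under. Several pairs for one file (as with tdlwsp.dll across the three logs)
    means the directory is regenerated, so only the file name is a stable indicator."""
    drift: Dict[str, Set[str]] = {}
    for f in findings:
        if f.kind == "device-path-load":
            drift.setdefault(f.name, set()).add(f.where)
    return drift


# Constructed sample: lines in the MBAM, HijackThis and ComboFix formats, using the
# three directory names (qvcxtitu, tqxxtadc, sviwwxbj) that appear in this thread.
SAMPLE_LOG = r"""Memory Modules Infected:
\\?\globalroot\Device\Ide\iaStor0\qvcxtitu\qvcxtitu\tdlwsp.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\svchost.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
-------\Legacy_TDSSSERV.SYS
-------\Service_geyekrrvimpsxm
tdlwsp.dll 10000000 36864 \\?\globalroot\Device\Ide\iaStor0\sviwwxbj\sviwwxbj\tdlwsp.dll
\\?\globalroot\Device\Ide\iaStor0\tqxxtadc\tqxxtadc\tdlwsp.dll
C:\WINDOWS\system32\tdlcmd.dll
c:\windows\system32\WININET.dll
""".splitlines()


if __name__ == "__main__":
    hits = find_indicators(SAMPLE_LOG)
    for h in hits:
        print(f"line {h.line_no:>3}  {h.kind:<17} {h.name}  {h.where}")
    for name, dirs in path_drift(hits).items():
        print(f"{name}: seen under {len(dirs)} different directories -> {sorted(dirs)}")
```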

Lonny. Hello. When you say 'run that batch file', how do I do that? The screen is blank (all blue) after closing explorer. Approximately how long will it take to run?

I forgot to mention, but there is ALWAYS internet traffic on this computer; I can tell by the modem activity light and the ZoneLabs activity icon. Has the system been hijacked? I can turn off Internet activity through ZoneAlarm, but need to use the computer quite a bit every day. Should I change passwords?


Link to post
Share on other sites

My fault, I didn't include this part.

If you made check.bat on the desktop, in Task Manager go File > New Task >

"%userprofile%\desktop\check.bat"

(Or just double click it to run, then in Task Manager end explorer.)

On my PC it took 7 minutes; since yours is infected it could take 30.

Yes, use ZA to turn off Internet activity when you're not here; don't worry just now about passwords etc.


Hello. Before I got your last reply, I ran the check.bat file in Task Manager, similar to the way you said. It created a look.txt file, but it was empty. I deleted the look.txt file, then re-ran it again with your instructions. I let it run over an hour, and think it was finished. It created another look.txt file, but it was also empty. I turned off Yahoo Messenger and closed the explorer file; should I have closed other programs too?


I'd like to see a different kind of log (meanwhile, patience please).

Download and run SysInspector

http://www.eset.com/download/sysinspector.php

Once it opens go File (top right) > Generate > Suitable for sending.

When it's finished go File > Save log.

It will save a compressed file (zip); attach that please.

If by chance it is too large to attach, submit it here

http://www.bleepingcomputer.com/submit-malware.php


Lonny, hi. Here is the sysinspector log.

SysInspector_HP_A1620N_090929_1132.zip


Copy the contents of the code box below (don't include the word "code") into a new Notepad document (not WordPad or another text editor).

Click File > Save As... > call it check.bat > file type *All Files* > and save it to your desktop.

@echo off
rem List the kernel drivers in the "SCSI Miniport" load-order group (the disk controller drivers) and their state.
sc query type= driver group= "SCSI Miniport" >> report.txt
rem Find every copy of iastor.sys under the Windows folder and record its full path, size in bytes and timestamp.
for /F "tokens=*" %%g in ('dir /s /a-d /b %windir%\iastor.sys') do echo "%%~g" %%~zg %%~tg >> report.txt 2>nul
start notepad report.txt & exit

A text file should open; post it please.


OK, here you go.

SERVICE_NAME: atapi

DISPLAY_NAME: Standard IDE/ESDI Hard Disk Controller

TYPE : 1 KERNEL_DRIVER

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: iaStor

DISPLAY_NAME: Intel RAID Controller

TYPE : 1 KERNEL_DRIVER

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

"C:\WINDOWS\system32\drivers\iaStor.sys" 250368 02/21/2006 12:44 PM

"C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\iaStor.sys" 250368 02/21/2006 12:44 PM

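As an added example that is not part of the thread or of any tool it mentions, this Python script parses the report.txt format produced by the batch file above (sc query output followed by one quoted path, size and timestamp per driver copy), lists which miniport drivers are running, and pairs each running driver's live file under \drivers\ with backup copies whose size and timestamp agree. That backup-to-live pairing is the line the "files to move" step used with The Avenger later in the thread needs. The embedded sample report is constructed from the one Kolchak posted; the function names and the assumption that the loaded copy lives under \drivers\ are mine. One caveat a practitioner should keep in mind: a kernel rootkit that filters disk reads can make the live file read back identical to the backup even though the loaded driver is patched, so agreement here only identifies a plausible replacement source, it does not prove the file on disk is clean.

```python
"""Parse the report.txt written by the sc query / dir batch file and pick a
replacement source for each running miniport driver. Added example; the
format is inferred from the report posted in this thread."""
import re
import sys
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample, copied from the report posted above.
SAMPLE_REPORT = """\
SERVICE_NAME: atapi
DISPLAY_NAME: Standard IDE/ESDI Hard Disk Controller
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: iaStor
DISPLAY_NAME: Intel RAID Controller
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"C:\\WINDOWS\\system32\\drivers\\iaStor.sys" 250368 02/21/2006 12:44 PM
"C:\\WINDOWS\\system32\\ReinstallBackups\\0009\\DriverFiles\\iaStor.sys" 250368 02/21/2006 12:44 PM
"""


@dataclass
class DriverService:
    name: str
    display_name: str = ""
    state: str = ""


@dataclass
class DriverFile:
    path: str
    size: int
    timestamp: str


# One line per copy, as written by: echo "%%~g" %%~zg %%~tg
FILE_LINE = re.compile(r'^"(?P<path>[^"]+)"\s+(?P<size>\d+)\s+(?P<ts>\S.*?)\s*$')


def parse_report(text: str) -> Tuple[List[DriverService], List[DriverFile]]:
    """Split report.txt into sc query service records and dir file records."""
    services: List[DriverService] = []
    files: List[DriverFile] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_LINE.match(line)
        if m:
            files.append(DriverFile(m["path"], int(m["size"]), m["ts"]))
        elif line.startswith("SERVICE_NAME:"):
            current = DriverService(line.split(":", 1)[1].strip())
            services.append(current)
        elif current is not None and line.startswith("DISPLAY_NAME:"):
            current.display_name = line.split(":", 1)[1].strip()
        elif current is not None and line.startswith("STATE"):
            # "STATE : 4  RUNNING" -> keep the word after the numeric code
            current.state = line.split(":", 1)[1].split()[-1]
    return services, files


def replacement_candidates(services, files) -> List[Tuple[str, str]]:
    """Pair each running driver's live file (assumed to sit under \\drivers\\)
    with backup copies whose size and timestamp match.
    Returns (backup, live) pairs, the order Avenger's 'files to move' line uses."""
    running = {s.name.lower() for s in services if s.state == "RUNNING"}
    live, backups = {}, {}
    for f in files:
        base = f.path.rsplit("\\", 1)[-1].lower()
        stem = base[:-4] if base.endswith(".sys") else base
        if stem not in running:
            continue
        if "\\drivers\\" in f.path.lower():
            live[stem] = f
        else:
            backups.setdefault(stem, []).append(f)
    pairs = []
    for stem, live_file in live.items():
        for b in backups.get(stem, []):
            if b.size == live_file.size and b.timestamp == live_file.timestamp:
                pairs.append((b.path, live_file.path))
    return pairs


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    svcs, fls = parse_report(text)
    for s in svcs:
        print(f"{s.name:10} {s.state:10} {s.display_name}")
    for backup, live_path in replacement_candidates(svcs, fls):
        print(f"files to move:\n{backup}|{live_path}")
```

Run it with the path to report.txt as its only argument; with no argument it works on the embedded sample.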

Please download The Avenger2 by SwanDog46. http://swandog46.geekstogo.com/avenger.zip

Unzip avenger.exe to your desktop.

Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"

(don't include the word "code")

Comment:
begin copy here
files to move:
C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\iaStor.sys|C:\WINDOWS\system32\drivers\iaStor.sys

Now start The Avenger2 by double clicking avenger.exe on your desktop.

Read the prompt that appears, and press OK.

Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".

(What you pasted in must be at the very top.) Press the "Execute" button.

You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.

Note: It is possible that Avenger will reboot your system TWICE.

Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open.

Please paste that log here in your next post.

Restart your PC

Run MBAM, do a Quick Scan and post the log.

Edited to remove quotes


Lonny: Hello. I ran Avenger2, below is the log, and following that the Malwarebytes log.

Looks like it worked! I had to step away from my computer, but I think it booted up quicker, and Google searches are not taking me to random pages!!!

How do I prevent this from happening again? I have AVG anti-virus and ZoneAlarm always running, and regularly use AdAware, Spybot and MalwareBytes.

I still have almost constant low-level Internet activity, is that something to worry about? Maybe it is ZoneAlarm reacting to programs I have blocked?

Thanks again!!!!!!!!!!!!!!!!!!! ;)

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File move operation "C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\iaStor.sys|C:\WINDOWS\system32\drivers\iaStor.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

Malwarebytes' Anti-Malware 1.41

Database version: 2876

Windows 5.1.2600 Service Pack 3

9/30/2009 11:38:43 AM

mbam-log-2009-09-30 (11-38-43).txt

Scan type: Quick Scan

Objects scanned: 103341

Time elapsed: 6 minute(s), 1 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Well done Kolchak

Launch Notepad (important: not WordPad or another third-party text editor), and copy and paste the contents of the code box below into a new text file (don't include the word "code").

Save it as file name: cfscript.txt

Fcopy::
"C:\WINDOWS\system32\drivers\iaStor.sys" |"C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\iaStor.sys"

CFScript.gif

As in the picture above, drag and drop cfscript.txt onto combofix.exe.

When it is finished a text file will open; post it.

Post this text to

C:\Qoobox\Add-Remove Programs.txt


Lonny, below is the ComboFix log.

What did you mean by the following at the end of your last post:

Post this text to

C:\Qoobox\Add-Remove Programs.txt

=====================================

ComboFix 09-09-22.01 - HP_Administrator 09/30/2009 13:39.2.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.405 [GMT -4:00]

Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\HP_Administrator\Desktop\cfscript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

* Created a new restore point

.

- REDUCED FUNCTIONALITY MODE -

.

((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-30 )))))))))))))))))))))))))))))))

.

2009-09-24 14:37 . 2009-09-24 14:37 1615732 ----a-w- c:\program files\ProcessExplorer.zip

2009-09-23 14:46 . 2009-09-23 14:46 -------- d-----w- c:\program files\Trend Micro

2009-09-22 15:46 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys

2009-09-17 14:59 . 2009-09-17 14:59 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-09-17 14:16 . 2009-09-22 02:03 -------- d-----w- C:\$AVG8.VAULT$

2009-09-17 14:16 . 2009-09-17 14:16 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-09-15 14:57 . 2009-09-15 14:57 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys

2009-09-15 14:57 . 2009-09-22 14:06 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Spyware Terminator

2009-09-15 14:57 . 2009-09-30 13:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator

2009-09-15 14:57 . 2009-09-22 15:19 -------- d-----w- c:\program files\Spyware Terminator

2009-09-15 13:58 . 2009-09-15 13:58 -------- d-----w- c:\program files\CCleaner

2009-09-12 18:49 . 2002-12-11 20:13 44032 ----a-w- c:\windows\unwash.exe

2009-09-09 15:07 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

2009-09-06 16:07 . 2009-09-06 16:07 -------- d-----w- c:\program files\Carambis

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-30 14:33 . 2007-03-06 21:23 25468 ----a-w- c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat

2009-09-26 20:48 . 2006-10-12 08:39 59536 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-25 17:16 . 2006-10-12 09:03 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-09-23 20:23 . 2007-06-26 14:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-20 20:22 . 2006-10-12 08:22 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-09-15 17:05 . 2008-04-23 21:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-15 15:54 . 2006-10-12 08:32 -------- d-----w- c:\program files\music_now

2009-09-12 18:49 . 2007-07-01 14:52 -------- d-----w- c:\program files\Washer

2009-09-10 18:54 . 2008-08-19 23:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 18:53 . 2008-06-04 19:06 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-06 17:37 . 2009-09-06 17:37 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf

2009-09-06 17:37 . 2009-09-06 17:37 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2009-08-25 13:34 . 2008-05-28 15:37 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-25 13:34 . 2008-05-28 15:37 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-25 13:34 . 2008-05-28 15:36 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-15 22:36 . 2009-08-15 22:36 -------- d-----w- c:\program files\MSBuild

2009-08-15 22:36 . 2009-08-15 22:36 -------- d-----w- c:\program files\Reference Assemblies

2009-08-12 20:26 . 2008-06-09 22:57 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Apple Computer

2009-08-05 20:51 . 2007-06-26 14:28 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-08-05 09:01 . 2004-08-09 21:00 204800 ------w- c:\windows\system32\mswebdvd.dll

2009-07-17 19:01 . 2004-08-09 21:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 03:43 . 2004-08-09 21:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-03 17:09 . 2004-08-09 21:00 915456 ------w- c:\windows\system32\wininet.dll

2007-07-06 20:38 . 2007-07-06 20:38 599 ----a-w- c:\program files\Microsoft PowerPoint.lnk

2007-07-06 20:38 . 2007-07-06 20:38 587 ----a-w- c:\program files\Microsoft Office Shortcut Bar.lnk

2007-07-06 20:38 . 2007-07-06 20:38 548 ----a-w- c:\program files\Getting Results Book.lnk

2007-07-06 20:38 . 2007-07-06 20:38 599 ----a-w- c:\program files\Microsoft Schedule+.lnk

2007-07-06 20:38 . 2007-07-06 20:38 561 ----a-w- c:\program files\Microsoft Excel.lnk

2007-07-06 20:38 . 2007-07-06 20:38 587 ----a-w- c:\program files\Microsoft Access.lnk

2007-07-06 20:38 . 2007-07-06 20:38 580 ----a-w- c:\program files\MS Access Workgroup Administrator.lnk

2007-07-06 20:38 . 2007-07-06 20:38 667 ----a-w- c:\program files\Setup.lnk

2007-07-06 20:38 . 2007-07-06 20:38 585 ----a-w- c:\program files\Microsoft Word.lnk

2007-07-06 20:38 . 2007-07-06 20:38 575 ----a-w- c:\program files\Microsoft Binder.lnk

2001-12-03 21:09 . 2009-06-07 13:46 90112 ----a-w- c:\program files\internet explorer\plugins\DjVuControl.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-09-26_11.57.52 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-09-30 15:08 . 2009-09-30 15:08 16384 c:\windows\temp\Perflib_Perfdata_944.dat

+ 2005-08-30 13:51 . 2009-09-30 14:47 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2005-08-30 13:51 . 2009-09-26 11:35 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-09-17 14:59 . 2009-09-30 14:47 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat

- 2009-09-17 14:59 . 2009-09-26 11:35 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat

+ 2005-08-30 13:51 . 2009-09-30 14:47 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2005-08-30 13:51 . 2009-09-26 11:35 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

"SpywareTerminatorUpdate"="c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe" [2009-09-15 3055616]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

"washindex"="c:\program files\Washer\washidx.exe" [2002-08-15 33792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-02-21 143360]

"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]

"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-25 2007832]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-07-10 195072]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"ftutil2"="ftutil2.dll" - c:\windows\system32\ftutil2.dll [2004-06-07 106496]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-06-13 16239616]

c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\

PhotoWise QuickLink.lnk - c:\program files\PhotoWise\quicklnk.exe [2007-3-6 59904]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\

PhotoWise QuickLink.lnk - c:\program files\PhotoWise\quicklnk.exe [2007-3-6 59904]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-25 13:34 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/28/2008 11:37 AM 335240]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/28/2008 11:37 AM 108552]

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [9/15/2009 10:57 AM 142592]

R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/4/2008 9:23 AM 908056]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/4/2008 9:23 AM 297752]

S3 esihdrv;esihdrv;\??\c:\docume~1\HP_ADM~1\LOCALS~1\Temp\esihdrv.sys --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\esihdrv.sys [?]

S3 PsSdk31;PsSdk31;c:\windows\system32\drivers\pssdk31.drv [7/15/2008 6:16 PM 30272]

S3 PsSdkLBF;PsSdkLBF;c:\windows\system32\drivers\pssdklbf.drv [7/15/2008 6:16 PM 37440]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.ebay.com/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop

uInternet Settings,ProxyOverride = *.local

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-30 13:41

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PsSdk31]

"ImagePath"="\??\c:\windows\system32\Drivers\pssdk31.drv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PsSdkLBF]

"ImagePath"="\??\c:\windows\system32\Drivers\pssdklbf.drv"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2724)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2009-09-30 13:43

ComboFix-quarantined-files.txt 2009-09-30 17:43

ComboFix2.txt 2009-09-26 12:09

Pre-Run: 201,203,458,048 bytes free

Post-Run: 201,196,290,048 bytes free

184 --- E O F --- 2009-09-22 23:09


Lonny. I performed the operation again, ComboFix did update. Below is the log.

=================================

ComboFix 09-09-29.04 - HP_Administrator 09/30/2009 14:54.3.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.415 [GMT -4:00]

Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\HP_Administrator\Desktop\cfscript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\HP_Administrator\Application Data\Desktopicon

c:\documents and settings\HP_Administrator\Application Data\Desktopicon\config.ini

c:\documents and settings\HP_Administrator\Application Data\Desktopicon\eBayShortcuts.exe

.

((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-30 )))))))))))))))))))))))))))))))

.

2009-09-24 14:37 . 2009-09-24 14:37 1615732 ----a-w- c:\program files\ProcessExplorer.zip

2009-09-23 14:46 . 2009-09-23 14:46 -------- d-----w- c:\program files\Trend Micro

2009-09-22 15:46 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys

2009-09-17 14:59 . 2009-09-17 14:59 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-09-17 14:16 . 2009-09-22 02:03 -------- d-----w- C:\$AVG8.VAULT$

2009-09-17 14:16 . 2009-09-17 14:16 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-09-15 14:57 . 2009-09-15 14:57 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys

2009-09-15 14:57 . 2009-09-22 14:06 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Spyware Terminator

2009-09-15 14:57 . 2009-09-30 13:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator

2009-09-15 14:57 . 2009-09-22 15:19 -------- d-----w- c:\program files\Spyware Terminator

2009-09-15 13:58 . 2009-09-15 13:58 -------- d-----w- c:\program files\CCleaner

2009-09-12 18:49 . 2002-12-11 20:13 44032 ----a-w- c:\windows\unwash.exe

2009-09-09 15:07 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

2009-09-06 16:07 . 2009-09-06 16:07 -------- d-----w- c:\program files\Carambis

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-30 14:33 . 2007-03-06 21:23 25468 ----a-w- c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat

2009-09-26 20:48 . 2006-10-12 08:39 59536 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-25 17:16 . 2006-10-12 09:03 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-09-23 20:23 . 2007-06-26 14:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-20 20:22 . 2006-10-12 08:22 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-09-15 17:05 . 2008-04-23 21:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-15 15:54 . 2006-10-12 08:32 -------- d-----w- c:\program files\music_now

2009-09-12 18:49 . 2007-07-01 14:52 -------- d-----w- c:\program files\Washer

2009-09-10 18:54 . 2008-08-19 23:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 18:53 . 2008-06-04 19:06 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-06 17:37 . 2009-09-06 17:37 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf

2009-09-06 17:37 . 2009-09-06 17:37 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2009-08-25 13:34 . 2008-05-28 15:37 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-25 13:34 . 2008-05-28 15:37 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-25 13:34 . 2008-05-28 15:36 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-15 22:36 . 2009-08-15 22:36 -------- d-----w- c:\program files\MSBuild

2009-08-15 22:36 . 2009-08-15 22:36 -------- d-----w- c:\program files\Reference Assemblies

2009-08-12 20:26 . 2008-06-09 22:57 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Apple Computer

2009-08-05 20:51 . 2007-06-26 14:28 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-08-05 09:01 . 2004-08-09 21:00 204800 ------w- c:\windows\system32\mswebdvd.dll

2009-07-17 19:01 . 2004-08-09 21:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 03:43 . 2004-08-09 21:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-03 17:09 . 2004-08-09 21:00 915456 ------w- c:\windows\system32\wininet.dll

2007-07-06 20:38 . 2007-07-06 20:38 599 ----a-w- c:\program files\Microsoft PowerPoint.lnk

2007-07-06 20:38 . 2007-07-06 20:38 587 ----a-w- c:\program files\Microsoft Office Shortcut Bar.lnk

2007-07-06 20:38 . 2007-07-06 20:38 548 ----a-w- c:\program files\Getting Results Book.lnk

2007-07-06 20:38 . 2007-07-06 20:38 599 ----a-w- c:\program files\Microsoft Schedule+.lnk

2007-07-06 20:38 . 2007-07-06 20:38 561 ----a-w- c:\program files\Microsoft Excel.lnk

2007-07-06 20:38 . 2007-07-06 20:38 587 ----a-w- c:\program files\Microsoft Access.lnk

2007-07-06 20:38 . 2007-07-06 20:38 580 ----a-w- c:\program files\MS Access Workgroup Administrator.lnk

2007-07-06 20:38 . 2007-07-06 20:38 667 ----a-w- c:\program files\Setup.lnk

2007-07-06 20:38 . 2007-07-06 20:38 585 ----a-w- c:\program files\Microsoft Word.lnk

2007-07-06 20:38 . 2007-07-06 20:38 575 ----a-w- c:\program files\Microsoft Binder.lnk

2001-12-03 21:09 . 2009-06-07 13:46 90112 ----a-w- c:\program files\internet explorer\plugins\DjVuControl.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-09-26_11.57.52 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-09-30 15:08 . 2009-09-30 15:08 16384 c:\windows\temp\Perflib_Perfdata_944.dat

+ 2005-08-30 13:51 . 2009-09-30 14:47 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2005-08-30 13:51 . 2009-09-26 11:35 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-09-17 14:59 . 2009-09-30 14:47 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat

- 2009-09-17 14:59 . 2009-09-26 11:35 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

"SpywareTerminatorUpdate"="c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe" [2009-09-15 3055616]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

"washindex"="c:\program files\Washer\washidx.exe" [2002-08-15 33792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-02-21 143360]

"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]

"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-25 2007832]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-07-10 195072]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"ftutil2"="ftutil2.dll" - c:\windows\system32\ftutil2.dll [2004-06-07 106496]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-06-13 16239616]

c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\

PhotoWise QuickLink.lnk - c:\program files\PhotoWise\quicklnk.exe [2007-3-6 59904]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\

PhotoWise QuickLink.lnk - c:\program files\PhotoWise\quicklnk.exe [2007-3-6 59904]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-25 13:34 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/28/2008 11:37 AM 335240]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/28/2008 11:37 AM 108552]

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [9/15/2009 10:57 AM 142592]

R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/4/2008 9:23 AM 908056]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/4/2008 9:23 AM 297752]

S3 esihdrv;esihdrv;\??\c:\docume~1\HP_ADM~1\LOCALS~1\Temp\esihdrv.sys --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\esihdrv.sys [?]

S3 PsSdk31;PsSdk31;c:\windows\system32\drivers\pssdk31.drv [7/15/2008 6:16 PM 30272]

S3 PsSdkLBF;PsSdkLBF;c:\windows\system32\drivers\pssdklbf.drv [7/15/2008 6:16 PM 37440]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.ebay.com/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop

uInternet Settings,ProxyOverride = *.local

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-30 15:01

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PsSdk31]

"ImagePath"="\??\c:\windows\system32\Drivers\pssdk31.drv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PsSdkLBF]

"ImagePath"="\??\c:\windows\system32\Drivers\pssdklbf.drv"

.

Completion time: 2009-09-30 15:03

ComboFix-quarantined-files.txt 2009-09-30 19:03

ComboFix2.txt 2009-09-30 17:43

ComboFix3.txt 2009-09-26 12:09

Pre-Run: 201,198,215,168 bytes free

Post-Run: 201,176,084,480 bytes free

175 --- E O F --- 2009-09-22 23:09
