Please Help With Malware Infection

[human verification]

When I try to log in at eBay I get taken to a screen which prompts me to enter all of my banking info (including ATM PIN so that eBay can "identify me". It looks like this: http://img23.imageshack.us/img23/8797/wtfebay.jpg

Same thing happens when I try to log in at Paypal. I ran Malwarebytes first, with all of the latest updates, and it could not identify the problem. So I did everything listed here, in the order it was listed. I've included my logs below. Thanks so much for any help you can give me, and please let me know what else I can do to help you.

DDS (Ver_10-03-17.01) - NTFSx86

Run by Compaq_Administrator at 15:56:44.25 on Fri 06/18/2010

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_03

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.339 [GMT -4:00]

AV: AVG Anti-Virus plus Firewall *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: Digital Protection *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

c:\Program Files\Microsoft Security Essentials\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\ALCXMNTR.EXE

C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\windows\system\hpsysdrv.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\DivX\DivX Update\DivXUpdate.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\Mozilla Firefox\firefox.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\arservice.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\PdeSrv2.exe

C:\Documents and Settings\Compaq_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = hxxp://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=5.0&bm=ho_home

uInternet Settings,ProxyOverride = 127.0.0.1;*.local

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll

BHO: {B5235209-C5D7-4D7F-9655-E5258D3CDF53} - No File

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE

mRun: [<NO NAME>]

mRun: [MimBoot] c:\progra~1\musicm~1\musicm~1\mimboot.exe

mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 4.0\apdproxy.exe"

mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey

mRun: [KBD] c:\hp\kbd\KBD.EXE

mRun: [ps2] c:\windows\system32\ps2.exe

mRun: [AlcxMonitor] ALCXMNTR.EXE

mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"

mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe

mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"

mRun: [RECGUARD] c:\windows\sminst\RECGUARD.EXE

mRun: [sunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"

mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL

Trusted Zone: turbotax.com

Trusted Zone: musicmatch.com\online

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Notify: AtiExtEvent - Ati2evxx.dll

Notify: avgrsstarter - avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\wtoxyaj2.default\

FF - prefs.js: browser.startup.homepage - www.google.com

FF - plugin: c:\documents and settings\compaq_administrator\application data\move networks\plugins\npqmp071504000001.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\opera\program\plugins\np32dsw.dll

FF - plugin: c:\program files\opera\program\plugins\nppopcaploader.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-12 325896]

R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-2-7 27784]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-12 108552]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 149040]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-12 298776]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]

R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-5-12 29208]

S0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys --> c:\windows\system32\drivers\avgrkx86.sys [?]

S0 Dyv74;Dyv74; [x]

S1 japcevlf;japcevlf;\??\c:\windows\system32\drivers\japcevlf.sys --> c:\windows\system32\drivers\japcevlf.sys [?]

S1 ulkrprsu;ulkrprsu;\??\c:\windows\system32\drivers\ulkrprsu.sys --> c:\windows\system32\drivers\ulkrprsu.sys [?]

S1 xpdt;xpdt system driver;\??\c:\windows\system32\xpdt.sys --> c:\windows\system32\xpdt.sys [?]

S2 avgfws8;AVG8 Firewall;c:\progra~1\avg\avg8\avgfws8.exe --> c:\progra~1\avg\avg8\avgfws8.exe [?]

S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-5-12 29208]

S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]

=============== Created Last 30 ================

2010-06-18 19:45:02 0 ----a-w- c:\documents and settings\compaq_administrator\defogger_reenable

2010-06-06 02:57:18 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys

2010-06-06 02:57:17 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys

2010-06-06 02:57:17 133616 ------w- c:\windows\system32\pxafs.dll

2010-06-06 02:56:33 0 d-----w- c:\program files\common files\DivX Shared

2010-06-01 18:06:23 0 d-----w- c:\program files\DivX

2010-06-01 18:06:04 0 d-----w- c:\docume~1\alluse~1\applic~1\DivX

2010-05-24 03:11:40 0 d-----w- c:\program files\Powerbullet

==================== Find3M ====================

2010-05-21 18:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-27 18:40:40 45648 ------w- c:\windows\system32\drivers\pxhelp20.sys

2010-04-27 18:40:40 126448 ------w- c:\windows\system32\pxinsi64.exe

2010-04-27 18:40:40 123888 ------w- c:\windows\system32\pxcpyi64.exe

============= FINISH: 15:59:20.45 ===============

ark.zip

[screen317]

Hi and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

• When the tool is finished, it will produce a report for you.
  
• Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.
  

-screen317

[human verification]

Thanks, screen317. I downloaded and ran ComboFix, and after the required reboot, my cursor froze on Windows loading. I couldn't save the log ComboFix showed, and can't do anything now. I turned the computer off, waited a minute, turned it on again, cursor is still frozen. I'm using my husband's computer to post this. It's not the mouse itself, I tried his on my computer and his didn't work either. I don't know what to do now. It must be a result of the malware somehow but I don't know what I can do now.

[human verification]

I see that my keyboard is also frozen as soon as Windows boots. So I can't do anything at all. The cursor and keyboard seemed fine until I ran ComboFix. What should I do, anyone have any ideas? My computer is totally unusable, obviously. Thanks so much for any help!

[human verification]

To anyone reading this: DO NOT INSTALL OR RUN COMBOFIX!!! It's malware itself. I've spoken to two tech people today who flipped out when I told them I ran ComboFix. My computer is now useless, and I can't retrieve any files from it. The only thing I can do is reformat. I have no discs. I have to go buy Windows I guess. It will cost me hundreds of dollars that I don't have. I'm so depressed right now.

Don't do it!

[screen317]

Please calm down. ComboFix is not malware. I need to know what it did so it can be corrected.

I find it ridiculous that the "techs" you saw didn't offer you any other way to salvage your data (which you can, probably easily).

First I need to know what ComboFix did.

You will need a blank CD or flash drive, as well as software to burn .iso images, such as FreeISOBurner or BurnCDCC.

Download PuppyLinux from here and save it to your Desktop.

Open FreeISOBurner. Configure it as follows:

1) Click Open and navigate to puppy-4.2-k2.6.25.16-seamonkey.iso on your Desktop.

2) Change the Drive to reflect the drive letter of your CD or USB drive.

3) Change the Burn Speed to as slow as possible (4x or lower preferred).

4) Click Burn

When it finishes, eject the CD and put it in the computer that will not boot.

If not already done so, configure that computer to boot from CD or USB first. To do so, restart your computer. Carefully read what appears on the screen to see which key need to be pressed to enter Setup.

From there, navigate using the keyboard to the Boot section, then use the Page Up and Page Down keys to move the CDROM or USB option first. Afterward, press F10 to save and exit setup. When the computer restarts, it will boot from your CD or USB drive instead of the damaged hard drive, and you will be presented with PuppyLinux.

It will say Linux will boot automatically in 8 seconds. Let it. It will proceed to "boot the kernel." You will be presented with a number of options. Select the default option for everything and you will see an interface with several icons on it.

Click (only once) on mount and the Pmount Puppy Drive Mounter menu will open. Click MOUNT next to the hard drive that contains your Windows installation. Also mount any removable media you have inserted to transfer your data to.

A window will open titled /mnt/sda1 (or something similar).

You will now have access to all of your files in a familiar folder format. Navigate to C:\Qoobox, right-click it, place your mouse over Dir 'Qoobox', click Copy..., then click on the window containing your removable media. Right click empty space, and select Dir 'Qoobox' then Paste...

Transfer it to your husband's computer, zip up the folder, and attach it here.

When finished, click menu on the bottom left-hand corner of the screen, and click Shutdown.

[human verification]

Please calm down. ComboFix is not malware. I need to know what it did so it can be corrected.

I find it ridiculous that the "techs" you saw didn't offer you any other way to salvage your data (which you can, probably easily).

First I need to know what ComboFix did.

You will need a blank CD or flash drive, as well as software to burn .iso images, such as FreeISOBurner or BurnCDCC.

Download PuppyLinux from here and save it to your Desktop.

Open FreeISOBurner. Configure it as follows:

1) Click Open and navigate to puppy-4.2-k2.6.25.16-seamonkey.iso on your Desktop.

2) Change the Drive to reflect the drive letter of your CD or USB drive.

3) Change the Burn Speed to as slow as possible (4x or lower preferred).

4) Click Burn

When it finishes, eject the CD and put it in the computer that will not boot.

If not already done so, configure that computer to boot from CD or USB first. To do so, restart your computer. Carefully read what appears on the screen to see which key need to be pressed to enter Setup.

From there, navigate using the keyboard to the Boot section, then use the Page Up and Page Down keys to move the CDROM or USB option first. Afterward, press F10 to save and exit setup. When the computer restarts, it will boot from your CD or USB drive instead of the damaged hard drive, and you will be presented with PuppyLinux.

It will say Linux will boot automatically in 8 seconds. Let it. It will proceed to "boot the kernel." You will be presented with a number of options. Select the default option for everything and you will see an interface with several icons on it.

Click (only once) on mount and the Pmount Puppy Drive Mounter menu will open. Click MOUNT next to the hard drive that contains your Windows installation. Also mount any removable media you have inserted to transfer your data to.

A window will open titled /mnt/sda1 (or something similar).

You will now have access to all of your files in a familiar folder format. Navigate to C:\Qoobox, right-click it, place your mouse over Dir 'Qoobox', click Copy..., then click on the window containing your removable media. Right click empty space, and select Dir 'Qoobox' then Paste...

Transfer it to your husband's computer, zip up the folder, and attach it here.

When finished, click menu on the bottom left-hand corner of the screen, and click Shutdown.

[human verification]

Oops...sorry for the double.

He did offer to come over and fix my computer but to be honest I have a lot of sensitive info right there on my desktop (bank log ins, etc) and I don't feel comfortable with his suggestion, which is to come and get my cpu and take it home to work on it.

I'll follow your instructions and will report back later, thank you for still helping me even tho I'm on the verge of a meltdown....

[screen317]

Thanks for letting me know.

We can probably fix this. Just be patient and we will be able to deal with it.

[human verification]

Thanks again. Would you believe that neither cd drive on husband's computer works? This is not my weekend. I'll burn the cd tomorrow at work and report back tomorrow night!

[screen317]

Okay. You can also use a flash drive if you have one.

[human verification]

I followed your instructions, very easy! Now I'm at a snafu: I can copy the Qoobox folder, but I can't paste it into the cd-rom window. Or any other window. There is no 'paste' option whenever I right click on a window after copying something. I feel like an idiot here. I can copy anything, but can't seem to paste. Might you know what I'm doing wrong? I can drag and drop the folder into the cd-rom window, but wasn't sure if I should.

Puppy Linux is sweet! Using it right now.

[screen317]

Try dragging it into the CD-rom window; see if you can get your hands on a flash drive from someone. Using it would be far easier than burning x number of CDs.

[human verification]

Ugh. Dragging doesn't work either. I probably have to change permissions or something? I don't know what to change them to. Sorry to be such a pain in the arse here. Nothing is going according to plan yet......

[human verification]

Finally! Qoobox.zip

[screen317]

Okay.

While I analyze that, what did you do to copy it over?

In addition, when ComboFix ran, did you install the Recovery Console?

When you boot this computer, what exactly happens? Do you get any screens which prompt anything about the Recovery Console?

[human verification]

While I analyze that, what did you do to copy it over?

Not sure I follow you - I copied it onto a usb stick. Is that what you mean?

In addition, when ComboFix ran, did you install the Recovery Console?

No, my mouse and keyboard froze and still are frozen (in Windows xp mode) before CF was done running, so I couldn't install anything.

When you boot this computer, what exactly happens? Do you get any screens which prompt anything about the Recovery Console?

I get the normal boot up screens and Windows does load, I just can't do anything because the keyboard and mouse are frozen. I can go into more detail about what screens I see if you like.

[screen317]

While I analyze that, what did you do to copy it over?

Not sure I follow you - I copied it onto a usb stick. Is that what you mean?

Yes, that's what I meant.

When you boot this computer, what exactly happens? Do you get any screens which prompt anything about the Recovery Console?

I get the normal boot up screens and Windows does load, I just can't do anything because the keyboard and mouse are frozen. I can go into more detail about what screens I see if you like.

Yes please do.

[screen317]

Hi,

Try this please:

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu). If that works, let me know. If not, get back into PuppyLinux and grab this file:

C:\ComboFix.txt

Post it here.

[human verification]

Mouse and keyboard are frozen, even in Safe Mode, couldn't get file that way, so I rebooted Puppy and put it on the usb stick.

ComboFix 10-06-17.03 - Compaq_Administrator 06/18/2010 20:06:25.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.567 [GMT -4:00]

Running from: c:\documents and settings\Compaq_Administrator\Desktop\ComboFix.exe

AV: AVG Anti-Virus plus Firewall *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\-1878694194

c:\windows\bi.dll

c:\windows\biprep.exe

c:\windows\satmat.exe

c:\windows\system32\a

c:\windows\system32\d

c:\windows\system32\dumphive.exe

c:\windows\system32\e

c:\windows\system32\fjhdyfhsn.bat

c:\windows\system32\g

c:\windows\system32\H

c:\windows\system32\IEDFix.exe

c:\windows\system32\lclcfg32.ini

c:\windows\system32\lfd32.ini

c:\windows\system32\Process.exe

c:\windows\system32\sl.bin

c:\windows\system32\SrchSTS.exe

c:\windows\system32\tmp.reg

c:\windows\system32\u

c:\windows\system32\VACFix.exe

c:\windows\system32\VCCLSID.exe

c:\windows\system32\win.com

c:\windows\system32\WS2Fix.exe

c:\windows\xpsp1hfm.log

D:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_6TO4

-------\Legacy_AvgLdx86

-------\Legacy_AvgRkx86

-------\Legacy_AvgTdiX

-------\Legacy_bb-run

-------\Legacy_diskchk

-------\Legacy_Dyv74

-------\Legacy_fasttx2k

-------\Legacy_ftsata2

-------\Legacy_MpFilter

-------\Service_aracpi

-------\Service_arhidfltr

-------\Service_arkbcfltr

-------\Service_armoucfltr

-------\Service_ARPolicy

-------\Service_Avgfwdx

-------\Service_Avgfwfd

-------\Service_AvgLdx86

-------\Service_AvgRkx86

-------\Service_AvgTdiX

-------\Service_AX88772

-------\Service_bb-run

-------\Service_cdrbsdrv

-------\Service_cdrbsvsd

-------\Service_diskchk

-------\Service_Dyv74

-------\Service_fasttx2k

-------\Service_ftsata2

-------\Service_japcevlf

-------\Service_MHNDRV

-------\Service_MpFilter

-------\Service_MR97310_USB_DUAL_CAMERA

-------\Service_NdisIP

-------\Service_Ps2

-------\Service_RTL8023xp

-------\Service_SLIP

-------\Service_ulkrprsu

-------\Service_usb

-------\Service_USB_RNDIS_XP

-------\Service_USBAAPL

-------\Service_WpdUsb

((((((((((((((((((((((((( Files Created from 2010-05-19 to 2010-06-19 )))))))))))))))))))))))))))))))

.

2010-06-18 04:17 . 2010-06-18 04:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-06-17 00:50 . 2010-06-17 00:50 -------- d-----w- c:\documents and settings\HelpAssistant\UserData

2010-06-17 00:30 . 2007-09-26 16:21 630784 ----a-w- c:\documents and settings\HelpAssistant\GoToAssist_chat2way__317_en.exe

2010-06-06 02:57 . 2010-04-27 18:40 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys

2010-06-06 02:57 . 2010-04-27 18:40 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys

2010-06-06 02:57 . 2010-04-27 18:40 133616 ------w- c:\windows\system32\pxafs.dll

2010-06-06 02:56 . 2010-06-06 02:56 -------- d-----w- c:\program files\Common Files\DivX Shared

2010-06-01 18:10 . 2010-06-02 01:35 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\DivX

2010-06-01 18:06 . 2010-06-06 02:57 -------- d-----w- c:\program files\DivX

2010-06-01 18:06 . 2010-06-06 02:58 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX

2010-05-24 03:11 . 2010-05-26 12:44 -------- d-----w- c:\program files\Powerbullet

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-01 18:15 . 2008-08-12 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Soulseek

2010-05-21 18:14 . 2010-01-29 23:15 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-09 19:29 . 2006-02-12 18:52 -------- d-----w- c:\program files\Opera

2010-04-29 19:39 . 2009-07-26 15:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2009-07-26 15:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-27 18:40 . 2006-01-09 02:07 126448 ------w- c:\windows\system32\pxinsi64.exe

2010-04-27 18:40 . 2006-01-09 02:07 123888 ------w- c:\windows\system32\pxcpyi64.exe

2010-04-27 18:40 . 2005-04-25 17:03 45648 ----a-w- c:\windows\system32\drivers\pxhelp20.sys

2010-04-12 20:59 . 2010-04-12 15:43 36488 ----a-w- c:\windows\system32\drivers\klmd.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]

"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe" [2005-07-12 8192]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]

"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]

"ps2"="c:\windows\system32\ps2.exe" [2004-10-25 90112]

"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-14 344064]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]

"RECGUARD"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]

c:\documents and settings\Default User\Start Menu\Programs\Startup\

Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-29 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]

backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]

backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online Support Center.lnk]

backup=c:\windows\pss\Verizon Online Support Center.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]

backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\SoulseekNS\\slsk.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Opera\\opera.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"65533:TCP"= 65533:TCP:Services

"52344:TCP"= 52344:TCP:Services

"5048:TCP"= 5048:TCP:Services

"8596:TCP"= 8596:TCP:Services

"3389:TCP"= 3389:TCP:Remote Desktop

"5819:TCP"= 5819:TCP:Services

"5820:TCP"= 5820:TCP:Services

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/12/2009 2:30 PM 298776]

S2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe --> c:\progra~1\AVG\AVG8\avgfws8.exe [?]

.

Contents of the 'Scheduled Tasks' folder

2010-06-09 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2010-06-19 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 23:02]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = hxxp://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=5.0&bm=ho_home

uInternet Settings,ProxyOverride = 127.0.0.1;*.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

Trusted Zone: turbotax.com

Trusted Zone: musicmatch.com\online

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB

FF - ProfilePath - c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\wtoxyaj2.default\

FF - prefs.js: browser.startup.homepage - www.google.com

FF - plugin: c:\documents and settings\Compaq_Administrator\Application Data\Move Networks\plugins\npqmp071504000001.dll

FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\Opera\program\plugins\np32dsw.dll

FF - plugin: c:\program files\Opera\program\plugins\nppopcaploader.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe

HKLM-Run-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe

Notify-avgrsstarter - avgrsstx.dll

MSConfigStartUp-Motive SmartBridge - c:\progra~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-18 20:17

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x859E578A]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf7603f28

\Driver\ACPI -> ACPI.sys @ 0xf7496cb8

\Driver\atapi -> ntkrnlpa.exe @ 0x8057c2ed

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022

ParseProcedure -> ntkrnlpa.exe @ 0x80577c84

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022

ParseProcedure -> ntkrnlpa.exe @ 0x80577c84

NDIS: -> SendCompleteHandler -> 0x0

PacketIndicateHandler -> 0x0

SendHandler -> 0x0

copy of MBR has been found in sector 0x017499F00

malicious code @ sector 0x017499F03 !

PE file found in sector at 0x017499F19 !

MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(444)

c:\windows\system32\Ati2evxx.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Microsoft Security Essentials\MsMpEng.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\wdfmgr.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\wscntfy.exe

c:\windows\ARPWRMSG.EXE

c:\windows\eHome\ehmsas.exe

c:\progra~1\MUSICM~1\MUSICM~1\MMDiag.exe

c:\windows\ALCXMNTR.EXE

c:\windows\system32\dllhost.exe

c:\program files\Musicmatch\Musicmatch Jukebox\mim.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\PdeSrv2.exe

c:\windows\system32\logon.scr

.

**************************************************************************

.

Completion time: 2010-06-18 20:28:39 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-19 00:28

Pre-Run: 138,148,675,584 bytes free

Post-Run: 141,461,286,912 bytes free

- - End Of File - - 3E45E1966424BDC67EE16B6B1D377468

[screen317]

Hi,

A couple of questions before we continue:

In either Safe or Normal Mode, does pressing CTRL, ALT, and Delete at the same time bring up the Task Manager? Can you see your Desktop at all? How are you able to log in if the keyboard and mouse are frozen?

[human verification]

Hi again,

In either Safe or Normal Mode, does pressing CTRL, ALT, and Delete at the same time bring up the Task Manager?

Nope, because the keyboard doesn't work. When I try those three keys nothing happens. No part of the keyboard or keypad works.

Can you see your Desktop at all? How are you able to log in if the keyboard and mouse are frozen?

Well, in regular mode my desktop just loads, there is no log-in. In Safe Mode, I can't log in. The Safe Mode screen I see is the log-in screen, with two icons on the right - Admin and All Users. I can't pick one because the keyboard and the mouse don't work. I've tried the keyboard and mouse on another computer and they both work there.

[screen317]

Hi,

Is this a USB keyboard and mouse? Do you have a PS/2 keyboard and mouse you can use instead? If not, turn off the computer, then unplug the keyboard and mouse.

Turn on your computer, wait until your Desktop is shown, then plug in your keyboard and mouse again; allow the USB drivers to install again (it should happen automatically) and see if they work now.

[human verification]

Hi,

Is this a USB keyboard and mouse? Do you have a PS/2 keyboard and mouse you can use instead? If not, turn off the computer, then unplug the keyboard and mouse.

Turn on your computer, wait until your Desktop is shown, then plug in your keyboard and mouse again; allow the USB drivers to install again (it should happen automatically) and see if they work now.

Hi Chris,

They're both PS/2. I didn't know if I should try your USB directions with them, but did - I unplugged them, turned off the computer, and rebooted to Windows, plugged them back in, and still neither works. Should I borrow a USB mouse and keyboard from work to try?

[human verification]

Hi Chris,

They're both PS/2. I didn't know if I should try your USB directions with them, but did - I unplugged them, turned off the computer, and rebooted to Windows, plugged them back in, and still neither works. Should I borrow a USB mouse and keyboard from work to try?

Ooops, got that backwards. I turned off the computer and then unplugged them. Not sure if that made a difference for you to know that!