[Resolved] RootKit destroyed, now can't connect


88 replies to this topic

#1 Moose

    Gingerbread Thief

  • 3,904 posts
  • Joined: October 07, 2004
  • 60 topics
  • Age: 37
  • Skin: IP.Board
  • Local time: 06:28 AM
  • Zodiac:Aquarius
  • Gender:Female
  • Location:Compass Lake, FL
  • Interests:Mustangs,4X4's,Cats,The color Pink.Punk,,Oh,and I do collect Gingerbread men and crosses.
  • OS:Windows XP
  • Country:
Offline
  • :

Posted 18 April 2009 - 09:38 PM

Limewire gave me a bad Rootkit called Win32:Rootkit-gen(Rtk) and now I cannot connect to the internet with my laptop. I have a program called Panda Anti-Rootkit v1.08.00 which I am burning to another disc to run on my desktop to hopefully clear up this problem, but now I need to know which drivers I need to reinstall so that I can connect to the internet again. I know I need an Ethernet Network Controller but I don't know which ones, and in Device Manager it is showing me yellow exclamations under network adapters.

#2 Broni Re: [Resolved] RootKit destroyed, now can't connect

    Malware Annihilator

  • 24,878 posts
  • Joined: October 04, 2004
  • 1,858 topics
  • Age: 57
  • Skin: IPBoard wide
  • Local time: 04:28 AM
  • Zodiac:Virgo
  • Gender:Male
  • Location:Daly City, CA
  • OS:Windows Vista
  • Country:
Offline
  • Time Online: 57d 7h 43m 39s

Posted 18 April 2009 - 09:42 PM

You have to clean an infection, first. Then, we'll see.

#3 Moose Re: [Resolved] RootKit destroyed, now can't connect

Posted 18 April 2009 - 09:44 PM

Well, the thing is, I am having to go to a friend's house later to put that rootkit cleaner on a CD because my laptop will not burn CDs, so I was trying to get everything all in one trip.

#4 Broni Re: [Resolved] RootKit destroyed, now can't connect

Posted 18 April 2009 - 09:51 PM

Your connection may return, once the infection is taken care of.

While at your friend's house, get these:
- SUPERAntiSpyware Free for Home Users: http://www.superantispyware.com/
- Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php
- GMER: http://www.gmer.net/files.php, by clicking on Download EXE button
- The Avenger - http://swandog46.gee...r2/download.php

#5 Moose Re: [Resolved] RootKit destroyed, now can't connect

Posted 18 April 2009 - 09:54 PM

Ok, thank you. I had the first 2 programs already installed so I will download the last 2 and put them on the disc. Will get back with you after I run these cleaners.

#6 Broni Re: [Resolved] RootKit destroyed, now can't connect

Posted 18 April 2009 - 09:57 PM

Those first two should be updated, first. Since you can't connect, you may want to get fresh copies at your friend's house, so they'd have pretty fresh signatures.
You may also get Combofix:
- http://download.blee...Bs/ComboFix.exe
- http://subs.geekstogo.com/ComboFix.exe

#7 Moose Re: [Resolved] RootKit destroyed, now can't connect

Posted 18 April 2009 - 10:06 PM

Ok, and how about any trojan removers? I am showing something called DLOADER.trojan located in C:\Program Files\Common

#8 Broni Re: [Resolved] RootKit destroyed, now can't connect

Posted 18 April 2009 - 11:40 PM

Do you have the CD already?

If you do...

Print these instructions out.

NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

STEP 1. Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superanti...efinitions.html.)
* Close SUPERAntiSpyware.

PHYSICALLY DISCONNECT FROM THE INTERNET

Restart computer in Safe Mode.
To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen.

* Open SUPERAntiSpyware.
* Under Configuration and Preferences, click the Preferences button.
* Under the General and Startup tab, make sure the Start SUPERAntiSpyware when Windows starts option is UN-checked.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Scan for tracking cookies.
- Terminate memory threats before quarantining.

* Click the Close button to leave the control center screen.
* Back on the main screen, under Scan for Harmful Software click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under Complete Scan, choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
* Make sure everything has a checkmark next to it and click Next.
* A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
* If asked if you want to reboot, click Yes.
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply.

* Click Close to exit the program.
Post SUPERAntiSpyware log.
NOTE: Tracking cookies may be omitted from the log.

RECONNECT TO THE INTERNET

RESTART COMPUTER!

STEP 2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
(Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

RESTART COMPUTER!

STEP 3. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
Alternative downloads:
- http://majorgeeks.com/GMER_d5198.html
- http://www.softpedia....ers/GMER.shtml
Double-click on the downloaded .exe file, select the Rootkit tab and click the Scan button.
When the scan is completed, click the Save button and save the results as gmer.log.
Warning! Please do not select the "Show all" checkbox during the scan.
Post the log to your next reply.

RESTART COMPUTER

STEP 4. Download, install, and run HijackThis:
http://www.snapfiles...hijackthis.html
Post HijackThis log.
Do NOT attempt to "fix" anything!


DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

#9 Moose Re: [Resolved] RootKit destroyed, now can't connect

Posted 19 April 2009 - 04:12 AM

Ok, all scans complete and logs have been saved. I still cannot access the internet using my desktop after using those cleaners. Do I still need to post those logs?

#10 Broni Re: [Resolved] RootKit destroyed, now can't connect

Posted 19 April 2009 - 04:38 AM

Yes.

At the same time....

Download Dial-A-Fix (DAF):
http://wiki.lunarsoft.net/wiki/Dial-a-fix#...2C_and_articles

Have XP CD available in case DAF needs a file. Likely not!

Check all boxes on the screen (clear any restrictions if it shows any)
Then click GO!

When the entire page is finished, click the HammerHead at the bottom to go to the second DAF page.

Here, one at a time, do the below:

Reinstall BITS
Reinstall Windows Firewall
Repair Permissions
Reset networking

Watch for any File not found or other errors and make note as this may lead to the fix!

Restart computer.

#11 Moose Re: [Resolved] RootKit destroyed, now can't connect

Posted 19 April 2009 - 05:03 AM

Ok, here are the logs:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/18/2009 at 09:28 PM

Application Version : 4.26.1000

Core Rules Database Version : 3849
Trace Rules Database Version: 1803

Scan type : Complete Scan
Total Scan Time : 00:36:36

Memory items scanned : 202
Memory threats detected : 0
Registry items scanned : 5050
Registry threats detected : 6
File items scanned : 74599
File threats detected : 2

Rootkit.Mailer/Gen
HKLM\System\ControlSet001\Services\9d2d1d04
C:\WINDOWS\SYSTEM32\DRIVERS\9D2D1D04.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_9d2d1d04
HKLM\System\ControlSet002\Services\9d2d1d04
HKLM\System\ControlSet002\Enum\Root\LEGACY_9d2d1d04
HKLM\System\CurrentControlSet\Services\9d2d1d04
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_9d2d1d04

Rootkit.Agent/Gen-Rustock
C:\DOCUMENTS AND SETTINGS\OWNER\DOCTORWEB\QUARANTINE\OVFSTHXFUXDORKM.SYS
********************************************************************************
Malwarebytes' Anti-Malware 1.36
Database version: 1993
Windows 5.1.2600 Service Pack 2

4/18/2009 10:05:02 Moose
mbam-log-2009-04-18 (22-05-02).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 154711
Time elapsed: 31 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
*****************************************************
GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-18 22:55:43
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswmon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat aswmon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- EOF - GMER 1.0.15 ----
********************************************************
ComboFix 09-04-19.01 - Owner 04/18/2009 23:43.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.895.558 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090417-0] *On-access scanning enabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\outlook
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-03-19 to 2009-04-19 )))))))))))))))))))))))))))))))
.

2009-04-19 04:03 . 2009-04-19 04:42 -------- d-----w c:\program files\a-squared Free
2009-04-19 03:56 . 2009-04-19 03:56 -------- d-----w c:\program files\Trend Micro
2009-04-18 21:20 . 2009-04-18 21:20 -------- d-----w c:\documents and settings\Owner\Application Data\CyberLink
2009-04-18 19:06 . 2004-08-04 05:44 472007 ----a-r C:\txtsetup.sif
2009-04-18 19:06 . 2004-08-03 23:00 260272 ----a-r C:\$LDR$
2009-04-18 19:06 . 2009-04-18 19:06 -------- d-----w C:\$WIN_NT$.~BT
2009-04-17 19:59 . 2009-04-17 20:01 -------- d-----w c:\documents and settings\Owner\DoctorWeb
2009-04-17 13:57 . 2009-04-17 13:57 -------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2009-04-17 13:56 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-17 13:56 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-17 13:56 . 2009-04-17 13:57 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-17 13:56 . 2009-04-17 13:56 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-17 13:50 . 2009-04-17 13:50 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-17 13:49 . 2009-04-17 13:49 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-17 13:49 . 2009-04-17 13:49 -------- d-----w c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-04-17 13:37 . 2004-03-09 05:00 609824 ----a-w c:\windows\system32\comctl32.ocx
2009-04-17 13:37 . 2009-04-17 13:37 -------- d-----w c:\program files\Runtimeware.com
2009-04-17 05:03 . 2009-04-18 02:08 -------- d-----w c:\program files\GridinSoft Trojan Killer
2009-04-17 05:01 . 2009-04-17 05:01 155 ----a-w c:\windows\system32\SelfDel.bat
2009-04-17 04:43 . 2009-04-17 04:49 -------- d-----w c:\program files\Trojan Killer
2009-04-17 04:30 . 2009-04-17 04:30 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\G DATA
2009-04-17 03:04 . 2009-04-17 20:11 47104 ----a-w c:\documents and settings\Owner\otwSmSKijYr.exe
2009-04-17 03:04 . 2009-04-17 14:18 -------- d-----w c:\documents and settings\Owner\Application Data\Messenger
2009-04-17 03:04 . 2009-04-17 14:18 -------- d-----w c:\windows\system32\w2t
2009-04-17 03:04 . 2009-04-17 03:38 -------- d-----w c:\windows\system32\bm5
2009-04-17 03:04 . 2009-04-17 03:40 -------- d-----w c:\windows\system32\oSN13
2009-04-17 03:04 . 2009-04-17 03:04 -------- d-----w c:\temp\btmp2
2009-04-17 03:04 . 2009-04-17 03:04 2 ----a-w C:\-790929082
2009-04-17 02:59 . 2009-04-17 02:59 716925 ----a-w c:\windows\cekpb0726.exe
2009-04-17 00:32 . 2009-04-17 00:32 -------- d-----w c:\program files\Star Fax Cover Sheet Creator
2009-04-17 00:19 . 2009-04-17 00:32 787 ----a-w C:\ads_err.dbf
2009-04-16 16:51 . 2009-04-16 16:51 -------- d-----w c:\temp\TP-9CC33DE5-34F8-4011-941C-FCE386F21310-80030417
2009-04-16 14:10 . 2009-04-16 14:10 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\HP
2009-04-16 14:09 . 2009-04-16 14:09 -------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-04-16 14:08 . 2009-04-16 14:08 -------- d-----w c:\program files\Common Files\HP
2009-04-16 14:08 . 2007-01-17 16:37 16496 ----a-r c:\windows\system32\drivers\HPZipr12.sys
2009-04-16 14:08 . 2007-01-17 16:37 49920 ----a-r c:\windows\system32\drivers\HPZid412.sys
2009-04-16 14:07 . 2007-11-07 02:10 271704 ----a-r c:\windows\system32\hpzids01.dll
2009-04-16 14:07 . 2007-11-05 23:07 118272 ----a-w c:\windows\system32\hpz3l5mu.dll
2009-04-16 14:07 . 2007-01-17 16:37 21568 ----a-r c:\windows\system32\drivers\HPZius12.sys
2009-04-16 14:07 . 2007-10-31 10:35 593920 ----a-r c:\windows\system32\hpwtscl3.dll
2009-04-16 14:07 . 2007-01-17 16:37 364544 ----a-r c:\windows\system32\hppldcoi.dll
2009-04-16 14:07 . 2007-01-17 16:37 309760 ----a-r c:\windows\system32\difxapi.dll
2009-04-16 14:07 . 2007-01-17 16:31 294912 ----a-r c:\windows\system32\hpovst11.dll
2009-04-16 14:07 . 2007-10-31 10:35 729088 ----a-r c:\windows\system32\hpwwiax4.dll
2009-04-16 14:05 . 2008-01-07 14:10 10563 ----a-r c:\windows\hpwscr19.dat
2009-04-16 14:05 . 2007-11-07 02:15 1140056 ----a-r c:\windows\hpzmsi01.exe
2009-04-16 14:05 . 2007-11-07 02:04 1373528 ----a-r c:\windows\hpzshl01.exe
2009-04-16 14:05 . 2009-04-16 14:05 -------- d-----w c:\windows\yellowtail
2009-04-16 14:05 . 2009-04-18 19:30 -------- d-----w c:\program files\HP
2009-04-16 14:05 . 2004-08-04 03:01 25856 -c--a-w c:\windows\system32\dllcache\usbprint.sys
2009-04-16 14:05 . 2004-08-04 03:01 25856 ----a-w c:\windows\system32\drivers\usbprint.sys
2009-04-16 13:59 . 2009-04-16 14:10 176409 ----a-w c:\windows\hpwins19.dat
2009-04-16 13:59 . 2008-01-07 14:08 997 ----a-r c:\windows\hpwmdl19.dat
2009-03-25 17:47 . 2009-03-25 17:47 -------- d-----w c:\documents and settings\All Users\Application Data\Motive
2009-03-25 17:47 . 2005-07-12 06:28 69632 ----a-w c:\windows\system32\MCCDevice.dll
2009-03-25 17:47 . 2005-07-12 06:28 6048 ----a-w c:\windows\system32\MCC16.dll
2009-03-25 17:47 . 2009-04-01 05:08 -------- d-----w c:\program files\Common Files\Motive
2009-03-25 17:47 . 2009-03-25 17:47 51183516 ----a-w C:\BellSouthIW.re~
2009-03-25 17:46 . 2002-02-14 00:53 6345 ----a-r c:\windows\system32\DevMngr.vxd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-19 04:02 . 2009-04-19 04:02 886 ----a-w C:\avenger.txt
2009-04-18 21:20 . 2008-10-08 17:33 -------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2009-04-17 20:21 . 2008-06-07 02:17 -------- d-----w c:\program files\MySpace
2009-04-17 13:49 . 2008-07-14 07:50 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-17 04:51 . 2009-04-17 04:51 118784 ----a-w c:\windows\Web\Wallpaper\Bouganvelia Clock.exe
2009-04-17 04:41 . 2008-05-19 02:40 -------- d-----w c:\program files\RegCleaner
2009-04-17 04:19 . 2008-05-19 02:25 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-17 04:19 . 2008-05-19 02:25 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-17 03:47 . 2008-05-19 04:06 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-17 03:46 . 2008-05-19 04:03 -------- d-----w c:\program files\SpywareBlaster
2009-04-17 03:46 . 2008-05-19 02:17 -------- d-----w c:\program files\SpywareGuard
2009-04-17 03:00 . 2007-11-10 04:38 94880 -c--a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-17 00:45 . 2009-04-17 00:45 118784 ----a-w c:\windows\Web\Wallpaper\Bouganvelia Clock dir\uninstall.exe
2009-04-16 16:54 . 2008-05-19 02:43 -------- d-----w c:\program files\CCleaner
2009-04-16 14:46 . 2008-05-21 17:29 -------- d-----w c:\program files\Mah Jong Quest
2009-04-16 14:43 . 2008-12-17 20:50 -------- d-----w c:\program files\21stMahJong
2009-04-16 14:41 . 2008-12-17 21:02 -------- d-----w c:\program files\Hasbro Interactive
2009-04-16 14:41 . 2007-11-10 03:58 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-01 05:47 . 2008-05-22 23:47 452 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2008-06-17 23:42 . 2008-06-21 17:47 57733 -c--a-w c:\program files\4069124464.jpg
2007-11-10 04:38 . 2009-01-20 17:10 38768 -c--a-w c:\documents and settings\Administrator.MOOSE\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-11-10 04:36 . 2008-05-19 01:19 32768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
2008-05-19 01:18 . 2008-05-19 01:17 32768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051820080519\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli dherthix.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MRU-Blaster Silent Clean.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\MRU-Blaster Silent Clean.lnk
backup=c:\windows\pss\MRU-Blaster Silent Clean.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^SpywareGuard.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\SpywareGuard.lnk
backup=c:\windows\pss\SpywareGuard.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57305:TCP"= 57305:TCP:Pando P2P TCP Listening Port
"57305:UDP"= 57305:UDP:Pando P2P UDP Listening Port

R1 aswsp;avast! Self Protection; [x]
R2 aswfsblk;aswfsblk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
R3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\DRIVERS\el575nd5.sys [2001-08-18 69692]
R3 sasenum;sasenum;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
S1 KernelPatch_Helper;KernelPatch_Helper;c:\windows\system32\KPHelper.sys [2002-09-20 3192]
S1 sasdifsv;sasdifsv;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 saskutil;saskutil;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 KPService;KPService;c:\windows\system32\KPService.exe [2004-10-01 36864]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5229887d-8f3f-11dc-8e1c-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2008-11-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{E2BA40A2-74F3-42BD-F434-2604812C8953} - (no file)
Notify-!saswinlogon - (no file)
Notify-opnopned - opnopNeD.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.myembarq.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=EM&Loc=ENG_US&Sys=DTP&M=W3644
uInternet Settings,ProxyOverride = *.local;<local>
IE: &Add animation to IncrediMail Style Box - c:\program files\IncrediMail\bin\resources\WebMenuImg.htm
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\hkhrsntg.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://my.msn.com/default.aspx
FF - prefs.js: keyword.URL - hxxp://mystart.incredimail.com/?loc=ff_address_bar&search=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-18 23:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\UnlockerDriver5]
"ImagePath"="\??\c:\program files\Unlocker\UnlockerDriver5.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3300)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\a-squared Free\a2service.exe
c:\program files\Executive Software\Diskeeper\DkService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-19 23:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-19 04:48

Pre-Run: 139,603,243,008 bytes free
Post-Run: 139,616,256,000 bytes free

209 --- E O F --- 2008-11-12 05:44
*********************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:11 Moose, on 4/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\KPService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myembarq.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...DTP&M=W3644
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...DTP&M=W3644
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch...DTP&M=W3644
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
F2 - REG:system.ini: Shell=explorer.exe
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program Files\IncrediMail\bin\resources\WebMenuImg.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2bc66f54-93a8-11d3-beb6-00105aa9b6ae} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644e432f-49d3-41a1-8dd5-e099162eeec5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O20 - Winlogon Notify: !saswinlogon - C:\WINDOWS\
O20 - Winlogon Notify: opnopned - opnopNeD.dll (file missing)
O22 - SharedTaskScheduler: sdfg54y54yhhgth6w4efvrg - {E2BA40A2-74F3-42BD-F434-2604812C8953} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: KPService - Unknown owner - C:\WINDOWS\system32\KPService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 4939 bytes
*****************************************************************************************************************************
I cannot download anything else because I am back home now. I don't know when I will be able to get back to my friend's house to put programs on a CD, but I will as soon as
I can. Thanks so far for your help.

#12 Broni Re: [Resolved] RootKit destroyed, now can't connect

Posted 19 April 2009 - 05:17 AM

I'm checking your logs, but you'll have to re-run Combofix, because you didn't follow instructions and you didn't disable your AV program:

Quote

AV: avast! antivirus 4.8.1335 [VPS 090417-0] *On-access scanning enabled* (Updated)


#13 Moose Re: [Resolved] RootKit destroyed, now can't connect

Posted 19 April 2009 - 05:27 AM

I guess I got confused with all the different things to download and put on a CD, then all the scans...

#14 Broni Re: [Resolved] RootKit destroyed, now can't connect

Posted 19 April 2009 - 05:37 AM

That's fine.
Simply re-run Combofix with Avast disabled, post its log, and then post fresh HJT log (run it AFTER Combofix).
I'll check both tomorrow morning.

#15 Moose Re: [Resolved] RootKit destroyed, now can't connect

Posted 19 April 2009 - 02:01 PM

ComboFix 09-04-19.01 - Owner 04/19/2009 8:40.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.895.549 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090417-0] *On-access scanning disabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-03-19 to 2009-04-19 )))))))))))))))))))))))))))))))
.

2009-04-19 04:03 . 2009-04-19 04:42 -------- d-----w c:\program files\a-squared Free
2009-04-19 03:56 . 2009-04-19 03:56 -------- d-----w c:\program files\Trend Micro
2009-04-18 21:20 . 2009-04-18 21:20 -------- d-----w c:\documents and settings\Owner\Application Data\CyberLink
2009-04-17 19:59 . 2009-04-17 20:01 -------- d-----w c:\documents and settings\Owner\DoctorWeb
2009-04-17 13:57 . 2009-04-17 13:57 -------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2009-04-17 13:56 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-17 13:56 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-17 13:56 . 2009-04-17 13:57 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-17 13:56 . 2009-04-17 13:56 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-17 13:50 . 2009-04-17 13:50 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-17 13:49 . 2009-04-17 13:49 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-17 13:49 . 2009-04-17 13:49 -------- d-----w c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-04-17 13:37 . 2004-03-09 05:00 609824 ----a-w c:\windows\system32\comctl32.ocx
2009-04-17 13:37 . 2009-04-17 13:37 -------- d-----w c:\program files\Runtimeware.com
2009-04-17 05:03 . 2009-04-18 02:08 -------- d-----w c:\program files\GridinSoft Trojan Killer
2009-04-17 05:01 . 2009-04-17 05:01 155 ----a-w c:\windows\system32\SelfDel.bat
2009-04-17 04:43 . 2009-04-17 04:49 -------- d-----w c:\program files\Trojan Killer
2009-04-17 04:30 . 2009-04-17 04:30 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\G DATA
2009-04-17 03:04 . 2009-04-17 20:11 47104 ----a-w c:\documents and settings\Owner\otwSmSKijYr.exe
2009-04-17 03:04 . 2009-04-17 14:18 -------- d-----w c:\documents and settings\Owner\Application Data\Messenger
2009-04-17 03:04 . 2009-04-17 14:18 -------- d-----w c:\windows\system32\w2t
2009-04-17 03:04 . 2009-04-17 03:38 -------- d-----w c:\windows\system32\bm5
2009-04-17 03:04 . 2009-04-17 03:40 -------- d-----w c:\windows\system32\oSN13
2009-04-17 03:04 . 2009-04-17 03:04 -------- d-----w c:\temp\btmp2
2009-04-17 03:04 . 2009-04-17 03:04 2 ----a-w C:\-790929082
2009-04-17 02:59 . 2009-04-17 02:59 716925 ----a-w c:\windows\cekpb0726.exe
2009-04-17 00:32 . 2009-04-17 00:32 -------- d-----w c:\program files\Star Fax Cover Sheet Creator
2009-04-17 00:19 . 2009-04-17 00:32 787 ----a-w C:\ads_err.dbf
2009-04-16 16:51 . 2009-04-16 16:51 -------- d-----w c:\temp\TP-9CC33DE5-34F8-4011-941C-FCE386F21310-80030417
2009-04-16 14:10 . 2009-04-16 14:10 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\HP
2009-04-16 14:09 . 2009-04-16 14:09 -------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-04-16 14:08 . 2009-04-16 14:08 -------- d-----w c:\program files\Common Files\HP
2009-04-16 14:08 . 2007-01-17 16:37 16496 ----a-r c:\windows\system32\drivers\HPZipr12.sys
2009-04-16 14:08 . 2007-01-17 16:37 49920 ----a-r c:\windows\system32\drivers\HPZid412.sys
2009-04-16 14:07 . 2007-11-07 02:10 271704 ----a-r c:\windows\system32\hpzids01.dll
2009-04-16 14:07 . 2007-11-05 23:07 118272 ----a-w c:\windows\system32\hpz3l5mu.dll
2009-04-16 14:07 . 2007-01-17 16:37 21568 ----a-r c:\windows\system32\drivers\HPZius12.sys
2009-04-16 14:07 . 2007-10-31 10:35 593920 ----a-r c:\windows\system32\hpwtscl3.dll
2009-04-16 14:07 . 2007-01-17 16:37 364544 ----a-r c:\windows\system32\hppldcoi.dll
2009-04-16 14:07 . 2007-01-17 16:37 309760 ----a-r c:\windows\system32\difxapi.dll
2009-04-16 14:07 . 2007-01-17 16:31 294912 ----a-r c:\windows\system32\hpovst11.dll
2009-04-16 14:07 . 2007-10-31 10:35 729088 ----a-r c:\windows\system32\hpwwiax4.dll
2009-04-16 14:05 . 2008-01-07 14:10 10563 ----a-r c:\windows\hpwscr19.dat
2009-04-16 14:05 . 2007-11-07 02:15 1140056 ----a-r c:\windows\hpzmsi01.exe
2009-04-16 14:05 . 2007-11-07 02:04 1373528 ----a-r c:\windows\hpzshl01.exe
2009-04-16 14:05 . 2009-04-16 14:05 -------- d-----w c:\windows\yellowtail
2009-04-16 14:05 . 2009-04-18 19:30 -------- d-----w c:\program files\HP
2009-04-16 14:05 . 2004-08-04 03:01 25856 -c--a-w c:\windows\system32\dllcache\usbprint.sys
2009-04-16 14:05 . 2004-08-04 03:01 25856 ----a-w c:\windows\system32\drivers\usbprint.sys
2009-04-16 13:59 . 2009-04-16 14:10 176409 ----a-w c:\windows\hpwins19.dat
2009-04-16 13:59 . 2008-01-07 14:08 997 ----a-r c:\windows\hpwmdl19.dat
2009-03-25 17:47 . 2009-03-25 17:47 -------- d-----w c:\documents and settings\All Users\Application Data\Motive
2009-03-25 17:47 . 2005-07-12 06:28 69632 ----a-w c:\windows\system32\MCCDevice.dll
2009-03-25 17:47 . 2005-07-12 06:28 6048 ----a-w c:\windows\system32\MCC16.dll
2009-03-25 17:47 . 2009-04-01 05:08 -------- d-----w c:\program files\Common Files\Motive
2009-03-25 17:47 . 2009-03-25 17:47 51183516 ----a-w C:\BellSouthIW.re~
2009-03-25 17:46 . 2002-02-14 00:53 6345 ----a-r c:\windows\system32\DevMngr.vxd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-19 05:15 . 2007-11-10 04:01 -------- d-----w c:\program files\Windows Media Connect 2
2009-04-19 05:14 . 2007-11-10 04:28 -------- d-----w c:\documents and settings\Owner\Application Data\Spare Backup
2009-04-19 04:02 . 2009-04-19 04:02 886 ----a-w C:\avenger.txt
2009-04-18 21:20 . 2008-10-08 17:33 -------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2009-04-17 20:21 . 2008-06-07 02:17 -------- d-----w c:\program files\MySpace
2009-04-17 13:49 . 2008-07-14 07:50 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-17 04:51 . 2009-04-17 04:51 118784 ----a-w c:\windows\Web\Wallpaper\Bouganvelia Clock.exe
2009-04-17 04:41 . 2008-05-19 02:40 -------- d-----w c:\program files\RegCleaner
2009-04-17 04:19 . 2008-05-19 02:25 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-17 04:19 . 2008-05-19 02:25 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-17 03:47 . 2008-05-19 04:06 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-17 03:46 . 2008-05-19 04:03 -------- d-----w c:\program files\SpywareBlaster
2009-04-17 03:46 . 2008-05-19 02:17 -------- d-----w c:\program files\SpywareGuard
2009-04-17 03:00 . 2007-11-10 04:38 94880 -c--a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-17 00:45 . 2009-04-17 00:45 118784 ----a-w c:\windows\Web\Wallpaper\Bouganvelia Clock dir\uninstall.exe
2009-04-16 16:54 . 2008-05-19 02:43 -------- d-----w c:\program files\CCleaner
2009-04-16 14:46 . 2008-05-21 17:29 -------- d-----w c:\program files\Mah Jong Quest
2009-04-16 14:43 . 2008-12-17 20:50 -------- d-----w c:\program files\21stMahJong
2009-04-16 14:41 . 2008-12-17 21:02 -------- d-----w c:\program files\Hasbro Interactive
2009-04-16 14:41 . 2007-11-10 03:58 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-01 05:47 . 2008-05-22 23:47 452 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2008-06-17 23:42 . 2008-06-21 17:47 57733 -c--a-w c:\program files\4069124464.jpg
2007-11-10 04:38 . 2009-01-20 17:10 38768 -c--a-w c:\documents and settings\Administrator.MOOSE\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-11-10 04:36 . 2008-05-19 01:19 32768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
2008-05-19 01:18 . 2008-05-19 01:17 32768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051820080519\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-19_04.46.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-05-07 00:24 . 2009-04-19 05:29 62344 c:\windows\system32\perfc009.dat
- 2006-05-07 00:24 . 2009-04-16 23:11 62344 c:\windows\system32\perfc009.dat
+ 2006-05-07 00:24 . 2009-04-19 05:29 401064 c:\windows\system32\perfh009.dat
- 2006-05-07 00:24 . 2009-04-16 23:11 401064 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli dherthix.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MRU-Blaster Silent Clean.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\MRU-Blaster Silent Clean.lnk
backup=c:\windows\pss\MRU-Blaster Silent Clean.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^SpywareGuard.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\SpywareGuard.lnk
backup=c:\windows\pss\SpywareGuard.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57305:TCP"= 57305:TCP:Pando P2P TCP Listening Port
"57305:UDP"= 57305:UDP:Pando P2P UDP Listening Port

R1 aswsp;avast! Self Protection; [x]
R2 aswfsblk;aswfsblk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
R3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\DRIVERS\el575nd5.sys [2001-08-18 69692]
R3 sasenum;sasenum;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
S1 KernelPatch_Helper;KernelPatch_Helper;c:\windows\system32\KPHelper.sys [2002-09-20 3192]
S1 sasdifsv;sasdifsv;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 saskutil;saskutil;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 KPService;KPService;c:\windows\system32\KPService.exe [2004-10-01 36864]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5229887d-8f3f-11dc-8e1c-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2008-11-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.myembarq.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=EM&Loc=ENG_US&Sys=DTP&M=W3644
uInternet Settings,ProxyOverride = *.local;<local>
IE: &Add animation to IncrediMail Style Box - c:\program files\IncrediMail\bin\resources\WebMenuImg.htm
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\hkhrsntg.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://my.msn.com/default.aspx
FF - prefs.js: keyword.URL - hxxp://mystart.incredimail.com/?loc=ff_address_bar&search=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 08:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\UnlockerDriver5]
"ImagePath"="\??\c:\program files\Unlocker\UnlockerDriver5.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1892)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\a-squared Free\a2service.exe
c:\program files\Executive Software\Diskeeper\DkService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-19 8:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-19 13:45
ComboFix2.txt 2009-04-19 04:48

Pre-Run: 139,638,542,336 bytes free
Post-Run: 139,623,972,864 bytes free

206 --- E O F --- 2008-11-12 05:44
*********************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:52:46 Moose, on 4/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\KPService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myembarq.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...DTP&M=W3644
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program Files\IncrediMail\bin\resources\WebMenuImg.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2bc66f54-93a8-11d3-beb6-00105aa9b6ae} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644e432f-49d3-41a1-8dd5-e099162eeec5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: KPService - Unknown owner - C:\WINDOWS\system32\KPService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 4398 bytes

#16 Broni Re: [Resolved] RootKit destroyed, now can't connect

Posted 19 April 2009 - 05:42 PM

A. Install Recovery Console:

If you have Windows XP CD...

1. Insert the Windows XP bootable CD into the CD-ROM drive.
2. Click on Start > Run.
3. Type d:\i386\winnt32.exe /cmdcons where d is the drive letter for the CD-ROM drive.
4. A Windows Setup dialog will appear; press Yes to confirm the installation.
5. Restart your computer after installation. The next time you restart your computer you will see Microsoft Windows Recovery Console in the startup boot menu.


If you don't have Windows XP CD...

1. Download Windows Recovery Console: http://www.thecomput...om/files/rc.iso
2. Download, and install free Imgburn: http://www.imgburn.c...hp?act=download
3. Using Imgburn, burn rc.iso to a CD.
4. The above will create bootable Recovery Console CD.


B. Attempt to restore your internet connection, following steps from my reply #10 (Dial-A-Fix)


Report on progress.

#17 Moose Re: [Resolved] RootKit destroyed, now can't connect

Posted 19 April 2009 - 06:08 PM

Is there anything I can do with my eMachines operating system recovery CD? I can't make it over to my friend's house to burn a CD with the programs you provided.
I also have a Windows XP Professional CD. Or maybe I could get the drivers I need for the internet off of that disc??

#18 Broni Re: [Resolved] RootKit destroyed, now can't connect

Posted 19 April 2009 - 06:27 PM

As for Recovery Console, you can use your Windows CD to install it.
Just follow: If you have Windows XP CD... part.

BTW, what computer are you replying from?

As for the connection, it may not be possible without some extra downloads, but let's give it a shot.

A.
1. Click Start>Run (Start>"Start search" in Vista).

2. Type in (or copy and paste):

cmd /c ping google.com>%temp%\$.$&notepad %temp%\$.$

and press Enter.

3. Notepad will open.

4. Copy all text in Notepad ([Ctrl-A], then [Ctrl-C]), and then post it (paste = [Ctrl-V]) in your next reply.

B.
Turn off computer. Disconnect router, and modem from power source for 30 seconds.
Power them back on.
Restart computer.

If that doesn't work, bypass router, and connect computer straight to the modem.

If that doesn't work...
Go Start>Run (Start search in Vista), type in:
cmd
Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

In Command Prompt window, type in following commands, and hit Enter after each one:
ipconfig /flushdns
ipconfig /registerdns
ipconfig /release
ipconfig /renew


Restart computer.

If that doesn't work...
Go Start>Run (Start search in Vista), type in:
cmd
Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

At Command Prompt, type in:
netsh int ip reset reset.log
Hit Enter.
Type in:
netsh winsock reset catalog
Hit Enter.

Restart computer.
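Why the `netsh winsock reset catalog` step above so often restores connectivity after a rootkit clean-up: the removal tools delete the malware's DLLs, but entries that still point at them can be left behind in the Winsock catalog (LSPs), in the LSA Notification Packages value (loaded into lsass.exe; the ComboFix log above lists an unfamiliar name beside scecli there) and in the Winlogon Notify keys (the HijackThis O20 lines, one of which shows "file missing"). The script below is an added example written for this editorial pass; it is not part of the thread and not something Broni posted. It assumes Windows PowerShell 2.0 or later is installed (XP does not ship with it), that `netsh winsock show catalog` prints English "Provider Path:" lines, and that bare DLL names resolve to %SystemRoot%\system32. It only reports; it changes nothing.

```powershell
# Added example (not from the thread): find Winsock, LSA and Winlogon load-point
# entries whose DLL no longer exists on disk. Assumes PowerShell 2.0+, English
# netsh output, and system32 as the lookup directory for bare DLL names.

function Resolve-DllPath {
    param([string]$Name)
    # Entries may be bare names ("scecli"), names with an extension
    # ("opnopNeD.dll"), or full paths containing environment variables.
    $p = [Environment]::ExpandEnvironmentVariables($Name.Trim())
    if (-not [IO.Path]::IsPathRooted($p)) {
        $p = Join-Path (Join-Path $env:SystemRoot 'system32') $p   # assumption
    }
    if (-not [IO.Path]::HasExtension($p)) { $p = "$p.dll" }
    return $p
}

function Get-OrphanedLoadPoints {
    $findings = @()

    # 1. Winsock Layered Service Providers. A provider whose DLL is gone breaks
    #    every socket created through the catalog, which is why
    #    "netsh winsock reset catalog" is the usual fix for lost connectivity.
    $catalog = netsh winsock show catalog 2>&1
    foreach ($line in $catalog) {
        if ($line -match '^\s*Provider Path:\s*(.+?)\s*$') {
            $dll = Resolve-DllPath $Matches[1]
            if (-not (Test-Path -LiteralPath $dll)) {
                $findings += New-Object PSObject -Property @{
                    Source = 'Winsock catalog'; Entry = $Matches[1]; Resolved = $dll }
            }
        }
    }

    # 2. LSA Notification Packages: DLLs loaded into lsass.exe and called on
    #    every password change (a classic credential-theft load point).
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    foreach ($pkg in @($lsa.'Notification Packages')) {
        if ([string]::IsNullOrEmpty($pkg)) { continue }
        $dll = Resolve-DllPath $pkg
        if (-not (Test-Path -LiteralPath $dll)) {
            $findings += New-Object PSObject -Property @{
                Source = 'LSA Notification Packages'; Entry = $pkg; Resolved = $dll }
        }
    }

    # 3. Winlogon Notify subkeys: DLLs loaded into winlogon.exe at logon
    #    (HijackThis reports these as O20 lines).
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notify) {
        foreach ($key in Get-ChildItem $notify) {
            $name = (Get-ItemProperty $key.PSPath).DllName
            if ([string]::IsNullOrEmpty($name)) { continue }
            $dll = Resolve-DllPath $name
            if (-not (Test-Path -LiteralPath $dll)) {
                $findings += New-Object PSObject -Property @{
                    Source = "Winlogon Notify\$($key.PSChildName)"; Entry = $name; Resolved = $dll }
            }
        }
    }
    return $findings
}

# Report only. Review each hit before deciding whether "netsh winsock reset
# catalog" or a targeted registry edit is the right follow-up.
$orphans = @(Get-OrphanedLoadPoints)
if ($orphans.Count -eq 0) {
    Write-Host 'No load-point entries with missing DLLs found.'
} else {
    $orphans | Format-Table Source, Entry, Resolved -AutoSize
}
```

Run it from an administrator account on the affected machine. A hit in the Winsock catalog explains a "no connectivity" symptom directly; a hit under LSA or Winlogon Notify does not affect networking but is a leftover autostart worth clearing, since a later reinfection that drops a DLL with the same name would be loaded without touching the registry again.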

#19 Moose Re: [Resolved] RootKit destroyed, now can't connect

Posted 19 April 2009 - 06:29 PM

I am replying from my laptop. The computer that is having troubles is my desktop, which is Windows XP Home.

#20 Broni Re: [Resolved] RootKit destroyed, now can't connect

Posted 19 April 2009 - 06:32 PM

You don't have any USB stick to transfer things from the laptop to the desktop?