
Author Topic: Major attack and I don't know who to trust?  (Read 13137 times)


Kaderina

    Topic Starter


    Rookie

    • Experience: Beginner
    • OS: Unknown
    Major attack and I don't know who to trust?
    « on: May 23, 2011, 10:20:00 AM »
    I hope someone can help me here.  I have had a major attack on my computer.  I don't know exactly when it happened but I suspect it was around May 18th.  I became aware of the virus when the "Antimalware Doctor" window popped up.  Yes I tried to cope with it by trying to fix it myself.  Stupid move.

    I had Windows Defender on my computer so I scanned and it found "Alureon".  It disabled it.  From there I used the online version of Housecall.  Can't remember if it found anything at this point.  I also had Advanced System Care on my computer.  Ran it and it found many errors.  Used it to fix them.  Then it said there was a new version - version 4 I think.  Downloaded that and ran it.  Found more errors and fixed them.  Downloaded several different things and some I used, some I didn't.  Can't remember at this point.  HijackThis was one.  Got to the point that I couldn't trust where the internet was taking me and if the tool I was downloading was legit. 

    Names that came up in the scans are Alureon, FakeYak, Unruy.H and Hiloti.gen!D.

    I now have Microsoft Security Essentials on my computer.  I deleted Windows Defender.  The Microsoft product says that I'm protected, clear scan.  Problems that I have: 1) Can't connect to the update page at Microsoft.  2) I am being redirected when I use the internet.  3) The Processes on my computer seem to be extreme at times.  Everything has slowed down considerably.  4) I know that I have lost something.  My start menu is missing the section called "Recently viewed documents".

    I know.  Lesson learned.  Can anyone help me here?  What do you need to know?  I am running Windows XP Media Center 2002 Service Pack 3.  My computer is an HP Pavilion AMD 64 X 2 Dual Core Processor 3800+, 1.0 GHz, 960 Mb RAM.

    Allan

    • Moderator

    • Mastermind
    • Thanked: 1260
    • Experience: Guru
    • OS: Windows 10
    Re: Major attack and I don't know who to trust?
    « Reply #1 on: May 23, 2011, 10:21:59 AM »
    Please follow the instructions in the following link and post your logs:
    http://www.computerhope.com/forum/index.php/topic,46313.0.html


    Also, Windows Defender is a huge waste of time and resources. You should disable it (by disabling the Windows Defender Service) and use either MalwareBytes or SuperAntispyware instead.

    Kaderina

      Topic Starter


      Rookie

      • Experience: Beginner
      • OS: Unknown
      Re: Major attack and I don't know who to trust?
      « Reply #2 on: May 23, 2011, 05:05:14 PM »
      Ok, here are the details:

      I have Microsoft Security Essentials - This was downloaded after the attack when I dumped Windows Defender.  I now have Online Armor.  Concerns noted:

      Start Menu:
      AGEIA PHYS X System Tray Icon

      Auto Runs:
      ANIWZCSdS.exe
      LSSrvc.exe  (I think this is part of the Light Scribe burner I have?)
      NWIZ.exe

      In the Add/Remove programs, half of that is unknown but mostly looks like hardware updates.  If I had to list anything that looks suspicious it would be Adobe Air.  What is Adobe Air?

      After I finished the SuperAntiSpyware scan, Online Armor made me accept the following before it would give me the log report:

      UIREPAIR.DLL
      SD10005.dll
      SD10006.dll
      SD10007.dll
      _____________________________
      SUPERAntiSpyware Scan Log
      http://www.superantispyware.com

      Generated 05/23/2011 at 05:09 PM

      Application Version : 4.53.1000

      Core Rules Database Version : 7119
      Trace Rules Database Version: 4931

      Scan type       : Complete Scan
      Total Scan Time : 03:07:03

      Memory items scanned      : 492
      Memory threats detected   : 0
      Registry items scanned    : 7734
      Registry threats detected : 0
      File items scanned        : 134939
      File threats detected     : 132

      Rogue.AntiMalwareDoctor
         C:\Documents and Settings\HP_Administrator\Application Data\A0E290C2CE1C803ADACAA27E7A9AA375

      Adware.Tracking Cookie
      _________________________________
      Malwarebytes' Anti-Malware 1.50.1.1100
      www.malwarebytes.org

      Database version: 6658

      Windows 5.1.2600 Service Pack 3
      Internet Explorer 7.0.5730.11

      23/05/2011 6:00:08 PM
      mbam-log-2011-05-23 (18-00-08).txt

      Scan type: Quick scan
      Objects scanned: 188576
      Time elapsed: 24 minute(s), 44 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      (No malicious items detected)
      __________________________
      I updated Java but it didn't ask me about removing the old version?  I had Version 6, Update 22.
      ____________________________
      I hope I did the renaming of HJT properly.  The sniper link from the desktop still took me to the folder that was named HJT.  If I have to redo that one again, let me know.

      Logfile of Trend Micro HijackThis v2.0.4
      Scan saved at 6:43:42 PM, on 23/05/2011
      Platform: Windows XP SP3 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.6000.17055)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\SYSTEM32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Online Armor\OAcat.exe
      C:\Program Files\Online Armor\oasrv.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
      C:\WINDOWS\arservice.exe
      C:\Program Files\Bonjour\mDNSResponder.exe
      C:\WINDOWS\eHome\ehRecvr.exe
      C:\WINDOWS\eHome\ehSched.exe
      C:\Program Files\Common Files\LightScribe\LSSrvc.exe
      C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
      C:\WINDOWS\system32\nvsvc32.exe
      C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\dllhost.exe
      C:\WINDOWS\ehome\ehtray.exe
      C:\WINDOWS\RTHDCPL.EXE
      C:\WINDOWS\ARPWRMSG.EXE
      C:\Program Files\Microsoft Security Client\msseces.exe
      C:\Program Files\Online Armor\OAui.exe
      C:\WINDOWS\system32\rundll32.exe
      C:\WINDOWS\eHome\ehmsas.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
      C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
      C:\Program Files\Online Armor\OAhlp.exe
      C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
      C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
      C:\WINDOWS\system32\msiexec.exe
      C:\Program Files\Java\jre6\bin\jqs.exe
      C:\WINDOWS\system32\NOTEPAD.EXE
      C:\Program Files\Trend Micro\Sniper.exe\HiJackThis.exe
      C:\WINDOWS\system32\wuauclt.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=63&bd=PAVILION&pf=desktop
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=63&bd=PAVILION&pf=desktop
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=63&bd=PAVILION&pf=desktop
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
      O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
      O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\webhelper.dll
      O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
      O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
      O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
      O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
      O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
      O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
      O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
      O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
      O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Online Armor\OAui.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100458 -Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
      O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
      O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
      O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
      O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
      O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
      O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
      O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
      O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
      O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.geni.com/ImageUploader5.cab
      O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
      O16 - DPF: {6A615BCC-676D-41AA-AB4E-C1860690FFB4} (CFXEngine Object) - http://www.blacksmemorables.com/RocketLife.cab
      O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
      O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://data6.archives.ca/mrsidi_cab/MrSIDI.cab
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
      O18 - Protocol: rlfile - {F541A92B-CDC2-4B7C-BEF1-C7443070F3D8} - C:\WINDOWS\Downloaded Program Files\RocketEngine.dll
      O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
      O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
      O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
      O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
      O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
      O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
      O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
      O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
      O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
      O23 - Service: Online Armor Helper Service (OAcat) - Unknown owner - C:\Program Files\Online Armor\OAcat.exe
      O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - Unknown owner - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
      O23 - Service: Online Armor (SvcOnlineArmor) - Unknown owner - C:\Program Files\Online Armor\oasrv.exe

      --
      End of file - 9565 bytes
      ___________________

      Thank you so much for your assistance.  I really appreciate it.

      SuperDave

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Thanked: 1020
      • Experience: Expert
      • OS: Windows 10
      Re: Major attack and I don't know who to trust?
      « Reply #3 on: May 24, 2011, 01:22:10 PM »
      Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

      1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
      2. The fixes are specific to your problem and should only be used for this issue on this machine.
      3. If you don't know or understand something, please don't hesitate to ask.
      4. Please DO NOT run any other tools or scans while I am helping you.
      5. It is important that you reply to this thread. Do not start a new topic.
      6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
      7. Absence of symptoms does not mean that everything is clear.

      If you can't access the internet with your infected computer, you will have to download any programs on the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device, hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
      *****************************************************
      Quote
      What is Adobe Air?
      Adobe Air

      Quote
      I updated Java but it didn't ask me about removing the old version?  I had Version 6, Update 22
      You can uninstall older versions.

      Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

      Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

      Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

      Exit out of MessengerDisable then delete any files that were put on the desktop.
      *********************************************************

      Open HijackThis and select Do a system scan only

      Place a check mark next to the following entries: (if there)

      O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
      O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
      C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
      O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


      Important: Close all open windows except for HijackThis and then click Fix checked.

      Once completed, exit HijackThis.
      ********************************************************
      Download Security Check by screen317 from one of the following links and save it to your desktop.

      Link 1
      Link 2

      * Unzip SecurityCheck.zip and a folder named Security Check should appear.
      * Open the Security Check folder and double-click Security Check.bat
      * Follow the on-screen instructions inside of the black box.
      * A Notepad document should open automatically called checkup.txt
      * Post the contents of that document in your next reply.

      Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
      *****************************************************
      Download DDS from HERE or HERE and save it to your desktop.

      Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

      * XP users Double click on dds to run it.
      * If your antivirus or firewall try to block DDS then please allow it to run.
      * When finished DDS will open two (2) logs.

      1) DDS.txt
      2) Attach.txt

      * Save both logs to your desktop.
      * Please copy and paste the entire contents of both logs in your next reply.

      Note: DDS will instruct you to post the Attach.txt log as an attachment.
      Please just post it as you would any other log by copying and pasting it into the reply.
      Windows 8 and Windows 10 dual boot with two SSD's
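The fix list above is built by reading HijackThis lines by hand and picking the ones whose target no longer exists. The following added example (my own code, not part of this thread or of HijackThis) parses the complete entries quoted in that list and applies the same triage rule mechanically: an entry ending in "(no file)" or "(file missing)" is an orphan that can be removed, a RunOnce entry is a one-shot autorun to verify against programs you installed, and everything else points at an existing file and needs a per-program decision. The entry names `HjtEntry`, `parse_hjt`, `classify` and `triage` are my own; the sample log is the thread's own O3/O4/O9 lines.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample HijackThis entries: the complete O3/O4/O9 lines from the fix list in this thread.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
"""

# "O9 - <body>": the section code, a separator, then the entry text.
LINE_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.+)$")
# Registry CLSID in the usual {8-4-4-4-12} hex layout.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# HijackThis appends one of these when the referenced file is not on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class HjtEntry:
    section: str          # e.g. "O3", "O4", "O9"
    body: str             # everything after "Oxx - "
    clsid: Optional[str]  # normalised (upper-case) CLSID if the entry has one
    orphan: bool          # True when the target file is missing


def parse_hjt(text: str) -> List[HjtEntry]:
    """Parse HijackThis log lines; lines that are not entries are ignored."""
    entries: List[HjtEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        c = CLSID_RE.search(body)
        entries.append(HjtEntry(
            section=m.group("section"),
            body=body,
            clsid=c.group(0).upper() if c else None,
            orphan=body.endswith(ORPHAN_MARKERS),
        ))
    return entries


def classify(entry: HjtEntry) -> str:
    """Apply the triage rule used in the thread's fix list."""
    if entry.orphan:
        return "orphan"      # dangling reference: safe to let HijackThis remove
    if entry.section == "O4" and "RunOnce" in entry.body:
        return "runonce"     # one-shot autorun: confirm it belongs to a tool you installed
    return "active"          # points at an existing file: decide per program


def triage(text: str) -> List[tuple]:
    """(section, verdict) for every entry, in log order."""
    return [(e.section, classify(e)) for e in parse_hjt(text)]


if __name__ == "__main__":
    for entry, (_, verdict) in zip(parse_hjt(SAMPLE_LOG), triage(SAMPLE_LOG)):
        print(f"{verdict:8} {entry.section} - {entry.body}")
```

The two Messenger entries share one CLSID and both resolve to an existing `msmsgs.exe`, so they come out as "active": whether to fix them is a preference about Windows Messenger, not a sign of infection, which is also how the thread treats them.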

        Kaderina (Topic Starter)
        Re: Major attack and I don't know who to trust?
        « Reply #4 on: May 24, 2011, 05:15:42 PM »
        Hi SuperDave,

        Thank you for your help.  I'm at the point that I downloaded the dds program.  When I click on it, I got a flash of a black screen (like the Security Check screen) then back to my normal desktop.  Is it a program that is running in the background?  If so, am I messing it up by writing to you?  Is it downloaded improperly?

        Here are some results up to that point:

        HijackThis

        Missing from log:

        C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        ********************************************************
        Security Check

        SuperAntiSpyware made me allow these files to run:
        swreg.exe
        nircmdc.exe
        Objlist.exe
        sed.exe
        ____________
         Results of screen317's Security Check version 0.99.11 
         Windows XP Service Pack 3 
         Internet Explorer 7 Out of date!
        ``````````````````````````````
        Antivirus/Firewall Check:

         Windows Firewall Disabled! 
         Online Armor 5.0   
         Microsoft Security Essentials   
         Antivirus up to date! (On Access scanning disabled!)
        ```````````````````````````````
        Anti-malware/Other Utilities Check:

         Malwarebytes' Anti-Malware   
         CCleaner     
         Java(TM) 6 Update 25 
         Java(TM) 6 Update 5 
         Java(TM) 6 Update 7 
         Out of date Java installed!
         Adobe Flash Player   
        Adobe Reader X (10.0.1)
        ````````````````````````````````
        Process Check: 
        objlist.exe by Laurent

         Windows Defender MSMpEng.exe
         Tall Emu Online Armor OAcat.exe
         Tall Emu Online Armor oasrv.exe
         Tall Emu Online Armor oaui.exe
         Tall Emu Online Armor OAhlp.exe
         Microsoft Security Essentials msseces.exe
         Microsoft Security Client Antimalware MsMpEng.exe 
        ``````````End of Log````````````
        *****************************************************

        SuperDave (Malware Removal Specialist, Moderator)
        Re: Major attack and I don't know who to trust?
        « Reply #5 on: May 24, 2011, 05:42:38 PM »
        Quote
        Is it a program that is running in the background?  If so, am I messing it up by writing to you?  Is it downloaded improperly?
        That's not normal. We'll try something else. Your Internet Explorer is out of date and should be updated.
        You can also uninstall Java(TM) 6 Update 5 and  Java(TM) 6 Update 7. These are old versions.
        The Security Check shows this: "On Access scanning disabled!". Please make sure it's enabled after you run this next scan.


        Please download ComboFix from BleepingComputer.com

        Alternate link: GeeksToGo.com

        and save it to your Desktop.
        It would be easiest to download using Internet Explorer.
        If you insist on using Firefox, make sure that your download settings are as follows:

        * Tools->Options->Main tab
        * Set to "Always ask me where to Save the files".

        Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
        Double click ComboFix.exe & follow the prompts.
        As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
        Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

        Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

        Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


        Click on Yes, to continue scanning for malware.
        When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

        If you have problems with ComboFix usage, see How to use ComboFix
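The reply above reads three findings out of the Security Check report: Internet Explorer is out of date, two stale Java updates sit next to the current one, and on-access scanning is reported disabled. The added example below (my own code, not the thread's or screen317's) extracts those same findings from the report format mechanically, so the checks are repeatable when the user posts a second report, as happens later in the thread. The sample report is constructed from the one posted above; `parse_sections` and `findings` are my own names. The on-access finding is deliberately reported as the report's claim rather than a verdict: later in the thread the user confirms in MSE's own settings that real-time protection is on, so that line is a prompt to verify in the product console, not proof that protection is off.

```python
import re
from typing import Dict, List, Tuple

# Security Check separates its sections with runs of backticks; built here so the
# sample never starts a line with backticks.
SEP = "`" * 30
END_OF_LOG = "`" * 10 + "End of Log" + "`" * 16

# Constructed sample, modelled line for line on the report posted in this thread.
SAMPLE_REPORT = "\n".join([
    " Results of screen317's Security Check version 0.99.11 ",
    " Windows XP Service Pack 3 ",
    " Internet Explorer 7 Out of date!",
    SEP,
    "Antivirus/Firewall Check:",
    "",
    " Windows Firewall Disabled! ",
    " Online Armor 5.0   ",
    " Microsoft Security Essentials   ",
    " Antivirus up to date! (On Access scanning disabled!)",
    SEP,
    "Anti-malware/Other Utilities Check:",
    "",
    " Malwarebytes' Anti-Malware   ",
    " CCleaner     ",
    " Java(TM) 6 Update 25 ",
    " Java(TM) 6 Update 5 ",
    " Java(TM) 6 Update 7 ",
    " Out of date Java installed!",
    " Adobe Flash Player   ",
    "Adobe Reader X (10.0.1)",
    SEP,
    "Process Check: ",
    "objlist.exe by Laurent",
    "",
    " Windows Defender MSMpEng.exe",
    " Microsoft Security Essentials msseces.exe",
    END_OF_LOG,
])

# "<product> Out of date!"  /  "<product> Disabled!"  /  "Out of date <product> installed!"
OUTDATED_RE = re.compile(r"^(?P<product>.+?)\s+Out of date!$")
DISABLED_RE = re.compile(r"^(?P<product>.+?)\s+Disabled!$")
OUTDATED_INSTALLED_RE = re.compile(r"^Out of date (?P<product>.+?) installed!$")
ON_ACCESS_MARKER = "(On Access scanning disabled!)"


def parse_sections(report: str) -> Dict[str, List[str]]:
    """Split the report into {section title: [stripped lines]}; the first block is 'Header'."""
    sections: Dict[str, List[str]] = {"Header": []}
    current = "Header"
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if set(line) == {"`"} or (line.startswith("`") and "End of Log" in line):
            continue                      # separator line
        if line.endswith(":"):            # "Antivirus/Firewall Check:" etc.
            current = line[:-1].strip()
            sections[current] = []
            continue
        sections[current].append(line)
    return sections


def findings(report: str) -> List[Tuple[str, str]]:
    """(category, detail) pairs: outdated / disabled / on_access_disabled / multiple_versions."""
    out: List[Tuple[str, str]] = []
    java_versions: List[str] = []
    for lines in parse_sections(report).values():
        for line in lines:
            if line.startswith("Java(TM)"):
                java_versions.append(line)   # every installed JRE is listed on its own line
            m = OUTDATED_RE.match(line) or OUTDATED_INSTALLED_RE.match(line)
            if m:
                out.append(("outdated", m.group("product")))
                continue
            m = DISABLED_RE.match(line)
            if m:
                out.append(("disabled", m.group("product")))
                continue
            if ON_ACCESS_MARKER in line:
                # Report the claim as made; confirm it in the AV product's own console.
                out.append(("on_access_disabled", line.split(" up to date!")[0].strip()))
    if len(java_versions) > 1:
        # Side-by-side JRE installs leave old, exploitable runtimes reachable; list them for removal.
        out.append(("multiple_versions", ", ".join(java_versions)))
    return out


if __name__ == "__main__":
    for category, detail in findings(SAMPLE_REPORT):
        print(f"{category:20} {detail}")
```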

          Kaderina (Topic Starter)
          Re: Major attack and I don't know who to trust?
          « Reply #6 on: May 24, 2011, 05:57:49 PM »
          Hi SuperDave,

          The old versions of Java: do I just find the folder and delete them?  They are not showing up in Add/Remove Programs.

          *****  Forget that comment.  Just blind.  Found and removed.

          As for Internet Explorer, do I update it to IE8?  Can that be done after we resolve the other issues or should it be done first?

          How do I enable the On Access scanning you write about and what program is it associated with?

          Thank you
          « Last Edit: May 24, 2011, 06:18:35 PM by Kaderina »

          SuperDave (Malware Removal Specialist, Moderator)
          Re: Major attack and I don't know who to trust?
          « Reply #7 on: May 25, 2011, 04:57:44 PM »
          Quote
          As for Internet Explorer, do I update it to IE8?  Can that be done after we resolve the other issues or should it be done first?
          After we're finished will be ok.
          Quote
          How do I enable the On Access scanning you write about and what program is it associated with?
          I'm speaking about Microsoft Security Essentials. The Security Check shows that it is disabled. After you run ComboFix you should re-enable it by going to Control Panel, Security Center. You will also get a warning in the bottom right-hand corner of your desktop that your computer may be at risk.

            Kaderina (Topic Starter)
            Re: Major attack and I don't know who to trust?
            « Reply #8 on: May 25, 2011, 05:29:13 PM »
            Hi SuperDave,

            More problems.  First of all, with the MSE, it is showing that it is enabled.  In the settings, Real time protection is on.  When I go to the control panel, it says that I am protected.  Here is an up to date scan using Security check:

             Results of screen317's Security Check version 0.99.11 
             Windows XP Service Pack 3 
             Internet Explorer 7 Out of date!
            ``````````````````````````````
            Antivirus/Firewall Check:

             Windows Firewall Disabled! 
             Online Armor 5.0   
             Microsoft Security Essentials   
             Antivirus up to date! (On Access scanning disabled!)
            ```````````````````````````````
            Anti-malware/Other Utilities Check:

             Malwarebytes' Anti-Malware   
             CCleaner     
             Java(TM) 6 Update 25 
             Adobe Flash Player   
            Adobe Reader X (10.0.1)
            ````````````````````````````````
            Process Check: 
            objlist.exe by Laurent

            ``````````End of Log````````````

            ***************

            I downloaded ComboFix.  Turned off the MSE and the Online Armor.  The scan starts fine.  Updates the Microsoft Windows recovery.  Starts to scan, finds the RootKit.  Then it detects RootKit Activity and wants to Reboot the machine.  No choice, have to hit OK.  When the machine reboots, Online Armor is back on and holds up the scan.  Tried it twice.  Any ideas from here?  I went to the control panel security and I can't disable Online Armor there.

            One other thing to mention.  When I look at the Online Armor status screen, there is a lot of activity.  For the most part they are svchost.exe/TCP.  It looks like connections from all over.  Mostly USA but also Lithuania, Russian Federation, Sweden and the Netherlands.  Are these people trying to get into my computer?  I have noticed on my Windows Task Manager a lot of activity with the svchost.exe.  Yesterday I also got a message box saying "Windows Virtual Memory Too Low" and today got the message AutoIt - Error Allocating Memory.

            SuperDave (Malware Removal Specialist, Moderator)
            Re: Major attack and I don't know who to trust?
            « Reply #9 on: May 25, 2011, 06:42:37 PM »
            Quote
            First of all, with the MSE, it is showing that it is enabled.  In the settings, Real time protection is on.  When I go to the control panel, it says that I am protected
            Ok. It must be just a hiccup with Security Check.
            Quote
            When the machine reboots, Online Armor is back on and holds up the scan.  Tried it twice.  Any ideas from here?  I went to the control panel security and I can't disable Online Armor there.
            Do you have the option of running it anyway?
            Quote
            When I look at the Online Armor status screen, there is a lot of activity.  For the most part they are svchost.exe/TCP.  It looks like connections from all over.  Mostly USA but also Lithuania, Russian Federation, Sweden and the Netherlands.  Are these people trying to get into my computer?
            It could be an infection on your computer or just a result of surfing the net.
            Quote
            Yesterday I also got a message box saying "Windows Virtual Memory Too Low" and today got the message AutoIt - Error Allocating Memory.
             
            That happens occasionally. It happened to me when I was cleaning a computer last weekend.

              Kaderina (Topic Starter)
              Re: Major attack and I don't know who to trust?
              « Reply #10 on: May 25, 2011, 06:47:31 PM »
              Hi SuperDave,

              I can try to run Combofix again.  I know that a lot of Online Armor messages came up to Block or allow.  I will try it again but the first time it looked like it stopped working.  It may be that I just didn't wait long enough.  I'll try again.

              As for the activity on my computer, I'm not doing any surfing right now due to the infection.  They are even listed when I'm offline. 

              SuperDave (Malware Removal Specialist, Moderator)
              Re: Major attack and I don't know who to trust?
              « Reply #11 on: May 25, 2011, 06:56:50 PM »
              Quote
              I'm not doing any surfing right now due to the infection.  They are even listed when I'm offline.
              Is it possible that it's files from the past?

              Please download TDSSKiller from here and save it to your Desktop.
              • Double-click TDSSKiller.exe to run the tool
              • Click the Start Scan button (if prompted with a "hidden service warning", do go ahead and delete it.)

              • After the scan has finished, click the Close button
              • Click the Report button and copy/paste the contents of it into your next reply
              • Note: It will also create a log in the C:\ directory.
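The TDSSKiller report the reply above asks for lists every loaded driver as a timestamp, a process id, the driver name, its MD5 and its path; when it is pasted into a forum, long paths wrap onto following lines, which is what makes the log further down this thread hard to read. The added example below (my own code, not Kaspersky's and not part of this thread) parses that format, re-joins wrapped paths, pulls out the SystemInfo block, and lists drivers loading from outside the Windows directory the tool reported. The sample is constructed from lines in this thread's own log. `Driver`, `Report`, `parse_tdsskiller` and `outside_windows_dir` are my own names. The out-of-directory list is a review hint, not a verdict: the one entry it flags in the sample is, by its own path, Microsoft Antimalware's definition-update driver, so a human still has to look at each flagged path.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in TDSSKiller's report format, assembled from lines posted in this
# thread, including two paths wrapped across lines the way the forum rendered them.
SAMPLE_REPORT = r"""
2011/05/25 21:24:45.0609 3860   ================================================================================
2011/05/25 21:24:45.0609 3860   SystemInfo:
2011/05/25 21:24:45.0609 3860   OS Version: 5.1.2600 ServicePack: 3.0
2011/05/25 21:24:45.0609 3860   Windows directory: C:\WINDOWS
2011/05/25 21:24:58.0437 2376   Scan started
2011/05/25 21:24:58.0437 2376   Mode: Manual;
2011/05/25 21:25:00.0000 2376   ACPI            (8fd99680a539792a30e97944fdaecf17)

C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/25 21:25:02.0468 2376   atapi           (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/05/25 21:25:14.0765 2376   MpKsla472e9e2   (5f53edfead46fa7adb78eee9ecce8fdf) c:\Documents and Settings\All

Users\Application Data\Microsoft\Microsoft Antimalware\Definition

Updates\{62618C59-15DC-4B0C-89EC-447558D99863}\MpKsla472e9e2.sys
"""

# "<date> <time> <pid>   <rest>": every line the tool itself wrote starts this way.
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<pid>\d+)\s+(?P<rest>.*)$")
# "<name>   (<md5>) <path>": a driver entry; the path may be empty if it wrapped.
DRIVER_RE = re.compile(r"^(?P<name>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s*(?P<path>.*)$")


@dataclass
class Driver:
    name: str
    md5: str
    path: str


@dataclass
class Report:
    sysinfo: Dict[str, str] = field(default_factory=dict)
    drivers: List[Driver] = field(default_factory=list)


def parse_tdsskiller(text: str) -> Report:
    """Parse a TDSSKiller report, re-joining paths that were wrapped by the forum."""
    report = Report()
    pending: Optional[Driver] = None   # last driver seen; a bare line continues its path
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            pending = None
            rest = m.group("rest").strip()
            d = DRIVER_RE.match(rest)
            if d:
                drv = Driver(d.group("name"), d.group("md5").lower(), d.group("path"))
                report.drivers.append(drv)
                pending = drv
            elif ": " in rest and not rest.startswith("="):
                key, _, value = rest.partition(": ")   # SystemInfo "Key: value" lines
                report.sysinfo[key.strip()] = value.strip()
            continue
        # Not a tool-written line: a fragment of the previous driver's wrapped path.
        # Wrapping happened at a space, so re-join with one.
        if pending is not None:
            pending.path = f"{pending.path} {line}".strip() if pending.path else line
    return report


def outside_windows_dir(report: Report) -> List[Driver]:
    """Drivers whose image is not under the Windows directory the report names (for review)."""
    windir = report.sysinfo.get("Windows directory", r"C:\WINDOWS").lower().rstrip("\\")
    return [d for d in report.drivers if not d.path.lower().startswith(windir + "\\")]


if __name__ == "__main__":
    rep = parse_tdsskiller(SAMPLE_REPORT)
    print(rep.sysinfo)
    for drv in rep.drivers:
        print(f"{drv.name:16} {drv.md5} {drv.path}")
    print("review:", [d.name for d in outside_windows_dir(rep)])
```

Once paths are whole, the MD5 column is what the tool's own rootkit check keys on; a defender can compare those hashes against a known-good image of the same Service Pack, which is far more reliable than judging a driver by its name.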

                Kaderina (Topic Starter)
                Re: Major attack and I don't know who to trust?
                « Reply #12 on: May 25, 2011, 07:34:30 PM »
                Hi SuperDave,

                Tried the ComboFix again, twice.  Same results.  Computer reboots, ComboFix starts up again.  No icons on the screen for about 3 minutes, then they come back.  The blue screen of ComboFix then says access denied. Online Armor then comes up with two programs that it wants an answer on (Parts of ComboFix).  I give them access and about 30 seconds later ComboFix is dropped.

                Here are the results of TDSSKiller:

                2011/05/25 21:24:45.0078 3860   TDSS rootkit removing tool 2.5.3.0 May 25 2011 07:09:24
                2011/05/25 21:24:45.0609 3860   ================================================================================
                2011/05/25 21:24:45.0609 3860   SystemInfo:
                2011/05/25 21:24:45.0609 3860   
                2011/05/25 21:24:45.0609 3860   OS Version: 5.1.2600 ServicePack: 3.0
                2011/05/25 21:24:45.0609 3860   Product type: Workstation
                2011/05/25 21:24:45.0609 3860   ComputerName: NANCY
                2011/05/25 21:24:45.0609 3860   UserName: HP_Administrator
                2011/05/25 21:24:45.0609 3860   Windows directory: C:\WINDOWS
                2011/05/25 21:24:45.0609 3860   System windows directory: C:\WINDOWS
                2011/05/25 21:24:45.0609 3860   Processor architecture: Intel x86
                2011/05/25 21:24:45.0609 3860   Number of processors: 2
                2011/05/25 21:24:45.0609 3860   Page size: 0x1000
                2011/05/25 21:24:45.0609 3860   Boot type: Normal boot
                2011/05/25 21:24:45.0609 3860   ================================================================================
                2011/05/25 21:24:50.0078 3860   Initialize success
                2011/05/25 21:24:58.0437 2376   ================================================================================
                2011/05/25 21:24:58.0437 2376   Scan started
                2011/05/25 21:24:58.0437 2376   Mode: Manual;
                2011/05/25 21:24:58.0437 2376   ================================================================================
                2011/05/25 21:24:59.0765 2376   A5AGU           (6e0a62f76886f7c0807b2dcee0524eff) C:\WINDOWS\system32\DRIVERS\A5AGU.sys
                2011/05/25 21:25:00.0000 2376   ACPI            (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
                2011/05/25 21:25:00.0125 2376   ACPIEC          (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
                2011/05/25 21:25:00.0406 2376   aec             (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
                2011/05/25 21:25:00.0593 2376   AFD             (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
                2011/05/25 21:25:00.0953 2376   AmdK8           (59301936898ae62245a6f09c0aba9475) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
                2011/05/25 21:25:01.0406 2376   ANIO            (920298c7aef97d8168d219d35975d295) C:\WINDOWS\system32\ANIO.SYS
                2011/05/25 21:25:01.0625 2376   aracpi          (00523019e3579c8f8a94457fe25f0f24) C:\WINDOWS\system32\DRIVERS\aracpi.sys
                2011/05/25 21:25:01.0703 2376   arhidfltr       (9fedaa46eb1a572ac4d9ee6b5f123cf2) C:\WINDOWS\system32\DRIVERS\arhidfltr.sys
                2011/05/25 21:25:01.0828 2376   arkbcfltr       (82969576093cd983dd559f5a86f382b4) C:\WINDOWS\system32\DRIVERS\arkbcfltr.sys
                2011/05/25 21:25:01.0875 2376   armoucfltr      (9b21791d8a78faece999fadbebda6c22) C:\WINDOWS\system32\DRIVERS\armoucfltr.sys
                2011/05/25 21:25:02.0000 2376   Arp1394         (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
                2011/05/25 21:25:02.0031 2376   ARPolicy        (7a2da7c7b0c524ef26a79f17a5c69fde) C:\WINDOWS\system32\DRIVERS\arpolicy.sys
                2011/05/25 21:25:02.0343 2376   AsyncMac        (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
                2011/05/25 21:25:02.0468 2376   atapi           (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
                2011/05/25 21:25:02.0812 2376   atksgt          (72bc628af75c4c3250f2a3bac260265a) C:\WINDOWS\system32\DRIVERS\atksgt.sys
                2011/05/25 21:25:03.0062 2376   Atmarpc         (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
                2011/05/25 21:25:03.0140 2376   audstub         (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
                2011/05/25 21:25:03.0218 2376   Beep            (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
                2011/05/25 21:25:03.0609 2376   cbidf2k         (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
                2011/05/25 21:25:03.0750 2376   Cdaudio         (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
                2011/05/25 21:25:03.0937 2376   Cdfs            (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
                2011/05/25 21:25:04.0140 2376   Cdrom           (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
                2011/05/25 21:25:04.0828 2376   Disk            (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
                2011/05/25 21:25:05.0046 2376   dmboot          (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
                2011/05/25 21:25:05.0218 2376   dmio            (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
                2011/05/25 21:25:05.0812 2376   dmload          (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
                2011/05/25 21:25:06.0062 2376   DMusic          (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
                2011/05/25 21:25:06.0187 2376   drmkaud         (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
                2011/05/25 21:25:06.0296 2376   Fastfat         (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
                2011/05/25 21:25:06.0625 2376   Fdc             (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
                2011/05/25 21:25:06.0781 2376   Fips            (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
                2011/05/25 21:25:06.0984 2376   Flpydisk        (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
                2011/05/25 21:25:07.0156 2376   FltMgr          (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
                2011/05/25 21:25:07.0359 2376   Fs_Rec          (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
                2011/05/25 21:25:07.0484 2376   Ftdisk          (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
                2011/05/25 21:25:07.0703 2376   GEARAspiWDM     (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
                2011/05/25 21:25:07.0906 2376   Gpc             (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
                2011/05/25 21:25:08.0000 2376   HDAudBus        (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
                2011/05/25 21:25:08.0093 2376   HidUsb          (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
                2011/05/25 21:25:08.0234 2376   HSXHWBS2        (1f5c64b0c6b2e2f48735a77ae714ccb8) C:\WINDOWS\system32\DRIVERS\HSXHWBS2.sys
                2011/05/25 21:25:08.0468 2376   HSX_DP          (a7f8c9228898a1e871d2ae7082f50ac3) C:\WINDOWS\system32\DRIVERS\HSX_DP.sys
                2011/05/25 21:25:08.0734 2376   HTTP            (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
                2011/05/25 21:25:09.0062 2376   i8042prt        (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
                2011/05/25 21:25:09.0437 2376   iaStor          (9a65e42664d1534b68512caad0efe963) C:\WINDOWS\system32\DRIVERS\iaStor.sys
                2011/05/25 21:25:09.0812 2376   Imapi           (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
                2011/05/25 21:25:10.0421 2376   IntcAzAudAddService (64be56b8858ca0153c725c720ffd194f) C:\WINDOWS\system32\drivers\RtkHDAud.sys
                2011/05/25 21:25:10.0859 2376   IntelIde        (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
                2011/05/25 21:25:11.0000 2376   intelppm        (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
                2011/05/25 21:25:11.0109 2376   Ip6Fw           (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
                2011/05/25 21:25:11.0265 2376   IpFilterDriver  (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
                2011/05/25 21:25:11.0359 2376   IpInIp          (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
                2011/05/25 21:25:11.0421 2376   IpNat           (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
                2011/05/25 21:25:11.0640 2376   IPSec           (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
                2011/05/25 21:25:11.0906 2376   IRENUM          (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
                2011/05/25 21:25:12.0031 2376   isapnp          (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
                2011/05/25 21:25:12.0156 2376   Kbdclass        (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
                2011/05/25 21:25:12.0375 2376   kmixer          (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
                2011/05/25 21:25:12.0562 2376   KSecDD          (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
                2011/05/25 21:25:12.0906 2376   lirsgt          (4127e8b6ddb4090e815c1f8852c277d3) C:\WINDOWS\system32\DRIVERS\lirsgt.sys
                2011/05/25 21:25:13.0031 2376   MASPINT         (a2ae666cee860babe7fa6f1662b71737) C:\WINDOWS\system32\drivers\MASPINT.sys
                2011/05/25 21:25:13.0203 2376   MCSTRM          (5bb01b9f582259d1fb7653c5c1da3653) C:\WINDOWS\system32\drivers\MCSTRM.sys
                2011/05/25 21:25:13.0375 2376   mdmxsdk         (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
                2011/05/25 21:25:13.0500 2376   MHNDRV          (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
                2011/05/25 21:25:13.0687 2376   mnmdd           (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
                2011/05/25 21:25:13.0828 2376   Modem           (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
                2011/05/25 21:25:13.0937 2376   Mouclass        (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
                2011/05/25 21:25:14.0171 2376   MountMgr        (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
                2011/05/25 21:25:14.0312 2376   MpFilter        (7e34bfa1a7b60bba1da03d677f16cd63) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
                2011/05/25 21:25:14.0765 2376   MpKsla472e9e2   (5f53edfead46fa7adb78eee9ecce8fdf) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62618C59-15DC-4B0C-89EC-447558D99863}\MpKsla472e9e2.sys
                2011/05/25 21:25:15.0046 2376   MRxDAV          (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
                2011/05/25 21:25:15.0218 2376   MRxSmb          (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
                2011/05/25 21:25:15.0390 2376   Msfs            (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
                2011/05/25 21:25:15.0656 2376   MSKSSRV         (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
                2011/05/25 21:25:15.0750 2376   MSPCLOCK        (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
                2011/05/25 21:25:15.0843 2376   MSPQM           (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
                2011/05/25 21:25:15.0968 2376   mssmbios        (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
                2011/05/25 21:25:16.0062 2376   Mup             (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
                2011/05/25 21:25:16.0281 2376   NDIS            (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
                2011/05/25 21:25:16.0453 2376   NdisTapi        (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
                2011/05/25 21:25:16.0593 2376   Ndisuio         (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
                2011/05/25 21:25:16.0640 2376   NdisWan         (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
                2011/05/25 21:25:16.0828 2376   NDProxy         (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
                2011/05/25 21:25:16.0937 2376   NetBIOS         (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
                2011/05/25 21:25:17.0125 2376   NetBT           (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
                2011/05/25 21:25:17.0359 2376   NIC1394         (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
                2011/05/25 21:25:17.0468 2376   Npfs            (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
                2011/05/25 21:25:17.0687 2376   Ntfs            (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
                2011/05/25 21:25:17.0796 2376   Null            (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
                2011/05/25 21:25:18.0125 2376   nv              (ce58f42b11be20a47c3d8d2f38da254e) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
                2011/05/25 21:25:18.0437 2376   NVENETFD        (22eedb34c4d7613a25b10c347c6c4c21) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
                2011/05/25 21:25:18.0609 2376   nvnetbus        (5e3f6ad5cad0f12d3cccd06fd964087a) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
                2011/05/25 21:25:18.0921 2376   NwlnkFlt        (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
                2011/05/25 21:25:18.0984 2376   NwlnkFwd        (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
                2011/05/25 21:25:19.0125 2376   OADevice        (131b33debe75acee4604fdad3e650ef7) C:\WINDOWS\system32\drivers\OADriver.sys
                2011/05/25 21:25:19.0437 2376   oahlpXX         (c040c3baf7e9d700d54bf93a125ae0db) C:\WINDOWS\system32\drivers\oahlp32.sys
                2011/05/25 21:25:19.0656 2376   OAmon           (135a8b08e46cb03fec9d9087da9031b5) C:\WINDOWS\system32\drivers\OAmon.sys
                2011/05/25 21:25:19.0765 2376   OAnet           (c5690ac83b11e86917ef1e436926cf7e) C:\WINDOWS\system32\drivers\OAnet.sys
                2011/05/25 21:25:20.0015 2376   ohci1394        (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
                2011/05/25 21:25:20.0187 2376   Parport         (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
                2011/05/25 21:25:20.0343 2376   PartMgr         (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
                2011/05/25 21:25:20.0453 2376   ParVdm          (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
                2011/05/25 21:25:20.0671 2376   PCI             (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
                2011/05/25 21:25:21.0015 2376   PCIIde          (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
                2011/05/25 21:25:21.0140 2376   Pcmcia          (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
                2011/05/25 21:25:21.0875 2376   pfc             (6c1618a07b49e3873582b6449e744088) C:\WINDOWS\system32\drivers\pfc.sys
                2011/05/25 21:25:21.0984 2376   PptpMiniport    (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
                2011/05/25 21:25:22.0078 2376   Processor       (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
                2011/05/25 21:25:22.0296 2376   Ps2             (390c204ced3785609ab24e9c52054a84) C:\WINDOWS\system32\DRIVERS\PS2.sys
                2011/05/25 21:25:22.0359 2376   Ptilink         (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
                2011/05/25 21:25:22.0421 2376   PxHelp20        (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
                2011/05/25 21:25:22.0859 2376   RasAcd          (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
                2011/05/25 21:25:23.0468 2376   Rasl2tp         (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
                2011/05/25 21:25:23.0593 2376   RasPppoe        (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
                2011/05/25 21:25:23.0640 2376   Raspti          (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
                2011/05/25 21:25:23.0765 2376   Rdbss           (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
                2011/05/25 21:25:23.0968 2376   RDPCDD          (4912d5b403614ce99c28420f75353332)

                C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
                2011/05/25 21:25:24.0109 2376   rdpdr           (15cabd0f7c00c47c70124907916af3f1)

                C:\WINDOWS\system32\DRIVERS\rdpdr.sys
                2011/05/25 21:25:24.0218 2376   RDPWD           (6728e45b66f93c08f11de2e316fc70dd)

                C:\WINDOWS\system32\drivers\RDPWD.sys
                2011/05/25 21:25:24.0437 2376   redbook         (f828dd7e1419b6653894a8f97a0094c5)

                C:\WINDOWS\system32\DRIVERS\redbook.sys
                2011/05/25 21:25:24.0656 2376   rtl8139         (d507c1400284176573224903819ffda3)

                C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
                2011/05/25 21:25:24.0750 2376   SASDIFSV        (a3281aec37e0720a2bc28034c2df2a56) C:\Program

                Files\SUPERAntiSpyware\SASDIFSV.SYS
                2011/05/25 21:25:24.0781 2376   SASKUTIL        (61db0d0756a99506207fd724e3692b25) C:\Program

                Files\SUPERAntiSpyware\SASKUTIL.SYS
                2011/05/25 21:25:24.0984 2376   Secdrv          (90a3935d05b494a5a39d37e71f09a677)

                C:\WINDOWS\system32\DRIVERS\secdrv.sys
                2011/05/25 21:25:25.0109 2376   Serial          (cca207a8896d4c6a0c9ce29a4ae411a7)

                C:\WINDOWS\system32\drivers\Serial.sys
                2011/05/25 21:25:25.0421 2376   Sfloppy         (8e6b8c671615d126fdc553d1e2de5562)

                C:\WINDOWS\system32\DRIVERS\sfloppy.sys
                2011/05/25 21:25:25.0750 2376   sonypvf2        (f68ccc483bb85af6a8d5d751e1cc59e0)

                C:\WINDOWS\system32\drivers\sonypvf2.sys
                2011/05/25 21:25:26.0140 2376   sonypvl2        (4efce4ce7813b8c4d7c526ad3b821fe9)

                C:\WINDOWS\system32\drivers\sonypvl2.sys
                2011/05/25 21:25:26.0312 2376   sonypvt2        (04be0be6b50bac71de235c0cb766268c)

                C:\WINDOWS\system32\drivers\sonypvt2.sys
                2011/05/25 21:25:26.0937 2376   splitter        (ab8b92451ecb048a4d1de7c3ffcb4a9f)

                C:\WINDOWS\system32\drivers\splitter.sys
                2011/05/25 21:25:27.0031 2376   sr              (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
                2011/05/25 21:25:27.0281 2376   Srv             (da852e3e0bf1cea75d756f9866241e57)

                C:\WINDOWS\system32\DRIVERS\srv.sys
                2011/05/25 21:25:27.0468 2376   swenum          (3941d127aef12e93addf6fe6ee027e0f)

                C:\WINDOWS\system32\DRIVERS\swenum.sys
                2011/05/25 21:25:27.0796 2376   swmidi          (8ce882bcc6cf8a62f2b2323d95cb3d01)

                C:\WINDOWS\system32\drivers\swmidi.sys
                2011/05/25 21:25:28.0140 2376   sysaudio        (8b83f3ed0f1688b4958f77cd6d2bf290)

                C:\WINDOWS\system32\drivers\sysaudio.sys
                2011/05/25 21:25:28.0312 2376   Tcpip           (9aefa14bd6b182d61e3119fa5f436d3d)

                C:\WINDOWS\system32\DRIVERS\tcpip.sys
                2011/05/25 21:25:28.0703 2376   TDPIPE          (6471a66807f5e104e4885f5b67349397)

                C:\WINDOWS\system32\drivers\TDPIPE.sys
                2011/05/25 21:25:28.0796 2376   TDTCP           (c56b6d0402371cf3700eb322ef3aaf61)

                C:\WINDOWS\system32\drivers\TDTCP.sys
                2011/05/25 21:25:28.0921 2376   TermDD          (88155247177638048422893737429d9e)

                C:\WINDOWS\system32\DRIVERS\termdd.sys
                2011/05/25 21:25:29.0250 2376   Udfs            (5787b80c2e3c5e2f56c2a233d91fa2c9)

                C:\WINDOWS\system32\drivers\Udfs.sys
                2011/05/25 21:25:29.0421 2376   Update          (402ddc88356b1bac0ee3dd1580c76a31)

                C:\WINDOWS\system32\DRIVERS\update.sys
                2011/05/25 21:25:29.0656 2376   USBAAPL         (5c2bdc152bbab34f36473deaf7713f22)

                C:\WINDOWS\system32\Drivers\usbaapl.sys
                2011/05/25 21:25:29.0796 2376   usbccgp         (173f317ce0db8e21322e71b7e60a27e8)

                C:\WINDOWS\system32\DRIVERS\usbccgp.sys
                2011/05/25 21:25:29.0921 2376   usbehci         (65dcf09d0e37d4c6b11b5b0b76d470a7)

                C:\WINDOWS\system32\DRIVERS\usbehci.sys
                2011/05/25 21:25:30.0046 2376   usbhub          (1ab3cdde553b6e064d2e754efe20285c)

                C:\WINDOWS\system32\DRIVERS\usbhub.sys
                2011/05/25 21:25:30.0093 2376   usbohci         (0daecce65366ea32b162f85f07c6753b)

                C:\WINDOWS\system32\DRIVERS\usbohci.sys
                2011/05/25 21:25:30.0250 2376   usbprint        (a717c8721046828520c9edf31288fc00)

                C:\WINDOWS\system32\DRIVERS\usbprint.sys
                2011/05/25 21:25:30.0343 2376   usbscan         (a0b8cf9deb1184fbdd20784a58fa75d4)

                C:\WINDOWS\system32\DRIVERS\usbscan.sys
                2011/05/25 21:25:30.0390 2376   usbstor         (a32426d9b14a089eaa1d922e0c5801a9)

                C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
                2011/05/25 21:25:30.0421 2376   usbuhci         (26496f9dee2d787fc3e61ad54821ffe6)

                C:\WINDOWS\system32\DRIVERS\usbuhci.sys
                2011/05/25 21:25:30.0578 2376   VgaSave         (0d3a8fafceacd8b7625cd549757a7df1)

                C:\WINDOWS\System32\drivers\vga.sys
                2011/05/25 21:25:30.0734 2376   ViaIde          (3b3efcda263b8ac14fdf9cbdd0791b2e)

                C:\WINDOWS\system32\DRIVERS\viaide.sys
                2011/05/25 21:25:30.0875 2376   VolSnap         (4c8fcb5cc53aab716d810740fe59d025)

                C:\WINDOWS\system32\drivers\VolSnap.sys
                2011/05/25 21:25:31.0093 2376   Wanarp          (e20b95baedb550f32dd489265c1da1f6)

                C:\WINDOWS\system32\DRIVERS\wanarp.sys
                2011/05/25 21:25:31.0281 2376   wdmaud          (6768acf64b18196494413695f0c3a00f)

                C:\WINDOWS\system32\drivers\wdmaud.sys
                2011/05/25 21:25:31.0390 2376   winachsx        (11ec1afceb5c917ce73d3c301ff4291e)

                C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys
                2011/05/25 21:25:31.0671 2376   WS2IFSL         (6abe6e225adb5a751622a9cc3bc19ce8)

                C:\WINDOWS\System32\drivers\ws2ifsl.sys
                2011/05/25 21:25:31.0750 2376   MBR (0x1B8)     (2adb60a78d6aefd3efeae86ca9cb5e30) \Device\Harddisk0\DR0
                2011/05/25 21:25:31.0750 2376   \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
                2011/05/25 21:25:31.0765 2376   ================================================================================
                2011/05/25 21:25:31.0765 2376   Scan finished
                2011/05/25 21:25:31.0765 2376   ================================================================================
                2011/05/25 21:25:31.0796 3456   Detected object count: 1
                2011/05/25 21:25:31.0796 3456   Actual detected object count: 1
                2011/05/25 21:25:45.0734 3456   \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
                2011/05/25 21:25:45.0734 3456   \Device\Harddisk0\DR0 - ok
                2011/05/25 21:25:45.0734 3456   Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure


                That's all I can do tonight.  I will reboot as I turn my computer off at night to prevent further activity.

                SuperDave

                • Malware Removal Specialist
                • Moderator
                • Genius
                • Thanked: 1020
                • Experience: Expert
                • OS: Windows 10
                Re: Major attack and I don't know who to trust?
                « Reply #13 on: May 26, 2011, 01:27:25 PM »
                Just as I suspected; there was a rootkit. Let's try to run ComboFix with this:

                Delete your copy of ComboFix; download a fresh copy, except before you download it, rename it to blackpudding.bat

                Navigate to Start --> Run, and enter the following command exactly as shown:

                "%userprofile%\desktop\blackpudding.bat" /killall

                See if ComboFix will run now.
                Windows 8 and Windows 10 dual boot with two SSD's

                Kaderina

                  Topic Starter

                  Rookie

                  • Experience: Beginner
                  • OS: Unknown
                  Re: Major attack and I don't know who to trust?
                  « Reply #14 on: May 26, 2011, 04:20:35 PM »
                  Hi SuperDave,

                  It ran this time.  It did reboot but I quickly turned off the Online Armor.  I hope that didn't mess the scan up.  It must have changed my default browser as when I just went back online it asked if I wanted to make IE my default which I did.  Here are the results:

                  ComboFix 11-05-26.01 - HP_Administrator 26/05/2011  17:55:01.1.2 - x86
                  Microsoft Windows XP Professional  5.1.2600.3.1252.2.1033.18.958.498 [GMT -4:00]
                  Running from: c:\documents and settings\HP_Administrator\desktop\blackpudding.bat
                  Command switches used :: /killall
                  AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
                  AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
                  FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
                  .
                  ADS - svchost.exe: deleted 88 bytes in 2 streams.
                  .
                  (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  .
                  c:\documents and settings\Administrator\WINDOWS
                  c:\documents and settings\Default User\WINDOWS
                  c:\documents and settings\HP_Administrator\Application Data\Adobe\plugs
                  c:\documents and settings\HP_Administrator\Application Data\Adobe\shed
                  c:\documents and settings\HP_Administrator\Desktop\blackpudding.bat
                  c:\documents and settings\HP_Administrator\WINDOWS
                  c:\windows\AutoRun.ini
                  c:\windows\system32\config\systemprofile\WINDOWS
                  D:\Autorun.inf
                  .
                  .
                  (((((((((((((((((((((((((   Files Created from 2011-04-26 to 2011-05-26  )))))))))))))))))))))))))))))))
                  .
                  .
                  2011-05-26 21:47 . 2011-05-26 21:47   --------   d-----w-   c:\windows\LastGood.Tmp
                  2011-05-26 01:39 . 2011-05-26 01:39   28752   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62618C59-15DC-4B0C-89EC-447558D99863}\MpKsl27687e0b.sys
                  2011-05-26 01:21 . 2011-05-18 16:37   6962000   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62618C59-15DC-4B0C-89EC-447558D99863}\mpengine.dll
                  2011-05-26 01:10 . 2011-05-26 21:53   --------   d-----w-   C:\ComboFix
                  2011-05-23 22:37 . 2011-05-23 22:37   388096   ----a-r-   c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
                  2011-05-23 22:36 . 2011-05-23 22:40   --------   d-----w-   c:\program files\Trend Micro
                  2011-05-23 22:23 . 2011-05-23 22:23   --------   d-----w-   c:\program files\TrendMicro
                  2011-05-23 21:33 . 2011-05-23 21:33   --------   d-----w-   c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
                  2011-05-23 21:33 . 2010-12-20 22:09   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                  2011-05-23 21:33 . 2011-05-23 21:33   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
                  2011-05-23 21:33 . 2010-12-20 22:08   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                  2011-05-23 21:33 . 2011-05-23 21:33   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                  2011-05-23 17:55 . 2011-05-23 17:55   --------   d-----w-   c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
                  2011-05-23 17:55 . 2011-05-23 17:55   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
                  2011-05-23 17:54 . 2011-05-23 17:55   --------   d-----w-   c:\program files\SUPERAntiSpyware
                  2011-05-23 17:35 . 2011-05-23 17:35   --------   d-----w-   c:\program files\CCleaner
                  2011-05-23 16:44 . 2011-05-23 17:22   --------   d-----w-   c:\documents and settings\All Users\Application Data\OnlineArmor
                  2011-05-23 16:44 . 2011-05-23 16:45   --------   d-----w-   c:\documents and settings\HP_Administrator\Application Data\OnlineArmor
                  2011-05-23 16:43 . 2011-04-06 17:02   39048   ----a-w-   c:\windows\system32\drivers\oahlp32.sys
                  2011-05-23 16:43 . 2011-04-06 17:01   25192   ----a-w-   c:\windows\system32\drivers\OAmon.sys
                  2011-05-23 16:43 . 2011-04-06 17:01   29464   ----a-w-   c:\windows\system32\drivers\OAnet.sys
                  2011-05-23 16:43 . 2011-04-06 17:01   205864   ----a-w-   c:\windows\system32\drivers\OADriver.sys
                  2011-05-23 16:42 . 2011-05-26 01:20   --------   d-----w-   c:\program files\Online Armor
                  2011-05-23 12:38 . 2011-05-23 12:38   --------   d-----w-   C:\Softpaq
                  2011-05-23 07:07 . 2011-05-23 07:07   664   ----a-w-   c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp
                  2011-05-22 22:56 . 2011-05-22 22:56   --------   d-----w-   c:\documents and settings\All Users\Application Data\nView_Profiles
                  2011-05-22 16:25 . 2011-05-22 16:26   --------   d-----w-   c:\program files\Microsoft Security Client
                  2011-05-21 13:19 . 2011-05-21 13:23   --------   d-----w-   c:\documents and settings\HP_Administrator\Application Data\FixCleaner
                  2011-05-21 13:17 . 2011-05-21 13:28   --------   d-----w-   c:\program files\FixCleaner
                  2011-05-21 11:08 . 2011-05-21 11:08   --------   d-----w-   c:\documents and settings\HP_Administrator\Application Data\DriverCure
                  2011-05-21 11:08 . 2011-05-21 11:08   --------   d-----w-   c:\documents and settings\HP_Administrator\Application Data\ParetoLogic
                  2011-05-21 11:08 . 2011-05-22 16:18   --------   d-----w-   c:\documents and settings\All Users\Application Data\ParetoLogic
                  2011-05-20 23:38 . 2011-05-20 23:38   --------   d-----w-   c:\documents and settings\HP_Administrator\Application Data\MSNInstaller
                  2011-05-08 13:29 . 2011-05-19 23:47   --------   d-----w-   c:\documents and settings\HP_Administrator\Application Data\Nitro PDF
                  2011-05-08 13:28 . 2011-04-06 01:55   17712   ----a-w-   c:\windows\system32\nitrolocalui.dll
                  2011-05-08 13:28 . 2011-04-06 01:55   26416   ----a-w-   c:\windows\system32\nitrolocalmon.dll
                  2011-05-08 13:28 . 2011-05-08 13:28   --------   d-----w-   c:\documents and settings\All Users\Application Data\Nitro PDF
                  2011-05-08 13:27 . 2011-05-08 13:27   --------   d-----w-   c:\documents and settings\HP_Administrator\Application Data\Downloaded Installations
                  2011-05-08 13:15 . 2011-02-28 22:37   180624   ----a-w-   c:\windows\system32\Primomonnt.dll
                  2011-05-08 13:15 . 2011-05-20 23:34   --------   d-----w-   c:\program files\Nitro PDF
                  2011-05-07 17:32 . 2011-05-07 17:32   --------   d-----w-   c:\documents and settings\HP_Administrator\Local Settings\Application Data\Kobo
                  2011-05-07 17:31 . 2011-05-07 17:32   --------   d-----w-   c:\program files\Kobo
                  .
                  .
                  .
                  ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  2011-05-21 11:20 . 2004-08-10 04:00   14336   ----a-w-   c:\windows\system32\svchost.exe
                  2011-04-14 09:07 . 2010-12-20 00:29   472808   ----a-w-   c:\windows\system32\deployJava1.dll
                  2011-04-14 06:40 . 2008-07-08 22:01   73728   ----a-w-   c:\windows\system32\javacpl.cpl
                  2011-03-29 19:09 . 2011-03-29 19:09   21504   ----a-w-   c:\windows\system32\drivers\libusb0.sys
                  2011-03-29 19:09 . 2011-03-29 19:09   37376   ----a-w-   c:\windows\system32\libusb0.dll
                  .
                  c:\program files\Adobe\Reader 10.0\Reader\Reader_sl .exe
                  c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
                  c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier .exe
                  c:\program files\Common Files\InstallShield\UpdateService\issch .exe
                  c:\program files\Common Files\Java\Java Update\jusched .exe
                  c:\program files\D-Link\RangeBooster G WUA-2340\AirPlusCFG .exe
                  c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
                  c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08 .exe
                  c:\program files\HP\HP Software Update\HPWuSchd2 .exe
                  c:\program files\HP DigitalMedia Archive\DMAScheduler .exe
                  c:\program files\IObit\Advanced SystemCare 3\AWC .exe
                  c:\program files\IObit\Advanced SystemCare 4\ASCTray .exe
                  c:\program files\IObit\IObit Security 360\IS360tray .exe
                  c:\program files\iTunes\iTunesHelper .exe
                  c:\program files\Pando Networks\Media Booster\PMB .exe
                  c:\program files\QuickTime\qttask                             .exe
                  c:\windows\ehome\ehtray .exe
                  c:\windows\SMINST\RECGUARD .exe
                  .
                  (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  .
                  *Note* empty entries & legit default entries are not shown
                  REGEDIT4
                  .
                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
                  "RTHDCPL"="RTHDCPL.EXE" [2006-03-08 16010240]
                  "AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
                  "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-25 7311360]
                  "nwiz"="nwiz.exe" [2006-01-25 1519616]
                  "HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [N/A]
                  "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
                  "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
                  "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
                  "PCDrProfiler"="" [N/A]
                  "@OnlineArmor GUI"="c:\program files\Online Armor\OAui.exe" [2011-04-06 2477032]
                  "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [N/A]
                  .
                  c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
                  wkcalrem.LNK - c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2004-6-23 15360]
                  .
                  c:\documents and settings\All Users\Start Menu\Programs\Startup\
                  HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]
                  Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-6-5 36903]
                  .
                  c:\documents and settings\Default User\Start Menu\Programs\Startup\
                  Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-6-5 27136]
                  .
                  [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                  "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\ONLINE~2\oaevent.dll" [2011-04-06 354720]
                  "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                  2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
                  .
                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
                  @="Service"
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
                  c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [N/A]
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link RangeBooster G WUA-2340]
                  c:\program files\D-Link\RangeBooster G WUA-2340\AirPlusCFG.exe [N/A]
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tpara]
                  c:\windows\dmqusv2.dll [N/A]
                  .
                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                  "%windir%\\system32\\sessmgr.exe"=
                  "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
                  "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
                  "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
                  "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
                  "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
                  "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
                  "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
                  "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
                  "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
                  "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
                  "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
                  "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
                  "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
                  "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
                  "c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
                  "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                  "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
                  "c:\\Program Files\\iTunes\\iTunes.exe"=
                  "c:\\Program Files\\Pando Networks\\Media Booster\\PMB .exe"=
                  "c:\\Program Files\\Adobe\\Photoshop 5.0 LE\\photosle.exe"=
                  .
                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
                  "57772:TCP"= 57772:TCP:Pando Media Booster
                  "57772:UDP"= 57772:UDP:Pando Media Booster
                  .
                  R0 sonypvl2;sonypvl2;c:\windows\system32\drivers\sonypvl2.sys [06/08/2006 1:38 PM 19478]
                  R1 MpKsl27687e0b;MpKsl27687e0b;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62618C59-15DC-4B0C-89EC-447558D99863}\MpKsl27687e0b.sys [25/05/2011 9:39 PM 28752]
                  R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [23/05/2011 12:43 PM 205864]
                  R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [23/05/2011 12:43 PM 25192]
                  R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [23/05/2011 12:43 PM 29464]
                  R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 2:25 PM 12872]
                  R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 2:41 PM 67656]
                  R1 sonypvf2;sonypvf2;c:\windows\system32\drivers\sonypvf2.sys [06/08/2006 1:38 PM 635012]
                  R1 sonypvt2;sonypvt2;c:\windows\system32\drivers\sonypvt2.sys [06/08/2006 1:38 PM 431236]
                  R2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\oacat.exe [23/05/2011 12:42 PM 381512]
                  R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [08/08/2010 7:56 AM 583640]
                  S1 MpKsl260ec945;MpKsl260ec945;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6DE8016F-E060-4066-9D1D-0C92C0E051F9}\MpKsl260ec945.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6DE8016F-E060-4066-9D1D-0C92C0E051F9}\MpKsl260ec945.sys [?]
                  S1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [23/05/2011 12:43 PM 39048]
                  S2 SvcOnlineArmor;Online Armor;c:\program files\Online Armor\oasrv.exe [23/05/2011 12:42 PM 4326472]
                  S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [08/05/2006 7:10 PM 347648]
                  .
                  Contents of the 'Scheduled Tasks' folder
                  .
                  2011-05-21 c:\windows\Tasks\AppleSoftwareUpdate.job
                  - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
                  .
                  2011-05-26 c:\windows\Tasks\MP Scheduled Scan.job
                  - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 16:26]
                  .
                  .
                  ------- Supplementary Scan -------
                  .
                  uStart Page = hxxp://sympatico.msn.ca/
                  uDefault_Search_URL = hxxp://www.google.com/ie
                  mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=63&bd=PAVILION&pf=desktop
                  uInternet Settings,ProxyOverride = *.local
                  uSearchAssistant = hxxp://www.google.com/ie
                  uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
                  IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
                  IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
                  IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
                  Trusted Zone: microsoft.com\update
                  Trusted Zone: sympatico.ca\www
                  Trusted Zone: windowsupdate.com\download
                  TCP: DhcpNameServer = 192.168.2.1
                  DPF: {861DB4B6-3838-11D2-8E50-002018200E57} - hxxp://data6.archives.ca/mrsidi_cab/MrSIDI.cab
                  .
                  - - - - ORPHANS REMOVED - - - -
                  .
                  ShellExecuteHooks-{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - (no file)
                  AddRemove-Adobe Acrobat Connect Add-in - c:\documents and settings\HP_Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\connectaddin\connectaddin.exe
                  AddRemove-{F46BF5EA-0B4E-4A41-8C4B-3B127346E30F} - c:\documents and settings\HP_Administrator\Local Settings\Application Data\{8C881E6D-E5A1-4765-AF9A-1AE1E78B41CD}\NBCDirectInstaller.exe
                  .
                  .
                  .
                  **************************************************************************
                  scanning hidden processes ... 
                  .
                  scanning hidden autostart entries ...
                  .
                  scanning hidden files ... 
                  .
                  scan completed successfully
                  hidden files:
                  .
                  **************************************************************************
                  .
                  --------------------- LOCKED REGISTRY KEYS ---------------------
                  .
                  [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
                  @Denied: (A 2) (Everyone)
                  @="FlashBroker"
                  "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
                  .
                  [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
                  "Enabled"=dword:00000001
                  .
                  [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
                  @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
                  .
                  [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
                  @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
                  .
                  [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
                  @Denied: (A 2) (Everyone)
                  @="IFlashBroker4"
                  .
                  [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
                  @="{00020424-0000-0000-C000-000000000046}"
                  .
                  [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
                  @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
                  "Version"="1.0"
                  .
                  --------------------- DLLs Loaded Under Running Processes ---------------------
                  .
                  - - - - - - - > 'winlogon.exe'(668)
                  c:\program files\SUPERAntiSpyware\SASWINLO.DLL
                  c:\windows\system32\WININET.dll
                  .
                  - - - - - - - > 'explorer.exe'(464)
                  c:\windows\system32\WININET.dll
                  c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
                  c:\windows\system32\nview.dll
                  c:\windows\system32\nvwddi.dll
                  c:\windows\system32\ieframe.dll
                  .
                  ------------------------ Other Running Processes ------------------------
                  .
                  c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
                  c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
                  c:\windows\arservice.exe
                  c:\program files\Bonjour\mDNSResponder.exe
                  c:\windows\eHome\ehRecvr.exe
                  c:\windows\eHome\ehSched.exe
                  c:\program files\Java\jre6\bin\jqs.exe
                  c:\program files\Common Files\LightScribe\LSSrvc.exe
                  c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
                  c:\windows\system32\nvsvc32.exe
                  c:\windows\ehome\mcrdsvc.exe
                  c:\windows\system32\dllhost.exe
                  c:\windows\system32\wscntfy.exe
                  c:\windows\RTHDCPL.EXE
                  c:\windows\ARPWRMSG.EXE
                  c:\windows\system32\rundll32.exe
                  c:\windows\eHome\ehmsas.exe
                  .
                  **************************************************************************
                  .
                  Completion time: 2011-05-26  18:10:35 - machine was rebooted
                  ComboFix-quarantined-files.txt  2011-05-26 22:10
                  .
                  Pre-Run: 90,525,421,568 bytes free
                  Post-Run: 90,703,499,264 bytes free
                  .
                  - - End Of File - - 4A3FDB7B3B660D7EA9D2224A6D9F45F8