Solved HP/Vista problems

Hi
Not sure if this is the correct place to post this query, but here goes!
I have an HP Pavilion a6202.uk with Vista Home Premium 32-bit installed. The PC has started crashing, not loading up properly, freezing, etc., all at different times. A couple of the messages I have had are:

C:\windows\system32\config\systemprofile\appdata\local\ezavofanapoxu.dll

DRIVER_IRQL_NOT_LESS_OR_EQUAL

I have also got a message on the bottom rhs of my desktop saying:
"windows vista build 6000 this copy of windows is not genuine". Vista was preinstalled on purchase.

Any help would be gratefully received,

Thanks, Charles
 


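Copy and paste these lines in Notepad.
@Echo on
rem Replace the HOSTS file with a single localhost entry (any custom entries are lost)
pushd %SystemRoot%\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
rem Renew the DHCP lease and clear the DNS resolver cache
ipconfig /release
ipconfig /renew
ipconfig /flushdns
rem Reset the Winsock catalog and the TCP/IP stack settings
netsh winsock reset all
netsh int ip reset all
rem Reboot after one second; the script then deletes itself
shutdown -r -t 1
del %0

Save as flush.bat to your desktop. Right click on the .bat file and run as Administrator. Your computer will reboot itself.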

Now, download Malwarebytes' Anti-Malware to your desktop
|MG| Malwarebytes Anti-Malware 1.46 Download
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. Copy and Paste that log into your next reply.
 

My Computer

System One

  • Manufacturer/Model
    Bruce ... somewhere in his 40's
    CPU
    Intel(R) Core(TM)2 Quad CPU
    Motherboard
    INTEL/D975XBX2
    Memory
    4 GB
    Graphics Card(s)
    ATI Radeon HD 2600 Pro
    Monitor(s) Displays
    Samsung SyncMaster 914v
    Screen Resolution
    1280 x 1024
    Hard Drives
    2/500GB each ... ST3500630AS ATA Device.
    One is not connected
    PSU
    Rocketfish 700 W
    Case
    G.Skill Gigabyte Chassis
    Keyboard
    Standard PS/2 Keyboard
    Mouse
    Microsoft PS/2 Mouse
    Internet Speed
    DSL
    Other Info
    ATI HDMI Audio
Many thanks for the advice. I have followed your instructions Jacee and have copied the log below:
Malwarebytes' Anti-Malware 1.46
Malwarebytes

Code:
Database version: 4724

Windows 6.0.6000
Internet Explorer 7.0.6000.16982

30/09/2010 20:41:05
mbam-log-2010-09-30 (20-41-05).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 253084
Time elapsed: 1 hour(s), 30 minute(s), 19 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 30
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 41

Memory Processes Infected:
C:\WINDOWS\smss.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\WINDOWS\nvsvc32.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\WINDOWS\taskmgr.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\System32\factyww3g.dll (Trojan.Downloader) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upc+kt0nh2ljsiv (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upc+kt0nh2ljsiv (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upc+kt0nh2ljsiv (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkeg (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqug (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqug (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkdw+ (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqtw+ (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqtw+ (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkerb (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqurb (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqurb (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmpvdr (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmpvdr (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmpf (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmpf (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmprc (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmprc (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmpvc (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmpvc (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmpsf (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmpsf (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmpqg (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmpqg (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmpb (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmpb (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmpxb (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmpxb (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xwinohazo (Trojan.Hiloti) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\krokewotevigulu (Trojan.Agent.U) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\System32\factyww3g.dll (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\smss.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\nvsvc32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\taskmgr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\ws19jf5p9.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\win.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\winamp.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\user.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\lsass.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\hexdump.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\mdm.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\sysedit.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\config\systemprofile\AppData\Local\krlery.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\memory.tmp (Rootkit.Agent.Gen) -> Quarantined and deleted successfully.
C:\Users\charles\AppData\Local\Temp\DFDWizb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\charles\AppData\Local\Temp\iexplorer.exe (Trojan.Clicker) -> Delete on reboot.
C:\WINDOWS\System32\up7fy.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\74OT5VS5\ofmupwryg[1].htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B7Z2J43Z\jjdlsnvtov[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\hotfix.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\drivers\jenmqj.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\0c60ab5d.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\4024371727.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\ucsvcb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\ybao.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\gq9tbzvzgzk13zyq.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\iexplorer.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\irftpa.exe (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\odbcad32a.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\mdgwvqy.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\ewjsekwk.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\ABC.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\bkysxnyp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\dispdiaga.exe (Trojan.Fakealert.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\6B5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Public\Documents\Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\Public\Documents\Server\server.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\1.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\charles\AppData\Local\Temp\skaioejiesfjoee.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\skaioejiesfjoee.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\config\systemprofile\AppData\Local\ezavofamanapoxu.dll (Trojan.Agent.U) -> Quarantined and deleted successfully.
 


Files Infected: 41 :shock:

Please download TFC by Old Timer (TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums) and save it to your desktop.
Save any unsaved work. TFC will close ALL open programs including your browser!
Right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.

Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder. It also cleans out the %systemroot%\temp folder and checks for .tmp files in the %systemdrive% root folder, %systemroot%, and the system32 folder (both 32bit and 64bit on 64bit OSs). It shows the amount removed for each location found (in bytes) and the total removed (in MB). Before running, it will stop Explorer and all other running apps. When finished, if a reboot is required the user must reboot to finish clearing any in-use temp files.

After your machine has rebooted, download ComboFix from any of the links below, and save it to your desktop. <-- Important
Link 1
Link 2
Link 3

Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
Next: Disconnect from the internet. If you are on Cable or DSL, unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with background protection) as they may hinder the scanner from working.

This includes Antivirus, Firewall, and any Spyware scanners that run in the background.
  • Double click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Please be patient while the scan runs, at times it may appear to stall.
When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply.
After rebooting ensure your Security applications have been re-enabled.

In your next reply post:
ComboFix.txt
 

One very important thing!! You are infected with a 'Backdoor Trojan'

These are the most dangerous, and most widespread, type of Trojan.
Backdoor Trojans provide the author or ‘master’ of the Trojan with remote ‘administration’ of victim machines. Unlike legitimate remote administration utilities, they install, launch and run invisibly, without the consent or knowledge of the user. Once installed, backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer and more.
If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately to include those used for email, eBay and forums.
You should consider them to be compromised.
They should be changed by using a different computer and not the infected one; if not, an attacker may get the new passwords and transaction information.


Banking and credit card institutions should be notified of the possible security breach.
More info can be found below:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
How to report ID theft, fraud, drive-by installs, hijacking and malware? Security - dslreports.com
When should I re-format? How should I reinstall?
When should I re-format? How should I reinstall? Security - dslreports.com
If you choose to format and reinstall see this link for instructions:
Windows: reformat and reinstall - Cyberwalker.com
Though the Trojans have been identified there is no way to be sure your computer can ever again be trusted.
 

Hi Jacee
Your assistance is greatly appreciated... but you do have me worried by the comments on the type of infections!


Code:
ComboFix.txt


ComboFix 10-09-30.05 - charles 01/10/2010  18:35:01.1.1 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6000.0.1252.44.1033.18.1982.1107 [GMT 1:00]
Running from: c:\users\charles\Downloads\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
SP: McAfee Anti-Virus and Anti-Spyware *enabled* (Updated) {C78B3C70-4777-4742-BB91-9D615CC575E6}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\config\systemprofile\AppData\Roaming\jsdfgs.bat

Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected 
Restored copy from - Kitty had a snack :p 
Infected copy of c:\windows\explorer.exe was found and disinfected 
Restored copy from - c:\combofix\HarddiskVolumeShadowCopy9_!WINDOWS!explorer.exe 

Infected copy of c:\windows\System32\wininit.exe was found and disinfected 
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce\wininit.exe 

Infected copy of c:\windows\explorer.exe was found and disinfected 
Restored copy from - c:\combofix\HarddiskVolumeShadowCopy9_!WINDOWS!explorer.exe
.
(((((((((((((((((((((((((   Files Created from 2010-09-01 to 2010-10-01  )))))))))))))))))))))))))))))))
.

2010-10-01 17:42 . 2010-10-01 17:42    --------    d-----w-    c:\users\Default\AppData\Local\temp
2010-10-01 17:42 . 2010-10-01 17:42    --------    d-----w-    c:\users\charles\AppData\Local\temp
2010-09-30 18:59 . 2010-09-30 18:59    --------    d-----w-    c:\windows\Sun
2010-09-30 18:07 . 2010-09-30 18:07    --------    d-----w-    c:\users\charles\AppData\Roaming\Malwarebytes
2010-09-30 18:06 . 2010-04-29 14:39    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-30 18:06 . 2010-09-30 18:06    --------    d-----w-    c:\programdata\Malwarebytes
2010-09-30 18:06 . 2010-04-29 14:39    20952    ----a-w-    c:\windows\system32\drivers\mbam.sys
2010-09-30 17:01 . 2010-09-30 17:01    128512    ----a-w-    c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\kywezo.exe
2010-09-30 17:01 . 2010-09-30 17:01    128512    ----a-w-    c:\users\charles\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ehhyud.exe
2010-09-29 23:01 . 2010-09-29 23:01    --------    d--h--w-    c:\programdata\Common Files
2010-09-29 23:00 . 2010-09-29 23:02    --------    d-----w-    c:\programdata\AVG10
2010-09-29 22:59 . 2010-09-29 22:59    --------    d-----w-    c:\program files\AVG
2010-09-29 22:53 . 2010-09-29 22:59    --------    d-----w-    c:\programdata\MFAData
2010-09-29 22:51 . 2010-09-29 22:51    --------    d-----w-    c:\program files\RarZilla Free Unrar
2010-09-29 22:09 . 2010-09-29 22:09    --------    d--h--w-    c:\programdata\CanonBJ(156)
2010-09-29 22:07 . 2010-09-29 22:07    --------    d--h--w-    c:\program files\CanonBJ
2010-09-29 22:03 . 2010-09-29 22:03    --------    d-----w-    c:\users\charles\AppData\Local\HP
2010-09-29 21:43 . 2010-09-29 21:43    --------    d-----w-    c:\windows\system32\config\systemprofile\AppData\Local\Adobe
2010-09-29 20:05 . 2010-09-29 20:05    --------    d-----w-    c:\users\charles\AppData\Roaming\WinBatch
2010-09-29 17:01 . 2010-10-01 18:10    843264    ----a-w-    c:\windows\system32\drivers\jenmqj.sys
2010-09-28 15:01 . 2010-09-28 15:01    --------    d-----w-    c:\users\charles\AppData\Local\Mares_Spa
2010-09-28 13:34 . 2010-09-28 13:34    --------    d-----w-    c:\programdata\PC Drivers HeadQuarters
2010-09-28 13:24 . 2010-09-30 21:05    --------    d-----w-    c:\users\charles\AppData\Local\eSupport.com
2010-09-28 10:26 . 2010-09-28 10:26    378368    ----a-w-    c:\windows\system32\winhttp.dll
2010-09-28 10:23 . 2010-09-28 10:23    268800    ----a-w-    c:\windows\system32\es.dll
2010-09-27 19:07 . 2010-09-27 19:09    --------    d-----w-    c:\users\charles\AppData\Roaming\SmartDraw
2010-09-27 19:06 . 2010-09-27 19:07    --------    d-----w-    C:\SmartDraw VP
2010-09-27 18:30 . 2010-09-27 21:09    --------    d-----w-    c:\users\charles\AppData\Local\Microsoft Games
2010-09-27 17:38 . 2010-09-28 15:53    --------    d-----w-    c:\users\charles\AppData\Roaming\DVD Flick
2010-09-27 12:53 . 2010-09-29 22:51    --------    d-----w-    c:\users\charles\AppData\Roaming\Philipp Winterberg
2010-09-27 12:53 . 2010-09-30 23:34    --------    d-----w-    c:\program files\Free RAR Extract Frog
2010-09-27 12:46 . 2010-09-27 12:46    --------    d-----w-    c:\users\charles\AppData\Roaming\Roxio
2010-09-27 12:45 . 2010-09-27 12:45    423656    ----a-w-    c:\windows\system32\deployJava1.dll
2010-09-27 12:13 . 2010-09-27 12:13    441856    ----a-w-    c:\windows\system32\win32spl.dll
2010-09-27 12:13 . 2010-09-27 12:13    37376    ----a-w-    c:\windows\system32\printcom.dll
2010-09-27 12:13 . 2010-09-27 12:13    2032128    ----a-w-    c:\windows\system32\win32k.sys
2010-09-27 12:12 . 2010-09-27 12:12    14848    ----a-w-    c:\windows\system32\wshrm.dll
2010-09-27 12:12 . 2010-09-27 12:12    113664    ----a-w-    c:\windows\system32\drivers\rmcast.sys
2010-09-27 12:11 . 2010-09-27 12:11    313344    ----a-w-    c:\windows\system32\wmpdxm.dll
2010-09-27 12:10 . 2010-09-27 12:10    11776    ----a-w-    c:\windows\system32\sbunattend.exe
2010-09-26 22:01 . 2010-09-26 22:01    --------    d-----w-    c:\program files\SiteAdvisor
2010-09-26 21:50 . 2010-09-30 21:14    --------    d-----w-    c:\programdata\McAfee
2010-09-26 12:12 . 2010-09-26 12:12    34304    ----a-w-    c:\windows\system32\atmlib.dll
2010-09-26 12:12 . 2010-09-26 12:12    289792    ----a-w-    c:\windows\system32\atmfd.dll
2010-09-26 12:12 . 2010-09-26 12:12    24064    ----a-w-    c:\windows\system32\lpk.dll
2010-09-26 12:12 . 2010-09-26 12:12    156672    ----a-w-    c:\windows\system32\t2embed.dll
2010-09-26 12:12 . 2010-09-26 12:12    10240    ----a-w-    c:\windows\system32\dciman32.dll
2010-09-26 12:12 . 2010-09-26 12:12    72704    ----a-w-    c:\windows\system32\fontsub.dll
2010-09-26 12:09 . 2010-09-26 12:09    61440    ----a-w-    c:\windows\system32\winipsec.dll
2010-09-26 12:09 . 2010-09-26 12:09    361984    ----a-w-    c:\windows\system32\IPSECSVC.DLL
2010-09-26 12:09 . 2010-09-26 12:09    28672    ----a-w-    c:\windows\system32\FwRemoteSvr.dll
2010-09-26 12:09 . 2010-09-26 12:09    272896    ----a-w-    c:\windows\system32\polstore.dll
2010-09-26 12:07 . 2010-09-26 12:07    84992    ----a-w-    c:\windows\system32\drivers\srvnet.sys
2010-09-26 12:07 . 2010-09-26 12:07    306688    ----a-w-    c:\windows\system32\drivers\srv.sys
2010-09-26 12:07 . 2010-09-26 12:07    95232    ----a-w-    c:\windows\system32\PortableDeviceClassExtension.dll
2010-09-26 12:07 . 2010-09-26 12:07    241152    ----a-w-    c:\windows\system32\PortableDeviceApi.dll
2010-09-26 12:07 . 2010-09-26 12:07    160768    ----a-w-    c:\windows\system32\PortableDeviceTypes.dll
2010-09-26 12:06 . 2010-09-26 12:06    9728    ----a-w-    c:\windows\system32\TCPSVCS.EXE
2010-09-26 12:06 . 2010-09-26 12:06    8704    ----a-w-    c:\windows\system32\HOSTNAME.EXE
2010-09-26 12:06 . 2010-09-26 12:06    27136    ----a-w-    c:\windows\system32\NETSTAT.EXE
2010-09-26 12:06 . 2010-09-26 12:06    19968    ----a-w-    c:\windows\system32\ARP.EXE
2010-09-26 12:06 . 2010-09-26 12:06    17920    ----a-w-    c:\windows\system32\ROUTE.EXE
2010-09-26 12:06 . 2010-09-26 12:06    15360    ----a-w-    c:\windows\system32\netevent.dll
2010-09-26 12:06 . 2010-09-26 12:06    11264    ----a-w-    c:\windows\system32\MRINFO.EXE
2010-09-26 12:06 . 2010-09-26 12:06    103936    ----a-w-    c:\windows\system32\netiohlp.dll
2010-09-26 12:06 . 2010-09-26 12:06    10240    ----a-w-    c:\windows\system32\finger.exe
2010-09-26 12:05 . 2010-09-26 12:05    704000    ----a-w-    c:\windows\system32\PhotoScreensaver.scr
2010-09-26 12:05 . 2010-09-26 12:05    356352    ----a-w-    c:\windows\system32\wbem\wbemcomn.dll
2010-09-26 12:05 . 2010-09-26 12:05    24064    ----a-w-    c:\windows\system32\wtsapi32.dll
2010-09-26 12:05 . 2010-09-26 12:05    258232    ----a-w-    c:\windows\system32\drivers\acpi.sys
2010-09-26 12:05 . 2010-09-26 12:05    542720    ----a-w-    c:\windows\system32\sysmain.dll
2010-09-26 12:04 . 2010-09-26 12:04    194560    ----a-w-    c:\windows\system32\WebClnt.dll
2010-09-26 12:04 . 2010-09-26 12:04    110080    ----a-w-    c:\windows\system32\drivers\mrxdav.sys
2010-09-26 12:03 . 2010-09-26 12:03    123904    ----a-w-    c:\windows\system32\L2SecHC.dll
2010-09-26 12:03 . 2010-09-26 12:03    67584    ----a-w-    c:\windows\system32\wlanhlp.dll
2010-09-26 12:03 . 2010-09-26 12:03    502272    ----a-w-    c:\windows\system32\wlansvc.dll
2010-09-26 12:03 . 2010-09-26 12:03    47104    ----a-w-    c:\windows\system32\wlanapi.dll
2010-09-26 12:03 . 2010-09-26 12:03    297984    ----a-w-    c:\windows\system32\wlansec.dll
2010-09-26 12:03 . 2010-09-26 12:03    290816    ----a-w-    c:\windows\system32\wlanmsm.dll
2010-09-26 12:02 . 2010-09-26 12:02    2048    ----a-w-    c:\windows\system32\msxml3r.dll
2010-09-26 12:02 . 2010-09-26 12:02    1260032    ----a-w-    c:\windows\system32\msxml3.dll
2010-09-26 12:02 . 2010-09-26 12:02    2048    ----a-w-    c:\windows\system32\msxml6r.dll
2010-09-26 12:02 . 2010-09-26 12:02    1406464    ----a-w-    c:\windows\system32\msxml6.dll
2010-09-26 12:01 . 2010-09-26 12:01    216576    ----a-w-    c:\windows\system32\msv1_0.dll
2010-09-26 12:00 . 2010-09-26 12:00    58368    ----a-w-    c:\windows\system32\drivers\mrxsmb20.sys
2010-09-26 12:00 . 2010-09-26 12:00    211968    ----a-w-    c:\windows\system32\drivers\mrxsmb10.sys
2010-09-26 12:00 . 2010-09-26 12:00    102400    ----a-w-    c:\windows\system32\drivers\mrxsmb.sys
2010-09-26 12:00 . 2010-09-26 12:00    2855424    ----a-w-    c:\windows\system32\mf.dll
2010-09-26 12:00 . 2010-09-26 12:00    98816    ----a-w-    c:\windows\system32\mfps.dll
2010-09-26 12:00 . 2010-09-26 12:00    52736    ----a-w-    c:\windows\system32\rrinstaller.exe
2010-09-26 12:00 . 2010-09-26 12:00    24576    ----a-w-    c:\windows\system32\mfpmp.exe
2010-09-26 12:00 . 2010-09-26 12:00    2048    ----a-w-    c:\windows\system32\mferror.dll
2010-09-26 11:59 . 2010-09-26 11:59    3504008    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2010-09-26 11:59 . 2010-09-26 11:59    3470216    ----a-w-    c:\windows\system32\ntoskrnl.exe
2010-09-26 11:56 . 2010-09-26 11:56    434176    ----a-w-    c:\windows\system32\vbscript.dll
2010-09-26 11:56 . 2010-09-26 11:56    71680    ----a-w-    c:\windows\system32\atl.dll
2010-09-26 11:55 . 2010-09-26 11:55    297472    ----a-w-    c:\windows\system32\gdi32.dll
2010-09-26 11:54 . 2010-09-26 11:54    1060920    ----a-w-    c:\windows\system32\drivers\ntfs.sys
2010-09-26 11:53 . 2010-09-26 11:53    500736    ----a-w-    c:\windows\system32\msdtcprx.dll
2010-09-26 11:53 . 2010-09-26 11:53    30208    ----a-w-    c:\windows\system32\xolehlp.dll
2010-09-26 11:52 . 2010-09-26 11:52    156160    ----a-w-    c:\windows\system32\wkssvc.dll
2010-09-26 11:51 . 2010-09-26 11:51    36352    ----a-w-    c:\windows\system32\tsgqec.dll
2010-09-26 11:51 . 2010-09-26 11:51    116736    ----a-w-    c:\windows\system32\aaclient.dll
2010-09-26 11:51 . 2010-09-26 11:51    1871872    ----a-w-    c:\windows\system32\mstscax.dll
2010-09-26 11:50 . 2010-09-26 11:50    303616    ----a-w-    c:\windows\system32\wmpeffects.dll
2010-09-26 11:48 . 2010-09-26 11:48    356864    ----a-w-    c:\windows\system32\MediaMetadataHandler.dll
2010-09-26 11:47 . 2010-09-26 11:47    63488    ----a-w-    c:\windows\system32\drivers\mpsdrv.sys
2010-09-26 11:47 . 2010-09-26 11:47    396800    ----a-w-    c:\windows\system32\MPSSVC.dll
2010-09-26 11:47 . 2010-09-26 11:47    392192    ----a-w-    c:\windows\system32\FirewallAPI.dll
2010-09-26 11:47 . 2010-09-26 11:47    86016    ----a-w-    c:\windows\system32\icfupgd.dll
2010-09-26 11:47 . 2010-09-26 11:47    61952    ----a-w-    c:\windows\system32\cmifw.dll
2010-09-26 11:47 . 2010-09-26 11:47    16896    ----a-w-    c:\windows\system32\wfapigp.dll
2010-09-26 11:44 . 2010-09-26 11:44    1244672    ----a-w-    c:\windows\system32\mcmde.dll
2010-09-26 11:44 . 2010-09-26 11:44    428032    ----a-w-    c:\windows\system32\EncDec.dll
2010-09-26 11:44 . 2010-09-26 11:44    292352    ----a-w-    c:\windows\system32\psisdecd.dll
2010-09-26 11:42 . 2010-09-26 11:42    2048    ----a-w-    c:\windows\system32\tzres.dll
2010-09-26 11:42 . 2010-09-26 11:42    696832    ----a-w-    c:\windows\system32\localspl.dll
2010-09-26 11:40 . 2010-09-26 11:40    45112    ----a-w-    c:\windows\system32\drivers\pciidex.sys
2010-09-26 11:40 . 2010-09-26 11:40    21560    ----a-w-    c:\windows\system32\drivers\atapi.sys
2010-09-26 11:40 . 2010-09-26 11:40    15928    ----a-w-    c:\windows\system32\drivers\pciide.sys
2010-09-26 11:40 . 2010-09-26 11:40    109624    ----a-w-    c:\windows\system32\drivers\ataport.sys
2010-09-26 11:40 . 2010-09-26 11:40    211000    ----a-w-    c:\windows\system32\drivers\volsnap.sys
2010-09-26 11:40 . 2010-09-26 11:40    154624    ----a-w-    c:\windows\system32\drivers\nwifi.sys
2010-09-26 11:40 . 2006-11-02 09:45    2923520    ----a-w-    c:\windows\explorer.exe
2010-09-26 11:38 . 2010-09-26 11:38    72704    ----a-w-    c:\windows\system32\secur32.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-30 23:34 . 2007-09-04 07:18    --------    d-----w-    c:\program files\PC-Doctor 5 for Windows
2010-09-30 23:33 . 2010-09-26 06:37    --------    d--h--w-    c:\programdata\CanonBJ
2010-09-30 21:14 . 2010-09-26 21:56    --------    d-----w-    c:\program files\McAfee
2010-09-30 21:14 . 2010-09-26 21:56    --------    d-----w-    c:\program files\Common Files\Mcafee
2010-09-30 21:05 . 2007-09-04 07:22    --------    d-----w-    c:\program files\Google
2010-09-30 17:01 . 2010-09-29 17:02    0    ----a-w-    c:\windows\system32\config\systemprofile\AppData\Local\Vzage.bin
2010-09-29 17:02 . 2010-09-29 17:02    120    ----a-w-    c:\windows\system32\config\systemprofile\AppData\Local\Gcobefozuje.dat
2010-09-27 12:51 . 2007-09-04 07:12    --------    d-----w-    c:\programdata\Roxio
2010-09-27 12:46 . 2007-09-04 07:07    --------    d-----w-    c:\programdata\Sonic
2010-09-27 12:45 . 2007-09-04 07:15    --------    d-----w-    c:\program files\Common Files\Java
2010-09-27 12:44 . 2007-09-04 07:15    --------    d-----w-    c:\program files\Java
2010-09-27 12:30 . 2006-11-02 12:37    --------    d-----w-    c:\program files\Windows Sidebar
2010-09-27 12:30 . 2006-11-02 10:25    51200    ----a-w-    c:\windows\Inf\infpub.dat
2010-09-27 12:30 . 2006-11-02 10:25    86016    ----a-w-    c:\windows\Inf\infstrng.dat
2010-09-27 12:30 . 2006-11-02 10:25    86016    ----a-w-    c:\windows\Inf\infstor.dat
2010-09-27 12:30 . 2006-11-02 10:25    665600    ----a-w-    c:\windows\Inf\drvindex.dat
2010-09-27 11:34 . 2007-09-04 07:03    --------    d--h--w-    c:\program files\InstallShield Installation Information
2010-09-26 15:30 . 2006-11-02 12:37    --------    d-----w-    c:\program files\Windows Calendar
2010-09-26 12:11 . 2010-09-26 12:11    72704    ----a-w-    c:\windows\system32\admparse.dll
2010-09-26 12:11 . 2010-09-26 12:11    52736    ----a-w-    c:\windows\apppatch\iebrshim.dll
2010-09-26 12:11 . 2010-09-26 12:11    832512    ----a-w-    c:\windows\system32\wininet.dll
2010-09-26 12:11 . 2010-09-26 12:11    78336    ----a-w-    c:\windows\system32\ieencode.dll
2010-09-26 12:11 . 2010-09-26 12:11    48128    ----a-w-    c:\windows\system32\mshtmler.dll
2010-09-26 12:11 . 2010-09-26 12:11    26624    ----a-w-    c:\windows\system32\ieUnatt.exe
2010-09-26 12:11 . 2010-09-26 12:11    56320    ----a-w-    c:\windows\system32\iesetup.dll
2010-09-26 11:37 . 2010-09-26 11:37    1808896    ----a-w-    c:\windows\system32\NlsLexicons0046.dll
2010-09-26 11:36 . 2010-09-26 11:36    5071872    ----a-w-    c:\windows\system32\NlsModels0011.dll
2010-09-26 11:34 . 2010-09-26 11:34    40960    ----a-w-    c:\windows\system32\srclient.dll
2010-09-26 11:29 . 2010-09-26 11:29    40960    ----a-w-    c:\windows\apppatch\apihex86.dll
2010-09-26 11:02 . 2010-09-26 11:02    2560    ----a-w-    c:\windows\apppatch\AcRes.dll
2010-09-26 11:02 . 2010-09-26 11:02    2143744    ----a-w-    c:\windows\apppatch\AcGenral.dll
2010-09-26 11:02 . 2010-09-26 11:02    537600    ----a-w-    c:\windows\apppatch\AcLayers.dll
2010-09-26 11:02 . 2010-09-26 11:02    449024    ----a-w-    c:\windows\apppatch\AcSpecfc.dll
2010-09-26 11:02 . 2010-09-26 11:02    173056    ----a-w-    c:\windows\apppatch\AcXtrnal.dll
2010-09-26 06:45 . 2007-09-04 07:23    --------    d-----w-    c:\program files\Common Files\Symantec Shared
2010-09-26 06:45 . 2007-09-04 07:23    --------    d-----w-    c:\programdata\Symantec
2010-09-26 06:29 . 2007-09-04 07:38    --------    d-----w-    c:\programdata\Hewlett-Packard
2010-09-26 06:28 . 2010-09-26 06:22    --------    d-----w-    c:\users\charles\AppData\Roaming\Hewlett-Packard
2010-09-26 06:21 . 2010-09-26 06:21    1797    --sha-r-    c:\windows\system32\drivers\103C_HP_CPC_GQ508AA-ABU a6202.uk_YC_0Pavi_QCNX737_E74GBv3PrA1_49_INettle2_SECS_V1.0_B5.17_T070824_WUH0_L409_M1918_J250_7AMD_8Athlon 64_92.6_#080106_N10DE03EF_Z_G10DE03D0_OTSSTcorp CD DVDW TS-H653L SCSI CdRom Device.MRK
2010-09-26 06:17 . 2010-09-26 06:17    33792    ----a-w-    c:\windows\system32\wuapp.exe
2010-09-26 06:17 . 2010-09-26 06:17    171608    ----a-w-    c:\windows\system32\wuwebv.dll
2010-09-26 06:17 . 2010-09-26 06:17    --------    d-sh--we    c:\programdata\Templates
2010-09-26 06:17 . 2010-09-26 06:17    --------    d-sh--we    c:\programdata\Start Menu
2010-09-26 06:17 . 2010-09-26 06:17    --------    d-sh--we    c:\programdata\Favorites
2010-09-26 06:17 . 2010-09-26 06:17    --------    d-sh--we    c:\programdata\Documents
2010-09-26 06:17 . 2010-09-26 06:17    --------    d-sh--we    c:\programdata\Desktop
2010-08-24 13:57 . 2010-09-26 21:56    9344    ----a-w-    c:\windows\system32\drivers\mfeclnk.sys
2010-08-24 13:57 . 2010-09-26 21:56    141792    ----a-w-    c:\windows\system32\mfevtps.exe
2010-08-24 13:57 . 2010-09-26 21:56    95600    ----a-w-    c:\windows\system32\drivers\mfeapfk.sys
2010-08-24 13:57 . 2010-09-26 21:56    84264    ----a-w-    c:\windows\system32\drivers\mferkdet.sys
2010-08-24 13:57 . 2010-09-26 21:56    84072    ----a-w-    c:\windows\system32\drivers\mfetdi2k.sys
2010-08-24 13:57 . 2010-09-26 21:56    64304    ----a-w-    c:\windows\system32\drivers\mfenlfk.sys
2010-08-24 13:57 . 2010-09-26 21:56    55840    ----a-w-    c:\windows\system32\drivers\cfwids.sys
2010-08-24 13:57 . 2010-09-26 21:56    52104    ----a-w-    c:\windows\system32\drivers\mfebopk.sys
2010-08-24 13:57 . 2010-09-26 21:56    386712    ----a-w-    c:\windows\system32\drivers\mfehidk.sys
2010-08-24 13:57 . 2010-09-26 21:56    312904    ----a-w-    c:\windows\system32\drivers\mfefirek.sys
2010-08-24 13:57 . 2010-09-26 21:56    152992    ----a-w-    c:\windows\system32\drivers\mfeavfk.sys
2010-08-24 13:57 . 2010-09-26 21:56    24376    ----a-w-    c:\program files\mozilla firefox\components\Scriptff.dll
2008-02-04 12:30 . 2010-09-26 15:04    22    --sha-w-    c:\windows\SMINST\HPCD.SYS
2007-09-04 07:43 . 2007-09-04 07:38    8192    --sha-w-    c:\windows\Users\Default\NTUSER.DAT
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-09-26 328056]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-06-01 1783400]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-09-27 1232896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-05-24 71176]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-12 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-12 8429568]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-04-12 86016]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-09-04 1006264]
"Malwarebytes Anti-Malware (reboot)"="c:\users\charles\Desktop\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-04-03 44168]

c:\users\charles\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ehhyud.exe [2010-9-30 128512]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
kywezo.exe [2010-9-30 128512]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 0254751285881017mcinstcleanup;McAfee Application Installer Cleanup (0254751285881017);c:\users\charles\AppData\Local\Temp\025475~1.EXE [x]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-08-24 55840]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-08-24 84264]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2010-08-24 64304]
S1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-08-24 84072]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-08-24 188136]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-08-24 141792]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-08-24 312904]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - ECACHE
*Deregistered* - jenmqj
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=74&bd=Pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=74&bd=Pavilion&pf=desktop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\users\charles\AppData\Roaming\Mozilla\Firefox\Profiles\xg8x31gy.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {48FCF439-5B9D-440C-95FF-060A2D671D3F} - c:\windows\system32\config\systemprofile\AppData\Local\{48FCF439-5B9D-440C-95FF-060A2D671D3F}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); 
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-SLABCOMM&10C4&EA60 - c:\windows\system32\Silabs\DriverUninstaller.exe VCP CP210x Cardinal\SLABCOMM&10C4&EA60



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-01 19:11
Windows 6.0.6000  NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  [encoded value name removed] = c:\windows\nvsvc32.exe 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\jenmqj]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1484)
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\McAfee\SystemCore\mfefire.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\windows\helppane.exe
.
**************************************************************************
.
Completion time: 2010-10-01  19:13:59 - machine was rebooted
ComboFix-quarantined-files.txt  2010-10-01 18:13

Pre-Run: 175,808,581,632 bytes free
Post-Run: 177,690,591,232 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - F28E06FD0FE1F2F04478209942D00544

 

My Computer

I forgot to mention on the last post that when I boot up the PC it loads and then goes to a blue error screen, so I have to load up in safe mode. Not sure if this is relevant!
Charles
 

My Computer

Yes, you really should be worried ... Your computer is quite compromised!

Go to the Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
 

My Computer

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, October 2, 2010
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit (build 6000)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, October 02, 2010 01:15:27
Records in database: 4273512
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
Scan statistics:
Objects scanned: 119982
Threats found: 2
Infected objects found: 4
Suspicious objects found: 0
Scan duration: 01:49:32

File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Windows\explorer.exe.vir Infected: Trojan.Win32.Patched.kl 1
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\netbt.sys.vir Infected: Virus.Win32.TDSS.b 1
C:\Qoobox\Quarantine\C\Windows\system32\wininit.exe.vir Infected: Trojan.Win32.Patched.kl 1
C:\WINDOWS\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6000.16386_none_5e2e0665fa591691\netbt.sys Infected: Virus.Win32.TDSS.b 1
Selected area has been scanned.
 

My Computer

You have a nasty rootkit -- TDSS :( http://www.prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html
Given the stealth nature of rootkits, some experts believe that the only reliable way to remove them is to re-install the operating system from trusted media.
Rootkit - Wikipedia, the free encyclopedia

I am one of those people who won't try to fix a computer that has a rootkit. The computer has been severely compromised and I can't guarantee that it will ever be stable again. I would strongly urge you to wipe and do a clean install.
 

My Computer

Many thanks for all your assistance, how do I carry out a clean install? The PC came with Vista preloaded (licence number on side of tower) but no Vista disc. I presume that it will have to be an HP disc, not another manufacturer's.
 

My Computer

Yes, it must be an HP disk, and more specifically, it must be one specific to your individual computer and operating system (since it will include drivers and software for the devices on your system and the wrong disk will install the wrong drivers and may leave you stuck or unable to use the system or parts of the system - and may even cause harm - though that is extremely rare but still possible).

I'm assuming you're in the U.K. from the model of your PC so here's the site to visit for info on getting Recovery Disks: http://h10025.www1.hp.com/ewfrf/wc/document?docname=buh07342&tmp_track_link=ot_faqs/top_issues/en_uk/buh07342/loc:5&lc=en&dlc=en&cc=uk&lang=en&product=3604764. If I'm wrong and you are in the USA (but purchased it in the UK), use the same link. If you are in the USA and somehow got it in the USA despite the model number, then use the link provided above by Jacee. If it's some other country, go to Country-Language Selector - HP Customer Care (United States - English) and select the appropriate country to find the correct sites to visit.

Considering that creating recovery disks from the Recovery Partition on HP computers requires using Recovery Manager which is on your infected C:\ drive, it is not advisable to do this as I'm not sure if that may cause any transfer of the malware. Recovery from the Recovery Partition on HP computers also requires use of this software so it too may not be completely safe - and we want to be SURE that this resolves the problem - so unless you made disks earlier before the infection (which apparently isn't the case), you will need to get and pay for them using the above link. I believe they will actually send you to: https://www.best2serve.com/sales/declare_rcd.php?part=&lc=en&cc=uk - but check to be sure that hasn't changed. You will need the serial number of your computer to get the correct part - I could get no further on the site without it so could not check the pricing or other factors (but if they have them available, they shouldn't be too expensive - much less than buying a new OS for certain). Hopefully they will still have disks available for your computer and operating system available - if not, ask them or HP what other options are available (though other options may cost a bit more).

In the case of restoring from HP Recovery Disks, the process Performing an HP System Recovery in Windows Vista HP Pavilion a6202.uk Desktop PC - HP technical support (United Kingdom - English) provides an option to back up your data files, so the following may not be required - but if for some reason you proceed and are not given that option, then abort the recovery and back up your data manually as follows. You can use Knoppix http://www.knopper.net/knoppix/index-en.html with a good ISO copier like: http://isorecorder.alexfeinman.com/isorecorder.htm along with a blank CD (perhaps made on another PC). This should give you enough access to the system (if you can't get in any other way which may or may not be a problem in your situation) to back up your important data (and ONLY the data - take nothing but your documents and pictures and such data as anything else may be infected and carry it to the new installation). If that doesn't work, try slaving the drive to another computer and recovering the data using that other computer to access the disk.

Once done, you can do a clean install using the Recovery Disks. To do a clean install proceed as dictated by the HP recovery disk procedures. Performing an HP System Recovery in Windows Vista HP Pavilion a6202.uk Desktop PC - HP technical support (United Kingdom - English). If given the option, choose a full format rather than a quick format. Then let it proceed with the re-installation. Once done, you will need to re-install all your programs, reset all your preferences, reconfigure your network and email settings, restore your backed up data, run Windows Update with possibly nearly 150 updates pending,...

I hope this helps. If you have any further questions, please feel free to post them and we'll try our best to answer them and assist you as needed.

Good luck!
 

My Computer

System One

  • Manufacturer/Model
    Dell Inc. MP061 Inspiron E1705
    CPU
    2.00 gigahertz Intel Core 2 Duo 64 kilobyte primary memory
    Motherboard
    Board: Dell Inc. 0YD479 Bus Clock: 166 megahertz
    Memory
    2046 Megabytes Usable Installed Memory
    Graphics Card(s)
    ATI Mobility Radeon X1400 (Microsoft Corporation - WDDM) [Di
    Sound Card
    SigmaTel High Definition Audio CODEC
    Monitor(s) Displays
    Generic PnP Monitor (17.2"vis)
    Screen Resolution
    1920 x 1200 pixels
    Hard Drives
    Hitachi HTS541616J9SA00 [Hard drive] (160.04 GB) -- drive 0, s/n SB2411SJGLLRMB, rev SB4OC74P, SMART Status: Healthy
    Case
    Chassis Serial Number: 5YK95C1
    Keyboard
    Standard PS/2 Keyboard
    Mouse
    Logitech HID-compliant Cordless Mouse
    Internet Speed
    1958 Kbps download ; 754.8 Kbps upload
    Other Info
    Optiarc DVD+-RW AD-5540A ATA Device [CD-ROM drive]

    Dell AIO Printer A940

    Conexant HDA D110 MDC V.92 Modem

    6TO4 Adapter
    Broadcom 440x 10/100 Integrated Controller
    Broadcom 802.11n Network Adapter
    Microsoft ISATAP Adapter
    Teredo Tunneling Pseudo-Interface

    Router Linksys / WRT54G -01
Many thanks again for all the information and assistance that has been offered, yes I am in the UK and have contacted HP who can provide a recovery disc for £35. I have also been through all my DVDs and found the two HP recovery discs that I made a couple of weeks after buying the PC. Will these do the trick or do I still need a disc from HP?
Sorry if I'm sounding a bit thick over this but I want to make sure I do it correctly!
 

My Computer

It's very possible those recovery disks you made way back then will work without needing HP. All I can say is give it a try and see. If it doesn't work, then you'll need to get them from HP. If it does work, then you'll be back up and running in short order.

Good luck!
 

My Computer

Thanks to everyone's assistance in helping me out. I used my recovery discs and have since done a malware scan, log below. The PC is loading and running as it should so thanks !!:D:D:D

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4736
Windows 6.0.6000
Internet Explorer 7.0.6000.16473
03/10/2010 19:13:45
mbam-log-2010-10-03 (19-13-45).txt
Scan type: Quick scan
Objects scanned: 132210
Time elapsed: 5 minute(s), 5 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
 

My Computer

Congratulations. It was our pleasure to help. Glad to hear you're up and running and I see from the MBAM report that you look clean.

Don't forget to close out the thread by clicking the far right triangular icon at the top of your post and typing "solved" in the box and submitting it. The moderators will notice and put a green check next to the thread title. That way others seeking answers by searching the forums will know that this thread contains a solution to the issue identified in the title - and people seeking to help will not waste time checking out this thread since it has been resolved.

And welcome to Vista Forums! Now that you know where we are, bookmark the site and post anytime you have further questions or problems or if you just want to browse and learn (especially the Tutorial section offers some excellent advice on a wide variety of topics) or even if you want to try to help answer a question if you happen to see one where you know the answer and it hasn't already been posted. While it most likely won't be us the next time (though it might), there are many very skilled, experienced, knowledgeable, and friendly people here who, like us, volunteer their time to help others and one or maybe even several will respond to your post to assist you. While there are other forums on the web that do this sort of thing, you've now found what I think is the best (and I've posted in and/or checked out quite a few) so don't lose this link - you never know when it might come in handy again.

Good luck and best wishes.
 

My Computer

Well done Charles!