USB Disk Guard Ability

imaginashawn · December 26, 2011

I believe I have a USB Controller virus that has not only completely disabled all USB ports but also causes the Processor via USBPORT.SYS to run at 99% until I suspend it in Process Explorer.

First, please let me know if I'm wrong in assuming this is in fact caused by a virus.

Second, is this something the USB Disk Guard should clear up? In other words, does USB Guard just guard or does it eliminate viruses targeted at USB drivers as well?

Thank you, Shawn 'imaginashawn'

Melvin_Deal · December 27, 2011

Hi imaginashawn!

Welcome to Iobit forum!!

It's not so easy to leap to the conclusion that a virus is causing your difficulties. I would examine the Remora software first! Examine the way you have it configured and visit Remora support to see if other instances have been reported (if they have a forum). Look in your system to see if there are multiple instances of identical Remora services running on your machine simultaneously. (Ctrl,alt,del, task manager) {although I think you have already looked at this as you report a percentage}

Try completely uninstalling it using Iobit uninstaller or Revo uninstaller (use advanced option in Revo, removing the leftover bits). Then re-boot and see if the problem is relieved.

Also after you do the un-install if the problem doesn't abate, try restoring any system settings that may have been changed by Remora. If you don't know how, you can restore or re-image to before you installed Remora if it was very recently.

Then if you wish to have us examine your system for malware we will be happy to. Just post back and we'll go from there!

Sincerely,

-Mel

Live long and prosper!

imaginashawn · December 28, 2011

Sounds good

Thank you for your reply. Looks like very sound advice. I will do the things you suggest and report back.

imaginashawn · December 29, 2011

Misunderstood

K, I think you misunderstood me. I do not have USB Disk Guard installed on my PC, I merely asked if it might solve my problem. It looks like it's just an encryption tool for usb data.

Anyways, can you take a look at this stack from USBPORT.sys thread and see if anything is unusual/wrong in it?

ntkrnlpa.exe!KiDispatchInterrupt+0x7f

hal.dll+0x2d53

usbehci.sys+0x4dc8

USBPORT.SYS+0x12a73

USBPORT.SYS+0x5b63

USBPORT.SYS+0x5fa0

ntkrnlpa.exe!PsRemoveCreateThreadNotifyRoutine+0x21e

ntkrnlpa.exe!KiDispatchInterrupt+0x5a2

Thanks, Shawn

Melvin_Deal · December 29, 2011

That changes things! You never had the Remora disk guard on your machine! Lets take a look at your machine to see what is there!:-)

Please humor me by following the steps in the link I provide here ->http://forums.iobit.com/showthread.php?t=6216. Shutting down as many applications as possible beforehand will shorten the length of the logs.

We will look and see!

Please post back the logs as requested!

Thanks!

-Mel

Melvin_Deal · December 29, 2011

Please also download Piriform Speccy here-> http://www.piriform.com/speccy/download

Launch it then post a screenshot of what is displayed. Get the free version from piriform server.

Thanks!

-Mel

imaginashawn · December 30, 2011

dds

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29

Run by HP_Owner at 15:41:53 on 2011-12-30

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1215.745 [GMT -5:00]

.

============== Running Processes ===============

.

C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\windows\system\hpsysdrv.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe

C:\Program Files\IObit\Advanced SystemCare 5\ASCTray.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Program Files\IObit\Advanced SystemCare 5\DelayLoad.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

uInternet Settings,ProxyOverride = *.local

mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"

uRun: [Advanced SystemCare 5] "c:\program files\iobit\advanced systemcare 5\ASCTray.exe" /AutoStart

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [ALCMTR] ALCMTR.EXE

mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"

mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

dRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup

uPolicies-explorer: NoInstrumentation = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000

IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxps://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1300835056156

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{419F897B-E0EC-4D5F-8814-9DC9E4064EFB} : DhcpNameServer = 192.168.1.254

TCP: Interfaces\{80443072-5384-4D29-A197-604ECE8884D8} : DhcpNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243

Notify: AtiExtEvent - Ati2evxx.dll

LSA: Notification Packages = scecli scecli

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\hp_owner\application data\mozilla\firefox\profiles\5g4sghd3.default\

FF - prefs.js: browser.search.selectedEngine - Bing

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\documents and settings\hp_owner\application data\mozilla\firefox\profiles\5g4sghd3.default\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}\plugins\npAclmPlugin.dll

FF - plugin: c:\documents and settings\hp_owner\application data\mozilla\firefox\profiles\5g4sghd3.default\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}\plugins\npProductDetectPlugin.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

FF - plugin: c:\program files\nos\bin\np_gp.dll

.

============= SERVICES / DRIVERS ===============

.

R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-4-23 13496]

R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\iobit\advanced systemcare 5\ASCService.exe [2011-11-26 494424]

R2 IMFservice;IMF Service;c:\program files\iobit\iobit malware fighter\IMFsrv.exe [2011-12-26 820568]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 ALSysIO;ALSysIO;\??\c:\docume~1\hp_owner\locals~1\temp\alsysio.sys --> c:\docume~1\hp_owner\locals~1\temp\ALSysIO.sys [?]

S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]

S3 RegFilter;RegFilter;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\RegFilter.sys [2011-12-26 30368]

S3 UrlFilter;UrlFilter;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\UrlFilter.sys [2011-12-26 16208]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 FileMonitor;FileMonitor;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\FileMonitor.sys [2011-12-26 239472]

.

=============== Created Last 30 ================

.

2011-12-30 19:44:04 42240 ------w- c:\windows\system32\drivers\viaagp.sys

2011-12-30 19:44:04 25471 ------w- c:\windows\system32\drivers\watv10nt.sys

2011-12-30 19:44:04 22271 ------w- c:\windows\system32\drivers\watv06nt.sys

2011-12-30 19:44:04 11935 ------w- c:\windows\system32\drivers\wadv11nt.sys

2011-12-30 19:44:04 11871 ------w- c:\windows\system32\drivers\wadv09nt.sys

2011-12-30 19:44:04 11807 ------w- c:\windows\system32\drivers\wadv07nt.sys

2011-12-30 19:44:04 11295 ------w- c:\windows\system32\drivers\wadv08nt.sys

2011-12-30 19:42:18 73216 ------w- c:\windows\system32\drivers\atintuxx.sys

2011-12-30 00:58:50 80992 ----a-w- C:\WINDOWSXP-KB832936-X86-ENU-Symbols.EXE

2011-12-30 00:58:50 345184 ----a-w- C:\WindowsXP-KB832936-x86-ENU.EXE

2011-12-28 04:31:31 3584 ----a-r- c:\documents and settings\hp_owner\application data\microsoft\installer\{121634b0-2f4b-11d3-ada3-00c04f52dd52}\Icon386ED4E3.exe

2011-12-28 04:31:31 -------- d-----w- c:\program files\Windows Installer Clean Up

2011-12-28 04:31:04 -------- d-----w- c:\program files\MSECACHE

2011-12-25 20:38:21 4529299 ----a-w- c:\program files\FileZilla_3.5.2_win32-setup.exe

2011-12-25 01:13:24 -------- d-----w- c:\documents and settings\hp_owner\local settings\application data\Deployment

2011-12-13 19:05:15 77824 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ctor.dll

2011-12-13 19:05:15 614532 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\IKernel.exe

2011-12-13 19:05:15 32768 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\objectps.dll

2011-12-13 19:05:15 176128 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\iuser.dll

2011-12-13 15:38:04 -------- d-----w- c:\program files\iPod

2011-12-13 15:38:00 -------- d-----w- c:\program files\iTunes

2011-12-04 02:05:18 97280 ----a-w- c:\windows\system32\vspell32.ocx

2011-12-04 02:05:18 89600 ----a-w- c:\windows\system32\Leocx32.ocx

2011-12-04 02:05:18 84992 ----a-w- c:\windows\system32\Ledit32.dll

2011-12-04 02:05:18 70656 ----a-w- c:\windows\system32\vspell32.dll

2011-12-04 02:05:18 644400 ----a-w- c:\windows\system32\Mscomct2.ocx

2011-12-04 02:05:18 102912 ----a-w- c:\windows\system32\Vb6stkit.dll

2011-12-04 02:05:17 503808 ----a-w- c:\windows\system32\ChilkatFTPx.dll

2011-12-04 02:05:17 369696 ----a-w- c:\windows\system32\Comct332.ocx

.

==================== Find3M ====================

.

2011-12-30 20:01:08 45056 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\uninstallui\eHelpSetup.exe

2011-12-30 20:01:07 44032 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\scripts\devcon.exe

2011-12-30 20:01:07 217088 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll

2011-12-30 20:01:06 61440 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemutil.dll

2011-12-30 20:01:06 40960 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\ScDmi.dll

2011-12-30 20:01:06 341048 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\HPBasicDetection3.dll

2011-12-30 20:01:06 32768 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\uploadHSC.dll

2011-12-30 20:01:06 32768 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\Scom.dll

2011-12-30 20:01:06 163840 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemcheck.dll

2011-11-29 03:40:36 94208 ----a-w- C:\kompozer.exe

2011-11-13 20:32:37 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll

2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-11-04 19:20:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec

2011-10-24 18:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2011-10-24 18:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts

2011-10-20 03:16:14 20312 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe

2011-10-03 09:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-10-03 06:37:52 73728 ----a-w- c:\windows\system32\javacpl.cpl

.

============= FINISH: 15:42:54.75 ===============

imaginashawn · December 30, 2011

attach

Here is the zipped attach file.

attach.zip

imaginashawn · December 30, 2011

Speccy Snapshot

http://cut-it-out.us/Snapshot_Speccy123011.speccy

Melvin_Deal · December 30, 2011

Hi Imaginashawn!

I have requested that our fully trained Malware Fighter Superdave examine your DDS log to see if he needs to assist you in the removal of any Malware. I see some problems but am not fully trained. Please wait for him to respond after viewing your log.

Thanks!

-Mel

Live long and prosper!

Dave has responded and suggests you look at this thread at microsoft for a potential solution. He viewed your first log and sees no Malware issues on it, the no file entries I noticed are not a threat. I forgot to steer him to your attached file, am doing it now! As soon as he responds concerning the second log I will let you know.

Hopefully the link he has provided will offer you a solution!:-)

Please click on this link! http://support.microsoft.com/kb/817900

-Mel

imaginashawn · December 31, 2011

Very familiar link

Thank you for following up and also asking for further assistance. I read the info provided at the Microsoft link.

I should have said before that I have tried the things listed including,disabling usb ports, uninstalling and reinstalling all usb related drivers and controllers and I also updated the bios. None of this has had any affect in restoring my usb ports. I've also looked in the bios to make sure usb is not disabled.

I've even formated the hard drive and reinstalled my OS (windows xp home). Just as an experiment, I tried another operating system (Ubuntu 8.10) and the usb ports then functioned perfectly normal! So at least I know it's not the mainboard/motherboard. This is also why I suspected malware, since linux is rarely affected by it.

Melvin_Deal · December 31, 2011

Wow! You have done much work! It is definitely software related as you have ruled out so much! You have pre-empted a suggestion I was about to make!!:-)

When the USB problem was first noticed, did you have anything else curious happen that was relieved by your efforts?

When you reformatted, did you use the original system disc?

I have viewed your Speccy file extensively and can find nothing that raises red flags (another reason that I say "definitely" software related)!

Let us see what Dave says about your second DDS log (he is not here right now)

Sincerely,

-Mel

Melvin_Deal · December 31, 2011

I have also steered Dave specifically to post #4 of this thread as well as the whole thread.

:-)

Sincerely,

-Mel

Lets wait and see what his advisement is! Also other members are viewing this thread! Perhaps they will post helpful suggestions. I see suggestions to make concerning you IE browser and java as far as security is concerned, but will wait for others... (as none of my suggestions will solve the USB issue)

imaginashawn · December 31, 2011

Melvin's two questions

To answer your first question; Yes, the problem of all usb ports being dead has always been accompanied by the processor running at 99% until I disable USBPORT.sys via Process Explorer.

Answer to second question: I have tried formatting with the original Windows software and then installing Windows and I've tried formatting with Gparted and then installing Windows ... no difference.

Note: When I wiped the drive and installed Ubuntu 8.10, everything was normal (USB and Processor).

Superdave · December 31, 2011

Hello and welcome to IOBit Forums. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.

2. The fixes are specific to your problem and should only be used for this issue on this machine.

3. If you don't know or understand something, please don't hesitate to ask.

4. Please DO NOT run any other tools or scans while I am helping you.

5. It is important that you reply to this thread. Do not start a new topic.

6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.

*************************************************************

SUPERAntiSpyware

If you already have SUPERAntiSpyware be sure to check for updates before scanning!

Download SuperAntispyware Free Edition (SAS)

* Double-click the icon on your desktop to run the installer.

* When asked to Update the program definitions, click Yes

* If you encounter any problems while downloading the updates, manually download and unzip them from here

* Next click the Preferences button.

•Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts

* Click the Scanning Control tab.

* Under Scanner Options make sure only the following are checked:

•Close browsers before scanning

•Scan for tracking cookies

•Terminate memory threats before quarantining

•Please leave the others unchecked

•Click the Close button to leave the control center screen.

* On the main screen click Scan your computer

* On the left check the box for the drive you are scanning.

* On the right choose Perform Complete Scan

* Click Next to start the scan. Please be patient while it scans your computer.

* After the scan is complete a summary box will appear. Click OK

* Make sure everything in the white box has a check next to it, then click Next

* It will quarantine what it found and if it asks if you want to reboot, click Yes

•To retrieve the removal information please do the following:

•After reboot, double-click the SUPERAntiSpyware icon on your desktop.

•Click Preferences. Click the Statistics/Logs tab.

•Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

•It will open in your default text editor (preferably Notepad).

•Save the notepad file to your desktop by clicking (in notepad) File > Save As...

* Save the log somewhere you can easily find it. (normally the desktop)

* Click close and close again to exit the program.

*Copy and Paste the log in your post.

**********************************************

Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
Please save the log to a location you will remember.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

*******************************************

Please download ComboFix http://img7.imageshack.us/img7/4930/combofix.gif from BleepingComputer.com

Alternate link: GeeksToGo.com

and save it to your Desktop.

It would be easiest to download using Internet Explorer.

If you want to use Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab

* Set to "Always ask me where to Save the files".

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here

Double click ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

http://i424.photobucket.com/albums/pp322/digistar/Query_RC.gif

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i424.photobucket.com/albums/pp322/digistar/RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

If you have problems with ComboFix usage, see How to use ComboFix

imaginashawn · January 1, 2012

SAS log

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

Generated 12/31/2011 at 09:46 PM

Application Version : 5.0.1142

Core Rules Database Version : 8091

Trace Rules Database Version: 5903

Scan type : Complete Scan

Total Scan Time : 01:00:36

Operating System Information

Windows XP Home Edition 32-bit, Service Pack 3 (Build 5.01.2600)

Administrator

Memory items scanned : 392

Memory threats detected : 0

Registry items scanned : 36315

Registry threats detected : 6

File items scanned : 162327

File threats detected : 5

Disabled.SecurityCenterOption

HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#ANTIVIRUSDISABLENOTIFY

HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#FIREWALLDISABLENOTIFY

Adware.Tracking Cookie

C:\Documents and Settings\HP_Owner\Cookies\11SU7VQO.txt [ /atwola.com ]

C:\Documents and Settings\HP_Owner\Cookies\CZOFRBM5.txt [ /tacoda.at.atwola.com ]

C:\Documents and Settings\HP_Owner\Cookies\Y0UA5BZC.txt [ /tacoda.at.atwola.com ]

C:\DOCUMENTS AND SETTINGS\HP_OWNER\Cookies\Y6Q39DJJ.txt [ Cookie:hp_owner@adsonar.com/adserving ]

Adware.Zugo

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D425283-D487-4337-BAB6-AB8354A81457}

HKU\S-1-5-21-760354782-3161755103-1515528904-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9D425283-D487-4337-BAB6-AB8354A81457}

HKU\S-1-5-21-760354782-3161755103-1515528904-1009\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{9D425283-D487-4337-BAB6-AB8354A81457}

HKCR\CLSID\{9D425283-D487-4337-BAB6-AB8354A81457}

Trojan.Agent/Gen-HotBar

C:\DOCUMENTS AND SETTINGS\HP_OWNER\MY DOCUMENTS\DOWNLOADS\XVIDSETUP.EXE

imaginashawn · January 1, 2012

MBAM Log

Malwarebytes Anti-Malware (Trial) 1.60.0.1800

http://www.malwarebytes.org

Database version: v2011.12.31.06

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

HP_Owner :: ZIGGY [administrator]

Protection: Enabled

12/31/2011 10:18:18 PM

mbam-log-2011-12-31 (22-18-18).txt

Scan type: Full scan

Scan options disabled: P2P

Objects scanned: 308782

Time elapsed: 1 hour(s), 5 minute(s), 17 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP302\A0067664.exe (PUP.Adware.Downloader) -> Quarantined and deleted successfully.

(end)

imaginashawn · January 1, 2012

Combofix Log

ComboFix 11-12-31.03 - HP_Owner 01/01/2012 0:18.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1215.697 [GMT -5:00]

Running from: c:\documents and settings\HP_Owner\My Documents\Downloads\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Previous Run -------

.

c:\documents and settings\Administrator\WINDOWS

c:\documents and settings\Default User\WINDOWS

c:\documents and settings\HP_Owner\Application Data\HPSU_48BitScanUpdate.log

c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\5g4sghd3.default\searchplugins\bing-zugo.xml

c:\documents and settings\HP_Owner\WINDOWS

c:\documents and settings\Shawn\WINDOWS

c:\windows\HPCPCUninstaller-6.3.2.116-9972322.exe

c:\windows\system32\config\systemprofile\WINDOWS

c:\windows\system32\drivers\Setup.exe

c:\windows\system32\SET1330.tmp

c:\windows\system32\SET1344.tmp

c:\windows\system32\SET1345.tmp

D:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2011-12-01 to 2012-01-01 )))))))))))))))))))))))))))))))

.

2012-01-01 03:05 . 2012-01-01 03:05 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Malwarebytes

2012-01-01 03:05 . 2012-01-01 03:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-01-01 03:05 . 2012-01-01 03:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-01-01 03:05 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-01-01 01:38 . 2012-01-01 01:38 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\SUPERAntiSpyware.com

2012-01-01 01:36 . 2012-01-01 01:38 -------- d-----w- c:\program files\SUPERAntiSpyware

2012-01-01 01:36 . 2012-01-01 01:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2011-12-30 20:50 . 2011-12-30 20:50 -------- d-----w- c:\program files\Speccy

2011-12-30 20:22 . 2011-12-30 20:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2011-12-30 19:44 . 2008-04-13 18:36 42240 ------w- c:\windows\system32\drivers\viaagp.sys

2011-12-30 19:44 . 2004-08-04 03:29 25471 ------w- c:\windows\system32\drivers\watv10nt.sys

2011-12-30 19:44 . 2004-08-04 03:29 22271 ------w- c:\windows\system32\drivers\watv06nt.sys

2011-12-30 19:44 . 2004-08-04 03:29 11935 ------w- c:\windows\system32\drivers\wadv11nt.sys

2011-12-30 19:44 . 2004-08-04 03:29 11871 ------w- c:\windows\system32\drivers\wadv09nt.sys

2011-12-30 19:44 . 2004-08-04 03:29 11807 ------w- c:\windows\system32\drivers\wadv07nt.sys

2011-12-30 19:44 . 2004-08-04 03:29 11295 ------w- c:\windows\system32\drivers\wadv08nt.sys

2011-12-30 19:42 . 2004-08-04 03:29 73216 ------w- c:\windows\system32\drivers\atintuxx.sys

2011-12-30 00:58 . 2003-11-25 23:24 345184 ----a-w- C:\WindowsXP-KB832936-x86-ENU.EXE

2011-12-30 00:58 . 2003-11-25 23:22 80992 ----a-w- C:\WINDOWSXP-KB832936-X86-ENU-Symbols.EXE

2011-12-28 04:31 . 2011-12-28 04:31 3584 ----a-r- c:\documents and settings\HP_Owner\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe

2011-12-28 04:31 . 2011-12-28 04:31 -------- d-----w- c:\program files\Windows Installer Clean Up

2011-12-28 04:31 . 2011-12-28 04:31 -------- d-----w- c:\program files\MSECACHE

2011-12-25 20:38 . 2011-12-25 20:38 4529299 ----a-w- c:\program files\FileZilla_3.5.2_win32-setup.exe

2011-12-25 01:13 . 2011-12-25 01:49 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\Deployment

2011-12-13 19:05 . 2002-07-25 21:07 614532 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe

2011-12-13 19:05 . 2001-09-05 09:18 77824 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll

2011-12-13 19:05 . 2001-09-05 09:14 176128 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll

2011-12-13 19:05 . 2001-09-05 09:13 32768 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll

2011-12-13 15:38 . 2011-12-13 15:38 -------- d-----w- c:\program files\iPod

2011-12-13 15:38 . 2011-12-13 15:39 -------- d-----w- c:\program files\iTunes

2011-12-04 02:05 . 1999-05-15 05:24 97280 ----a-w- c:\windows\system32\vspell32.ocx

2011-12-04 02:05 . 1998-11-22 19:23 84992 ----a-w- c:\windows\system32\Ledit32.dll

2011-12-04 02:05 . 1998-11-18 16:40 89600 ----a-w- c:\windows\system32\Leocx32.ocx

2011-12-04 02:05 . 1998-06-26 05:00 644400 ----a-w- c:\windows\system32\Mscomct2.ocx

2011-12-04 02:05 . 1998-06-18 05:00 102912 ----a-w- c:\windows\system32\Vb6stkit.dll

2011-12-04 02:05 . 1997-02-24 22:44 70656 ----a-w- c:\windows\system32\vspell32.dll

2011-12-04 02:05 . 2005-01-24 17:39 503808 ----a-w- c:\windows\system32\ChilkatFTPx.dll

2011-12-04 02:05 . 1998-06-24 05:00 369696 ----a-w- c:\windows\system32\Comct332.ocx

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-12-30 20:01 . 2011-12-30 20:01 45056 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe

2011-12-30 20:01 . 2011-12-30 20:01 44032 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe

2011-12-30 20:01 . 2011-12-30 20:01 217088 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll

2011-12-30 20:01 . 2011-12-30 20:01 61440 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll

2011-12-30 20:01 . 2011-12-30 20:01 40960 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll

2011-12-30 20:01 . 2011-12-30 20:01 341048 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection3.dll

2011-12-30 20:01 . 2011-12-30 20:01 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll

2011-12-30 20:01 . 2011-12-30 20:01 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll

2011-12-30 20:01 . 2011-12-30 20:01 163840 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll

2011-11-29 03:40 . 2007-09-01 05:47 94208 ----a-w- C:\kompozer.exe

2011-11-13 20:32 . 2011-08-07 17:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-04 19:20 . 2004-08-04 11:00 916992 ----a-w- c:\windows\system32\wininet.dll

2011-11-04 19:20 . 2004-08-04 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-11-04 19:20 . 2004-08-04 11:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-11-04 11:23 . 2004-08-04 11:00 385024 ----a-w- c:\windows\system32\html.iec

2011-10-24 18:29 . 2011-10-24 18:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2011-10-24 18:29 . 2011-10-24 18:29 69632 ----a-w- c:\windows\system32\QuickTime.qts

2011-10-20 03:16 . 2011-11-26 20:59 20312 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe

2011-10-03 09:06 . 2011-04-16 04:59 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-10-03 06:37 . 2011-04-16 04:59 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-11-09 06:15 . 2011-03-28 20:19 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

((((((((((((((((((((((((((((( SnapShot@2012-01-01_04.55.03 )))))))))))))))))))))))))))))))))))))))))

.

+ 2012-01-01 05:09 . 2012-01-01 05:09 16384 c:\windows\Temp\Perflib_Perfdata_428.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2011-06-08 822456]

"Advanced SystemCare 5"="c:\program files\IObit\Advanced SystemCare 5\ASCTray.exe" [2011-12-26 619352]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2006-01-23 15969280]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 81920]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-14 344064]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [bU]

.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-4-21 27136]

.

c:\documents and settings\Default User\Start Menu\Programs\Startup\

Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-4-21 27136]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]

c:\program files\BitTorrent\BitTorrent.exe [bU]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]

c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe [bU]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]

c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe [bU]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2011-06-09 17:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"wuauserv"=2 (0x2)

"ERSvc"=2 (0x2)

"uploadmgr"=2 (0x2)

"AppMgmt"=3 (0x3)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\Winamp\\winamp.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

.

R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [4/23/2011 1:48 PM 13496]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]

R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]

R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\IObit\Advanced SystemCare 5\ASCService.exe [11/26/2011 3:50 PM 494424]

R2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [12/26/2011 5:50 PM 820568]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/31/2011 10:05 PM 652872]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/31/2011 10:05 PM 20464]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]

S3 ALSysIO;ALSysIO;\??\c:\docume~1\HP_Owner\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\HP_Owner\LOCALS~1\Temp\ALSysIO.sys [?]

S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]

S3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys [12/26/2011 5:50 PM 30368]

S3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys [12/26/2011 5:50 PM 16208]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 6:00 AM 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]

S4 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [12/26/2011 5:50 PM 239472]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - PROCEXP141

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

WINRM REG_MULTI_SZ WINRM

.

Contents of the 'Scheduled Tasks' folder

.

2011-12-20 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]

.

2011-12-25 c:\windows\Tasks\SmartDefrag_Startup.job

- c:\program files\IObit\Smart Defrag 2\SmartDefrag.exe [2011-03-31 21:29]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.254

FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\5g4sghd3.default\

FF - prefs.js: browser.search.selectedEngine - Bing

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: network.proxy.type - 0

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-01-01 00:27

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f9,56,68,61,50,80,69,4b,81,64,a5,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f9,56,68,61,50,80,69,4b,81,64,a5,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(820)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'explorer.exe'(1292)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

Completion time: 2012-01-01 01:04:57

ComboFix-quarantined-files.txt 2012-01-01 06:04

.

Pre-Run: 19,112,243,200 bytes free

Post-Run: 19,100,643,328 bytes free

.

- - End Of File - - 297082BA9DAB4F20CAFB0B8BB6BDBAAE

Superdave · January 1, 2012

P2P - I see you have P2P software installed on your machine. (BitTorrent)We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

**************************************************

SysProt Antirootkit

Download

SysProt Antirootkit from the link below (you will find it at the bottom

of the page under attachments, or you can get it from one of the

mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

Double click Sysprot.exe to start the program.
Click on the Log tab.
In the Write to log box select the following items.
- Process << Selected
- Kernel Modules << Selected
- SSDT << Selected
- Kernel Hooks << Selected
- IRP Hooks << NOT Selected
- Ports << NOT Selected
- Hidden Files << Selected
[*]At the bottom of the page
- Hidden Objects Only << Selected
[*]Click on the Create Log button on the bottom right.
[*]After a few seconds a new window should appear.
[*]Select Scan Root Drive. Click on the Start button.
[*]When it is complete a new window will appear to indicate that the scan is finished.
[*]The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

Please let me know how the computer is running.

imaginashawn · January 2, 2012

Sysprot

Computer still runs the same at this point: Slow boot, no USB ports work and Processor runs at 99% till I disable USBPORT.sys .

SysProt AntiRootkit v1.0.1.0

by swatkat

******************************************************************************************

Process:

Name: [system Idle Process]

PID: 0

Hidden: No

Window Visible: No

Name: System

PID: 4

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\smss.exe

PID: 484

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe

PID: 792

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe

PID: 824

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\services.exe

PID: 868

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe

PID: 880

Hidden: No

Window Visible: No

Name: C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe

PID: 1060

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\ati2evxx.exe

PID: 1140

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe

PID: 1156

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe

PID: 1236

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe

PID: 1332

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe

PID: 1448

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe

PID: 1628

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe

PID: 1716

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\ati2evxx.exe

PID: 1792

Hidden: No

Window Visible: No

Name: C:\WINDOWS\explorer.exe

PID: 1884

Hidden: No

Window Visible: No

Name: C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe

PID: 1980

Hidden: No

Window Visible: No

Name: C:\WINDOWS\RTHDCPL.EXE

PID: 676

Hidden: No

Window Visible: No

Name: C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

PID: 728

Hidden: No

Window Visible: No

Name: C:\Program Files\HP\HP Software Update\hpwuschd2.exe

PID: 744

Hidden: No

Window Visible: No

Name: C:\Program Files\SUPERAntiSpyware\SASCore.exe

PID: 788

Hidden: No

Window Visible: No

Name: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

PID: 844

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system\hpsysdrv.exe

PID: 948

Hidden: No

Window Visible: No

Name: C:\Program Files\iTunes\iTunesHelper.exe

PID: 1184

Hidden: No

Window Visible: No

Name: C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

PID: 1276

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\ctfmon.exe

PID: 1312

Hidden: No

Window Visible: No

Name: C:\Program Files\Bonjour\mDNSResponder.exe

PID: 1072

Hidden: No

Window Visible: No

Name: C:\Program Files\Java\jre6\bin\jqs.exe

PID: 376

Hidden: No

Window Visible: No

Name: C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

PID: 740

Hidden: No

Window Visible: No

Name: C:\Program Files\Common Files\Motive\McciCMService.exe

PID: 1092

Hidden: No

Window Visible: No

Name: C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

PID: 228

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe

PID: 520

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe

PID: 512

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\wdfmgr.exe

PID: 680

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\wuauclt.exe

PID: 2008

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\wbem\wmiprvse.exe

PID: 2524

Hidden: No

Window Visible: No

Name: C:\Program Files\iPod\bin\iPodService.exe

PID: 3344

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\wbem\wmiprvse.exe

PID: 3572

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe

PID: 2064

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\alg.exe

PID: 2812

Hidden: No

Window Visible: No

Name: C:\Program Files\IObit\Advanced SystemCare 5\DelayLoad.exe

PID: 3756

Hidden: No

Window Visible: No

Name: C:\Documents and Settings\HP_Owner\Desktop\SysProt\SysProt\SysProt.exe

PID: 2444

Hidden: No

Window Visible: Yes

Name: ASCTooltips.exe

PID: 1584

Hidden: No

Window Visible: No

******************************************************************************************

Kernel Modules:

Module Name: \??\C:\Documents and Settings\HP_Owner\Desktop\SysProt\SysProt\SysProtDrv.sys

Service Name: SysProtDrv.sys

Module Base: B1D8B000

Module End: B1D96000

Hidden: No

Module Name: \WINDOWS\system32\ntkrnlpa.exe

Service Name: ---

Module Base: 804D7000

Module End: 806D0380

Hidden: No

Module Name: \WINDOWS\system32\hal.dll

Service Name: ---

Module Base: 806D1000

Module End: 806F1300

Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL

Service Name: ---

Module Base: BA5A8000

Module End: BA5AA000

Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll

Service Name: ---

Module Base: BA4B8000

Module End: BA4BB000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys

Service Name: ACPI

Module Base: B9F79000

Module End: B9FA7000

Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\WMILIB.SYS

Service Name: ---

Module Base: BA5AA000

Module End: BA5AC000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys

Service Name: PCI

Module Base: B9F68000

Module End: B9F79000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys

Service Name: isapnp

Module Base: BA0A8000

Module End: BA0B2000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pciide.sys

Service Name: PCIIde

Module Base: BA670000

Module End: BA671000

Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

Service Name: ---

Module Base: BA328000

Module End: BA32F000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\viaide.sys

Service Name: ViaIde

Module Base: BA5AC000

Module End: BA5AE000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\intelide.sys

Service Name: IntelIde

Module Base: BA5AE000

Module End: BA5B0000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys

Service Name: MountMgr

Module Base: BA0B8000

Module End: BA0C3000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys

Service Name: Disk

Module Base: B9F49000

Module End: B9F68000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys

Service Name: PartMgr

Module Base: BA330000

Module End: BA335000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys

Service Name: VolSnap

Module Base: BA0C8000

Module End: BA0D5000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\iaStor.sys

Service Name: iaStor

Module Base: B9E74000

Module End: B9F49000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys

Service Name: atapi

Module Base: B9E5C000

Module End: B9E74000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftsata2.sys

Service Name: ftsata2

Module Base: B9E19000

Module End: B9E5C000

Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\SCSIPORT.SYS

Service Name: ScsiPort

Module Base: B9E01000

Module End: B9E19000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys

Service Name: ---

Module Base: BA0D8000

Module End: BA0E1000

Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

Service Name: ---

Module Base: BA0E8000

Module End: BA0F5000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys

Service Name: FltMgr

Module Base: B9DE1000

Module End: B9E01000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys

Service Name: sr

Module Base: B9DCF000

Module End: B9DE1000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\bb-run.sys

Service Name: bb-run

Module Base: BA0F8000

Module End: BA101000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PxHelp20.sys

Service Name: PxHelp20

Module Base: BA108000

Module End: BA112000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys

Service Name: KSecDD

Module Base: B9DB8000

Module End: B9DCF000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys

Service Name: Ntfs

Module Base: B9D2B000

Module End: B9DB8000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys

Service Name: NDIS

Module Base: B9CFE000

Module End: B9D2B000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\SmartDefragDriver.sys

Service Name: SmartDefragDriver

Module Base: BA5B0000

Module End: BA5B2000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ohci1394.sys

Service Name: ohci1394

Module Base: BA118000

Module End: BA128000

Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\1394BUS.SYS

Service Name: ---

Module Base: BA128000

Module End: BA136000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys

Service Name: Mup

Module Base: B9CE4000

Module End: B9CFE000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\nic1394.sys

Service Name: NIC1394

Module Base: BA248000

Module End: BA258000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\intelppm.sys

Service Name: intelppm

Module Base: BA2F8000

Module End: BA301000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

Service Name: ati2mtag

Module Base: B9557000

Module End: B96A5000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS

Service Name: ---

Module Base: B9543000

Module End: B9557000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbohci.sys

Service Name: usbohci

Module Base: BA3A0000

Module End: BA3A5000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS

Service Name: ---

Module Base: B951F000

Module End: B9543000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbehci.sys

Service Name: usbehci

Module Base: BA3A8000

Module End: BA3B0000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\imapi.sys

Service Name: Imapi

Module Base: BA308000

Module End: BA313000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\MxlW2k.SYS

Service Name: MxlW2k

Module Base: BA3B0000

Module End: BA3B7000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\cdrom.sys

Service Name: Cdrom

Module Base: BA318000

Module End: BA328000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\redbook.sys

Service Name: redbook

Module Base: B980D000

Module End: B981C000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ks.sys

Service Name: ---

Module Base: B94FC000

Module End: B951F000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

Service Name: GEARAspiWDM

Module Base: BA3B8000

Module End: BA3BE000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

Service Name: HDAudBus

Module Base: B94D4000

Module End: B94FC000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\parport.sys

Service Name: Parport

Module Base: B94C0000

Module End: B94D4000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\i8042prt.sys

Service Name: i8042prt

Module Base: B97FD000

Module End: B980A000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdclass.sys

Service Name: Kbdclass

Module Base: BA3C0000

Module End: BA3C6000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouclass.sys

Service Name: Mouclass

Module Base: BA3C8000

Module End: BA3CE000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HSXHWBS2.sys

Service Name: HSXHWBS2

Module Base: B947B000

Module End: B94C0000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HSX_DP.sys

Service Name: HSX_DP

Module Base: B9384000

Module End: B947B000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys

Service Name: winachsx

Module Base: B92CE000

Module End: B9384000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Modem.SYS

Service Name: Modem

Module Base: BA3D8000

Module End: BA3E0000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys

Service Name: RTL8023xp

Module Base: B92BA000

Module End: B92CE000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\audstub.sys

Service Name: audstub

Module Base: BA7FF000

Module End: BA800000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

Service Name: Rasl2tp

Module Base: B97ED000

Module End: B97FA000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndistapi.sys

Service Name: NdisTapi

Module Base: BA5A0000

Module End: BA5A3000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndiswan.sys

Service Name: NdisWan

Module Base: B92A3000

Module End: B92BA000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspppoe.sys

Service Name: RasPppoe

Module Base: B97DD000

Module End: B97E8000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspptp.sys

Service Name: PptpMiniport

Module Base: B97CD000

Module End: B97D9000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\TDI.SYS

Service Name: ---

Module Base: BA3E0000

Module End: BA3E5000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\psched.sys

Service Name: PSched

Module Base: B9292000

Module End: B92A3000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\msgpc.sys

Service Name: Gpc

Module Base: B97BD000

Module End: B97C6000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ptilink.sys

Service Name: Ptilink

Module Base: BA3E8000

Module End: BA3ED000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspti.sys

Service Name: Raspti

Module Base: BA3F0000

Module End: BA3F5000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\termdd.sys

Service Name: TermDD

Module Base: B97AD000

Module End: B97B7000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\swenum.sys

Service Name: swenum

Module Base: BA5C0000

Module End: BA5C2000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\update.sys

Service Name: Update

Module Base: B9234000

Module End: B9292000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mssmbios.sys

Service Name: mssmbios

Module Base: B9CC0000

Module End: B9CC4000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS

Service Name: NDProxy

Module Base: B979D000

Module End: B97A7000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbhub.sys

Service Name: usbhub

Module Base: BA198000

Module End: BA1A7000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBD.SYS

Service Name: ---

Module Base: BA5C2000

Module End: BA5C4000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\RtkHDAud.sys

Service Name: IntcAzAudAddService

Module Base: B4D39000

Module End: B514C000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys

Service Name: ---

Module Base: B4D15000

Module End: B4D39000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys

Service Name: ---

Module Base: BA1C8000

Module End: BA1D7000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS

Service Name: Fs_Rec

Module Base: BA5CA000

Module End: BA5CC000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS

Service Name: Null

Module Base: BA6B0000

Module End: BA6B1000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS

Service Name: Beep

Module Base: BA5CC000

Module End: BA5CE000

Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys

Service Name: VgaSave

Module Base: BA410000

Module End: BA416000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS

Service Name: mnmdd

Module Base: BA5CE000

Module End: BA5D0000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys

Service Name: RDPCDD

Module Base: BA5D0000

Module End: BA5D2000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS

Service Name: Msfs

Module Base: BA418000

Module End: BA41D000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS

Service Name: Npfs

Module Base: BA420000

Module End: BA428000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasacd.sys

Service Name: RasAcd

Module Base: B96B9000

Module End: B96BC000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipsec.sys

Service Name: IPSec

Module Base: B4CBA000

Module End: B4CCD000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys

Service Name: Tcpip

Module Base: B4C61000

Module End: B4CBA000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbt.sys

Service Name: NetBT

Module Base: B4C39000

Module End: B4C61000

Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys

Service Name: AFD

Module Base: B4C17000

Module End: B4C39000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbios.sys

Service Name: NetBIOS

Module Base: BA1D8000

Module End: BA1E1000

Hidden: No

Module Name: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS

Service Name: SASKUTIL

Module Base: B4BF5000

Module End: B4C17000

Hidden: No

Module Name: \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS

Service Name: SASDIFSV

Module Base: BA428000

Module End: BA42E000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdbss.sys

Service Name: Rdbss

Module Base: B4BCA000

Module End: B4BF5000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

Service Name: MRxSmb

Module Base: B4B32000

Module End: B4BA2000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS

Service Name: Fips

Module Base: BA1E8000

Module End: BA1F3000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipnat.sys

Service Name: IpNat

Module Base: B4B0C000

Module End: B4B32000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fastfat.SYS

Service Name: Fastfat

Module Base: B4AE8000

Module End: B4B0C000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wanarp.sys

Service Name: Wanarp

Module Base: BA208000

Module End: BA211000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\arp1394.sys

Service Name: Arp1394

Module Base: BA218000

Module End: BA227000

Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys

Service Name: ---

Module Base: B4AD0000

Module End: B4AE8000

Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS

Service Name: ---

Module Base: BA5EE000

Module End: BA5F0000

Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys

Service Name: ---

Module Base: B9214000

Module End: B9217000

Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys

Service Name: ---

Module Base: BA440000

Module End: BA445000

Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys

Service Name: ---

Module Base: BA766000

Module End: BA767000

Hidden: No

Module Name: \??\C:\WINDOWS\system32\drivers\mbam.sys

Service Name: MBAMProtector

Module Base: B4BB6000

Module End: B4BBA000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndisuio.sys

Service Name: Ndisuio

Module Base: B28B4000

Module End: B28B8000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys

Service Name: wdmaud

Module Base: B24BB000

Module End: B24D0000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys

Service Name: sysaudio

Module Base: BA2D8000

Module End: BA2E7000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\kmixer.sys

Service Name: kmixer

Module Base: B246D000

Module End: B2498000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS

Service Name: Cdfs

Module Base: B27F8000

Module End: B2808000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\srv.sys

Service Name: Srv

Module Base: B20FB000

Module End: B2153000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

Service Name: mdmxsdk

Module Base: B2187000

Module End: B218B000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

Service Name: IpFilterDriver

Module Base: B20C3000

Module End: B20CC000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys

Service Name: HTTP

Module Base: B1CFA000

Module End: B1D3B000

Hidden: No

******************************************************************************************

No SSDT Hooks found

******************************************************************************************

No Kernel Hooks found

******************************************************************************************

Hidden files/folders:

Object: C:\Qoobox\BackEnv\AppData.folder.dat

Status: Access denied

Object: C:\Qoobox\BackEnv\Cache.folder.dat

Status: Access denied

Object: C:\Qoobox\BackEnv\Cookies.folder.dat

Status: Access denied

Object: C:\Qoobox\BackEnv\Desktop.folder.dat

Status: Access denied

Object: C:\Qoobox\BackEnv\Favorites.folder.dat

Status: Access denied

Object: C:\Qoobox\BackEnv\History.folder.dat

Status: Access denied

Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat

Status: Access denied

Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat

Status: Access denied

Object: C:\Qoobox\BackEnv\Music.folder.dat

Status: Access denied

Object: C:\Qoobox\BackEnv\NetHood.folder.dat

Status: Access denied

Object: C:\Qoobox\BackEnv\Personal.folder.dat

Status: Access denied

Object: C:\Qoobox\BackEnv\Pictures.folder.dat

Status: Access denied

Object: C:\Qoobox\BackEnv\PrintHood.folder.dat

Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.dat

Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat

Status: Access denied

Object: C:\Qoobox\BackEnv\Programs.folder.dat

Status: Access denied

Object: C:\Qoobox\BackEnv\Recent.folder.dat

Status: Access denied

Object: C:\Qoobox\BackEnv\SendTo.folder.dat

Status: Access denied

Object: C:\Qoobox\BackEnv\SetPath.bat

Status: Access denied

Object: C:\Qoobox\BackEnv\StartMenu.folder.dat

Status: Access denied

Object: C:\Qoobox\BackEnv\StartUp.folder.dat

Status: Access denied

Object: C:\Qoobox\BackEnv\SysPath.dat

Status: Access denied

Object: C:\Qoobox\BackEnv\Templates.folder.dat

Status: Access denied

Object: C:\Qoobox\BackEnv\VikPev00

Status: Access denied

Superdave · January 2, 2012

ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan

* Click the ESET Online Scanner button.

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop

* Double click on the esetsmartinstaller_enu.exe icon on your desktop.

* Place a check mark next to YES, I accept the Terms of Use.

* Click the Start button.

* Accept any security warnings from your browser.

* Leave the check mark next to Remove found threats and place a check next to Scan archives.

* Click the Start button.

* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.

* When the scan completes, click List of found threats.

* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.

* Click the Back button then click Finish.

In your next reply please include the ESET Online Scan Log

Melvin_Deal · January 2, 2012

Hi imaginashawn and Superdave!

As Dave is still advising you concerning any possible Malware, please don't follow my advisement until he says its O.K.!

This is hardware related and should not affect his process.

I have researched and some of the Intel chipsets on earlier motherboards can go into a mode whereby the device(s) they manage cease to function under the Windows platform that they were built... they will have power and will charge a device but Windows will not recognize the device. A simple main power reset may solve the problem (from what I've seen about a 5% probability... 1 in 20).

To do this shut down the machine... then after it has shut down... Unplug it from the AC socket. Unplug the machine. Then wait at least 5 minutes to allow for discharge of trace electrical charges (10 mins is preferable). Then plug back in and re-start. This will reset the chipsets to defaults.

Easy enough to try!

Please wait for Dave to say when it is ok for you to do this. It is important not to Hijack the Malware removal process!

I also discovered another possible fix (I give it about a 15% probability) but it involves external software and Dave must certainly release before that!

Sincerely,

-Mel

Live long and prosper!

imaginashawn · January 2, 2012

Esetscan

Note: Thank you Dave and Melvin for all your work. Happy New Year!

The different tools find different malware but so far, I still have the problem.

C:\Documents and Settings\HP_Owner\My Documents\Downloads\imf-setup.exe a variant of Win32/Toolbar.Widgi application deleted - quarantined

C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP302\A0067665.exe a variant of Win32/Toolbar.Widgi application deleted - quarantined

C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP302\A0067669.exe a variant of Win32/Toolbar.Widgi application deleted - quarantined

C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP302\A0067671.exe a variant of Win32/Toolbar.Widgi application deleted - quarantined

C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP307\A0074086.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined

C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP307\A0074098.exe a variant of Win32/Toolbar.Widgi application deleted - quarantined

D:\I386\APPS\APP07618\src\CompaqPresario_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application deleted - quarantined

D:\I386\APPS\APP07618\src\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application deleted - quarantined

D:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP314\A0080192.exe a variant of Win32/Toolbar.MyWebSearch application deleted - quarantined

D:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP314\A0080193.exe a variant of Win32/Toolbar.MyWebSearch application deleted - quarantined

Superdave · January 2, 2012

Please use your Device Manager to see if there are any yellow warning signs on any of your devices. It looks like a hardware problem. You can go ahead and follow Melvin's advice.

imaginashawn · January 2, 2012

Thank you Dave!

Thank you Dave for all your help. I expanded everything in the whole tree and did not find any warning sign (yellow triangle with exclamation point). Attached is a snapshot of the USB section and Device Status for all USB items say 'The device is working properly'.

I appreciate you taking your time to try and help me with this matter. I understand that just because device manager says everything is fine, that doesn't mean I don't have a hardware problem. If I can't resolve this problem soon, I will get another board. Question: If I format the hard drive with Darells

Boot and Nuke or Gparted (verified with check sum and burned ISO) do you think it would be safe to reuse the hard drive?

Thanks again. I will see what suggestions Melvin has.

P.S. Thank you for reminding me to Uninstall Utorrent. I had decided not to take advantage of file sharing anymore due to the fact that I believe it's at least partly to blame the declining quality of our entertainment.

USB Disk Guard Ability

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Archived