
Active unknown virus blocking virus protection programs

Discussion in 'Malware and Virus Removal Archive' started by imandy, 2009/04/29.

  1. 2009/04/29
    imandy Inactive Thread Starter

    [Active] unknown virus blocking virus protection programs

    Hi

    I encountered a virus last night and all of a sudden my Symantec Endpoint Protection program shut down (the antivirus and antispyware protection & proactive threat protection were turned off and can't be turned on). I also have another program called Ad-Aware which I used, and it found 1-2 unknown viruses/malware. It would try to remove it, but when I check again, it'll come up again.

    Can anyone help me?

    I tried using the HijackThis program but it's also being blocked. The only thing I can use is Malwarebytes' Anti-Malware.

    Thanks
     
  2. 2009/04/29
    PeteC SuperGeek Staff

    There is an announcement at the head of the forum .....

    *** READ THIS BEFORE POSTING IN THIS FORUM ***

    Please read and post the logs requested in this thread.

    If you cannot download the software on the infected computer, download it on another and transfer it across.

    If it will not run, rename the .exe file and try again.

    If still no success, rename hijackthis.exe to anything, such as imandy.exe, and it may run.
     


  4. 2009/04/29
    imandy Inactive Thread Starter

    Thanks. Here's the logfile.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:29:46 PM, on 4/29/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Mandy\My Documents\amanda.exe
    C:\WINDOWS\system32\HPZipm12.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.freeze.com/?AcquisitionID=2fa3db99-5388-42d6-8831-8462104dad83&s=&ipc=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.9.0\IEViewBar.dll
    O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe "
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe "
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe "
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe "
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe "
    O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe "
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    O4 - HKLM\..\Run: [brastia] brastia.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe "
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [brastia] C:\WINDOWS\system32\brastia.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - https://register.resnet.stonybrook.edu/CAT/CNICAT.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://pdc.resnet.stonybrook.edu/sav/webinst.cab
    O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 9702 bytes
     
  5. 2009/04/29
    PeteC SuperGeek Staff

    Thanks :)

    One of our trained malware analysts will take a look at your logs ASAP, but it may be a day or so before you get a response as they are always very busy. All logs are dealt with in the order received.

    Thank you for your patience.

    Note ....

    As a new member with less than 10 posts any post you make which contains a URL requires approval (moderation) before it is visible.
     
  6. 2009/05/08
    Geri Inactive Alumni

    Hi
    Sorry for the delay.

    Download ComboFix from Here

    Before saving it, rename it to Mobofcix.exe, then download it to your Desktop.

    Please run it this way.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post the Combofix log
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    If that works post the Combofix log.

    Thanks
    Geri
     
  7. 2009/05/09
    imandy Inactive Thread Starter

    ComboFix 09-05-08.03 - Mandy 05/09/2009 22:44.4 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1006.585 [GMT -4:00]
    Running from: c:\documents and settings\Mandy\Desktop\Mobofcix.exe
    AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated)
    FW: COMODO Firewall Pro *disabled*
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Mandy\Application Data\wiaserva.log
    c:\windows\f23567.dat
    c:\windows\freddy42.exe
    c:\windows\ld08.exe
    c:\windows\st_1241768045.exe
    c:\windows\st_1241786493.exe
    c:\windows\st_1241857961.exe
    c:\windows\st_1241876402.exe
    c:\windows\system32\a9k.bin
    c:\windows\system32\drivers\mrxdavv.sys
    c:\windows\system32\kwave.sys
    c:\windows\system32\wbem\grpconv.exe
    c:\windows\Sysvxd.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_new_drv


    ((((((((((((((((((((((((( Files Created from 2009-04-10 to 2009-05-10 )))))))))))))))))))))))))))))))
    .

    2009-05-10 01:19 . 2009-05-10 01:19 2 ---h--w c:\windows\t55ft2668f44.dat
    2009-05-08 09:14 . 2009-05-08 09:14 -------- d-----w c:\program files\Gpotato
    2009-05-06 17:46 . 2009-05-06 17:46 2 ---h--w c:\windows\t55ft2692f44.dat
    2009-05-06 02:08 . 2009-05-06 02:08 -------- d-----w c:\program files\iPod
    2009-05-06 02:08 . 2009-05-06 02:09 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    2009-05-06 02:08 . 2009-05-06 02:09 -------- d-----w c:\program files\iTunes
    2009-05-01 08:19 . 2009-05-01 08:19 -------- d-----w c:\documents and settings\Mandy\Application Data\uniblue
    2009-05-01 06:57 . 2009-05-01 06:57 -------- d-----w c:\program files\Uniblue
    2009-05-01 06:46 . 2009-05-01 06:46 171304 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2009-05-01 06:45 . 2009-05-01 06:45 -------- d-----w c:\windows\system32\XPSViewer
    2009-05-01 06:45 . 2009-05-01 06:45 -------- d-----w c:\program files\MSBuild
    2009-05-01 06:45 . 2009-05-01 06:45 -------- d-----w c:\program files\Reference Assemblies
    2009-05-01 06:44 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
    2009-05-01 06:44 . 2008-07-06 12:06 89088 ------w c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2009-05-01 06:44 . 2008-07-06 10:50 597504 ------w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2009-05-01 06:44 . 2008-07-06 12:06 575488 ------w c:\windows\system32\dllcache\xpsshhdr.dll
    2009-05-01 06:44 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
    2009-05-01 06:44 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\dllcache\xpssvcs.dll
    2009-05-01 06:44 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
    2009-05-01 06:44 . 2009-05-01 06:45 -------- d-----w C:\a473913bcfe8b358447af3a915
    2009-05-01 06:36 . 2009-05-01 06:36 -------- d--h--r C:\AHCache
    2009-05-01 02:19 . 2009-04-29 09:05 8768 ----a-w c:\windows\system32\drivers\tifm.sys
    2009-05-01 01:43 . 2009-05-01 01:43 -------- d-----w c:\documents and settings\Mandy\Application Data\SuperAdBlocker.com
    2009-05-01 01:42 . 2009-05-01 02:23 -------- d-----w c:\program files\SuperAdBlocker.com
    2009-05-01 01:38 . 2009-05-01 01:38 -------- d-----w c:\documents and settings\Mandy\Local Settings\Application Data\Downloaded Installations
    2009-04-29 20:14 . 2009-04-29 20:14 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
    2009-04-29 09:06 . 2009-04-29 09:06 6407 ----a-w c:\windows\system32\krncode.dat
    2009-04-29 09:06 . 2009-04-29 09:06 1575 ----a-w c:\windows\system32\pwrcode.dat
    2009-04-29 09:06 . 2009-04-29 09:06 19196 ----a-w c:\windows\system32\wincode.dat
    2009-04-29 09:06 . 2008-04-14 00:12 17408 ----a-w c:\windows\system32\osysp.dat
    2009-04-29 09:06 . 2009-03-21 14:06 989696 ----a-w c:\windows\system32\osysk.dat
    2009-04-29 09:05 . 2009-03-03 00:18 826368 ----a-w c:\windows\system32\osysw.dat
    2009-04-29 09:05 . 2009-04-29 09:05 8768 ----a-w c:\windows\system32\dbbin.sys
    2009-04-29 09:05 . 2009-04-29 09:05 4707 ----a-w c:\windows\system32\z98a.bin
    2009-04-14 19:16 . 2009-04-27 23:07 15688 ----a-w c:\windows\system32\lsdelete.exe
    2009-04-14 18:05 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
    2009-04-14 18:05 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
    2009-04-14 18:05 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
    2009-04-14 18:05 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
    2009-04-14 18:05 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
    2009-04-14 18:05 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
    2009-04-14 18:05 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
    2009-04-14 18:05 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
    2009-04-14 18:05 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
    2009-04-14 18:05 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
    2009-04-14 18:03 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
    2009-04-14 18:03 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-05-06 02:08 . 2007-11-24 16:04 -------- d-----w c:\program files\Common Files\Apple
    2009-05-06 01:47 . 2008-12-07 18:09 -------- d-----w c:\program files\QuickTime Alternative
    2009-05-01 06:56 . 2006-05-27 15:20 78096 ----a-w c:\documents and settings\Mandy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-04-27 23:06 . 2009-04-06 23:04 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
    2009-04-06 22:46 . 2008-05-01 07:33 -------- d-----w c:\program files\Lavasoft
    2009-04-06 19:40 . 2006-05-04 10:33 -------- d-----w c:\program files\Java
    2009-04-05 05:21 . 2009-04-05 05:21 -------- d-----w c:\program files\Bonjour
    2009-03-31 07:05 . 2007-05-07 00:35 -------- d-----w c:\program files\DC++
    2009-03-29 07:26 . 2009-03-29 07:26 -------- d-----w c:\program files\Microsoft
    2009-03-29 07:25 . 2009-03-29 07:25 -------- d-----w c:\program files\Windows Live SkyDrive
    2009-03-29 07:25 . 2008-02-23 20:54 -------- d-----w c:\program files\Windows Live
    2009-03-29 07:23 . 2009-03-29 07:23 -------- d-----w c:\program files\Common Files\Windows Live
    2009-03-19 20:32 . 2008-12-08 17:28 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
    2009-03-09 09:19 . 2009-02-28 19:36 410984 ----a-w c:\windows\system32\deploytk.dll
    2009-03-06 14:22 . 2004-08-10 17:51 284160 ----a-w c:\windows\system32\pdh.dll
    2009-03-06 03:59 . 2009-04-05 05:45 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
    2009-03-06 03:59 . 2007-11-24 16:05 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
    2009-03-03 00:18 . 2004-08-10 17:51 826368 ----a-w c:\windows\system32\wininet.dll
    2009-02-23 01:51 . 2009-02-23 01:51 60800 ----a-w c:\windows\system32\S32EVNT1.DLL
    2009-02-23 01:51 . 2009-02-23 01:51 123952 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
    2009-02-20 18:09 . 2004-08-10 17:51 78336 ----a-w c:\windows\system32\ieencode.dll
    2009-02-09 12:10 . 2004-08-10 17:51 729088 ----a-w c:\windows\system32\lsasrv.dll
    2009-02-09 12:10 . 2004-08-10 17:51 401408 ----a-w c:\windows\system32\rpcss.dll
    2009-02-09 12:10 . 2004-08-10 17:51 714752 ----a-w c:\windows\system32\ntdll.dll
    2009-02-09 12:10 . 2004-08-10 17:50 617472 ----a-w c:\windows\system32\advapi32.dll
    2009-02-09 11:13 . 2004-08-10 17:51 1846784 ----a-w c:\windows\system32\win32k.sys
    2006-10-01 02:44 . 2006-07-31 01:50 88 --sh--r c:\windows\system32\024D3846D7.sys
    2007-08-13 20:30 . 2006-09-21 20:45 56 -csh--r c:\windows\system32\D746384D02.sys
    2007-08-13 20:31 . 2006-07-31 01:50 6372 -csha-w c:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SYS32DLL "= "SYS32DLL" [X]
    "ISUSPM "= "c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
    "DellSupport "= "c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh "= "c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
    "ISUSScheduler "= "c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
    "ISUSPM Startup "= "c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
    "IntelWireless "= "c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
    "IntelliPoint "= "c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
    "igfxtray "= "c:\windows\system32\igfxtray.exe" [2005-07-20 94208]
    "igfxpers "= "c:\windows\system32\igfxpers.exe" [2005-07-20 114688]
    "igfxhkcmd "= "c:\windows\system32\hkcmd.exe" [2005-07-20 77824]
    "HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
    "dscactivate "= "c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
    "dla "= "c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
    "DellSupportCenter "= "c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
    "ccApp "= "c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-20 115560]
    "QuickTime Task "= "c:\program files\QuickTime Alternative\qttask.exe" [2009-01-05 413696]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-4 24576]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "EnableProfileQuota "= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    2004-09-07 21:08 110592 ----a-w c:\program files\Intel\Wireless\Bin\LgNotify.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll schannel.dll digest.dll msnsspc.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tifm.sys]
    @= "Driver "

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Mandy^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=c:\documents and settings\Mandy\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=c:\windows\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe "=
    "c:\\Program Files\\DC++\\DCPlusPlus.exe "=
    "c:\\Program Files\\AIM6\\aim6.exe "=
    "c:\\Program Files\\mIRC\\mirc.exe "=
    "c:\\Program Files\\AIM6\\aolsoftware.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe "=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE "=
    "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe "=
    "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest "= 1 (0x1)

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/6/2009 7:04 PM 64160]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/7/2009 11:33 PM 24652]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/3/2009 3:24 AM 101936]
    S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys --> c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [?]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 953168]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [10/20/2008 11:28 AM 23888]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    \Shell\AutoRun\command - F:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78d993e1-893e-11dd-95a0-00166f854f81}]
    \Shell\AutoRun\command - F:\LaunchU3.exe -a
    .
    Contents of the 'Scheduled Tasks' folder

    2009-04-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 23:06]

    2009-04-02 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-sysfbtray - c:\windows\freddy42.exe
    HKLM-Run-brastia - brastia.exe
    SafeBoot-RimUsb.sys
    SafeBoot-Symantec Antvirus


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://my.freeze.com/?AcquisitionID=2fa3db99-5388-42d6-8831-8462104dad83&s=&ipc=
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
    uInternet Settings,ProxyOverride = *.local;<local>
    uInternet Settings,ProxyServer = http=localhost:7171
    DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} - hxxps://register.resnet.stonybrook.edu/CAT/CNICAT.cab
    DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} - hxxp://pdc.resnet.stonybrook.edu/sav/webinst.cab
    FF - ProfilePath - c:\documents and settings\Mandy\Application Data\Mozilla\Firefox\Profiles\1f5usaed.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-veoh&p=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-veoh&p=
    FF - prefs.js: network.proxy.http - localhost
    FF - prefs.js: network.proxy.http_port - 7171
    FF - prefs.js: network.proxy.type - 4
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin2.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin3.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin4.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin5.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin6.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin7.dll
    FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
    FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
    FF - user.js: general.useragent.extra.zencast - .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-05-09 22:53
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(988)
    c:\program files\Intel\Wireless\Bin\LgNotify.dll

    - - - - - - - > 'explorer.exe'(2740)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
    c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
    c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
    c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\program files\Dell Support Center\bin\sprtsvc.exe
    c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    c:\program files\HP\Digital Imaging\bin\hpqste08.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-05-10 22:59 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-05-10 02:59
    ComboFix2.txt 2009-01-05 23:29
    ComboFix3.txt 2009-01-05 23:23
    ComboFix4.txt 2009-01-04 22:00

    Pre-Run: 41,974,476,800 bytes free
    Post-Run: 42,620,313,600 bytes free

    296 --- E O F --- 2009-05-02 07:02
     
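One detail worth pulling out of a ComboFix "Supplementary Scan" section like the one above is the browser proxy configuration: both the IE setting (`ProxyServer = http=localhost:7171`) and the Firefox prefs (`network.proxy.http - localhost`, port 7171) point at the loopback interface, which, when in effect, routes all browser traffic through a process on the machine itself. The check below is an added example, not code from this thread or from ComboFix; it reads the log lines above (embedded as a constructed sample) and reports every proxy setting that targets loopback, noting for Firefox whether the manual proxy is even selected. The control lines naming `proxy.corp.example` are constructed.

```python
import re
from typing import Dict, List

# Constructed sample: the proxy-related lines from the ComboFix
# "Supplementary Scan" section above, plus one benign homepage line.
SAMPLE_LINES = [
    "uStart Page = hxxp://www.dell.com/",
    "uInternet Settings,ProxyServer = http=localhost:7171",
    "uInternet Settings,ProxyOverride = *.local;<local>",
    "FF - prefs.js: network.proxy.http - localhost",
    "FF - prefs.js: network.proxy.http_port - 7171",
    "FF - prefs.js: network.proxy.type - 4",
]

# Constructed control sample: a proxy that points at a (hypothetical)
# corporate host rather than the loopback interface.
CLEAN_LINES = [
    "uInternet Settings,ProxyServer = proxy.corp.example:8080",
    "FF - prefs.js: network.proxy.http - proxy.corp.example",
    "FF - prefs.js: network.proxy.http_port - 8080",
    "FF - prefs.js: network.proxy.type - 1",
]

LOOPBACK_RE = re.compile(r"^(localhost|127(?:\.\d{1,3}){3}|::1)$", re.IGNORECASE)
IE_PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.+)$")
FF_PREF_RE = re.compile(r"^FF - prefs\.js:\s*(network\.proxy\.\w+)\s*-\s*(.+)$")
# An IE ProxyServer value is either "host:port" or a ';'-separated list of
# "protocol=host:port" entries; this matches each endpoint in either form.
ENDPOINT_RE = re.compile(r"(?:(?P<proto>\w+)=)?(?P<host>[^:;=\s]+):(?P<port>\d+)")

# Meaning of network.proxy.type in Firefox; only 1 applies the manual
# host/port prefs, so a loopback host under another type is dormant.
FF_PROXY_TYPES = {0: "direct", 1: "manual", 2: "pac", 4: "auto-detect", 5: "system"}


def is_loopback(host: str) -> bool:
    """True for hosts that resolve to the machine itself."""
    return bool(LOOPBACK_RE.match(host.strip()))


def find_loopback_proxies(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per browser proxy setting that points at loopback."""
    findings: List[Dict[str, str]] = []
    ff_prefs: Dict[str, str] = {}
    for raw in lines:
        line = raw.strip()
        m = IE_PROXY_RE.match(line)
        if m:
            for ep in ENDPOINT_RE.finditer(m.group(1)):
                if is_loopback(ep.group("host")):
                    findings.append({
                        "component": "ie",
                        "protocol": ep.group("proto") or "all",
                        "host": ep.group("host"),
                        "port": ep.group("port"),
                        # ComboFix does not print ProxyEnable, so whether IE
                        # honours this value cannot be decided from the log.
                        "active": "unknown",
                    })
            continue
        m = FF_PREF_RE.match(line)
        if m:
            ff_prefs[m.group(1)] = m.group(2).strip()

    host = ff_prefs.get("network.proxy.http", "")
    if host and is_loopback(host):
        type_str = ff_prefs.get("network.proxy.type", "0")
        ptype = int(type_str) if type_str.isdigit() else -1
        findings.append({
            "component": "firefox",
            "protocol": "http",
            "host": host,
            "port": ff_prefs.get("network.proxy.http_port", "?"),
            "active": "yes" if ptype == 1
                      else "no (proxy type %s)" % FF_PROXY_TYPES.get(ptype, type_str),
        })
    return findings


if __name__ == "__main__":
    for finding in find_loopback_proxies(SAMPLE_LINES):
        print(finding)
```

A loopback proxy is not malicious by itself (some privacy and ad-blocking tools install one, and the thread's own log shows Super Ad Blocker and a McAfee popup-blocker entry), so the output is a review list, not a verdict: the analyst still has to identify which local process is listening on the port.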
  8. 2009/05/10
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK please run Malwarebytes Antimalware.

    Make sure you update it before running a scan, and let it delete anything it finds.

    Please post the MBAM log.

    Thanks
    Geri
     
  9. 2009/05/10
    imandy

    imandy Inactive Thread Starter

    Joined:
    2008/08/18
    Messages:
    48
    Likes Received:
    0
    Malwarebytes' Anti-Malware 1.25
    Database version: 1066
    Windows 5.1.2600 Service Pack 3

    6:59:33 PM 5/10/2009
    mbam-log-05-10-2009 (18-59-33).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 135127
    Time elapsed: 1 hour(s), 11 minute(s), 21 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.
     
  10. 2009/05/11
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK please do this.

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.
    Code:
    File::
    c:\windows\t55ft2668f44.dat
    c:\windows\t55ft2692f44.dat
    c:\windows\system32\krncode.dat
    c:\windows\system32\pwrcode.dat
    c:\windows\system32\wincode.dat
    c:\windows\system32\osysp.dat
    c:\windows\system32\osysk.dat
    c:\windows\system32\osysw.dat
    c:\windows\system32\dbbin.sys
    c:\windows\system32\z98a.bin
    Now please do this.
    Jotti File Submission:

    • Please go to Jotti's malware scan
    • Copy and paste the following file paths into the "File to upload & scan" box at the top of the page, one at a time:
      • C:\WINDOWS\SYSTEM32\kernel32.dll
        C:\WINDOWS\SYSTEM32\powrprof.dll
        C:\WINDOWS\SYSTEM32\wininet.dll
        C:\WINDOWS\SYSTEM32\dllcache\kernel32.dll
        C:\WINDOWS\SYSTEM32\dllcache\powrprof.dll
        C:\WINDOWS\SYSTEM32\dllcache\wininet.dll
    • Click on the submit button
    • Please post the results in your next reply.

    Please post the Combofix log and the Jotti results.

    Thanks
    Geri
     
  11. 2009/05/19
    imandy

    imandy Inactive Thread Starter

    Joined:
    2008/08/18
    Messages:
    48
    Likes Received:
    0
    ComboFix 09-05-19.08 - Mandy 05/19/2009 23:40.6 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1006.616 [GMT -4:00]
    Running from: c:\documents and settings\Mandy\Desktop\Mobofcix.exe
    Command switches used :: c:\documents and settings\Mandy\Desktop\CFScript.txt
    AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    FW: COMODO Firewall Pro *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
    * Created a new restore point

    FILE ::
    c:\windows\system32\dbbin.sys
    c:\windows\system32\krncode.dat
    c:\windows\system32\osysk.dat
    c:\windows\system32\osysp.dat
    c:\windows\system32\osysw.dat
    c:\windows\system32\pwrcode.dat
    c:\windows\system32\wincode.dat
    c:\windows\system32\z98a.bin
    c:\windows\t55ft2668f44.dat
    c:\windows\t55ft2692f44.dat
    .

    ((((((((((((((((((((((((( Files Created from 2009-04-20 to 2009-05-20 )))))))))))))))))))))))))))))))
    .

    2009-05-12 11:54 . 2009-05-12 11:54 107848 ----a-w c:\windows\system32\SymVPN.dll
    2009-05-12 11:54 . 2009-05-12 11:54 49480 ----a-w c:\windows\system32\FwsVpn.dll
    2009-05-12 11:54 . 2009-05-12 11:54 43824 ----a-w c:\windows\system32\drivers\srtspx.sys
    2009-05-12 11:54 . 2009-05-12 11:54 319792 ----a-w c:\windows\system32\drivers\srtspl.sys
    2009-05-12 11:54 . 2009-05-12 11:54 280112 ----a-w c:\windows\system32\drivers\srtsp.sys
    2009-05-08 09:14 . 2009-05-08 09:14 -------- d-----w c:\program files\Gpotato
    2009-05-06 02:08 . 2009-05-06 02:08 -------- d-----w c:\program files\iPod
    2009-05-06 02:08 . 2009-05-06 02:09 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    2009-05-06 02:08 . 2009-05-06 02:09 -------- d-----w c:\program files\iTunes
    2009-05-01 08:19 . 2009-05-01 08:19 -------- d-----w c:\documents and settings\Mandy\Application Data\uniblue
    2009-05-01 06:57 . 2009-05-01 06:57 -------- d-----w c:\program files\Uniblue
    2009-05-01 06:45 . 2009-05-01 06:45 -------- d-----w c:\windows\system32\XPSViewer
    2009-05-01 06:45 . 2009-05-01 06:45 -------- d-----w c:\program files\MSBuild
    2009-05-01 06:45 . 2009-05-01 06:45 -------- d-----w c:\program files\Reference Assemblies
    2009-05-01 06:44 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
    2009-05-01 06:44 . 2008-07-06 12:06 89088 ------w c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2009-05-01 06:44 . 2008-07-06 10:50 597504 ------w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2009-05-01 06:44 . 2008-07-06 12:06 575488 ------w c:\windows\system32\dllcache\xpsshhdr.dll
    2009-05-01 06:44 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
    2009-05-01 06:44 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\dllcache\xpssvcs.dll
    2009-05-01 06:44 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
    2009-05-01 06:44 . 2009-05-01 06:45 -------- d-----w C:\a473913bcfe8b358447af3a915
    2009-05-01 06:36 . 2009-05-01 06:36 -------- d--h--r C:\AHCache
    2009-05-01 01:43 . 2009-05-01 01:43 -------- d-----w c:\documents and settings\Mandy\Application Data\SuperAdBlocker.com
    2009-05-01 01:42 . 2009-05-01 02:23 -------- d-----w c:\program files\SuperAdBlocker.com
    2009-05-01 01:38 . 2009-05-01 01:38 -------- d-----w c:\documents and settings\Mandy\Local Settings\Application Data\Downloaded Installations
    2009-04-29 20:14 . 2009-04-29 20:14 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Symantec

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-05-12 12:06 . 2006-09-03 23:24 -------- d-----w c:\program files\Symantec
    2009-05-12 12:06 . 2009-02-23 01:51 60800 ----a-w c:\windows\system32\S32EVNT1.DLL
    2009-05-12 12:06 . 2009-02-23 01:51 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
    2009-05-12 12:06 . 2009-02-23 01:51 123952 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
    2009-05-12 12:06 . 2009-02-23 01:51 10563 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
    2009-05-12 12:04 . 2006-09-03 23:24 -------- d-----w c:\program files\Common Files\Symantec Shared
    2009-05-12 11:54 . 2009-05-12 11:54 8390 ----a-w c:\windows\system32\drivers\srtspx.cat
    2009-05-12 11:54 . 2009-05-12 11:54 1421 ----a-w c:\windows\system32\drivers\srtspx.inf
    2009-05-12 11:54 . 2009-05-12 11:54 8390 ----a-w c:\windows\system32\drivers\srtspl.cat
    2009-05-12 11:54 . 2009-05-12 11:54 1430 ----a-w c:\windows\system32\drivers\srtspl.inf
    2009-05-12 11:54 . 2009-05-12 11:54 8386 ----a-w c:\windows\system32\drivers\srtsp.cat
    2009-05-12 11:54 . 2009-05-12 11:54 1415 ----a-w c:\windows\system32\drivers\srtsp.inf
    2009-05-10 21:57 . 2006-05-27 15:20 78488 ----a-w c:\documents and settings\Mandy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-06 02:08 . 2007-11-24 16:04 -------- d-----w c:\program files\Common Files\Apple
    2009-05-06 01:47 . 2008-12-07 18:09 -------- d-----w c:\program files\QuickTime Alternative
    2009-04-27 23:07 . 2009-04-14 19:16 15688 ----a-w c:\windows\system32\lsdelete.exe
    2009-04-27 23:06 . 2009-04-06 23:04 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
    2009-04-06 22:46 . 2008-05-01 07:33 -------- d-----w c:\program files\Lavasoft
    2009-04-06 19:40 . 2006-05-04 10:33 -------- d-----w c:\program files\Java
    2009-04-05 05:21 . 2009-04-05 05:21 -------- d-----w c:\program files\Bonjour
    2009-03-31 07:05 . 2007-05-07 00:35 -------- d-----w c:\program files\DC++
    2009-03-29 07:26 . 2009-03-29 07:26 -------- d-----w c:\program files\Microsoft
    2009-03-29 07:25 . 2009-03-29 07:25 -------- d-----w c:\program files\Windows Live SkyDrive
    2009-03-29 07:25 . 2008-02-23 20:54 -------- d-----w c:\program files\Windows Live
    2009-03-29 07:23 . 2009-03-29 07:23 -------- d-----w c:\program files\Common Files\Windows Live
    2009-03-19 20:32 . 2008-12-08 17:28 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
    2009-03-09 09:19 . 2009-02-28 19:36 410984 ----a-w c:\windows\system32\deploytk.dll
    2009-03-06 14:22 . 2004-08-10 17:51 284160 ----a-w c:\windows\system32\pdh.dll
    2009-03-06 03:59 . 2009-04-05 05:45 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
    2009-03-06 03:59 . 2007-11-24 16:05 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
    2009-03-03 00:18 . 2004-08-10 17:51 826368 ----a-w c:\windows\system32\wininet.dll
    2009-02-20 18:09 . 2004-08-10 17:51 78336 ----a-w c:\windows\system32\ieencode.dll
    2006-10-01 02:44 . 2006-07-31 01:50 88 --sh--r c:\windows\system32\024D3846D7.sys
    2007-08-13 20:30 . 2006-09-21 20:45 56 -csh--r c:\windows\system32\D746384D02.sys
    2007-08-13 20:31 . 2006-07-31 01:50 6372 -csha-w c:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( SnapShot_2009-05-13_19.39.56 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-05-20 01:34 . 2009-05-20 01:34 16384 c:\windows\Temp\Perflib_Perfdata_6fc.dat
    + 2009-05-20 01:22 . 2009-05-20 01:22 16384 c:\windows\Temp\Perflib_Perfdata_38c.dat
    - 2009-02-25 22:52 . 2009-05-12 23:55 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2009-02-25 22:52 . 2009-05-19 20:38 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2006-05-14 00:11 . 2009-05-19 20:38 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2006-05-14 00:11 . 2009-05-12 23:55 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2006-05-14 00:11 . 2009-05-19 20:38 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
    - 2006-05-14 00:11 . 2009-05-12 23:55 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2006-05-27 15:13 . 2009-05-07 07:16 24699336 c:\windows\system32\MRT.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM "= "c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
    "DellSupport "= "c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "Aim6 "= "c:\program files\AIM6\aim6.exe" [2008-10-31 50480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh "= "c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
    "ISUSScheduler "= "c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
    "ISUSPM Startup "= "c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
    "IntelWireless "= "c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
    "IntelliPoint "= "c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
    "igfxtray "= "c:\windows\system32\igfxtray.exe" [2005-07-20 94208]
    "igfxpers "= "c:\windows\system32\igfxpers.exe" [2005-07-20 114688]
    "igfxhkcmd "= "c:\windows\system32\hkcmd.exe" [2005-07-20 77824]
    "HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
    "dscactivate "= "c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
    "dla "= "c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
    "DellSupportCenter "= "c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
    "ccApp "= "c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-05-12 115560]
    "QuickTime Task "= "c:\program files\QuickTime Alternative\qttask.exe" [2009-01-05 413696]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-4 24576]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "EnableProfileQuota "= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    2004-09-07 21:08 110592 ----a-w c:\program files\Intel\Wireless\Bin\LgNotify.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll schannel.dll digest.dll msnsspc.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @= "Service "

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Mandy^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=c:\documents and settings\Mandy\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=c:\windows\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe "=
    "c:\\Program Files\\DC++\\DCPlusPlus.exe "=
    "c:\\Program Files\\AIM6\\aim6.exe "=
    "c:\\Program Files\\mIRC\\mirc.exe "=
    "c:\\Program Files\\AIM6\\aolsoftware.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe "=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE "=
    "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe "=
    "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest "= 1 (0x1)

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/6/2009 7:04 PM 64160]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 953168]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/7/2009 11:33 PM 24652]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/3/2009 3:24 AM 101936]
    S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys --> c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [?]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [10/20/2008 11:28 AM 23888]
    S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe --> c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-05-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 23:06]

    2009-04-02 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://my.freeze.com/?AcquisitionID=2fa3db99-5388-42d6-8831-8462104dad83&s=&ipc=
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
    uInternet Settings,ProxyServer = http=localhost:7171
    uInternet Settings,ProxyOverride = *.local;<local>
    DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} - hxxps://register.resnet.stonybrook.edu/CAT/CNICAT.cab
    DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} - hxxp://pdc.resnet.stonybrook.edu/sav/webinst.cab
    FF - ProfilePath - c:\documents and settings\Mandy\Application Data\Mozilla\Firefox\Profiles\1f5usaed.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-veoh&p=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-veoh&p=
    FF - prefs.js: network.proxy.http - localhost
    FF - prefs.js: network.proxy.http_port - 7171
    FF - prefs.js: network.proxy.type - 4
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin2.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin3.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin4.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin5.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin6.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin7.dll
    FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
    FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
    FF - user.js: general.useragent.extra.zencast - .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-05-19 23:44
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(980)
    c:\program files\Intel\Wireless\Bin\LgNotify.dll
    c:\windows\system32\igfxdev.dll

    - - - - - - - > 'explorer.exe'(2216)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\program files\WinRAR\rarext.dll
    c:\program files\Common Files\Viewpoint\Toolbar Runtime\3.9.0\FotomatShellExt.dll
    c:\program files\Malwarebytes' Anti-Malware\mbamext.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
    c:\program files\Lavasoft\Ad-Aware\ShellExt.dll
    c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
    c:\windows\system32\igfxpph.dll
    c:\windows\system32\hccutils.DLL
    c:\windows\system32\igfxres.dll
    c:\windows\system32\igfxress.dll
    c:\windows\system32\igfxsrvc.dll
    .
    Completion time: 2009-05-20 23:49
    ComboFix-quarantined-files.txt 2009-05-20 03:49
    ComboFix2.txt 2009-05-13 19:49
    ComboFix3.txt 2009-05-10 02:59
    ComboFix4.txt 2009-01-05 23:29
    ComboFix5.txt 2009-05-20 03:39

    Pre-Run: 42,409,742,336 bytes free
    Post-Run: 42,399,105,024 bytes free

    266 --- E O F --- 2009-05-14 07:27


    Jotti's malware scan:

    Filename: kernel32.dll
    Status:
    Scan finished. 0 out of 20 scanners reported malware.
    Scan taken on: Wed 13 May 2009 22:16:24 (CET)
    File size: 989696 bytes
    Filetype: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
    MD5: b921fb870c9ac0d509b2ccabbbbe95f3
    SHA1: c88d57cc99f75cd928b47b6e444231f26670138f

    Filename: powrprof.dll
    Status:
    Scan finished. 0 out of 20 scanners reported malware.
    Scan taken on: Wed 13 May 2009 22:14:38 (CET)
    File size: 17408 bytes
    Filetype: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
    MD5: 50a166237a0fa771261275a405646cc0
    SHA1: a7d14f0da81b0f10c748936af8c3e93566f92ae5

    Filename: wininet.dll
    Status:
    Scan finished. 0 out of 20 scanners reported malware.
    Scan taken on: Wed 13 May 2009 22:15:26 (CET)
    File size: 826368 bytes
    Filetype: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
    MD5: 28775945ccd53dee280ef58dea1a94c4
    SHA1: 4398cec658e18cb505bb4af6a12e13cb317bf08f

    Filename: kernel32.dll
    Status:
    Scan finished. 0 out of 20 scanners reported malware.
    Scan taken on: Wed 13 May 2009 22:16:24 (CET)
    File size: 989696 bytes
    Filetype: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
    MD5: b921fb870c9ac0d509b2ccabbbbe95f3
    SHA1: c88d57cc99f75cd928b47b6e444231f26670138f

    C:\WINDOWS\SYSTEM32\dllcache\powrprof.dll
    file not found it says

    Filename: wininet.dll
    Status:
    Scan finished. 0 out of 20 scanners reported malware.
    Scan taken on: Wed 13 May 2009 22:15:26 (CET)
    File size: 826368 bytes
    Filetype: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
    MD5: 28775945ccd53dee280ef58dea1a94c4
    SHA1: 4398cec658e18cb505bb4af6a12e13cb317bf08f

    Thanks
     
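Geri's request in post #10 (submit the system32 and the dllcache copies of kernel32.dll, powrprof.dll and wininet.dll) is a consistency check: dllcache holds Windows File Protection's backup copy, so the two hashes should agree unless one copy has been replaced, and a clean scanner verdict on both rules out a known-bad replacement. The results above show matching MD5/SHA1 for both kernel32 copies and both wininet copies, and no dllcache copy of powrprof.dll at all. The following is an added example, not code from this thread or from Jotti; it parses result blocks in the format posted above (embedded as a constructed sample built from those results) and pairs each live DLL with its backup. The all-zero hash in the contrast case is a placeholder, not a real value.

```python
import re
from collections import defaultdict
from typing import Any, Dict, Optional

# Constructed from the Jotti results posted above: the same three DLLs
# submitted from system32 and from the dllcache backup directory. The
# dllcache powrprof.dll was reported "file not found", so it has no result.
JOTTI_RESULTS: Dict[str, Optional[str]] = {
    r"C:\WINDOWS\SYSTEM32\kernel32.dll": """Filename: kernel32.dll
Scan finished. 0 out of 20 scanners reported malware.
File size: 989696 bytes
MD5: b921fb870c9ac0d509b2ccabbbbe95f3
SHA1: c88d57cc99f75cd928b47b6e444231f26670138f""",
    r"C:\WINDOWS\SYSTEM32\dllcache\kernel32.dll": """Filename: kernel32.dll
Scan finished. 0 out of 20 scanners reported malware.
File size: 989696 bytes
MD5: b921fb870c9ac0d509b2ccabbbbe95f3
SHA1: c88d57cc99f75cd928b47b6e444231f26670138f""",
    r"C:\WINDOWS\SYSTEM32\powrprof.dll": """Filename: powrprof.dll
Scan finished. 0 out of 20 scanners reported malware.
File size: 17408 bytes
MD5: 50a166237a0fa771261275a405646cc0
SHA1: a7d14f0da81b0f10c748936af8c3e93566f92ae5""",
    r"C:\WINDOWS\SYSTEM32\dllcache\powrprof.dll": None,
    r"C:\WINDOWS\SYSTEM32\wininet.dll": """Filename: wininet.dll
Scan finished. 0 out of 20 scanners reported malware.
File size: 826368 bytes
MD5: 28775945ccd53dee280ef58dea1a94c4
SHA1: 4398cec658e18cb505bb4af6a12e13cb317bf08f""",
    r"C:\WINDOWS\SYSTEM32\dllcache\wininet.dll": """Filename: wininet.dll
Scan finished. 0 out of 20 scanners reported malware.
File size: 826368 bytes
MD5: 28775945ccd53dee280ef58dea1a94c4
SHA1: 4398cec658e18cb505bb4af6a12e13cb317bf08f""",
}

# Constructed contrast case: the live wininet.dll carrying a different MD5
# (an all-zero placeholder, not a real hash) than its dllcache copy.
TAMPERED = dict(JOTTI_RESULTS)
TAMPERED[r"C:\WINDOWS\SYSTEM32\wininet.dll"] = str(
    JOTTI_RESULTS[r"C:\WINDOWS\SYSTEM32\wininet.dll"]
).replace("28775945ccd53dee280ef58dea1a94c4", "0" * 32)

FIELD_RE = re.compile(r"^(Filename|File size|MD5|SHA1):\s*(.+?)\s*$", re.MULTILINE)
VERDICT_RE = re.compile(r"Scan finished\. (\d+) out of (\d+) scanners reported malware\.")


def parse_jotti(text: str) -> Dict[str, Any]:
    """Pull filename, size, hashes and the detection verdict out of one result."""
    rec: Dict[str, Any] = {}
    for key, value in FIELD_RE.findall(text):
        rec[key.lower().replace(" ", "_")] = value
    m = VERDICT_RE.search(text)
    if m is None:
        raise ValueError("no scan verdict in result text")
    rec["detections"], rec["scanners"] = int(m.group(1)), int(m.group(2))
    rec["file_size"] = int(str(rec.get("file_size", "0 bytes")).split()[0])
    return rec


def triage(results: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Compare each live system DLL against its dllcache backup copy."""
    groups: Dict[str, Dict[str, Optional[Dict[str, Any]]]] = defaultdict(dict)
    for path, text in results.items():
        name = path.rsplit("\\", 1)[-1].lower()
        slot = "dllcache" if "\\dllcache\\" in path.lower() else "live"
        groups[name][slot] = parse_jotti(text) if text else None

    verdicts: Dict[str, str] = {}
    for name, slots in groups.items():
        live, cache = slots.get("live"), slots.get("dllcache")
        present = [r for r in (live, cache) if r is not None]
        if any(r["detections"] > 0 for r in present):
            verdicts[name] = "detected"
        elif live is None:
            verdicts[name] = "live-copy-missing"
        elif cache is None:
            verdicts[name] = "no-backup-copy"       # nothing to compare against
        elif (live["md5"], live["sha1"]) != (cache["md5"], cache["sha1"]):
            # Not proof of tampering by itself (a hotfix can leave the two
            # copies at different builds), but the live file needs a closer look.
            verdicts[name] = "hash-mismatch"
        else:
            verdicts[name] = "consistent"
    return verdicts


if __name__ == "__main__":
    print(triage(JOTTI_RESULTS))
    print(triage(TAMPERED))
```

The identical "Scan taken on" timestamps for the two kernel32 copies are consistent with Jotti returning its cached result for a file it has already seen, which is itself a hint that the two uploads were byte-identical. A "hash-mismatch" verdict should be followed by checking the live file's version resource and Authenticode signature before concluding anything.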
  12. 2009/05/21
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK good.

    Please check these files with Jotti and post the results.

    c:\windows\system32\024D3846D7.sys
    c:\windows\system32\D746384D02.sys


    Let me know how things are running.

    Geri
     
  13. 2009/05/21
    imandy

    imandy Inactive Thread Starter

    Joined:
    2008/08/18
    Messages:
    48
    Likes Received:
    0
    Filename: 024D3846D7.sys
    Status:
    Scan finished. 0 out of 20 scanners reported malware.
    Scan taken on: Fri 22 May 2009 05:43:36 (CET) Permalink
    File size: 88 bytes
    Filetype: X11 SNF font data, LSB first
    MD5: c58fe282288366c38461e07a3b921bc3
    SHA1: 9b8ca23f1bbca0af11164409070c77ff29c0f0c8

    Filename: D746384D02.sys
    Status:
    Scan finished. 0 out of 20 scanners reported malware.
    Scan taken on: Fri 22 May 2009 05:44:33 (CET) Permalink
    File size: 56 bytes
    Filetype: Unknown
    MD5: d854877eed84b5a508c53e408676f1f8
    SHA1: 08e2297e24961a641960ba5ebfb6082f56984836

    My laptop loads things slowly at points. I don't know if it's just the laptop itself or something is doing it.

    thanks again
     
  14. 2009/05/23
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK, let's get an online scan. Please do the following.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Now the scan.

    Please do an online scan with Kaspersky WebScanner

    It's best to disable real time protection applications as they sometimes interfere with the scan.
    Check this link for any applicable programs you may have.

    Click on "Accept" if your pop-up blocker blocks any windows from opening.

    Click Run on the window that opens.
    Windows Vista users: you must open the web browser using the Run as Administrator command.
    • The program will launch and then begin downloading the latest definition files.
    • Under Scan on the left side, click on My Computer.
    • This will start the program and scan your system.
    • Click the "Scan Report" on the left side.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type Text file. Click OK to save the file.
    • Save the text file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky results.

    Geri
     
  15. 2009/05/25
    imandy

    imandy Inactive Thread Starter

    Joined:
    2008/08/18
    Messages:
    48
    Likes Received:
    0
    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0 REPORT
    Monday, May 25, 2009
    Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Program database last update: Monday, May 25, 2009 22:18:00
    Records in database: 2244592
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\

    Scan statistics:
    Files scanned: 105638
    Threat name: 5
    Infected objects: 6
    Suspicious objects: 0
    Duration of the scan: 05:53:46


    File name / Threat name / Threats count
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E080000.VBN Infected: Trojan-Downloader.Win32.FraudLoad.vpdd 1
    C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP132\A0061592.sys Infected: Backdoor.Win32.UltimateDefender.a 1
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP132\A0061593.sys Infected: Backdoor.Win32.UltimateDefender.a 1
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP132\A0066746.exe Infected: Net-Worm.Win32.Koobface.io 1
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP136\A0073997.sys Infected: Trojan-Spy.Win32.Goldun.cea 1

    The selected area was scanned.

    thanks again
     
  16. 2009/05/26
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK looks good.
    This one is quarantined by Symantec and not a threat.
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E080000.VBN Infected: Trojan-Downloader.Win32.FraudLoad.vpdd 1

    This is not a virus, but if you don't use mIRC, then remove it from add/remove programs.
    C:\Program Files\mIRC\mirc.exe Infected:

    Now let's clean up C:\System Volume Information; these are your restore points, and removing ComboFix will delete them and make a new, good restore point.

    Please do this.

    Click Start > Run in the run box copy and paste or type ComboFix /u then hit Enter to uninstall ComboFix and remove the files/folders it created. This action will also reset the System Restore points, removing any infected files there as well.
    Please check and verify that C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file. If they weren't please delete them manually.

    You can also remove DDS from your desktop.

    Let me know how things are running.

    Geri
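    The triage Geri does by hand above (an item already sitting in the Symantec quarantine, a "not-a-virus:" flag on mIRC, and four stale copies inside System Volume Information) follows directly from the path and threat name on each line of the Kaspersky report. As an added example that is not part of the original thread, the Python script below parses that report format, puts each detection into one of those buckets, and cross-checks the parsed count against the report's own "Infected objects" total. The bucket names and the `\Quarantine\` / `_restore` path tests are my assumptions; the sample input is the report text quoted earlier in this thread.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: the statistics block and detection lines from the
# Kaspersky Online Scanner report posted earlier in this thread.
SAMPLE_REPORT = r"""
Scan statistics:
Files scanned: 105638
Threat name: 5
Infected objects: 6
Suspicious objects: 0

File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E080000.VBN Infected: Trojan-Downloader.Win32.FraudLoad.vpdd 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP132\A0061592.sys Infected: Backdoor.Win32.UltimateDefender.a 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP132\A0061593.sys Infected: Backdoor.Win32.UltimateDefender.a 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP132\A0066746.exe Infected: Net-Worm.Win32.Koobface.io 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP136\A0073997.sys Infected: Trojan-Spy.Win32.Goldun.cea 1

The selected area was scanned.
"""

# One detection line: "<path> Infected: <threat name> <count>". The path may contain
# spaces, so anchor on the literal " Infected: " token instead of splitting on whitespace.
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)\s*$")
INFECTED_OBJECTS_RE = re.compile(r"^Infected objects: (?P<n>\d+)\s*$", re.MULTILINE)


@dataclass
class Detection:
    path: str
    threat: str
    count: int


def parse_report(text: str) -> list[Detection]:
    """Extract every detection line from a Kaspersky Online Scanner text report."""
    hits = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            hits.append(Detection(m["path"], m["threat"], int(m["count"])))
    return hits


def triage(hit: Detection) -> str:
    """Classify a detection by where it lives and what the scanner called it.

    Bucket names are this example's own (assumed) vocabulary:
    quarantined   - already neutralised inside another product's quarantine folder
    restore_point - stale copy under System Volume Information; cleared by purging
                    System Restore rather than by deleting the file directly
    riskware      - 'not-a-virus:' prefix: a legitimate tool the scanner merely flags
    active        - anything else: a live file that still needs removal
    """
    low = hit.path.lower()
    if "\\quarantine\\" in low:
        return "quarantined"
    if "\\system volume information\\_restore" in low:
        return "restore_point"
    if hit.threat.lower().startswith("not-a-virus:"):
        return "riskware"
    return "active"


def summarize(text: str) -> dict:
    """Count detections per triage bucket and cross-check against the report's total."""
    hits = parse_report(text)
    buckets = Counter(triage(h) for h in hits)
    m = INFECTED_OBJECTS_RE.search(text)
    reported = int(m["n"]) if m else None
    return {
        "buckets": dict(buckets),
        "parsed": len(hits),
        "reported": reported,
        # False means the parser missed a line or the pasted report was truncated.
        "consistent": reported == sum(h.count for h in hits),
    }


if __name__ == "__main__":
    for h in parse_report(SAMPLE_REPORT):
        print(f"{triage(h):13s} {h.threat:45s} {h.path}")
    print(summarize(SAMPLE_REPORT))
```

    Run it against a saved report to get the same three-way split Geri gives: only an "active" bucket that is not empty would call for more cleanup, and a `consistent: False` result means the pasted report is incomplete and should be re-posted in full.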
     
  17. 2009/05/27
    imandy

    imandy Inactive Thread Starter

    Joined:
    2008/08/18
    Messages:
    48
    Likes Received:
    0
    I wasn't able to do this part because ComboFix and Qoobox kept coming up as "not found." What do I do? Also, what is DDS?

    Thanks again.
     
  18. 2009/05/27
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK, please delete those folders and the .txt file manually:
    C:\Qoobox, C:\ComboFix and the C:\ComboFix.txt file.

    Looking back you did not post a DDS log, so forget about that.

    Please do this.

    You must be logged in as an Administrator to do this. If you are not logged in as an Administrator, the System Restore tab will not be displayed.
    Turning off System Restore will clear out all previous restore points.

    To turn off Windows XP System Restore:
    NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore" or "Turn off System Restore on all drives"
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    8. Restart the computer and follow the instructions in the next section to turn on System Restore.

    To turn on Windows XP System Restore:
    1. Click Start.
    2. Right-click My Computer, and then click Properties.
    3. Click the System Restore tab.
    4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
    5. Click Apply, and then click OK.
    6. Make a new restore point.
    7. Click Start, All Programs, Accessories, System Tools, System Restore.
    Choose Create a restore point and click Next. Under "Type a description for your restore point..." put a name in the box. Click Create. In the next window click Close.

    Let me know how things are running.

    Geri
     
