
Active Rogue Spyware, "XP Deluxe Protector"

Discussion in 'Malware and Virus Removal Archive' started by mtpeak, 2009/06/25.

  1. 2009/06/25
    mtpeak

    mtpeak Inactive Thread Starter

    Joined:
    2009/05/29
    Messages:
    32
    Likes Received:
    0
[Active] Rogue Spyware, "XP Deluxe Protector"

    Hi,

I have gotten a virus called "XP Deluxe Protector." So far I've tried running MBAM but it freezes after a while. I am running Windows XP SP3. Here are my logs:


    DDS (Ver_09-05-14.01) - NTFSx86
    Run by Marie at 1:52:52.50 on Thu 06/25/2009
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1271.695 [GMT -4:00]

    AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\f.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\system32\kmw_run.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\KMW_SHOW.EXE
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\windows\ld10.exe
    C:\windows\pp10.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM\aim.exe
    C:\Documents and Settings\Marie\XP Deluxe Protector\xpdeluxe.exe
    C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\svchost.exe -k sys
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\f.exe
    C:\Documents and Settings\Marie\Desktop\dds.scr
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://netflix.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local;<local>
    uInternet Settings,ProxyServer = http=localhost:7171
    mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\AIMBar.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
    uRun: [xpprotect] c:\documents and settings\marie\xp deluxe protector\xpdeluxe.exe
    mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [PRONoMgrWired] c:\program files\intel\prosetwired\ncs\proset\PRONoMgr.exe
    mRun: [Dell Wireless Manager UI] c:\windows\system32\WLTRAY
    mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe "
    mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
    mRun: [kmw_run.exe] kmw_run.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe "
    mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
    mRun: [sysldtray] c:\windows\ld10.exe
    mRun: [pp] c:\windows\pp10.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
    IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
    IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Notify: igfxcui - igfxdev.dll
    Notify: NavLogon - c:\windows\system32\NavLogon.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\marie\applic~1\mozilla\firefox\profiles\ybls8b3a.default\
    FF - prefs.js: browser.startup.homepage - hxxps://mail.google.com
    FF - prefs.js: network.proxy.http - localhost
    FF - prefs.js: network.proxy.http_port - 7171
    FF - prefs.js: network.proxy.type - 4
    FF - plugin: c:\documents and settings\marie\application data\mozilla\firefox\profiles\ybls8b3a.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPinfotl.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

    ============= SERVICES / DRIVERS ===============

    R?2 AdobeAlerter;Adobe LM Service AdobeAlerter;c:\windows\system32\f.exe service --> c:\windows\system32\f.exe service [?]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
    R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
    R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
    R1 sysdrv;sysdrv;c:\program files\sys\sys.sys [2009-6-24 9344]
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2007-5-29 192104]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2007-5-29 169576]
    R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-10-7 1822648]
    R2 sys;sys;c:\windows\system32\svchost.exe -k sys [2004-8-10 14336]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-27 101936]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090619.004\naveng.sys [2009-6-19 89104]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090619.004\navex15.sys [2009-6-19 876144]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-5-28 40160]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
    S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-10-7 116664]
    S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-4-21 189792]
    SUnknown iyggveddpysl;iyggveddpysl; [x]

    =============== Created Last 30 ================

    2009-06-24 02:35 <DIR> --dsh--- c:\documents and settings\marie\IECompatCache
    2009-06-24 01:28 29,184 a------- c:\windows\system32\iehostcx32.dll
    2009-06-24 01:28 <DIR> --d----- c:\documents and settings\marie\XP Deluxe Protector
    2009-06-24 01:17 1 a------- c:\windows\934fdfg34fgjf23
    2009-06-24 01:17 14,848 ----h--- c:\windows\pp10.exe
    2009-06-24 01:17 <DIR> --d----- c:\program files\sys
    2009-06-24 01:17 2 a------- c:\windows\0101120101464849.dat
    2009-06-24 01:17 2 a------- c:\windows\010112010146118114.dat
    2009-06-24 01:17 184 a------- c:\windows\22678h32.bat
    2009-06-24 01:17 14,848 ----h--- c:\windows\ld10.exe
    2009-06-24 01:17 22,528 a---h--- c:\windows\system32\f.exe
    2009-06-10 11:46 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
    2009-06-10 11:46 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
    2009-06-08 12:13 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
    2009-06-07 01:50 <DIR> --dsh--- c:\documents and settings\marie\IETldCache
    2009-06-07 01:27 <DIR> --d----- c:\windows\system32\XPSViewer
    2009-06-07 01:26 1,676,288 -------- c:\windows\system32\xpssvcs.dll
    2009-06-07 01:26 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
    2009-06-07 01:26 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2009-06-07 01:26 575,488 -------- c:\windows\system32\xpsshhdr.dll
    2009-06-07 01:26 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
    2009-06-07 01:26 117,760 -------- c:\windows\system32\prntvpt.dll
    2009-06-07 01:26 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2009-06-07 01:26 <DIR> --d----- C:\418e9cf44ad67d8b4902
    2009-06-07 01:17 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
    2009-06-07 01:15 <DIR> -cd-h--- c:\windows\ie8
    2009-06-07 00:38 7,304 a------- c:\windows\TMP0001.TMP
    2009-06-05 02:01 73,728 a------- c:\windows\system32\javacpl.cpl
    2009-06-05 01:56 <DIR> --d----- c:\documents and settings\marie\.SunDownloadManager
    2009-06-03 20:27 <DIR> --d----- c:\program files\Trend Micro
    2009-06-02 15:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2009-06-02 15:16 <DIR> --d----- c:\program files\SUPERAntiSpyware
    2009-06-02 15:16 <DIR> --d----- c:\docume~1\marie\applic~1\SUPERAntiSpyware.com
    2009-06-02 15:15 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
    2009-06-01 01:43 <DIR> a-dshr-- C:\cmdcons
    2009-05-28 19:36 64,160 a------- c:\windows\system32\drivers\Lbd.sys
    2009-05-28 19:33 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
    2009-05-28 19:33 <DIR> --d----- c:\program files\Lavasoft
    2009-05-28 18:03 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-05-28 18:03 19,096 a------- c:\windows\system32\drivers\mbam.sys
    2009-05-28 18:03 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-05-27 14:03 <DIR> --d----- c:\docume~1\marie\applic~1\Malwarebytes
    2009-05-27 14:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

    ==================== Find3M ====================

    2009-06-05 02:00 410,984 a------- c:\windows\system32\deploytk.dll
    2009-05-20 11:40 81 a------- C:\CTX.DAT
    2009-05-13 01:15 5,936,128 a------- c:\windows\system32\dllcache\mshtml.dll
    2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
    2009-05-13 01:15 915,456 a------- c:\windows\system32\dllcache\wininet.dll
    2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
    2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
    2009-04-30 17:22 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
    2009-04-30 17:22 11,064,832 a------- c:\windows\system32\dllcache\ieframe.dll
    2009-04-30 17:22 1,207,808 a------- c:\windows\system32\dllcache\urlmon.dll
    2009-04-30 17:22 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
    2009-04-30 17:22 385,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
    2009-04-30 07:21 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
    2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
    2009-04-17 08:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
    2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
    2009-04-15 10:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
    2008-03-12 20:19 22,336 a------- c:\docume~1\marie\applic~1\GDIPFONTCACHEV1.DAT
    2007-11-13 22:35 4,280,320 a------- c:\program files\MouseWorks_PC_622.exe
    2006-04-21 16:18 308,863 a------- c:\program files\01090285.cab
    2006-03-30 03:34 488,144 a------- c:\program files\HJTsetup.exe
    2006-03-30 03:19 318,775 a------- c:\program files\CleanUp40.exe
    2005-12-06 02:20 895,488 a------- c:\program files\iview397.exe
    2007-06-07 02:04 5,642 a--sh--- c:\windows\system32\KGyGaAvL.sys

    ============= FINISH: 1:55:49.56 ===============
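As an added example, not part of this thread and not code from the DDS tool: a small Python triage script that applies a handful of indicator rules to lines of the kind seen in the DDS log above. The sample input is excerpted from that log (the loopback proxy, the extra entry on the Winlogon Userinit line, autoruns sitting directly in c:\windows or in the user profile, and services DDS marks as [x]/[?] or whose binary appeared the day before the report). The rule names, the 7-day "recent service" threshold and the parsing regexes are this example's own assumptions.

```python
"""Indicator triage for DDS "Pseudo HJT Report" and service lines.

The sample lines are excerpted from the DDS log posted above; the rules,
their names and the 7-day threshold are this example's own assumptions.
"""
import re
from datetime import date, timedelta

# Constructed sample: lines excerpted from the DDS log in the thread.
SAMPLE_DDS = r"""
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [xpprotect] c:\documents and settings\marie\xp deluxe protector\xpdeluxe.exe
mRun: [sysldtray] c:\windows\ld10.exe
mRun: [pp] c:\windows\pp10.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
R?2 AdobeAlerter;Adobe LM Service AdobeAlerter;c:\windows\system32\f.exe service --> c:\windows\system32\f.exe service [?]
R1 sysdrv;sysdrv;c:\program files\sys\sys.sys [2009-6-24 9344]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2007-5-29 192104]
SUnknown iyggveddpysl;iyggveddpysl; [x]
"""

LOOPBACK = ("localhost", "127.0.0.1")
# Assumed DDS line layouts, derived from the log above.
RUN_RE = re.compile(r"^[um]Run: \[[^\]]*\]\s+(.*)$", re.I)
SERVICE_RE = re.compile(r"^(?:R\?\d|R\d|S\d|SUnknown)\s+([^;]+);([^;]*);(.*)$")
FILE_DATE_RE = re.compile(r"\[(\d{4})-(\d{1,2})-(\d{1,2})\s+\d+\]$")
WINDIR = "c:\\windows\\"
PROFILES = "c:\\documents and settings\\"


def _autorun_target(rest):
    """Extract the executable path from the text after '[name]' on a Run line."""
    rest = rest.strip().lstrip('"')
    m = re.match(r"(.*?\.exe)", rest, re.I)
    return (m.group(1) if m else rest.split()[0]).lower()


def triage(text, report_date="2009-06-25", recent_days=7):
    """Return (rule, line) findings for DDS lines that match an indicator rule."""
    report = date.fromisoformat(report_date)
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Browser proxy pointed at the local machine: something on this host
        # sits between the browser and the network.
        if "ProxyServer =" in line or line.startswith("FF - prefs.js: network.proxy.http -"):
            value = line.split("=", 1)[-1] if "ProxyServer =" in line else line.rsplit(" - ", 1)[-1]
            if any(h in value.lower() for h in LOOPBACK):
                findings.append(("loopback_proxy", line))
            continue
        # Winlogon Userinit should list only userinit.exe; extra entries run at every logon.
        m = re.match(r"^mWinlogon: Userinit=(.*)$", line, re.I)
        if m:
            entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
            if any(not e.lower().endswith("\\userinit.exe") for e in entries):
                findings.append(("userinit_extra", line))
            continue
        # Autoruns living directly in the Windows directory or inside a user profile.
        m = RUN_RE.match(line)
        if m:
            path = _autorun_target(m.group(1))
            if path.startswith(WINDIR) and "\\" not in path[len(WINDIR):]:
                findings.append(("autorun_windows_root", line))
            elif path.startswith(PROFILES):
                findings.append(("autorun_user_profile", line))
            continue
        # Services whose binary DDS could not verify, or which appeared just before the report.
        m = SERVICE_RE.match(line)
        if m:
            rest = m.group(3)
            if rest.endswith("[x]") or rest.endswith("[?]"):
                findings.append(("service_unverified", line))
                continue
            d = FILE_DATE_RE.search(rest)
            if d:
                file_date = date(int(d.group(1)), int(d.group(2)), int(d.group(3)))
                if timedelta(0) <= report - file_date <= timedelta(days=recent_days):
                    findings.append(("service_recent", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_DDS):
        print(f"{rule:22s} {line}")
```

Run against the sample it reports nine lines; the Symantec service, ctfmon.exe and QTTask.exe pass every rule. The rules are deliberately narrow (a loopback proxy or a second Userinit entry is worth a look on almost any machine, a fresh service binary only in the context of a report like this one), so treat the output as a reading aid for the log, not a verdict.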
     
  2. 2009/06/25
    mtpeak

    mtpeak Inactive Thread Starter

    Joined:
    2009/05/29
    Messages:
    32
    Likes Received:
    0
    DDS (Ver_09-05-14.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 8/22/2005 4:58:26 PM
    System Uptime: 6/25/2009 1:36:59 AM (0 hours ago)

    Motherboard: Dell Inc. | | 0U6962
    Processor: Intel(R) Celeron(R) M processor 1.40GHz | Microprocessor | 1396/133mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 34 GiB total, 7.304 GiB free.
    D: is CDROM (UDF)

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Cisco Systems VPN Adapter
    Device ID: ROOT\NET\0001
    Manufacturer: Cisco Systems
    Name: Cisco Systems VPN Adapter
    PNP Device ID: ROOT\NET\0001
    Service: CVirtA

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    Ad-Aware
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Color EU Extra Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Recommended Settings
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe ExtendScript Toolkit 2
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Fonts All
    Adobe Help Viewer CS3
    Adobe Linguistics CS3
    Adobe PDF Library Files
    Adobe Photoshop CS3
    Adobe Reader 7.0.9
    Adobe Setup
    Adobe Shockwave Player 11
    Adobe Stock Photos CS3
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS3
    AOL Instant Messenger
    AOLIcon
    Apple Mobile Device Support
    Apple Software Update
    Bonjour
    Calc98
    CleanUp!
    Conexant D110 MDC V.9x Modem
    Critical Update for Windows Media Player 11 (KB959772)
    Dell Digital Jukebox Driver
    Dell Driver Reset Tool
    Dell Media Experience
    Dell Photo Printer 720
    Dell Photo Printer 720 Logger
    Dell Support Center
    Dell System Restore
    Dell Wireless WLAN Card
    DellSupport
    Digital Line Detect
    GIMP 2.6.6
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Intel(R) Graphics Media Accelerator Driver for Mobile
    Intel(R) PRO Network Adapters and Drivers
    Intel(R) PROSet for Wired Connections
    Internal Network Card Power Management
    Internet Explorer Default Page
    IrfanView (remove only)
    iTunes
    Java DB 10.4.1.3
    Java(TM) 6 Update 14
    Java(TM) SE Development Kit 6 Update 11
    JCreator LE 2.50
    Kensington MouseWorks
    Learn2 Player (Uninstall Only)
    LiveUpdate 3.2 (Symantec Corporation)
    Macromedia Flash Player
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office XP Media Content
    Microsoft Office XP Standard
    Microsoft Plus! Digital Media Edition Installer
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Modem Helper
    Mozilla Firefox (3.0.11)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    My Way Search Assistant
    Netflix Movie Viewer
    NetWaiting
    Norton Security Center
    PDF Settings
    Photo Click
    PowerDVD 5.5
    PuTTY version 0.60
    QuickSet
    QuickTime
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB970238)
    Sonic DLA
    Sonic RecordNow Audio
    Sonic RecordNow Copy
    Sonic RecordNow Data
    Sonic Update Manager
    SUPERAntiSpyware Free Edition
    Symantec AntiVirus
    Synaptics Pointing Device Driver
    Update for Windows Internet Explorer 8 (KB971180)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update Manager
    Viewpoint Media Player
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    VPN Client
    WebCyberCoach 3.2 Dell
    WebFldrs XP
    Winamp (remove only)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 10
    Windows Media Player 11
    Windows XP Service Pack 3

    ==== Event Viewer Messages From Past Week ========

    6/25/2009 1:52:58 AM, error: Service Control Manager [7028] - The iyggveddpysl Registry key denied access to SYSTEM account programs so the Service Control Manager took ownership of the Registry key.
    6/25/2009 1:36:09 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time-nw.nist.gov,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    6/24/2009 1:20:30 AM, error: Service Control Manager [7000] - The sys service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    6/24/2009 1:20:29 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the sys service to connect.
    6/19/2009 9:38:29 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.
    6/18/2009 1:33:13 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Netman service.

    ==== End Of File ===========================
     


  4. 2009/06/25
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Hi and welcome

    Have you tried to run MBAM in safe mode?

If you have tried and it still won't work:
    Uninstall and download again but this time change the name (Save as mtpeak.exe) when saving to desktop.

    Please download Malwarebytes' Anti-Malware to your desktop

    Additional Link

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad. Please save it to a convenient location.
    * You can also access the log by doing the following:

    o Click on the Malwarebytes' Anti-Malware icon to launch the program.
    o Click on the Logs tab.
    o Click on the log at the bottom of those listed to highlight it.
    o Click Open.

    Tutorial if needed
    http://thespykiller.co.uk/index.php/topic,5946.0.html

    Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


    Let me know if this helps.
     
  5. 2009/06/26
    mtpeak

    mtpeak Inactive Thread Starter

    Joined:
    2009/05/29
    Messages:
    32
    Likes Received:
    0
    Hi Juliet,

    Running MBAM in Safe Mode did work. I deleted everything that it picked up, but my computer still doesn't start up properly in Normal mode. It just freezes. Is there more I can do?

    Thank you.
     
  6. 2009/06/26
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    I think a system critical file needed for the computer to start in normal mode has been infected by the malware.

What we can do is try another tool to scan, but you will need Safe Mode with Networking in order for it to download the Recovery Console (if it can).



    Download worksnow from HERE:

* IMPORTANT !!! Save worksnow to your Desktop
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs

    • Double click on worksnow & follow the prompts.

      Note: worksnow will run without the Recovery Console installed.
• As part of its process, combofix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
"Copy/paste" a new HijackThis log file into this thread as well.

    Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.



    In your next reply post:
    C:\ComboFix.txt
    MBAM log
    New DDS log
     
  7. 2009/06/30
    mtpeak

    mtpeak Inactive Thread Starter

    Joined:
    2009/05/29
    Messages:
    32
    Likes Received:
    0
    Thanks for getting back to me so quickly. Here are my logs:

    ComboFix 09-06-29.04 - Marie 06/30/2009 1:36.3 - NTFSx86 NETWORK
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1271.1017 [GMT -4:00]
    Running from: c:\documents and settings\Marie\Desktop\worksnow.exe
    AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\sys
    c:\program files\sys\sys.dll
    c:\program files\sys\sys.sys
    c:\windows\010112010146118114.dat
    c:\windows\system32\drivers\rorxxjkxkrxp.sys
    c:\windows\system32\drivers\str.sys

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_IYGGVEDDPYSL
    -------\Legacy_SYS
    -------\Legacy_SYSDRV
    -------\Service_iyggveddpysl
    -------\Service_sys
    -------\Service_sysdrv


    ((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-30 )))))))))))))))))))))))))))))))
    .

    2009-06-25 07:41 . 2009-06-25 07:41 1 ---h--w- c:\windows\bf23567.dat
    2009-06-25 07:41 . 2009-06-25 07:41 2 ----a-w- c:\windows\010112010146115110.dat
    2009-06-25 07:41 . 2009-06-25 07:41 2 ----a-w- c:\windows\0101120101465452.dat
    2009-06-24 06:35 . 2009-06-24 06:35 -------- d-sh--w- c:\documents and settings\Marie\IECompatCache
    2009-06-24 05:17 . 2009-06-24 05:17 2 ----a-w- c:\windows\0101120101464849.dat
    2009-06-10 15:46 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
    2009-06-10 15:46 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
    2009-06-07 05:55 . 2009-06-07 05:55 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2009-06-07 05:50 . 2009-06-07 05:50 -------- d-sh--w- c:\documents and settings\Marie\IETldCache
    2009-06-07 05:27 . 2009-06-07 05:27 -------- d-----w- c:\windows\system32\XPSViewer
    2009-06-07 05:27 . 2009-06-07 05:27 -------- d-----w- c:\program files\MSBuild
    2009-06-07 05:26 . 2009-06-07 05:26 -------- d-----w- c:\program files\Reference Assemblies
    2009-06-07 05:26 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2009-06-07 05:26 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2009-06-07 05:26 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
    2009-06-07 05:26 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2009-06-07 05:26 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
    2009-06-07 05:26 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
    2009-06-07 05:26 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2009-06-07 05:26 . 2009-06-07 05:26 -------- d-----w- C:\418e9cf44ad67d8b4902
    2009-06-07 05:17 . 2009-05-12 05:11 102912 ------w- c:\windows\system32\dllcache\iecompat.dll
    2009-06-07 05:15 . 2009-06-07 05:17 -------- dc-h--w- c:\windows\ie8
    2009-06-05 05:56 . 2009-06-05 05:57 -------- d-----w- c:\documents and settings\Marie\.SunDownloadManager
    2009-06-05 02:09 . 2008-12-04 05:25 120832 ----a-w- c:\documents and settings\Marie\Application Data\Mozilla\Firefox\Profiles\ybls8b3a.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
    2009-06-04 00:27 . 2009-06-04 00:27 -------- d-----w- c:\program files\Trend Micro
    2009-06-02 19:17 . 2009-06-03 00:21 117760 ----a-w- c:\documents and settings\Marie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-06-02 19:16 . 2009-06-02 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-06-02 19:16 . 2009-06-02 19:16 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-06-02 19:16 . 2009-06-02 19:16 -------- d-----w- c:\documents and settings\Marie\Application Data\SUPERAntiSpyware.com
    2009-06-02 19:15 . 2009-06-02 19:15 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-06-30 05:46 . 2009-02-13 23:02 -------- d-----w- c:\program files\Symantec AntiVirus
    2009-06-30 05:45 . 2009-06-07 04:38 7304 ----a-w- c:\windows\TMP0001.TMP
    2009-06-24 05:17 . 2005-09-02 03:13 22336 ----a-w- c:\documents and settings\Marie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-06-05 06:01 . 2005-08-15 11:59 -------- d-----w- c:\program files\Java
    2009-06-05 06:00 . 2009-01-28 03:04 410984 ----a-w- c:\windows\system32\deploytk.dll
    2009-05-30 01:57 . 2009-05-28 23:33 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
    2009-05-30 01:50 . 2009-05-28 23:33 -------- d-----w- c:\program files\Lavasoft
    2009-05-28 23:36 . 2009-05-28 23:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2009-05-28 23:36 . 2009-05-28 23:36 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2009-05-28 22:03 . 2009-05-28 22:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-05-28 05:40 . 2008-04-19 01:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-05-28 04:50 . 2006-03-30 07:20 -------- d-----w- c:\program files\CleanUp!
    2009-05-27 18:03 . 2009-05-27 18:03 -------- d-----w- c:\documents and settings\Marie\Application Data\Malwarebytes
    2009-05-27 18:03 . 2009-05-27 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-05-26 17:20 . 2009-05-28 22:03 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-05-26 17:19 . 2009-05-28 22:03 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-05-20 15:40 . 2009-05-20 15:40 81 ----a-w- C:\CTX.DAT
    2009-05-13 05:15 . 2004-08-10 17:51 915456 ----a-w- c:\windows\system32\wininet.dll
    2009-05-12 06:37 . 2009-05-12 06:37 -------- d-----w- c:\program files\GIMP-2.0
    2009-05-12 06:36 . 2009-04-27 21:52 -------- d-----w- c:\program files\MP3 WAV Converter
    2009-05-07 15:32 . 2004-08-10 17:51 345600 ----a-w- c:\windows\system32\localspl.dll
    2009-04-17 12:26 . 2004-08-10 17:51 1847168 ----a-w- c:\windows\system32\win32k.sys
    2009-04-15 14:51 . 2004-08-10 17:51 585216 ----a-w- c:\windows\system32\rpcrt4.dll
    2007-11-14 02:35 . 2007-11-14 02:33 4280320 ----a-w- c:\program files\MouseWorks_PC_622.exe
    2006-04-21 20:18 . 2006-04-21 20:18 308863 ----a-w- c:\program files\01090285.cab
    2006-03-30 07:34 . 2006-03-30 07:34 488144 ----a-w- c:\program files\HJTsetup.exe
    2006-03-30 07:19 . 2006-03-30 07:19 318775 ----a-w- c:\program files\CleanUp40.exe
    2005-12-06 06:20 . 2005-12-06 06:20 895488 ----a-w- c:\program files\iview397.exe
    2007-06-07 06:04 . 2005-09-12 22:37 5642 --sha-w- c:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "AIM"="c:\program files\AIM\aim.exe" [2005-08-05 67160]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-13 98304]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 536576]
    "PRONoMgrWired"="c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-12-09 86016]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
    "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-10-08 125368]
    "kmw_run.exe"="kmw_run.exe" - c:\windows\system32\kmw_run.exe [2006-08-03 106496]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
    Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2006-4-21 1466384]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\AIM\\aim.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8085:TCP"= 8085:TCP:sys

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/27/2009 9:02 PM 101936]
    S2 AdobeAlerter;Adobe LM Service AdobeAlerter;c:\windows\system32\f.exe service --> c:\windows\system32\f.exe service [?]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
    S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/7/2007 9:48 PM 116664]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    .
    Contents of the 'Scheduled Tasks' folder

    2009-05-02 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://netflix.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local;<local>
    uInternet Settings,ProxyServer = http=localhost:7171
    IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
    TCP: {30B72F8C-B5D6-42A8-A31F-0C763A236CEF} = 213.174.139.72,10.0.1.1
    TCP: {6C16F812-16B7-45EA-9448-80DED32B879B} = 213.174.139.72,10.0.1.1
    FF - ProfilePath - c:\documents and settings\Marie\Application Data\Mozilla\Firefox\Profiles\ybls8b3a.default\
    FF - prefs.js: browser.startup.homepage - hxxps://mail.google.com
    FF - plugin: c:\documents and settings\Marie\Application Data\Mozilla\Firefox\Profiles\ybls8b3a.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPinfotl.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-06-30 01:46
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2684)
    c:\windows\system32\WININET.dll
    c:\windows\system32\kmw_dll.dll
    c:\windows\system32\WOW32.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
    c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    c:\windows\system32\WLTRYSVC.EXE
    c:\windows\system32\BCMWLTRY.EXE
    c:\windows\system32\LEXBCES.EXE
    c:\windows\system32\LEXPPS.EXE
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Cisco Systems\VPN Client\cvpnd.exe
    c:\program files\Symantec AntiVirus\DefWatch.exe
    c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
    c:\program files\Common Files\Protexis\License Service\PSIService.exe
    c:\program files\Symantec AntiVirus\Rtvscan.exe
    c:\program files\Common Files\Symantec Shared\Security Center\symwsc.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
    c:\windows\system32\WLTRAY.EXE
    c:\windows\system32\kmw_show.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2009-06-30 1:54 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-06-30 05:54
    ComboFix2.txt 2009-06-01 16:06

    Pre-Run: 9,114,345,472 bytes free
    Post-Run: 7,748,845,568 bytes free

    217 --- E O F --- 2009-06-11 14:09
     
  8. 2009/06/30
    mtpeak

    Malwarebytes' Anti-Malware 1.37
    Database version: 2220
    Windows 5.1.2600 Service Pack 3

    6/30/2009 1:59:10 AM
    mbam-log-2009-06-30 (01-59-10).txt

    Scan type: Quick Scan
    Objects scanned: 91440
    Time elapsed: 3 minute(s), 34 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  9. 2009/06/30
    mtpeak

    DDS (Ver_09-05-14.01) - NTFSx86
    Run by Marie at 1:59:28.32 on Tue 06/30/2009
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1271.680 [GMT -4:00]

    AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\system32\kmw_run.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\KMW_SHOW.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Marie\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://netflix.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local;<local>
    uInternet Settings,ProxyServer = http=localhost:7171
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\AIMBar.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
    mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [PRONoMgrWired] c:\program files\intel\prosetwired\ncs\proset\PRONoMgr.exe
    mRun: [Dell Wireless Manager UI] c:\windows\system32\WLTRAY
    mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
    mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
    mRun: [kmw_run.exe] kmw_run.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
    IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
    IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: {30B72F8C-B5D6-42A8-A31F-0C763A236CEF} = 213.174.139.72,10.0.1.1
    TCP: {6C16F812-16B7-45EA-9448-80DED32B879B} = 213.174.139.72,10.0.1.1
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Notify: igfxcui - igfxdev.dll
    Notify: NavLogon - c:\windows\system32\NavLogon.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\marie\applic~1\mozilla\firefox\profiles\ybls8b3a.default\
    FF - prefs.js: browser.startup.homepage - hxxps://mail.google.com
    FF - plugin: c:\documents and settings\marie\application data\mozilla\firefox\profiles\ybls8b3a.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPinfotl.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

    ============= SERVICES / DRIVERS ===============

    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
    R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
    R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2007-5-29 192104]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2007-5-29 169576]
    R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-10-7 1822648]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-27 101936]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090619.004\naveng.sys [2009-6-19 89104]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090619.004\navex15.sys [2009-6-19 876144]
    S2 AdobeAlerter;Adobe LM Service AdobeAlerter;c:\windows\system32\f.exe service --> c:\windows\system32\f.exe service [?]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
    S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-10-7 116664]
    S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-4-21 189792]

    =============== Created Last 30 ================

    2009-06-30 01:53 <DIR> --d----- c:\windows\system32\dllcache\cache
    2009-06-30 01:35 161,792 a------- c:\windows\SWREG.exe
    2009-06-30 01:35 155,136 a------- c:\windows\PEV.exe
    2009-06-30 01:35 98,816 a------- c:\windows\sed.exe
    2009-06-25 03:41 1 ----h--- c:\windows\bf23567.dat
    2009-06-25 03:41 2 a------- c:\windows\010112010146115110.dat
    2009-06-25 03:41 2 a------- c:\windows\0101120101465452.dat
    2009-06-24 02:35 <DIR> --dsh--- c:\documents and settings\marie\IECompatCache
    2009-06-24 01:17 1 a------- c:\windows\934fdfg34fgjf23
    2009-06-24 01:17 2 a------- c:\windows\0101120101464849.dat
    2009-06-10 11:46 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
    2009-06-10 11:46 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
    2009-06-08 12:13 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
    2009-06-07 01:50 <DIR> --dsh--- c:\documents and settings\marie\IETldCache
    2009-06-07 01:27 <DIR> --d----- c:\windows\system32\XPSViewer
    2009-06-07 01:26 1,676,288 -------- c:\windows\system32\xpssvcs.dll
    2009-06-07 01:26 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
    2009-06-07 01:26 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2009-06-07 01:26 575,488 -------- c:\windows\system32\xpsshhdr.dll
    2009-06-07 01:26 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
    2009-06-07 01:26 117,760 -------- c:\windows\system32\prntvpt.dll
    2009-06-07 01:26 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2009-06-07 01:26 <DIR> --d----- C:\418e9cf44ad67d8b4902
    2009-06-07 01:17 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
    2009-06-07 01:15 <DIR> -cd-h--- c:\windows\ie8
    2009-06-07 00:38 7,304 a------- c:\windows\TMP0001.TMP
    2009-06-05 02:01 73,728 a------- c:\windows\system32\javacpl.cpl
    2009-06-05 01:56 <DIR> --d----- c:\documents and settings\marie\.SunDownloadManager
    2009-06-03 20:27 <DIR> --d----- c:\program files\Trend Micro
    2009-06-02 15:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2009-06-02 15:16 <DIR> --d----- c:\program files\SUPERAntiSpyware
    2009-06-02 15:16 <DIR> --d----- c:\docume~1\marie\applic~1\SUPERAntiSpyware.com
    2009-06-02 15:15 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
    2009-06-01 01:43 <DIR> a-dshr-- C:\cmdcons

    ==================== Find3M ====================

    2009-06-05 02:00 410,984 a------- c:\windows\system32\deploytk.dll
    2009-05-28 19:36 64,160 a------- c:\windows\system32\drivers\Lbd.sys
    2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
    2009-05-20 11:40 81 a------- C:\CTX.DAT
    2009-05-13 01:15 5,936,128 a------- c:\windows\system32\dllcache\mshtml.dll
    2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
    2009-05-13 01:15 915,456 a------- c:\windows\system32\dllcache\wininet.dll
    2009-05-13 01:15 915,456 a------- c:\windows\system32\dllcache\cache\wininet.dll
    2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
    2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
    2009-04-30 17:22 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
    2009-04-30 17:22 11,064,832 a------- c:\windows\system32\dllcache\ieframe.dll
    2009-04-30 17:22 1,207,808 a------- c:\windows\system32\dllcache\urlmon.dll
    2009-04-30 17:22 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
    2009-04-30 17:22 385,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
    2009-04-30 07:21 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
    2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
    2009-04-17 08:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
    2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
    2009-04-15 10:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
    2008-03-12 20:19 22,336 a------- c:\docume~1\marie\applic~1\GDIPFONTCACHEV1.DAT
    2007-11-13 22:35 4,280,320 a------- c:\program files\MouseWorks_PC_622.exe
    2006-04-21 16:18 308,863 a------- c:\program files\01090285.cab
    2006-03-30 03:34 488,144 a------- c:\program files\HJTsetup.exe
    2006-03-30 03:19 318,775 a------- c:\program files\CleanUp40.exe
    2005-12-06 02:20 895,488 a------- c:\program files\iview397.exe
    2007-06-07 02:04 5,642 a--sh--- c:\windows\system32\KGyGaAvL.sys

    ============= FINISH: 1:59:44.17 ===============
     
  10. 2009/06/30
    mtpeak

    DDS (Ver_09-05-14.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 8/22/2005 4:58:26 PM
    System Uptime: 6/30/2009 1:45:09 AM (0 hours ago)

    Motherboard: Dell Inc. | | 0U6962
    Processor: Intel(R) Celeron(R) M processor 1.40GHz | Microprocessor | 1396/133mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 34 GiB total, 7.236 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Cisco Systems VPN Adapter
    Device ID: ROOT\NET\0001
    Manufacturer: Cisco Systems
    Name: Cisco Systems VPN Adapter
    PNP Device ID: ROOT\NET\0001
    Service: CVirtA

    ==== System Restore Points ===================

    RP1: 6/7/2009 12:53:31 AM - System Checkpoint
    RP2: 6/7/2009 1:08:27 AM - Software Distribution Service 3.0
    RP3: 6/7/2009 1:12:22 AM - Software Distribution Service 3.0
    RP4: 6/8/2009 2:32:40 PM - System Checkpoint
    RP5: 6/9/2009 10:46:18 AM - Software Distribution Service 3.0
    RP6: 6/10/2009 9:14:14 PM - System Checkpoint
    RP7: 6/11/2009 10:04:47 AM - Software Distribution Service 3.0
    RP8: 6/14/2009 9:21:51 AM - System Checkpoint
    RP9: 6/15/2009 10:30:43 AM - System Checkpoint
    RP10: 6/16/2009 11:07:28 AM - System Checkpoint
    RP11: 6/18/2009 10:53:45 AM - System Checkpoint
    RP12: 6/19/2009 11:46:31 AM - System Checkpoint
    RP13: 6/21/2009 7:34:10 PM - System Checkpoint
    RP14: 6/23/2009 12:50:16 PM - System Checkpoint

    ==== Installed Programs ======================

    Ad-Aware
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Color EU Extra Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Recommended Settings
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe ExtendScript Toolkit 2
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Fonts All
    Adobe Help Viewer CS3
    Adobe Linguistics CS3
    Adobe PDF Library Files
    Adobe Photoshop CS3
    Adobe Reader 7.0.9
    Adobe Setup
    Adobe Shockwave Player 11
    Adobe Stock Photos CS3
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS3
    AOL Instant Messenger
    AOLIcon
    Apple Mobile Device Support
    Apple Software Update
    Bonjour
    Calc98
    CleanUp!
    Conexant D110 MDC V.9x Modem
    Critical Update for Windows Media Player 11 (KB959772)
    Dell Digital Jukebox Driver
    Dell Driver Reset Tool
    Dell Media Experience
    Dell Photo Printer 720
    Dell Photo Printer 720 Logger
    Dell Support Center
    Dell System Restore
    Dell Wireless WLAN Card
    DellSupport
    Digital Line Detect
    GIMP 2.6.6
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Intel(R) Graphics Media Accelerator Driver for Mobile
    Intel(R) PRO Network Adapters and Drivers
    Intel(R) PROSet for Wired Connections
    Internal Network Card Power Management
    Internet Explorer Default Page
    IrfanView (remove only)
    iTunes
    Java DB 10.4.1.3
    Java(TM) 6 Update 14
    Java(TM) SE Development Kit 6 Update 11
    JCreator LE 2.50
    Kensington MouseWorks
    Learn2 Player (Uninstall Only)
    LiveUpdate 3.2 (Symantec Corporation)
    Macromedia Flash Player
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office XP Media Content
    Microsoft Office XP Standard
    Microsoft Plus! Digital Media Edition Installer
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Modem Helper
    Mozilla Firefox (3.0.11)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    My Way Search Assistant
    Netflix Movie Viewer
    NetWaiting
    Norton Security Center
    PDF Settings
    Photo Click
    PowerDVD 5.5
    PuTTY version 0.60
    QuickSet
    QuickTime
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB970238)
    Sonic DLA
    Sonic RecordNow Audio
    Sonic RecordNow Copy
    Sonic RecordNow Data
    Sonic Update Manager
    SUPERAntiSpyware Free Edition
    Symantec AntiVirus
    Synaptics Pointing Device Driver
    Update for Windows Internet Explorer 8 (KB971180)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update Manager
    Viewpoint Media Player
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    VPN Client
    WebCyberCoach 3.2 Dell
    WebFldrs XP
    Winamp (remove only)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 10
    Windows Media Player 11
    Windows XP Service Pack 3

    ==== Event Viewer Messages From Past Week ========

    6/30/2009 1:36:44 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
    6/28/2009 1:17:04 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: APPDRV eeCtrl Fips intelppm SASDIFSV SASKUTIL SAVRT SAVRTPEL SYMTDI sysdrv
    6/25/2009 3:59:16 PM, error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    6/25/2009 3:59:13 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the iPod Service service to connect.
    6/25/2009 3:58:34 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service iPod Service with arguments " " in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
    6/25/2009 3:55:28 PM, error: Service Control Manager [7000] - The LiveUpdate service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    6/25/2009 3:55:25 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the LiveUpdate service to connect.
    6/25/2009 3:54:56 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service LiveUpdate with arguments " " in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}
    6/25/2009 3:49:08 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde
    6/25/2009 3:49:00 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    6/25/2009 1:59:40 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    6/25/2009 1:59:37 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: APPDRV eeCtrl Fips intelppm SASDIFSV SASKUTIL SAVRT SAVRTPEL SPBBCDrv SYMTDI sysdrv
    6/25/2009 1:52:58 AM, error: Service Control Manager [7028] - The iyggveddpysl Registry key denied access to SYSTEM account programs so the Service Control Manager took ownership of the Registry key.
    6/25/2009 1:36:09 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time-nw.nist.gov,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    6/24/2009 1:20:30 AM, error: Service Control Manager [7000] - The sys service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    6/24/2009 1:20:29 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the sys service to connect.
    6/23/2009 9:50:20 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.

    ==== End Of File ===========================
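The Event Viewer block above is where this infection shows itself: several security-product boot-start drivers failing to load (7026), a randomly named service whose registry key locked out SYSTEM (7028), and a service simply called "sys". The following added example (not part of the thread or of the DDS tool) parses event lines in that DDS format and flags exactly those patterns; the driver-name list and the name heuristics are assumptions tuned to this log, and the sample lines are copied from the log above.

```python
"""Triage the 'Event Viewer Messages' block of a DDS log for service tampering.
Added example code, not part of the original thread or the DDS tool."""
import re
from typing import Dict, List, Optional, Tuple

# Security-product boot-start drivers named in the log above (assumption: this
# list is tuned to that log). A 7026 event listing several of them at once is a
# classic sign that a rootkit is blocking the AV/anti-spyware stack.
SECURITY_DRIVERS = {"SASDIFSV", "SASKUTIL", "SAVRT", "SAVRTPEL", "SYMTDI", "SPBBCDRV", "EECTRL"}

EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<id>\d+)\] - (?P<msg>.*)$"
)
# The SCM/DCOM phrasings seen in the log that carry a service name.
SERVICE_RE = re.compile(
    r"waiting for the (.+?) service to connect"
    r"|The (.+?) service failed to start"
    r"|attempting to start the service (.+?) with arguments"
    r"|The (.+?) Registry key denied access"
)
DRIVERS_RE = re.compile(r"failed to load: (.+)$")
VOWELS = set("aeiou")


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Split one DDS event line into timestamp, level, source, id and message."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def service_name(msg: str) -> Optional[str]:
    """Pull the service name out of the message, or None if the phrasing is unknown."""
    m = SERVICE_RE.search(msg)
    if not m:
        return None
    return next(g for g in m.groups() if g is not None)


def longest_consonant_run(name: str) -> int:
    run = best = 0
    for ch in name:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def looks_generated(name: str) -> bool:
    """Heuristic for machine-generated service names: all-lowercase alphabetic,
    8+ characters, and either vowel-poor or containing a long consonant run.
    Mixed-case names such as PEVSystemStart or WZCSVC are deliberately skipped."""
    if not (name.isalpha() and name.islower() and len(name) >= 8):
        return False
    vowel_ratio = sum(ch in VOWELS for ch in name) / len(name)
    return vowel_ratio < 0.3 or longest_consonant_run(name) >= 4


def triage(lines: List[str]) -> List[Tuple[str, int, str]]:
    """Return (timestamp, event id, reason) for every line worth a second look."""
    findings: List[Tuple[str, int, str]] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        eid, msg = int(ev["id"]), ev["msg"]
        if eid == 7026:  # boot-start drivers that failed to load
            m = DRIVERS_RE.search(msg)
            hit = [d for d in m.group(1).split() if d.upper() in SECURITY_DRIVERS] if m else []
            if hit:
                findings.append((ev["ts"], eid, "security drivers failed to load: " + ", ".join(hit)))
            continue
        if eid == 7028:  # SCM had to take ownership of a service's registry key
            findings.append((ev["ts"], eid, "SYSTEM locked out of service key: " + (service_name(msg) or "?")))
        name = service_name(msg)
        if name is None:
            continue
        if looks_generated(name):
            findings.append((ev["ts"], eid, f"service name looks machine-generated: {name}"))
        elif name.isalpha() and name.islower() and len(name) <= 3:
            findings.append((ev["ts"], eid, f"unusually short lowercase service name: {name}"))
    return findings


# Constructed sample: six lines copied from the DDS log above.
SAMPLE_EVENTS = [
    "6/30/2009 1:36:44 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.",
    "6/28/2009 1:17:04 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: APPDRV eeCtrl Fips intelppm SASDIFSV SASKUTIL SAVRT SAVRTPEL SYMTDI sysdrv",
    "6/25/2009 3:59:16 PM, error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.",
    "6/25/2009 1:52:58 AM, error: Service Control Manager [7028] - The iyggveddpysl Registry key denied access to SYSTEM account programs so the Service Control Manager took ownership of the Registry key.",
    "6/24/2009 1:20:30 AM, error: Service Control Manager [7000] - The sys service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.",
    "6/23/2009 9:50:20 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.",
]

if __name__ == "__main__":
    for ts, eid, reason in triage(SAMPLE_EVENTS):
        print(f"{ts}  [{eid}]  {reason}")
```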
     
  11. 2009/06/30
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Welcome back


    Locate the worksnow/Combofix icon on your desktop > right click and delete

    We'll get an updated copy.


    Print this topic or save to notepad, it will make it easier for you to follow the instructions and complete all of the necessary steps as we will need to close all windows that are open later in the fix.




    Download Combofix© by sUBs from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2
    Link 3



    Example:

    * IamNotMalware.exe
    * PleaseDontEatMe.exe



    • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
    --------------------------------------------------------------------

    (Click on this link to see a list of programs that should be disabled.)
    http://www.bleepingcomputer.com/forums/topic114351.html

    Next: Please disable all onboard security programs (all running with background protection) as it may hinder the scanner from working.
    This includes Antivirus, Firewall, and any Spyware scanners that run in the background.



    Please open Notepad *Do Not Use Wordpad or any other text editor than Notepad, or the script will fail!* (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
    Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.

    [screenshot: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    *****
    If there are internet issues afterward:

    *In IE: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "use a proxy server" or reconfigure the proxy server again in case you have set it previously.

    In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection and uncheck the proxy server, set it to No Proxy.
    ********
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Please download ATF Cleaner by Atribune From Here and save it to your Desktop.
    Follow the instructions for the browser you use.
    Read the instructions about the cookies. Delete what you do not need.

    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache

    The rest are optional - if you want to remove the lot, check "Select All".
    Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
    If you use the Firefox or Opera browsers, you can use this program
    as a quick way to tidy those up as well.
    When you have finished, click on the Exit button in the Main menu.
    ========================



    NEXT**
    I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
    The below scan can take up to an hour or longer, so please be patient.

    *Note
    It is recommended to disable your onboard antivirus and antispyware programs while performing scans, so there are no conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.



    Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

    Ensure your external and/or USB/Flash or Pen drives are inserted during the scan.


    Other available links
    Kaspersky Online Scanner or from here
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.

    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
      * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
      * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
      * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Once the scan is complete, click on View scan report. To obtain the report:
    Click on: Save Report As
    Next, in the Save as prompt, Save in area, select: Desktop
    In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select:
    Text file [*.txt]
    Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

    (Note for Internet Explorer 7 users:
    If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    Or use Firefox with IE-Tab plugin
    https://addons.mozilla.org/en-US/firefox/addon/1419


    In your next reply post:
    ComboFix.txt
    Kaspersky log
    New HJT log taken after the above scans have run


    You may need several replies to post the requested logs, otherwise they might get cut off.



    How's your computer now?
     
  12. 2009/07/07
    mtpeak

    mtpeak Inactive Thread Starter

    Joined:
    2009/05/29
    Messages:
    32
    Likes Received:
    0
    Hi Juliet,

    Today I followed your instructions by downloading ComboFix, renaming it, creating the notepad file and running ComboFix. Everything seemed to go fine until my computer rebooted, and now my computer doesn't connect to the Internet. I changed my browser connection options to "no proxy" like you instructed in case of internet issues, but still no internet. Also, when I restart there is a "data execution prevention" box that pops up stopping "generic host process for Win32 services" from running. I do not know if this is linked to my connectivity issues. I will post my ComboFix log for now. Also, I will be more speedy with my responses from now on; it's for my own good anyway.

    ComboFix 09-07-07.A0 - Marie 07/07/2009 16:13.4 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1271.719 [GMT -4:00]
    Running from: c:\documents and settings\Marie\Desktop\KissingUnicorns.exe
    Command switches used :: c:\documents and settings\Marie\Desktop\CFScript.txt
    AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    FILE ::
    "c:\windows\010112010146115110.dat"
    "c:\windows\0101120101464849.dat"
    "c:\windows\0101120101465452.dat"
    "c:\windows\bf23567.dat"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Marie\My Documents\freecell.exe
    c:\documents and settings\Marie\My Documents\mspaint.exe
    c:\windows\010112010146115110.dat
    c:\windows\0101120101464849.dat
    c:\windows\0101120101465452.dat
    c:\windows\bf23567.dat
    c:\windows\Installer\94d2.msi
    c:\windows\Installer\970a706.msp
    c:\windows\system32\drivers\beep.sys
    c:\windows\system32\drivers\null.sys

    .
    ((((((((((((((((((((((((( Files Created from 2009-06-07 to 2009-07-07 )))))))))))))))))))))))))))))))
    .

    2009-07-07 20:18 . 2009-07-07 20:18 198144 ----a-w- c:\windows\system32\_netman.dll_.vir
    2009-06-24 06:35 . 2009-06-24 06:35 -------- d-sh--w- c:\documents and settings\Marie\IECompatCache
    2009-06-10 15:46 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
    2009-06-10 15:46 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-07-07 20:23 . 2009-02-13 23:02 -------- d-----w- c:\program files\Symantec AntiVirus
    2009-07-07 20:21 . 2009-06-07 04:38 7304 ----a-w- c:\windows\TMP0001.TMP
    2009-06-24 05:17 . 2005-09-02 03:13 22336 ----a-w- c:\documents and settings\Marie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-06-07 05:27 . 2009-06-07 05:27 -------- d-----w- c:\program files\MSBuild
    2009-06-07 05:26 . 2009-06-07 05:26 -------- d-----w- c:\program files\Reference Assemblies
    2009-06-05 06:01 . 2005-08-15 11:59 -------- d-----w- c:\program files\Java
    2009-06-05 06:00 . 2009-01-28 03:04 410984 ----a-w- c:\windows\system32\deploytk.dll
    2009-06-04 00:27 . 2009-06-04 00:27 -------- d-----w- c:\program files\Trend Micro
    2009-06-03 00:21 . 2009-06-02 19:17 117760 ----a-w- c:\documents and settings\Marie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-06-02 19:16 . 2009-06-02 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-06-02 19:16 . 2009-06-02 19:16 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-06-02 19:16 . 2009-06-02 19:16 -------- d-----w- c:\documents and settings\Marie\Application Data\SUPERAntiSpyware.com
    2009-06-02 19:15 . 2009-06-02 19:15 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-05-30 01:57 . 2009-05-28 23:33 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
    2009-05-30 01:50 . 2009-05-28 23:33 -------- d-----w- c:\program files\Lavasoft
    2009-05-28 23:36 . 2009-05-28 23:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2009-05-28 23:36 . 2009-05-28 23:36 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2009-05-28 22:03 . 2009-05-28 22:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-05-28 04:50 . 2006-03-30 07:20 -------- d-----w- c:\program files\CleanUp!
    2009-05-27 18:03 . 2009-05-27 18:03 -------- d-----w- c:\documents and settings\Marie\Application Data\Malwarebytes
    2009-05-27 18:03 . 2009-05-27 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-05-26 17:20 . 2009-05-28 22:03 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-05-26 17:19 . 2009-05-28 22:03 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-05-20 15:40 . 2009-05-20 15:40 81 ----a-w- C:\CTX.DAT
    2009-05-13 05:15 . 2004-08-10 17:51 915456 ----a-w- c:\windows\system32\wininet.dll
    2009-05-12 06:37 . 2009-05-12 06:37 -------- d-----w- c:\program files\GIMP-2.0
    2009-05-12 06:36 . 2009-04-27 21:52 -------- d-----w- c:\program files\MP3 WAV Converter
    2009-05-07 15:32 . 2004-08-10 17:51 345600 ----a-w- c:\windows\system32\localspl.dll
    2009-04-17 12:26 . 2004-08-10 17:51 1847168 ----a-w- c:\windows\system32\win32k.sys
    2009-04-15 14:51 . 2004-08-10 17:51 585216 ----a-w- c:\windows\system32\rpcrt4.dll
    2007-11-14 02:35 . 2007-11-14 02:33 4280320 ----a-w- c:\program files\MouseWorks_PC_622.exe
    2006-04-21 20:18 . 2006-04-21 20:18 308863 ----a-w- c:\program files\01090285.cab
    2006-03-30 07:34 . 2006-03-30 07:34 488144 ----a-w- c:\program files\HJTsetup.exe
    2006-03-30 07:19 . 2006-03-30 07:19 318775 ----a-w- c:\program files\CleanUp40.exe
    2005-12-06 06:20 . 2005-12-06 06:20 895488 ----a-w- c:\program files\iview397.exe
    2007-06-07 06:04 . 2005-09-12 22:37 5642 --sha-w- c:\windows\system32\KGyGaAvL.sys
    .

    ------- Sigcheck -------

    Cryptography Services Error !!
    .
    ((((((((((((((((((((((((((((( SnapShot@2009-06-30_05.47.15 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2005-08-15 12:05 . 2005-08-15 12:05 72704 c:\windows\Installer\9509.msi
    + 2008-07-30 01:07 . 2008-07-30 01:07 23040 c:\windows\Installer\22afa2.msp
    + 2009-06-07 05:24 . 2009-06-07 05:24 88576 c:\windows\Installer\1d6846.msi
    + 2004-08-10 17:51 . 2004-08-04 10:00 2944 c:\windows\system32\dllcache\null.sys
    + 2004-08-10 17:50 . 2004-08-04 10:00 4224 c:\windows\system32\dllcache\beep.sys
    + 2008-08-26 04:31 . 2004-07-17 15:41 366080 c:\windows\ServicePackFiles\i386\digreqex.msi
    + 2008-08-26 04:31 . 2004-07-17 15:41 863232 c:\windows\ServicePackFiles\i386\digopt.msi
    + 2009-06-07 05:28 . 2009-06-07 05:28 652800 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\vs_setup.msi
    + 2007-08-16 07:03 . 2007-08-16 07:03 431104 c:\windows\Installer\cdc170b.msi
    + 2005-08-15 12:22 . 2005-08-15 12:22 655360 c:\windows\Installer\95e5.msi
    + 2005-08-15 12:21 . 2005-08-15 12:21 557056 c:\windows\Installer\95dc.msi
    + 2005-08-15 12:15 . 2005-08-15 12:15 407040 c:\windows\Installer\9557.msi
    + 2005-08-15 12:14 . 2005-08-15 12:14 157184 c:\windows\Installer\9550.msi
    + 2005-08-15 12:11 . 2005-08-15 12:11 194048 c:\windows\Installer\9529.msi
    + 2005-08-15 12:07 . 2005-08-15 12:07 293376 c:\windows\Installer\951d.msi
    + 2005-08-15 12:05 . 2005-08-15 12:05 669696 c:\windows\Installer\9505.msi
    + 2005-08-15 12:04 . 2005-08-15 12:04 256000 c:\windows\Installer\94fd.msi
    + 2005-08-15 12:03 . 2005-08-15 12:03 171008 c:\windows\Installer\94e3.msi
    + 2005-08-15 12:01 . 2005-08-15 12:01 275968 c:\windows\Installer\94df.msi
    + 2004-08-10 18:08 . 2004-08-10 18:08 264704 c:\windows\Installer\7506.msi
    + 2009-03-20 15:48 . 2009-03-20 15:48 183808 c:\windows\Installer\7059b2a.msp
    + 2007-04-06 23:46 . 2007-04-06 23:46 492032 c:\windows\Installer\6ea4b8a.msi
    + 2009-05-28 23:33 . 2009-05-28 23:33 236032 c:\windows\Installer\6d8f12.msi
    + 2007-07-14 01:52 . 2007-07-14 01:52 474624 c:\windows\Installer\56c440a.msi
    + 2008-11-13 01:45 . 2008-11-13 01:45 432640 c:\windows\Installer\50fe960.msi
    + 2007-04-07 18:08 . 2007-04-07 18:08 428544 c:\windows\Installer\3edb534.msi
    + 2006-05-09 00:09 . 2006-05-09 00:09 270336 c:\windows\Installer\2969520e.msi
    + 2008-12-13 13:58 . 2008-12-13 13:58 754688 c:\windows\Installer\243234.msp
    + 2009-06-07 05:28 . 2009-06-07 05:28 648192 c:\windows\Installer\243211.msi
    + 2008-07-30 01:23 . 2008-07-30 01:23 250880 c:\windows\Installer\22afab.msp
    + 2008-07-30 01:28 . 2008-07-30 01:28 278016 c:\windows\Installer\22afa9.msp
    + 2008-07-29 23:40 . 2008-07-29 23:40 291840 c:\windows\Installer\22afa7.msp
    + 2009-06-07 05:27 . 2009-06-07 05:27 137728 c:\windows\Installer\22afa1.msi
    + 2009-01-28 03:05 . 2009-01-28 03:05 870400 c:\windows\Installer\1ebdb85.msi
    + 2009-01-28 03:02 . 2009-01-28 03:02 381440 c:\windows\Installer\1ebdb7a.msi
    + 2008-07-29 21:35 . 2008-07-29 21:35 553472 c:\windows\Installer\1d684b.msp
    + 2008-07-29 21:33 . 2008-07-29 21:33 506368 c:\windows\Installer\1d6849.msp
    + 2008-07-29 21:37 . 2008-07-29 21:37 911360 c:\windows\Installer\1d6848.msp
    + 2006-04-04 04:06 . 2006-04-04 04:06 700928 c:\windows\Downloaded Installations\{B795A2EA-36AA-4DE5-8471-B3FE1A3A4237}\CLEA Exercise - The Classification of Stellar Spectra.msi
    + 2005-08-15 12:03 . 2005-08-15 12:03 413428 c:\windows\Downloaded Installations\{3AE813DE-06D6-4C11-AB7D-3832AA721F16}\Get High Speed Internet!.msi
    + 2004-08-10 17:51 . 2004-08-04 10:00 1326080 c:\windows\system32\webfldrs.msi
    + 2005-08-22 20:58 . 2005-08-15 11:59 9946112 c:\windows\system32\config\systemprofile\Local Settings\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142030}\Java 2 Runtime Environment, SE v1.4.2_03.msi
    + 2008-08-26 04:32 . 2004-08-04 10:00 1326080 c:\windows\ServicePackFiles\i386\webfldrs.msi
    + 2008-08-26 04:31 . 2004-07-17 15:41 5080576 c:\windows\ServicePackFiles\i386\msnmsgs.msi
    + 2007-05-25 16:08 . 2007-05-25 16:08 9609728 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp
    + 2009-06-05 06:00 . 2009-06-05 06:00 1563648 c:\windows\Installer\b1e20.msi
    + 2005-08-15 12:14 . 2005-08-15 12:14 1102848 c:\windows\Installer\9549.msi
    + 2005-08-15 12:14 . 2005-08-15 12:14 1096192 c:\windows\Installer\9542.msi
    + 2005-08-15 12:14 . 2005-08-15 12:14 1094656 c:\windows\Installer\953b.msi
    + 2005-08-15 12:08 . 2005-08-15 12:08 1187840 c:\windows\Installer\9521.msi
    + 2005-08-15 12:01 . 2005-08-15 12:01 1914880 c:\windows\Installer\94d9.msi
    + 2009-05-28 23:33 . 2009-05-28 23:33 1802240 c:\windows\Installer\6d8f17.msi
    + 2007-02-10 18:47 . 2007-02-10 18:47 3200000 c:\windows\Installer\6b233.msi
    + 2008-09-23 03:48 . 2008-09-23 03:48 3746304 c:\windows\Installer\613c25.msi
    + 2008-09-23 03:47 . 2008-09-23 03:47 1652224 c:\windows\Installer\613a99.msi
    + 2008-09-23 03:46 . 2008-09-23 03:46 8990208 c:\windows\Installer\613a94.msi
    + 2008-09-23 03:43 . 2008-09-23 03:43 1549312 c:\windows\Installer\6137ef.msi
    + 2008-09-23 03:43 . 2008-09-23 03:43 3152384 c:\windows\Installer\6137b3.msi
    + 2009-06-02 19:16 . 2009-06-02 19:16 1516544 c:\windows\Installer\59555.msi
    + 2004-08-10 18:09 . 2004-08-10 18:10 3443712 c:\windows\Installer\50c4.msi
    + 2005-08-30 16:20 . 2005-08-30 16:20 5864960 c:\windows\Installer\4e200a2.msp
    + 2008-12-13 13:57 . 2008-12-13 13:57 8397824 c:\windows\Installer\24321f.msp
    + 2008-07-29 23:26 . 2008-07-29 23:26 1043456 c:\windows\Installer\22afaa.msp
    + 2008-07-30 00:37 . 2008-07-30 00:37 2679808 c:\windows\Installer\22afa8.msp
    + 2008-07-30 01:15 . 2008-07-30 01:15 3697664 c:\windows\Installer\22afa6.msp
    + 2008-07-29 23:34 . 2008-07-29 23:34 1448448 c:\windows\Installer\22afa5.msp
    + 2008-07-30 00:22 . 2008-07-30 00:22 4137984 c:\windows\Installer\22afa4.msp
    + 2008-07-29 23:18 . 2008-07-29 23:18 3376640 c:\windows\Installer\22afa3.msp
    + 2008-01-27 21:56 . 2008-01-27 21:56 2051072 c:\windows\Installer\21302b.msi
    + 2008-07-29 21:45 . 2008-07-29 21:45 2543616 c:\windows\Installer\1d684f.msp
    + 2008-07-29 21:29 . 2008-07-29 21:29 2926080 c:\windows\Installer\1d684e.msp
    + 2008-07-29 21:41 . 2008-07-29 21:41 6487040 c:\windows\Installer\1d684d.msp
    + 2008-07-29 21:39 . 2008-07-29 21:39 3403264 c:\windows\Installer\1d684c.msp
    + 2008-07-29 21:43 . 2008-07-29 21:43 1013248 c:\windows\Installer\1d684a.msp
    + 2008-07-29 21:31 . 2008-07-29 21:31 6083072 c:\windows\Installer\1d6847.msp
    + 2009-02-13 23:04 . 2009-02-13 23:04 6423040 c:\windows\Installer\1b270.msi
    + 2008-10-02 03:58 . 2008-10-02 03:58 2428416 c:\windows\Installer\19b135.msi
    + 2008-10-02 03:55 . 2008-10-02 03:55 1780224 c:\windows\Installer\19b12f.msi
    + 2008-10-02 03:54 . 2008-10-02 03:54 1718272 c:\windows\Installer\19b12a.msi
    + 2008-10-02 03:54 . 2008-10-02 03:54 1725952 c:\windows\Installer\19b125.msi
    + 2008-10-02 03:53 . 2008-10-02 03:53 1954304 c:\windows\Installer\19b120.msi
    + 2008-10-02 03:53 . 2008-10-02 03:53 1826816 c:\windows\Installer\19b11b.msi
    + 2008-10-02 03:52 . 2008-10-02 03:52 1726976 c:\windows\Installer\19b116.msi
    + 2008-10-02 03:52 . 2008-10-02 03:52 1879040 c:\windows\Installer\19b111.msi
    + 2008-10-02 03:51 . 2008-10-02 03:51 1730048 c:\windows\Installer\19b10c.msi
    + 2008-10-02 03:50 . 2008-10-02 03:50 1761792 c:\windows\Installer\19b107.msi
    + 2008-10-02 03:50 . 2008-10-02 03:50 1735680 c:\windows\Installer\19b102.msi
    + 2008-10-02 03:49 . 2008-10-02 03:49 1744384 c:\windows\Installer\19b0fd.msi
    + 2008-10-02 03:48 . 2008-10-02 03:49 1842688 c:\windows\Installer\19b0f8.msi
    + 2008-10-02 03:48 . 2008-10-02 03:48 2159104 c:\windows\Installer\19b0f2.msi
    + 2008-10-02 03:45 . 2008-10-02 03:45 1715712 c:\windows\Installer\19b0ed.msi
    + 2008-10-02 03:45 . 2008-10-02 03:45 1715712 c:\windows\Installer\19b0e7.msi
    + 2008-10-02 03:44 . 2008-10-02 03:44 1716736 c:\windows\Installer\19b0e1.msi
    + 2008-10-02 03:44 . 2008-10-02 03:44 1715712 c:\windows\Installer\19b0db.msi
    + 2008-10-02 03:43 . 2008-10-02 03:43 1728000 c:\windows\Installer\19b0d5.msi
    + 2008-10-02 03:43 . 2008-10-02 03:43 1718272 c:\windows\Installer\19b0d0.msi
    + 2008-10-02 03:42 . 2008-10-02 03:42 1761792 c:\windows\Installer\19b0cb.msi
    + 2008-10-02 03:42 . 2008-10-02 03:42 1753088 c:\windows\Installer\19b0c6.msi
    + 2008-10-02 03:41 . 2008-10-02 03:41 1720832 c:\windows\Installer\19b0c1.msi
    + 2008-10-02 03:40 . 2008-10-02 03:40 2595840 c:\windows\Installer\19b0bc.msi
    + 2008-10-02 03:32 . 2008-10-02 03:32 1826304 c:\windows\Installer\19b0b7.msi
    + 2008-10-02 03:31 . 2008-10-02 03:31 1716736 c:\windows\Installer\19b0b2.msi
    + 2008-10-02 03:30 . 2008-10-02 03:30 1767424 c:\windows\Installer\19b0ad.msi
    + 2007-09-06 03:29 . 2007-09-06 03:29 2347520 c:\windows\Installer\147ac65d.msi
    + 2007-09-06 03:24 . 2007-09-06 03:24 2871296 c:\windows\Installer\147ac658.msi
    + 2007-04-10 07:27 . 2007-04-10 07:27 1392128 c:\windows\Installer\11147c2e.msi
    + 2007-07-12 15:22 . 2007-07-12 15:22 15256576 c:\windows\Installer\425b023.msp
    + 2008-12-13 14:21 . 2008-12-13 14:21 10473472 c:\windows\Installer\243229.msp
    + 2004-08-10 18:10 . 2004-08-10 18:10 19204096 c:\windows\Installer\1599f.msp
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "AIM "= "c:\program files\AIM\aim.exe" [2005-08-05 67160]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Dell Wireless Manager UI "= "c:\windows\system32\WLTRAY" [X]
    "SynTPLpr "= "c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-13 98304]
    "SynTPEnh "= "c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 536576]
    "PRONoMgrWired "= "c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-12-09 86016]
    "DVDLauncher "= "c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
    "DMXLauncher "= "c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
    "igfxhkcmd "= "c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
    "dla "= "c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
    "QuickTime Task "= "c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
    "ccApp "= "c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
    "vptray "= "c:\progra~1\SYMANT~1\VPTray.exe" [2007-10-08 125368]
    "kmw_run.exe "= "kmw_run.exe" - c:\windows\system32\kmw_run.exe [2006-08-03 106496]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
    Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2006-4-21 1466384]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmserver]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
    @="FSFilter System Recovery"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SRService]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"= %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"= c:\program files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"= c:\program files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL
    "c:\\Program Files\\America Online 9.0\\waol.exe"= c:\program files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0
    "c:\\Program Files\\AIM\\aim.exe"= c:\program files\AIM\aim.exe:*:Enabled:AOL Instant Messenger
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
    "EnableFirewall"= 0 (0x0)
    "DoNotAllowExceptions"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"= %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
    "c:\\Program Files\\AIM\\aim.exe"= c:\program files\AIM\aim.exe:*:Enabled:AOL Instant Messenger
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= c:\program files\Mozilla Firefox\firefox.exe:*:Enabled:Mozilla Firefox
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= c:\program files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour
    "c:\\Program Files\\iTunes\\iTunes.exe"= c:\program files\iTunes\iTunes.exe:*:Enabled:iTunes

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\GloballyOpenPorts\List]
    "1900:UDP"= 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
    "2869:TCP"= 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
    "139:TCP"= 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
    "445:TCP"= 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
    "137:UDP"= 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
    "138:UDP"= 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002
    "8085:TCP"= 8085:TCP:*:Enabled:sys

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/27/2009 9:02 PM 101936]
    S2 AdobeAlerter;Adobe LM Service AdobeAlerter;c:\windows\system32\f.exe service --> c:\windows\system32\f.exe service [?]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
    S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/7/2007 9:48 PM 116664]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HTTPFilter REG_MULTI_SZ HTTPFilter
    DcomLaunch REG_MULTI_SZ DcomLaunch TermService
    WudfServiceGroup REG_MULTI_SZ WUDFSvc
    eapsvcs REG_MULTI_SZ eaphost
    dot3svc REG_MULTI_SZ dot3svc

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    CryptSvc
    DMServer
    DHCP
    ERSvc
    EventSystem
    HidServ
    LanmanWorkstation
    Messenger
    Netman
    TrkWks
    W32Time
    WZCSVC
    wscsvc
    xmlprov
    WmdmPmSN
    napagent

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
    Alerter
    LmHosts


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    .
    Contents of the 'Scheduled Tasks' folder

    2009-05-02 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://netflix.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = iexplore
    IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
    TCP: {30B72F8C-B5D6-42A8-A31F-0C763A236CEF} = 213.174.139.72,10.0.1.1
    TCP: {6C16F812-16B7-45EA-9448-80DED32B879B} = 213.174.139.72,10.0.1.1
    FF - ProfilePath - c:\documents and settings\Marie\Application Data\Mozilla\Firefox\Profiles\ybls8b3a.default\
    FF - prefs.js: browser.startup.homepage - hxxps://mail.google.com
    FF - plugin: c:\documents and settings\Marie\Application Data\Mozilla\Firefox\Profiles\ybls8b3a.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPinfotl.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-07-07 16:29
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10b.exe,-101"

    [HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10b.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{8D8763AB-E93B-4812-964E-F04E0008FD50}\Version]
    @Denied: (A) (Everyone)
    "{21701DD0-9D7E-43f7-A1B2-E92ED6E90A51}"=hex:44,a0,d9,63,53,e5,7c,2e,a8,d2,68,
    66,05,cd,91,68,eb,8f,02,8c,00,2f,08,a0,53,10,c8,01

    [HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"

    [HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10b.ocx"
    "ThreadingModel"="Apartment"

    [HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"

    [HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"

    [HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10b.ocx, 1"

    [HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

    [HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"

    [HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"

    [HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"

    [HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10b.ocx"
    "ThreadingModel"="Apartment"

    [HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"

    [HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10b.ocx, 1"

    [HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

    [HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"

    [HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"

    [HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker2"

    [HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)

    [HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"

    [HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""

    [HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"

    [HKEY_LOCAL_MACHINE\SOFTWARESoftware\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(256)
    c:\windows\system32\WININET.dll
    c:\windows\system32\kmw_dll.dll
    c:\windows\system32\WOW32.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
    c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    c:\windows\system32\WLTRYSVC.EXE
    c:\windows\system32\BCMWLTRY.EXE
    c:\windows\system32\LEXBCES.EXE
    c:\windows\system32\LEXPPS.EXE
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Cisco Systems\VPN Client\cvpnd.exe
    c:\program files\Symantec AntiVirus\DefWatch.exe
    c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
    c:\program files\Common Files\Protexis\License Service\PSIService.exe
    c:\program files\Symantec AntiVirus\Rtvscan.exe
    c:\program files\Common Files\Symantec Shared\Security Center\symwsc.exe
    c:\program files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
    c:\windows\system32\WLTRAY.EXE
    c:\windows\system32\kmw_show.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2009-07-07 16:36 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-07-07 20:36
    ComboFix2.txt 2009-06-30 05:54
    ComboFix3.txt 2009-06-01 16:06

    Pre-Run: 7,657,594,880 bytes free
    Post-Run: 7,640,981,504 bytes free

    435 --- E O F --- 2009-07-01 14:28
     
  13. 2009/07/07
    Juliet

    Juliet Well-Known Member

    Welcome back


    Have you rebooted the machine to check internet connection?


    Let's check some settings on your system.
    In the Windows Control Panel, if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double click on Network Connections. Then right click on your default connection, usually Local Area Connection for Cable and DSL, and left click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says "Obtain DNS servers automatically".
    Press OK twice to get out of the properties screen and reboot if it asks.


    That option might not be available on some systems.
    Next go Start, Run and type cmd and hit OK
    now type:
    ipconfig /flushdns
    (note that a space between ipconfig and / is needed)
    then hit Enter, type exit and hit Enter again.


    * Go to Control Panel > Network Connections.
    * Right click on your Network icon & select "Repair"


    Alternately, if the Network icon appears in the notification area in the lower right corner of Desktop, right-click it, and then click Repair from the shortcut menu.





    Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
    This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

    Click on this link Here to see a list of programs that should be disabled.
    The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    Please open Notepad (*Do Not Use Wordpad!* or any other text editor than Notepad, or the script will fail) (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the CODE box below:
    Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.
    Code:
    Reglock::
    [HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    [HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    [HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
    [HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{8D8763AB-E93B-4812-964E-F04E0008FD50}\Version]
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8085:TCP"=-

    Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



    If you have restored internet connection, continue with the following.

    Please download ATF Cleaner by Atribune From Here and save it to your Desktop.
    Follow the instructions for the browser you use.
    Read the instructions about the cookies. Delete what you do not need.

    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache

    The rest are optional - if you want to remove the lot, check "Select All".
    Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
    If you use the Firefox or Opera browsers, you can use this program
    as a quick way to tidy those up as well.
    When you have finished, click on the Exit button in the Main menu.
    ========================



    NEXT**
    I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
    The below scan can take up to an hour or longer, so please be patient.

    *Note
    It is recommended to disable onboard antivirus and antispyware programs while performing scans, so there are no conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.



    Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

    Ensure your external and/or USB/Flash or Pen drives are inserted during the scan.


    Other available links
    Kaspersky Online Scanner or from here
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.

    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
      * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
      * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
      * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Once the scan is complete, click on View scan report. To obtain the report:
    Click on: Save Report As
    Next, in the Save as prompt, Save in area, select: Desktop
    In the File name area, use KScan or something similar. In Save as type, click the drop arrow and select:
    Text file [*.txt]
    Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

    (Note for Internet Explorer 7 users:
    If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    Or use Firefox with IE-Tab plugin
    https://addons.mozilla.org/en-US/firefox/addon/1419


    In your next reply post:
    ComboFix.txt
    Kaspersky log
    New HJT log taken after the above scans have run


    You may need several replies to post the requested logs, otherwise they might get cut off.


    How's your computer now?
     
  14. 2009/07/07
    Juliet

    Juliet Well-Known Member

    Also please do this for me


    Go to My Computer->Tools->Folder Options->View tab:
    • Under the Hidden files and folders heading:
    • Select - Show hidden files and folders.
    • Uncheck- Hide protected operating system files (recommended) option.
    • Also, make sure there is no checkmark beside Hide file extensions for known file types.
    • Click OK. (Remember to Hide files and folders once done)

    Please go to: VirusTotal




    • Click the Browse button and search for the following file: c:\windows\system32\_netman.dll_.vir
    • Click Open
    • Then click Send File
    • Please be patient while the file is scanned.
    • Once the scan results appear, please provide them in your next reply.
    If it says already scanned -- click "reanalyze now"
     
  15. 2009/07/08
    mtpeak

    mtpeak Inactive Thread Starter

    Hi,

    I still am unable to connect to the Internet. I've rebooted several times. I was able to do all the steps up until the repair. My wireless network can't be disabled and so it cannot go through with the repair. What should be my next steps?
     
  16. 2009/07/08
    Juliet

    Juliet Well-Known Member

    Will the computer work if plugged into DSL/Cable wire?

    I can see you have Dell Wireless Manager disabled in msconfig.
    Let's re-enable that and see if this helps.

    Go to Start > Run, type in msconfig then click on OK
    Go to the top and click on the Startup tab
    Scroll over the list of items and place a checkmark by c:\windows\system32\WLTRAY
    Click on Apply at the bottom, then OK
    Reboot.

    Now see if you have internet.
     
    Last edited: 2009/07/08
  17. 2009/07/08
    Juliet

    Juliet Well-Known Member

    A couple of other things to try.


    If behind a router.
    Turn off your computer. Turn off or unplug your router and unplug the cable going to it. Wait a minute. Reboot your computer and plug your router back in again. After re-establishing a connection (all the lights stop flashing and are steady), then plug in the cable.

    How to reset Internet Protocol (TCP/IP)
    http://support.microsoft.com/default.aspx?scid=kb;en-us;299357

    How to troubleshoot TCP/IP connectivity with Windows XP
    http://support.microsoft.com/kb/314067/
     
  18. 2009/07/08
    Juliet

    Juliet Well-Known Member

    Turn off computer. Disconnect router, and modem from power source for 30 seconds.
    Power them back on.
    Restart computer.

    If that doesn't work, bypass router, and connect computer straight to the modem.

    If that doesn't work...
    Go Start>Run (Start search in Vista), type in:
    cmd
    Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

    In Command Prompt window, type in following commands, and hit Enter after each one:
    ipconfig /flushdns
    ipconfig /registerdns
    ipconfig /release
    ipconfig /renew


    Restart computer.

    If that doesn't work...
    Go Start>Run (Start search in Vista), type in:
    cmd
    Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

    At Command Prompt, type in:
    netsh int ip reset reset.log
    Hit Enter.
    Type in:
    netsh winsock reset catalog
    Hit Enter.

    Restart computer.
     
  19. 2009/07/09
    mtpeak

    mtpeak Inactive Thread Starter

    Still no luck with plugging into cable internet and the box was already checked in start up. I just now saw the two latest messages you sent and will try them and get back to you.
     
  20. 2009/07/09
    Juliet

    Juliet Well-Known Member

    Let me know if anything from the last two suggestions work.
     
  21. 2009/07/17
    mtpeak

    mtpeak Inactive Thread Starter

    Hi Juliet,

    I've tried all that you suggested but with no luck. What do you think caused this connection problem? Anything else I can try?

    Thanks a lot.
     
