
Active Won't run programs, some kind of virus!

Discussion in 'Malware and Virus Removal Archive' started by DareDevil, 2009/07/31.

  1. 2009/07/31
    DareDevil

    DareDevil Inactive Thread Starter

    Joined:
    2009/07/31
    Messages:
    14
    Likes Received:
    0
    [Active] Won't run programs, some kind of virus!

    So here is my problem, after my computer rebooted I see black boxes everywhere from errors running start up programs. If I try to run any programs I get the same error...

    C:\PROGRA~1\Symantec\S32EVNT1.DLL An installable Virtual Device Driver failed Dll initialization. Choosed 'Close' to terminate the application.

    Ok so how do I fix this problem? I'm not running any Norton or Symantec products so I don't understand the sudden problem. The only thing I can run is Internet Explorer and it randomly gets intercepted by Windows Antivirus Pro (obviously a fake AV program) redirects. We are gonna have to go about this in a different way than anything I've seen on this forum... I've tried to download HijackThis and I get the same error when trying to install it. Seems to be a problem running any .exe files/programs. Can't run Malwarebytes (already had the program on the computer).

    I've tried to access registry using Run from start window... same error
    Tried cmd... same error

    And lastly I've checked for autoexec.nt and config.nt and replaced them in system 32 with the ones from repair as I've heard that could be a cause. However the files were not missing from system32. Please help me and Thank You in advance.
     
  2. 2009/07/31
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Welcome to WindowsBBS :)

    Your computer looks to be infected - I have moved your thread to the Malware & Virus Removal forum where one of our Malware analysts will advise you as to how to proceed.

    Please read this as indicated at the head of the forum and post the logs requested in this thread - if you can.
     


  4. 2009/07/31
    DareDevil

    DareDevil Inactive Thread Starter

    Joined:
    2009/07/31
    Messages:
    14
    Likes Received:
    0
    HJT log follows...

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:15:54 AM, on 7/31/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mirarsearch.com/?useie5=1&q=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mirarsearch.com/?useie5=1&q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: ICQSys (IE PlugIn) - {F54AF7DE-6038-4026-8433-CC30E3F17212} - C:\WINDOWS\system32\dddesot.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [PC Doc Pro Scheduler] C:\Program Files\PC Doc Pro v5\PC Doc Pro Scheduler.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - Global Startup: SATARAID5.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
    O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
    O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://asia.msi.com.tw
    O15 - Trusted Zone: http://global.msi.com.tw
    O15 - Trusted Zone: http://www.msi.com.tw
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
    O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O20 - AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
    O23 - Service: AntipyPro_12 (AntipPro2009_12) - Unknown owner - C:\WINDOWS\svchast.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 7873 bytes
     
    Last edited: 2009/07/31
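    A triage script for HijackThis logs like the one above, added here as an example; it is not part of the thread and not part of HijackThis. The sample input is a handful of entries copied from the posted log and embedded inline. It flags the patterns an analyst looks at first: a service binary whose name is one edit away from a core Windows binary (svchast.exe against svchost.exe), services with an unknown owner, orphaned BHO and service registrations, search keys pointing at an unfamiliar host, and AppInit_DLLs entries. The rule set, the severity labels and the trusted-host list are my own assumptions; note that a name-based check cannot flag dddesot.dll, which only the signature scan later identified.

```python
import re

# Core Windows binaries that malware commonly imitates with a one-letter change
# (svchast.exe vs svchost.exe in the log above is the textbook case).
CORE_BINARIES = ("svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                 "winlogon.exe", "services.exe", "explorer.exe")

# Assumption: hosts that IE's default search keys legitimately point at.
TRUSTED_SEARCH_HOSTS = ("go.microsoft.com", "www.microsoft.com", "search.msn.com")

# Sample input: a subset of the HijackThis entries from the post above.
HJT_SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mirarsearch.com/?useie5=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: ICQSys (IE PlugIn) - {F54AF7DE-6038-4026-8433-CC30E3F17212} - C:\WINDOWS\system32\dddesot.dll
O20 - AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
O23 - Service: AntipyPro_12 (AntipPro2009_12) - Unknown owner - C:\WINDOWS\svchast.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lookalike_of(filename):
    """Return the core binary that `filename` imitates (one edit away), else None."""
    for core in CORE_BINARIES:
        if filename != core and levenshtein(filename, core) == 1:
            return core
    return None


def host_of(url):
    m = re.match(r"https?://([^/]+)", url.strip())
    return m.group(1).lower() if m else ""


def triage_line(line):
    """Return (severity, reason) for one HijackThis entry, or None if nothing stands out."""
    line = line.strip()
    if line.startswith(("R0 - ", "R1 - ")):
        key, _, value = line[5:].partition(" = ")
        if any(k in key for k in ("Search Bar", "Search Page", "Default_Search_URL")) and value:
            host = host_of(value)
            if host and host not in TRUSTED_SEARCH_HOSTS:
                return ("medium", f"search setting redirected to {host}")
        return None
    if line.startswith(("O2 - BHO: ", "O3 - Toolbar: ")):
        if line.endswith("(no file)"):
            return ("low", "orphaned browser extension registration (no file)")
        return None
    if line.startswith("O20 - AppInit_DLLs: "):
        return ("info", "AppInit_DLLs is loaded into every GUI process; verify each DLL's vendor")
    if line.startswith("O23 - Service: "):
        parts = line[len("O23 - Service: "):].split(" - ")
        if len(parts) < 3:
            return None
        owner, path = parts[1], " - ".join(parts[2:])
        missing = path.endswith("(file missing)")
        name = basename(path.replace("(file missing)", ""))
        core = lookalike_of(name)
        if core:
            return ("high", f"service binary {name} imitates {core}")
        if owner == "Unknown owner" and missing:
            return ("low", "orphaned service entry, binary missing (uninstall remnant)")
        if owner == "Unknown owner":
            return ("medium", f"service binary {name} has no known vendor")
    return None


def triage(log_text):
    """Triage every line of a HijackThis log; returns [(severity, reason, line)]."""
    findings = []
    for line in log_text.splitlines():
        result = triage_line(line)
        if result:
            findings.append((result[0], result[1], line.strip()))
    return findings


if __name__ == "__main__":
    for severity, reason, entry in triage(HJT_SAMPLE):
        print(f"[{severity:6}] {reason}\n         {entry}")
```

    Run as-is it prints one finding per flagged entry; the svchast.exe service comes out as the only high-severity item, while the Symantec remnants and the nameless BHO are reported as low-severity clean-up, which matches what the analysts in this thread chose to chase first.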
  5. 2009/07/31
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    If you re-read this you were asked to run DDS and post .....
    HJT alone is no longer adequate.

    As a new member with less than 10 posts any post you make which contains a URL requires approval (moderation) before it is visible.
     
  6. 2009/07/31
    DareDevil

    DareDevil Inactive Thread Starter

    Joined:
    2009/07/31
    Messages:
    14
    Likes Received:
    0
    Ok sorry, I tried to run dds, but it just says not enough main memory to complete the sort.

    However an update... After getting HJT to run I was suddenly able to run .exe files, so I immediately ran malware bytes. Upon doing so it found 52 infections, but I can't find the report after it rebooted. The main problem has mysteriously been solved, however I'm sure there are some other things that need to be resolved so what is the problem with dds?
     
  7. 2009/07/31
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    I'll leave that for our Malware analysts to advise - Malware Removal is not within my area of competence :) - and only trained analysts are permitted to assist.
     
  8. 2009/07/31
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
  9. 2009/08/03
    DareDevil

    DareDevil Inactive Thread Starter

    Joined:
    2009/07/31
    Messages:
    14
    Likes Received:
    0
    Here is most recent MBAM Log, and the Windows Anti Virus Pro thing is back...

    Malwarebytes' Anti-Malware 1.39
    Database version: 2548
    Windows 5.1.2600 Service Pack 3

    8/3/2009 6:03:39 AM
    mbam-log-2009-08-03 (06-03-39).txt

    Scan type: Full Scan (C:\|E:\|)
    Objects scanned: 184927
    Time elapsed: 28 minute(s), 58 second(s)

    Memory Processes Infected: 2
    Memory Modules Infected: 0
    Registry Keys Infected: 7
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 3
    Files Infected: 41

    Memory Processes Infected:
    C:\Program Files\Windows Antivirus Pro\Windows Antivirus Pro.exe (Rogue.WindowsAntivirus) -> Unloaded process successfully.
    C:\WINDOWS\svchast.exe (Trojan.Dropper) -> Unloaded process successfully.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\antippro2009_12 (Trojan.Dropper) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\antippro2009_12 (Trojan.Dropper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{f54af7de-6038-4026-8433-cc30e3f17212} (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f54af7de-6038-4026-8433-cc30e3f17212} (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win AntiVirus Pro (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_ANTIPPRO2009_12 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Windows antiVirus pro (Rogue.Trace) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\WINDOWS\system32\desot.exe "%1" %*) Good: ( "%1" %*) -> Quarantined and deleted successfully.

    Folders Infected:
    C:\Program Files\Windows AntiVirus Pro (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
    c:\program files\windows antivirus pro\tmp (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
    c:\program files\windows antivirus pro\tmp\images (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Program Files\Windows Antivirus Pro\Windows Antivirus Pro.exe (Rogue.WindowsAntivirus) -> Quarantined and deleted successfully.
    C:\WINDOWS\svchast.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\dddesot.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
    c:\program files\windows antivirus pro\tmp\dbsinit.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\desot.exe (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
    c:\program files\windows antivirus pro\msvcm80.dll (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
    c:\program files\windows antivirus pro\msvcp80.dll (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
    c:\program files\windows antivirus pro\msvcr80.dll (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
    c:\program files\windows antivirus pro\tmp\wispex.html (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
    c:\program files\windows antivirus pro\tmp\images\i1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
    c:\program files\windows antivirus pro\tmp\images\i2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
    c:\program files\windows antivirus pro\tmp\images\i3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
    c:\program files\windows antivirus pro\tmp\images\j1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
    c:\program files\windows antivirus pro\tmp\images\j2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
    c:\program files\windows antivirus pro\tmp\images\j3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
    c:\program files\windows antivirus pro\tmp\images\jj1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
    c:\program files\windows antivirus pro\tmp\images\jj2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
    c:\program files\windows antivirus pro\tmp\images\jj3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
    c:\program files\windows antivirus pro\tmp\images\l1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
    c:\program files\windows antivirus pro\tmp\images\l2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
    c:\program files\windows antivirus pro\tmp\images\l3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
    c:\program files\windows antivirus pro\tmp\images\pix.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
    c:\program files\windows antivirus pro\tmp\images\t1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
    c:\program files\windows antivirus pro\tmp\images\t2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
    c:\program files\windows antivirus pro\tmp\images\up1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
    c:\program files\windows antivirus pro\tmp\images\up2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
    c:\program files\windows antivirus pro\tmp\images\w1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
    c:\program files\windows antivirus pro\tmp\images\w11.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
    c:\program files\windows antivirus pro\tmp\images\w2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
    c:\program files\windows antivirus pro\tmp\images\w3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
    c:\program files\windows antivirus pro\tmp\images\w3.jpg (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
    c:\program files\windows antivirus pro\tmp\images\wt1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
    c:\program files\windows antivirus pro\tmp\images\wt2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
    c:\program files\windows antivirus pro\tmp\images\wt3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\bennuar.old (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\sonhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\sysnet.dat (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\ppp3.dat (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\ppp4.dat (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\onhelp.htm (Rogue.Trace) -> Quarantined and deleted successfully.
     
    Last edited: 2009/08/03
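    Why no .exe would run: the MBAM entry for HKEY_CLASSES_ROOT\exefile\shell\open\command shows the launch command had been changed from the stock "%1" %* to run C:\WINDOWS\system32\desot.exe first, so every program start went through the rogue's loader; when that loader fails or is removed without the key being restored, nothing launches at all. The script below is an added example, not from the thread and not from Malwarebytes: it parses that log line, pulls out the interposed program, and checks whether a command value is the stock one, honouring quoted paths that contain spaces. The function names are my own.

```python
import re

# The registry value Windows uses to launch any .exe; this is the clean default.
CLEAN_EXEFILE_COMMAND = '"%1" %*'

# Constructed sample: the Broken.OpenCommand entry copied from the MBAM log above.
MBAM_LINE = (r"HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) "
             r'-> Bad: (C:\WINDOWS\system32\desot.exe "%1" %*) Good: ( "%1" %*) '
             r"-> Quarantined and deleted successfully.")


def split_command(command):
    """Split a shell\\open\\command value on whitespace while honouring double quotes.
    Windows paths are full of backslashes, so shlex in POSIX mode would mangle them."""
    tokens, current, in_quotes = [], "", False
    for ch in command:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append(current)
                current = ""
        else:
            current += ch
    if current:
        tokens.append(current)
    return tokens


def interposed_loader(command):
    """Return the program inserted ahead of "%1" in an exefile open command,
    or None when "%1" (the executable actually being launched) comes first."""
    tokens = split_command(command)
    if not tokens or tokens[0] == "%1":
        return None
    return tokens[0]


def exefile_command_is_clean(command):
    """True only for the stock value: the target itself, followed by its arguments."""
    return split_command(command) == ["%1", "%*"]


def parse_mbam_open_command(line):
    """Extract the (bad, good) command strings from an MBAM Broken.OpenCommand entry."""
    m = re.search(r"Bad: \((.*?)\) Good: \((.*?)\) ->", line)
    return (m.group(1), m.group(2)) if m else None


def explain(line):
    """One-line summary of what a Broken.OpenCommand entry means for the machine."""
    parsed = parse_mbam_open_command(line)
    if not parsed:
        return "not a Broken.OpenCommand entry"
    bad, good = parsed
    loader = interposed_loader(bad)
    return (f"every .exe launch was routed through {loader}; "
            f"restored value is clean: {exefile_command_is_clean(good)}")


if __name__ == "__main__":
    print(explain(MBAM_LINE))
```

    The same check applies to a live system: read the (default) value of that key, pass it to exefile_command_is_clean, and anything other than the target-first form is worth looking at, whatever the interposed file is called.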
  10. 2009/08/03
    DareDevil

    DareDevil Inactive Thread Starter

    Joined:
    2009/07/31
    Messages:
    14
    Likes Received:
    0
    And here is HJT....

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:23:19 AM, on 8/3/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\PC Doc Pro v5\PC Doc Pro Scheduler.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe "
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [PC Doc Pro Scheduler] C:\Program Files\PC Doc Pro v5\PC Doc Pro Scheduler.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - Global Startup: SATARAID5.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
    O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
    O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
    O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O20 - AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 8043 bytes
     
  11. 2009/08/03
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Welcome back


    MBAM log shows deletions?

    Did you run the Symantec/Norton removal tool?....I can see a couple of services remaining. We can remove those.


    Download Combofix© by sUBs from any of the links below.


    Save it to your desktop.

    Link 1
    Link 2


    • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files ".
    --------------------------------------------------------------------
    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    (Click on this link to see a list of programs that should be disabled.)
    http://www.bleepingcomputer.com/forums/topic114351.html

    Please leave the flash drive plugged in while completing the following.

    Double click on Combo-Fix.exe & follow the prompts.

    Please allow ComboFix to install, if needed, Windows Recovery Console. It is a simple procedure that will only take a few moments of your time.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




    No Validation is Required.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.



    ** Please Note:
    At times ComboFix may appear to stall, please be patient.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

    Please only run the tool once, ty.

    Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
    Don't select to run the Recovery Console as we don't need it.
    By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

    You may need several replies to post the requested logs, otherwise they might get cut off.
     
  12. 2009/08/04
    DareDevil

    DareDevil Inactive Thread Starter

    Joined:
    2009/07/31
    Messages:
    14
    Likes Received:
    0
    Ok I ran ComboFix, but it never produced the log. It said please wait while it made one but it never completed after 3 hours. Now the PC randomly stalls while doing things for about 20 secs at random intervals like it's out of memory or something if not run in safe mode. Please advise as to the next step I should follow. Kaspersky is detecting things now but it says it needs to restart to complete deletion, however after the restart it is still there. Again it tells me it needs to restart to complete removal.
     
  13. 2009/08/04
    DareDevil

    DareDevil Inactive Thread Starter

    Joined:
    2009/07/31
    Messages:
    14
    Likes Received:
    0
    Ok here is a ComboFix log. I had to run it a second time in order to get it to compile one though so I don't know if it's gonna be helpful.

    ComboFix 09-08-04.02 - owner 08/04/2009 16:06.3.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1502 [GMT -5:00]
    Running from: c:\documents and settings\owner\Desktop\ComboFix.exe
    AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    c:\windows\system32\drivers\str.sys

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_SKYNEToyrdlmlk
    -------\Legacy_MSNCACHE
    -------\Legacy_SOPIDKC


    ((((((((((((((((((((((((( Files Created from 2009-07-04 to 2009-08-04 )))))))))))))))))))))))))))))))
    .

    2009-08-04 21:01 . 2009-08-04 21:01 152576 ----a-w- c:\documents and settings\owner\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
    2009-08-04 12:37 . 2009-08-04 21:05 327712 --sha-w- c:\windows\system32\drivers\fidbox2.dat
    2009-08-04 12:37 . 2009-08-04 19:15 2956832 --sha-w- c:\windows\system32\drivers\fidbox.dat
    2009-08-04 11:51 . 2009-08-04 11:51 -------- d-----w- c:\program files\PrivacyCenter
    2009-07-31 07:15 . 2009-07-31 07:15 -------- d-----w- c:\program files\Trend Micro
    2009-07-26 03:59 . 2009-07-26 03:59 -------- d-----w- c:\program files\Common Files\SWF Studio
    2009-07-26 03:53 . 2009-07-26 04:07 -------- d-----w- C:\My Games
    2009-07-26 03:52 . 2009-07-26 03:52 -------- d-----w- C:\users
    2009-07-17 18:51 . 2009-07-17 18:52 -------- d-----w- c:\windows\system32\Adobe
    2009-07-13 19:26 . 2009-08-04 11:51 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2009-07-12 16:11 . 2009-07-12 16:11 272384 ----a-w- c:\documents and settings\owner\Application Data\Acreon\WowMatrix\Modules\curl.exe
    2009-07-12 16:11 . 2009-07-12 16:11 192512 ----a-w- c:\documents and settings\owner\Application Data\Acreon\WowMatrix\Libraries\wmweb.dll
    2009-07-12 16:11 . 2009-07-12 16:11 258048 ----a-w- c:\documents and settings\owner\Application Data\Acreon\WowMatrix\Libraries\wmzip.dll
    2009-07-12 16:10 . 2009-07-12 16:10 -------- d-----w- c:\documents and settings\owner\Application Data\Acreon
    2009-07-12 16:10 . 2009-07-26 06:40 -------- d-----w- c:\documents and settings\owner\Local Settings\Application Data\._Revolution_
    2009-07-10 20:26 . 2009-07-10 20:27 -------- d-----w- c:\documents and settings\owner\Application Data\Save
    2009-07-10 03:18 . 2009-07-10 03:18 -------- d-----w- c:\documents and settings\owner\Application Data\Flood Light Games
    2009-07-10 03:18 . 2009-07-10 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Flood Light Games
    2009-07-07 16:01 . 2009-07-07 16:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2009-07-07 16:00 . 2009-07-07 16:00 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-04 21:05 . 2009-08-04 12:37 2200 --sha-w- c:\windows\system32\drivers\fidbox2.idx
    2009-08-04 21:03 . 2008-04-15 05:21 -------- d-----w- c:\program files\Java
    2009-08-04 19:22 . 2009-06-29 22:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
    2009-08-04 19:15 . 2009-08-04 12:37 25228 --sha-w- c:\windows\system32\drivers\fidbox.idx
    2009-08-04 14:31 . 2009-06-27 04:26 -------- d-----w- c:\program files\World of Warcraft
    2009-08-04 11:52 . 2009-06-30 22:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-08-03 18:56 . 2009-06-29 07:23 1984 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-08-03 18:36 . 2009-06-30 22:19 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-08-03 18:36 . 2009-06-30 22:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-08-03 07:49 . 2008-09-03 01:18 -------- d-----w- c:\program files\Yahoo!
    2009-07-31 05:24 . 2008-06-01 17:48 -------- d-----w- c:\program files\Microsoft Silverlight
    2009-07-26 04:07 . 2009-06-11 09:20 -------- d-----w- c:\program files\RealArcade
    2009-07-25 10:23 . 2009-06-11 09:46 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-07-21 11:46 . 2009-06-29 22:34 208616 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\avp.exe
    2009-07-17 07:32 . 2009-05-06 15:34 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-07-15 14:12 . 2008-08-25 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-07-14 02:26 . 2008-04-15 22:31 -------- d-----w- c:\documents and settings\owner\Application Data\LimeWire
    2009-07-11 16:00 . 2009-05-06 08:46 -------- d-----w- c:\program files\MSN Games
    2009-07-10 03:15 . 2009-05-06 08:46 -------- d-----w- c:\program files\Oberon Media
    2009-07-07 14:09 . 2008-04-13 15:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2009-07-05 13:10 . 2009-07-05 13:10 -------- d-----w- c:\program files\Common Files\Futuremark Shared
    2009-07-05 13:10 . 2008-04-15 01:08 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-07-05 11:08 . 2009-07-05 10:30 -------- d-----w- c:\program files\PC Doc Pro v5
    2009-07-05 10:07 . 2009-07-05 10:07 -------- d-----w- c:\program files\Free Window Registry Repair
    2009-07-05 09:56 . 2009-07-05 09:54 -------- d-----w- c:\program files\RegistryPatrol3.0
    2009-07-05 09:54 . 2009-07-05 09:54 743621 ----a-w- c:\windows\system32\RPUpdates.zip
    2009-07-05 09:16 . 2009-07-05 09:16 -------- d-----w- c:\program files\KeyScrambler
    2009-07-05 07:35 . 2009-07-05 07:35 -------- d-----w- c:\program files\BurnInTest
    2009-07-05 07:35 . 2009-07-05 07:35 -------- d-----w- c:\documents and settings\All Users\Application Data\PassMark
    2009-07-05 07:16 . 2009-07-05 07:16 -------- d-----w- c:\documents and settings\owner\Application Data\IObit
    2009-07-05 07:16 . 2009-07-05 07:16 -------- d-----w- c:\program files\IObit
    2009-07-05 06:29 . 2009-07-05 06:29 -------- d-----w- c:\documents and settings\All Users\Application Data\SpinTop Games
    2009-07-05 06:20 . 2009-07-05 06:20 -------- d-----w- c:\documents and settings\owner\Application Data\GamesCafe
    2009-07-05 06:20 . 2009-07-05 06:20 4096 ----a-w- c:\windows\d3dx.dat
    2009-07-05 04:52 . 2009-07-05 04:52 -------- d-----w- c:\documents and settings\owner\Application Data\Oberonv1001
    2009-07-04 19:09 . 2009-07-04 19:09 -------- d-----w- c:\program files\CCleaner
    2009-07-03 17:09 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
    2009-07-01 05:34 . 2009-07-01 05:17 -------- d-----w- c:\program files\Setup Files
    2009-07-01 05:31 . 2009-07-01 05:31 -------- d-----w- c:\program files\Realtek AC97
    2009-07-01 05:29 . 2009-07-01 05:29 -------- d-----w- c:\program files\Silicon Image
    2009-07-01 05:24 . 2009-07-01 05:24 -------- d-----w- c:\program files\DIFX
    2009-07-01 02:44 . 2009-07-01 02:44 -------- d-----w- c:\program files\MSI
    2009-07-01 02:31 . 2008-04-13 15:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-07-01 02:30 . 2009-06-29 22:00 -------- d-----w- c:\program files\AGEIA Technologies
    2009-07-01 02:20 . 2009-07-01 02:20 -------- d-----w- c:\program files\SystemRequirementsLab
    2009-06-30 22:25 . 2009-06-30 22:25 -------- d-----w- c:\documents and settings\owner\Application Data\Malwarebytes
    2009-06-30 22:19 . 2009-06-30 22:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2009-06-30 22:19 . 2009-06-30 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-06-30 02:44 . 2009-06-29 19:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    2009-06-29 22:34 . 2009-06-29 22:24 94643 ----a-w- c:\windows\system32\drivers\klick.dat
    2009-06-29 22:34 . 2009-06-29 22:24 105395 ----a-w- c:\windows\system32\drivers\klin.dat
    2009-06-29 22:34 . 2008-01-29 22:29 33808 ----a-w- c:\windows\system32\drivers\klbg.sys
    2009-06-29 22:34 . 2009-06-29 22:34 33808 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\klbg.sys
    2009-06-29 22:34 . 2009-06-29 22:34 226832 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\XP\klif.sys
    2009-06-29 22:30 . 2008-04-13 15:27 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-06-29 22:23 . 2009-06-29 22:23 -------- d-----w- c:\program files\Kaspersky Lab
    2009-06-29 22:16 . 2009-06-29 22:16 69232 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-06-29 21:54 . 2008-04-15 05:06 -------- d-----w- c:\program files\ATI Technologies
    2009-06-29 07:20 . 2008-04-13 15:15 69232 ----a-w- c:\documents and settings\owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-06-29 06:59 . 2009-06-29 06:59 -------- d-----w- c:\program files\MSBuild
    2009-06-29 06:59 . 2009-06-29 06:59 -------- d-----w- c:\program files\Reference Assemblies
    2009-06-29 06:50 . 2008-08-25 05:13 -------- d-----w- c:\program files\Microsoft Works
    2009-06-27 11:06 . 2009-06-27 11:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Fugazo
    2009-06-27 07:07 . 2009-06-27 03:54 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
    2009-06-27 03:57 . 2009-06-27 03:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard
    2009-06-26 05:53 . 2009-06-26 05:53 -------- d-----w- c:\documents and settings\owner\Application Data\FloodLightGames
    2009-06-26 05:53 . 2009-06-26 05:53 -------- d-----w- c:\documents and settings\All Users\Application Data\FloodLightGames
    2009-06-26 04:40 . 2009-06-26 04:40 -------- d-----w- c:\documents and settings\owner\Application Data\iWin
    2009-06-25 21:45 . 2009-06-25 21:45 -------- d-----w- c:\documents and settings\owner\Application Data\TikGames
    2009-06-25 21:45 . 2009-06-25 21:45 -------- d-----w- c:\documents and settings\All Users\Application Data\TikGames
    2009-06-22 16:04 . 2009-06-22 16:04 152576 ----a-w- c:\documents and settings\owner\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
    2009-06-19 14:03 . 2008-08-18 02:43 -------- d-----w- c:\program files\Common Files\Adobe
    2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
    2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-06-13 23:14 . 2009-06-13 17:37 -------- d-----w- c:\documents and settings\All Users\Application Data\97328586
    2009-06-13 22:54 . 2009-06-13 22:54 -------- d-----w- c:\documents and settings\owner\Application Data\PC Tools
    2009-06-13 18:42 . 2009-06-13 17:37 -------- d-----w- c:\documents and settings\All Users\Application Data\17318594
    2009-06-12 03:14 . 2009-06-12 02:23 -------- d-----w- c:\documents and settings\owner\Application Data\Connectivity
    2009-06-12 02:22 . 2009-06-12 02:22 -------- d--h--r- c:\documents and settings\owner\Application Data\SecuROM
    2009-06-12 02:22 . 2009-06-12 02:22 3774 ----a-r- c:\documents and settings\owner\Application Data\Microsoft\Installer\{5E7C721D-B008-4269-A1C4-2CE7E9757983}\controlPanelIcon.exe
    2009-06-12 02:22 . 2009-06-12 02:22 3774 ----a-r- c:\documents and settings\owner\Application Data\Microsoft\Installer\{5E7C721D-B008-4269-A1C4-2CE7E9757983}\BoneTown.exe
    2009-06-12 02:22 . 2009-06-12 02:22 10134 ----a-r- c:\documents and settings\owner\Application Data\Microsoft\Installer\{5E7C721D-B008-4269-A1C4-2CE7E9757983}\SystemFolder_msiexec.exe
    2009-06-12 02:22 . 2009-06-11 06:59 -------- d-----w- c:\program files\Connectivity
    2009-06-11 09:45 . 2009-06-11 09:45 152576 ----a-w- c:\documents and settings\owner\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
    2009-06-11 09:44 . 2009-06-11 09:26 -------- d-----w- c:\program files\Zylom Games
    2009-06-11 09:43 . 2009-06-11 09:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Sandlot Games
    2009-06-11 09:42 . 2008-04-15 22:22 -------- d-----w- c:\program files\Google
    2009-06-11 09:27 . 2009-06-11 09:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
    2009-06-11 09:26 . 2009-06-11 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Zylom
    2009-06-11 09:10 . 2009-06-11 09:09 -------- d-----w- c:\program files\Yahoo! Games
    2009-06-11 09:10 . 2009-06-11 09:10 -------- d-----w- c:\program files\TryMedia
    2009-06-11 06:58 . 2009-06-11 06:59 286720 ----a-w- c:\windows\iun507.exe
    2009-06-11 06:25 . 2008-09-03 01:15 -------- d-----w- c:\program files\HP
    2009-06-11 05:41 . 2008-06-23 07:28 -------- d-----w- c:\program files\Diablo II
    2009-06-10 13:28 . 2009-06-10 13:28 3510272 ----a-w- c:\windows\system32\nvgames.dll
    2009-06-10 13:28 . 2009-06-10 13:28 4022272 ----a-w- c:\windows\system32\nvdisps.dll
    2009-06-10 13:28 . 2009-06-10 13:28 86016 ----a-w- c:\windows\system32\nvmctray.dll
    2009-06-10 13:28 . 2009-06-10 13:28 168004 ----a-w- c:\windows\system32\nvsvc32.exe
    2009-06-10 13:28 . 2009-06-10 13:28 143360 ----a-w- c:\windows\system32\nvcolor.exe
    2009-06-10 13:28 . 2009-06-10 13:28 13758464 ----a-w- c:\windows\system32\nvcpl.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-15 68856]
    "PC Doc Pro Scheduler"="c:\program files\PC Doc Pro v5\PC Doc Pro Scheduler.exe" [2009-06-16 183784]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-07-21 208616]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
    "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-06-10 1657376]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    SATARAID5.lnk - c:\program files\Silicon Image\3114 SATARAID5\sam.jar [2009-7-1 1578096]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"= 1 (0x1)
    "NoActiveDesktopChanges"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
    "c:\\Program Files\\World of Warcraft\\Launcher.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3724:TCP"= 3724:TCP:Blizzard Downloader
    "6112:TCP"= 6112:TCP:Blizzard Downloader

    R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 5:29 PM 33808]
    R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [7/5/2009 4:16 AM 114024]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 5:06 PM 24592]
    S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
    S2 smjilhb;smjilhb;\??\c:\windows\system32\drivers\imdfgqh.sys --> c:\windows\system32\drivers\imdfgqh.sys [?]
    S3 cpuz130;cpuz130;\??\c:\docume~1\owner\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\owner\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - JAVAQUICKSTARTERSERVICE

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    .
    Contents of the 'Scheduled Tasks' folder

    2009-07-29 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

    2009-08-03 c:\windows\Tasks\SmartDefrag.job
    - c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-07-05 14:22]
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    Notify-AtiExtEvent - (no file)


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.myspace.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
    DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-08-04 16:12
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-796845957-562591055-725345543-1003\Software\SecuROM\License information*]
    "datasecu"=hex:b7,0e,aa,18,0a,40,ac,e1,7c,97,a3,fc,8f,f4,f9,63,c0,3c,88,23,84,
    6c,28,4e,97,29,63,31,cc,06,2f,da,6a,cb,46,84,c0,86,31,a9,36,bb,e5,b6,61,02,\
    "rkeysecu"=hex:6d,dc,47,0e,16,97,38,19,9b,52,6a,9d,ff,95,93,8a
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3648)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2009-08-04 16:13
    ComboFix-quarantined-files.txt 2009-08-04 21:13

    Pre-Run: 30,986,375,168 bytes free
    Post-Run: 30,962,561,024 bytes free

    248 --- E O F --- 2009-07-31 05:10
     
  14. 2009/08/04
    DareDevil

    DareDevil Inactive Thread Starter

    Joined:
    2009/07/31
    Messages:
    14
    Likes Received:
    0
    And here is a new HJT:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:25:26 PM, on 8/4/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\PC Doc Pro v5\PC Doc Pro Scheduler.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [PC Doc Pro Scheduler] C:\Program Files\PC Doc Pro v5\PC Doc Pro Scheduler.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - Global Startup: SATARAID5.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
    O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
    O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
    O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 7267 bytes
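As an added example (not from this thread and not part of HijackThis itself), a small Python triage script that reads HijackThis-format lines and flags the entries a helper looks at first: orphaned entries whose target file is gone, O23 services reported with "Unknown owner", and O4 Run entries that name a bare executable rather than a full path. The sample log is constructed from a few of the entry types that appear in this thread; the function and pattern names are my own.

```python
import re
from typing import Dict, List

# Constructed sample in HijackThis v2 format: a handful of entry types seen
# in this thread, not a complete log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
"""

# Every HJT entry starts with a section code (R0, O2, O23, ...) followed by " - ".
HJT_LINE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# O4 body: HKLM\..\Run: [Name] <command line>
RUN_ENTRY = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
DRIVE_PATH = re.compile(r"[A-Za-z]:\\")


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Return the R/O entries of a HijackThis log; header and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if m:
            entries.append({"code": m.group("code"), "body": m.group("body"), "line": line})
    return entries


def triage_hjt(text: str) -> List[Dict[str, object]]:
    """Flag entries worth a second look. One finding per line, possibly with several reasons."""
    findings = []
    for entry in parse_hjt(text):
        body = entry["body"]
        reasons = []
        # HJT marks a registration whose target no longer exists; these are the
        # leftovers a helper removes first because nothing legitimate needs them.
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            reasons.append("orphaned entry: target file is gone")
        # A service binary without embedded vendor information is not proof of
        # malware, but it is the first thing to verify on disk.
        if entry["code"] == "O23" and " - Unknown owner - " in body:
            reasons.append("service reports no vendor/owner")
        # A Run value with a bare file name is resolved through the search path,
        # so it is worth confirming which binary actually loads.
        if entry["code"] == "O4":
            m = RUN_ENTRY.match(body)
            if m and not DRIVE_PATH.search(m.group("cmd")):
                reasons.append("Run entry uses a bare file name (resolved via search path)")
        if reasons:
            findings.append({"code": entry["code"], "line": entry["line"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f["code"], "|", "; ".join(f["reasons"]))
        print("   ", f["line"])
```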
     
  15. 2009/08/04
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Can you give me the file paths of what it's trying to delete or is saying is infected?


    Print this topic or save to notepad, it will make it easier for you to follow the instructions and complete all of the necessary steps as we will need to close all windows that are open later in the fix.



    Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

    The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.


    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
    This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

    Click on this link Here to see a list of programs that should be disabled.
    The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    Please open Notepad (*Do Not Use Wordpad!* or any other text editor than Notepad, or the script will fail): Start -> Run -> type notepad in the Open field -> OK, and copy and paste the text present inside the CODE box below:
    Save this as "CFScript.txt" including quotes, change the "Save as type" to "All Files", and place it on your desktop.
    Code:
    Folder::
    c:\documents and settings\All Users\Application Data\Symantec
    e:\docume~1\ADMINI~1\LOCALS~1\Temp\cpuz130
    File::
    c:\windows\system32\drivers\imdfgqh.sys
    Driver::
    cpuz130
    smjilhb
    ccEvtMgr
    ccPwdSvc
    ccSetMgr
    [screenshot: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    If there are internet issues afterward:

    *In IE: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "use a proxy server", or reconfigure the proxy server again in case you had set it previously.

    In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection, uncheck the proxy server and set it to No Proxy.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Please download ATF Cleaner by Atribune From Here and save it to your Desktop.
    Follow the instructions for the browser you use.
    Read the instructions about the cookies. Delete what you do not need.

    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache

    The rest are optional - if you want to remove the lot, check "Select All".
    Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
    If you use the Firefox or Opera browsers, you can use this program
    as a quick way to tidy those up as well.
    When you have finished, click on the Exit button in the Main menu.
    ========================



    NEXT**
    I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
    The below scan can take up to an hour or longer, so please be patient.

    This online scan is different than the purchased Antivirus for home users.

    *Note
    It is recommended to disable onboard antivirus and antispyware programs while performing scans, so there are no conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.



    Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

    Ensure your external and/or USB/Flash or Pen drives are inserted during the scan.


    Other available links
    Kaspersky Online Scanner or from here
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.

    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
      * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
      * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
      * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Once the scan is complete, click on View scan report To obtain the report:
    Click on: Save Report As
    Next, in the Save as prompt, Save in area, select: Desktop
    In the File name area, use KScan, or something similar In Save as type, click the drop arrow and select:
    Text file [*.txt]
    Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

    (Note for Internet Explorer 7 users: if at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    Or use Firefox with IE-Tab plugin
    https://addons.mozilla.org/en-US/firefox/addon/1419


    In your next reply post:
    ComboFix.txt
    Kaspersky log
    New HJT log taken after the above scans have run


    You may need several replies to post the requested logs, otherwise they might get cut off.
     
  16. 2009/08/04
    DareDevil

    DareDevil Inactive Thread Starter

    Joined:
    2009/07/31
    Messages:
    14
    Likes Received:
    0
    Here is the updated Combofix log, about to run the Kasp online scanner post will follow completion:

    ComboFix 09-08-04.02 - owner 08/04/2009 18:06.4.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1429 [GMT -5:00]
    Running from: c:\documents and settings\owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\owner\Desktop\CFScript.txt
    AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

    FILE ::
    "c:\windows\system32\drivers\imdfgqh.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Symantec
    c:\documents and settings\All Users\Application Data\Symantec\Common Client\settings.bak
    c:\documents and settings\All Users\Application Data\Symantec\Common Client\settings.dat
    c:\documents and settings\All Users\Application Data\Symantec\Common Client\Temp\ccdt.ph
    c:\documents and settings\All Users\Application Data\Symantec\LiveSubscribe\Catalog.LiveSubscribe
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Product.Inventory.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Settings.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\rmt.dat
    c:\documents and settings\All Users\Application Data\Symantec\wds.dat

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_CCEVTMGR
    -------\Legacy_CCSETMGR
    -------\Legacy_CPUZ130
    -------\Legacy_SMJILHB
    -------\Service_ccEvtMgr
    -------\Service_ccPwdSvc
    -------\Service_ccSetMgr
    -------\Service_cpuz130
    -------\Service_smjilhb


    ((((((((((((((((((((((((( Files Created from 2009-07-04 to 2009-08-04 )))))))))))))))))))))))))))))))
    .

    2009-08-04 21:01 . 2009-08-04 21:01 152576 ----a-w- c:\documents and settings\owner\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
    2009-08-04 12:37 . 2009-08-04 23:12 335904 --sha-w- c:\windows\system32\drivers\fidbox2.dat
    2009-08-04 12:37 . 2009-08-04 23:12 2956832 --sha-w- c:\windows\system32\drivers\fidbox.dat
    2009-08-04 11:51 . 2009-08-04 11:51 -------- d-----w- c:\program files\PrivacyCenter
    2009-07-31 07:15 . 2009-07-31 07:15 -------- d-----w- c:\program files\Trend Micro
    2009-07-26 03:59 . 2009-07-26 03:59 -------- d-----w- c:\program files\Common Files\SWF Studio
    2009-07-26 03:53 . 2009-07-26 04:07 -------- d-----w- C:\My Games
    2009-07-26 03:52 . 2009-07-26 03:52 -------- d-----w- C:\users
    2009-07-17 18:51 . 2009-07-17 18:52 -------- d-----w- c:\windows\system32\Adobe
    2009-07-13 19:26 . 2009-08-04 11:51 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2009-07-12 16:11 . 2009-07-12 16:11 272384 ----a-w- c:\documents and settings\owner\Application Data\Acreon\WowMatrix\Modules\curl.exe
    2009-07-12 16:11 . 2009-07-12 16:11 192512 ----a-w- c:\documents and settings\owner\Application Data\Acreon\WowMatrix\Libraries\wmweb.dll
    2009-07-12 16:11 . 2009-07-12 16:11 258048 ----a-w- c:\documents and settings\owner\Application Data\Acreon\WowMatrix\Libraries\wmzip.dll
    2009-07-12 16:10 . 2009-07-12 16:10 -------- d-----w- c:\documents and settings\owner\Application Data\Acreon
    2009-07-12 16:10 . 2009-07-26 06:40 -------- d-----w- c:\documents and settings\owner\Local Settings\Application Data\._Revolution_
    2009-07-10 20:26 . 2009-07-10 20:27 -------- d-----w- c:\documents and settings\owner\Application Data\Save
    2009-07-10 03:18 . 2009-07-10 03:18 -------- d-----w- c:\documents and settings\owner\Application Data\Flood Light Games
    2009-07-10 03:18 . 2009-07-10 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Flood Light Games
    2009-07-07 16:01 . 2009-07-07 16:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2009-07-07 16:00 . 2009-07-07 16:00 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-04 23:13 . 2009-06-29 22:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
    2009-08-04 23:12 . 2009-08-04 12:37 25228 --sha-w- c:\windows\system32\drivers\fidbox.idx
    2009-08-04 23:12 . 2009-08-04 12:37 2228 --sha-w- c:\windows\system32\drivers\fidbox2.idx
    2009-08-04 21:03 . 2008-04-15 05:21 -------- d-----w- c:\program files\Java
    2009-08-04 14:31 . 2009-06-27 04:26 -------- d-----w- c:\program files\World of Warcraft
    2009-08-04 11:52 . 2009-06-30 22:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-08-03 18:56 . 2009-06-29 07:23 1984 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-08-03 18:36 . 2009-06-30 22:19 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-08-03 18:36 . 2009-06-30 22:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-08-03 07:49 . 2008-09-03 01:18 -------- d-----w- c:\program files\Yahoo!
    2009-07-31 05:24 . 2008-06-01 17:48 -------- d-----w- c:\program files\Microsoft Silverlight
    2009-07-26 04:07 . 2009-06-11 09:20 -------- d-----w- c:\program files\RealArcade
    2009-07-25 10:23 . 2009-06-11 09:46 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-07-21 11:46 . 2009-06-29 22:34 208616 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\avp.exe
    2009-07-17 07:32 . 2009-05-06 15:34 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-07-15 14:12 . 2008-08-25 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-07-14 02:26 . 2008-04-15 22:31 -------- d-----w- c:\documents and settings\owner\Application Data\LimeWire
    2009-07-11 16:00 . 2009-05-06 08:46 -------- d-----w- c:\program files\MSN Games
    2009-07-10 03:15 . 2009-05-06 08:46 -------- d-----w- c:\program files\Oberon Media
    2009-07-05 13:10 . 2009-07-05 13:10 -------- d-----w- c:\program files\Common Files\Futuremark Shared
    2009-07-05 13:10 . 2008-04-15 01:08 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-07-05 11:08 . 2009-07-05 10:30 -------- d-----w- c:\program files\PC Doc Pro v5
    2009-07-05 10:07 . 2009-07-05 10:07 -------- d-----w- c:\program files\Free Window Registry Repair
    2009-07-05 09:56 . 2009-07-05 09:54 -------- d-----w- c:\program files\RegistryPatrol3.0
    2009-07-05 09:54 . 2009-07-05 09:54 743621 ----a-w- c:\windows\system32\RPUpdates.zip
    2009-07-05 09:16 . 2009-07-05 09:16 -------- d-----w- c:\program files\KeyScrambler
    2009-07-05 07:35 . 2009-07-05 07:35 -------- d-----w- c:\program files\BurnInTest
    2009-07-05 07:35 . 2009-07-05 07:35 -------- d-----w- c:\documents and settings\All Users\Application Data\PassMark
    2009-07-05 07:16 . 2009-07-05 07:16 -------- d-----w- c:\documents and settings\owner\Application Data\IObit
    2009-07-05 07:16 . 2009-07-05 07:16 -------- d-----w- c:\program files\IObit
    2009-07-05 06:29 . 2009-07-05 06:29 -------- d-----w- c:\documents and settings\All Users\Application Data\SpinTop Games
    2009-07-05 06:20 . 2009-07-05 06:20 -------- d-----w- c:\documents and settings\owner\Application Data\GamesCafe
    2009-07-05 06:20 . 2009-07-05 06:20 4096 ----a-w- c:\windows\d3dx.dat
    2009-07-05 04:52 . 2009-07-05 04:52 -------- d-----w- c:\documents and settings\owner\Application Data\Oberonv1001
    2009-07-04 19:09 . 2009-07-04 19:09 -------- d-----w- c:\program files\CCleaner
    2009-07-03 17:09 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
    2009-07-01 05:34 . 2009-07-01 05:17 -------- d-----w- c:\program files\Setup Files
    2009-07-01 05:31 . 2009-07-01 05:31 -------- d-----w- c:\program files\Realtek AC97
    2009-07-01 05:29 . 2009-07-01 05:29 -------- d-----w- c:\program files\Silicon Image
    2009-07-01 05:24 . 2009-07-01 05:24 -------- d-----w- c:\program files\DIFX
    2009-07-01 02:44 . 2009-07-01 02:44 -------- d-----w- c:\program files\MSI
    2009-07-01 02:31 . 2008-04-13 15:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-07-01 02:30 . 2009-06-29 22:00 -------- d-----w- c:\program files\AGEIA Technologies
    2009-07-01 02:20 . 2009-07-01 02:20 -------- d-----w- c:\program files\SystemRequirementsLab
    2009-06-30 22:25 . 2009-06-30 22:25 -------- d-----w- c:\documents and settings\owner\Application Data\Malwarebytes
    2009-06-30 22:19 . 2009-06-30 22:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2009-06-30 22:19 . 2009-06-30 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-06-30 02:44 . 2009-06-29 19:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    2009-06-29 22:34 . 2009-06-29 22:24 94643 ----a-w- c:\windows\system32\drivers\klick.dat
    2009-06-29 22:34 . 2009-06-29 22:24 105395 ----a-w- c:\windows\system32\drivers\klin.dat
    2009-06-29 22:34 . 2008-01-29 22:29 33808 ----a-w- c:\windows\system32\drivers\klbg.sys
    2009-06-29 22:34 . 2009-06-29 22:34 33808 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\klbg.sys
    2009-06-29 22:34 . 2009-06-29 22:34 226832 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\XP\klif.sys
    2009-06-29 22:30 . 2008-04-13 15:27 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-06-29 22:23 . 2009-06-29 22:23 -------- d-----w- c:\program files\Kaspersky Lab
    2009-06-29 22:16 . 2009-06-29 22:16 69232 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-06-29 21:54 . 2008-04-15 05:06 -------- d-----w- c:\program files\ATI Technologies
    2009-06-29 07:20 . 2008-04-13 15:15 69232 ----a-w- c:\documents and settings\owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-06-29 06:59 . 2009-06-29 06:59 -------- d-----w- c:\program files\MSBuild
    2009-06-29 06:59 . 2009-06-29 06:59 -------- d-----w- c:\program files\Reference Assemblies
    2009-06-29 06:50 . 2008-08-25 05:13 -------- d-----w- c:\program files\Microsoft Works
    2009-06-27 11:06 . 2009-06-27 11:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Fugazo
    2009-06-27 07:07 . 2009-06-27 03:54 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
    2009-06-27 03:57 . 2009-06-27 03:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard
    2009-06-26 05:53 . 2009-06-26 05:53 -------- d-----w- c:\documents and settings\owner\Application Data\FloodLightGames
    2009-06-26 05:53 . 2009-06-26 05:53 -------- d-----w- c:\documents and settings\All Users\Application Data\FloodLightGames
    2009-06-26 04:40 . 2009-06-26 04:40 -------- d-----w- c:\documents and settings\owner\Application Data\iWin
    2009-06-25 21:45 . 2009-06-25 21:45 -------- d-----w- c:\documents and settings\owner\Application Data\TikGames
    2009-06-25 21:45 . 2009-06-25 21:45 -------- d-----w- c:\documents and settings\All Users\Application Data\TikGames
    2009-06-22 16:04 . 2009-06-22 16:04 152576 ----a-w- c:\documents and settings\owner\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
    2009-06-19 14:03 . 2008-08-18 02:43 -------- d-----w- c:\program files\Common Files\Adobe
    2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
    2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-06-13 23:14 . 2009-06-13 17:37 -------- d-----w- c:\documents and settings\All Users\Application Data\97328586
    2009-06-13 22:54 . 2009-06-13 22:54 -------- d-----w- c:\documents and settings\owner\Application Data\PC Tools
    2009-06-13 18:42 . 2009-06-13 17:37 -------- d-----w- c:\documents and settings\All Users\Application Data\17318594
    2009-06-12 03:14 . 2009-06-12 02:23 -------- d-----w- c:\documents and settings\owner\Application Data\Connectivity
    2009-06-12 02:22 . 2009-06-12 02:22 -------- d--h--r- c:\documents and settings\owner\Application Data\SecuROM
    2009-06-12 02:22 . 2009-06-12 02:22 3774 ----a-r- c:\documents and settings\owner\Application Data\Microsoft\Installer\{5E7C721D-B008-4269-A1C4-2CE7E9757983}\controlPanelIcon.exe
    2009-06-12 02:22 . 2009-06-12 02:22 3774 ----a-r- c:\documents and settings\owner\Application Data\Microsoft\Installer\{5E7C721D-B008-4269-A1C4-2CE7E9757983}\BoneTown.exe
    2009-06-12 02:22 . 2009-06-12 02:22 10134 ----a-r- c:\documents and settings\owner\Application Data\Microsoft\Installer\{5E7C721D-B008-4269-A1C4-2CE7E9757983}\SystemFolder_msiexec.exe
    2009-06-12 02:22 . 2009-06-11 06:59 -------- d-----w- c:\program files\Connectivity
    2009-06-11 09:45 . 2009-06-11 09:45 152576 ----a-w- c:\documents and settings\owner\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
    2009-06-11 09:44 . 2009-06-11 09:26 -------- d-----w- c:\program files\Zylom Games
    2009-06-11 09:43 . 2009-06-11 09:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Sandlot Games
    2009-06-11 09:42 . 2008-04-15 22:22 -------- d-----w- c:\program files\Google
    2009-06-11 09:27 . 2009-06-11 09:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
    2009-06-11 09:26 . 2009-06-11 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Zylom
    2009-06-11 09:10 . 2009-06-11 09:09 -------- d-----w- c:\program files\Yahoo! Games
    2009-06-11 09:10 . 2009-06-11 09:10 -------- d-----w- c:\program files\TryMedia
    2009-06-11 06:58 . 2009-06-11 06:59 286720 ----a-w- c:\windows\iun507.exe
    2009-06-11 06:25 . 2008-09-03 01:15 -------- d-----w- c:\program files\HP
    2009-06-11 05:41 . 2008-06-23 07:28 -------- d-----w- c:\program files\Diablo II
    2009-06-10 13:28 . 2009-06-10 13:28 3510272 ----a-w- c:\windows\system32\nvgames.dll
    2009-06-10 13:28 . 2009-06-10 13:28 4022272 ----a-w- c:\windows\system32\nvdisps.dll
    2009-06-10 13:28 . 2009-06-10 13:28 86016 ----a-w- c:\windows\system32\nvmctray.dll
    2009-06-10 13:28 . 2009-06-10 13:28 168004 ----a-w- c:\windows\system32\nvsvc32.exe
    2009-06-10 13:28 . 2009-06-10 13:28 143360 ----a-w- c:\windows\system32\nvcolor.exe
    2009-06-10 13:28 . 2009-06-10 13:28 13758464 ----a-w- c:\windows\system32\nvcpl.dll
    2009-06-10 13:28 . 2009-06-10 13:28 229376 ----a-w- c:\windows\system32\nvmccs.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-08-04_21.12.08 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-08-04 23:13 . 2009-08-04 23:13 16384 c:\windows\Temp\Perflib_Perfdata_6f0.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PC Doc Pro Scheduler"="c:\program files\PC Doc Pro v5\PC Doc Pro Scheduler.exe" [2009-06-16 183784]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-15 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-07-21 208616]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
    "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-06-10 1657376]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    SATARAID5.lnk - c:\program files\Silicon Image\3114 SATARAID5\sam.jar [2009-7-1 1578096]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"= 1 (0x1)
    "NoActiveDesktopChanges"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
    "c:\\Program Files\\World of Warcraft\\Launcher.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3724:TCP"= 3724:TCP:Blizzard Downloader
    "6112:TCP"= 6112:TCP:Blizzard Downloader

    R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 5:29 PM 33808]
    R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [7/5/2009 4:16 AM 114024]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 5:06 PM 24592]
    S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    .
    Contents of the 'Scheduled Tasks' folder

    2009-07-29 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.myspace.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
    DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-08-04 18:14
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-796845957-562591055-725345543-1003\Software\SecuROM\License information*]
    "datasecu"=hex:b7,0e,aa,18,0a,40,ac,e1,7c,97,a3,fc,8f,f4,f9,63,c0,3c,88,23,84,
    6c,28,4e,97,29,63,31,cc,06,2f,da,6a,cb,46,84,c0,86,31,a9,36,bb,e5,b6,61,02,\
    "rkeysecu"=hex:6d,dc,47,0e,16,97,38,19,9b,52,6a,9d,ff,95,93,8a
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3952)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvsvc32.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-08-04 18:17 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-08-04 23:17
    ComboFix2.txt 2009-08-04 21:13

    Pre-Run: 30,975,983,616 bytes free
    Post-Run: 30,973,947,904 bytes free

    263 --- E O F --- 2009-07-31 05:10
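As an added illustration (not ComboFix's code, and no part of the posted instructions or logs), here is a small Python triage helper that parses lines in the ComboFix "Files Created" / "Find3M" format and flags the two things the helper in this thread homed in on: a freshly created kernel driver under system32\drivers (like imdfgqh.sys) and files carrying hidden+system attributes. The sample entries are constructed, modelled on the log above; the 14-day window and the reading of the attribute letters are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample entries in the line format ComboFix uses in its
# "Files Created" and "Find3M" sections (modelled on the log in this thread,
# not copied from it).
SAMPLE_ENTRIES = """\
2009-08-04 12:37 . 2009-08-04 23:12 335904 --sha-w- c:\\windows\\system32\\drivers\\fidbox2.dat
2009-08-04 11:51 . 2009-08-04 11:51 -------- d-----w- c:\\program files\\PrivacyCenter
2009-08-01 03:02 . 2009-08-01 03:02 24576 ----a-w- c:\\windows\\system32\\drivers\\imdfgqh.sys
2009-07-07 16:00 . 2009-07-07 16:00 -------- d-sh--w- c:\\documents and settings\\NetworkService\\IETldCache
2009-08-03 18:36 . 2009-06-30 22:19 38160 ----a-w- c:\\windows\\system32\\drivers\\mbamswissarmy.sys
2009-07-03 17:09 . 2004-08-04 12:00 915456 ----a-w- c:\\windows\\system32\\wininet.dll
"""

# <timestamp> . <timestamp> <size or "--------"> <8-char attribute field> <path>
LINE_RE = re.compile(
    r"^(?P<t1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<t2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[\w-]{8}) (?P<path>.+)$"
)
TS = "%Y-%m-%d %H:%M"


@dataclass
class Entry:
    first_seen: datetime    # earlier of the two timestamps on the line
    last_touched: datetime  # later of the two
    size: Optional[int]     # None for directories ("--------")
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        # A leading 'd' in the attribute field marks a directory ("d-----w-").
        return self.attrs[0] == "d"

    @property
    def hidden_system(self) -> bool:
        # Assumption: 's' and 'h' in the attribute field are the System and
        # Hidden attributes, as in "--sha-w-" in the posted log.
        return "s" in self.attrs[1:] and "h" in self.attrs[1:]


def parse_entries(text: str) -> List[Entry]:
    """Parse ComboFix file-listing lines; section banners and dots are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        t1 = datetime.strptime(m["t1"], TS)
        t2 = datetime.strptime(m["t2"], TS)
        size = None if m["size"].startswith("-") else int(m["size"])
        # The column order (created vs. modified) differs between the two
        # sections, so keep the earlier and later timestamp rather than trusting
        # the column position.
        entries.append(Entry(min(t1, t2), max(t1, t2), size, m["attrs"], m["path"]))
    return entries


def triage(entries: List[Entry], log_date: str, window_days: int = 14) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for entries an analyst should look at first.

    log_date is the ComboFix run time in "YYYY-MM-DD HH:MM" form.
    """
    cutoff = datetime.strptime(log_date, TS) - timedelta(days=window_days)
    findings: Dict[str, List[str]] = {}
    for e in entries:
        if e.is_dir:
            continue  # directories (e.g. IETldCache) are not flagged here
        reasons = []
        low = e.path.lower()
        # A .sys under system32\drivers whose earliest timestamp is recent is a
        # new kernel driver; a legitimately updated file (wininet.dll) or an
        # older driver that was merely modified (mbamswissarmy.sys) is not.
        if "\\system32\\drivers\\" in low and low.endswith(".sys") and e.first_seen >= cutoff:
            reasons.append("kernel driver first seen within %d days" % window_days)
        if e.hidden_system:
            reasons.append("hidden+system file")
        if reasons:
            findings[e.path] = reasons
    return findings


if __name__ == "__main__":
    for path, why in triage(parse_entries(SAMPLE_ENTRIES), "2009-08-04 18:06").items():
        print(path, "->", "; ".join(why))
```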
     
  17. 2009/08/04
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Good deal.

    The last CF log looks better, how's the computer now?
     
  18. 2009/08/04
    DareDevil

    DareDevil Inactive Thread Starter

    Joined:
    2009/07/31
    Messages:
    14
    Likes Received:
    0
    I attempted to run the Kaspersky online scanner, but was unable to do it. The error said I could not run it as I already had Kaspersky Internet Security 8.0 (9.0), so I continued and made a new HJT. The detected threats that Kaspersky picked up that aren't removing are:
    C:\WINDOWS\system32\drivers\imdfgqh.sys
    C:\WINDOWS\system32\drivers\str.sys
     
  19. 2009/08/04
    DareDevil

    DareDevil Inactive Thread Starter

    Joined:
    2009/07/31
    Messages:
    14
    Likes Received:
    0
    It is doing much better; it isn't pausing randomly anymore. Here is the new HJT:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:35:24 PM, on 8/4/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\PC Doc Pro v5\PC Doc Pro Scheduler.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [PC Doc Pro Scheduler] C:\Program Files\PC Doc Pro v5\PC Doc Pro Scheduler.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: SATARAID5.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
    O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
    O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
    O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 6451 bytes
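The O4/O9/O16/O23 lines above follow a fixed text format, so the first triage pass over a HijackThis log can be scripted. The following Python is an added example for this thread, not code from the original posts or from HijackThis itself: it parses those four line types into records and flags the entries a reviewer would normally look at first (a Run or service entry whose binary lives in a temp or user-writable folder, a service with no vendor name, and a startup shortcut whose target HijackThis could not resolve, like the SATARAID5.lnk line). The sample log is constructed: six lines are copied from the log above, and the 'z3h4k' and 'Fake Update' entries are hypothetical additions used only to exercise the flags.

```python
"""Parse HijackThis O4/O9/O16/O23 lines and flag the entries worth a second look.
Added example for this thread; not part of HijackThis or of the original posts."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the same format as the log above. The first three O4
# lines, the O9, the O16 and the Kaspersky O23 line are copied from that log;
# the 'z3h4k' and 'Fake Update' lines are hypothetical, added to exercise the flags.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [KernelFaultCheck] %systemroot%\\system32\\dumprep 0 -k
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - Global Startup: SATARAID5.lnk = ?
O4 - HKLM\\..\\Run: [z3h4k] C:\\Documents and Settings\\user\\Application Data\\z3h4k.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\\Program Files\\Messenger\\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2009\\avp.exe
O23 - Service: Fake Update (fupd) - Unknown owner - C:\\WINDOWS\\Temp\\fupd.exe
"""

# Folders a legitimate autostart or service binary rarely lives in.
WRITABLE_HINTS = ("\\temp\\", "\\application data\\", "\\local settings\\",
                  "\\appdata\\", "\\recycler\\")

# (section, regex) pairs; O4 has two shapes (Run key entry and Global Startup .lnk).
PATTERNS = [
    ("O4", re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<target>.*)$")),
    ("O4", re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<target>.*)$")),
    ("O9", re.compile(r"^O9 - (?P<kind>.+?): (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<target>.*)$")),
    ("O16", re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]+)\} \((?P<name>[^)]*)\) - (?P<target>.*)$")),
    ("O23", re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<target>.*)$")),
]


@dataclass
class Entry:
    section: str
    name: str
    target: str                       # command line, module path or URL
    extra: dict = field(default_factory=dict)
    flags: list = field(default_factory=list)


def executable_path(cmd: str) -> str:
    """Strip arguments from an O4 command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.(?:exe|dll|sys|com|bat|scr|lnk))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split(" ")[0]


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a supported section, None for anything else."""
    line = line.strip()
    for section, pat in PATTERNS:
        m = pat.match(line)
        if m:
            fields = m.groupdict()
            return Entry(section, fields.pop("name"), fields.pop("target"), fields)
    return None


def triage(e: Entry) -> list[str]:
    """Rules a reviewer applies by eye; each hit is a reason to look closer."""
    flags = []
    if e.section in ("O4", "O23"):
        if e.target.strip() == "?":
            flags.append("shortcut target could not be resolved")
        elif any(h in executable_path(e.target).lower() for h in WRITABLE_HINTS):
            flags.append("runs from a user-writable or temp location")
    if e.section == "O23" and e.extra.get("vendor", "").lower() == "unknown owner":
        flags.append("service binary carries no vendor name")
    return flags


def parse_log(text: str) -> list[Entry]:
    entries = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is not None:
            e.flags = triage(e)
            entries.append(e)
    return entries


def flagged(text: str) -> dict[str, list[str]]:
    """Map entry name -> reasons, for entries that tripped at least one rule."""
    return {e.name: e.flags for e in parse_log(text) if e.flags}


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        note = ("  <-- " + "; ".join(e.flags)) if e.flags else ""
        print(f"{e.section:<4} {e.name:<28} {e.target}{note}")
```

The flags are hints, not verdicts: a Run entry in a user profile folder is where plenty of legitimate updaters sit too, and an unresolved .lnk target (the SATARAID5 line above) usually just means the shortcut points at a removed program. What the script buys you is a short list to check by hand instead of reading every line.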
     
  20. 2009/08/04
    DareDevil

    DareDevil Inactive Thread Starter

    Joined:
    2009/07/31
    Messages:
    14
    Likes Received:
    0
    Well as far as the malware, the PC seems to be in much better condition... However, the delay in performing actions has returned. To better describe this, if I click on something or attempt to type something it takes an abnormal amount of time for it to process (5-20 sec). This happens consistently but not constantly. I can continue to input actions and they will happen after the "freeze" lets up a few seconds later. I'm not sure if this is a related problem, but this didn't happen before. But even when the PC actions cease I can move the mouse about the screen.
     
  21. 2009/08/04
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    I like the first part of the statement the best, lol,
    As to the delays I have no idea really what has brought that on unless a recent update to Kaspersky possibly.....
    Low memory/ram?
    The scan results from ComboFix show these files as being removed.
    By chance is the full file path pointing to C:\qoobox\Quarantinec:\windows\system32\drivers\imdfgqh.sys
    C:/System Volume/c:\windows\system32\drivers\imdfgqh.sys

    It does make a difference.




    Let's try a different online scanner....

    Perform an online scan with Panda ActiveScan
    * Click on Scan Your PC Now
    * A "pop up" window will appear, or a new tab will open.
    * Click on Register
    * Choose the option you like most, but we recommend the Free Registration.

    Click on Register
    # Enter your e-mail address, and create a password.
    # Select "I do not want to receive any type of information ". (unless you want to receive such information)
    # Click on Send
    # Confirm registration, and continue by entering your user name and password, then click on Enter
    # Select Full Scan, then Click on Scan Now
    # Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
    # If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
    # Please ignore the offer to buy the program. Click on Export To

    * Export the log and save it to your desktop.
    * Please post the contents of that log in your next reply.
    * Turn off the real time scanner of any existing antivirus program while performing the online scan.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NEXT** download GMER Rootkit Scanner from here.
    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
    • In the right panel, you will see several boxes that have been checked.

      Uncheck the following ...


      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in ark.txt
    Save it where you can easily find it, such as your desktop then post the contents here.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take action on any <---- ROOTKIT entries



    In your next reply please post:
    Panda log
    ark.txt




    You may need several replies to post the requested logs, otherwise they might get cut off.
     
    Last edited: 2009/08/04
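Juliet's question about where the scanner found imdfgqh.sys is a general triage step, not specific to this thread: a copy inside ComboFix's quarantine folder or inside a System Restore point is inert, while the same filename at its original path means the driver is back. The following Python is an added example, not code from this thread, from ComboFix or from Panda. It assumes ComboFix's usual quarantine layout (C:\Qoobox\Quarantine\<drive>\<original path> with .vir appended) and the usual restore-point path shape (System Volume Information\_restore{GUID}\RP<n>\). The sample report is constructed: the driver name is the one named in the thread, the GUID and RP number are made up.

```python
"""Tell a live detection from an inert one by where the scanner found the file.
Added example for this thread; not ComboFix's or Panda's own code."""
import re
from typing import NamedTuple

# Assumed layouts: ComboFix moves what it removes to C:\Qoobox\Quarantine\<drive>\
# <original path> and appends ".vir"; System Restore keeps copies under
# System Volume Information\_restore{GUID}\RP<n>\.
QOOBOX = re.compile(
    r"^[A-Za-z]:\\qoobox\\quarantine\\(?P<drive>[A-Za-z])\\(?P<rest>.+?)(?:\.vir)?$", re.I)
RESTORE = re.compile(
    r"^[A-Za-z]:\\system volume information\\_restore\{[0-9a-f-]+\}\\RP\d+\\", re.I)


class Hit(NamedTuple):
    reported: str    # path as the scanner printed it
    state: str       # "live", "combofix-quarantine" or "restore-point"
    original: str    # where the file originally ran from (best effort)


def classify(path: str) -> Hit:
    """Classify one reported path; forward slashes are normalised first."""
    p = path.strip().replace("/", "\\")
    m = QOOBOX.match(p)
    if m:
        # Rebuild the pre-quarantine location so it can be checked for a live copy.
        return Hit(p, "combofix-quarantine", f"{m['drive'].upper()}:\\{m['rest']}")
    if RESTORE.match(p):
        return Hit(p, "restore-point", p)
    return Hit(p, "live", p)


def triage_report(lines) -> dict:
    """Split a list of reported paths into what needs action and what does not."""
    hits = [classify(line) for line in lines if line.strip()]
    return {
        "live": [h.original for h in hits if h.state == "live"],
        "inert": [h.reported for h in hits if h.state != "live"],
    }


# Constructed sample: the driver name comes from the thread; the restore-point
# GUID and RP number are made up.
SAMPLE_REPORT = [
    "C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\drivers\\imdfgqh.sys.vir",
    "C:\\System Volume Information\\_restore{0A1B2C3D-0000-1111-2222-333344445555}\\RP12\\A0001234.sys",
    "C:\\WINDOWS\\system32\\drivers\\imdfgqh.sys",
]

if __name__ == "__main__":
    for h in (classify(p) for p in SAMPLE_REPORT):
        print(f"{h.state:<20} {h.original}")
```

Anything the report lists as live is what the next scan and log should concentrate on; the inert copies are why the full path matters, since a scanner that flags the quarantined .vir file is not telling you the machine has been reinfected.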
