Solved AV Sites Blocked, No Task Mgr or Regedit

[Resolved] AV Sites Blocked, No Task Mgr or Regedit

Trying to regain full access on this PC. Anti-virus and Microsoft sites blocked. Task manager and registry editor is disabled. All of the above symptoms are non-existent in Safe Mode.

Steps taken so far:

Ran online scan from BitDefender.
Installed XP SP3.
Ran Malwarebyte's Anti-Malware.


DDS (Ver_09-01-07.01) - NTFSx86
Run by Cad at 21:04:21.43 on Tue 01/27/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.263 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Pwrchute\ups.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SYSTMEM.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\HPJETDSC.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Cad\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.dellnet.com
mDefault_Page_URL = hxxp://www.dellnet.com
mStart Page = hxxp://www.dellnet.com
uInternet Connection Wizard,ShellNext = hxxp://www.mcafee.com/myaccount/default.asp?area=myaccount&oemid=1790-642
mWinlogon: Shell=Explorer.exe %PROGRAMFILES%\SYSTMEM.EXE
mWinlogon: SFCDisable=-99 (0xffffff9d)
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: MoneySide: {d6a116e7-5906-42e4-87f6-e7e15936415e} - c:\program files\microsoft money\system\mnyside.dll
uRun: [HP JetDiscovery] HPJETDSC.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe "
mRun: [BuildBU] c:\dell\bldbubg.exe
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\photosmart\hp share-to-web\hpgs2wnd.exe
mRun: [CXMon] "c:\program files\hewlett-packard\photosmart\photo imaging\Hpi_Monitor.exe "
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe "
mRun: [<NO NAME>]
mRun: [POINTER] point32.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SYSTMEM.EXE] c:\program files\\SYSTMEM.EXE
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [vptray] c:\program files\navnt\vptray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
Trusted Zone: microsoft.com\www
Trusted Zone: symantec.com\www
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

============= SERVICES / DRIVERS ===============

R4 NAVAPEL;NAVAPEL;c:\program files\navnt\Navapel.sys [2001-9-24 9232]
R4 Norton AntiVirus Server;Norton AntiVirus Client;c:\program files\navnt\rtvscan.exe [2001-9-24 454656]
R4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2003-4-30 23296]
S4 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2003-4-30 225375]
S4 MCVSRte;McAfee.com VirusScan Online Realtime Engine;c:\progra~1\mcafee.com\vso\mcvsrte.exe [2003-4-30 94208]
S4 ptlpw;Monitor Network;c:\windows\system32\svchost.exe -k netsvcs [2002-8-29 14336]

=============== Created Last 30 ================

2009-01-27 20:19 <DIR> --d----- c:\docume~1\cad\applic~1\Malwarebytes
2009-01-27 20:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-27 20:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-27 20:19 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-27 20:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-27 20:14 0 a------- c:\windows\VPC32.INI
2009-01-27 20:13 120,379 a------- c:\windows\system32\SYMEVNT.386
2009-01-27 20:13 57,696 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-27 20:13 36,864 a------- c:\windows\system32\S32EVNT1.DLL
2009-01-27 20:13 4,032 a------- c:\windows\system32\SYMEVNT1.DLL
2009-01-27 20:13 <DIR> --d----- c:\windows\system32\CBA
2009-01-27 20:13 <DIR> --d----- c:\program files\Symantec
2009-01-27 20:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-01-27 20:13 <DIR> --d----- c:\program files\NavNT
2009-01-27 20:13 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-01-27 20:03 31,768 a------- c:\windows\system32\wucltui.dll.mui
2009-01-27 20:03 18,456 a------- c:\windows\system32\wuaueng.dll.mui
2009-01-27 20:03 23,576 a------- c:\windows\system32\wuaucpl.cpl.mui
2009-01-27 20:03 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-01-27 19:55 33,367 a------- C:\z8g5q3d3n2s9.exe
2009-01-27 19:38 <DIR> --d----- c:\windows\system32\scripting
2009-01-27 19:38 <DIR> --d----- c:\windows\l2schemas
2009-01-27 19:38 <DIR> --d----- c:\windows\system32\en
2009-01-27 19:38 <DIR> --d----- c:\windows\system32\bits
2009-01-27 19:38 <DIR> --d----- c:\windows\peernet
2009-01-27 19:28 19,569 a------- c:\windows\002509_.tmp
2009-01-27 19:27 26,488 a------- c:\windows\system32\spupdsvc.exe
2009-01-27 19:24 <DIR> --d----- c:\windows\EHome
2009-01-03 05:03 659,968 ---shr-- c:\program files\SYSTMEM.EXE

==================== Find3M ====================

2009-01-27 20:32 3,103 a------- c:\windows\system32\HPANT.DAT
2009-01-27 19:43 83,307 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-14 10:29 91,792 ac------ c:\docume~1\cad\applic~1\GDIPFONTCACHEV1.DAT
2008-12-22 09:38 117,364 a------- c:\windows\hpoins11.dat
2002-08-29 04:00 94,784 -c-sh--- c:\windows\TWAIN.DLL
2008-04-14 05:42 50,688 ---sh--- c:\windows\twain_32.dll
2002-08-29 04:00 161,612 a--shr-- c:\windows\system32\esdezpb.dll
2008-04-14 05:41 1,028,096 ---sh--- c:\windows\system32\mfc42.dll
2008-04-14 05:42 57,344 ---sh--- c:\windows\system32\msvcirt.dll
2008-04-14 05:42 413,696 a--sh--- c:\windows\system32\msvcp60.dll
2008-04-14 05:42 343,040 a--sh--- c:\windows\system32\msvcrt.dll
2008-04-14 05:42 551,936 ---sh--- c:\windows\system32\oleaut32.dll
2008-04-14 05:42 84,992 ---sh--- c:\windows\system32\olepro32.dll
2008-04-14 05:42 11,776 ---sh--- c:\windows\system32\regsvr32.exe

============= FINISH: 21:04:37.68 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-01-07.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 5/2/2003 2:38:52 PM
System Uptime: 1/27/2009 8:33:08 PM (1 hours ago)

Motherboard: Dell Computer Corp. | | 0J0592
Processor: Intel(R) Pentium(R) 4 CPU 2.53GHz | Microprocessor | 2524/533mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 56 GiB total, 39.822 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ROOT\UNKNOWN\0001
Manufacturer:
Name:
PNP Device ID: ROOT\UNKNOWN\0001
Service:

==== System Restore Points ===================

RP1: 1/3/2009 12:45:14 AM - System Checkpoint
RP2: 1/4/2009 1:11:05 AM - System Checkpoint
RP3: 1/5/2009 1:14:03 AM - System Checkpoint
RP4: 1/6/2009 2:14:00 AM - System Checkpoint
RP5: 1/7/2009 3:14:00 AM - System Checkpoint
RP6: 1/8/2009 2:26:55 PM - System Checkpoint
RP7: 1/9/2009 2:55:06 PM - System Checkpoint
RP8: 1/10/2009 3:07:46 PM - System Checkpoint
RP9: 1/11/2009 3:59:25 PM - System Checkpoint
RP10: 1/12/2009 4:59:26 PM - System Checkpoint
RP11: 1/13/2009 5:55:03 PM - System Checkpoint
RP12: 1/14/2009 6:55:04 PM - System Checkpoint
RP13: 1/15/2009 7:20:45 PM - System Checkpoint
RP14: 1/16/2009 8:16:01 PM - System Checkpoint
RP15: 1/17/2009 8:22:56 PM - System Checkpoint
RP16: 1/18/2009 9:22:56 PM - System Checkpoint
RP17: 1/19/2009 10:20:36 PM - System Checkpoint
RP18: 1/20/2009 11:13:02 PM - System Checkpoint
RP19: 1/22/2009 12:13:01 AM - System Checkpoint
RP20: 1/23/2009 1:13:01 AM - System Checkpoint
RP21: 1/24/2009 2:13:01 AM - System Checkpoint
RP22: 1/26/2009 8:21:06 PM - Restore Operation
RP23: 1/26/2009 8:40:03 PM - Restore Operation
RP24: 1/27/2009 7:57:06 PM - Installed Windows Defender
RP25: 1/27/2009 8:13:09 PM - Installed Norton AntiVirus Corporate Edition

==== Installed Programs ======================

6300
6300_Help
6300Trb
ACDSee
Adobe Acrobat 5.0
Adobe Acrobat 7.0 Professional
Adobe Flash Player 10 ActiveX
Adobe Photoshop 7.0.1
AiO_Scan_CDA
AiOSoftwareNPI
America Online
AnswerWorks Runtime
AOL Coach Version 1.0(Build:20020823.1)
Autodesk Architectural Desktop 3.3
BCM V.92 56K Modem
BufferChm
CP_CalendarTemplates1
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Panorama1Config
cp_PosterPrintConfig
CueTour
CustomerResearchQFolder
DAO
Dell Picture Studio - Dell Image Expert
Dell Solution Center
Dell Support
Destinations
DeviceManagementQFolder
DiMAGE Viewer
DocProc
DocProcQFolder
DocumentViewer
DocumentViewerQFolder
DVDSentry
EarthLink Free Trial
Earthlink Installer - uninstall 'Earthlink 5.0' entry first if present
Easy CD Creator 5 Basic
ELNKInst
eSupportQFolder
exPressit S.E. 2.1
Fax_CDA
FullDPAppQFolder
Help and Support Customization
HP Customer Participation Program 7.0
HP Document Viewer 7.0
HP Imaging Device Functions 7.0
HP Photo Imaging Software
HP Photo Printing Software
HP Photosmart Premier Software 6.5
HP Photosmart, Officejet and Deskjet 7.0.A
HP Share-to-Web
HP Software Update
HP Solution Center 7.0
HPPhotoSmartExpress
HPProductAssistant
InstantShareDevices
InstantShareDevicesMFC
Intel(R) PRO Ethernet Adapter and Software
Intel(R) PROSet II
JetAdmin v3.42
LiveUpdate 1.6 (Symantec Corporation)
Malwarebytes' Anti-Malware
MarketResearch
McAfee.com SecurityCenter
McAfee.com VirusScan Online
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.1
Microsoft Encarta Encyclopedia Standard 2003
Microsoft IntelliPoint 4.1
Microsoft Money 2003
Microsoft Money 2003 System Pack
Microsoft Picture It! Photo 7.0
Microsoft Streets and Trips 2002
Microsoft Word 2002
Microsoft Works 2003 Setup Launcher
Microsoft Works 4.0
Microsoft Works 7.0
Microsoft Works Suite Add-in for Microsoft Word
Modem Helper
MUSICMATCH Jukebox
NewCopy_CDA
Norton AntiVirus Corporate Edition
NVIDIA Windows 2000/XP Display Drivers
OCR Software by I.R.I.S 7.0
Paint Shop Pro 7
PanoStandAlone
PhotoGallery
PowerChute plus 5.2.1
PowerDVD
ProductContextNPI
Qualxserve Service Agreement
QuickTime
RandMap
Readme
RealOne Player
Scan
ScannerCopy
Shockwave
SkinsHP1
SlideShow
SolutionCenter
Sonic_PrimoSDK
Status
StoneCAD 4.02
Toolbox
TrayApp
Unload
Viewpoint Media Player (Remove Only)
WebFldrs XP
WebReg
Windows Defender
Windows XP Service Pack 3
Works Suite OS Pack

==== Event Viewer Messages From Past Week ========

1/26/2009 8:26:32 PM, error: Service Control Manager [7023] - The Monitor Network service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
1/26/2009 8:23:52 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments " " in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
1/26/2009 8:20:49 PM, error: NetBT [4311] - Initialization failed because the driver device could not be created.
1/25/2009 4:31:31 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Service Controler service, but this action failed with the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
1/25/2009 4:31:31 PM, error: Service Control Manager [7031] - The Service Controler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 3000 milliseconds: Restart the service.
1/26/2009 8:34:35 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/26/2009 8:34:58 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments " " in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
1/26/2009 8:35:57 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
1/26/2009 8:35:57 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/26/2009 8:35:57 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/26/2009 8:35:57 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: cdudf_xp Fips IPSec MRxSmb NetBIOS NetBT Processor RasAcd Rdbss Tcpip
1/26/2009 8:43:18 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments " " in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
1/26/2009 8:44:13 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: cdudf_xp Fips Processor
1/27/2009 7:51:20 PM, error: Service Control Manager [7023] - The Portable Media Serial Number service terminated with the following error: The specified module could not be found.
1/27/2009 7:57:59 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments " " in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
1/27/2009 8:01:43 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: cdudf_xp Fips intelppm
1/27/2009 8:03:44 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments " " in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

==== End Of File ===========================

 

Welcome to WindowsBBS gsievers

Please visit the following webpage for instructions for downloading and running ComboFix

How to use ComboFix


Download ComboFix by sUBs from here, saving the file to your desktop.


Disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

• Close all open programs and windows
• Double click ComboFix.exe and follow the prompts.
• It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log in your next reply.

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

**NOTE - I recommend you allow the Recovery Console to be downloaded and installed if or when prompted.

 

I can now access RegEdit and my Task Manager.

Access to Microsoft, Symantec, etc. still limited.


ComboFix Log:

ComboFix 09-01-31.01 - Cad 2009-01-31 13:24:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.325 [GMT -6:00]
Running from: c:\documents and settings\Cad\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\encapi32.dll
c:\windows\system32\webcl32.dll
F:\autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-31 )))))))))))))))))))))))))))))))
.

2009-01-31 13:20 . 2009-01-31 13:22 45,101 --a------ c:\documents and settings\Cad\xdshd.exe
2009-01-27 20:19 . 2009-01-27 20:19 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-27 20:19 . 2009-01-27 20:19 <DIR> d-------- c:\documents and settings\Cad\Application Data\Malwarebytes
2009-01-27 20:19 . 2009-01-27 20:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-27 20:19 . 2009-01-14 16:11 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-01-27 20:19 . 2009-01-14 16:11 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-01-27 20:14 . 2009-01-27 20:14 0 --a------ c:\windows\VPC32.INI
2009-01-27 20:13 . 2009-01-27 20:13 <DIR> d-------- c:\windows\SYSTEM32\CBA
2009-01-27 20:13 . 2009-01-27 20:14 <DIR> d-------- c:\program files\Symantec
2009-01-27 20:13 . 2009-01-27 20:32 <DIR> d-------- c:\program files\NavNT
2009-01-27 20:13 . 2009-01-27 20:13 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2009-01-27 20:13 . 2009-01-27 20:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-01-27 20:13 . 2001-09-24 02:29 120,379 --a------ c:\windows\SYSTEM32\SYMEVNT.386
2009-01-27 20:13 . 2001-09-24 02:29 57,696 --a------ c:\windows\SYSTEM32\DRIVERS\SYMEVENT.SYS
2009-01-27 20:13 . 2001-09-24 02:29 36,864 --a------ c:\windows\SYSTEM32\S32EVNT1.DLL
2009-01-27 20:13 . 2001-09-24 02:29 4,032 --a------ c:\windows\SYSTEM32\SYMEVNT1.DLL
2009-01-27 20:03 . 2008-10-16 14:09 43,544 --a------ c:\windows\SYSTEM32\wups2.dll
2009-01-27 20:03 . 2008-10-16 14:09 31,768 --a------ c:\windows\SYSTEM32\wucltui.dll.mui
2009-01-27 20:03 . 2008-10-16 14:07 23,576 --a------ c:\windows\SYSTEM32\wuaucpl.cpl.mui
2009-01-27 20:03 . 2008-10-16 14:07 18,456 --a------ c:\windows\SYSTEM32\wuaueng.dll.mui
2009-01-27 19:57 . 2009-01-27 19:57 <DIR> d-------- c:\program files\Windows Defender
2009-01-27 19:55 . 2009-01-27 20:44 33,367 --a------ C:\z8g5q3d3n2s9.exe
2009-01-27 19:38 . 2009-01-27 19:39 <DIR> d-------- c:\windows\SYSTEM32\scripting
2009-01-27 19:38 . 2009-01-27 19:38 <DIR> d-------- c:\windows\SYSTEM32\en
2009-01-27 19:38 . 2009-01-27 19:38 <DIR> d-------- c:\windows\SYSTEM32\bits
2009-01-27 19:38 . 2009-01-27 19:38 <DIR> d-------- c:\windows\peernet
2009-01-27 19:38 . 2009-01-27 19:38 <DIR> d-------- c:\windows\l2schemas
2009-01-27 19:28 . 2006-12-29 00:31 19,569 --a------ c:\windows\002509_.tmp
2009-01-27 19:27 . 2007-08-10 20:46 26,488 --a------ c:\windows\SYSTEM32\spupdsvc.exe
2009-01-27 19:24 . 2009-01-27 19:24 <DIR> d-------- c:\windows\EHome
2009-01-26 20:44 . 2009-01-26 21:29 <DIR> d-------- c:\windows\BDOSCAN8
2009-01-26 20:43 . 2009-01-26 20:43 <DIR> d---s---- c:\documents and settings\Administrator\UserData
2009-01-03 05:03 . 2009-01-03 05:02 659,968 -r-hs---- c:\program files\SYSTMEM.EXE
2008-12-23 14:28 . 2008-12-23 14:28 54 --a------ c:\windows\cdplayer.ini
2008-12-22 09:38 . 2008-12-22 09:46 <DIR> d-------- c:\documents and settings\Cad\Application Data\HP
2008-12-22 09:36 . 2008-12-22 09:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP
2008-12-22 09:23 . 2008-12-22 09:23 <DIR> d-------- C:\bin
2008-12-22 09:21 . 2008-12-22 09:21 <DIR> d-------- c:\program files\Common Files\Sonic Shared
2008-12-22 09:21 . 2008-12-22 09:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sonic
2008-12-22 09:18 . 2008-12-22 09:21 <DIR> d-------- c:\program files\Common Files\HP
2008-12-22 09:16 . 2008-12-22 09:16 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
2008-12-22 09:14 . 2006-03-03 22:03 282,680 --a------ c:\windows\SYSTEM32\HPZidr12.dll
2008-12-22 09:14 . 2006-03-03 22:02 204,800 --a------ c:\windows\SYSTEM32\HPZipr12.dll
2008-12-22 09:14 . 2006-03-03 22:02 94,208 --a------ c:\windows\SYSTEM32\HPZipt12.dll
2008-12-22 09:14 . 2006-03-03 22:03 69,632 --a------ c:\windows\SYSTEM32\HPZipm12.exe
2008-12-22 09:14 . 2006-03-03 22:03 65,536 --a------ c:\windows\SYSTEM32\HPZinw12.exe
2008-12-22 09:14 . 2006-03-03 22:02 57,344 --a------ c:\windows\SYSTEM32\HPZisn12.dll
2008-12-22 09:12 . 2008-12-22 09:16 <DIR> d-------- c:\program files\HP
2008-12-22 09:10 . 2006-01-04 03:12 77,824 -ra------ c:\windows\SYSTEM32\HPZIDS01.dll
2008-12-22 09:10 . 2006-04-12 18:04 49,664 -ra------ c:\windows\SYSTEM32\DRIVERS\HPZid412.sys
2008-12-22 09:10 . 2006-04-10 15:03 38,400 --a------ c:\windows\SYSTEM32\hpz3l054.dll
2008-12-22 09:10 . 2006-04-12 18:04 16,496 -ra------ c:\windows\SYSTEM32\DRIVERS\HPZipr12.sys
2008-12-22 09:09 . 2006-04-12 18:02 827,392 -ra------ c:\windows\SYSTEM32\hpotiop2.dll
2008-12-22 09:09 . 2006-04-12 18:02 659,456 -ra------ c:\windows\SYSTEM32\hpowiax2.dll
2008-12-22 09:09 . 2006-04-12 18:04 282,624 -ra------ c:\windows\SYSTEM32\HPZc3212.dll
2008-12-22 09:09 . 2006-04-12 18:02 254,026 -ra------ c:\windows\SYSTEM32\hpovst09.dll
2008-12-22 09:09 . 2008-04-14 00:17 25,856 --a------ c:\windows\SYSTEM32\DRIVERS\usbprint.sys
2008-12-22 09:09 . 2006-04-12 18:04 21,568 -ra------ c:\windows\SYSTEM32\DRIVERS\HPZius12.sys
2008-12-22 09:09 . 2008-04-14 00:15 15,104 --a------ c:\windows\SYSTEM32\DRIVERS\usbscan.sys
2008-12-22 09:08 . 2008-12-22 09:38 117,364 --a------ c:\windows\hpoins11.dat
2008-12-22 09:08 . 2008-04-14 00:15 32,128 --a------ c:\windows\SYSTEM32\DRIVERS\usbccgp.sys
2008-12-15 12:47 . 2007-08-19 07:59 2,370,413 --a------ c:\windows\DSC_0009.JPG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-14 16:29 91,792 -c--a-w c:\documents and settings\Cad\Application Data\GDIPFONTCACHEV1.DAT
2009-01-12 18:32 --------- d-----w c:\program files\America Online 8.0
2009-01-12 18:30 --------- d-----w c:\program files\Autodesk Architectural Desktop 3
2008-12-30 14:43 --------- d-----w c:\documents and settings\Cad\Application Data\MSN6
2008-12-22 15:16 --------- d-----w c:\program files\Hewlett-Packard
2008-10-16 20:13 1,809,944 ----a-w c:\windows\SYSTEM32\wuaueng.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\SYSTEM32\wucltui.dll
2008-10-16 20:12 202,776 ----a-w c:\windows\SYSTEM32\wuweb.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\SYSTEM32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\SYSTEM32\wuauclt.exe
2008-04-14 11:42 50,688 --sh--w c:\windows\twain_32.dll
2002-08-29 10:00 161,612 --sha-r c:\windows\SYSTEM32\esdezpb.dll
2008-04-14 11:41 1,028,096 --sh--w c:\windows\SYSTEM32\mfc42.dll
2008-04-14 11:42 57,344 --sh--w c:\windows\SYSTEM32\msvcirt.dll
2008-04-14 11:42 413,696 --sha-w c:\windows\SYSTEM32\msvcp60.dll
2008-04-14 11:42 343,040 --sha-w c:\windows\SYSTEM32\msvcrt.dll
2008-04-14 11:42 551,936 --sh--w c:\windows\SYSTEM32\oleaut32.dll
2008-04-14 11:42 84,992 --sh--w c:\windows\SYSTEM32\olepro32.dll
2008-04-14 11:42 11,776 --sh--w c:\windows\SYSTEM32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP JetDiscovery "= "HPJETDSC.EXE" [2000-03-28 c:\windows\SYSTEM32\hpjetdsc.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon "= "NvQTwk" [X]
"DVDSentry "= "c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"AdaptecDirectCD "= "c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"BuildBU "= "c:\dell\bldbubg.exe" [2002-07-12 53248]
"DwlClient "= "c:\program files\Common Files\Dell\EUSW\Support.exe" [2002-12-13 225280]
"Microsoft Works Update Detection "= "c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 28672]
"Share-to-Web Namespace Daemon "= "c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"CXMon "= "c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-08-09 45056]
"MCUpdateExe "= "c:\progra~1\McAfee.com\Agent\mcupdate.exe" [2002-09-04 151552]
"Acrobat Assistant 7.0 "= "c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"TkBellExe "= "c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-04-30 151597]
"vptray "= "c:\program files\NavNT\vptray.exe" [2001-09-24 73728]
"BCMSMMSG "= "BCMSMMSG.exe" [2003-02-24 c:\windows\BCMSMMSG.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-12-05 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
--a------ 2002-09-06 17:15 192512 c:\program files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2002-09-04 09:28 151552 c:\progra~1\McAfee.com\Agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2003-04-30 16:36 151597 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
--a--c--- 2002-10-04 14:09 139264 c:\program files\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify "=dword:00000001
"AntiVirusDisableNotify "=dword:00000001
"AntiVirusOverride "=dword:00000001
"FirewallOverride "=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe "=
"%windir%\\system32\\sessmgr.exe "=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6926:TCP "= 6926:TCP:mglkq

R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 NaiFiltr;NaiFiltr;c:\windows\SYSTEM32\DRIVERS\NaiFiltr.sys [2003-04-30 23296]
S4 ptlpw;Monitor Network;c:\windows\system32\svchost.exe -k netsvcs [2002-08-29 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ptlpw

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{23KLN5J0-4OPM-11WE-AAX5-24EF1F387232}]
c:\recycler\k-1-3542-4232123213-7676767-8888886\root.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-31 c:\windows\Tasks\McAfee.com Update Check (D4SWGR21-Administrator).job
- c:\progra~1\McAfee.com\Agent\mcupdate.exe [2002-09-04 09:28]

2009-01-31 c:\windows\Tasks\McAfee.com Update Check (D4SWGR21-Administrator).job
- c:\progra~1\McAfee.com\Agent [2004-11-18 14:09]

2009-01-31 c:\windows\Tasks\McAfee.com Update Check (DEL7-Cad).job
- c:\progra~1\McAfee.com\Agent\mcupdate.exe [2002-09-04 09:28]

2009-01-31 c:\windows\Tasks\McAfee.com Update Check (DEL7-Cad).job
- c:\progra~1\McAfee.com\Agent [2004-11-18 14:09]

2009-01-31 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-POINTER - point32.exe
MSConfigStartUp-ConMgr - c:\program files\EarthLink 5.0\conmgr.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.dellnet.com
uInternet Connection Wizard,ShellNext = hxxp://www.mcafee.com/myaccount/default.asp?area=myaccount&oemid=1790-642
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
Trusted Zone: microsoft.com\www
Trusted Zone: symantec.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-31 13:27:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???????X:??????x???????X???????????????P???? ?w? ?w)??p????????(???s????U?w????????????0??????w, ?w?M?wW??w???w)??p????????x'@?????????X???????? "@?e?????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ptlpw]
"ServiceDll "= "c:\windows\System32\esdezpb.dll "
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\windows\system32\NavLogon.dll
.
Completion time: 2009-01-31 13:31:27
ComboFix-quarantined-files.txt 2009-01-31 19:30:24

Pre-Run: 42,651,054,080 bytes free
Post-Run: 42,649,886,720 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS= "Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

215

 

Please upload the following files to my submission channel for analysis. Leave a link back to this topic.

c:\documents and settings\Cad\xdshd.exe
C:\z8g5q3d3n2s9.exe
c:\program files\SYSTMEM.EXE

Thanks!

 

xdshd.exe & z8g5q3d3n2s9.exe uploaded.

systmem.exe file not found. Did a search...no such file.

Please let me know what steps I need to take to restore access to AV/security websites.

Thanks.

 

Files received, thank you. Please highlight and copy the bolded command below.

attrib -r -h -s "c:\program files\SYSTMEM.EXE "

Now click Start>Run and type cmd then hit Enter to open a command window.
Right click in the command window and select paste, then hit Enter to execute the command.
Close the command window, then try uploading the systmem.exe file again.

 

systmem.exe uploaded.

Awaiting the next step.

Thanks.

 

Thanks! All three are infected.

Once again, disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

Filename: CFScript.txt
Save As Type: All Files (*.*)

Code:

http://www.windowsbbs.com/malware-virus-removal/80965-active-av-sites-blocked-no-task-mgr-regedit.html#post441749
Collect::
c:\documents and settings\Cad\xdshd.exe
C:\z8g5q3d3n2s9.exe
c:\program files\SYSTMEM.EXE
c:\windows\System32\esdezpb.dll
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
 "6926:TCP "=-
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{23KLN5J0-4OPM-11WE-AAX5-24EF1F387232}]
NetSvcs::
ptlpw
Driver::
ptlpw

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log here.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

**NOTE - Allow ComboFix to update if prompted.

Please note that I have instructed CFScript to collect some files. This means that when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created. The zip contains the aforementioned files. If the upload fails you will be be presented with instructions for uploading it manually. Please do so and let me know the results. This will assist the author in adding the files for removal in future updates. Thanks!

 

Did not remember if I was supposed to allow ComboFix to update after I drug the txt file over, so I checked no. I didn't print the instructions you had given out and I didn't want to start an IE window to double check what my response was supposed to be with ComboFix running. Let me know if I need to re-run ComboFix.

Log file as requested:

ComboFix 09-01-31.01 - Cad 2009-02-04 19:34:56.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.293 [GMT -6:00]
Running from: c:\documents and settings\Cad\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Cad\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\SYSTMEM.EXE
c:\windows\System32\esdezpb.dll
C:\z8g5q3d3n2s9.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PTLPW
-------\Service_ptlpw


((((((((((((((((((((((((( Files Created from 2009-01-05 to 2009-02-05 )))))))))))))))))))))))))))))))
.

2009-02-04 19:32 . 2009-02-04 19:32 45,101 --a------ c:\windows\x6cdshd.exe
2009-02-04 19:30 . 2009-02-04 19:30 45,101 --a------ c:\windows\xrdshd.exe
2009-02-03 19:36 . 2009-02-03 19:36 41,005 --a------ c:\windows\xcdshd.exe
2009-01-31 13:20 . 2009-02-03 19:34 41,005 --a------ c:\windows\xdshd.exe
2009-01-27 20:19 . 2009-01-27 20:19 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-27 20:19 . 2009-01-27 20:19 <DIR> d-------- c:\documents and settings\Cad\Application Data\Malwarebytes
2009-01-27 20:19 . 2009-01-27 20:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-27 20:19 . 2009-01-14 16:11 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-01-27 20:19 . 2009-01-14 16:11 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-01-27 20:14 . 2009-01-27 20:14 0 --a------ c:\windows\VPC32.INI
2009-01-27 20:13 . 2009-01-27 20:13 <DIR> d-------- c:\windows\SYSTEM32\CBA
2009-01-27 20:13 . 2009-01-27 20:14 <DIR> d-------- c:\program files\Symantec
2009-01-27 20:13 . 2009-01-27 20:32 <DIR> d-------- c:\program files\NavNT
2009-01-27 20:13 . 2009-01-27 20:13 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2009-01-27 20:13 . 2009-01-27 20:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-01-27 20:13 . 2001-09-24 02:29 120,379 --a------ c:\windows\SYSTEM32\SYMEVNT.386
2009-01-27 20:13 . 2001-09-24 02:29 57,696 --a------ c:\windows\SYSTEM32\DRIVERS\SYMEVENT.SYS
2009-01-27 20:13 . 2001-09-24 02:29 36,864 --a------ c:\windows\SYSTEM32\S32EVNT1.DLL
2009-01-27 20:13 . 2001-09-24 02:29 4,032 --a------ c:\windows\SYSTEM32\SYMEVNT1.DLL
2009-01-27 20:03 . 2008-10-16 14:09 43,544 --a------ c:\windows\SYSTEM32\wups2.dll
2009-01-27 20:03 . 2008-10-16 14:09 31,768 --a------ c:\windows\SYSTEM32\wucltui.dll.mui
2009-01-27 20:03 . 2008-10-16 14:07 23,576 --a------ c:\windows\SYSTEM32\wuaucpl.cpl.mui
2009-01-27 20:03 . 2008-10-16 14:07 23,576 --a------ c:\windows\SYSTEM32\wuapi.dll.mui
2009-01-27 20:03 . 2008-10-16 14:07 18,456 --a------ c:\windows\SYSTEM32\wuaueng.dll.mui
2009-01-27 19:57 . 2009-01-27 19:57 <DIR> d-------- c:\program files\Windows Defender
2009-01-27 19:38 . 2009-01-27 19:39 <DIR> d-------- c:\windows\SYSTEM32\scripting
2009-01-27 19:38 . 2009-01-27 19:38 <DIR> d-------- c:\windows\SYSTEM32\en
2009-01-27 19:38 . 2009-01-27 19:38 <DIR> d-------- c:\windows\SYSTEM32\bits
2009-01-27 19:38 . 2009-01-27 19:38 <DIR> d-------- c:\windows\peernet
2009-01-27 19:38 . 2009-01-27 19:38 <DIR> d-------- c:\windows\l2schemas
2009-01-27 19:28 . 2006-12-29 00:31 19,569 --a------ c:\windows\002509_.tmp
2009-01-27 19:27 . 2007-08-10 20:46 26,488 --a------ c:\windows\SYSTEM32\spupdsvc.exe
2009-01-27 19:24 . 2009-01-27 19:24 <DIR> d-------- c:\windows\EHome
2009-01-26 20:44 . 2009-01-26 21:29 <DIR> d-------- c:\windows\BDOSCAN8
2009-01-26 20:43 . 2009-01-26 20:43 <DIR> d---s---- c:\documents and settings\Administrator\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-14 16:29 91,792 -c--a-w c:\documents and settings\Cad\Application Data\GDIPFONTCACHEV1.DAT
2009-01-12 18:32 --------- d-----w c:\program files\America Online 8.0
2009-01-12 18:30 --------- d-----w c:\program files\Autodesk Architectural Desktop 3
2008-12-30 14:43 --------- d-----w c:\documents and settings\Cad\Application Data\MSN6
2008-12-22 15:46 --------- d-----w c:\documents and settings\Cad\Application Data\HP
2008-12-22 15:36 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2008-12-22 15:21 --------- d-----w c:\program files\Common Files\Sonic Shared
2008-12-22 15:21 --------- d-----w c:\program files\Common Files\HP
2008-12-22 15:21 --------- d-----w c:\documents and settings\All Users\Application Data\Sonic
2008-12-22 15:16 --------- d-----w c:\program files\HP
2008-12-22 15:16 --------- d-----w c:\program files\Hewlett-Packard
2008-12-22 15:16 --------- d-----w c:\program files\Common Files\Hewlett-Packard
2008-04-14 11:42 50,688 --sh--w c:\windows\twain_32.dll
2008-04-14 11:41 1,028,096 --sh--w c:\windows\SYSTEM32\mfc42.dll
2008-04-14 11:42 57,344 --sh--w c:\windows\SYSTEM32\msvcirt.dll
2008-04-14 11:42 413,696 --sha-w c:\windows\SYSTEM32\msvcp60.dll
2008-04-14 11:42 343,040 --sha-w c:\windows\SYSTEM32\msvcrt.dll
2008-04-14 11:42 551,936 --sh--w c:\windows\SYSTEM32\oleaut32.dll
2008-04-14 11:42 84,992 --sh--w c:\windows\SYSTEM32\olepro32.dll
2008-04-14 11:42 11,776 --sh--w c:\windows\SYSTEM32\regsvr32.exe
.

((((((((((((((((((((((((((((( snapshot@2009-01-31_13.28.49.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 02:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2008-10-16 20:12:20 561,688 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuapi.dll
+ 2008-10-16 20:08:58 34,328 ----a-w c:\windows\SYSTEM32\DLLCACHE\wups.dll
- 2009-01-28 03:17:58 3,103 ----a-w c:\windows\SYSTEM32\HPANT.DAT
+ 2009-02-05 01:38:08 3,103 ----a-w c:\windows\SYSTEM32\HPANT.DAT
- 2008-04-14 11:42:12 430,592 ------w c:\windows\SYSTEM32\wuapi.dll
+ 2008-10-16 20:12:20 561,688 ----a-w c:\windows\SYSTEM32\wuapi.dll
- 2008-04-14 11:42:12 32,256 ------w c:\windows\SYSTEM32\wups.dll
+ 2008-10-16 20:08:58 34,328 ----a-w c:\windows\SYSTEM32\wups.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP JetDiscovery "= "HPJETDSC.EXE" [2000-03-28 c:\windows\SYSTEM32\hpjetdsc.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon "= "NvQTwk" [X]
"DVDSentry "= "c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"AdaptecDirectCD "= "c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"BuildBU "= "c:\dell\bldbubg.exe" [2002-07-12 53248]
"DwlClient "= "c:\program files\Common Files\Dell\EUSW\Support.exe" [2002-12-13 225280]
"Microsoft Works Update Detection "= "c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 28672]
"Share-to-Web Namespace Daemon "= "c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"CXMon "= "c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-08-09 45056]
"MCUpdateExe "= "c:\progra~1\McAfee.com\Agent\mcupdate.exe" [2002-09-04 151552]
"Acrobat Assistant 7.0 "= "c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"TkBellExe "= "c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-04-30 151597]
"vptray "= "c:\program files\NavNT\vptray.exe" [2001-09-24 73728]
"BCMSMMSG "= "BCMSMMSG.exe" [2003-02-24 c:\windows\BCMSMMSG.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-12-05 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
--a------ 2002-09-06 17:15 192512 c:\program files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2002-09-04 09:28 151552 c:\progra~1\McAfee.com\Agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2003-04-30 16:36 151597 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
--a--c--- 2002-10-04 14:09 139264 c:\program files\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify "=dword:00000001
"AntiVirusDisableNotify "=dword:00000001
"AntiVirusOverride "=dword:00000001
"FirewallOverride "=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe "=
"%windir%\\system32\\sessmgr.exe "=

R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 NaiFiltr;NaiFiltr;c:\windows\SYSTEM32\DRIVERS\NaiFiltr.sys [2003-04-30 23296]
.
Contents of the 'Scheduled Tasks' folder

2009-02-05 c:\windows\Tasks\McAfee.com Update Check (D4SWGR21-Administrator).job
- c:\progra~1\McAfee.com\Agent\mcupdate.exe [2002-09-04 09:28]

2009-02-05 c:\windows\Tasks\McAfee.com Update Check (D4SWGR21-Administrator).job
- c:\progra~1\McAfee.com\Agent [2004-11-18 14:09]

2009-02-05 c:\windows\Tasks\McAfee.com Update Check (DEL7-Cad).job
- c:\progra~1\McAfee.com\Agent\mcupdate.exe [2002-09-04 09:28]

2009-02-05 c:\windows\Tasks\McAfee.com Update Check (DEL7-Cad).job
- c:\progra~1\McAfee.com\Agent [2004-11-18 14:09]

2009-02-05 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.dellnet.com
uInternet Connection Wizard,ShellNext = hxxp://www.mcafee.com/myaccount/default.asp?area=myaccount&oemid=1790-642
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
Trusted Zone: microsoft.com\www
Trusted Zone: symantec.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-04 19:39:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???????X:??????x???????X???????????????P???? ?w? ?w)??p????????(???s????U?w????????????0??????w, ?w?M?wW??w???w)??p????????x'@?????????X???????? "@?e?????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\windows\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\NavNT\defwatch.exe
c:\program files\NavNT\rtvscan.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\wanmpsvc.exe
c:\windows\SYSTEM32\MSGSYS.EXE
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-02-04 19:45:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-05 01:45:02
ComboFix2.txt 2009-01-31 19:31:28

Pre-Run: 42,638,336,000 bytes free
Post-Run: 42,565,816,320 bytes free

200

 

Please delete the ComboFix.exe file you currently have and download a fresh copy from here, saving it to your desktop.

Once again, disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

Filename: CFScript.txt
Save As Type: All Files (*.*)

Code:

File::
c:\windows\x6cdshd.exe
c:\windows\xrdshd.exe
c:\windows\xcdshd.exe
c:\windows\xdshd.exe

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

 

Log file as requested.


ComboFix 09-02-10.01 - Cad 2009-02-10 19:18:14.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.294 [GMT -6:00]
Running from: c:\documents and settings\Cad\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Cad\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\x6cdshd.exe
c:\windows\xcdshd.exe
c:\windows\xdshd.exe
c:\windows\xrdshd.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\x6cdshd.exe
c:\windows\xcdshd.exe
c:\windows\xdshd.exe
c:\windows\xrdshd.exe

.
((((((((((((((((((((((((( Files Created from 2009-01-11 to 2009-02-11 )))))))))))))))))))))))))))))))
.

2009-01-27 20:19 . 2009-01-27 20:19 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-27 20:19 . 2009-01-27 20:19 <DIR> d-------- c:\documents and settings\Cad\Application Data\Malwarebytes
2009-01-27 20:19 . 2009-01-27 20:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-27 20:19 . 2009-01-14 16:11 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-01-27 20:19 . 2009-01-14 16:11 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-01-27 20:14 . 2009-01-27 20:14 0 --a------ c:\windows\VPC32.INI
2009-01-27 20:13 . 2009-01-27 20:13 <DIR> d-------- c:\windows\SYSTEM32\CBA
2009-01-27 20:13 . 2009-01-27 20:14 <DIR> d-------- c:\program files\Symantec
2009-01-27 20:13 . 2009-01-27 20:32 <DIR> d-------- c:\program files\NavNT
2009-01-27 20:13 . 2009-01-27 20:13 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2009-01-27 20:13 . 2009-01-27 20:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-01-27 20:13 . 2001-09-24 02:29 120,379 --a------ c:\windows\SYSTEM32\SYMEVNT.386
2009-01-27 20:13 . 2001-09-24 02:29 57,696 --a------ c:\windows\SYSTEM32\DRIVERS\SYMEVENT.SYS
2009-01-27 20:13 . 2001-09-24 02:29 36,864 --a------ c:\windows\SYSTEM32\S32EVNT1.DLL
2009-01-27 20:13 . 2001-09-24 02:29 4,032 --a------ c:\windows\SYSTEM32\SYMEVNT1.DLL
2009-01-27 20:03 . 2008-10-16 14:09 43,544 --a------ c:\windows\SYSTEM32\wups2.dll
2009-01-27 20:03 . 2008-10-16 14:09 31,768 --a------ c:\windows\SYSTEM32\wucltui.dll.mui
2009-01-27 20:03 . 2008-10-16 14:07 23,576 --a------ c:\windows\SYSTEM32\wuaucpl.cpl.mui
2009-01-27 20:03 . 2008-10-16 14:07 23,576 --a------ c:\windows\SYSTEM32\wuapi.dll.mui
2009-01-27 20:03 . 2008-10-16 14:07 18,456 --a------ c:\windows\SYSTEM32\wuaueng.dll.mui
2009-01-27 19:57 . 2009-01-27 19:57 <DIR> d-------- c:\program files\Windows Defender
2009-01-27 19:38 . 2009-01-27 19:39 <DIR> d-------- c:\windows\SYSTEM32\scripting
2009-01-27 19:38 . 2009-01-27 19:38 <DIR> d-------- c:\windows\SYSTEM32\en
2009-01-27 19:38 . 2009-01-27 19:38 <DIR> d-------- c:\windows\SYSTEM32\bits
2009-01-27 19:38 . 2009-01-27 19:38 <DIR> d-------- c:\windows\peernet
2009-01-27 19:38 . 2009-01-27 19:38 <DIR> d-------- c:\windows\l2schemas
2009-01-27 19:28 . 2006-12-29 00:31 19,569 --a------ c:\windows\002509_.tmp
2009-01-27 19:27 . 2007-08-10 20:46 26,488 --a------ c:\windows\SYSTEM32\spupdsvc.exe
2009-01-27 19:24 . 2009-01-27 19:24 <DIR> d-------- c:\windows\EHome
2009-01-26 20:44 . 2009-01-26 21:29 <DIR> d-------- c:\windows\BDOSCAN8
2009-01-26 20:43 . 2009-01-26 20:43 <DIR> d---s---- c:\documents and settings\Administrator\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-14 16:29 91,792 -c--a-w c:\documents and settings\Cad\Application Data\GDIPFONTCACHEV1.DAT
2009-01-12 18:32 --------- d-----w c:\program files\America Online 8.0
2009-01-12 18:30 --------- d-----w c:\program files\Autodesk Architectural Desktop 3
2008-12-30 14:43 --------- d-----w c:\documents and settings\Cad\Application Data\MSN6
2008-12-22 15:46 --------- d-----w c:\documents and settings\Cad\Application Data\HP
2008-12-22 15:36 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2008-12-22 15:21 --------- d-----w c:\program files\Common Files\Sonic Shared
2008-12-22 15:21 --------- d-----w c:\program files\Common Files\HP
2008-12-22 15:21 --------- d-----w c:\documents and settings\All Users\Application Data\Sonic
2008-12-22 15:16 --------- d-----w c:\program files\HP
2008-12-22 15:16 --------- d-----w c:\program files\Hewlett-Packard
2008-12-22 15:16 --------- d-----w c:\program files\Common Files\Hewlett-Packard
2008-04-14 11:42 50,688 --sh--w c:\windows\twain_32.dll
2008-04-14 11:41 1,028,096 --sh--w c:\windows\SYSTEM32\mfc42.dll
2008-04-14 11:42 57,344 --sh--w c:\windows\SYSTEM32\msvcirt.dll
2008-04-14 11:42 413,696 --sha-w c:\windows\SYSTEM32\msvcp60.dll
2008-04-14 11:42 343,040 --sha-w c:\windows\SYSTEM32\msvcrt.dll
2008-04-14 11:42 551,936 --sh--w c:\windows\SYSTEM32\oleaut32.dll
2008-04-14 11:42 84,992 --sh--w c:\windows\SYSTEM32\olepro32.dll
2008-04-14 11:42 11,776 --sh--w c:\windows\SYSTEM32\regsvr32.exe
.

((((((((((((((((((((((((((((( snapshot@2009-01-31_13.28.49.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 02:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2000-08-31 14:00:00 286,720 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 14:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2008-10-16 20:12:20 561,688 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuapi.dll
+ 2008-10-16 20:08:58 34,328 ----a-w c:\windows\SYSTEM32\DLLCACHE\wups.dll
- 2009-01-28 03:17:58 3,103 ----a-w c:\windows\SYSTEM32\HPANT.DAT
+ 2009-02-05 01:53:46 3,103 ----a-w c:\windows\SYSTEM32\HPANT.DAT
- 2008-04-14 11:42:12 430,592 ------w c:\windows\SYSTEM32\wuapi.dll
+ 2008-10-16 20:12:20 561,688 ----a-w c:\windows\SYSTEM32\wuapi.dll
- 2008-04-14 11:42:12 32,256 ------w c:\windows\SYSTEM32\wups.dll
+ 2008-10-16 20:08:58 34,328 ----a-w c:\windows\SYSTEM32\wups.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP JetDiscovery "= "HPJETDSC.EXE" [2000-03-28 c:\windows\SYSTEM32\hpjetdsc.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon "= "NvQTwk" [X]
"DVDSentry "= "c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"AdaptecDirectCD "= "c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"BuildBU "= "c:\dell\bldbubg.exe" [2002-07-12 53248]
"DwlClient "= "c:\program files\Common Files\Dell\EUSW\Support.exe" [2002-12-13 225280]
"Microsoft Works Update Detection "= "c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 28672]
"Share-to-Web Namespace Daemon "= "c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"CXMon "= "c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-08-09 45056]
"MCUpdateExe "= "c:\progra~1\McAfee.com\Agent\mcupdate.exe" [2002-09-04 151552]
"Acrobat Assistant 7.0 "= "c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"TkBellExe "= "c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-04-30 151597]
"vptray "= "c:\program files\NavNT\vptray.exe" [2001-09-24 73728]
"BCMSMMSG "= "BCMSMMSG.exe" [2003-02-24 c:\windows\BCMSMMSG.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-12-05 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
--a------ 2002-09-06 17:15 192512 c:\program files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2002-09-04 09:28 151552 c:\progra~1\McAfee.com\Agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2003-04-30 16:36 151597 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
--a--c--- 2002-10-04 14:09 139264 c:\program files\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify "=dword:00000001
"AntiVirusDisableNotify "=dword:00000001
"AntiVirusOverride "=dword:00000001
"FirewallOverride "=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe "=
"%windir%\\system32\\sessmgr.exe "=

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 NaiFiltr;NaiFiltr;c:\windows\SYSTEM32\DRIVERS\NaiFiltr.sys [2003-04-30 23296]
.
Contents of the 'Scheduled Tasks' folder

2009-02-11 c:\windows\Tasks\McAfee.com Update Check (D4SWGR21-Administrator).job
- c:\progra~1\McAfee.com\Agent\mcupdate.exe [2002-09-04 09:28]

2009-02-11 c:\windows\Tasks\McAfee.com Update Check (D4SWGR21-Administrator).job
- c:\progra~1\McAfee.com\Agent [2004-11-18 14:09]

2009-02-11 c:\windows\Tasks\McAfee.com Update Check (DEL7-Cad).job
- c:\progra~1\McAfee.com\Agent\mcupdate.exe [2002-09-04 09:28]

2009-02-11 c:\windows\Tasks\McAfee.com Update Check (DEL7-Cad).job
- c:\progra~1\McAfee.com\Agent [2004-11-18 14:09]

2009-02-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.dellnet.com
uInternet Connection Wizard,ShellNext = hxxp://www.mcafee.com/myaccount/default.asp?area=myaccount&oemid=1790-642
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
Trusted Zone: microsoft.com\www
Trusted Zone: symantec.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-10 19:21:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???????X:??????x???????X???????????????P???? ?w? ?w)??p????????(???s????U?w????????????0??????w, ?w?M?wW??w???w)??p????????x'@?????????X???????? "@?e?????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\windows\system32\NavLogon.dll
.
Completion time: 2009-02-10 19:24:14
ComboFix-quarantined-files.txt 2009-02-11 01:23:09
ComboFix2.txt 2009-02-05 01:45:40
ComboFix3.txt 2009-01-31 19:31:28

Pre-Run: 42,546,884,608 bytes free
Post-Run: 42,534,551,552 bytes free

189

 

Looks good. Lets see if we've missed anything. Please do an online scan with Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.

• Click Run at the Security prompt.
• The program will then begin downloading and installing and will also update the database.
• Please be patient as this can take several minutes.
• Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Click View scan report at the bottom.
• Click the Save Report As... button.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

**Note**

To optimize scanning time and produce a more sensible report for review:

• Close any open programs.
• Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Post the Kaspersky log here.
Let me know if any problems persist.

 

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, February 11, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, February 11, 2009 23:44:40
Records in database: 1784406
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 63709
Threat name: 19
Infected objects: 43
Suspicious objects: 0
Duration of the scan: 01:22:25


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\x6cdshd.exe.vir Infected: Backdoor.Win32.Bifrose.alvm 1
C:\Qoobox\Quarantine\C\WINDOWS\xcdshd.exe.vir Infected: Backdoor.Win32.Bifrose.alvm 1
C:\Qoobox\Quarantine\C\WINDOWS\xdshd.exe.vir Infected: Backdoor.Win32.Bifrose.alvm 1
C:\Qoobox\Quarantine\C\WINDOWS\xrdshd.exe.vir Infected: Backdoor.Win32.Bifrose.alvm 1
C:\Qoobox\Quarantine\[4]-Submit_2009-02-04@19.34.zip Infected: Backdoor.Win32.SdBot.jdh 1
C:\Qoobox\Quarantine\[4]-Submit_2009-02-04@19.34.zip Infected: Net-Worm.Win32.Kido.em 1
C:\Qoobox\Quarantine\[4]-Submit_2009-02-04@19.34.zip Infected: Backdoor.Win32.Poison.rgj 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001775.exe Infected: Trojan.Win32.Qhost.kzn 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001776.exe Infected: Trojan.Win32.Inject.nfi 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001777.exe Infected: Trojan.Win32.Agent.bfno 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001778.exe Infected: Backdoor.Win32.SdBot.jly 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001779.exe Infected: Backdoor.Win32.SdBot.jtm 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001780.exe Infected: Backdoor.Win32.SdBot.jqo 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001782.exe Infected: Trojan.Win32.Inject.nfi 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001783.exe Infected: Trojan.Win32.Inject.nfi 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001784.exe Infected: Trojan.Win32.Inject.nfi 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001785.exe Infected: Trojan.Win32.Buzus.aejq 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001786.exe Infected: Trojan.Win32.Inject.nfi 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001787.exe Infected: Backdoor.Win32.VanBot.oj 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001788.exe Infected: Trojan.Win32.Inject.nfi 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001789.exe Infected: Backdoor.Win32.IRCBot.xt 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001790.exe Infected: Trojan.Win32.Buzus.aejq 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001791.exe Infected: Trojan.Win32.Buzus.aejq 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001792.exe Infected: Trojan.Win32.Inject.nfi 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001793.exe Infected: Trojan.Win32.Inject.nfi 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001794.exe Infected: Backdoor.Win32.Rbot.rgk 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001795.exe Infected: Trojan.Win32.Inject.nfi 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001796.exe Infected: Trojan.Win32.Inject.nfi 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001797.exe Infected: P2P-Worm.Win32.Agent.mo 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001798.exe Infected: Trojan-Dropper.Win32.VB.imc 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001799.exe Infected: Backdoor.Win32.SdBot.joq 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001800.exe Infected: P2P-Worm.Win32.Agent.mo 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP24\A0004574.exe Infected: Backdoor.Win32.Poison.rgj 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP25\A0004594.exe Infected: Backdoor.Win32.Poison.rgj 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP26\A0004674.exe Infected: Trojan.Win32.VB.jke 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP26\A0004765.exe Infected: Trojan.Win32.VB.jke 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP26\A0004777.exe Infected: Trojan.Win32.VB.jke 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP26\A0004789.exe Infected: Trojan.Win32.VB.jke 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP27\A0004837.exe Infected: Worm.Win32.AutoRun.ewp 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP28\A0004901.exe Infected: Backdoor.Win32.Bifrose.alvm 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP28\A0004902.exe Infected: Backdoor.Win32.Bifrose.alvm 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP28\A0004903.exe Infected: Backdoor.Win32.Bifrose.alvm 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP28\A0004904.exe Infected: Backdoor.Win32.Bifrose.alvm 1

The selected area was scanned.

 

Looks great! Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing any infected files there as well.
Verify the C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file.

Delete dds.com from the desktop.
You can delete any other logs that were created/saved too.
Empty the recycle bin when done.

That should finish things up.

 

Got it. Thanks for all your help.

 

You're welcome. Glad I could help. Geri has posted some very helpful information and recommendations regarding future protection in the following link.

http://www.windowsbbs.com/showthread.php?t=67958

Surf safe!