
[Active] I think my PC has been Hijacked-Random Shutdown?

Discussion in 'Malware and Virus Removal Archive' started by E2040, 2009/02/23.

  1. 2009/02/23
    E2040 (Thread Starter)
    [Active] I think my PC has been Hijacked-Random Shutdown?

    Hi everyone,
    I'm new to this forum so 'hello to all'... Not too long ago I downloaded some music, and ever since then my computer has been shutting down on me sort of randomly. I hear constant pop/clicking in the background while I am viewing different internet pages. I have Malwarebytes, Spybot Search & Destroy, Ad-Aware SE, HaxFix, and Norton AntiVirus. I've run them all. Malwarebytes cleaned out 18 infected files in my local registry from Popcap, MyWeb, etc., to no avail. However, whether on the net or not, my computer shuts down. I don't believe it is an overheating issue because before I downloaded the music my computer ran fine all day. It has no dust, I checked. Also the shut-off seems to be more frequent at a certain time of the evening. When I am shopping online or on the net it is fine. Case in point: I was on the PC all day from 3p-11p, nothing. But as soon as I begin watching a movie or am not online shopping (i.e. typing in a Word doc) it shuts down. I always hear clicking in the background, like someone popping/clicking a mouse, before it comes. I've run all I could think of and I don't know what else to do. I appreciate any assistance in this area. Also, I received a weird dialog message about a program having to close, and a new icon (AOL) showed up on my desktop today. I've downloaded nothing since the shutdown problem started, which has lasted for days now, mostly only in the evenings. OK, below you will find my 2 logs from DDS, as the site suggests I post them for diagnosis. I've already run Malwarebytes and HaxFix and have their logs on file should someone need to see them, but for now here are DDS.txt and Attach.txt:
    DDS:

    DDS (Ver_09-02-01.01) - NTFSx86
    Run by Owner at 15:55:28.95 on Mon 02/23/2009
    Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.606.80 [GMT -8:00]

    AV: Norton AntiVirus *On-access scanning enabled* (Updated)
    FW: Norton AntiVirus *enabled*

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
    C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
    C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Documents and Settings\Owner\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.yahoo.com/
    uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
    uWindow Title = Microsoft Internet Explorer
    uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uDefault_Search_URL = hxxp://www.google.com/ie
    mDefault_Search_URL = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    mSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
    mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = 127.0.0.1;*.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    mSearchAssistant = hxxp://www.google.com/ie
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    uURLSearchHooks: H - No File
    BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
    BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
    TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
    TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
    TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
    TB: {F5735C15-1FB2-41FE-BA12-242757E69DDE} - No File
    TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
    uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
    uRun: [Veoh] "c:\program files\veoh networks\veoh\VeohClient.exe" /VeohHide
    uRun: [<NO NAME>]
    uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
    uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe "
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [ccApp] c:\program files\common files\symantec shared\ccApp.exe
    mRun: [HostManager] c:\program files\common files\aol\1188570643\ee\AOLSoftware.exe
    mRun: [LXCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCCtime.dll,_RunDLLEntry@16
    dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
    StartupFolder: c:\documents and settings\owner\start menu\programs\startup\PowerReg Scheduler.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\at&tse~1.lnk - c:\program files\sbc self support tool\bin\matcli.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launch~1.lnk - c:\windows\installer\{d8e363a7-88b7-446d-b2c0-e26ce4dc8e54}\_294823.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ymetray.lnk - c:\program files\yahoo!\yahoo! music jukebox\ymetray.exe
    IE: &Search - ?p=ZJman000
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    DPF: Yahoo! Dominoes - hxxp://download2.games.yahoo.com/games/clients/y/dot9_x.cab
    DPF: Yahoo! Literati - hxxp://download2.games.yahoo.com/games/clients/y/tt5_x.cab
    DPF: Yahoo! Spades - hxxp://download2.games.yahoo.com/games/clients/y/st3_x.cab
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - c:\program files\design science\mathplayer\MathMLMimer.dll
    Filter: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - c:\program files\design science\mathplayer\MathMLMimer.dll
    Filter: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - c:\program files\design science\mathplayer\MathMLMimer.dll
    Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - c:\program files\design science\mathplayer\MathMLMimer.dll
    Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - c:\program files\design science\mathplayer\MathMLMimer.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\4xpq6p92.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\4xpq6p92.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPSFDMGR.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPStreamPlug.dll
    FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
    FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
    FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll

    ============= SERVICES / DRIVERS ===============

    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-24 149352]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-24 149352]
    R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-24 149352]
    R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-3-8 1251720]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-1-9 99376]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090222.003\NAVENG.SYS [2009-2-22 89104]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090222.003\NAVEX15.SYS [2009-2-22 876144]
    S2 Ca533av;Icatch(IV) Video Camera Device;c:\windows\system32\drivers\Ca533av.sys [2006-3-18 515803]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-5-29 23888]
    S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-9-21 33752]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-2-23 38496]
    S3 USBCamera;Icatch(IV) Still Camera Device;c:\windows\system32\drivers\Bulk533.sys [2006-3-18 10986]

    =============== Created Last 30 ================

    2009-02-23 15:35 127 a------- c:\windows\_delis43.ini
    2009-02-23 15:34 106 a------- c:\windows\MSREGUSR.INI
    2009-02-23 15:33 <DIR> --d----- c:\program files\Broderbund
    2009-02-23 15:33 5,607 a------- c:\windows\~GLH0000.TMP
    2009-02-23 15:32 128,720 a------- c:\windows\~GLC0000.TMP
    2009-02-23 02:18 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
    2009-02-23 02:17 15,504 a------- c:\windows\system32\drivers\mbam.sys
    2009-02-23 02:17 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-02-23 02:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-02-23 02:17 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-02-23 01:57 512,782 ac------ C:\HaxFix.exe
    2009-02-22 15:00 <DIR> -cd----- C:\HaxFix
    2009-02-19 20:50 22,218,761 ac------ C:\Disney-Pixar - 2007 ratatouille.avi.3GP
    2009-02-19 20:49 6,997,903 ac------ C:\TransformersEnergonCybertronCity13.flv.3gp.3GP
    2009-02-19 20:48 9,482,453 ac------ C:\TomandJerryCartoonEp.4FraidyCat.flv.3gp.3GP
    2009-02-19 20:47 11,079 ac------ C:\That Girl.wmv.3gp.3GP
    2009-02-19 20:46 4,289,403 ac------ C:\Sean Paul - Temperature.3gp.3GP
    2009-02-15 10:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Disney Interactive
    2009-02-07 00:48 719,872 a------- c:\windows\system32\devil.dll
    2009-02-07 00:48 318,976 a------- c:\windows\system32\avisynth.dll
    2009-02-07 00:48 70,656 a------- c:\windows\system32\yv12vfw.dll
    2009-02-07 00:48 27,648 a------- c:\windows\system32\AVSredirect.dll
    2009-02-07 00:48 70,656 a------- c:\windows\system32\i420vfw.dll
    2009-02-07 00:48 <DIR> --d----- c:\program files\AviSynth 2.5
    2009-02-07 00:44 123,904 ---shr-- c:\windows\system32\AVCDX.ax
    2009-02-07 00:44 227,328 ---shr-- c:\windows\system32\ac3DX.ax
    2009-02-07 00:44 81,920 ---shr-- c:\windows\system32\aac_parser.ax
    2009-02-07 00:43 <DIR> --d----- c:\program files\eRightSoft
    2009-02-05 20:41 <DIR> --d----- c:\windows\SxsCaPendDel
    2009-02-05 15:00 <DIR> --d----- c:\windows\system32\XPSViewer
    2009-02-05 14:57 14,048 -------- c:\windows\system32\spmsg2.dll
    2009-02-02 21:20 323 a------- c:\windows\wininit.ini
    2009-01-31 23:12 14,968,808 a------- c:\program files\spybotsd160.exe
    2009-01-31 23:12 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
    2009-01-31 23:12 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
    2009-01-31 23:12 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
    2009-01-31 23:12 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)

    ==================== Find3M ====================

    2009-01-08 16:25 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
    2009-01-08 16:25 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
    2009-01-08 16:25 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
    2009-01-08 16:25 60,808 a------- c:\windows\system32\S32EVNT1.DLL
    2008-12-20 15:15 826,368 a------- c:\windows\system32\wininet.dll
    2008-12-18 22:45 737,280 a------- c:\windows\iun6002.exe
    2008-06-25 20:09 1,427,520 a------- c:\program files\Silverlight.exe
    2006-05-03 02:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
    2007-02-21 03:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
    2008-03-16 05:30 216,064 ---shr-- c:\windows\system32\nbDX.dll
    2008-08-20 18:43 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082020080821\index.dat

    ============= FINISH: 15:56:22.21 ===============
     
  2. 2009/02/23
    E2040 (Thread Starter)
    P.2 I think my PC has been Hijacked-Random Shutdown?

    OK, here is my second post, for the DDS attach.txt, as I didn't have enough room in the other. I hope I did this correctly. Please let me know if not.
    attach.txt:

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-02-01.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 3/8/2006 5:36:30 PM
    System Uptime: 2/23/2009 3:40:53 PM (0 hours ago)

    Motherboard: | | SiS-661
    Processor: Intel(R) Celeron(R) CPU 2.66GHz | Socket 775 | 2672/133mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 37 GiB total, 3.284 GiB free.
    D: is CDROM (CDFS)

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP509: 1/7/2009 3:54:46 PM - System Checkpoint
    RP510: 1/8/2009 12:32:35 AM - Removed Apple Mobile Device Support
    RP511: 1/8/2009 2:26:14 AM - Removed Apple Software Update
    RP512: 1/8/2009 3:10:00 AM - Removed InstallShield Restore Point
    RP513: 1/8/2009 3:13:42 AM - Removed iTunes
    RP514: 1/8/2009 3:34:34 AM - Configured PRODUCT_NAME
    RP515: 1/8/2009 3:41:12 AM - Removed InstallShield Restore Point
    RP516: 1/8/2009 3:45:35 AM - Removed Windows Live Mail
    RP517: 1/8/2009 3:48:01 AM - Removed Windows Live Photo Gallery
    RP518: 1/9/2009 12:56:37 AM - Installed Windows Media Player 11
    RP519: 1/9/2009 1:19:35 AM - Installed Windows XP MSCompPackV1.
    RP520: 1/9/2009 7:00:27 PM - Software Distribution Service 3.0
    RP521: 1/11/2009 8:22:53 PM - System Checkpoint
    RP522: 1/13/2009 12:34:06 AM - System Checkpoint
    RP523: 1/14/2009 3:49:30 AM - Software Distribution Service 3.0
    RP524: 1/15/2009 4:59:55 AM - Installed BulkFriendAdder
    RP525: 1/15/2009 5:04:32 AM - Removed BulkFriendAdder
    RP526: 1/15/2009 5:06:21 AM - Removed OpenOffice.org Installer 1.0
    RP527: 1/15/2009 5:07:30 AM - Removed ToolBook Neuron
    RP528: 1/15/2009 6:07:09 AM - Configured VeohTV BETA
    RP529: 1/16/2009 3:45:52 PM - System Checkpoint
    RP530: 1/17/2009 5:18:31 PM - System Checkpoint
    RP531: 1/19/2009 11:40:08 PM - System Checkpoint
    RP532: 1/21/2009 12:27:48 AM - System Checkpoint
    RP533: 1/22/2009 6:26:51 PM - System Checkpoint
    RP534: 1/23/2009 7:01:36 PM - System Checkpoint
    RP535: 1/25/2009 3:56:34 PM - System Checkpoint
    RP536: 1/27/2009 2:14:13 PM - System Checkpoint
    RP537: 1/28/2009 3:58:54 PM - System Checkpoint
    RP538: 1/29/2009 4:51:34 PM - System Checkpoint
    RP539: 1/30/2009 5:36:45 PM - System Checkpoint
    RP540: 1/31/2009 8:18:30 PM - System Checkpoint
    RP541: 2/2/2009 5:24:45 PM - System Checkpoint
    RP542: 2/3/2009 7:18:28 PM - System Checkpoint
    RP543: 2/4/2009 8:37:02 PM - System Checkpoint
    RP544: 2/5/2009 2:57:45 PM - Installed %1 %2.
    RP545: 2/5/2009 2:58:28 PM - Printer Driver Microsoft XPS Document Writer Installed
    RP546: 2/5/2009 6:13:43 PM - Installed MyArtistPromo Buddy Adder
    RP547: 2/5/2009 8:27:29 PM - Removed MyArtistPromo Buddy Adder
    RP548: 2/5/2009 8:36:21 PM - Removed MyArtistPromo Buddy Adder
    RP549: 2/8/2009 7:42:40 PM - System Checkpoint
    RP550: 2/9/2009 9:40:28 PM - System Checkpoint
    RP551: 2/11/2009 8:18:36 PM - System Checkpoint
    RP552: 2/12/2009 1:28:24 AM - Software Distribution Service 3.0
    RP553: 2/13/2009 9:40:44 AM - System Checkpoint
    RP554: 2/15/2009 12:53:21 AM - System Checkpoint
    RP555: 2/15/2009 10:11:22 AM - Installed Buzz Lightyear of Star Command
    RP556: 2/16/2009 2:28:42 PM - System Checkpoint
    RP557: 2/17/2009 10:04:51 PM - System Checkpoint
    RP558: 2/19/2009 4:15:51 AM - System Checkpoint
    RP559: 2/21/2009 12:31:59 PM - System Checkpoint
    RP560: 2/21/2009 6:16:55 PM - Shockwave Player
    RP561: 2/22/2009 10:33:32 PM - System Checkpoint

    ==== Installed Programs ======================

    Ad-Aware SE Personal
    Adobe Flash Player 10 Plugin
    Adobe Flash Player 9 ActiveX
    Adobe Flash Player ActiveX
    Adobe Reader 7.1.0
    Adobe Shockwave Player
    Adobe® Photoshop® Album Starter Edition 3.0
    AppCore
    ArcSoft PhotoImpression
    ArcSoft VideoImpression 1.6
    AT&T Yahoo! Applications
    AT&T Yahoo! Music Jukebox
    Before You Know It 3.6
    BlueVoda Website Builder 10.2
    Bonjour
    Buzz Lightyear of Star Command
    Byki
    Byki Express
    C-Media WDM Audio Driver
    ccCommon
    Component Framework
    CutePDF Writer 2.7
    Digital Camera
    Disney's Extremely Goofy Skateboarding
    Disney Interactive Compatibility Update May 2002
    Educo Learning System
    Google Toolbar for Internet Explorer
    Hot Wheels(tm) Velocity X
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Format SDK (KB902344)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    HSP56 Modem Drivers
    HTML-Kit
    Icatch(IV) Camera Driver
    J2SE Runtime Environment 5.0 Update 6
    Java(TM) 6 Update 7
    Jay Jay Sky Heroes to the Rescue
    Kar Racing
    Learn to Speak French Essentials 9.5
    Lexmark 3300 Series
    Lexmark Fax Solutions
    Lexmark Supplies Monitor
    LimeWire 4.18.8
    LiveUpdate (Symantec Corporation)
    LiveUpdate Notice (Symantec Corporation)
    Malwarebytes' Anti-Malware
    MathPlayer
    Mavis Beacon Teaches Typing 10
    Mickey Mouse Kindergarten
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 1
    Microsoft .NET Framework 3.0 Service Pack 1
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    Microsoft Reader
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Move Networks Media Player for Internet Explorer
    Mozilla ActiveX Control v1.7.12
    Mozilla Firefox (3.0.6)
    Mozilla Thunderbird (1.5.0.2)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    Nero Suite
    Netflix Movie Viewer
    Norton AntiVirus
    Norton AntiVirus (Symantec Corporation)
    Norton AntiVirus Help
    Norton Protection Center
    Norton Security Scan
    Norton Security Scan (Symantec Corporation)
    Paint.NET v3.36
    Phonics Quest
    Photo Explosion SE 2.0
    Picasa 2
    PowerDVD
    QuickBooks Simple Start Special Edition
    QuickTime
    Realtek AC'97 Audio
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB960715)
    SiS Mirage Graphics
    SPBBC 32bit
    SpiralFrog Download Manager 0.8.25
    Spybot - Search & Destroy
    Spybot - Search & Destroy 1.4
    StreamPlug Player
    Study Helpers Math Booster
    Study Helpers Spelling Bee
    SUPER © Version 2009.bld.35 (Jan 5, 2009)
    Symantec KB-DocID:2003093015493306
    Symantec Real Time Storage Protection Component
    SymNet
    Tight Backgrounds
    U3Launcher
    Ultimate Business Planner
    Uninstall TONKA Monster Trucks
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Veoh Web Player Beta
    VeohTV BETA
    Watchtower Library 2001 - English Edition
    WebFldrs XP
    WinAce Archiver 2.0
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool
    Windows Internet Explorer 7
    Windows Live installer
    Windows Live Mail
    Windows Live Writer
    Windows Media Connect
    Windows Media Format 11 runtime
    Windows Media Format SDK Hotfix - KB891122
    Windows Media Player 11
    Windows Media Player Firefox Plugin
    Windows XP Service Pack 3
    XML Paper Specification Shared Components Pack 1.0
    Yahoo! Toolbar

    ==== Event Viewer Messages From Past Week ========

    2/19/2009 10:55:22 PM, error: Service Control Manager [7000] - The Icatch(IV) Video Camera Device service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    2/19/2009 10:55:21 PM, error: Service Control Manager [7000] - The Print Port Scanner Driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    2/20/2009 11:58:40 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service LiveUpdate with arguments " " in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}
    2/20/2009 11:58:42 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the LiveUpdate service to connect.
    2/21/2009 11:47:27 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'SrtETmp' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    2/22/2009 1:02:45 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    2/22/2009 1:03:09 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments " " in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    2/22/2009 1:03:18 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    2/22/2009 1:03:18 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    2/22/2009 1:03:18 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    2/22/2009 1:03:18 AM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    2/22/2009 1:03:18 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    2/22/2009 1:03:18 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SPBBCDrv SRTSP SRTSPX SYMTDI Tcpip
    2/23/2009 2:45:14 AM, error: W32Time [46] - The time service encountered an error and was forced to shut down. The error was: 0x8007045B
    2/23/2009 2:48:44 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl Fips intelppm SPBBCDrv SRTSP SRTSPX SYMTDI
    2/23/2009 3:07:53 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments " " in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    2/23/2009 3:41:41 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000043' while processing the file 'SrtETmp' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

    ==== End Of File ===========================
     


  4. 2009/02/23
    Admin.

    Admin. Administrator Administrator Staff

    Joined:
    2001/12/30
    Messages:
    6,687
    Likes Received:
    107
    I have moved your thread to the correct location & also merged the 2 separate threads into one.

    Please make sure to follow our Posting Rules.
     
  5. 2009/02/23
    E2040

    E2040 Inactive Thread Starter

    Joined:
    2009/02/22
    Messages:
    12
    Likes Received:
    0
    Thanks for moving

    Thanks for that, as I was unsure how to thread this, since my post did not show up afterwards. I guess I was supposed to wait? I'll make sure I wait next time.
     
  6. 2009/02/25
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi E2040

    Please do the following.

    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    Now this.

    Please do an online scan with Kaspersky WebScanner

    It's best to disable real time protection applications as they sometimes interfere with the scan.
    Check this link for any applicable programs you may have.

    Click on "Accept" if your pop-up blocker blocks any windows from opening.

    Click Run on the window that opens.
    Windows Vista users you must open the web browser using the Run as Administrator command.
    • The program will launch and then begin downloading the latest definition files:
    • Under Scan on the left side, click on My Computer.
    • This will start the program and scan your system.
    • Click the "Scan Report" On the left side.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type Text file. Click OK to save the file.
    • Save the text file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky results.

    Thanks
    Geri
     
    Geri,
    #5
  7. 2009/02/26
    E2040

    E2040 Inactive Thread Starter

    Joined:
    2009/02/22
    Messages:
    12
    Likes Received:
    0
    Reply..Help

    Hi Geri
    Thanks for the information. I have followed the instructions above. Apparently the other malware programs have turned up false positives, but Kaspersky found something. However, it ran for about an hour and 20 minutes on my PC before the culprit shut me out. I was able to stop midway after it reported a threat. What I found is that there is a threatening file hiding under Documents and Settings/Owner/Exploit.Java.Gama.s..... The last name is not full as I could not read the complete path. Do you have any suggestions on how to get this to stop so I can run Kaspersky for the full 2 or so hours needed?
    Thanks.
     
  8. 2009/02/26
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK, let's see if we can get it this way.

    Updating Java and Clearing Cache
    1. Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
    2. It will say "Java Plug-in" under the icon.
      Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
    3. If you are unable to update you can manually update by going here:
    4. After the reboot, go back into the Control Panel and double-click the Java Icon.
    5. On the General tab, at the bottom it has "Temporary Internet Files".
    6. Click the settings button. Then the Delete files button.
    7. There are two options in the window to clear the cache - Leave both Checked

      • Applications and Applets
        Trace and Log files
    8. Click OK
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    9. Click OK to leave the Java Control Panel.
    10. Delete older versions from Add/Remove list.
    J2SE Runtime Environment 5.0 Update 6
    Java(TM) 6 Update 7


    Then do this.

    Using Windows Explorer (to get there, right-click your Start button and go to "Explore"),
    see if this file is still present:

    C:\Documents and Settings/Owner/Exploit.Java.Gama.s...

    Let me know.

    Thanks
    Geri
     
    Geri,
    #7
  9. 2009/03/03
    E2040

    E2040 Inactive Thread Starter

    Joined:
    2009/02/22
    Messages:
    12
    Likes Received:
    0
    Hi Geri

    The popping/clicking in the background while I have my computer on is still running. I get random messages/pop-ups from Spybot saying that values are being deleted and added in my registry keys. Most of the time it asks me to allow or deny these changes, and I always choose 'deny', but this time it would not allow 'deny' and only had the 'allow' option. I ignored it and then it went away. I took your advice about updating Java and the popping stopped yesterday with no computer shut-off, but the clicking returned today. The problem with the Exploit.Java file is that it does not show up when I go to 'explore' under the path Kaspersky showed it under, so I do not know if it is gone, but Kaspersky did not show it on the second scan (the first scan showed Exploit.Java... right before the computer shut off, so I was unable to retrieve it).

    However, under C:/Windows/Prefetch/... I noticed a file called 'twunk 32' which appeared twice. I tried to delete it and moments later it reappeared. I could not get rid of this. When I updated Java, I went back to Windows and noticed Twunk32 seemed to be gone, but saw a 'Rundll32.exe' it says was created today. Whatever and whoever is doing this to my computer seems to be moving its file or re-adding what I delete, because malware shows infected files, I remove them, but soon after the clicking resumes. Could someone have my IP address and be hijacking, monitoring, or exploiting my computer on a deeper level? I ran Kaspersky fully after following your advice concerning the shut-off problem and it ran without incident. However, it says it showed no infection. Obviously this is a false positive because the clicking and strange dialog boxes that pop up remain.

    There is nothing to copy from the Kaspersky scan because now it says there are no threats and does not show a scan report. I think this is another false positive. What do you advise?
    Thanks,
     
    Last edited: 2009/03/03
  10. 2009/03/03
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi E2040

    Please do this.

    Download RootRepeal.zip to your Desktop.
    • Extract the compressed file to its own folder.
    • Open the folder and double-click on RootRepeal.exe to run it.
    • Click on the Report tab, and then click on: Scan
    • A window opens asking what to include in the scan.
    • Check the following boxes then click OK:
      • Drivers
      • Files
      • Processes
      • SSDT
      • Stealth Objects
      • Hidden Services
    • You will then be asked which drive to scan.
    • Check C: (or the drive your operating system is installed on, if not C)
    • Click OK once again.
    The tool will begin scanning and may take a while to complete, so please be patient.

    When the scan finishes, click on: Save Report
    Name the log RootRepeal.txt and save it to your Documents folder (it should default there).

    Post the contents of the report in a reply here

    Thanks
    Geri
     
    Geri,
    #9
  11. 2009/03/04
    E2040

    E2040 Inactive Thread Starter

    Joined:
    2009/02/22
    Messages:
    12
    Likes Received:
    0
    Hi,
    Here is the report from Root Repeal. Thanks.

    ROOTREPEAL (c) AD, 2007-2008
    ==================================================
    Scan Time: 2009/03/04 19:49
    Program Version: Version 1.2.3.0
    Windows Version: Windows XP SP3
    ==================================================

    Drivers
    -------------------
    Name: dump_atapi.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
    Address: 0xB7A7A000 Size: 98304 File Visible: No
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
    Address: 0xF8F96000 Size: 8192 File Visible: No
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xB672B000 Size: 45056 File Visible: No
    Status: -

    Hidden/Locked Files
    -------------------
    Path: C:\Program Files\Yahoo! Games\Text Twist\TextTwist.exe:{EFFF072C-05E8-E450-9C30-71171B5C717A}
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Owner\Local Settings\Temp\etilqs_orlmxYiuBDzwn8LffdD3
    Status: Allocation size mismatch (API: 32768, Raw: 0)

    Path: C:\Documents and Settings\Owner\Local Settings\Temp\etilqs_ZlBiG1aHHiA6xH7Sn8aJ
    Status: Allocation size mismatch (API: 4096, Raw: 0)

    Path: C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl
    Status: Allocation size mismatch (API: 8192, Raw: 4096)

    Path: C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\volatile.DAT
    Status: Allocation size mismatch (API: 288, Raw: 136)

    Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090302.040\EraserUtilRebootDrv.sys
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4xpq6p92.default\sessionstore.js
    Status: Could not get file information (Error 0xc0000008)

    SSDT
    -------------------
    #: 012 Function Name: NtAlertResumeThread
    Status: Hooked by "<unknown>" at address 0x82ff59a8

    #: 013 Function Name: NtAlertThread
    Status: Hooked by "<unknown>" at address 0x82ff5a88

    #: 017 Function Name: NtAllocateVirtualMemory
    Status: Hooked by "<unknown>" at address 0x830235e8

    #: 031 Function Name: NtConnectPort
    Status: Hooked by "<unknown>" at address 0x830bbda8

    #: 041 Function Name: NtCreateKey
    Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb7d98020

    #: 043 Function Name: NtCreateMutant
    Status: Hooked by "<unknown>" at address 0x82ff56f8

    #: 053 Function Name: NtCreateThread
    Status: Hooked by "<unknown>" at address 0x830252e0

    #: 057 Function Name: NtDebugActiveProcess
    Status: Hooked by "<unknown>" at address 0x82ff5378

    #: 063 Function Name: NtDeleteKey
    Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb7d982a0

    #: 065 Function Name: NtDeleteValueKey
    Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb7d98800

    #: 083 Function Name: NtFreeVirtualMemory
    Status: Hooked by "<unknown>" at address 0x82ff64f0

    #: 089 Function Name: NtImpersonateAnonymousToken
    Status: Hooked by "<unknown>" at address 0x82ff57e8

    #: 091 Function Name: NtImpersonateThread
    Status: Hooked by "<unknown>" at address 0x82ff58c8

    #: 108 Function Name: NtMapViewOfSection
    Status: Hooked by "<unknown>" at address 0x82ff63f0

    #: 114 Function Name: NtOpenEvent
    Status: Hooked by "<unknown>" at address 0x82ff5618

    #: 123 Function Name: NtOpenProcessToken
    Status: Hooked by "<unknown>" at address 0x830285f8

    #: 125 Function Name: NtOpenSection
    Status: Hooked by "<unknown>" at address 0x82ff5458

    #: 129 Function Name: NtOpenThreadToken
    Status: Hooked by "<unknown>" at address 0x82ff5f60

    #: 206 Function Name: NtResumeThread
    Status: Hooked by "<unknown>" at address 0x83096ca0

    #: 213 Function Name: NtSetContextThread
    Status: Hooked by "<unknown>" at address 0x82ff5e80

    #: 228 Function Name: NtSetInformationProcess
    Status: Hooked by "<unknown>" at address 0x82ff6220

    #: 229 Function Name: NtSetInformationThread
    Status: Hooked by "<unknown>" at address 0x82ff5d90

    #: 247 Function Name: NtSetValueKey
    Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb7d98a50

    #: 253 Function Name: NtSuspendProcess
    Status: Hooked by "<unknown>" at address 0x82ff5538

    #: 254 Function Name: NtSuspendThread
    Status: Hooked by "<unknown>" at address 0x82ff5bd0

    #: 257 Function Name: NtTerminateProcess
    Status: Hooked by "<unknown>" at address 0x83061a08

    #: 258 Function Name: NtTerminateThread
    Status: Hooked by "<unknown>" at address 0x82ff5cb0

    #: 267 Function Name: NtUnmapViewOfSection
    Status: Hooked by "<unknown>" at address 0x82ff6310

    #: 277 Function Name: NtWriteVirtualMemory
    Status: Hooked by "<unknown>" at address 0x830625c0
     
  12. 2009/03/04
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Was that the full report? Please check and make sure everything was posted.

    Thanks
    Geri
     
  13. 2009/03/06
    E2040

    E2040 Inactive Thread Starter

    Joined:
    2009/02/22
    Messages:
    12
    Likes Received:
    0
    Hi Geri,
    I went back to the RootRepeal report that was saved and that is all it gave me. Should there be more? I'll do another scan report and see what it comes up with.
     
  14. 2009/03/06
    E2040

    E2040 Inactive Thread Starter

    Joined:
    2009/02/22
    Messages:
    12
    Likes Received:
    0
    Hi
    Ok, I ran the report again just to be sure everything was captured:
    ROOTREPEAL (c) AD, 2007-2008
    ==================================================
    Scan Time: 2009/03/05 22:56
    Program Version: Version 1.2.3.0
    Windows Version: Windows XP SP3
    ==================================================

    Drivers
    -------------------
    Name: dump_atapi.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
    Address: 0xB7A7A000 Size: 98304 File Visible: No
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
    Address: 0xF8F9C000 Size: 8192 File Visible: No
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xB6562000 Size: 45056 File Visible: No
    Status: -

    Hidden/Locked Files
    -------------------
    Path: C:\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf
    Status: Size mismatch (API: 37956, Raw: 43690)

    Path: C:\Program Files\Yahoo! Games\Text Twist\TextTwist.exe:{EFFF072C-05E8-E450-9C30-71171B5C717A}
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Owner\Local Settings\Temp\etilqs_HNCNxLAMbIKBT01A12yZ
    Status: Allocation size mismatch (API: 32768, Raw: 0)

    Path: C:\Program Files\QuickTime\QTSystem\QuickTimeEssentials.Resources\fi.lproj\QuickTimeEssentialsLocalized.qtr
    Status: Allocation size mismatch (API: 16384, Raw: 70931694131101696)

    Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090302.040\EraserUtilRebootDrv.sys
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4xpq6p92.default\sessionstore.js
    Status: Size mismatch (API: 80603, Raw: 80034)

    SSDT
    -------------------
    #: 012 Function Name: NtAlertResumeThread
    Status: Hooked by "<unknown>" at address 0x83031450

    #: 013 Function Name: NtAlertThread
    Status: Hooked by "<unknown>" at address 0x83031510

    #: 017 Function Name: NtAllocateVirtualMemory
    Status: Hooked by "<unknown>" at address 0x82f5d370

    #: 031 Function Name: NtConnectPort
    Status: Hooked by "<unknown>" at address 0x832a6210

    #: 041 Function Name: NtCreateKey
    Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb7d98020

    #: 043 Function Name: NtCreateMutant
    Status: Hooked by "<unknown>" at address 0x83029db8

    #: 053 Function Name: NtCreateThread
    Status: Hooked by "<unknown>" at address 0x83029630

    #: 057 Function Name: NtDebugActiveProcess
    Status: Hooked by "<unknown>" at address 0x8302bc28

    #: 063 Function Name: NtDeleteKey
    Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb7d982a0

    #: 065 Function Name: NtDeleteValueKey
    Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb7d98800

    #: 083 Function Name: NtFreeVirtualMemory
    Status: Hooked by "<unknown>" at address 0x830303b8

    #: 089 Function Name: NtImpersonateAnonymousToken
    Status: Hooked by "<unknown>" at address 0x82773ca8

    #: 091 Function Name: NtImpersonateThread
    Status: Hooked by "<unknown>" at address 0x82773d88

    #: 108 Function Name: NtMapViewOfSection
    Status: Hooked by "<unknown>" at address 0x830302d8

    #: 114 Function Name: NtOpenEvent
    Status: Hooked by "<unknown>" at address 0x83029cd8

    #: 123 Function Name: NtOpenProcessToken
    Status: Hooked by "<unknown>" at address 0x83056e78

    #: 125 Function Name: NtOpenSection
    Status: Hooked by "<unknown>" at address 0x8302bd08

    #: 129 Function Name: NtOpenThreadToken
    Status: Hooked by "<unknown>" at address 0x82fdd2a8

    #: 206 Function Name: NtResumeThread
    Status: Hooked by "<unknown>" at address 0x830930d0

    #: 213 Function Name: NtSetContextThread
    Status: Hooked by "<unknown>" at address 0x8302b688

    #: 228 Function Name: NtSetInformationProcess
    Status: Hooked by "<unknown>" at address 0x82fdd378

    #: 229 Function Name: NtSetInformationThread
    Status: Hooked by "<unknown>" at address 0x8302b598

    #: 247 Function Name: NtSetValueKey
    Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb7d98a50

    #: 253 Function Name: NtSuspendProcess
    Status: Hooked by "<unknown>" at address 0x8302bdc8

    #: 254 Function Name: NtSuspendThread
    Status: Hooked by "<unknown>" at address 0x83031b08

    #: 257 Function Name: NtTerminateProcess
    Status: Hooked by "<unknown>" at address 0x83083ac8

    #: 258 Function Name: NtTerminateThread
    Status: Hooked by "<unknown>" at address 0x83031be8

    #: 267 Function Name: NtUnmapViewOfSection
    Status: Hooked by "<unknown>" at address 0x8302c058

    #: 277 Function Name: NtWriteVirtualMemory
    Status: Hooked by "<unknown>" at address 0x82f5d2a0

    Stealth Objects
    -------------------
    Object: Hidden Handle [Index: 3072, Type: File]
    Process: firefox.exe (PID: 1232) Address: 0x8235ea30 Size: -

    Object: Hidden Handle [Index: 4536, Type: File]
    Process: firefox.exe (PID: 1232) Address: 0x8241f2d8 Size: -

    Object: Hidden Handle [Index: 4716, Type: File]
    Process: firefox.exe (PID: 1232) Address: 0x824f6930 Size: -
     
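    A small triage script for reports in the format pasted above, added here as an example and not part of this thread or of the RootRepeal tool itself. SAMPLE_REPORT is a constructed, trimmed copy of the report's layout (the same headings, a few of the same entries). The script splits the report into its sections, groups the SSDT hooks by the module RootRepeal attributed them to, so the entries owned by an identifiable driver (here Symantec's SYMEVENT.SYS, which the scan reports by path) can be set aside from the ones marked "<unknown>", and lists the files reported as locked or with a size mismatch. A hook marked "<unknown>" only means the scanner could not tie that address to a driver image it knows about; security products hook these same functions, so the list is a set of things to look up, not a verdict.

```python
"""Triage a RootRepeal text report: group SSDT hooks by owner, list flagged files.

Example code written for this thread; not the forum's or RootRepeal's own code.
"""
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the layout of the report posted above.
SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time: 2009/03/05 22:56
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB6562000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf
Status: Size mismatch (API: 37956, Raw: 43690)

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090302.040\EraserUtilRebootDrv.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb7d98020

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x83029630

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x82f5d2a0

Stealth Objects
-------------------
Object: Hidden Handle [Index: 3072, Type: File]
Process: firefox.exe (PID: 1232) Address: 0x8235ea30 Size: -
"""

# A section is a heading line made of letters, spaces or '/' followed by a dashed rule.
SECTION_RE = re.compile(r"^([A-Za-z /]+)\n-{5,}$", re.M)
SSDT_RE = re.compile(
    r'#: (\d+) Function Name: (\w+)\n'
    r'Status: Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)'
)
FILE_RE = re.compile(r"^Path: (.+)\nStatus: (.+)$", re.M)
STEALTH_RE = re.compile(
    r"^Object: (.+?) \[Index: (\d+), Type: (\w+)\]\nProcess: (\S+) \(PID: (\d+)\)", re.M
)


def split_sections(text):
    """Map each section heading (e.g. 'SSDT') to the text under it."""
    parts = SECTION_RE.split(text)  # [preamble, name, body, name, body, ...]
    return {parts[i].strip(): parts[i + 1] for i in range(1, len(parts), 2)}


def parse_ssdt_hooks(text):
    """One dict per hooked SSDT entry: index, function, owning module, hook address."""
    body = split_sections(text).get("SSDT", "")
    return [
        {"index": int(n), "function": fn, "module": mod, "address": int(addr, 16)}
        for n, fn, mod, addr in SSDT_RE.findall(body)
    ]


def hooks_by_module(hooks):
    """Group hooked function names by the module RootRepeal attributed them to."""
    grouped = defaultdict(list)
    for h in hooks:
        grouped[h["module"]].append(h["function"])
    return dict(grouped)


def parse_hidden_files(text):
    body = split_sections(text).get("Hidden/Locked Files", "")
    return [{"path": p, "status": s} for p, s in FILE_RE.findall(body)]


def parse_stealth_objects(text):
    body = split_sections(text).get("Stealth Objects", "")
    return [
        {"object": obj, "index": int(idx), "type": typ, "process": proc, "pid": int(pid)}
        for obj, idx, typ, proc, pid in STEALTH_RE.findall(body)
    ]


def triage(text):
    """Summarise what deserves a closer look; it does not decide whether anything is malicious."""
    hooks = parse_ssdt_hooks(text)
    files = parse_hidden_files(text)
    return {
        "hooks_by_module": hooks_by_module(hooks),
        "unattributed_hooks": sorted(h["function"] for h in hooks if h["module"] == "<unknown>"),
        "locked_files": [f["path"] for f in files if f["status"].startswith("Locked")],
        "mismatched_files": [f["path"] for f in files if "mismatch" in f["status"]],
        "stealth_objects": parse_stealth_objects(text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

    Run it against a saved RootRepeal.txt by replacing SAMPLE_REPORT with the file's contents. The grouping is the useful part: on the reports above, every registry hook (NtCreateKey, NtDeleteKey, NtDeleteValueKey, NtSetValueKey) is attributed to SYMEVENT.SYS, while the thread, memory and token functions are the "<unknown>" set that would need to be matched against the loaded driver list before drawing any conclusion.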
  15. 2009/03/06
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Please do this.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post the Combofix log
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.

    Thanks
    Geri
     
  16. 2009/03/08
    E2040

    E2040 Inactive Thread Starter

    Joined:
    2009/02/22
    Messages:
    12
    Likes Received:
    0
    Hi Geri,
    Here are the Combo results:
    ComboFix 09-03-06.02 - Owner 2009-03-08 3:01:44.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.606.232 [GMT -8:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: Norton AntiVirus *On-access scanning disabled* (Updated)
    FW: Norton AntiVirus *enabled*
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\documents and settings\Owner\Local Settings\Temporary Internet Files\sph264.dll
    c:\documents and settings\Owner\Local Settings\Temporary Internet Files\spmpeg4.dll
    c:\documents and settings\Owner\Local Settings\Temporary Internet Files\sptheo.dll
    c:\documents and settings\Owner\Local Settings\Temporary Internet Files\StreamPlug.dll
    c:\windows\a3kebook.ini
    c:\windows\akebook.ini
    c:\windows\ANS2000.INI
    c:\windows\IE4 Error Log.txt
    c:\windows\system32\AVSredirect.dll
    c:\windows\system32\bszip.dll

    ----- BITS: Possible infected sites -----

    hxxp://www.spiralfrog.com
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_MYWEBSEARCHSERVICE


    ((((((((((((((((((((((((( Files Created from 2009-02-08 to 2009-03-08 )))))))))))))))))))))))))))))))
    .

    2009-02-28 12:08 . 2009-02-28 12:07 410,984 --a------ c:\windows\system32\deploytk.dll
    2009-02-23 21:58 . 2009-02-23 21:58 <DIR> d-------- c:\documents and settings\Owner\Application Data\Uniblue
    2009-02-23 21:11 . 2009-02-23 21:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\SecTaskMan
    2009-02-23 21:10 . 2009-02-26 22:12 <DIR> d-------- c:\program files\Security Task Manager
    2009-02-23 16:35 . 2009-02-23 16:35 127 --a------ c:\windows\_delis43.ini
    2009-02-23 16:34 . 2009-02-23 16:34 106 --a------ c:\windows\MSREGUSR.INI
    2009-02-23 16:33 . 2009-02-23 16:33 <DIR> d-------- c:\program files\Broderbund
    2009-02-23 16:33 . 2009-02-23 16:33 5,607 --a------ c:\windows\~GLH0000.TMP
    2009-02-23 16:32 . 2009-02-23 16:32 128,720 --a------ c:\windows\~GLC0000.TMP
    2009-02-23 03:18 . 2009-02-23 03:18 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
    2009-02-23 03:17 . 2009-02-23 03:18 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-02-23 03:17 . 2009-02-23 03:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-02-23 03:17 . 2009-02-11 11:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-02-23 03:17 . 2009-02-11 11:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-02-23 02:57 . 2009-02-22 15:51 512,782 --a--c--- C:\HaxFix.exe
    2009-02-22 16:00 . 2009-02-23 19:05 <DIR> d----c--- C:\HaxFix
    2009-02-22 02:02 . 2007-09-16 20:14 <DIR> d-------- c:\documents and settings\Administrator\Application Data\FaxCtr
    2009-02-22 02:02 . 2009-02-22 02:02 <DIR> d-------- c:\documents and settings\Administrator
    2009-02-19 21:50 . 2009-02-19 21:53 22,218,761 --a--c--- C:\Disney-Pixar - 2007 ratatouille.avi.3GP
    2009-02-19 21:49 . 2009-02-19 21:49 6,997,903 --a--c--- C:\TransformersEnergonCybertronCity13.flv.3gp.3GP
    2009-02-19 21:48 . 2009-02-19 21:48 9,482,453 --a--c--- C:\TomandJerryCartoonEp.4FraidyCat.flv.3gp.3GP
    2009-02-19 21:47 . 2009-02-19 21:47 11,079 --a--c--- C:\That Girl.wmv.3gp.3GP
    2009-02-19 21:46 . 2009-02-19 21:47 4,289,403 --a--c--- C:\Sean Paul - Temperature.3gp.3GP
    2009-02-19 13:03 . 2009-02-19 13:03 579,464 --a------ c:\windows\system32\SymNeti.dll
    2009-02-19 13:03 . 2009-02-19 13:03 207,240 --a------ c:\windows\system32\SymRedir.dll
    2009-02-19 12:31 . 2009-02-19 12:31 184,496 --a------ c:\windows\system32\drivers\symtdi.sys
    2009-02-19 12:31 . 2009-02-19 12:31 96,560 --a------ c:\windows\system32\drivers\symfw.sys
    2009-02-19 12:31 . 2009-02-19 12:31 41,008 --a------ c:\windows\system32\drivers\symndisv.sys
    2009-02-19 12:31 . 2009-02-19 12:31 38,576 --a------ c:\windows\system32\drivers\symids.sys
    2009-02-19 12:31 . 2009-02-19 12:31 37,424 --a------ c:\windows\system32\drivers\symndis.sys
    2009-02-19 12:31 . 2009-02-19 12:31 31,280 --a------ c:\windows\system32\drivers\SymIM.sys
    2009-02-19 12:31 . 2009-02-19 12:31 22,320 --a------ c:\windows\system32\drivers\symredrv.sys
    2009-02-19 12:31 . 2009-02-19 12:31 13,616 --a------ c:\windows\system32\drivers\symdns.sys
    2009-02-19 12:31 . 2009-02-19 12:31 9,844 --a------ c:\windows\system32\drivers\SymRedir.cat
    2009-02-19 12:31 . 2009-02-19 12:31 1,611 --a------ c:\windows\system32\drivers\SymRedir.inf
    2009-02-15 11:08 . 2009-02-15 11:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Disney Interactive

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-06 07:21 --------- d-----w c:\program files\Lx_cats
    2009-03-04 04:00 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-03-04 03:55 --------- d-----w c:\program files\Spybot - Search & Destroy
    2009-03-03 04:24 --------- d-----w c:\program files\Common Files\Symantec Shared
    2009-02-28 19:18 --------- d-----w c:\program files\Java
    2009-02-28 18:40 --------- d-----w c:\program files\SpiralFrog
    2009-02-27 02:44 --------- d-----w c:\program files\Microsoft Silverlight
    2009-02-24 04:34 --------- d-----w c:\program files\Google
    2009-02-24 03:55 --------- d-----w c:\documents and settings\Owner\Application Data\Move Networks
    2009-02-24 00:51 --------- d-----w c:\program files\Bonjour
    2009-02-23 02:00 --------- d-----w c:\program files\Norton Security Scan
    2009-02-20 04:09 --------- d-----w c:\program files\LimeWire
    2009-02-19 07:35 --------- d-----w c:\documents and settings\Owner\Application Data\U3
    2009-02-18 09:46 --------- d-----w c:\program files\AvRack
    2009-02-15 18:10 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-02-15 18:09 --------- d-----w c:\program files\Disney Interactive
    2009-02-07 08:48 --------- d-----w c:\program files\AviSynth 2.5
    2009-02-07 08:43 --------- d-----w c:\program files\eRightSoft
    2009-02-05 23:01 --------- d-----w c:\program files\MSBuild
    2009-02-05 23:00 --------- d-----w c:\program files\Reference Assemblies
    2009-02-01 07:14 14,968,808 ----a-w c:\program files\spybotsd160.exe
    2009-02-01 07:12 --------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
    2009-02-01 07:12 --------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
    2009-02-01 07:12 --------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
    2009-02-01 07:12 --------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
    2009-01-31 03:19 --------- d-----w c:\program files\QuickTime
    2009-01-21 05:12 --------- d-----w c:\program files\Common Files\aol
    2009-01-21 02:11 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
    2009-01-21 02:08 --------- d-----w c:\documents and settings\Owner\Application Data\AOL
    2009-01-21 01:47 --------- d-----w c:\program files\Common Files\click2learn
    2009-01-11 22:35 --------- d-----w c:\program files\Setup NetZero
    2009-01-09 09:18 --------- d-----w c:\program files\Windows Media Connect 2
    2009-01-09 00:26 --------- d-----w c:\program files\Symantec
    2009-01-09 00:25 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
    2009-01-09 00:25 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
    2009-01-09 00:25 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
    2009-01-08 11:48 --------- d-----w c:\program files\Windows Live
    2009-01-08 11:44 --------- d-----w c:\documents and settings\Owner\Application Data\MSNInstaller
    2009-01-08 11:37 --------- d-----w c:\program files\eBay
    2009-01-08 08:55 --------- d-----w c:\program files\Common Files\Apple
    2008-12-19 06:45 737,280 ----a-w c:\windows\iun6002.exe
    2008-06-26 04:09 1,427,520 ----a-w c:\program files\Silverlight.exe
    2006-05-03 10:06 163,328 --sh--r c:\windows\system32\flvDX.dll
    2007-02-21 11:47 31,232 --sh--r c:\windows\system32\msfDX.dll
    2008-03-16 13:30 216,064 --sh--r c:\windows\system32\nbDX.dll
    2008-08-21 02:43 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082020080821\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "Yahoo! Pager "= "c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 4670968]
    "Veoh "= "c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
    "VeohPlugin "= "c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2008-12-16 3528440]
    "SpybotSD TeaTimer "= "c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
    "WMPNSCFG "= "c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ccApp "= "c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
    "LXCCCATS "= "c:\windows\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-01-10 69632]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-02-28 136600]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Picasa Media Detector "= "c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 443968]

    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    PowerReg Scheduler.exe [2007-10-21 256000]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
    AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2007-07-24 217088]
    LaunchU3.exe.lnk - c:\windows\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2008-06-12 22486]
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-10-26 811008]
    ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-02-05 54512]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.I420 "= i420vfw.dll
    "VIDC.SP54 "= SP5X_32.DLL
    "VIDC.SP55 "= SP5X_32.DLL
    "VIDC.SP56 "= SP5X_32.DLL
    "VIDC.SP57 "= SP5X_32.DLL
    "VIDC.SP58 "= SP5X_32.DLL

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    --a------ 2005-06-07 00:46 57344 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2008-04-13 17:12 15360 c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    ---hs---- 2008-04-13 17:12 1695232 c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2001-07-09 12:50 155648 c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe "=
    "c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe "=
    "c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe "=
    "c:\\Program Files\\LimeWire\\LimeWire.exe "=
    "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe "=

    R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2007-08-24 149352]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-02 101936]
    S2 Ca533av;Icatch(IV) Video Camera Device;c:\windows\system32\drivers\Ca533av.sys [2006-03-18 515803]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-05-29 23888]
    S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-09-21 33752]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-02-23 38496]
    S3 USBCamera;Icatch(IV) Still Camera Device;c:\windows\system32\drivers\Bulk533.sys [2006-03-18 10986]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1e8910ed-e4dd-11dd-8a01-00115bd82329}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2dd819d6-3852-11dd-88b4-00038a000015}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a
    .
    Contents of the 'Scheduled Tasks' folder

    2009-02-24 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job
    - c:\program files\Norton AntiVirus\Navw32.exe [2007-08-26 18:19]

    2009-02-23 c:\windows\Tasks\Norton Security Scan for Owner.job
    - c:\program files\Norton Security Scan\Nss.exe [2008-09-19 05:18]

    2009-03-08 c:\windows\Tasks\User_Feed_Synchronization-{FD520346-B1B4-4FB5-AF98-011E59577605}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 12:58]
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-MsnMsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe
    HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
    HKLM-Run-HostManager - c:\program files\Common Files\AOL\1188570643\ee\AOLSoftware.exe
    MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
    MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uDefault_Search_URL = hxxp://www.google.com/ie
    mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = 127.0.0.1;*.local
    uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    IE: &Search - ?p=ZJman000
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\4xpq6p92.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\4xpq6p92.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPStreamPlug.dll
    FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
    FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
    FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-08 03:07:09
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LXCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\system32\wscntfy.exe
    c:\documents and settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
    .
    **************************************************************************
    .
    Completion time: 2009-03-08 3:15:06 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-03-08 10:14:17

    Pre-Run: 3,131,052,032 bytes free
    Post-Run: 3,151,400,960 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    263 --- E O F --- 2009-02-26 09:24:39
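A small triage helper for ComboFix log excerpts like the one posted above. This is an added example, not something posted in the thread and not part of ComboFix or DDS; the sample lines are a constructed excerpt modelled on the log, and the three checks it applies (Security Center monitoring switched off, AutoRun commands under mountpoints2, Run entries that point at a DLL) are my own choice of what deserves a second look, not a verdict on any entry.

```python
import re

# Constructed excerpt modelled on the ComboFix log posted in the thread (spacing kept as rendered).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp "= "c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"LXCCCATS "= "c:\windows\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-01-10 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring "=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"?(?P<data>[^"\[]+?)"?\s*(\[(?P<meta>[^\]]*)\])?$')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(?P<cmd>.+)$")

def triage(log_text):
    """Return {'run': {name: path}, 'findings': [str]} for a ComboFix-style excerpt."""
    key = None          # registry key currently being read
    run_entries = {}
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        m = AUTORUN_RE.match(line)
        if m and key and "mountpoints2" in key:
            # Per-volume AutoRun handler: runs when the volume is inserted/opened.
            findings.append(f"AutoRun command on mounted volume: {m.group('cmd')}")
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data = m.group("name").strip(), m.group("data").strip()
        if key.endswith("\\currentversion\\run"):
            run_entries[name] = data
            if data.lower().endswith(".dll"):
                # A DLL here is loaded via rundll32; less common than an EXE, so note it.
                findings.append(f"Run entry loads a DLL rather than an EXE: {name} -> {data}")
        elif "security center\\monitoring" in key and name.lower() == "disablemonitoring" and data.endswith("1"):
            # Suppresses Security Center alerts about AV/firewall state for that product.
            product = key.rsplit("\\", 1)[-1]
            findings.append(f"Security Center monitoring disabled for: {product}")
    return {"run": run_entries, "findings": findings}
```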
     
  17. 2009/03/09
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Please do this.

    • Please go to Jotti's malware scan
    • Copy and paste the following file paths, one at a time, into the "File to upload & scan" box at the top of the page:
      • c:\windows\system32\flvDX.dll
        c:\windows\system32\msfDX.dll
        c:\windows\system32\nbDX.dll
    • Click on the submit button
    • Please post the results in your next reply.

    Thanks
    Geri
     
  18. 2009/03/12
    E2040

    E2040 Inactive Thread Starter

    Joined:
    2009/02/22
    Messages:
    12
    Likes Received:
    0
    Hi Geri,
    Jotti's does not allow me to copy and paste the path you listed into the 'File to Upload & Scan' field. It automatically brings up a dialog box to manually click on. When I tried to follow the path you gave 'manually' I could not see the flv file. Is there another way to do this besides manually clicking each file and subfolder to get to the file?
    Thanks,
     
  19. 2009/03/12
    E2040

    E2040 Inactive Thread Starter

    Joined:
    2009/02/22
    Messages:
    12
    Likes Received:
    0
    Below is the scan it pulled up when I visited the site automatically. One more to come:

    Scanner Malware name
    A-Squared X
    AntiVir X
    ArcaVir X
    Avast X
    AVG Antivirus X
    BitDefender X
    ClamAV X
    CPsecure X
    Dr.Web X
    F-Prot Antivirus W32/FakeAlert.AG.gen!Eldorado
    F-Secure Anti-Virus not-a-virus:FraudTool.Win32.SystemSecurity.cc
    Ikarus X
    Kaspersky Anti-Virus not-a-virus:FraudTool.Win32.SystemSecurity.cc
    NOD32 a variant of Win32/Adware.WinWebSecurity application
    Norman Virus Control W32/Agent.FXGD
    Panda Antivirus X
    Quick Heal TrojanDownloader.FraudLoad.vl
    Sophos Antivirus Mal/FakeAV-AA
    VirusBuster X
    VBA32 Trojan-Downloader.Win32.FraudLoad.vlka
     
  20. 2009/03/12
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    That's OK

    Do you have this installed, or ever had it installed?

    Product Name: FLV Splitter
    Company Name: Gabest


    Geri
     
  21. 2009/03/14
    E2040

    E2040 Inactive Thread Starter

    Joined:
    2009/02/22
    Messages:
    12
    Likes Received:
    0
    Hi Geri,
    I think I may have. I'm not familiar with the name Gabest, but I know I did download an FLV viewer to convert movies so I'd be able to watch them a month ago or so, around the time I started having problems. Interestingly, while the file did not show up on Jotti, I downloaded WindowsWasher and the file you mentioned (flv...) did show up just where it shows on the other scan, under windows. I tried deleting the icon shortcut on my desktop to get rid of it manually. However, the bubble popping sound is still in the background and causes my computer to crash and shut down. I believe this may have come from a download, but any ideas on how to get rid of it? I tried doing a search for the file but it does not show up, nor in Explorer, so I'm thinking it is hidden...?
    Thanks
     
    Last edited: 2009/03/14
