
Solved Malware, plus I can't end any processes

Discussion in 'Malware and Virus Removal Archive' started by jmooney5115, 2010/05/01.

  1. 2010/05/01
    jmooney5115

    jmooney5115 Inactive Thread Starter

    Joined:
    2010/04/27
    Messages:
    22
    Likes Received:
    0
    [Resolved] Malware, plus I can't end any processes

    Hello. The OS is XP. My friend's computer is infected with some kind of malware. I downloaded Malwarebytes and ClamWin anti-virus last week for her protection. I started the Malwarebytes scan and when it finished scanning, she clicked the 'fix now' button. She said the computer reset and gave her the BSOD in a few minutes. She restarted the computer many times, still getting the BSOD. She finally did a system restore and it's back to where it was. Microsoft Word doesn't save files, be it to the HDD or a flash drive. Also, I cannot end any process while in the Task Manager. I click a process, press Delete, hit Yes, and the process doesn't end. One is running called 'yoayo.exe'; Google said it's malware.

    I just did a DDS scan; the files are long, so I put them on my server for my convenience (if that's not good, I'll post them here). I'm afraid of trying Malwarebytes again for fear of Windows crashing. Please let me know if there's anything I can do.

    dds.txt
    Attach.txt

    Thanks.
     
  2. 2010/05/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please, always paste all logs into your post.
     


  4. 2010/05/01
    jmooney5115

    jmooney5115 Inactive Thread Starter

    Joined:
    2010/04/27
    Messages:
    22
    Likes Received:
    0
    Sorry,
    dds.txt

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Kellie at 19:07:00.07 on Sat 05/01/2010
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_12
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.561 [GMT -5:00]


    ============== Running Processes ===============

    D:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    D:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    D:\WINDOWS\system32\LEXBCES.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\system32\LEXPPS.EXE
    svchost.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    D:\Documents and Settings\Kellie\yoayo.exe
    D:\Program Files\Microsoft ActiveSync\wcescomm.exe
    D:\PROGRA~1\MI3AA1~1\rapimgr.exe
    D:\Program Files\Bonjour\mDNSResponder.exe
    D:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    D:\Program Files\Java\jre6\bin\jqs.exe
    D:\WINDOWS\system32\svchost.exe -k imgsvc
    D:\WINDOWS\System32\svchost.exe -k HTTPFilter
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    svchost.exe
    D:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\WINDOWS\system32\msiexec.exe
    D:\Documents and Settings\Kellie\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uWindow Title = Service Pack 3 Internet Explorer
    uInternet Settings,ProxyOverride = *.local
    mWinlogon: SfcDisable=-99 (0xffffff9d)
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - d:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
    uRun: [yoayo] d:\documents and settings\kellie\yoayo.exe
    uRun: [H/PC Connection Agent] "d:\program files\microsoft activesync\wcescomm.exe"
    mRun: [Lexmark X1100 Series] "d:\program files\lexmark x1100 series\lxbkbmgr.exe"
    dRun: [msnsc] d:\windows\system32\msnsc.exe
    dRunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"
    dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
    IE: E&xport to Microsoft Excel - d:\progra~1\micros~1\office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - d:\progra~1\micros~1\office12\ONBttnIE.dll
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - d:\progra~1\mi3aa1~1\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - d:\progra~1\mi3aa1~1\INetRepl.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~1\office12\REFIEBAR.DLL
    Trusted Zone: intuit.com\ttlc
    DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
    DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - d:\program files\microsoft office\office12\GrooveSystemServices.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: GootkitSSO - {16B6C9E4-B1BA-4128-B0C7-7414B24B3363} - d:\windows\system32\msxsltsso.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - d:\program files\microsoft office\office12\GrooveShellExtensions.dll

    ================= FIREFOX ===================

    FF - ProfilePath - d:\docume~1\kellie\applic~1\mozilla\firefox\profiles\tfjg2d48.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
    FF - prefs.js: keyword.URL - hxxps://www.mypoints.com/emp/u/mysearch.vm?st=mypWeb&fctb.dns=1&q=
    FF - component: d:\documents and settings\kellie\application data\mozilla\firefox\profiles\tfjg2d48.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\FFExternalAlert.dll
    FF - component: d:\documents and settings\kellie\application data\mozilla\firefox\profiles\tfjg2d48.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\RadioWMPCore.dll
    FF - plugin: d:\documents and settings\kellie\application data\facebook\npfbplugin_1_0_1.dll
    FF - plugin: d:\program files\mozilla firefox\plugins\NPcol400.dll
    FF - plugin: d:\program files\mozilla firefox\plugins\npCouponPrinter.dll
    FF - plugin: d:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - d:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    d:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    d:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    d:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    d:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    d:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    d:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    d:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    d:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    d:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    d:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    d:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    d:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    d:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    S4 Amazon Download Agent;Amazon Download Agent;d:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2009-8-27 297472]

    =============== Created Last 30 ================

    2010-05-02 00:04:48 0 d-----w- d:\windows\system32\appmgmt
    2010-04-27 20:40:07 148 ----a-w- d:\documents and settings\kellie\Video.lnk
    2010-04-27 20:40:07 148 ----a-w- d:\documents and settings\kellie\Pictures.lnk
    2010-04-27 20:40:07 148 ----a-w- d:\documents and settings\kellie\Passwords.lnk
    2010-04-27 20:40:07 148 ----a-w- d:\documents and settings\kellie\New Folder.lnk
    2010-04-27 20:40:07 148 ----a-w- d:\documents and settings\kellie\Music.lnk
    2010-04-27 20:40:07 148 ----a-w- d:\documents and settings\kellie\Documents.lnk
    2010-04-27 20:40:07 124 --sh--r- d:\documents and settings\kellie\autorun.inf
    2010-04-27 02:09:22 49152 --sh--r- d:\documents and settings\kellie\yoayo.scr
    2010-04-27 02:09:22 49152 --sh--r- d:\documents and settings\kellie\yoayo.exe
    2010-04-27 00:19:28 0 d-----w- d:\windows\system32\wbem\Repository
    2010-04-27 00:19:00 0 d-----w- d:\program files\Symantec AntiVirus
    2010-04-27 00:18:52 0 d-----w- d:\program files\Yahoo! Games
    2010-04-27 00:13:56 42496 ----a-w- d:\windows\system32\msxsltsso.dll
    2010-04-27 00:10:20 49664 ----a-w- d:\windows\system32\pragmabbr.dll
    2010-04-27 00:10:20 1162 ----a-w- d:\docume~1\alluse~1\applic~1\pragmamfeklnmal.dll
    2010-04-27 00:10:19 49664 ----a-w- d:\windows\system32\pragmaserf.dll
    2010-04-27 00:06:11 144 ----a-w- d:\windows\system32\PRAGMAsrcr.dat
    2010-04-27 00:06:10 0 d-----w- d:\windows\PRAGMAobdutiompe
    2010-04-27 00:05:28 182912 ----a-w- d:\windows\system32\dllcache\ndis.sys
    2010-04-27 00:03:37 65024 ----a-w- d:\windows\system32\h7t.wt
    2010-04-27 00:03:37 32768 ----a-w- d:\windows\system32\hgtd.ruy
    2010-04-27 00:03:33 317440 ----a-w- d:\windows\system32\cooper.mine
    2010-04-27 00:03:13 0 d-----w- d:\windows\system32\lowsec
    2010-04-26 21:27:20 0 d-----w- d:\docume~1\kellie\applic~1\.clamwin
    2010-04-26 21:26:52 0 d-----w- d:\program files\ClamWin
    2010-04-26 21:26:52 0 d-----w- d:\documents and settings\all users\.clamwin
    2010-04-26 21:20:28 0 d-----w- d:\program files\Malwarebytes' Anti-Malware
    2010-04-26 21:20:28 0 d-----w- d:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-04-03 21:51:46 0 d-----w- d:\docume~1\kellie\applic~1\Intuit
    2010-04-03 21:51:41 0 d-----w- d:\program files\common files\AnswerWorks 5.0
    2010-04-03 21:47:03 0 d-----w- d:\program files\common files\Intuit
    2010-04-03 21:46:34 0 d-----w- d:\program files\TurboTax
    2010-04-03 21:46:11 0 d-----w- d:\docume~1\alluse~1\applic~1\Intuit

    ==================== Find3M ====================

    2010-04-27 00:05:28 182912 ----a-w- d:\windows\system32\drivers\ndis.sys

    ============= FINISH: 19:07:20.56 ===============
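A way to read the dds.txt above mechanically, as an added example that is not part of the original post or of the DDS tool: the script parses the file lines of the 'Created Last 30' and 'Find3M' sections and the autostart lines of the 'Pseudo HJT Report', and flags the patterns an analyst would call out in this log: hidden+system files and autorun.inf/.lnk files dropped straight into the profile root, files with extensions that do not belong directly under system32, ndis.sys rewritten in both the drivers directory and the WFP cache within the same minutes, several drops sharing the PRAGMA prefix, SfcDisable set to -99, a Run entry executing from the profile root, and a shell service object DLL created in that same window. The sample lines are copied from the posted log; the system32 extension allowlist and the 15-minute clustering gap are this example's own assumptions.

```python
"""
Triage of the DDS log posted above: the 'Pseudo HJT Report', 'Created Last 30'
and 'Find3M' sections. Added example for this thread, not a tool from the page
or from the DDS author; the rules encode what an analyst looks for in that log.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a subset of the dds.txt lines from the post above.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
mWinlogon: SfcDisable=-99 (0xffffff9d)
uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
uRun: [yoayo] d:\documents and settings\kellie\yoayo.exe
SSODL: GootkitSSO - {16B6C9E4-B1BA-4128-B0C7-7414B24B3363} - d:\windows\system32\msxsltsso.dll
=============== Created Last 30 ================
2010-05-02 00:04:48 0 d-----w- d:\windows\system32\appmgmt
2010-04-27 20:40:07 148 ----a-w- d:\documents and settings\kellie\Passwords.lnk
2010-04-27 20:40:07 124 --sh--r- d:\documents and settings\kellie\autorun.inf
2010-04-27 02:09:22 49152 --sh--r- d:\documents and settings\kellie\yoayo.exe
2010-04-27 00:13:56 42496 ----a-w- d:\windows\system32\msxsltsso.dll
2010-04-27 00:10:20 49664 ----a-w- d:\windows\system32\pragmabbr.dll
2010-04-27 00:10:19 49664 ----a-w- d:\windows\system32\pragmaserf.dll
2010-04-27 00:06:11 144 ----a-w- d:\windows\system32\PRAGMAsrcr.dat
2010-04-27 00:06:10 0 d-----w- d:\windows\PRAGMAobdutiompe
2010-04-27 00:05:28 182912 ----a-w- d:\windows\system32\dllcache\ndis.sys
2010-04-27 00:03:37 65024 ----a-w- d:\windows\system32\h7t.wt
2010-04-27 00:03:33 317440 ----a-w- d:\windows\system32\cooper.mine
2010-04-27 00:03:13 0 d-----w- d:\windows\system32\lowsec
2010-04-26 21:26:52 0 d-----w- d:\program files\ClamWin
==================== Find3M ====================
2010-04-27 00:05:28 182912 ----a-w- d:\windows\system32\drivers\ndis.sys
"""

# DDS file line: timestamp, size, 8-character attribute field (d=dir, s=system, h=hidden), path.
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+([dshawr-]{8})\s+(.+)$")
PROFILE_ROOT = re.compile(r"^[a-z]:\\documents and settings\\[^\\]+\\[^\\]+$")
# Assumed allowlist: extensions normally found directly under \windows\system32 on XP.
SYSTEM32_EXTS = {"dll", "exe", "sys", "ocx", "drv", "ax", "cpl", "dat", "ini", "log", "txt",
                 "nls", "tlb", "scr", "com", "acm", "msc", "mui", "xml", "cat", "inf", "ime"}

def parse_files(text):
    """(timestamp, size, attribute field, lower-cased path) for each DDS file line."""
    out = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            out.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                        int(m.group(2)), m.group(3), m.group(4).lower()))
    return out

def burst_window(files, gap=timedelta(minutes=15)):
    """Largest cluster of creation times with no gap over `gap`: the likely infection window."""
    best, cur = [], []
    for t in sorted(f[0] for f in files):
        if cur and t - cur[-1] > gap:
            cur = []
        cur.append(t)
        if len(cur) > len(best):
            best = cur[:]
    return (best[0], best[-1]) if best else None

def triage(text):
    """Return a list of (rule, detail) findings for a DDS log."""
    files = parse_files(text)
    window = burst_window(files)
    findings, by_prefix = [], defaultdict(list)
    if window:
        findings.append(("burst-window", f"{window[0]:%Y-%m-%d %H:%M:%S} .. {window[1]:%H:%M:%S}"))
    for ts, _size, attrs, path in files:
        is_dir = attrs[0] == "d"
        name = path.rsplit("\\", 1)[-1]
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        in_window = bool(window) and window[0] <= ts <= window[1]
        # 1. hidden+system files, or autorun.inf/.lnk, dropped straight into a profile
        #    root: the copy-of-self-plus-autorun layout of a removable-media worm.
        if not is_dir and PROFILE_ROOT.match(path):
            if "h" in attrs and "s" in attrs:
                findings.append(("hidden-system-drop", path))
            elif name == "autorun.inf" or ext == "lnk":
                findings.append(("profile-root-autorun-or-lnk", path))
        # 2. a file directly under system32 with an extension that does not belong there.
        if (not is_dir and "\\windows\\system32\\" in path and path.count("\\") == 3
                and ext not in SYSTEM32_EXTS):
            findings.append(("odd-ext-system32", path))
        # 3. a driver rewritten inside the window, both the live copy and the WFP
        #    cache (dllcache), so that Windows File Protection will not restore it.
        if in_window and ext == "sys" and ("\\drivers\\" in path or "\\dllcache\\" in path):
            findings.append(("driver-rewritten-in-window", path))
        # 4. several drops under \windows sharing one random-looking prefix
        #    (heuristic: legitimately related files can share a prefix too).
        if in_window and "\\windows\\" in path:
            by_prefix[name[:6]].append(path)
    for prefix, paths in by_prefix.items():
        if len(paths) >= 3:
            findings.extend(("shared-prefix", f"{prefix}: {p}") for p in paths)
    # Pseudo HJT section: cross-check the autostarts against the files above.
    created = {f[3] for f in files}
    for line in text.splitlines():
        line = line.strip()
        if re.match(r"^mWinlogon: SfcDisable=-99\b", line):   # 0xffffff9d: WFP switched off
            findings.append(("wfp-disabled", line))
        m = re.match(r"^[umd]Run: \[[^\]]+\] \"?([^\"]+)", line)
        if m and PROFILE_ROOT.match(m.group(1).strip().lower()):
            findings.append(("autostart-from-profile-root", m.group(1).strip()))
        m = re.match(r"^SSODL: .* - ([a-z]:\\\S+\.dll)$", line, re.I)
        if m and m.group(1).lower() in created:
            findings.append(("ssodl-dll-created-recently", m.group(1)))
    return findings

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_DDS):
        print(f"{rule:30} {detail}")
```

Run against the full dds.txt the same rules also pick up yoayo.scr, hgtd.ruy and the other .lnk files; the point of the clustering step is that everything written to \windows between 00:03 and 00:14 on 04-27 is one event, which is what makes the ndis.sys rewrite and the PRAGMA drops part of the same finding rather than separate curiosities.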
     
  5. 2010/05/01
    jmooney5115

    jmooney5115 Inactive Thread Starter

    Joined:
    2010/04/27
    Messages:
    22
    Likes Received:
    0
    attach.txt (I double posted dds.txt)

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 2/15/2009 11:45:49 AM
    System Uptime: 5/1/2010 2:01:36 PM (5 hours ago)

    Motherboard: Dell Inc. | | 0KD882
    Processor: Genuine Intel(R) CPU T2400 @ 1.83GHz | Microprocessor | 1828/133mhz
    Processor: Genuine Intel(R) CPU T2400 @ 1.83GHz | Microprocessor | 1828/133mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 81 GiB total, 37.525 GiB free.
    D: is FIXED (NTFS) - 26 GiB total, 10.52 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Modem Device on High Definition Audio Bus
    Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_2BFA&SUBSYS_14F100C3&REV_0900\4&2973568E&0&0102
    Manufacturer:
    Name: Modem Device on High Definition Audio Bus
    PNP Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_2BFA&SUBSYS_14F100C3&REV_0900\4&2973568E&0&0102
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Base System Device
    Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_01BD1028&REV_01\4&2FE911E8&0&0AF0
    Manufacturer:
    Name: Base System Device
    PNP Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_01BD1028&REV_01\4&2FE911E8&0&0AF0
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Base System Device
    Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_01BD1028&REV_0A\4&2FE911E8&0&0BF0
    Manufacturer:
    Name: Base System Device
    PNP Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_01BD1028&REV_0A\4&2FE911E8&0&0BF0
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Base System Device
    Device ID: PCI\VEN_1180&DEV_0852&SUBSYS_01BD1028&REV_05\4&2FE911E8&0&0CF0
    Manufacturer:
    Name: Base System Device
    PNP Device ID: PCI\VEN_1180&DEV_0852&SUBSYS_01BD1028&REV_05\4&2FE911E8&0&0CF0
    Service:

    ==== System Restore Points ===================

    RP140: 5/1/2010 7:01:57 PM - System Checkpoint
    RP141: 5/1/2010 7:02:06 PM - Removed Symantec AntiVirus

    ==== Installed Programs ======================


    ABBYY FineReader 5.0 Sprint
    Adobe Bridge 1.0
    Adobe Common File Installer
    Adobe Flash Player 10 Plugin
    Adobe Help Center 1.0
    Adobe Photoshop CS2
    Adobe Reader 7.0.5
    Adobe Stock Photos 1.0
    Amazon Games & Software Downloader
    Amazon MP3 Downloader 1.0.5
    Apple Application Support
    Apple Software Update
    Big Kahuna Reef
    Bonjour
    BootSkin
    Coupon Printer for Windows
    Dell Photo Printer 720
    Driver Magician 3.0
    Facebook Plug-In
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB909394)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB976098-v2)
    Intel(R) Graphics Media Accelerator Driver
    iTunes
    Java(TM) 6 Update 12
    Lexmark X1100 Series
    LiveUpdate 2.0 (Symantec Corporation)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft ActiveSync
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Mozilla Firefox (3.6.3)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB973686)
    Notepad++
    QuickTime
    QuickTime Alternative 1.67
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB973704)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft Office Excel 2007 (KB973593)
    Security Update for Microsoft Office Outlook 2007 (KB972363)
    Security Update for Microsoft Office PowerPoint 2007 (KB957789)
    Security Update for Microsoft Office Publisher 2007 (KB969693)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB969613)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB969604)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB944338-v2)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971032)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974455)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB976325)
    Software Update for Web Folders
    Text Twist (remove only)
    TurboTax 2009
    TurboTax 2009 waliper
    TurboTax 2009 WinPerFedFormset
    TurboTax 2009 WinPerReleaseEngine
    TurboTax 2009 WinPerTaxSupport
    TurboTax 2009 wrapper
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office InfoPath 2007 (KB976416)
    Update for Outlook 2007 Junk Email Filter (kb977839)
    Update for Windows XP (KB925720)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB976749)
    VLC media player 0.9.9
    Windows Genuine Advantage Notifications (KB905474)
    Windows Imaging Component
    Windows Media Player 10 Hotfix - KB894476
    Windows Media Player Firefox Plugin
    Windows Presentation Foundation
    WinRAR archiver
    XML Paper Specification Shared Components Pack 1.0

    ==== Event Viewer Messages From Past Week ========

    4/28/2010 11:19:49 PM, error: DCOM [10001] - Unable to start a DCOM Server: {5D6A9C42-1859-4806-8A77-ED6767F96EA9} as ./lxbk_AEA95DDF0182449. The error: "%1450" Happened while starting this command: D:\WINDOWS\system32\lxbklsnt.exe -Embedding
    4/27/2010 7:37:54 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    4/27/2010 7:37:35 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm ohci1394 SAVRT SYMTDI
    4/27/2010 6:50:05 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SAVRT
    4/27/2010 6:50:04 PM, error: SAVRT [20] -
    4/27/2010 6:50:03 PM, error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    4/27/2010 6:43:06 PM, error: DCOM [10000] - Unable to start a DCOM Server: {7EA9A8FA-F5D2-49E1-99E8-C26EE07FCEEB}. The error: "%1450" Happened while starting this command: D:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\OFFICE~1\SETUP.EXE -Embedding
    4/27/2010 6:30:12 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000009A' while processing the file 'change.log' on the volume 'HarddiskVolume3'. It has stopped monitoring the volume.
    4/27/2010 6:07:38 PM, error: Service Control Manager [7023] - The Symantec AntiVirus service terminated with the following error: The environment is incorrect.
    4/27/2010 6:03:12 PM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume D:.
    4/27/2010 5:07:09 PM, error: HTTP [15012] - Unable to write to the error log file. Disk may be full. The data field contains the error number.
    4/27/2010 3:22:18 PM, error: Dhcp [1008] - Your computer was unable to initialize a Network Interface attached to the system. The error code is: A device attached to the system is not functioning. .
    4/26/2010 8:32:35 PM, error: DCOM [10000] - Unable to start a DCOM Server: {98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C}. The error: "%1450" Happened while starting this command: "D:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe" /PDFShell -Embedding
    4/26/2010 7:18:29 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    4/26/2010 10:44:11 PM, error: HTTP [15005] - Unable to bind to the underlying transport for 0.0.0.0:2869. The IP Listen-Only list may contain a reference to an interface which may not exist on this machine. The data field contains the error number.

    ==== End Of File ===========================
     
  6. 2010/05/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download and run the tool below, named Rkill (courtesy of BleepingComputer.com), which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe


    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7, right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * If not, delete the file, then download and use the one provided in Link 2.
    * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    * If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, try to run the following immediately.

    Now download and run exeHelper.


    * Please download exeHelper from Raktor to your desktop.
    * Double-click on exeHelper.com to run the fix.
    * A black window should pop up; press any key to close once the fix is completed.
    * A log file named log.txt will be created in the directory where you ran exeHelper.com.
    * Attach the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log, and post the two logs together (they will both be in the one file).

    =================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


    Download HijackThis:
    http://free.antivirus.com/hijackthis/
    by clicking on Installer under Version 2.0.4
    Install, and run it.
    Post the HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
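The exeHelper step above resets the .exe and .com file associations and the Winlogon Userinit/Shell values, which are the usual targets when "nothing will run" or processes cannot be ended. The following is an added example, not exeHelper's own code, that verifies those values (plus the Task Manager and Registry Editor lockout policies) from a regedit export against their Windows XP defaults, so the reset can be checked offline from a .reg file. Both exports below are constructed for the example, and the hijack.exe path in the second one is a placeholder, not an artefact from this thread.

```python
"""
Check of the registry values exeHelper resets (the .exe/.com 'open' command,
Winlogon Shell/Userinit) plus the Task Manager / Registry Editor lockout
policies, against their Windows XP defaults, read from a regedit 5.00 export so
the check runs offline. Added example, not exeHelper's code; both exports are
constructed and the hijack.exe path is a placeholder, not from this thread.
"""
import re

# What a clean XP box has. Userinit may live on any drive (D:\WINDOWS on this machine).
XP_DEFAULTS = {
    r"hkey_classes_root\exefile\shell\open\command": {"@": re.compile(r'^"%1" %\*$')},
    r"hkey_classes_root\comfile\shell\open\command": {"@": re.compile(r'^"%1" %\*$')},
    r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon": {
        "shell": re.compile(r"^explorer\.exe$", re.I),
        "userinit": re.compile(r"^[a-z]:\\windows\\system32\\userinit\.exe,?$", re.I),
    },
}
# Policies that, when set to 1, keep the user out of Task Manager and regedit.
LOCKOUT_POLICIES = {
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\system":
        {"disabletaskmgr", "disableregistrytools"},
}

# Constructed export of a clean machine.
SAMPLE_CLEAN = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="D:\\WINDOWS\\system32\\userinit.exe,"
'''

# Constructed export with the .exe association and Userinit hijacked and Task
# Manager disabled; hijack.exe is a placeholder name.
SAMPLE_HIJACKED = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"D:\\Documents and Settings\\user\\hijack.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="D:\\WINDOWS\\system32\\userinit.exe,D:\\Documents and Settings\\user\\hijack.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000
'''

# A value line: either the default value (@) or a quoted name, then '=' and the data.
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')

def unescape(s):
    """regedit escapes backslash and double quote inside REG_SZ data with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Parse a regedit export into {key_lower: {value_name_lower: data}}; REG_SZ -> str, REG_DWORD -> int."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name = "@" if m.group(1) == "@" else unescape(m.group(2)).lower()
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        else:
            keys[current][name] = data   # other types kept raw; not needed for these checks
    return keys

def check(text):
    """Return (key, value_name, data, problem) for every value that is off the XP default."""
    keys = parse_reg(text)
    problems = []
    for key, expected in XP_DEFAULTS.items():
        for name, pattern in expected.items():
            data = keys.get(key, {}).get(name)
            if data is None:
                problems.append((key, name, None, "missing from export"))
            elif not isinstance(data, str) or not pattern.match(data):
                problems.append((key, name, data, "does not match the XP default"))
    for key, names in LOCKOUT_POLICIES.items():
        for name, data in keys.get(key, {}).items():
            if name in names and data == 1:
                problems.append((key, name, data, "lockout policy set"))
    return problems

if __name__ == "__main__":
    for sample in (SAMPLE_CLEAN, SAMPLE_HIJACKED):
        print(check(sample) or "all values at XP defaults")
```

To use it on a real machine, export the four keys with regedit (File > Export, or `reg export` on a later Windows) and feed the file's text to `check()`; an empty list means exeHelper's resets held, and a `userinit` entry with anything after the trailing comma is the classic sign that something is still launching at logon.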
     
  7. 2010/05/02
    jmooney5115

    jmooney5115 Inactive Thread Starter

    Joined:
    2010/04/27
    Messages:
    22
    Likes Received:
    0
    exeHelper log
    exeHelper by Raktor
    Build 20100414
    Run at 11:23:59 on 05/02/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    rKill log
    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.
    Ran as Kellie on 05/02/2010 at 11:22:44.


    Processes terminated by Rkill or while it was running:


    D:\Documents and Settings\Kellie\yoayo.exe
    D:\Documents and Settings\Kellie\My Documents\Downloads\rkill.scr

    Rkill completed on 05/02/2010 at 11:22:46.


    Combofix log
    ComboFix 10-05-01.04 - Kellie 05/02/2010 11:37:00.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.748 [GMT -5:00]
    Running from: d:\documents and settings\Kellie\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    D:\desktop.ini
    d:\documents and settings\All Users\Application Data\pragmamfeklnmal.dll
    d:\documents and settings\All Users\Favorites\_favdata.dat
    d:\documents and settings\Kellie\autorun.inf
    d:\documents and settings\Kellie\Local Settings\Temporary Internet Files\3max7y085.jpg
    d:\documents and settings\Kellie\Local Settings\Temporary Internet Files\4X2NB2p77.jpg
    d:\documents and settings\Kellie\Local Settings\Temporary Internet Files\MyY6BK1L.jpg
    d:\documents and settings\Kellie\Local Settings\Temporary Internet Files\NPXKY7myX.jpg
    d:\documents and settings\Kellie\yoayo.exe
    d:\documents and settings\Kellie\yoayo.scr
    d:\program files\WindowsUpdate
    d:\recycler\S-1-5-21-2229576367-1391792426-2723360822-1006
    d:\windows\PRAGMAobdutiompe
    d:\windows\PRAGMAobdutiompe\PRAGMAc.dll
    d:\windows\PRAGMAobdutiompe\PRAGMAcfg.ini
    d:\windows\system32\BSTIEPrintCtl1.dll
    d:\windows\system32\cooper.mine
    d:\windows\system32\lowsec
    d:\windows\system32\msxsltsso.dll
    d:\windows\system32\pragmabbr.dll
    d:\windows\system32\pragmaserf.dll
    d:\windows\system32\PRAGMAsrcr.dat
    d:\windows\system32\spool\prtprocs\w32x86\00005a5d.tmp
    d:\windows\system32\winstartup.log
    d:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
    d:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job

    d:\windows\system32\drivers\ndis.sys . . . is infected!!

    .
    ((((((((((((((((((((((((( Files Created from 2010-04-02 to 2010-05-02 )))))))))))))))))))))))))))))))
    .

    2010-05-02 00:12 . 2010-05-02 00:14 -------- d-----w- d:\documents and settings\Kellie\Application Data\FileZilla
    2010-05-02 00:12 . 2010-05-02 00:12 -------- d-----w- d:\program files\FileZilla FTP Client
    2010-04-28 00:37 . 2006-12-11 15:20 180224 ----a-w- d:\documents and settings\Kellie\Application Data\U3\0000187DA573B173\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\U3AppWrapper.exe
    2010-04-28 00:37 . 2006-12-11 15:20 72192 ----a-w- d:\documents and settings\Kellie\Application Data\U3\0000187DA573B173\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\TASKLIST.EXE
    2010-04-28 00:37 . 2006-12-11 15:20 72192 ----a-w- d:\documents and settings\Kellie\Application Data\U3\0000187DA573B173\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\TASKKILL.EXE
    2010-04-27 00:19 . 2010-04-27 00:19 -------- d-----w- d:\windows\system32\wbem\Repository
    2010-04-27 00:19 . 2010-05-02 00:02 -------- d-----w- d:\program files\Symantec AntiVirus
    2010-04-27 00:18 . 2010-04-27 00:18 -------- d-----w- d:\program files\Yahoo! Games
    2010-04-27 00:05 . 2010-04-27 00:05 212736 ----a-w- d:\windows\system32\dllcache\ndis.sys
    2010-04-26 21:27 . 2010-04-26 21:28 -------- d-----w- d:\documents and settings\Kellie\Application Data\.clamwin
    2010-04-26 21:26 . 2010-04-27 00:18 -------- d-----w- d:\program files\ClamWin
    2010-04-26 21:26 . 2010-04-27 00:18 -------- d-----w- d:\documents and settings\All Users\.clamwin
    2010-04-26 21:20 . 2010-04-27 00:18 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
    2010-04-26 21:20 . 2010-04-26 21:20 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
    2010-04-18 20:24 . 2010-04-18 21:23 -------- d-----w- d:\documents and settings\Kellie\Application Data\Notepad++
    2010-04-18 20:24 . 2010-04-18 20:24 -------- d-----w- d:\program files\Notepad++
    2010-04-03 22:59 . 2010-04-06 20:45 2352 ----a-w- d:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2010-04-03 21:53 . 2010-04-03 21:53 -------- d-----w- d:\documents and settings\Kellie\Local Settings\Application Data\Intuit
    2010-04-03 21:51 . 2010-04-03 21:51 -------- d-----w- d:\documents and settings\Kellie\Application Data\Intuit
    2010-04-03 21:51 . 2010-04-03 21:51 -------- d-----w- d:\program files\Common Files\AnswerWorks 5.0
    2010-04-03 21:47 . 2010-04-03 21:47 -------- d-----w- d:\documents and settings\Kellie\Local Settings\Application Data\IsolatedStorage
    2010-04-03 21:47 . 2010-04-03 21:51 -------- d-----w- d:\program files\Common Files\Intuit
    2010-04-03 21:46 . 2010-04-03 21:46 -------- d-----w- d:\program files\TurboTax
    2010-04-03 21:46 . 2010-04-03 21:48 -------- d-----w- d:\documents and settings\All Users\Application Data\Intuit

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-02 00:06 . 2009-10-01 14:37 -------- d-----w- d:\program files\Common Files\Apple
    2010-05-02 00:02 . 2009-02-16 00:45 -------- d-----w- d:\program files\Symantec
    2010-05-02 00:02 . 2009-02-16 00:45 -------- d-----w- d:\program files\Common Files\Symantec Shared
    2010-05-02 00:02 . 2009-02-16 00:45 -------- d-----w- d:\documents and settings\All Users\Application Data\Symantec
    2010-04-28 00:37 . 2009-02-16 00:43 -------- d-----w- d:\documents and settings\Kellie\Application Data\U3
    2010-04-27 00:05 . 2006-01-13 01:23 212736 ----a-w- d:\windows\system32\drivers\ndis.sys
    2010-04-06 20:44 . 2009-08-20 12:23 -------- d-----w- d:\program files\Lexmark X1100 Series
    2010-04-03 21:53 . 2009-09-11 20:29 68688 ----a-w- d:\documents and settings\Kellie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-25 13:35 . 2009-08-25 12:57 -------- d-----w- d:\program files\Microsoft Silverlight
    2010-03-22 21:34 . 2009-06-15 19:43 -------- d-----w- d:\program files\Coupons
    2010-03-22 20:57 . 2009-12-01 18:15 423464 ----a-w- d:\documents and settings\Kellie\Application Data\E-centives\BSTIEPrintCtl1.dll
    2010-03-17 00:24 . 2010-03-17 00:24 -------- d-----w- d:\documents and settings\All Users\Application Data\Trymedia
    2010-03-10 02:07 . 2010-03-07 21:42 -------- d---a-w- d:\documents and settings\All Users\Application Data\TEMP
    2010-03-07 05:53 . 2009-10-01 14:40 -------- d-----w- d:\program files\Bonjour
    2010-03-07 00:02 . 2010-03-07 00:01 -------- d-----w- d:\program files\Microsoft ActiveSync
    2010-03-04 13:24 . 2009-11-24 07:58 79488 ----a-w- d:\documents and settings\Kellie\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2010-02-21 21:08 . 2010-02-21 21:08 50354 ----a-w- d:\documents and settings\Kellie\Application Data\Facebook\uninstall.exe
    2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- d:\documents and settings\Kellie\Application Data\Facebook\axfbootloader.dll
    2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- d:\documents and settings\Kellie\Application Data\Facebook\npfbplugin_1_0_1.dll
    .

    ------- Sigcheck -------

    [-] 2010-04-27 00:05 . 90847AF308BBEA2C84696DEB21F3CE49 . 212736 . . [------] . . d:\windows\system32\drivers\ndis.sys
    [-] 2010-04-27 00:05 . 90847AF308BBEA2C84696DEB21F3CE49 . 212736 . . [------] . . d:\windows\system32\DllCache\ndis.sys
    [-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . d:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ndis.sys

    [-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . d:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
    [-] 2006-01-13 . 2DEACA71A7FD77205F59D48D76B2F565 . 1075200 . . [6.00.2900.2649] . . d:\windows\explorer.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Lexmark X1100 Series "= "d:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-03-28 57344]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "msnsc "= "d:\windows\system32\msnsc.exe" [2006-01-13 62054]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nlsf "= "move" [X]
    "tscuninstall "= "d:\windows\system32\tscupgrd.exe" [2006-01-13 44544]

    [HKLM\~\startupfolder\D:^Documents and Settings^Kellie^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=d:\documents and settings\Kellie\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=d:\windows\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AmazonGSDownloaderTray]
    2009-05-20 13:17 223744 ----a-w- d:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2006-01-13 01:13 15360 ----a-w- d:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 17:44 31072 ----a-w- d:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
    2006-11-13 19:39 1289000 ----a-w- d:\program files\Microsoft ActiveSync\wcescomm.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    2005-12-13 15:41 77824 ----a-w- d:\windows\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    2005-12-13 15:45 118784 ----a-w- d:\windows\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
    2005-12-13 15:44 98304 ----a-w- d:\windows\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2009-09-21 15:36 305440 ----a-w- d:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    2005-12-14 12:13 7095344 ----a-w- d:\program files\MSN Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-09-05 00:54 417792 ----a-w- d:\program files\QuickTime Alternative\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
    2006-03-24 21:30 282624 ----a-w- d:\windows\stsystra.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-08-20 12:14 148888 ----a-w- d:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "RemoteRegistry "=2 (0x2)
    "RDSessMgr "=3 (0x3)
    "RasMan "=3 (0x3)
    "RasAuto "=3 (0x3)
    "lanmanworkstation "=2 (0x2)
    "lanmanserver "=2 (0x2)
    "iPod Service "=3 (0x3)
    "ImapiService "=3 (0x3)
    "FastUserSwitchingCompatibility "=3 (0x3)
    "Apple Mobile Device "=2 (0x2)
    "Amazon Download Agent "=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications "= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "d:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
    "d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "d:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE "=
    "d:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE "=
    "d:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "d:\\Program Files\\iTunes\\iTunes.exe "=
    "d:\\WINDOWS\\system32\\LEXPPS.EXE "=
    "c:\\Program Files\\MATLAB\\R2008a\\bin\\win32\\MATLAB.exe "=
    "d:\program files\Microsoft ActiveSync\rapimgr.exe "= d:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "d:\program files\Microsoft ActiveSync\wcescomm.exe "= d:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "d:\program files\Microsoft ActiveSync\WCESMgr.exe "= d:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP "= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    S3 SavRoam;SAVRoam; "d:\program files\Symantec AntiVirus\SavRoam.exe" --> d:\program files\Symantec AntiVirus\SavRoam.exe [?]
    S4 Amazon Download Agent;Amazon Download Agent;d:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [8/27/2009 5:20 AM 297472]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-05-01 d:\windows\Tasks\AppleSoftwareUpdate.job
    - d:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    Trusted Zone: intuit.com\ttlc
    FF - ProfilePath - d:\documents and settings\Kellie\Application Data\Mozilla\Firefox\Profiles\tfjg2d48.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
    FF - prefs.js: keyword.URL - hxxps://www.mypoints.com/emp/u/mysearch.vm?st=mypWeb&fctb.dns=1&q=
    FF - component: d:\documents and settings\Kellie\Application Data\Mozilla\Firefox\Profiles\tfjg2d48.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\FFExternalAlert.dll
    FF - component: d:\documents and settings\Kellie\Application Data\Mozilla\Firefox\Profiles\tfjg2d48.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\RadioWMPCore.dll
    FF - plugin: d:\documents and settings\Kellie\Application Data\Facebook\npfbplugin_1_0_1.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\NPcol400.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - d:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    d:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.use_native_popup_windows ", false);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.enable_click_image_resizing ", true);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref( "accessibility.browsewithcaret_shortcut.enabled ", true);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref( "javascript.options.mem.high_water_mark ", 32);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref( "javascript.options.mem.gc_frequency ", 1600);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.trackpoint_hack.enabled ", -1);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.debug ", false);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.agedWeight ", 2);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.bucketSize ", 1);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.maxTimeGroupings ", 25);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.timeGroupingSize ", 604800);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.boundaryWeight ", 25);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.prefixWeight ", 5);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref( "html5.enable ", false);
    d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref ", true);
    d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.renego_unrestricted_hosts ", " ");
    d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.treat_unsafe_negotiation_as_broken ", false);
    d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.require_safe_negotiation ", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "app.update.download.backgroundInterval ", 600);
    d:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "app.update.url.manual ", "http://www.firefox.com ");
    d:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-ja ", "mozff ");
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add ", "addons.mozilla.org ");
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add.36 ", "getpersonas.com ");
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "lightweightThemes.update.enabled ", true);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.allTabs.previews ", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "plugins.hide_infobar_for_outdated_plugin ", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "toolbar.customization.usesheet ", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.enable ", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.max ", 20);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.cachetime ", 20);
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-yoayo - d:\documents and settings\Kellie\yoayo.exe
    SSODL-GootkitSSO-{812EC799-F9BF-4977-A79E-BD2ED5A99A64} - d:\windows\System32\msxsltsso.dll
    MSConfigStartUp-ccApp - d:\program files\Common Files\Symantec Shared\ccApp.exe
    MSConfigStartUp-vptray - d:\progra~1\SYMANT~1\VPTray.exe
    MSConfigStartUp-yoayo - d:\documents and settings\Kellie\yoayo.exe
    AddRemove-Big Kahuna Reef_is1 - d:\program files\Big Kahuna Reef\unins000.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-05-02 11:41
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-05-02 11:42:51
    ComboFix-quarantined-files.txt 2010-05-02 16:42

    Pre-Run: 11,312,406,528 bytes free
    Post-Run: 11,675,983,872 bytes free

    - - End Of File - - 0D50915F3D9639FE853E692BD6687790
     
  8. 2010/05/02
    jmooney5115

    jmooney5115 Inactive Thread Starter

    Joined:
    2010/04/27
    Messages:
    22
    Likes Received:
    0
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:45:48 AM, on 5/2/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\LEXBCES.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\system32\LEXPPS.EXE
    D:\Program Files\Bonjour\mDNSResponder.exe
    D:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    D:\Program Files\Java\jre6\bin\jqs.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\explorer.exe
    D:\Documents and Settings\Kellie\Desktop\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe "
    O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe "
    O4 - HKUS\S-1-5-18\..\Run: [msnsc] D:\WINDOWS\system32\msnsc.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [msnsc] D:\WINDOWS\system32\msnsc.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v57/wof/wof.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
    O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - D:\Program Files\Symantec AntiVirus\DefWatch.exe (file missing)
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - D:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: SAVRoam (SavRoam) - Unknown owner - D:\Program Files\Symantec AntiVirus\SavRoam.exe (file missing)
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
    O23 - Service: Symantec AntiVirus - Unknown owner - D:\Program Files\Symantec AntiVirus\Rtvscan.exe (file missing)

    --
    End of file - 5751 bytes
     
  9. 2010/05/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    
    Folder::
    
    FCopy::
    d:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ndis.sys | d:\windows\system32\drivers\ndis.sys
    d:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ndis.sys | d:\windows\system32\DllCache\ndis.sys
    
    
    Driver::
    
    Registry::
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nlsf"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications"=dword:00000000
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"=-
    
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [image: animation showing CFScript.txt being dragged onto ComboFix.exe]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     
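Added example (not part of this thread, and not ComboFix's own code): a small Python parser for the Sigcheck block in the ComboFix log above, applying the same check the helper used on ndis.sys. The live driver carries no version resource ("[------]") and an MD5 that differs from the copy Windows Update left under SoftwareDistribution, so the update copy becomes the replacement source, and the script renders the matching FCopy:: lines for a CFScript. The field layout of a Sigcheck line is assumed from the lines quoted in this thread; the sample log is copied from them.

```python
"""Flag patched system files in a ComboFix 'Sigcheck' section.

Heuristic (the one applied in this thread): a live copy of a system file that
has lost its version resource and whose MD5 differs from the copy Windows
Update downloaded is treated as patched, and the update copy is proposed as
the restore source. A hash difference alone is NOT flagged, since two clean
versions of a file naturally differ (see explorer.exe below).
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Layout assumed from the log lines in this thread:
# [-] <date> [time] . <MD5> . <size> . . [<version>] . . <path>
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]])\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2}(?:\s\d{2}:\d{2})?)\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+"
    r"(?P<path>\S.*?)\s*$"
)


@dataclass
class SigEntry:
    flag: str
    md5: str
    size: int
    version: str  # "" when the file carries no version resource
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def is_reference(self) -> bool:
        # Copies downloaded by Windows Update serve as the comparison point.
        return "\\softwaredistribution\\" in self.path.lower()


@dataclass
class Finding:
    suspect: SigEntry
    reference: SigEntry


def parse_sigcheck(text: str) -> list[SigEntry]:
    """Parse every Sigcheck line in `text`; lines of other shapes are skipped."""
    entries: list[SigEntry] = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        version = m["version"].strip("-").strip()  # "[------]" -> ""
        entries.append(SigEntry(m["flag"], m["md5"].upper(), int(m["size"]),
                                version, m["path"]))
    return entries


def find_patched_files(entries: list[SigEntry]) -> list[Finding]:
    """Group entries by file name and apply the no-version + hash-mismatch rule."""
    by_name: dict[str, list[SigEntry]] = defaultdict(list)
    for e in entries:
        by_name[e.name].append(e)
    findings: list[Finding] = []
    for group in by_name.values():
        refs = [e for e in group if e.is_reference and e.version]
        if not refs:
            continue  # nothing trustworthy to compare against
        ref = refs[0]
        for e in group:
            if not e.is_reference and not e.version and e.md5 != ref.md5:
                findings.append(Finding(e, ref))
    return findings


def fcopy_lines(findings: list[Finding]) -> list[str]:
    """Render the 'source | destination' lines of a CFScript FCopy:: section."""
    return [f"{f.reference.path} | {f.suspect.path}" for f in findings]


# Sample input: the Sigcheck block from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
------- Sigcheck -------

[-] 2010-04-27 00:05 . 90847AF308BBEA2C84696DEB21F3CE49 . 212736 . . [------] . . d:\windows\system32\drivers\ndis.sys
[-] 2010-04-27 00:05 . 90847AF308BBEA2C84696DEB21F3CE49 . 212736 . . [------] . . d:\windows\system32\DllCache\ndis.sys
[-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . d:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ndis.sys

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . d:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
[-] 2006-01-13 . 2DEACA71A7FD77205F59D48D76B2F565 . 1075200 . . [6.00.2900.2649] . . d:\windows\explorer.exe
"""

if __name__ == "__main__":
    found = find_patched_files(parse_sigcheck(SAMPLE_LOG))
    for f in found:
        print(f"suspect: {f.suspect.path}  (no version info, md5 {f.suspect.md5})")
        print(f"  restore from: {f.reference.path}  [{f.reference.version}]")
    print("FCopy::")
    print("\n".join(fcopy_lines(found)))
```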
  10. 2010/05/03
    jmooney5115

    jmooney5115 Inactive Thread Starter

    Joined:
    2010/04/27
    Messages:
    22
    Likes Received:
    0
    Thanks for your help. Do I need to install GMER to remove the rootkit? The HijackThis and ComboFix logs are below, completed per your instructions.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 12:04:59 AM, on 5/3/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\LEXBCES.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\system32\LEXPPS.EXE
    D:\Program Files\Bonjour\mDNSResponder.exe
    D:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    D:\Program Files\Java\jre6\bin\jqs.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\wscntfy.exe
    D:\WINDOWS\explorer.exe
    D:\Documents and Settings\Kellie\Desktop\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe "
    O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe "
    O4 - HKUS\S-1-5-18\..\Run: [msnsc] D:\WINDOWS\system32\msnsc.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [msnsc] D:\WINDOWS\system32\msnsc.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v57/wof/wof.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
    O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - D:\Program Files\Symantec AntiVirus\DefWatch.exe (file missing)
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - D:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: SAVRoam (SavRoam) - Unknown owner - D:\Program Files\Symantec AntiVirus\SavRoam.exe (file missing)
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
    O23 - Service: Symantec AntiVirus - Unknown owner - D:\Program Files\Symantec AntiVirus\Rtvscan.exe (file missing)

    --
    End of file - 5453 bytes



    --------------------------------------------------------------------------


    ComboFix 10-05-01.04 - Kellie 05/02/2010 23:59:09.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.751 [GMT -5:00]
    Running from: d:\documents and settings\Kellie\Desktop\ComboFix.exe
    Command switches used :: d:\documents and settings\Kellie\Desktop\CFScript.txt
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    d:\windows\system32\msxsltsso.dll

    d:\windows\system32\drivers\ndis.sys . . . is infected!!

    .
    ((((((((((((((((((((((((( Files Created from 2010-04-03 to 2010-05-03 )))))))))))))))))))))))))))))))
    .

    2010-05-02 00:12 . 2010-05-02 00:14 -------- d-----w- d:\documents and settings\Kellie\Application Data\FileZilla
    2010-05-02 00:12 . 2010-05-02 00:12 -------- d-----w- d:\program files\FileZilla FTP Client
    2010-04-28 00:37 . 2006-12-11 15:20 180224 ----a-w- d:\documents and settings\Kellie\Application Data\U3\0000187DA573B173\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\U3AppWrapper.exe
    2010-04-28 00:37 . 2006-12-11 15:20 72192 ----a-w- d:\documents and settings\Kellie\Application Data\U3\0000187DA573B173\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\TASKLIST.EXE
    2010-04-28 00:37 . 2006-12-11 15:20 72192 ----a-w- d:\documents and settings\Kellie\Application Data\U3\0000187DA573B173\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\TASKKILL.EXE
    2010-04-27 00:19 . 2010-04-27 00:19 -------- d-----w- d:\windows\system32\wbem\Repository
    2010-04-27 00:19 . 2010-05-02 00:02 -------- d-----w- d:\program files\Symantec AntiVirus
    2010-04-27 00:18 . 2010-04-27 00:18 -------- d-----w- d:\program files\Yahoo! Games
    2010-04-27 00:05 . 2010-04-27 00:05 212736 ----a-w- d:\windows\system32\dllcache\ndis.sys
    2010-04-26 21:27 . 2010-04-26 21:28 -------- d-----w- d:\documents and settings\Kellie\Application Data\.clamwin
    2010-04-26 21:26 . 2010-04-27 00:18 -------- d-----w- d:\program files\ClamWin
    2010-04-26 21:26 . 2010-04-27 00:18 -------- d-----w- d:\documents and settings\All Users\.clamwin
    2010-04-26 21:20 . 2010-04-27 00:18 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
    2010-04-26 21:20 . 2010-04-26 21:20 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
    2010-04-18 20:24 . 2010-04-18 21:23 -------- d-----w- d:\documents and settings\Kellie\Application Data\Notepad++
    2010-04-18 20:24 . 2010-04-18 20:24 -------- d-----w- d:\program files\Notepad++
    2010-04-03 22:59 . 2010-04-06 20:45 2352 ----a-w- d:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2010-04-03 21:53 . 2010-04-03 21:53 -------- d-----w- d:\documents and settings\Kellie\Local Settings\Application Data\Intuit
    2010-04-03 21:51 . 2010-04-03 21:51 -------- d-----w- d:\documents and settings\Kellie\Application Data\Intuit
    2010-04-03 21:51 . 2010-04-03 21:51 -------- d-----w- d:\program files\Common Files\AnswerWorks 5.0
    2010-04-03 21:47 . 2010-04-03 21:47 -------- d-----w- d:\documents and settings\Kellie\Local Settings\Application Data\IsolatedStorage
    2010-04-03 21:47 . 2010-04-03 21:51 -------- d-----w- d:\program files\Common Files\Intuit
    2010-04-03 21:46 . 2010-04-03 21:46 -------- d-----w- d:\program files\TurboTax
    2010-04-03 21:46 . 2010-04-03 21:48 -------- d-----w- d:\documents and settings\All Users\Application Data\Intuit

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-02 00:06 . 2009-10-01 14:37 -------- d-----w- d:\program files\Common Files\Apple
    2010-05-02 00:02 . 2009-02-16 00:45 -------- d-----w- d:\program files\Symantec
    2010-05-02 00:02 . 2009-02-16 00:45 -------- d-----w- d:\program files\Common Files\Symantec Shared
    2010-05-02 00:02 . 2009-02-16 00:45 -------- d-----w- d:\documents and settings\All Users\Application Data\Symantec
    2010-04-28 00:37 . 2009-02-16 00:43 -------- d-----w- d:\documents and settings\Kellie\Application Data\U3
    2010-04-27 00:05 . 2006-01-13 01:23 212736 ----a-w- d:\windows\system32\drivers\ndis.sys
    2010-04-06 20:44 . 2009-08-20 12:23 -------- d-----w- d:\program files\Lexmark X1100 Series
    2010-04-03 21:53 . 2009-09-11 20:29 68688 ----a-w- d:\documents and settings\Kellie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-25 13:35 . 2009-08-25 12:57 -------- d-----w- d:\program files\Microsoft Silverlight
    2010-03-22 21:34 . 2009-06-15 19:43 -------- d-----w- d:\program files\Coupons
    2010-03-22 20:57 . 2009-12-01 18:15 423464 ----a-w- d:\documents and settings\Kellie\Application Data\E-centives\BSTIEPrintCtl1.dll
    2010-03-17 00:24 . 2010-03-17 00:24 -------- d-----w- d:\documents and settings\All Users\Application Data\Trymedia
    2010-03-10 02:07 . 2010-03-07 21:42 -------- d---a-w- d:\documents and settings\All Users\Application Data\TEMP
    2010-03-07 05:53 . 2009-10-01 14:40 -------- d-----w- d:\program files\Bonjour
    2010-03-07 00:02 . 2010-03-07 00:01 -------- d-----w- d:\program files\Microsoft ActiveSync
    2010-03-04 13:24 . 2009-11-24 07:58 79488 ----a-w- d:\documents and settings\Kellie\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2010-02-21 21:08 . 2010-02-21 21:08 50354 ----a-w- d:\documents and settings\Kellie\Application Data\Facebook\uninstall.exe
    .

    ------- Sigcheck -------

    [-] 2010-04-27 00:05 . 90847AF308BBEA2C84696DEB21F3CE49 . 212736 . . [------] . . d:\windows\system32\drivers\ndis.sys
    [-] 2010-04-27 00:05 . 90847AF308BBEA2C84696DEB21F3CE49 . 212736 . . [------] . . d:\windows\system32\DllCache\ndis.sys
    [-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . d:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ndis.sys

    [-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . d:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
    [-] 2006-01-13 . 2DEACA71A7FD77205F59D48D76B2F565 . 1075200 . . [6.00.2900.2649] . . d:\windows\explorer.exe
    .
    ((((((((((((((((((((((((((((( SnapShot@2010-05-02_16.41.34 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-05-03 04:58 . 2010-05-03 04:58 16384 d:\windows\Temp\Perflib_Perfdata_634.dat
    + 2006-01-13 01:39 . 2010-05-02 20:41 68558 d:\windows\system32\perfc009.dat
    - 2006-01-13 01:39 . 2010-03-14 15:00 68558 d:\windows\system32\perfc009.dat
    + 2009-02-15 17:47 . 2010-05-02 20:38 32768 d:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2009-02-15 17:47 . 2010-05-01 18:54 32768 d:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2009-02-15 17:47 . 2010-05-02 20:38 32768 d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2009-02-15 17:47 . 2010-05-01 18:54 32768 d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2010-04-27 00:03 . 2010-05-01 18:54 16384 d:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2010-05-02 20:38 . 2010-05-02 20:38 16384 d:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2006-01-13 01:39 . 2010-05-02 20:41 435828 d:\windows\system32\perfh009.dat
    - 2006-01-13 01:39 . 2010-03-14 15:00 435828 d:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Lexmark X1100 Series"="d:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-03-28 57344]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "msnsc"="d:\windows\system32\msnsc.exe" [2006-01-13 62054]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "tscuninstall"="d:\windows\system32\tscupgrd.exe" [2006-01-13 44544]

    [HKLM\~\startupfolder\D:^Documents and Settings^Kellie^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=d:\documents and settings\Kellie\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=d:\windows\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AmazonGSDownloaderTray]
    2009-05-20 13:17 223744 ----a-w- d:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2006-01-13 01:13 15360 ----a-w- d:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 17:44 31072 ----a-w- d:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
    2006-11-13 19:39 1289000 ----a-w- d:\program files\Microsoft ActiveSync\wcescomm.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    2005-12-13 15:41 77824 ----a-w- d:\windows\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    2005-12-13 15:45 118784 ----a-w- d:\windows\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
    2005-12-13 15:44 98304 ----a-w- d:\windows\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2009-09-21 15:36 305440 ----a-w- d:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    2005-12-14 12:13 7095344 ----a-w- d:\program files\MSN Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-09-05 00:54 417792 ----a-w- d:\program files\QuickTime Alternative\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
    2006-03-24 21:30 282624 ----a-w- d:\windows\stsystra.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-08-20 12:14 148888 ----a-w- d:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "RemoteRegistry"=2 (0x2)
    "RDSessMgr"=3 (0x3)
    "RasMan"=3 (0x3)
    "RasAuto"=3 (0x3)
    "lanmanworkstation"=2 (0x2)
    "lanmanserver"=2 (0x2)
    "iPod Service"=3 (0x3)
    "ImapiService"=3 (0x3)
    "FastUserSwitchingCompatibility"=3 (0x3)
    "Apple Mobile Device"=2 (0x2)
    "Amazon Download Agent"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "d:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "d:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "d:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "d:\\Program Files\\iTunes\\iTunes.exe"=
    "d:\\WINDOWS\\system32\\LEXPPS.EXE"=
    "c:\\Program Files\\MATLAB\\R2008a\\bin\\win32\\MATLAB.exe"=
    "d:\program files\Microsoft ActiveSync\rapimgr.exe"= d:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "d:\program files\Microsoft ActiveSync\wcescomm.exe"= d:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "d:\program files\Microsoft ActiveSync\WCESMgr.exe"= d:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

    S3 SavRoam;SAVRoam; "d:\program files\Symantec AntiVirus\SavRoam.exe" --> d:\program files\Symantec AntiVirus\SavRoam.exe [?]
    S4 Amazon Download Agent;Amazon Download Agent;d:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [8/27/2009 5:20 AM 297472]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-05-01 d:\windows\Tasks\AppleSoftwareUpdate.job
    - d:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    Trusted Zone: intuit.com\ttlc
    FF - ProfilePath - d:\documents and settings\Kellie\Application Data\Mozilla\Firefox\Profiles\tfjg2d48.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
    FF - prefs.js: keyword.URL - hxxps://www.mypoints.com/emp/u/mysearch.vm?st=mypWeb&fctb.dns=1&q=
    FF - component: d:\documents and settings\Kellie\Application Data\Mozilla\Firefox\Profiles\tfjg2d48.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\FFExternalAlert.dll
    FF - component: d:\documents and settings\Kellie\Application Data\Mozilla\Firefox\Profiles\tfjg2d48.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\RadioWMPCore.dll
    FF - plugin: d:\documents and settings\Kellie\Application Data\Facebook\npfbplugin_1_0_1.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\NPcol400.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - d:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    d:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    d:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .
    - - - - ORPHANS REMOVED - - - -

    SSODL-GootkitSSO-{49C1D6E2-7432-4A34-8447-C2FB3CFBF4EC} - d:\windows\System32\msxsltsso.dll



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-05-03 00:03
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-05-03 00:04:35
    ComboFix-quarantined-files.txt 2010-05-03 05:04
    ComboFix2.txt 2010-05-02 16:42

    Pre-Run: 11,672,211,456 bytes free
    Post-Run: 11,645,853,696 bytes free

    - - End Of File - - 476AF5A1512617E1BA2A131C90A63535
     
  11. 2010/05/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    FCopy::
    d:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ndis.sys | d:\windows\system32\drivers\ndis.sys
    d:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ndis.sys | d:\windows\system32\DllCache\ndis.sys
    
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     
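Added example (not code from this thread, ComboFix or HijackThis): the check an analyst does on the Sigcheck block of the first ComboFix log before writing the FCopy:: script above. ComboFix prints one line per copy of a system file: date, MD5, size, the PE version resource (or [------] when there is none) and path. Comparing the installed driver and its dllcache copy against the pristine copy in the Windows Update download cache (SoftwareDistribution) is what shows ndis.sys was patched: both installed copies have lost their version resource and carry a different size and hash, while explorer.exe differs only because the cached copy is a newer version (a pending update, not an infection). The Python below parses those lines and classifies each mismatch. The line layout, the choice of SoftwareDistribution as the reference, and the severity labels are this example's assumptions; the sample text is copied from the Sigcheck blocks posted in this thread.

```python
"""Flag system files whose copies disagree with a known-good reference copy,
based on the 'Sigcheck' lines ComboFix prints (added example, not thread code)."""
import re
from dataclasses import dataclass
from typing import Optional

# Assumed line layout, matching the logs posted above:
#   [-] YYYY-MM-DD [HH:MM] . MD5 . SIZE . . [VERSION] . . PATH
SIGCHECK_RE = re.compile(
    r"^\[-\]\s+(?P<date>\d{4}-\d{2}-\d{2})(?:\s+\d{2}:\d{2})?\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)
# Assumption: the Windows Update download cache holds an unmodified copy.
REFERENCE_MARKER = "\\softwaredistribution\\"


@dataclass(frozen=True)
class SigEntry:
    date: str
    md5: str
    size: int
    version: Optional[str]   # None when ComboFix printed [------]
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


@dataclass(frozen=True)
class Finding:
    name: str
    path: str
    severity: str            # "tampered", "suspicious" or "info" (labels assumed here)
    reason: str


def parse_sigcheck(text: str) -> list:
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m is None:
            continue             # headers, blank lines, '.' separators
        ver = m["version"].strip()
        entries.append(SigEntry(date=m["date"], md5=m["md5"].upper(), size=int(m["size"]),
                                version=None if not ver or set(ver) == {"-"} else ver,
                                path=m["path"]))
    return entries


def pick_reference(copies: list) -> Optional[SigEntry]:
    # Prefer a versioned copy from the update cache, then any versioned copy.
    cached = [c for c in copies if c.version and REFERENCE_MARKER in c.path.lower()]
    versioned = [c for c in copies if c.version]
    return (cached or versioned or [None])[0]


def check_sigcheck(text: str) -> list:
    """Compare every copy of each file name against its reference copy."""
    by_name = {}
    for e in parse_sigcheck(text):
        by_name.setdefault(e.name, []).append(e)
    findings = []
    for name, copies in by_name.items():
        ref = pick_reference(copies)
        if ref is None:
            findings.append(Finding(name, copies[0].path, "suspicious",
                                    "no copy carries a version resource"))
            continue
        for e in copies:
            if e is ref or e.md5 == ref.md5:
                continue         # identical bytes: nothing to report
            if e.version is None:
                # A Microsoft driver with its version resource gone and a different
                # size is the classic sign of a patched system file.
                findings.append(Finding(name, e.path, "suspicious",
                    f"no version resource, {e.size} bytes vs reference {ref.size} ({ref.version})"))
            elif e.version == ref.version:
                findings.append(Finding(name, e.path, "tampered",
                    f"same version {e.version} but MD5 {e.md5} != {ref.md5}"))
            else:
                # Different version and hash: usually a pending update, left for the analyst.
                findings.append(Finding(name, e.path, "info",
                    f"version {e.version} differs from reference {ref.version}"))
    return findings


# Sample input copied from the Sigcheck blocks in this thread: the first ComboFix
# run, and the run after the FCopy:: script replaced ndis.sys from the update cache.
BEFORE_FIX = r"""
------- Sigcheck -------

[-] 2010-04-27 00:05 . 90847AF308BBEA2C84696DEB21F3CE49 . 212736 . . [------] . . d:\windows\system32\drivers\ndis.sys
[-] 2010-04-27 00:05 . 90847AF308BBEA2C84696DEB21F3CE49 . 212736 . . [------] . . d:\windows\system32\DllCache\ndis.sys
[-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . d:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ndis.sys

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . d:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
[-] 2006-01-13 . 2DEACA71A7FD77205F59D48D76B2F565 . 1075200 . . [6.00.2900.2649] . . d:\windows\explorer.exe
"""
AFTER_FIX = r"""
[-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . d:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ndis.sys
[-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . d:\windows\system32\DllCache\ndis.sys
[-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . d:\windows\system32\drivers\ndis.sys
"""

if __name__ == "__main__":
    for label, text in (("before FCopy", BEFORE_FIX), ("after FCopy", AFTER_FIX)):
        print(f"== {label} ==")
        for f in check_sigcheck(text):
            print(f"[{f.severity}] {f.name}: {f.reason}")
```

Run against the first log it reports both installed ndis.sys copies as suspicious and explorer.exe as info only; against the second log it reports nothing, which is the state the moderator was checking for in the new ComboFix.txt.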
  12. 2010/05/04
    jmooney5115

    jmooney5115 Inactive Thread Starter

    Joined:
    2010/04/27
    Messages:
    22
    Likes Received:
    0
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 12:21:36 PM, on 5/4/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\LEXBCES.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\system32\LEXPPS.EXE
    D:\Program Files\Bonjour\mDNSResponder.exe
    D:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    D:\Program Files\Java\jre6\bin\jqs.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\wscntfy.exe
    D:\WINDOWS\explorer.exe
    D:\Documents and Settings\Kellie\Desktop\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - HKUS\S-1-5-18\..\Run: [msnsc] D:\WINDOWS\system32\msnsc.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [msnsc] D:\WINDOWS\system32\msnsc.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v57/wof/wof.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
    O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - D:\Program Files\Symantec AntiVirus\DefWatch.exe (file missing)
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - D:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: SAVRoam (SavRoam) - Unknown owner - D:\Program Files\Symantec AntiVirus\SavRoam.exe (file missing)
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
    O23 - Service: Symantec AntiVirus - Unknown owner - D:\Program Files\Symantec AntiVirus\Rtvscan.exe (file missing)

    --
    End of file - 5453 bytes



    ---------------------------------------------------------------------------------------------


    ComboFix 10-05-01.04 - Kellie 05/04/2010 12:14:36.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.749 [GMT -5:00]
    Running from: d:\documents and settings\Kellie\Desktop\ComboFix.exe
    Command switches used :: d:\documents and settings\Kellie\Desktop\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    --------------- FCopy ---------------

    d:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ndis.sys --> d:\windows\system32\drivers\ndis.sys
    d:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ndis.sys --> d:\windows\system32\DllCache\ndis.sys
    .
    ((((((((((((((((((((((((( Files Created from 2010-04-04 to 2010-05-04 )))))))))))))))))))))))))))))))
    .

    2010-05-02 00:12 . 2010-05-02 00:14 -------- d-----w- d:\documents and settings\Kellie\Application Data\FileZilla
    2010-05-02 00:12 . 2010-05-02 00:12 -------- d-----w- d:\program files\FileZilla FTP Client
    2010-04-28 00:37 . 2006-12-11 15:20 180224 ----a-w- d:\documents and settings\Kellie\Application Data\U3\0000187DA573B173\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\U3AppWrapper.exe
    2010-04-28 00:37 . 2006-12-11 15:20 72192 ----a-w- d:\documents and settings\Kellie\Application Data\U3\0000187DA573B173\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\TASKLIST.EXE
    2010-04-28 00:37 . 2006-12-11 15:20 72192 ----a-w- d:\documents and settings\Kellie\Application Data\U3\0000187DA573B173\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\TASKKILL.EXE
    2010-04-27 00:19 . 2010-04-27 00:19 -------- d-----w- d:\windows\system32\wbem\Repository
    2010-04-27 00:19 . 2010-05-02 00:02 -------- d-----w- d:\program files\Symantec AntiVirus
    2010-04-27 00:18 . 2010-04-27 00:18 -------- d-----w- d:\program files\Yahoo! Games
    2010-04-27 00:05 . 2008-04-13 19:20 182656 ----a-w- d:\windows\system32\dllcache\ndis.sys
    2010-04-26 21:27 . 2010-04-26 21:28 -------- d-----w- d:\documents and settings\Kellie\Application Data\.clamwin
    2010-04-26 21:26 . 2010-04-27 00:18 -------- d-----w- d:\program files\ClamWin
    2010-04-26 21:26 . 2010-04-27 00:18 -------- d-----w- d:\documents and settings\All Users\.clamwin
    2010-04-26 21:20 . 2010-04-27 00:18 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
    2010-04-26 21:20 . 2010-04-26 21:20 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
    2010-04-18 20:24 . 2010-04-18 21:23 -------- d-----w- d:\documents and settings\Kellie\Application Data\Notepad++
    2010-04-18 20:24 . 2010-04-18 20:24 -------- d-----w- d:\program files\Notepad++

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-02 00:06 . 2009-10-01 14:37 -------- d-----w- d:\program files\Common Files\Apple
    2010-05-02 00:02 . 2009-02-16 00:45 -------- d-----w- d:\program files\Symantec
    2010-05-02 00:02 . 2009-02-16 00:45 -------- d-----w- d:\program files\Common Files\Symantec Shared
    2010-05-02 00:02 . 2009-02-16 00:45 -------- d-----w- d:\documents and settings\All Users\Application Data\Symantec
    2010-04-28 00:37 . 2009-02-16 00:43 -------- d-----w- d:\documents and settings\Kellie\Application Data\U3
    2010-04-06 20:45 . 2010-04-03 22:59 2352 ----a-w- d:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2010-04-06 20:44 . 2009-08-20 12:23 -------- d-----w- d:\program files\Lexmark X1100 Series
    2010-04-03 21:53 . 2009-09-11 20:29 68688 ----a-w- d:\documents and settings\Kellie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-04-03 21:51 . 2010-04-03 21:51 -------- d-----w- d:\documents and settings\Kellie\Application Data\Intuit
    2010-04-03 21:51 . 2010-04-03 21:51 -------- d-----w- d:\program files\Common Files\AnswerWorks 5.0
    2010-04-03 21:51 . 2010-04-03 21:47 -------- d-----w- d:\program files\Common Files\Intuit
    2010-04-03 21:48 . 2010-04-03 21:46 -------- d-----w- d:\documents and settings\All Users\Application Data\Intuit
    2010-04-03 21:46 . 2010-04-03 21:46 -------- d-----w- d:\program files\TurboTax
    2010-03-25 13:35 . 2009-08-25 12:57 -------- d-----w- d:\program files\Microsoft Silverlight
    2010-03-22 21:34 . 2009-06-15 19:43 -------- d-----w- d:\program files\Coupons
    2010-03-22 20:57 . 2009-12-01 18:15 423464 ----a-w- d:\documents and settings\Kellie\Application Data\E-centives\BSTIEPrintCtl1.dll
    2010-03-17 00:24 . 2010-03-17 00:24 -------- d-----w- d:\documents and settings\All Users\Application Data\Trymedia
    2010-03-10 02:07 . 2010-03-07 21:42 -------- d---a-w- d:\documents and settings\All Users\Application Data\TEMP
    2010-03-07 05:53 . 2009-10-01 14:40 -------- d-----w- d:\program files\Bonjour
    2010-03-07 00:02 . 2010-03-07 00:01 -------- d-----w- d:\program files\Microsoft ActiveSync
    2010-03-04 13:24 . 2009-11-24 07:58 79488 ----a-w- d:\documents and settings\Kellie\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2010-02-21 21:08 . 2010-02-21 21:08 50354 ----a-w- d:\documents and settings\Kellie\Application Data\Facebook\uninstall.exe
    .

    ------- Sigcheck -------

    [-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . d:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ndis.sys
    [-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . d:\windows\system32\DllCache\ndis.sys
    [-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . d:\windows\system32\drivers\ndis.sys

    [-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . d:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
    [-] 2006-01-13 . 2DEACA71A7FD77205F59D48D76B2F565 . 1075200 . . [6.00.2900.2649] . . d:\windows\explorer.exe
    .
    ((((((((((((((((((((((((((((( SnapShot@2010-05-02_16.41.34 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-05-04 17:14 . 2010-05-04 17:14 16384 d:\windows\Temp\Perflib_Perfdata_62c.dat
    + 2006-01-13 01:39 . 2010-05-02 20:41 68558 d:\windows\system32\perfc009.dat
    - 2006-01-13 01:39 . 2010-03-14 15:00 68558 d:\windows\system32\perfc009.dat
    + 2009-02-15 17:47 . 2010-05-02 20:38 32768 d:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2009-02-15 17:47 . 2010-05-01 18:54 32768 d:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2009-02-15 17:47 . 2010-05-02 20:38 32768 d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2009-02-15 17:47 . 2010-05-01 18:54 32768 d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2006-01-13 01:39 . 2010-05-02 20:41 435828 d:\windows\system32\perfh009.dat
    - 2006-01-13 01:39 . 2010-03-14 15:00 435828 d:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Lexmark X1100 Series"="d:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-03-28 57344]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "msnsc"="d:\windows\system32\msnsc.exe" [2006-01-13 62054]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "tscuninstall"="d:\windows\system32\tscupgrd.exe" [2006-01-13 44544]

    [HKLM\~\startupfolder\D:^Documents and Settings^Kellie^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=d:\documents and settings\Kellie\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=d:\windows\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AmazonGSDownloaderTray]
    2009-05-20 13:17 223744 ----a-w- d:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2006-01-13 01:13 15360 ----a-w- d:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 17:44 31072 ----a-w- d:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
    2006-11-13 19:39 1289000 ----a-w- d:\program files\Microsoft ActiveSync\wcescomm.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    2005-12-13 15:41 77824 ----a-w- d:\windows\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    2005-12-13 15:45 118784 ----a-w- d:\windows\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
    2005-12-13 15:44 98304 ----a-w- d:\windows\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2009-09-21 15:36 305440 ----a-w- d:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    2005-12-14 12:13 7095344 ----a-w- d:\program files\MSN Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-09-05 00:54 417792 ----a-w- d:\program files\QuickTime Alternative\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
    2006-03-24 21:30 282624 ----a-w- d:\windows\stsystra.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-08-20 12:14 148888 ----a-w- d:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "RemoteRegistry"=2 (0x2)
    "RDSessMgr"=3 (0x3)
    "RasMan"=3 (0x3)
    "RasAuto"=3 (0x3)
    "lanmanworkstation"=2 (0x2)
    "lanmanserver"=2 (0x2)
    "iPod Service"=3 (0x3)
    "ImapiService"=3 (0x3)
    "FastUserSwitchingCompatibility"=3 (0x3)
    "Apple Mobile Device"=2 (0x2)
    "Amazon Download Agent"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "d:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "d:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "d:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "d:\\Program Files\\iTunes\\iTunes.exe"=
    "d:\\WINDOWS\\system32\\LEXPPS.EXE"=
    "c:\\Program Files\\MATLAB\\R2008a\\bin\\win32\\MATLAB.exe"=
    "d:\program files\Microsoft ActiveSync\rapimgr.exe"= d:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "d:\program files\Microsoft ActiveSync\wcescomm.exe"= d:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "d:\program files\Microsoft ActiveSync\WCESMgr.exe"= d:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

    S3 SavRoam;SAVRoam; "d:\program files\Symantec AntiVirus\SavRoam.exe" --> d:\program files\Symantec AntiVirus\SavRoam.exe [?]
    S4 Amazon Download Agent;Amazon Download Agent;d:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [8/27/2009 5:20 AM 297472]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-05-01 d:\windows\Tasks\AppleSoftwareUpdate.job
    - d:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    Trusted Zone: intuit.com\ttlc
    FF - ProfilePath - d:\documents and settings\Kellie\Application Data\Mozilla\Firefox\Profiles\tfjg2d48.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
    FF - prefs.js: keyword.URL - hxxps://www.mypoints.com/emp/u/mysearch.vm?st=mypWeb&fctb.dns=1&q=
    FF - component: d:\documents and settings\Kellie\Application Data\Mozilla\Firefox\Profiles\tfjg2d48.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\FFExternalAlert.dll
    FF - component: d:\documents and settings\Kellie\Application Data\Mozilla\Firefox\Profiles\tfjg2d48.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\RadioWMPCore.dll
    FF - plugin: d:\documents and settings\Kellie\Application Data\Facebook\npfbplugin_1_0_1.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\NPcol400.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - d:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    d:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    d:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-05-04 12:18
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-05-04 12:19:58
    ComboFix-quarantined-files.txt 2010-05-04 17:19
    ComboFix2.txt 2010-05-03 05:04
    ComboFix3.txt 2010-05-02 16:42

    Pre-Run: 11,623,063,552 bytes free
    Post-Run: 11,595,931,648 bytes free

    - - End Of File - - 547059EACB50A9F8CA793365DF60421F
     
  13. 2010/05/04
    broni Moderator Malware Analyst

    Looks good :)

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start> "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ===============================================================

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

    Post fresh HijackThis log as well.
     
  14. 2010/05/05
    jmooney5115 Inactive Thread Starter

    Thanks. Here are the requested logs.

    --------------------------------------------------------------------------------

    KASPERSKY ONLINE SCANNER 7.0: scan report
    Wednesday, May 5, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Tuesday, May 04, 2010 23:57:29
    Records in database: 4050605

    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\

    Scan statistics:
    Objects scanned: 301495
    Threats found: 4
    Infected objects found: 5
    Suspicious objects found: 0
    Scan duration: 06:43:41

    File name / Threat / Threats count
    C:\Documents and Settings\Kellie Frazier\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0d96-10a72733.zip Infected: Trojan-Downloader.Java.Agent.f 1
    C:\Documents and Settings\Kellie Frazier\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-34b856ce.zip Infected: Trojan-Downloader.Java.Agent.f 1
    C:\Program Files\MATLAB\R2008a\toolbox\rtw\targets\xpc\target\build\xpcblocks\adrtddm6420.mexw32 Infected: Trojan.Win32.Agent.dszv 1
    C:\Program Files\MATLAB\R2008a\toolbox\rtw\targets\xpc\target\build\xpcblocks\adrtddm6430.mexw32 Infected: Trojan.Win32.Agent.dszw 1
    D:\WINDOWS\system32\cmdow.exe Infected: not-a-virus:RiskTool.Win32.HideWindows 1

    Selected area has been scanned.

    --------------------------------------------------------------------------------------------------------------


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 8:15:25 AM, on 5/5/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\LEXBCES.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\system32\LEXPPS.EXE
    D:\Program Files\Bonjour\mDNSResponder.exe
    D:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    D:\Program Files\Java\jre6\bin\jqs.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\wscntfy.exe
    D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    D:\Program Files\Microsoft ActiveSync\wcescomm.exe
    D:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    D:\Documents and Settings\Kellie\Desktop\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - HKUS\S-1-5-18\..\Run: [msnsc] D:\WINDOWS\system32\msnsc.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [msnsc] D:\WINDOWS\system32\msnsc.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v57/wof/wof.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
    O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - D:\Program Files\Symantec AntiVirus\DefWatch.exe (file missing)
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - D:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: SAVRoam (SavRoam) - Unknown owner - D:\Program Files\Symantec AntiVirus\SavRoam.exe (file missing)
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
    O23 - Service: Symantec AntiVirus - Unknown owner - D:\Program Files\Symantec AntiVirus\Rtvscan.exe (file missing)

    --
    End of file - 5608 bytes
     
  15. 2010/05/05
    broni Moderator Malware Analyst

    Please download OTM

    • Save it to your desktop.
    • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes
    
    :Services
    
    :Reg
    
    :Files
    C:\Documents and Settings\Kellie Frazier\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0d96-10a72733.zip
    C:\Documents and Settings\Kellie Frazier\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-34b856ce.zip
    C:\Program Files\MATLAB\R2008a\toolbox\rtw\targets\xpc\target\build\xpcblocks\adrtddm6 420.mexw32
    C:\Program Files\MATLAB\R2008a\toolbox\rtw\targets\xpc\target\build\xpcblocks\adrtddm6 430.mexw32
          
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [Reboot]
    
    • Return to OTM, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM and reboot your PC.

    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
     
  16. 2010/05/05
    jmooney5115 Inactive Thread Starter

    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\Documents and Settings\Kellie Frazier\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0d96-10a72733.zip moved successfully.
    C:\Documents and Settings\Kellie Frazier\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-34b856ce.zip moved successfully.
    File/Folder C:\Program Files\MATLAB\R2008a\toolbox\rtw\targets\xpc\target\build\xpcblocks\adrtddm6 420.mexw32 not found.
    File/Folder C:\Program Files\MATLAB\R2008a\toolbox\rtw\targets\xpc\target\build\xpcblocks\adrtddm6 430.mexw32 not found.
    ========== COMMANDS ==========
    D:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Kellie
    ->Temp folder emptied: 106149785 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Java cache emptied: 127542 bytes
    ->FireFox cache emptied: 17245269 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 5454 bytes

    Total Files Cleaned = 118.00 mb


    OTM by OldTimer - Version 3.1.12.0 log created on 05052010_220908

    Files moved on Reboot...

    Registry entries deleted on Reboot...
     
  17. 2010/05/05
    broni Moderator Malware Analyst

    Please download OTC to your desktop. It'll remove most tools and logs we used so far. If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    • Double-click OTC.exe to run it. (Vista and 7 users, please right click on OTC and select "Run as an Administrator")
    • Click on the CleanUp! button and follow the prompts.
    • You will be asked to reboot the machine to finish the Cleanup process, choose Yes. If it doesn't ask you to reboot, restart computer manually.
    • After the reboot all the tools we used should be gone.
    • The tool will delete itself once it finishes.

    =================================================================

    Please download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Open JavaRa.exe again and select Search For Updates.
    • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    ==============================================================

    Re-run HJT and checkmark:
    O4 - HKUS\S-1-5-18\..\Run: [msnsc] D:\WINDOWS\system32\msnsc.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [msnsc] D:\WINDOWS\system32\msnsc.exe (User 'Default user')

    Click "Fix checked" button.
    Post fresh HJT log.
     
  18. 2010/05/06
    jmooney5115 Inactive Thread Starter

    Thanks. Performed scans/installations.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 8:04:02 PM, on 5/6/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\LEXBCES.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\system32\LEXPPS.EXE
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    D:\Program Files\Microsoft ActiveSync\wcescomm.exe
    D:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    D:\PROGRA~1\MI3AA1~1\rapimgr.exe
    D:\Program Files\Bonjour\mDNSResponder.exe
    D:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\wscntfy.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\WINDOWS\system32\msiexec.exe
    D:\Program Files\Java\jre6\bin\jqs.exe
    D:\WINDOWS\system32\wuauclt.exe
    D:\Documents and Settings\Kellie\Desktop\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O1 - Hosts: ÿþ127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Common Files\Java\Java Update\jusched.exe "
    O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v57/wof/wof.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
    O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - D:\Program Files\Symantec AntiVirus\DefWatch.exe (file missing)
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - D:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: SAVRoam (SavRoam) - Unknown owner - D:\Program Files\Symantec AntiVirus\SavRoam.exe (file missing)
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
    O23 - Service: Symantec AntiVirus - Unknown owner - D:\Program Files\Symantec AntiVirus\Rtvscan.exe (file missing)

    --
    End of file - 5796 bytes
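    The HJT log above is what the helper reads before deciding which lines to have fixed, such as the two O4 entries in the previous post. The following Python script is an added example, not code from this thread or from the HijackThis tool: it parses O1, O4, O16 and O23 lines and groups what a helper looks at first. The sample lines are constructed from entries quoted in this thread; singling out autostarts under HKUS\S-1-5-18 and HKUS\.DEFAULT, and reading the ÿþ prefix on the hosts line as a UTF-16 byte-order mark, are my own assumptions rather than statements made in the thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample assembled from HijackThis lines quoted in this thread: the
# two O4 entries broni asked to be fixed plus a few lines of the later log. The
# first hosts line carries bytes 0xFF 0xFE, which HijackThis prints as two
# stray Latin-1 characters.
SAMPLE_LOG = [
    "O1 - Hosts: \u00ff\u00fe127.0.0.1 localhost",
    "O1 - Hosts: ::1 localhost",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Common Files\Java\Java Update\jusched.exe"',
    r"O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKUS\S-1-5-18\..\Run: [msnsc] D:\WINDOWS\system32\msnsc.exe (User 'SYSTEM')",
    r"O4 - HKUS\.DEFAULT\..\Run: [msnsc] D:\WINDOWS\system32\msnsc.exe (User 'Default user')",
    r"O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab",
    r"O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)",
    r"O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe",
]

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[^}]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")
O23_RE = re.compile(
    r"^Service: (?P<display>.*?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.*?) - (?P<path>.*)$"
)
# UTF-16 byte-order mark (FF FE) as it looks when decoded as Latin-1 (assumption).
UTF16_BOM = "\u00ff\u00fe"
# Autostart hives that run for SYSTEM or for the Default profile. Ordinary user
# software does not register there, which is why the msnsc entries stood out.
MACHINE_PROFILE_HIVES = {r"HKUS\S-1-5-18", r"HKUS\.DEFAULT"}


def triage(lines):
    """Parse HijackThis lines and group the entries a helper looks at first."""
    f = {
        "hosts_bom": False,                # hosts file was rewritten as UTF-16
        "hosts_redirects": [],             # (ip, name) for non-localhost hosts entries
        "autostarts": [],                  # every parsed O4 entry
        "machine_profile_autostarts": [],  # O4 entries under SYSTEM / Default user
        "activex_downloads": [],           # O16: (control name, download host)
        "orphaned_services": [],           # O23: (service, path) whose binary is missing
        "unparsed": [],                    # lines of a known section we could not parse
    }
    for raw in lines:
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O1" and body.startswith("Hosts: "):
            entry = body[len("Hosts: "):]
            if entry.startswith(UTF16_BOM):
                f["hosts_bom"] = True
                entry = entry[len(UTF16_BOM):]
            parts = entry.split()
            if len(parts) >= 2 and parts[1].lower() != "localhost":
                f["hosts_redirects"].append((parts[0], parts[1]))
        elif section == "O4":
            o4 = O4_RE.match(body)
            if not o4:
                f["unparsed"].append(raw)
                continue
            rec = dict(o4.groupdict(), line=raw.strip())
            f["autostarts"].append(rec)
            if rec["hive"] in MACHINE_PROFILE_HIVES:
                f["machine_profile_autostarts"].append(rec)
        elif section == "O16":
            o16 = O16_RE.match(body)
            if not o16:
                f["unparsed"].append(raw)
                continue
            f["activex_downloads"].append(
                (o16.group("name"), urlparse(o16.group("url")).hostname))
        elif section == "O23":
            o23 = O23_RE.match(body)
            if not o23:
                f["unparsed"].append(raw)
                continue
            if o23.group("path").endswith("(file missing)"):
                f["orphaned_services"].append(
                    (o23.group("short") or o23.group("display"), o23.group("path")))
    return f


def hjt_fix_lines(findings):
    """The exact lines a helper would ask the user to checkmark and 'Fix checked'."""
    return [a["line"] for a in findings["machine_profile_autostarts"]]


def summarize(findings):
    """One line per finding, in the order a helper reads an HJT log."""
    out = []
    if findings["hosts_bom"]:
        out.append("hosts file is UTF-16 (BOM prefix on O1 lines); review it by hand")
    out += [f"hosts redirect: {n} -> {ip}" for ip, n in findings["hosts_redirects"]]
    out += [f"autostart for {a['user'] or a['hive']}: [{a['name']}] {a['cmd']}"
            for a in findings["machine_profile_autostarts"]]
    out += [f"ActiveX control from {h}: {n}" for n, h in findings["activex_downloads"]]
    out += [f"service {s} points at a missing file: {p}" for s, p in findings["orphaned_services"]]
    return out
```

    To use it on a real log, pass the file's lines to triage(); hjt_fix_lines() reproduces exactly the O4 lines broni asked to be checkmarked, and summarize() gives the short list you would post or compare against a known-good machine. The "(file missing)" services are reported, not deleted, since the log only shows that the registered binary is gone, as with the leftover Symantec entries here.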
     
  19. 2010/05/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Your computer is clean :)

    1. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side.
    4. Click on Continue on the "User Account Control" window that pops up.
    5. Under the System Protection tab, find Available Disks.
    6. Uncheck the box for any drive you wish to disable System Restore on (in most cases, drive "C:").
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK.

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please let me know how your computer is doing.
     
  20. 2010/05/09
    jmooney5115

    jmooney5115 Inactive Thread Starter

    Joined:
    2010/04/27
    Messages:
    22
    Likes Received:
    0
    Thanks again for the help. The computer is functioning normally. Can you give a brief explanation of what the CFScript.txt files do? I am trying to learn to fix malware/viruses on my own and I cannot find anything explaining the CFScript.txt files.

    Also, in a tutorial about ComboFix.exe on bleepingcomputer, "How to use ComboFix", it says, "You should not run ComboFix unless you are specifically asked to by a helper." What problems would cause this to mess up the computer? I'm assuming you see the problematic programs in the dds logs.

    If you know of any sites I can find more information please let me know.

    Thanks.
     
  21. 2010/05/09
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I'm glad to see good news :)

    As for Combofix...
    You won't find any Combofix manual, for a very obvious reason.
    Combofix's creator doesn't want bad guys to know how he does it and what he does to get rid of malware.
    You shouldn't be running Combofix by yourself for two main reasons.
    1. Combofix may make a mistake and remove something that shouldn't be removed. You need to know how to recover.
    2. Combofix, in most cases, won't remove all "baddies" by itself, so you need to know how to read the Combofix log and how to remove all other remnants.

    If you're interested in the subject and you want to learn more, I suggest you apply to one of the malware schools (free): http://www.uniteagainstmalware.com/schools.php
     
