
Thread: Multiple Infections on XP Pro SP1 box

  1. #1
    Emeritus- Malware Team
    Join Date
    Apr 2010
    Posts
    29

    Multiple Infections on XP Pro SP1 box

    Running XP Pro SP 1. The system likely has multiple infections.

    One of the infections appears to not allow Microsoft Update to run. I’m stuck with an old copy of NAV because I haven’t upgraded beyond SP1.

    One infection installed jviesc.dll in the System32 directory and created an HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls key referencing the file. I renamed the dll but retained the registry entry. I believe that the dll was loaded into the Explorer process. It was blocking NAV from running.

    One infection tries to change the value of registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer from a DWORD value of x00000091 to a Binary 91 00 00 00. When I tell TeaTimer to deny the change and remember the decision, the attempt is repeated at 1 second intervals. The log entry is:
    4/21/2010 4:59:44 PM Denied (based on user decision) value "NoDriveTypeAutoRun" (new data: "hex:91,00,00,") changed in System Startup user entry!

    I’m getting browser popups and redirects. Based on Wireshark monitoring, some of the sites which are visited upon boot are z0g7ya1i0.com, li1i16b0.com and clkh71yhks66.com.

    While drafting this post, Spybot was deleted as a Browser help object (the option to deny the change was disabled):
    4/22/2010 2:35:31 PM Allowed (based on user decision) value "{53707962-6F74-2D53-2644-206D7942484F}" (new data: "") deleted in Browser Helper Object!

    I've been working on this problem for several days. The last run of Spybot failed to detect any problems. An online NAV scan detected Trojan.Monicker but I've been unable to identify manual procedures for deleting it.

    When looking at the log file, please note that I’ve modified registry entries to keep certain software from starting up during the debugging process. Either “nomore” or “later” have been added to their .exe names so that I can go back later and reenable them. I’ve also renamed the Program Files\Google directory and hence those files will be reported as not found.

    I’m including 2 HijackThis log files. The first is the most current. The second is the one that I ran earlier when I began drafting this post. As mentioned above, Spybot was deleted as a Browser Help Object after the second log was generated.

    Current report:
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 2:58:53 PM, on 4/22/2010
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\MMKeybd.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Netropa\Traymon.exe
    C:\Program Files\Netropa\OSD.exe
    C:\WINDOWS\System32\tbctray.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Pwrchute\ups.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\WINDOWS\SYSTEM32\CMD.EXE
    C:\WINDOWS\regedit.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32NOMORE.dll (file missing)
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swgNOMORE.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (file missing)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [LTWinModem1] ltmsgLATER.exe 9
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCDLATER.exe"
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
    O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMonNOMORE.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12LATER.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgrLATER.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2LATER.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realschedLATER.exe" -osboot
    O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\AtomicLATER.exe
    O4 - HKLM\..\Run: [DaProcExp] "C:\Program Files\ProcessExplorer\procexp.exe"
    O4 - HKLM\..\Run: [DaWireShark] "C:\Program Files\Wireshark\wireshark.exe" -k
    O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\WeatherLATER.exe 1
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManagerLATER.exe" AcRdB7_0_8 -reboot 1
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessengerLATER.exex" -quiet
    O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtectionLATER.exe
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifierLATER.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-21-4212676017-2704639424-2437969446-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Administrator')
    O4 - HKUS\S-1-5-21-4212676017-2704639424-2437969446-500\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Administrator')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - S-1-5-18 Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'SYSTEM')
    O4 - S-1-5-18 Startup: Later (User 'SYSTEM')
    O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
    O4 - .DEFAULT Startup: Later (User 'Default user')
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Startup: Later
    O4 - Global Startup: Later
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/static/m/cab/2...nAxControl.CAB
    O16 - DPF: Microsoft WFC Forms Designer - file://D:\VJ98\wfcforms.cab
    O16 - DPF: Visual Studio 6 Extensibility Libraries - file://D:\VJ98\vstudio6.cab
    O16 - DPF: {0348CD18-6EFE-415B-AF32-58F08FA29B33} -
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minib...ansporter.cab?
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) -
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1271962936562
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/C...CamControl.ocx
    O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} -
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} -
    O18 - Filter hijack: text/html - {d3bcb27a-b78e-4c6d-9cb5-3d14229caa4e} - C:\WINDOWS\system32\xwreg32.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: APC PBE Server (APCPBEServer) - Unknown owner - C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe (file missing)
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
    O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\hpbpro.exe
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\hpboid.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: UPS - APC PowerChute plus (UPS) - APC - C:\Program Files\Pwrchute\ups.exe

    --
    End of file - 13313 bytes


    ---------------------------------------------------------------------
    Previous report when Spybot was a BHO:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 2:07:05 PM, on 4/22/2010
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\MMKeybd.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Netropa\Traymon.exe
    C:\Program Files\Netropa\OSD.exe
    C:\WINDOWS\System32\tbctray.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Pwrchute\ups.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32NOMORE.dll (file missing)
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swgNOMORE.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (file missing)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [LTWinModem1] ltmsgLATER.exe 9
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCDLATER.exe"
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
    O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMonNOMORE.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12LATER.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgrLATER.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2LATER.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realschedLATER.exe" -osboot
    O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\AtomicLATER.exe
    O4 - HKLM\..\Run: [DaProcExp] "C:\Program Files\ProcessExplorer\procexp.exe"
    O4 - HKLM\..\Run: [DaWireShark] "C:\Program Files\Wireshark\wireshark.exe" -k
    O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\WeatherLATER.exe 1
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManagerLATER.exe" AcRdB7_0_8 -reboot 1
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessengerLATER.exex" -quiet
    O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtectionLATER.exe
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifierLATER.exe"
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - S-1-5-18 Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'SYSTEM')
    O4 - S-1-5-18 Startup: Later (User 'SYSTEM')
    O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
    O4 - .DEFAULT Startup: Later (User 'Default user')
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Startup: Later
    O4 - Global Startup: Later
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/static/m/cab/2...nAxControl.CAB
    O16 - DPF: Microsoft WFC Forms Designer - file://D:\VJ98\wfcforms.cab
    O16 - DPF: Visual Studio 6 Extensibility Libraries - file://D:\VJ98\vstudio6.cab
    O16 - DPF: {0348CD18-6EFE-415B-AF32-58F08FA29B33} -
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minib...ansporter.cab?
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) -
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1271962936562
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/C...CamControl.ocx
    O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} -
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} -
    O18 - Filter hijack: text/html - {d3bcb27a-b78e-4c6d-9cb5-3d14229caa4e} - C:\WINDOWS\system32\xwreg32.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: APC PBE Server (APCPBEServer) - Unknown owner - C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe (file missing)
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
    O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\hpbpro.exe
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\hpboid.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: UPS - APC PowerChute plus (UPS) - APC - C:\Program Files\Pwrchute\ups.exe

    --
    End of file - 13030 bytes
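    As an added example (my own code, not part of the thread, of HijackThis or of Spybot), the script below applies a few defender-side triage heuristics to HijackThis log lines like the ones above and decodes the TeaTimer "hex:91,00,00," data from the NoDriveTypeAutoRun alert. The heuristics (flag O18 filter entries, registrations whose file is missing, and O4 autorun targets given without a path) are my choice, not a HijackThis feature; the sample log lines are a constructed subset copied from the first report in the post.

```python
"""Triage of the artefacts in the post above: HijackThis (HJT) log lines and the
TeaTimer "hex:91,00,00," registry data.

Added example; not code from the thread, from HijackThis or from Spybot.
The sample log lines are a constructed subset copied from the log in the post.
"""
import re

# --- HijackThis log triage ---------------------------------------------------

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# O4 body looks like:  HKLM\..\Run: [name] "C:\path\prog.exe" args   or   [name] prog.exe args
O4_TARGET_RE = re.compile(r'\[[^\]]*\]\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))')


def parse_line(line):
    """Split an HJT line into its section tag (O2, O4, O18, ...) and body."""
    m = LINE_RE.match(line.strip())
    return (m.group("sec"), m.group("body")) if m else None


def autorun_target(body):
    """Return the executable an O4 autorun entry launches, quoted or not."""
    m = O4_TARGET_RE.search(body)
    if not m:
        return ""
    return m.group("quoted") or m.group("bare")


def triage(log_text):
    """Return (section, reason, line) for entries an analyst should look at first.

    These are heuristics, not verdicts: the post itself shows legitimate
    "(file missing)" entries caused by the poster renaming Google's directory.
    """
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        sec, body = parsed
        if sec == "O18" and body.startswith("Filter hijack:"):
            # A MIME filter DLL is loaded into the browser for every document of that type.
            findings.append((sec, "MIME filter DLL registered for a content type", raw.strip()))
        elif sec in ("O2", "O9", "O23") and ("(no file)" in body or "(file missing)" in body):
            findings.append((sec, "registration points at a missing file", raw.strip()))
        elif sec == "O4" and "\\" not in autorun_target(body):
            # A bare file name is resolved by search path at logon; verify which file really runs.
            findings.append((sec, "autorun target given without a path", raw.strip()))
    return findings


# --- TeaTimer "hex:..." data --------------------------------------------------

AUTORUN_BITS = {  # NoDriveTypeAutoRun bit meanings as documented by Microsoft
    0x01: "unknown drive type", 0x04: "removable", 0x08: "fixed",
    0x10: "network", 0x20: "CD-ROM", 0x40: "RAM disk",
    0x80: "unknown drive type (reserved bit)",
}


def reg_hex_to_int(data):
    """Decode TeaTimer/.reg style 'hex:91,00,00,' (little-endian bytes) to an integer."""
    raw = data.split(":", 1)[1] if data.startswith("hex:") else data
    byte_values = [int(b, 16) for b in raw.split(",") if b.strip()]
    return int.from_bytes(bytes(byte_values), "little")


def autorun_disabled_types(value):
    """List the drive types whose AutoRun a NoDriveTypeAutoRun value disables."""
    return [name for bit, name in sorted(AUTORUN_BITS.items()) if value & bit]


# Constructed subset of the HJT log from the post.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_01\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /install
O18 - Filter hijack: text/html - {d3bcb27a-b78e-4c6d-9cb5-3d14229caa4e} - C:\\WINDOWS\\system32\\xwreg32.dll
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\\Program Files\\Google\\Update\\GoogleUpdate.exe (file missing)
"""

if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
    v = reg_hex_to_int("hex:91,00,00,")
    print(f"\nhex:91,00,00, -> 0x{v:08X}; the same bytes as DWORD 0x00000091")
    print("AutoRun disabled for:", ", ".join(autorun_disabled_types(v)))
```

    The decode shows why the DWORD 0x00000091 and the binary 91 00 00 00 in the TeaTimer alert carry the same value (AutoRun off for unknown and network drives, which is the XP default); what TeaTimer objected to was the repeated attempt to rewrite the value, not a change in its meaning. Run the triage on a full log and treat each finding as a pointer to check the file on disk and its signer, not as a removal list.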

  2. #2
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi,

    Please run the MGA Diagnostic Tool and post back the report it creates:
    • Download MGADiag to your desktop.
    • Double-click on MGADiag.exe to launch the program
    • Click "Continue"
    • Ensure that the "Windows" tab is selected (it should be by default).
    • Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
    • Paste the MGA Diagnostic Report back here in your next reply.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems, create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Emeritus- Malware Team
    Join Date
    Apr 2010
    Posts
    29


    Blade81,

    Thank you SO much for taking this case.

    The report that you requested is provided below.

    In my initial post I forgot to mention that later in the same day when the jviesc.dll was delivered, file ave.exe was also delivered to the Local Settings\Application Data directory and a registry key value was modified to reference the file. I renamed the file to avebad.exe but did not modify the registry key value.

    I have also added a few policies to my router to help minimize traffic with the web sites identified in my original post (plus a few others) that I’ve noticed since then but have yet to identify their initial hook into the system.

    George


    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    Validation Status: Validation Control not Installed
    Validation Code: 0
    Cached Validation Code: N/A
    Windows Product Key: *****-*****-T6DFB-Y934T-YD4YT
    Windows Product Key Hash: 3g4CZGFEDgbKmn/oB4pa2FZsssU=
    Windows Product ID: 55274-OEM-2211906-00102
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 5.1.2600.2.00010100.1.0.pro
    ID: {46287E8E-6787-455D-8DA6-137C54B7ED15}(1)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: N/A
    Architecture: N/A
    Build lab: N/A
    TTS Error: N/A
    Validation Diagnostic: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-8009_E2AD56EA-766-2ee7_E2AD56EA-148-80004005_16E0B333-89-80004005_78155E4D-232-80004005
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A
    Version: N/A

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 101 Not Activated
    Microsoft FrontPage 2002 - 100 Genuine
    Microsoft Office XP Professional - 101 Not Activated
    Microsoft Publisher 2002 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-230-1_3E121E02-385-80004005_3E121E02-452-80004005_3E121E02-312-80004005_3E121E02-372-80004005_3E121E02-452-80004005_3E121E02-312-80004005_3E121E02-372-80004005_3E121E02-452-80004005_3E121E02-312-80004005

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
    Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\WINDOWS\system32\oembios.bin[Hr = 0x800b0003]
    File Mismatch: C:\WINDOWS\system32\oembios.dat[Hr = 0x800b0003]
    File Mismatch: C:\WINDOWS\system32\oembios.sig[Hr = 0x800b0003]

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{46287E8E-6787-455D-8DA6-137C54B7ED15}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.1.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-YD4YT</PKey><PID>55274-OEM-2211906-00102</PID><PIDType>2</PIDType><SID>S-1-5-21-4212676017-2704639424-2437969446</SID><SYSTEM><Manufacturer>Dell Computer Corporation</Manufacturer><Model>Dimension 8200 </Model></SYSTEM><BIOS><Manufacturer>Dell Computer Corporation</Manufacturer><Version>A05</Version><SMBIOSVersion major="2" minor="3"/><Date>20020418******.******+***</Date><SLPBIOS>Dell System,Dell Computer,Dell System,Dell System</SLPBIOS></BIOS><HWID>D289336F0184C062</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Dell Computer Corporation</name><model>Dell DIMENSION 8200</model></SBID><OEM/><GANotification/></MachineData> <Software><Office><Result>101</Result><Products><Product GUID="{90170409-6000-11D3-8CFE-0050048383C9}"><LegitResult>100</LegitResult><Name>Microsoft FrontPage 2002</Name><Ver>10</Ver><Val>44FC9E0D3745458</Val><Hash>3/W2mSsbIhqsoYg4RsRXOlyHCVU=</Hash><Pid>54196-700-0663481-16196</Pid><PidType>1</PidType></Product><Product GUID="{91110409-6000-11D3-8CFE-0050048383C9}"><LegitResult>101</LegitResult><Name>Microsoft Office XP Professional</Name><Ver>10</Ver><Val>5ADFCB16C75B3E6</Val><Hash>Xw6ze/DNOKi1LIk4OTEtzep/Sa4=</Hash><Pid>54186-OEM-1790981-26547</Pid><PidType>4</PidType></Product><Product GUID="{91190409-6000-11D3-8CFE-0050048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Publisher 2002</Name><Ver>10</Ver><Val>32846C26CE47B46</Val><Hash>HO5oizDLH8iKplJfCJx+Xk1eXj4=</Hash><Pid>54197-OEM-1691344-56547</Pid><PidType>4</PidType></Product></Products><Applications><App Id="15" Version="10" Result="101"/><App Id="16" Version="10" Result="101"/><App Id="17" Version="10" Result="100"/><App Id="18" 
Version="10" Result="101"/><App Id="19" Version="10" Result="100"/><App Id="1A" Version="10" Result="101"/><App Id="1B" Version="10" Result="101"/></Applications></Office></Software></GenuineResults>

    Licensing Data-->
    N/A

    Windows Activation Technologies-->
    N/A

    HWID Data-->
    N/A

    OEM Activation 1.0 Data-->
    BIOS string matches: yes
    Marker string from BIOS: 8000:Dell Inc|8000:Microsoft Corporation
    Marker string from OEMBIOS.DAT: Dell System,Dell Computer,Dell System,Dell System

    OEM Activation 2.0 Data-->
    N/A

  4. #4
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi again,

    Download DDS and save it to your desktop from here or here or here.
    Disable any script blocker, and then double-click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop. Post them back to your topic.


    ---

    Download GMER here by clicking the "download exe" button and then saving it to your desktop:
    • Double-click the .exe that you downloaded.
    • Click the Rootkit tab, uncheck the Files option and then click Scan.
    • Don't check the Show All box while scanning is in progress!
    • When scanning is finished, click Copy.
    • This copies the log to the clipboard.
    • Post the log (if the log is long, archive it into a zip file and attach it instead of posting) in your reply.

  5. #5
    Emeritus- Malware Team
    Join Date
    Apr 2010
    Posts
    29

    DDS.txt:


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by gm at 9:07:46.90 on Sun 04/25/2010
    Internet Explorer: 6.0.2800.1106
    Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.1023.589 [GMT -5:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    SVCHOST.EXE
    SVCHOST.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Pwrchute\ups.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\MMKeybd.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Netropa\Traymon.exe
    C:\Program Files\Netropa\OSD.exe
    C:\WINDOWS\System32\tbctray.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\WINDOWS\System32\cidaemon.exe
    C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    C:\WINDOWS\System32\hpbpro.exe
    C:\WINDOWS\System32\hpboid.exe
    C:\Documents and Settings\gm\Desktop\dds.com

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    uDefault_Page_URL = hxxp://www.dellnet.com
    uSearch Bar = hxxp://www.google.com/ie
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.0\NppBho.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32NOMORE.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swgNOMORE.dll
    TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.0\UIBHO.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
    EB: {0494D0DE-F8E0-41AD-92A3-14154ECE70AC} - No File
    EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
    EB: {9404901D-06DA-4B23-A0EE-3EA4F64EC9B3} - No File
    uRun: [Weather] c:\program files\aws\weatherbug\WeatherLATER.exe 1
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
    uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManagerLATER.exe" AcRdB7_0_8 -reboot 1
    uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessengerLATER.exex" -quiet
    uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtectionLATER.exe
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifierLATER.exe"
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [LTWinModem1] ltmsgLATER.exe 9
    mRun: [AdaptecDirectCD] "c:\program files\adaptec\easy cd creator 5\directcd\DirectCDLATER.exe"
    mRun: [DellTouch] c:\windows\MMKeybd.exe
    mRun: [Dell|Alert] c:\program files\dell\support\alert\bin\DAMonNOMORE.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [nwiz] nwiz.exe /install
    mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb12LATER.exe
    mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgrLATER.exe"
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
    mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2LATER.exe
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realschedLATER.exe" -osboot
    mRun: [Atomic.exe] c:\program files\atomic clock sync\AtomicLATER.exe
    mRun: [DaProcExp] "c:\program files\processexplorer\procexp.exe"
    mRun: [DaWireShark] "c:\program files\wireshark\wireshark.exe" -k
    mRun: [TraySantaCruz] c:\windows\system32\tbctray.exe
    dRunOnce: [RunNarrator] Narrator.exe
    StartupFolder: c:\docume~1\gm\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\gm\startm~1\programs\startup\later\pandora.lnk - c:\program files\pandora\Pandora.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\later\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\later\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\later\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\later\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\later\shortc~1.lnk - c:\program files\processexplorer\procexp.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\later\wiresh~1.lnk - c:\program files\wireshark\wireshark.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
    IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\MSMSGS.EXE
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
    IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB
    DPF: Microsoft WFC Forms Designer - file://d:\vj98\wfcforms.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: Visual Studio 6 Extensibility Libraries - file://d:\vj98\vstudio6.cab
    DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
    DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
    DPF: {0348CD18-6EFE-415B-AF32-58F08FA29B33}
    DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - hxxp://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    DPF: {33363249-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/i263_32.cab
    DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
    DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6}
    DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1271962936562
    DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxp://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
    DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.531087963
    DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B}
    DPF: {CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_01-win.cab
    DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6}
    Filter: text/html - {d3bcb27a-b78e-4c6d-9cb5-3d14229caa4e} -
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
    Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL
    WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
    WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
    WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
    WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
    WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
    WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
    Hosts: 127.0.0.1 www.spywareinfo.com

    ============= SERVICES / DRIVERS ===============

    R2 agentcd;DriverAgent Class Driver;c:\windows\system32\AgentCD.sys [2002-6-19 196096]
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2006-9-3 105632]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2006-9-3 105632]
    R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-4-6 712048]
    R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-4-6 712048]
    R2 Mojave;Dazzle Mojave Device;c:\windows\system32\drivers\Mojave.sys [2002-6-19 119276]
    R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
    R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2008-3-15 1251720]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-5 99376]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20080924.003\NAVENG.SYS [2008-9-24 89104]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20080924.003\NAVEX15.SYS [2008-9-24 873552]
    R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2009-7-2 144768]
    R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2009-7-2 545088]
    S2 APCPBEServer;APC PBE Server;c:\program files\apc\powerchute business edition\server\pbeserver.exe --> c:\program files\apc\powerchute business edition\server\pbeserver.exe [?]
    S2 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
    S3 vtdg46xx;vtdg46xx;c:\progra~1\turtle~1\santac~1\contro~1\vtdg46xx.sys [2009-7-2 19232]

    =============== Created Last 30 ================

    2010-04-22 18:48:41 0 d-----w- c:\program files\Trend Micro
    2010-04-22 17:03:39 0 d-----w- c:\windows\pss
    2010-04-20 21:25:05 54156 ---ha-w- c:\windows\QTFont.qfn
    2010-04-20 21:25:05 1409 ----a-w- c:\windows\QTFont.for
    2010-04-19 19:49:05 0 d-----w- c:\program files\SysinternalsSuite
    2010-04-19 16:10:31 73 ----a-w- c:\windows\system32\-1
    2010-04-19 16:09:31 0 d-----w- c:\program files\Wireshark
    2010-04-18 22:01:30 0 d-----w- c:\program files\WhoIs
    2010-04-18 21:46:24 0 d-----w- c:\program files\RootkitRevealer
    2010-04-18 21:11:08 0 d-----w- c:\program files\Autoruns
    2010-04-17 14:04:02 138410532 ----a-w- c:\windows\system32\20100417a.reg
    2010-04-17 10:45:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
    2010-04-16 15:45:26 43008 ---ha-w- c:\windows\system32\jvieSCbad.dll

    ==================== Find3M ====================

    2010-02-04 23:25:19 82232 ----a-w- c:\docume~1\gm\applic~1\GDIPFONTCACHEV1.DAT

    ============= FINISH: 9:08:33.43 ===============
    Attach.txt:


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 6/24/2002 3:54:21 PM
    System Uptime: 4/25/2010 8:22:22 AM (1 hours ago)

    Motherboard: Dell Computer Corporation | | Dimension 8200
    Processor: Intel(R) Pentium(R) 4 CPU 2.53GHz | Microprocessor | 2518/133mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 112 GiB total, 32.681 GiB free.
    D: is CDROM (CDFS)
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP2466: 1/25/2010 9:23:53 PM - System Checkpoint
    RP2467: 1/26/2010 9:24:11 PM - System Checkpoint
    RP2468: 1/27/2010 10:24:12 PM - System Checkpoint
    RP2469: 1/28/2010 11:47:50 PM - System Checkpoint
    RP2470: 1/30/2010 12:24:21 AM - System Checkpoint
    RP2471: 1/31/2010 1:24:34 AM - System Checkpoint
    RP2472: 2/1/2010 9:28:12 PM - System Checkpoint
    RP2473: 2/8/2010 1:56:30 PM - System Checkpoint
    RP2474: 2/9/2010 5:40:54 PM - System Checkpoint
    RP2475: 2/11/2010 9:33:16 PM - System Checkpoint
    RP2476: 2/13/2010 12:53:31 AM - System Checkpoint
    RP2477: 2/14/2010 1:43:31 AM - System Checkpoint
    RP2478: 2/15/2010 2:08:36 AM - System Checkpoint
    RP2479: 2/16/2010 2:46:22 AM - System Checkpoint
    RP2480: 2/17/2010 3:03:20 AM - System Checkpoint
    RP2481: 2/18/2010 4:03:22 AM - System Checkpoint
    RP2482: 2/18/2010 3:26:52 PM - Installed H&R Block Deluxe + Efile + State 2009.
    RP2483: 2/18/2010 3:29:53 PM - Installed DeductionPro 2009
    RP2484: 2/21/2010 7:55:48 AM - System Checkpoint
    RP2485: 2/22/2010 10:01:27 AM - System Checkpoint
    RP2486: 2/23/2010 3:36:11 PM - System Checkpoint
    RP2487: 2/24/2010 4:03:28 PM - System Checkpoint
    RP2488: 2/25/2010 5:22:55 PM - System Checkpoint
    RP2489: 2/26/2010 5:37:35 PM - System Checkpoint
    RP2490: 2/27/2010 7:21:38 PM - System Checkpoint
    RP2491: 2/28/2010 7:57:07 PM - System Checkpoint
    RP2492: 3/1/2010 8:19:04 PM - System Checkpoint
    RP2493: 3/2/2010 9:09:26 PM - System Checkpoint
    RP2494: 3/3/2010 9:47:19 PM - System Checkpoint
    RP2495: 3/4/2010 10:47:21 PM - System Checkpoint
    RP2496: 3/5/2010 11:47:21 PM - System Checkpoint
    RP2497: 3/7/2010 12:47:21 AM - System Checkpoint
    RP2498: 3/8/2010 1:47:21 AM - System Checkpoint
    RP2499: 3/9/2010 2:46:15 AM - System Checkpoint
    RP2500: 3/10/2010 2:47:22 AM - System Checkpoint
    RP2501: 3/11/2010 2:58:12 AM - System Checkpoint
    RP2502: 3/12/2010 1:54:44 PM - System Checkpoint
    RP2503: 3/13/2010 1:58:58 PM - System Checkpoint
    RP2504: 3/14/2010 3:01:02 PM - System Checkpoint
    RP2505: 3/15/2010 4:04:15 PM - System Checkpoint
    RP2506: 3/16/2010 4:10:14 PM - System Checkpoint
    RP2507: 3/17/2010 8:36:58 PM - System Checkpoint
    RP2508: 3/19/2010 10:16:20 AM - System Checkpoint
    RP2509: 3/21/2010 3:54:32 PM - System Checkpoint
    RP2510: 3/22/2010 5:00:37 PM - System Checkpoint
    RP2511: 3/24/2010 5:24:08 PM - System Checkpoint
    RP2512: 3/25/2010 6:05:07 PM - System Checkpoint
    RP2513: 3/26/2010 8:01:32 PM - System Checkpoint
    RP2514: 3/28/2010 7:07:49 PM - System Checkpoint
    RP2515: 3/29/2010 7:48:47 PM - System Checkpoint
    RP2516: 3/30/2010 8:19:10 PM - System Checkpoint
    RP2517: 3/31/2010 9:15:17 PM - System Checkpoint
    RP2518: 4/1/2010 9:48:44 PM - System Checkpoint
    RP2519: 4/2/2010 10:03:19 PM - System Checkpoint
    RP2520: 4/3/2010 11:20:19 PM - System Checkpoint
    RP2521: 4/4/2010 12:30:01 PM - Installed H&R Block Missouri 2009.
    RP2522: 4/5/2010 7:14:54 PM - System Checkpoint
    RP2523: 4/6/2010 11:39:52 PM - System Checkpoint
    RP2524: 4/8/2010 11:47:04 AM - System Checkpoint
    RP2525: 4/9/2010 11:53:14 AM - System Checkpoint
    RP2526: 4/10/2010 12:13:16 PM - System Checkpoint
    RP2527: 4/11/2010 1:01:18 PM - System Checkpoint
    RP2528: 4/12/2010 1:50:47 PM - System Checkpoint
    RP2529: 4/13/2010 4:57:31 PM - System Checkpoint
    RP2530: 4/14/2010 5:27:20 PM - System Checkpoint
    RP2531: 4/15/2010 6:30:30 PM - System Checkpoint
    RP2532: 4/17/2010 10:04:17 AM - System Checkpoint
    RP2533: 4/18/2010 12:28:44 PM - System Checkpoint
    RP2534: 4/19/2010 5:40:02 PM - System Checkpoint
    RP2535: 4/20/2010 10:09:01 PM - System Checkpoint
    RP2536: 4/22/2010 1:48:40 PM - Installed HiJackThis
    RP2537: 4/24/2010 2:00:25 AM - System Checkpoint
    RP2538: 4/25/2010 2:34:19 AM - System Checkpoint

    ==== Installed Programs ======================

    ABBYY FineReader 5.0 Sprint
    Adobe Acrobat 4.0
    Adobe AIR
    Adobe Download Manager 1.2 (Remove Only)
    Adobe Photoshop Album 2.0 Starter Edition
    Adobe Photoshop Elements 2.0
    Adobe Reader 7.0.8
    AOL Instant Messenger
    APC PowerChute Business Edition Agent
    APC PowerChute Business Edition Console
    APC PowerChute Business Edition Server
    AppCore
    Atomic Clock Sync
    AV
    Borland C++ 5.02
    ccCommon
    CDMaster32
    CreativeProjects
    CreativeProjectsTemplates
    CueTour
    DeductionPro 2003
    DeductionPro 2004-05
    DeductionPro 2005-06
    DeductionPro 2006
    DeductionPro 2007
    DeductionPro 2008
    DeductionPro 2009
    Dell | Support
    Dell Picture Studio - Image Expert 2000
    Dell Solution Center
    DellTouch
    Destinations
    Director
    DivX Codec
    Easy CD Creator 5 Basic
    EPSON Copy Utility
    EPSON Photo Print
    EPSON Scan
    EPSON Smart Panel
    ERUNT 1.1j
    Family Lawyer 2000
    Forté Agent
    GanttProject 2.0.9
    Garmin City Navigator North America NT 2010.10 Update
    Garmin POI Loader
    Google Earth
    Google Toolbar for Internet Explorer
    Google Update Helper
    GoToMeeting 4.0.0.320
    H&R Block Deluxe + Efile + State 2009
    H&R Block Missouri 2009
    Help and Support Customization
    HiJackThis
    HP Deskjet 6800
    HP Diagnostic Assistant
    HP Photo & Imaging 4.1
    HP Update
    HPSystemDiagnostics
    IE2K
    InstantShare
    Intel Processor Frequency ID Utility
    InterActual Player
    iolo technologies' Search and Recover
    Island Hopper Scenario A
    J2SE Runtime Environment 5.0 Update 7
    Java 2 Runtime Environment Standard Edition v1.3.1_01
    Java(TM) SE Runtime Environment 6 Update 1
    Legal Search
    LiveUpdate 3.1 (Symantec Corporation)
    LiveUpdate Notice (Symantec Corporation)
    Lucent Win Modem
    MapSource
    MapSource - City Select North America v7
    MGI VideoWave 4
    Microsoft .NET Framework 1.1
    Microsoft ActiveSync 3.7
    Microsoft Assembler Version 6.15
    Microsoft Data Access Components KB870669
    Microsoft FrontPage 2002
    Microsoft Interactive Training
    Microsoft Money 2005
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office XP Media Content
    Microsoft Office XP Professional
    Microsoft Publisher 2002
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual J++ 6.0
    Microsoft Visual Studio 6.0 Professional Edition
    MindSpring PipeLine+ 2.60-32
    Miro
    Modem Helper
    Movie Studio 2 Hardware
    MSDN Library - Visual Studio 6.0a
    MSN Add-in for Windows Messenger
    MSN Music Assistant
    MSRedist
    MUSICMATCH Jukebox
    MyDVD
    News Rover
    Norton AntiVirus
    Norton Confidential Browser Component
    Norton Confidential Web Protection Component
    Norton Internet Security
    Norton Internet Security (Symantec Corporation)
    Norton Protection Center
    NVIDIA Windows 2000/XP Display Drivers
    Overland
    Pandora
    Pdf995 (installed by TaxCut)
    PdfEdit995 (installed by TaxCut)
    PhoneTools
    PowerChute plus 5.2
    PowerDVD
    Presto! BizCard 4.1 Eng
    PrintScreen
    QFolder
    QuickProjects
    QuickTime
    RealPlayer
    Realtek RTL8139 Diagnostics Program
    Santa Cruz
    ScanToWeb
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899589)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905495)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB914798)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917537)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924496)
    Shockwave Player
    SkinsHP1
    SmartDraw 7 Trial Edition
    SPBBC 32bit
    Spybot - Search & Destroy
    SpywareBlaster v3.2
    Street Atlas USA 4.0
    Symantec KB-DocID:2003093015493306
    Symantec Real Time Storage Protection Component
    Symantec Technical Support Web Controls
    SymNet
    TaxCut 2003
    TaxCut 2004
    TaxCut Deluxe 2005
    TaxCut Missouri 2007
    TaxCut Missouri 2008
    TaxCut Premium + State + Efile 2008
    TaxCut Premium + State 2007
    TaxCut Premium 2006
    TD AMERITRADE StrategyDesk 1.2
    TD AMERITRADE StrategyDesk 1.3
    TD AMERITRADE StrategyDesk 2.0
    TD AMERITRADE StrategyDesk 2.1
    TD AMERITRADE StrategyDesk 2.2
    TD AMERITRADE StrategyDesk 2.3
    TD AMERITRADE StrategyDesk 3.3_2 (C:\Program Files\TD AMERITRADE\StrategyDesk)
    TD AMERITRADE StrategyDesk 3.4_3 (C:\Program Files\TD AMERITRADE\StrategyDesk)
    The Plain-Language Law Dictionary
    TrayApp
    Update for Windows XP (KB835409)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    VBA & Macros for Excel Project Files
    VideoLAN VLC media player 0.7.2
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player (Remove Only)
    vr3d
    WeatherBug
    WebEx
    WebFldrs XP
    WebReg
    Windows Installer 3.1 (KB893803)
    Windows Installer Clean Up
    Windows Media Format Runtime
    Windows Media Player 10
    Windows Media Player Hotfix [See wm828026 for more information]
    Windows XP Hotfix - KB810217
    Windows XP Hotfix - KB823182
    Windows XP Hotfix - KB824105
    Windows XP Hotfix - KB824141
    Windows XP Hotfix - KB824146
    Windows XP Hotfix - KB824151
    Windows XP Hotfix - KB825119
    Windows XP Hotfix - KB826939
    Windows XP Hotfix - KB828028
    Windows XP Hotfix - KB828035
    Windows XP Hotfix - KB828741
    Windows XP Hotfix - KB835732
    Windows XP Hotfix - KB837001
    Windows XP Hotfix - KB839643
    Windows XP Hotfix - KB839645
    Windows XP Hotfix - KB840315
    Windows XP Hotfix - KB840374
    Windows XP Hotfix - KB841873
    Windows XP Hotfix - KB842773
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB892944
    Windows XP Hotfix - KB911567
    Windows XP Hotfix - KB918439
    Windows XP Hotfix - KB918899
    Windows XP Hotfix - KB925486
    Windows XP Hotfix (SP2) Q811114
    Windows XP Hotfix (SP2) Q819696
    Windows XP Service Pack 1a
    WinMX
    WinPcap 4.1.1
    WinZip
    Wireshark 1.2.7
    XviD MPEG-4 Video Codec
    Yahoo! Install Manager
    Yahoo! Internet Mail
    Yahoo! Messenger
    Yahoo! Messenger Explorer Bar

    ==== Event Viewer Messages From Past Week ========

    4/25/2010 2:57:26 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    4/25/2010 2:56:28 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    4/25/2010 2:50:54 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl FileDisk Fips Processor SPBBCDrv SRTSPL SRTSPX SYMTDI
    4/25/2010 2:50:54 AM, error: Service Control Manager [7001] - The World Wide Web Publishing service depends on the IIS Admin service which failed to start because of the following error: The dependency service or group failed to start.
    4/25/2010 2:50:54 AM, error: Service Control Manager [7001] - The Simple Mail Transfer Protocol (SMTP) service depends on the IIS Admin service which failed to start because of the following error: The dependency service or group failed to start.
    4/25/2010 2:50:54 AM, error: Service Control Manager [7001] - The FTP Publishing service depends on the IIS Admin service which failed to start because of the following error: The dependency service or group failed to start.
    4/25/2010 2:49:13 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    4/22/2010 6:08:15 AM, error: Service Control Manager [7001] - The World Wide Web Publishing service depends on the IIS Admin service which failed to start because of the following error: The executable program that this service is configured to run in does not implement the service.
    4/22/2010 6:08:15 AM, error: Service Control Manager [7001] - The Simple Mail Transfer Protocol (SMTP) service depends on the IIS Admin service which failed to start because of the following error: The executable program that this service is configured to run in does not implement the service.
    4/22/2010 6:08:15 AM, error: Service Control Manager [7001] - The FTP Publishing service depends on the IIS Admin service which failed to start because of the following error: The executable program that this service is configured to run in does not implement the service.
    4/22/2010 6:08:15 AM, error: Service Control Manager [7000] - The IIS Admin service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.
    4/20/2010 4:50:56 PM, information: Windows File Protection [64017] - Windows File Protection file scan completed successfully.
    4/20/2010 4:39:28 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\oembios.sig has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 0.0.0.1.
    4/20/2010 4:39:28 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\oembios.dat has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 0.0.0.1.
    4/20/2010 4:39:28 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\oembios.sig could not be restored to its original, valid version. The file version of the bad file is 0.0.0.1 The specific error code is 0x800b0100 [No signature was present in the subject. ].
    4/20/2010 4:39:28 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\oembios.dat could not be restored to its original, valid version. The file version of the bad file is 0.0.0.1 The specific error code is 0x800b0100 [No signature was present in the subject. ].
    4/20/2010 4:39:27 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\oembios.bin could not be restored to its original, valid version. The file version of the bad file is 0.0.0.1 The specific error code is 0x800b0100 [No signature was present in the subject. ].
    4/20/2010 4:39:26 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\oembios.bin has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 0.0.0.1.
    4/20/2010 4:38:52 PM, information: Windows File Protection [64016] - Windows File Protection file scan was started.
    4/20/2010 4:15:13 AM, error: Dhcp [1002] - The IP address lease 192.168.1.102 for the Network Card with network address 929526FAAD7B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    4/20/2010 3:03:40 PM, error: DCOM [10009] - DCOM was unable to communicate with the computer D using any of the configured protocols.
    4/19/2010 9:36:22 AM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 929526FAAD7B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    4/19/2010 8:03:25 AM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.100 with the system having network hardware address 00:18:DE:86:97:A9. Network operations on this system may be disrupted as a result.
    4/19/2010 6:13:36 AM, error: Dhcp [1002] - The IP address lease 192.168.1.104 for the Network Card with network address 929526FAAD7B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    4/19/2010 5:36:14 PM, error: BROWSER [8007] - The browser was unable to update the service status bits. The data is the error.
    4/19/2010 2:26:11 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.102 with the system having network hardware address 00:25:A0:70:AA:E9. Network operations on this system may be disrupted as a result.
    4/19/2010 10:45:07 AM, error: DCOM [10002] - Access denied attempting to launch a DCOM Server. The server is: {0C0A3666-30C9-11D0-8F20-00805F2CD064} The user is IWAM_DMAIN/DMAIN, SID=S-1-5-21-4212676017-2704639424-2437969446-1008.
    4/19/2010 10:22:34 AM, error: Service Control Manager [7023] - The Machine Debug Manager service terminated with the following error: The class is configured to run as a security id different from the caller
    4/18/2010 6:51:54 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Automatic LiveUpdate Scheduler service to connect.
    4/18/2010 6:51:54 AM, error: Service Control Manager [7000] - The Automatic LiveUpdate Scheduler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    4/18/2010 5:05:55 PM, error: Service Control Manager [7003] - The SRTSP service depends on the following nonexistent service: FltMgr
    4/18/2010 5:05:55 PM, error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The system cannot find the path specified.
    4/18/2010 5:05:55 PM, error: Service Control Manager [7000] - The APC PBE Server service failed to start due to the following error: The system cannot find the file specified.
    4/18/2010 5:05:04 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    4/18/2010 5:05:04 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
    4/18/2010 5:00:49 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.100 with the system having network hardware address 00:90:4B:F5:A0:69. Network operations on this system may be disrupted as a result.
    4/18/2010 4:30:50 AM, error: Service Control Manager [7023] - The Google Update Service (gupdate) service terminated with the following error: The class is configured to run as a security id different from the caller
    4/18/2010 3:36:29 AM, error: Dhcp [1002] - The IP address lease 192.168.1.105 for the Network Card with network address 929526FAAD7B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    4/18/2010 2:16:56 PM, error: Service Control Manager [7005] - The RpcImpersonateClient call failed with the following error: No security context is available to allow impersonation.

    ==== End Of File ===========================


    ---------------------------------------------

    GMER Output:

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-04-25 09:15:12
    Windows 5.1.2600 Service Pack 1
    Running: 35wodyyo.exe; Driver: C:\DOCUME~1\gm\LOCALS~1\Temp\axtdapod.sys


    ---- System - GMER 1.0.15 ----

    SSDT 871160A8 ZwAlertResumeThread
    SSDT 870E0418 ZwAlertThread
    SSDT 870E1F18 ZwAllocateVirtualMemory
    SSDT 86FD4158 ZwConnectPort
    SSDT \??\C:\WINDOWS\System32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA9EF2EB0]
    SSDT 87101B28 ZwCreateMutant
    SSDT 86F8F3A0 ZwCreateThread
    SSDT \??\C:\WINDOWS\System32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xA9EF3130]
    SSDT \??\C:\WINDOWS\System32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA9EF3690]
    SSDT 86E8AF98 ZwFreeVirtualMemory
    SSDT 87024AA0 ZwImpersonateAnonymousToken
    SSDT 86FF1430 ZwImpersonateThread
    SSDT 8702D6A8 ZwMapViewOfSection
    SSDT 86FF1508 ZwOpenEvent
    SSDT 870DEC08 ZwOpenProcessToken
    SSDT 871005A0 ZwOpenThreadToken
    SSDT 86FF50D0 ZwResumeThread
    SSDT 87100038 ZwSetContextThread
    SSDT 870E3C58 ZwSetInformationProcess
    SSDT 870F8838 ZwSetInformationThread
    SSDT \??\C:\WINDOWS\System32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA9EF38E0]
    SSDT 86FF10C8 ZwSuspendProcess
    SSDT 870BE960 ZwSuspendThread
    SSDT 871162B8 ZwTerminateProcess
    SSDT 8704A1E8 ZwTerminateThread
    SSDT 8725D078 ZwUnmapViewOfSection
    SSDT 870E7848 ZwWriteVirtualMemory

    ---- Kernel code sections - GMER 1.0.15 ----

    .rsrc C:\WINDOWS\system32\drivers\dmload.sys entry point in ".rsrc" section [0xF7A36114]
    .text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF28C5340, 0xFFF3F, 0xF8000020]
    .text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF9B8300, 0x234A20, 0xF8000020]
    ? C:\WINDOWS\System32\Drivers\PROCEXP141.SYS The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\System32\svchost.exe[880] ntdll.dll!NtProtectVirtualMemory 77F5BCC8 5 Bytes JMP 006C000A
    .text C:\WINDOWS\System32\svchost.exe[880] ntdll.dll!NtWriteVirtualMemory 77F5C588 5 Bytes JMP 006D000A
    .text C:\WINDOWS\System32\svchost.exe[880] ntdll.dll!KiUserExceptionDispatcher 77F75DAC 5 Bytes JMP 0066000C
    .text C:\WINDOWS\System32\svchost.exe[880] ole32.dll!CoCreateInstance 4FEDF9E6 5 Bytes JMP 03AA000B
    .text C:\WINDOWS\System32\svchost.exe[880] USER32.dll!GetCursorPos 77D48DF4 5 Bytes JMP 042A000B
    .text C:\WINDOWS\Explorer.EXE[1888] ntdll.dll!NtProtectVirtualMemory 77F5BCC8 5 Bytes JMP 0097000A
    .text C:\WINDOWS\Explorer.EXE[1888] ntdll.dll!NtWriteVirtualMemory 77F5C588 5 Bytes JMP 0098000A
    .text C:\WINDOWS\Explorer.EXE[1888] ntdll.dll!KiUserExceptionDispatcher 77F75DAC 5 Bytes JMP 0096000C

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

    Device -> \Driver\atapi \Device\Harddisk0\DR0 872F5AC8

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\system32\drivers\dmload.sys suspicious modification
    File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----

  6. #6 Emeritus- Malware Team (Join Date: Apr 2010; Posts: 29)

    Blade81,

    I thought I should also mention that I was unable to post the results from the infected computer. When I hit the "Submit Reply" button the address line contained "http://forums.spybot.info/newreply.php?do=postreply&t=57000" and the following message was displayed "The page cannot be displayed The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings."

    I copied the requested reports to a USB flash drive and sent them from another computer.

    Thanks again for your help!

    George

  7. #7 Security Expert: Emeritus Blade81 (Join Date: Oct 2006; Location: Finland; Posts: 25,288)

    Thanks for the logs.

    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully first.

    Please continue as follows:

    1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New dds log.


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the corresponding user's case only.

  8. #8 Emeritus- Malware Team (Join Date: Apr 2010; Posts: 29)

    ComboFix 10-04-21.01 - gm 04/25/2010 10:12:48.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.1023.651 [GMT -5:00]
    Running from: c:\documents and settings\gm\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\gm\System
    c:\documents and settings\gm\System\win_qs7.jqx
    c:\recycler\NPROTECT
    C:\test.txt
    C:\Thumbs.db
    c:\windows\system32\20100417a.reg
    c:\windows\system32\Cache
    c:\windows\winhelp.ini
    C:\xu.dll

    Infected copy of c:\windows\system32\drivers\DMLOAD.SYS was found and disinfected
    Restored copy from - Kitty had a snack :p
    c:\windows\system32\d3d9.dll . . . is missing!!

    .
    ((((((((((((((((((((((((( Files Created from 2010-03-25 to 2010-04-25 )))))))))))))))))))))))))))))))
    .

    2010-04-25 13:33 . 2010-04-25 13:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2010-04-24 15:10 . 2010-04-24 15:10 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2010-04-22 18:48 . 2010-04-22 18:48 388096 ----a-r- c:\documents and settings\gm\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-04-22 18:48 . 2010-04-22 18:48 -------- d-----w- c:\program files\Trend Micro
    2010-04-22 18:38 . 2010-04-22 18:39 -------- d-----w- c:\program files\ERUNT
    2010-04-20 23:27 . 2010-04-20 23:27 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
    2010-04-19 19:49 . 2010-04-19 19:49 -------- d-----w- c:\program files\SysinternalsSuite
    2010-04-19 16:09 . 2010-04-19 16:10 -------- d-----w- c:\program files\Wireshark
    2010-04-18 22:01 . 2010-04-18 22:01 -------- d-----w- c:\program files\WhoIs
    2010-04-18 21:46 . 2010-04-18 21:46 -------- d-----w- c:\program files\RootkitRevealer
    2010-04-18 21:11 . 2010-04-18 21:11 -------- d-----w- c:\program files\Autoruns
    2010-04-18 14:32 . 2010-04-18 14:32 -------- d-----w- c:\documents and settings\gm\Local Settings\Application Data\Temp
    2010-04-18 14:27 . 2010-04-18 14:27 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
    2010-04-17 10:45 . 2010-04-17 10:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    2010-04-16 15:45 . 2010-04-16 15:45 43008 ---ha-w- c:\windows\system32\jvieSCbad.dll
    2010-04-04 17:29 . 2010-04-04 17:29 2994016 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Downloads\HRBlockMO.exe
    2010-03-28 17:26 . 2010-03-28 17:26 21195208 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026901xupd.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-25 15:11 . 2002-06-20 04:27 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2010-04-25 15:07 . 2001-08-18 12:00 5888 ----a-w- c:\windows\system32\drivers\DMLOAD.SYS
    2010-04-24 00:49 . 2002-12-15 21:44 -------- d-----w- c:\program files\NewsRover
    2010-04-20 14:16 . 2007-02-19 19:34 -------- d-----w- c:\program files\ProcessExplorer
    2010-04-19 16:10 . 2009-04-29 22:40 -------- d-----w- c:\program files\WinPcap
    2010-04-18 16:20 . 2004-11-14 13:31 -------- d-----w- c:\program files\Yahoo!
    2010-04-18 15:31 . 2007-05-03 12:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2010-04-18 15:31 . 2009-04-17 01:46 -------- d-----w- c:\documents and settings\gm\Application Data\Yahoo!
    2010-04-18 14:31 . 2005-02-23 22:25 -------- d-----w- c:\documents and settings\gm\Application Data\WeatherBug
    2010-04-18 14:26 . 2005-07-26 07:34 -------- d-----w- c:\program files\Googlebad
    2010-04-17 09:57 . 2004-07-15 17:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-04-17 01:56 . 2004-07-15 17:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-04-16 13:29 . 2006-06-24 15:32 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-04-16 13:29 . 2007-05-14 19:41 -------- d-----w- c:\program files\TD AMERITRADE
    2010-03-30 05:45 . 2002-12-22 18:54 -------- d-----w- c:\program files\Pwrchute
    2010-03-28 17:25 . 2008-02-10 22:28 -------- d-----w- c:\documents and settings\gm\Application Data\TaxCut
    2010-03-25 13:07 . 2002-06-20 04:22 -------- d-----w- c:\program files\PhoneTools
    2010-02-08 17:21 . 2005-07-12 18:06 82232 ----a-w- c:\documents and settings\gm\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    .

    ------- Sigcheck -------

    [-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\wscntfy.exe

    [-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\xmlprov.dll

    c:\windows\System32\wscntfy.exe ... is missing !!
    c:\windows\System32\xmlprov.dll ... is missing !!
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessengerLATER.exex -quiet" [X]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LTWinModem1"="ltmsgLATER.exe 9" [X]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-07-28 4841472]
    "DellTouch"="c:\windows\MMKeybd.exe" [2001-09-05 163840]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2003-02-06 77824]
    "nwiz"="nwiz.exe" [2003-07-28 323584]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-09-03 84640]
    "osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2006-09-06 26248]
    "Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048]
    "DaProcExp"="c:\program files\ProcessExplorer\procexp.exe" [2010-04-15 3879288]
    "DaWireShark"="c:\program files\Wireshark\wireshark.exe" [2010-03-31 2217984]
    "TraySantaCruz"="c:\windows\System32\tbctray.exe" [2002-04-03 290816]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2002-11-20 51200]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\Later
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-2-16 113664]
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-14 241664]
    HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-14 53248]
    Shortcut to procexp.exe.lnk - c:\program files\ProcessExplorer\procexp.exe [2007-2-19 3879288]
    Wireshark.lnk - c:\program files\Wireshark\wireshark.exe [2010-3-31 2217984]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
    ntkrELOG REG_SZ c:\windows\System32\jvieSC.dll

    R2 agentcd;DriverAgent Class Driver;c:\windows\SYSTEM32\AgentCD.sys [6/19/2002 11:24 PM 196096]
    R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [4/6/2009 4:05 PM 712048]
    R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [4/6/2009 4:05 PM 712048]
    R2 Mojave;Dazzle Mojave Device;c:\windows\SYSTEM32\DRIVERS\Mojave.sys [6/19/2002 11:23 PM 119276]
    R2 NPF;NetGroup Packet Filter Driver;c:\windows\SYSTEM32\DRIVERS\npf.sys [10/20/2009 1:19 PM 50704]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/5/2008 12:43 PM 99376]
    R3 tbcspud;Santa Cruz Driver;c:\windows\SYSTEM32\DRIVERS\tbcspud.sys [7/2/2009 3:21 PM 144768]
    R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\SYSTEM32\DRIVERS\tbcwdm.sys [7/2/2009 3:21 PM 545088]
    S2 APCPBEServer;APC PBE Server;c:\program files\APC\PowerChute Business Edition\server\pbeserver.exe --> c:\program files\APC\PowerChute Business Edition\server\pbeserver.exe [?]
    S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
    S3 vtdg46xx;vtdg46xx;c:\progra~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [7/2/2009 3:21 PM 19232]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - COMHOST
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-24 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - gm.job
    - c:\progra~1\NORTON~2\NORTON~1\Navw32.exe [2006-09-07 05:38]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
    DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB
    DPF: Microsoft WFC Forms Designer - file://d:\vj98\wfcforms.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: Visual Studio 6 Extensibility Libraries - file://d:\vj98\vstudio6.cab
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Weather - c:\program files\AWS\WeatherBug\WeatherLATER.exe
    HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManagerLATER.exe
    HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtectionLATER.exe
    HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifierLATER.exe
    HKLM-Run-AdaptecDirectCD - c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCDLATER.exe
    HKLM-Run-Dell|Alert - c:\program files\Dell\Support\Alert\bin\DAMonNOMORE.exe
    HKLM-Run-HPDJ Taskbar Utility - c:\windows\System32\spool\drivers\w32x86\3\hpztsb12LATER.exe
    HKLM-Run-HP Component Manager - c:\program files\HP\hpcoretech\hpcmpmgrLATER.exe
    HKLM-Run-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2LATER.exe
    HKLM-Run-TkBellExe - c:\program files\Common Files\Real\Update_OB\realschedLATER.exe
    HKLM-Run-Atomic.exe - c:\program files\Atomic Clock Sync\AtomicLATER.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-25 10:30
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x872EFAC8]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf7583aac
    \Driver\ACPI -> ACPI.sys @ 0xf74e8740
    \Driver\atapi -> atapi.sys @ 0xf748f03c
    IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x8058e444
    ParseProcedure -> ntoskrnl.exe @ 0x8055a85b
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x8058e444
    ParseProcedure -> ntoskrnl.exe @ 0x8055a85b
    NDIS: GVC-REALTEK Ethernet 10/100 PCI Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf73c5630
    PacketIndicateHandler -> NDIS.sys @ 0xf73d0480
    SendHandler -> NDIS.sys @ 0xf73c5779
    user & kernel MBR OK

    **************************************************************************
    "PBEBackupImagePath"="%SystemRoot%\System32\ups.exe"
    "OldImagePath"=" "
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-4212676017-2704639424-2437969446-1006\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(876)
    c:\windows\system32\ODBC32.dll

    - - - - - - - > 'lsass.exe'(944)
    c:\windows\System32\dssenh.dll
    .
    Completion time: 2010-04-25 10:40:05
    ComboFix-quarantined-files.txt 2010-04-25 15:40

    Pre-Run: 34,996,396,032 bytes free
    Post-Run: 38,113,284,096 bytes free

    winxpsp1_en_pro_bf.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

    - - End Of File - - 2A8AD835BA394F907AA0D356D5F92664

  9. #9 Emeritus- Malware Team (Join Date: Apr 2010; Posts: 29)

    Blade81,

    My previous post contains the ComboFix report. This post contains the DDS output reports. As was the case when I last ran DDS, I was unable to post the reports from the infected machine. I am creating this post from another computer.

    Thanks again for all of your help!

    George

    DDS.txt:



    DDS (Ver_10-03-17.01) - NTFSx86
    Run by gm at 10:45:43.26 on Sun 04/25/2010
    Internet Explorer: 6.0.2800.1106
    Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.1023.629 [GMT -5:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    SVCHOST.EXE
    SVCHOST.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Documents and Settings\gm\Desktop\dds.com

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.0\NppBho.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32NOMORE.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swgNOMORE.dll
    TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.0\UIBHO.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
    EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
    EB: {9404901D-06DA-4B23-A0EE-3EA4F64EC9B3} - No File
    uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
    uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessengerLATER.exex" -quiet
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [LTWinModem1] ltmsgLATER.exe 9
    mRun: [DellTouch] c:\windows\MMKeybd.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [nwiz] nwiz.exe /install
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
    mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
    mRun: [DaProcExp] "c:\program files\processexplorer\procexp.exe"
    mRun: [DaWireShark] "c:\program files\wireshark\wireshark.exe" -k
    mRun: [TraySantaCruz] c:\windows\system32\tbctray.exe
    dRunOnce: [RunNarrator] Narrator.exe
    StartupFolder: c:\docume~1\gm\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\gm\startm~1\programs\startup\later\pandora.lnk - c:\program files\pandora\Pandora.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\later\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\later\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\later\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\later\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\later\shortc~1.lnk - c:\program files\processexplorer\procexp.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\later\wiresh~1.lnk - c:\program files\wireshark\wireshark.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
    IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\MSMSGS.EXE
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
    IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB
    DPF: Microsoft WFC Forms Designer - file://d:\vj98\wfcforms.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: Visual Studio 6 Extensibility Libraries - file://d:\vj98\vstudio6.cab
    DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
    DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
    DPF: {0348CD18-6EFE-415B-AF32-58F08FA29B33}
    DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    DPF: {33363249-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/i263_32.cab
    DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
    DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6}
    DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1271962936562
    DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxp://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
    DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.531087963
    DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B}
    DPF: {CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_01-win.cab
    DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6}
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
    Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL
    WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
    WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
    WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
    WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
    WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
    WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
    Hosts: 127.0.0.1 www.spywareinfo.com

    ============= SERVICES / DRIVERS ===============

    R2 agentcd;DriverAgent Class Driver;c:\windows\system32\AgentCD.sys [2002-6-19 196096]
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2006-9-3 105632]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2006-9-3 105632]
    R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-4-6 712048]
    R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-4-6 712048]
    R2 Mojave;Dazzle Mojave Device;c:\windows\system32\drivers\Mojave.sys [2002-6-19 119276]
    R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
    R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2008-3-15 1251720]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-5 99376]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20080924.003\NAVENG.SYS [2008-9-24 89104]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20080924.003\NAVEX15.SYS [2008-9-24 873552]
    R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2009-7-2 144768]
    R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2009-7-2 545088]
    S2 APCPBEServer;APC PBE Server;c:\program files\apc\powerchute business edition\server\pbeserver.exe --> c:\program files\apc\powerchute business edition\server\pbeserver.exe [?]
    S2 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
    S3 vtdg46xx;vtdg46xx;c:\progra~1\turtle~1\santac~1\contro~1\vtdg46xx.sys [2009-7-2 19232]

    =============== Created Last 30 ================

    2010-04-25 15:00:40 0 d-sha-r- C:\cmdcons
    2010-04-25 14:59:08 98816 ----a-w- c:\windows\sed.exe
    2010-04-25 14:59:08 77312 ----a-w- c:\windows\MBR.exe
    2010-04-25 14:59:08 261632 ----a-w- c:\windows\PEV.exe
    2010-04-25 14:59:08 161792 ----a-w- c:\windows\SWREG.exe
    2010-04-22 18:48:41 0 d-----w- c:\program files\Trend Micro
    2010-04-22 17:03:39 0 d-----w- c:\windows\pss
    2010-04-20 21:25:05 54156 ---ha-w- c:\windows\QTFont.qfn
    2010-04-20 21:25:05 1409 ----a-w- c:\windows\QTFont.for
    2010-04-19 19:49:05 0 d-----w- c:\program files\SysinternalsSuite
    2010-04-19 16:10:31 73 ----a-w- c:\windows\system32\-1
    2010-04-19 16:09:31 0 d-----w- c:\program files\Wireshark
    2010-04-18 22:01:30 0 d-----w- c:\program files\WhoIs
    2010-04-18 21:46:24 0 d-----w- c:\program files\RootkitRevealer
    2010-04-18 21:11:08 0 d-----w- c:\program files\Autoruns
    2010-04-17 10:45:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
    2010-04-16 15:45:26 43008 ---ha-w- c:\windows\system32\jvieSCbad.dll

    ==================== Find3M ====================

    2010-04-25 15:07:57 5888 ----a-w- c:\windows\system32\drivers\DMLOAD.SYS
    2010-02-04 23:25:19 82232 ----a-w- c:\docume~1\gm\applic~1\GDIPFONTCACHEV1.DAT

    ============= FINISH: 10:46:29.87 ===============



    Attach.txt:


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 6/24/2002 3:54:21 PM
    System Uptime: 4/25/2010 10:10:18 AM (0 hours ago)

    Motherboard: Dell Computer Corporation | | Dimension 8200
    Processor: Intel(R) Pentium(R) 4 CPU 2.53GHz | Microprocessor | 2519/133mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 112 GiB total, 35.523 GiB free.
    D: is CDROM (CDFS)
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP2466: 1/25/2010 9:23:53 PM - System Checkpoint
    RP2467: 1/26/2010 9:24:11 PM - System Checkpoint
    RP2468: 1/27/2010 10:24:12 PM - System Checkpoint
    RP2469: 1/28/2010 11:47:50 PM - System Checkpoint
    RP2470: 1/30/2010 12:24:21 AM - System Checkpoint
    RP2471: 1/31/2010 1:24:34 AM - System Checkpoint
    RP2472: 2/1/2010 9:28:12 PM - System Checkpoint
    RP2473: 2/8/2010 1:56:30 PM - System Checkpoint
    RP2474: 2/9/2010 5:40:54 PM - System Checkpoint
    RP2475: 2/11/2010 9:33:16 PM - System Checkpoint
    RP2476: 2/13/2010 12:53:31 AM - System Checkpoint
    RP2477: 2/14/2010 1:43:31 AM - System Checkpoint
    RP2478: 2/15/2010 2:08:36 AM - System Checkpoint
    RP2479: 2/16/2010 2:46:22 AM - System Checkpoint
    RP2480: 2/17/2010 3:03:20 AM - System Checkpoint
    RP2481: 2/18/2010 4:03:22 AM - System Checkpoint
    RP2482: 2/18/2010 3:26:52 PM - Installed H&R Block Deluxe + Efile + State 2009.
    RP2483: 2/18/2010 3:29:53 PM - Installed DeductionPro 2009
    RP2484: 2/21/2010 7:55:48 AM - System Checkpoint
    RP2485: 2/22/2010 10:01:27 AM - System Checkpoint
    RP2486: 2/23/2010 3:36:11 PM - System Checkpoint
    RP2487: 2/24/2010 4:03:28 PM - System Checkpoint
    RP2488: 2/25/2010 5:22:55 PM - System Checkpoint
    RP2489: 2/26/2010 5:37:35 PM - System Checkpoint
    RP2490: 2/27/2010 7:21:38 PM - System Checkpoint
    RP2491: 2/28/2010 7:57:07 PM - System Checkpoint
    RP2492: 3/1/2010 8:19:04 PM - System Checkpoint
    RP2493: 3/2/2010 9:09:26 PM - System Checkpoint
    RP2494: 3/3/2010 9:47:19 PM - System Checkpoint
    RP2495: 3/4/2010 10:47:21 PM - System Checkpoint
    RP2496: 3/5/2010 11:47:21 PM - System Checkpoint
    RP2497: 3/7/2010 12:47:21 AM - System Checkpoint
    RP2498: 3/8/2010 1:47:21 AM - System Checkpoint
    RP2499: 3/9/2010 2:46:15 AM - System Checkpoint
    RP2500: 3/10/2010 2:47:22 AM - System Checkpoint
    RP2501: 3/11/2010 2:58:12 AM - System Checkpoint
    RP2502: 3/12/2010 1:54:44 PM - System Checkpoint
    RP2503: 3/13/2010 1:58:58 PM - System Checkpoint
    RP2504: 3/14/2010 3:01:02 PM - System Checkpoint
    RP2505: 3/15/2010 4:04:15 PM - System Checkpoint
    RP2506: 3/16/2010 4:10:14 PM - System Checkpoint
    RP2507: 3/17/2010 8:36:58 PM - System Checkpoint
    RP2508: 3/19/2010 10:16:20 AM - System Checkpoint
    RP2509: 3/21/2010 3:54:32 PM - System Checkpoint
    RP2510: 3/22/2010 5:00:37 PM - System Checkpoint
    RP2511: 3/24/2010 5:24:08 PM - System Checkpoint
    RP2512: 3/25/2010 6:05:07 PM - System Checkpoint
    RP2513: 3/26/2010 8:01:32 PM - System Checkpoint
    RP2514: 3/28/2010 7:07:49 PM - System Checkpoint
    RP2515: 3/29/2010 7:48:47 PM - System Checkpoint
    RP2516: 3/30/2010 8:19:10 PM - System Checkpoint
    RP2517: 3/31/2010 9:15:17 PM - System Checkpoint
    RP2518: 4/1/2010 9:48:44 PM - System Checkpoint
    RP2519: 4/2/2010 10:03:19 PM - System Checkpoint
    RP2520: 4/3/2010 11:20:19 PM - System Checkpoint
    RP2521: 4/4/2010 12:30:01 PM - Installed H&R Block Missouri 2009.
    RP2522: 4/5/2010 7:14:54 PM - System Checkpoint
    RP2523: 4/6/2010 11:39:52 PM - System Checkpoint
    RP2524: 4/8/2010 11:47:04 AM - System Checkpoint
    RP2525: 4/9/2010 11:53:14 AM - System Checkpoint
    RP2526: 4/10/2010 12:13:16 PM - System Checkpoint
    RP2527: 4/11/2010 1:01:18 PM - System Checkpoint
    RP2528: 4/12/2010 1:50:47 PM - System Checkpoint
    RP2529: 4/13/2010 4:57:31 PM - System Checkpoint
    RP2530: 4/14/2010 5:27:20 PM - System Checkpoint
    RP2531: 4/15/2010 6:30:30 PM - System Checkpoint
    RP2532: 4/17/2010 10:04:17 AM - System Checkpoint
    RP2533: 4/18/2010 12:28:44 PM - System Checkpoint
    RP2534: 4/19/2010 5:40:02 PM - System Checkpoint
    RP2535: 4/20/2010 10:09:01 PM - System Checkpoint
    RP2536: 4/22/2010 1:48:40 PM - Installed HiJackThis
    RP2537: 4/24/2010 2:00:25 AM - System Checkpoint
    RP2538: 4/25/2010 2:34:19 AM - System Checkpoint

    ==== Installed Programs ======================

    ABBYY FineReader 5.0 Sprint
    Adobe Acrobat 4.0
    Adobe AIR
    Adobe Download Manager 1.2 (Remove Only)
    Adobe Photoshop Album 2.0 Starter Edition
    Adobe Photoshop Elements 2.0
    Adobe Reader 7.0.8
    AOL Instant Messenger
    APC PowerChute Business Edition Agent
    APC PowerChute Business Edition Console
    APC PowerChute Business Edition Server
    AppCore
    Atomic Clock Sync
    AV
    Borland C++ 5.02
    ccCommon
    CDMaster32
    CreativeProjects
    CreativeProjectsTemplates
    CueTour
    DeductionPro 2003
    DeductionPro 2004-05
    DeductionPro 2005-06
    DeductionPro 2006
    DeductionPro 2007
    DeductionPro 2008
    DeductionPro 2009
    Dell | Support
    Dell Picture Studio - Image Expert 2000
    Dell Solution Center
    DellTouch
    Destinations
    Director
    DivX Codec
    Easy CD Creator 5 Basic
    EPSON Copy Utility
    EPSON Photo Print
    EPSON Scan
    EPSON Smart Panel
    ERUNT 1.1j
    Family Lawyer 2000
    Forté Agent
    GanttProject 2.0.9
    Garmin City Navigator North America NT 2010.10 Update
    Garmin POI Loader
    Google Earth
    Google Toolbar for Internet Explorer
    Google Update Helper
    GoToMeeting 4.0.0.320
    H&R Block Deluxe + Efile + State 2009
    H&R Block Missouri 2009
    Help and Support Customization
    HiJackThis
    HP Deskjet 6800
    HP Diagnostic Assistant
    HP Photo & Imaging 4.1
    HP Update
    HPSystemDiagnostics
    IE2K
    InstantShare
    Intel Processor Frequency ID Utility
    InterActual Player
    iolo technologies' Search and Recover
    Island Hopper Scenario A
    J2SE Runtime Environment 5.0 Update 7
    Java 2 Runtime Environment Standard Edition v1.3.1_01
    Java(TM) SE Runtime Environment 6 Update 1
    Legal Search
    LiveUpdate 3.1 (Symantec Corporation)
    LiveUpdate Notice (Symantec Corporation)
    Lucent Win Modem
    MapSource
    MapSource - City Select North America v7
    MGI VideoWave 4
    Microsoft .NET Framework 1.1
    Microsoft ActiveSync 3.7
    Microsoft Assembler Version 6.15
    Microsoft Data Access Components KB870669
    Microsoft FrontPage 2002
    Microsoft Interactive Training
    Microsoft Money 2005
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office XP Media Content
    Microsoft Office XP Professional
    Microsoft Publisher 2002
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual J++ 6.0
    Microsoft Visual Studio 6.0 Professional Edition
    MindSpring PipeLine+ 2.60-32
    Miro
    Modem Helper
    Movie Studio 2 Hardware
    MSDN Library - Visual Studio 6.0a
    MSN Add-in for Windows Messenger
    MSN Music Assistant
    MSRedist
    MUSICMATCH Jukebox
    MyDVD
    News Rover
    Norton AntiVirus
    Norton Confidential Browser Component
    Norton Confidential Web Protection Component
    Norton Internet Security
    Norton Internet Security (Symantec Corporation)
    Norton Protection Center
    NVIDIA Windows 2000/XP Display Drivers
    Overland
    Pandora
    Pdf995 (installed by TaxCut)
    PdfEdit995 (installed by TaxCut)
    PhoneTools
    PowerChute plus 5.2
    PowerDVD
    Presto! BizCard 4.1 Eng
    PrintScreen
    QFolder
    QuickProjects
    QuickTime
    RealPlayer
    Realtek RTL8139 Diagnostics Program
    Santa Cruz
    ScanToWeb
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899589)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905495)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB914798)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917537)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924496)
    Shockwave Player
    SkinsHP1
    SmartDraw 7 Trial Edition
    SPBBC 32bit
    Spybot - Search & Destroy
    SpywareBlaster v3.2
    Street Atlas USA 4.0
    Symantec KB-DocID:2003093015493306
    Symantec Real Time Storage Protection Component
    Symantec Technical Support Web Controls
    SymNet
    TaxCut 2003
    TaxCut 2004
    TaxCut Deluxe 2005
    TaxCut Missouri 2007
    TaxCut Missouri 2008
    TaxCut Premium + State + Efile 2008
    TaxCut Premium + State 2007
    TaxCut Premium 2006
    TD AMERITRADE StrategyDesk 1.2
    TD AMERITRADE StrategyDesk 1.3
    TD AMERITRADE StrategyDesk 2.0
    TD AMERITRADE StrategyDesk 2.1
    TD AMERITRADE StrategyDesk 2.2
    TD AMERITRADE StrategyDesk 2.3
    TD AMERITRADE StrategyDesk 3.3_2 (C:\Program Files\TD AMERITRADE\StrategyDesk)
    TD AMERITRADE StrategyDesk 3.4_3 (C:\Program Files\TD AMERITRADE\StrategyDesk)
    The Plain-Language Law Dictionary
    TrayApp
    Update for Windows XP (KB835409)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    VBA & Macros for Excel Project Files
    VideoLAN VLC media player 0.7.2
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player (Remove Only)
    vr3d
    WeatherBug
    WebEx
    WebFldrs XP
    WebReg
    Windows Installer 3.1 (KB893803)
    Windows Installer Clean Up
    Windows Media Format Runtime
    Windows Media Player 10
    Windows Media Player Hotfix [See wm828026 for more information]
    Windows XP Hotfix - KB810217
    Windows XP Hotfix - KB823182
    Windows XP Hotfix - KB824105
    Windows XP Hotfix - KB824141
    Windows XP Hotfix - KB824146
    Windows XP Hotfix - KB824151
    Windows XP Hotfix - KB825119
    Windows XP Hotfix - KB826939
    Windows XP Hotfix - KB828028
    Windows XP Hotfix - KB828035
    Windows XP Hotfix - KB828741
    Windows XP Hotfix - KB835732
    Windows XP Hotfix - KB837001
    Windows XP Hotfix - KB839643
    Windows XP Hotfix - KB839645
    Windows XP Hotfix - KB840315
    Windows XP Hotfix - KB840374
    Windows XP Hotfix - KB841873
    Windows XP Hotfix - KB842773
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB892944
    Windows XP Hotfix - KB911567
    Windows XP Hotfix - KB918439
    Windows XP Hotfix - KB918899
    Windows XP Hotfix - KB925486
    Windows XP Hotfix (SP2) Q811114
    Windows XP Hotfix (SP2) Q819696
    Windows XP Service Pack 1a
    WinMX
    WinPcap 4.1.1
    WinZip
    Wireshark 1.2.7
    XviD MPEG-4 Video Codec
    Yahoo! Install Manager
    Yahoo! Internet Mail
    Yahoo! Messenger
    Yahoo! Messenger Explorer Bar

    ==== Event Viewer Messages From Past Week ========

    4/25/2010 5:12:19 AM, error: Service Control Manager [7000] - The wscsvc service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.
    4/25/2010 2:57:26 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    4/25/2010 2:56:28 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    4/25/2010 2:50:54 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl FileDisk Fips Processor SPBBCDrv SRTSPL SRTSPX SYMTDI
    4/25/2010 2:50:54 AM, error: Service Control Manager [7001] - The World Wide Web Publishing service depends on the IIS Admin service which failed to start because of the following error: The dependency service or group failed to start.
    4/25/2010 2:50:54 AM, error: Service Control Manager [7001] - The Simple Mail Transfer Protocol (SMTP) service depends on the IIS Admin service which failed to start because of the following error: The dependency service or group failed to start.
    4/25/2010 2:50:54 AM, error: Service Control Manager [7001] - The FTP Publishing service depends on the IIS Admin service which failed to start because of the following error: The dependency service or group failed to start.
    4/25/2010 2:49:13 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    4/22/2010 6:08:15 AM, error: Service Control Manager [7001] - The World Wide Web Publishing service depends on the IIS Admin service which failed to start because of the following error: The executable program that this service is configured to run in does not implement the service.
    4/22/2010 6:08:15 AM, error: Service Control Manager [7001] - The Simple Mail Transfer Protocol (SMTP) service depends on the IIS Admin service which failed to start because of the following error: The executable program that this service is configured to run in does not implement the service.
    4/22/2010 6:08:15 AM, error: Service Control Manager [7001] - The FTP Publishing service depends on the IIS Admin service which failed to start because of the following error: The executable program that this service is configured to run in does not implement the service.
    4/22/2010 6:08:15 AM, error: Service Control Manager [7000] - The IIS Admin service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.
    4/20/2010 4:50:56 PM, information: Windows File Protection [64017] - Windows File Protection file scan completed successfully.
    4/20/2010 4:39:28 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\oembios.sig has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 0.0.0.1.
    4/20/2010 4:39:28 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\oembios.dat has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 0.0.0.1.
    4/20/2010 4:39:28 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\oembios.sig could not be restored to its original, valid version. The file version of the bad file is 0.0.0.1 The specific error code is 0x800b0100 [No signature was present in the subject. ].
    4/20/2010 4:39:28 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\oembios.dat could not be restored to its original, valid version. The file version of the bad file is 0.0.0.1 The specific error code is 0x800b0100 [No signature was present in the subject. ].
    4/20/2010 4:39:27 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\oembios.bin could not be restored to its original, valid version. The file version of the bad file is 0.0.0.1 The specific error code is 0x800b0100 [No signature was present in the subject. ].
    4/20/2010 4:39:26 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\oembios.bin has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 0.0.0.1.
    4/20/2010 4:38:52 PM, information: Windows File Protection [64016] - Windows File Protection file scan was started.
    4/20/2010 4:15:13 AM, error: Dhcp [1002] - The IP address lease 192.168.1.102 for the Network Card with network address 929526FAAD7B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    4/20/2010 3:03:40 PM, error: DCOM [10009] - DCOM was unable to communicate with the computer D using any of the configured protocols.
    4/19/2010 9:36:22 AM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 929526FAAD7B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    4/19/2010 8:03:25 AM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.100 with the system having network hardware address 00:18:DE:86:97:A9. Network operations on this system may be disrupted as a result.
    4/19/2010 6:13:36 AM, error: Dhcp [1002] - The IP address lease 192.168.1.104 for the Network Card with network address 929526FAAD7B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    4/19/2010 5:43:08 AM, error: Service Control Manager [7003] - The SRTSP service depends on the following nonexistent service: FltMgr
    4/19/2010 5:43:08 AM, error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The system cannot find the path specified.
    4/19/2010 5:43:08 AM, error: Service Control Manager [7000] - The APC PBE Server service failed to start due to the following error: The system cannot find the file specified.
    4/19/2010 5:41:55 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    4/19/2010 5:41:55 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
    4/19/2010 5:36:14 PM, error: BROWSER [8007] - The browser was unable to update the service status bits. The data is the error.
    4/19/2010 2:26:11 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.102 with the system having network hardware address 00:25:A0:70:AA:E9. Network operations on this system may be disrupted as a result.
    4/19/2010 10:45:07 AM, error: DCOM [10002] - Access denied attempting to launch a DCOM Server. The server is: {0C0A3666-30C9-11D0-8F20-00805F2CD064} The user is IWAM_DMAIN/DMAIN, SID=S-1-5-21-4212676017-2704639424-2437969446-1008.
    4/19/2010 10:22:34 AM, error: Service Control Manager [7023] - The Machine Debug Manager service terminated with the following error: The class is configured to run as a security id different from the caller
    4/18/2010 6:51:54 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Automatic LiveUpdate Scheduler service to connect.
    4/18/2010 6:51:54 AM, error: Service Control Manager [7000] - The Automatic LiveUpdate Scheduler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    4/18/2010 5:00:49 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.100 with the system having network hardware address 00:90:4B:F5:A0:69. Network operations on this system may be disrupted as a result.
    4/18/2010 4:30:50 AM, error: Service Control Manager [7023] - The Google Update Service (gupdate) service terminated with the following error: The class is configured to run as a security id different from the caller
    4/18/2010 3:36:29 AM, error: Dhcp [1002] - The IP address lease 192.168.1.105 for the Network Card with network address 929526FAAD7B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    4/18/2010 2:16:56 PM, error: Service Control Manager [7005] - The RpcImpersonateClient call failed with the following error: No security context is available to allow impersonation.

    ==== End Of File ===========================

  10. #10
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi again,


    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    File::
    c:\windows\system32\-1
    c:\windows\system32\jvieSCbad.dll
    DDS::
    uStart Page = about:blank
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    EB: {9404901D-06DA-4B23-A0EE-3EA4F64EC9B3} - No File
    IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
    "ntkrELOG"=-

    Save this as CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



    Close all browser windows, disable protection and, referring to the picture above, drag CFScript into ComboFix.exe
    Then post the resultant log.


    Adobe Acrobat 4.0 is badly outdated. If you use it for duties other than PDF conversion then you need to replace it with the latest non-vulnerable version.


    Uninstall old Adobe Reader versions and get the latest one (9.3 + update 9.3.2) here or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.

    Uninstall your current Shockwave player and get the fresh one here if needed.


    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update to the latest version...

    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) 6 Update 20.
    • Click the Download button to the right.
    • Select Windows in the platform combobox and check the box that says: Accept License Agreement. Click continue.
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.




    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    If you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    If you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.


    Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


    Post back its report, a fresh dds.txt log and the above-mentioned ComboFix resultant log. Also, please run GMER again and post back its report.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.
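The CFScript above removes a value from the AppCertDlls key, the same persistence location the original poster found jviesc.dll registered under (any DLL listed there is loaded into newly created processes). The following PowerShell audit, an added example and not part of the thread or of ComboFix, lists what is currently registered there and whether each referenced DLL exists and carries a valid Authenticode signature; it assumes a modern Windows host with PowerShell 5.1 or later (the XP SP1 box in the thread has no PowerShell), and a present entry is something to investigate, not proof of infection on its own.

```powershell
# Added example: read-only audit of the AppCertDlls persistence key.
# Assumes PowerShell 5.1+ on a current Windows host; not the thread's own code.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'

if (-not (Test-Path -Path $key)) {
    Write-Output "No AppCertDlls key present (this is normal on a clean system)."
    return
}

# Get-ItemProperty returns each registry value as a property; drop the
# PS* provider metadata properties so only real registry values remain.
$values = (Get-ItemProperty -Path $key).PSObject.Properties |
    Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' }

if (-not $values) {
    Write-Output "AppCertDlls key exists but holds no values."
    return
}

$values | ForEach-Object {
    # Values are normally REG_SZ paths; expand %SystemRoot%-style variables
    # so Test-Path and the signature check see the real file location.
    $dllPath = [Environment]::ExpandEnvironmentVariables([string]$_.Value)
    $exists  = Test-Path -LiteralPath $dllPath

    # Missing file (like the renamed jviesc.dll in this thread) or an
    # unsigned/untrusted binary in this key both merit a closer look.
    $sigStatus = if ($exists) {
        (Get-AuthenticodeSignature -FilePath $dllPath).Status
    } else {
        'FileMissing'
    }

    [pscustomobject]@{
        ValueName = $_.Name
        Dll       = $dllPath
        Exists    = $exists
        Signature = $sigStatus
    }
} | Format-Table -AutoSize
```

Run it from an elevated prompt; a row whose Signature column reads FileMissing, NotSigned or HashMismatch is the one to examine before deciding whether the value should be removed.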
