
Thread: XP Anti-Virus 2011

  1. #1
    Junior Member
    Join Date
    Apr 2011
    Posts
    7

    Post XP Anti-Virus 2011

    Hi, I would appreciate some help to remove this. I can only boot to safe mode with command line without the spyware kicking in whenever i try to execute any application. Appreciated.

    ----------------------------------------------------------------------------
    .
    DDS (Ver_11-03-05.01) - NTFSx86 MINIMAL
    Run by Administrator at 20:27:59.46 on 08/04/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_10
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.684 [GMT 1:00]
    .
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    .
    ============== Running Processes ===============
    .
    D:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    D:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    D:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\dds.com
    .
    ============== Pseudo HJT Report ===============
    .
    mSearch Bar = hxxp://internetsearchservice.com/ie6.html
    mSearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms}
    mSearchURL = hxxp://internetsearchservice.com
    mSearchAssistant = hxxp://internetsearchservice.com
    uURLSearchHooks: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - d:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
    BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - d:\program files\orbitdownloader\orbitcth.dll
    BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - d:\program files\techsmith\snagit 7\SnagItBHO.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: {14A6B963-7C6C-414B-B5BD-9CD0929F928F} - No File
    BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - d:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    BHO: eBay Toolbar Helper: {22d8e815-4a5e-4dfb-845e-aab64207f5bd} - d:\program files\ebay\ebay toolbar2\eBayTB.dll
    BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - d:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
    BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
    BHO: {58472BC6-BEA3-42d4-8917-7A8BCB0711B5} - No File
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - d:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - d:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - d:\program files\java\jre6\bin\ssv.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - d:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - d:\program files\google\googletoolbar1.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - d:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - d:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - d:\program files\windows live\toolbar\wltcore.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - d:\program files\orbitdownloader\GrabPro.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - d:\program files\windows live\toolbar\wltcore.dll
    TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - d:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [kdx] d:\program files\kontiki\KHost.exe -all
    uRun: [DellSupport] "d:\program files\dell support\DSAgnt.exe" /startup
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRunOnce: [NeroHomeFirstStart] "d:\program files\common files\ahead\lib\NMFirstStart.exe"
    mRun: [VF0060 STISvc] RunDLL32.exe V0060Pin.dll,RunDLL32EP 513
    mRun: [NBKeyScan] "d:\program files\nero\nero 7\nero backitup\NBKeyScan.exe"
    mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [IAAnotif] d:\program files\intel\intel application accelerator\iaanotif.exe
    mRun: [dscactivate] "d:\program files\dell support center\gs_agent\custom\dsca.exe"
    mRun: [DLPSP] "d:\program files\dell printers\additional color laser software\status monitor\DLPSP.EXE"
    mRun: [DellSupportCenter] "d:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
    mRun: [CTxfiHlp] CTXFIHLP.EXE
    mRun: [CTHelper] CTHELPER.EXE
    mRun: [Adobe Reader Speed Launcher] "d:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [4oD] "d:\program files\kontiki\KHost.exe" -all
    mRun: [NeroFilterCheck] d:\program files\common files\ahead\lib\NeroCheck.exe
    mRun: [Windows UDP Control Center] fxsteller.exe
    mRun: [GrooveMonitor] "d:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [AppleSyncNotifier] d:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
    mRun: [UpdatePDRShortCut] "d:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "d:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\8.0"
    mRun: [MSC] "d:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [ISTray] "d:\program files\spyware doctor\pctsGui.exe" /hideGUI
    mRun: [PCTools FGuard] d:\program files\spyware doctor\bdt\FGuard.exe
    dRun: [DWQueuedReporting] "d:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    StartupFolder: d:\docume~1\admini~1\startm~1\programs\startup\erunta~1.lnk - d:\program files\erunt\AUTOBACK.EXE
    StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - d:\program files\logitech\setpoint\SetPoint.exe
    StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\orbit.lnk - d:\program files\orbitdownloader\orbitdm.exe
    StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\photof~1.lnk - d:\program files\panasonic\photofunstudio -viewer-\PhAutoRun.exe
    IE: E&xport to Microsoft Excel - d:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - d:\documents and settings\siubhan\start menu\programs\imvu\Run IMVU.lnk
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBC} - d:\program files\java\jre6\bin\npjpi160_10.dll
    IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - d:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - d:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - d:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - d:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - d:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~3\office12\REFIEBAR.DLL
    LSP: d:\program files\common files\pc tools\lsp\PCTLsp.dll
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
    DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
    DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
    DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182113919142
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - hxxp://www.infuzer.com/IDC/client/player/isetup1.cab
    DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
    DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
    DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
    DPF: {E856B973-45FD-4559-8F82-EAB539144667} - hxxp://pccheckup.dellfix.com/en/10/install/gtdownde.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - d:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: sspng - {1E8068DE-05AD-11D4-ACC8-EF447469245E} - d:\progra~1\intern~2\SspNG.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: LBTWlgn - d:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll
    STS: {d1577581-2ed7-469f-99b1-72c1339e0ee0} - No File
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - d:\program files\microsoft office\office12\GrooveShellExtensions.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - d:\program files\windows desktop search\MSNLNamespaceMgr.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - d:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\0kas99cf.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - component: d:\program files\google\google gears\firefox\lib\ff36\gears.dll
    FF - component: d:\program files\spyware doctor\bdt\firefox\platform\winnt_x86-msvc\components\libheuristic.dll
    FF - plugin: d:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: d:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: d:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: d:\program files\microsoft\office live\npOLW.dll
    FF - plugin: d:\program files\windows live\photo gallery\NPWLPG.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - d:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
    FF - Ext: Google Gears: {000a9d1c-beef-4f90-9363-039d445309b8} - d:\program files\google\google gears\Firefox
    FF - Ext: Java Quick Starter: jqs@sun.com - d:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - d:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Browser Defender Toolbar: {cb84136f-9c44-433a-9048-c5cd9df1dc16} - d:\program files\spyware doctor\bdt\Firefox
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 hotcore;hotcore;d:\windows\system32\drivers\hotcore.sys [2007-6-18 30820]
    R0 hotcore2;hotcore2;d:\windows\system32\drivers\hotcore2.sys [2007-6-18 30808]
    R0 hotcore3;hotcore3;d:\windows\system32\drivers\hotcore3.sys [2007-11-10 39472]
    R0 PCTCore;PCTools KDS;d:\windows\system32\drivers\PCTCore.sys [2011-4-4 239168]
    R0 pctDS;PC Tools Data Store;d:\windows\system32\drivers\pctDS.sys [2011-4-5 338880]
    S1 MpFilter;Microsoft Malware Protection Driver;d:\windows\system32\drivers\MpFilter.sys [2009-6-18 165264]
    S1 MpKsl1843257a;MpKsl1843257a;\??\d:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33fa6659-69b2-491e-93a1-0b1fe7e86598}\mpksl1843257a.sys --> d:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33fa6659-69b2-491e-93a1-0b1fe7e86598}\MpKsl1843257a.sys [?]
    S1 MpKsl3bcf647a;MpKsl3bcf647a;d:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{368b78d7-6efe-4727-8404-a019636dc065}\MpKsl3bcf647a.sys [2011-4-4 28752]
    S1 MpKsl9c5f8434;MpKsl9c5f8434;\??\d:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33fa6659-69b2-491e-93a1-0b1fe7e86598}\mpksl9c5f8434.sys --> d:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33fa6659-69b2-491e-93a1-0b1fe7e86598}\MpKsl9c5f8434.sys [?]
    S2 Browser Defender Update Service;Browser Defender Update Service;d:\program files\spyware doctor\bdt\BDTUpdateService.exe [2011-4-4 247760]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;d:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 DLSDB;Dell Printer Status Database;d:\program files\dell printers\additional color laser software\status monitor\dlsdbnt.exe [2007-6-17 135168]
    S2 fssfltr;FssFltr;d:\windows\system32\drivers\fssfltr_tdi.sys [2009-3-24 54752]
    S2 gupdate1c91bf0ec9959c6;Google Update Service (gupdate1c91bf0ec9959c6);d:\program files\google\update\GoogleUpdate.exe [2008-9-21 133104]
    S2 NetProbe;NetProbe Packet Driver;d:\windows\system32\drivers\NetProbe.sys [2008-3-6 5365]
    S2 sdAuxService;PC Tools Auxiliary Service;d:\program files\spyware doctor\pctsAuxs.exe [2011-4-4 366840]
    S2 sdCoreService;PC Tools Security Service;d:\program files\spyware doctor\pctsSvc.exe [2011-4-4 1150936]
    S2 ssoftnt4;ssoftnt4;d:\windows\system32\drivers\ssoftnt4.sys [2004-5-21 114944]
    S2 Symantec Core LC;Symantec Core LC;d:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-8-5 585728]
    S3 CX88VID;Conexant 2388x AvStream Video Capture;d:\windows\system32\drivers\cxavsvid.sys [2007-6-18 286720]
    S3 cxbu0wdm;CardMan 3x21;d:\windows\system32\drivers\cxbu0wdm.sys [2008-1-15 97792]
    S3 fsssvc;Windows Live Family Safety Service;d:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
    S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;d:\windows\system32\drivers\SWUSBFLT.SYS [2007-6-17 3968]
    S3 USBDFU;USBDFU;d:\windows\system32\drivers\usbdfu.sys --> d:\windows\system32\drivers\usbdfu.sys [?]
    S3 V0060VID;Creative WebCam Live! Ultra;d:\windows\system32\drivers\V0060Vid.sys [2007-7-1 196409]
    S3 WinRM;Windows Remote Management (WS-Management);d:\windows\system32\svchost.exe -k WINRM [2003-7-16 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;d:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2011-04-06 19:14:52 19 ----a-w- d:\docume~1\admini~1\locals~1\applic~1\ong.exe
    2011-04-05 18:10:39 656320 ----a-w- d:\windows\system32\drivers\pctEFA.sys
    2011-04-05 18:10:39 338880 ----a-w- d:\windows\system32\drivers\pctDS.sys
    2011-04-04 18:26:02 28752 ----a-w- d:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{368b78d7-6efe-4727-8404-a019636dc065}\MpKsl3bcf647a.sys
    2011-04-04 17:19:08 767952 ----a-w- d:\windows\BDTSupport.dll0443.old
    2011-04-04 17:19:08 767952 ----a-w- d:\windows\BDTSupport.dll
    2011-04-04 17:19:08 2000848 ----a-w- d:\windows\PCTBDCore.dll
    2011-04-04 17:19:08 1652688 ----a-w- d:\windows\PCTBDCore.dll0443.old
    2011-04-04 17:19:08 1533904 ----a-w- d:\windows\PCTBDRes.dll
    2011-04-04 17:19:08 149456 ----a-w- d:\windows\SGDetectionTool.dll0443.old
    2011-04-04 17:19:08 149456 ----a-w- d:\windows\SGDetectionTool.dll
    2011-04-04 17:16:23 251560 ----a-w- d:\windows\system32\drivers\pctgntdi.sys
    2011-04-04 17:16:17 239168 ----a-w- d:\windows\system32\drivers\PCTCore.sys
    2011-04-04 17:16:17 160448 ----a-w- d:\windows\system32\drivers\PCTAppEvent.sys
    2011-04-04 17:16:15 70536 ----a-w- d:\windows\system32\drivers\pctplsg.sys
    2011-04-04 17:16:07 -------- d-----w- d:\program files\Spyware Doctor
    2011-04-04 17:16:07 -------- d-----w- d:\program files\common files\PC Tools
    2011-04-04 17:16:07 -------- d-----w- d:\docume~1\alluse~1\applic~1\PC Tools
    2011-04-04 17:16:07 -------- d-----w- d:\docume~1\admini~1\applic~1\PC Tools
    2011-04-03 01:02:54 6792528 ----a-w- d:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{368b78d7-6efe-4727-8404-a019636dc065}\mpengine.dll
    2011-03-17 20:21:57 83249512 ----a-w- d:\program files\common files\windows live\.cache\wlcE8.tmp
    .
    ==================== Find3M ====================
    .
    2011-02-09 13:53:52 270848 ----a-w- d:\windows\system32\sbe.dll
    2011-02-09 13:53:52 186880 ----a-w- d:\windows\system32\encdec.dll
    2011-02-02 07:58:35 2067456 ----a-w- d:\windows\system32\mstscax.dll
    2011-01-27 11:57:06 677888 ----a-w- d:\windows\system32\mstsc.exe
    2011-01-21 14:44:37 439296 ----a-w- d:\windows\system32\shimgvw.dll
    2004-10-01 14:00:16 40960 ----a-w- d:\program files\Uninstall_CDS.exe
    .
    ============= FINISH: 20:29:20.45 ===============

  2. #2
    Senior Member
    Join Date
    Aug 2010
    Location
    Near Atlanta, GA
    Posts
    189

    Default

    Hello Triplerip and welcome to Safer Networking.
    I'm RedCar92 and my name is Bill, I'll be glad to help you with your computer problems.

    Please observe these rules while we work:
    • Read the entire procedure
    • It is important to perform ALL actions in sequence.
    • If you don't know, stop and ask! Don't keep going on.
    • Please reply to this thread. Do not start a new topic.
    • Stick with me till you're given the all clear. Malware removal can be stressful but we will clean it.
    • Remember, absence of symptoms does not mean the infection is all gone.
    • Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.


    Please be advised that, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice; this will be a team effort.
    This may cause a delay, but I will do my best to keep it as short as possible.

    Please bear with me, I will post back to you as soon as I can.

    IMPORTANT NOTE : Please do not delete anything unless instructed to.
    DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

    Doing so could make your pc inoperative and could require a full reinstall of your OS, losing all your programs and data.

    Stay with this topic until I give you the all clean post.

    Thanks,
    Bill
    In Training at WTT Classroom

  3. #3
    Junior Member
    Join Date
    Apr 2011
    Posts
    7

    Default Ready when you are...

    Thanks for your offer Bill. Happy to sign up on those ground rules. Ready when you are...

  4. #4
    Senior Member
    Join Date
    Aug 2010
    Location
    Near Atlanta, GA
    Posts
    189

    Default

    Hello Triplerip,
    Download GMER Rootkit Scanner from here or here.
    • Extract the contents of the zipped file to desktop.


    • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.


    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    • Save it where you can easily find it, such as your desktop, copy/paste in your reply.


    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


    Logs to post:
    GMER.txt

    Thanks
    Bill
    In Training at WTT Classroom

  5. #5
    Junior Member
    Join Date
    Apr 2011
    Posts
    7

    Default GMER output

    GMER 1.0.15.15570 - http://www.gmer.net
    Rootkit scan 2011-04-10 09:49:28
    Windows 5.1.2600 Service Pack 3
    Running: gmer.exe; Driver: D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kxddakog.sys


    ---- System - GMER 1.0.15 ----

    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF74326E6]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF7410F68]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF7411230]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF74330A0]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF743342A]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF7431924]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF743396E]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF7432AA4]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF74109D8]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!_abnormal_termination + 108 804E2774 5 Bytes [68, 0F, 41, F7, 30] {PUSH 0x30f7410f}
    .text ntoskrnl.exe!_abnormal_termination + 10E 804E277A 2 Bytes [41, F7]

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \FileSystem\Cdfs \Cdfs F2BAE400

    ---- EOF - GMER 1.0.15 ----

  6. #6
    Senior Member
    Join Date
    Aug 2010
    Location
    Near Atlanta, GA
    Posts
    189

    Default

    Hello Triplerip,
    Good news, no rootkit
    Next
    ***Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.***
    Download Combofix from any of the links below. Save it to your desktop.

    Link 1
    Link 2

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    • See this Link for programs that need to be disabled and instruction on how to disable them.
    • Remember to re-enable them when we're done.
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    *If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

    Thanks
    Bill
    In Training at WTT Classroom
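Added example, not part of Bill's post and not GMER's own code: a Python script that reads the SSDT and "Kernel code sections" lines from the GMER log posted above (copied into the script as constructed sample input) and performs the checks behind the "no rootkit" call. It groups the SSDT hooks by the module GMER attributed them to, lists any hook GMER could not tie to a named driver (the script assumes such a hook appears as a line with no parenthesised description; that is an assumption about GMER's output format, and every hook in this log is attributed), and decodes the patched bytes GMER reported under ntoskrnl.exe!_abnormal_termination. The first four bytes, 68 0F 41 F7, are the little-endian value 0xF7410F68, which is exactly the ZwCreateProcess hook address in the SSDT list, and the bytes reported at +10C and +10E fit 0xF7411230, the ZwCreateProcessEx hook, so those two ".text" lines are service table entries that GMER has disassembled as if they were code ({PUSH 0x30f7410f}), not a separate kernel patch. Everything resolves to PCTCore.sys, the Spyware Doctor driver the DDS log shows being installed on 2011-04-04.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input: the SSDT and "Kernel code sections" lines from
# the GMER log posted earlier in this thread, copied verbatim.
SAMPLE_GMER = """\
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF74326E6]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF7410F68]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF7411230]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF74330A0]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF743342A]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF7431924]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF743396E]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF7432AA4]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF74109D8]
.text ntoskrnl.exe!_abnormal_termination + 108 804E2774 5 Bytes [68, 0F, 41, F7, 30] {PUSH 0x30f7410f}
.text ntoskrnl.exe!_abnormal_termination + 10E 804E277A 2 Bytes [41, F7]
"""

# "SSDT <module> (<description/vendor>) <ZwFunction> [0x<hook address>]".
# The parenthesised part is optional: the script assumes (an assumption about
# GMER's format) that a hook GMER cannot attribute to a named driver has none.
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?"
    r"\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]$")

# ".text <symbol> + <offset> <address> <n> Bytes [<b0>, <b1>, ...] ..."
PATCH_RE = re.compile(
    r"^\.text\s+(?P<sym>\S+)\s+\+\s+[0-9A-Fa-f]+\s+(?P<addr>[0-9A-Fa-f]{8})"
    r"\s+\d+\s+Bytes\s+\[(?P<bytes>[^\]]*)\]")


@dataclass
class Hook:
    module: str   # driver GMER says owns the hook address
    desc: str     # "description/vendor" text, empty when unattributed
    func: str     # hooked Zw* system service
    addr: int     # address the SSDT slot now points to


def parse_hooks(text: str) -> List[Hook]:
    hooks = []
    for line in text.splitlines():
        m = SSDT_RE.match(line.strip())
        if m:
            hooks.append(Hook(m.group("module"), m.group("desc") or "",
                              m.group("func"), int(m.group("addr"), 16)))
    return hooks


def hooks_by_module(hooks: List[Hook]) -> Dict[str, List[str]]:
    """Which driver hooks which services; a single known security product is the benign case."""
    out: Dict[str, List[str]] = defaultdict(list)
    for h in hooks:
        out[h.module].append(h.func)
    return dict(out)


def unattributed(hooks: List[Hook]) -> List[Hook]:
    """Hooks GMER could not tie to a named driver: the ones that deserve real suspicion."""
    return [h for h in hooks if not h.desc]


def parse_patched_bytes(text: str) -> Dict[int, int]:
    """Kernel address -> byte, for every byte GMER reports as differing from the on-disk image."""
    mem: Dict[int, int] = {}
    for line in text.splitlines():
        m = PATCH_RE.match(line.strip())
        if not m:
            continue
        base = int(m.group("addr"), 16)
        for i, b in enumerate(m.group("bytes").split(",")):
            mem[base + i] = int(b.strip(), 16)
    return mem


def explain_patches(mem: Dict[int, int], hooks: List[Hook]) -> List[Tuple[int, str, int]]:
    """For each 4-byte slot touched by a reported patch, look for an SSDT hook
    address whose little-endian encoding agrees with every byte GMER reported
    in that slot (at least two bytes, to avoid one-byte coincidences). A match
    means the "code" GMER disassembled is a table entry holding that pointer."""
    matches = []
    for slot in sorted({a & ~3 for a in mem}):
        known = [i for i in range(4) if slot + i in mem]
        if len(known) < 2:
            continue
        for h in hooks:
            want = h.addr.to_bytes(4, "little")
            if all(mem[slot + i] == want[i] for i in known):
                matches.append((slot, h.func, h.addr))
    return matches


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_GMER)
    for module, funcs in hooks_by_module(hooks).items():
        print(f"{module}: {len(funcs)} SSDT hooks ({', '.join(funcs)})")
    print("unattributed hooks:", [h.func for h in unattributed(hooks)] or "none")
    for slot, func, addr in explain_patches(parse_patched_bytes(SAMPLE_GMER), hooks):
        print(f"bytes at {slot:08X} are the {func} hook pointer 0x{addr:08X}")
```

The same correlation is what you would do by hand before accepting a "no rootkit" verdict: every hook belongs to one driver whose vendor matches software the DDS log shows being installed days earlier, and the only "patched code" GMER found is that driver's own pointers sitting in the service table. A hook with no attribution, or a patch whose bytes match none of the listed hooks, is the case that would need the file pulled and examined.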

  7. #7
    Junior Member
    Join Date
    Apr 2011
    Posts
    7

    Default ComboFix output

    Hello Bill

    Since I could not boot to Safe Mode with Networking, I chose to run ComboFix from the Safe Mode command prompt. It turned out I did not have the Recovery Console installed, and as I did not have the network drivers loaded I could not download it from the Microsoft site. I continued the scan and this produced the first log file.

    I then decided to try running in Safe Mode with Networking. This time I was able to start up ComboFix without the malware taking control. I was able to install the Recovery Console and proceeded with the scan. This produced the second log file.

    I await your analysis and advice on next steps.

    thank you

  8. #8
    Senior Member
    Join Date
    Aug 2010
    Location
    Near Atlanta, GA
    Posts
    189

    Default

    Hello Triplerip,

    Next

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the quotebox below into it:

    DDS::
    BHO: {14A6B963-7C6C-414B-B5BD-9CD0929F928F} - No File Fake Alert
    BHO: {58472BC6-BEA3-42d4-8917-7A8BCB0711B5} - No File Rogue Security
    mRun: [Windows UDP Control Center] fxsteller.exe Backdoor Trojan
    STS: {d1577581-2ed7-469f-99b1-72c1339e0ee0} - No File
    Save this as "CFScript.txt", with Save as type: All Files (*.*), in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

    Next
    Please go to one of the below sites to scan the following files:
    jotti.org
    Kaspersky Virus File Scanner
    Virus Total

    click on Browse, and upload the following file for analysis:
    d:\documents and settings\Administrator\Local Settings\Application Data\ong.exe

    Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.
    If it says already scanned -- click "reanalyze now"
    Please post the results in your next reply.

    Logs to post:
    • Combofix.txt
    • File scan results
    • How is your PC behaving now



    Thanks
    Bill
    In Training at WTT Classroom
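Added example, not part of Bill's post and not DDS's own code: a Python script that applies the same triage rules Bill used on the DDS log to a constructed sample made of lines copied from the log in post #1. It flags (1) BHO/TB/STS entries that end in "- No File", i.e. CLSIDs still registered for a DLL that is gone, which is what the two BHOs and the STS entry in the CFScript are; (2) Run entries whose value is a bare filename with no path, such as fxsteller.exe, which Windows resolves through the search path at logon so the log alone does not tell you where the file lives; (3) IE search providers pointing at some host, which in this log is internetsearchservice.com, for the user to confirm; and (4) executables created under a user profile in the last 30 days, such as the 19-byte ong.exe that Bill asked to have scanned. These are review prompts, not verdicts: legitimate software trips the same rules (KHALMNPR.EXE from Logitech is a bare-filename Run entry in this log, and Microsoft Security Essentials writes its definition drivers under All Users\Application Data), so each hit still needs the file located and checked.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: lines copied from the DDS log in post #1 of this
# thread, chosen so that each rule below has something to match and something
# to leave alone. The real log is several hundred lines.
SAMPLE_DDS = r"""
mSearch Bar = hxxp://internetsearchservice.com/ie6.html
mSearchURL = hxxp://internetsearchservice.com
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - d:\program files\orbitdownloader\orbitcth.dll
BHO: {14A6B963-7C6C-414B-B5BD-9CD0929F928F} - No File
BHO: {58472BC6-BEA3-42d4-8917-7A8BCB0711B5} - No File
mRun: [IAAnotif] d:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Windows UDP Control Center] fxsteller.exe
mRun: [MSC] "d:\program files\microsoft security client\msseces.exe" -hide -runkey
STS: {d1577581-2ed7-469f-99b1-72c1339e0ee0} - No File
2011-04-06 19:14:52 19 ----a-w- d:\docume~1\admini~1\locals~1\applic~1\ong.exe
2011-04-05 18:10:39 656320 ----a-w- d:\windows\system32\drivers\pctEFA.sys
"""

# DDS line shapes used below (u/m/d prefix = user, machine, default hive).
RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
ORPHAN_RE = re.compile(r"^(?:BHO|TB|EB|STS|SEH|SSODL|Notify|uURLSearchHooks): .*- No File$")
SEARCH_RE = re.compile(r"^mSearch[\w ]*= hxxp://(?P<host>[^/\s]+)", re.IGNORECASE)
CREATED_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+(?P<size>\d+)\s+\S+\s+"
    r"(?P<path>.+\.(?:exe|dll|sys|scr|com))$", re.IGNORECASE)
PROFILE_DIRS = ("\\docume~1\\", "\\documents and settings\\")


@dataclass
class Finding:
    rule: str
    line: str
    note: str


def run_target(cmd: str) -> str:
    """The executable part of a Run value: the quoted path, else the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def is_bare_filename(target: str) -> bool:
    """No drive, directory or environment variable: resolved via the search path at logon."""
    return "\\" not in target and ":" not in target and not target.startswith("%")


def triage(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            target = run_target(m.group("cmd"))
            if is_bare_filename(target):
                findings.append(Finding("bare_run_target", line,
                    f"{target} is given without a path; find the file on disk and check it"))
            continue
        if ORPHAN_RE.match(line):
            findings.append(Finding("orphaned_clsid", line,
                "CLSID still registered but its DLL is gone; leftover of a removed or self-deleting component"))
            continue
        m = SEARCH_RE.match(line)
        if m:
            findings.append(Finding("search_override", line,
                f"IE search provider points at {m.group('host')}; confirm the user chose it"))
            continue
        m = CREATED_RE.match(line)
        if m and any(d in m.group("path").lower() for d in PROFILE_DIRS):
            size = int(m.group("size"))
            note = "executable created under a user profile in the last 30 days"
            if size < 1024:
                note += f"; only {size} bytes, far smaller than any valid PE image"
            findings.append(Finding("profile_executable", line, note))
    return findings


def counts(findings: List[Finding]) -> dict:
    out: dict = {}
    for f in findings:
        out[f.rule] = out.get(f.rule, 0) + 1
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.rule}] {f.line}\n    {f.note}")
```

Run against the full log, the script reproduces Bill's four CFScript lines and the ong.exe upload request, and also raises a handful of benign hits (RunDLL32.exe for the Creative webcam, the Logitech entry, MSE's definition driver) that a human has to clear by locating and identifying the files; that is the step no log parser can replace.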

  9. #9
    Junior Member
    Join Date
    Apr 2011
    Posts
    7

    Default ComboFix run + scanner output

    Bill

    I have attached the results you requested as a zip file.

    I can now boot to safe mode with networking and fire up a browser without an issue. I haven't attempted a full reboot fearing the problem might recur.

    What's next?

    thank you again

    David

  10. #10
    Senior Member
    Join Date
    Aug 2010
    Location
    Near Atlanta, GA
    Posts
    189

    Default

    Hello Triplerip,
    Looking better, I think you can safely boot up in normal mode now.

    Your logs indicate that you have Peer-to-Peer software installed on your PC. Peer-to-Peer sites like LimeWire are a major source of malware problems. It is in your best interest to avoid the sites. I strongly recommend that you remove this (these) program(s) by:
    • Click Start
    • Click Control Panel
    • Click Add/Remove Programs
    • Select Limewire 4.16.6 program
    • Click Remove

    Note: Often removal questions are stated so as to dissuade you from removing the program, please be careful.
    Should you decide not to remove Peer-to-Peer software, do not use it until we are done. Continued use of this software will eventually infect you again. Continued use may result in no help received from WTT in the future.

    Next
    Please download Malwarebytes' Anti-Malware from Here.

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
      If an update is found, it will download and install the latest version.
      Once the program has loaded, select "Perform Quick Scan", then click Scan.
      The scan may take some time to finish, so please be patient.
      When the scan is complete, click OK, then Show Results to view the results.
      Make sure that everything is checked, and click Remove Selected.
      When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
      The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
      Copy&Paste the entire report in your next reply.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


    Next
    Please use Internet Explorer to download and run the following scan: Eset Online Scanner
    • Place a check mark in the box YES, I accept the Terms Of Use
    • Click the Start button.
    • Now click the Install button.
    • Click Start. The scanner engine will initialize and update.
    • Do Not place a check mark in the box beside Remove found threats.
    • Click the Scan button. The scan will now run, please be patient.
    • When the scan finishes click on List of found threats.
    • Click Export to text file
    • Copy and paste the contents of the C:\Program Files\ESET\log.txt into your next reply.


    Logs to Post:
    • mbam.txt
    • Eset result
    • How is your PC behaving now.

    Thanks
    Bill
    In Training at WTT Classroom
