PDA

View Full Version : My computer is overloaded with malware. PLEASE HELP



Scofield
2009-06-02, 02:28
My brother stayed with me last night, and when I came home from work my computer is completely over run with malware. I cannot access any programs, and my background is changed to some warning about being infected. I am getting constant pop ups as well. I cannot run Spybot S&D, but I did manage a HJT log file from safe mode. PLease help my guys. You have helped me in the past and it is so very appreciated. Thank you all in advance!

Hmmm... well now I am in regular mode and I cannot access my HJT log file. Any suggestions on how I can get you guys the information you need?

Blade81
2009-06-02, 21:16
Hi Scofield,

Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.

Scofield
2009-06-05, 00:51
Hi and thanks for the response. I tried to run DDS, however every program that I attempt to run won't start. I get a pop up that says the application cannot run because it is infected, please activate your antivirus software. The "antivirus software" is something called "system securtity" with a black and yellow sheild as the icon. Spybot won't start in safe mode, and any thing I download in regular mode doesn't show up in safe mode. System Restore is disabled, and I cannot re enable because no program will open. Please any suggestions from here would be a god send.

Blade81
2009-06-05, 18:56
Hi,

Are you able to run DDS in safe mode (save it to root of your system drive, e.g. C:\ )?

Scofield
2009-06-06, 04:44
I will attempt to. Thanks for helping me blade.... I will post results as soon as I can. If I can just get my foot in the door then we can disable this thing.

Blade81
2009-06-06, 14:09
Ok. Let me know how that goes :)

Scofield
2009-06-06, 16:52
Hi. okay, here goes.... DDS.txt
DDS (Ver_09-05-14.01) - NTFSx86 NETWORK
Run by goodpaster at 9:46:45.37 on Sat 06/06/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.309 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\goodpaster\Local Settings\Temporary Internet Files\Content.IE5\3DBLR3GR\dds[1].scr

============== Pseudo HJT Report ===============

BHO: {0116d7b9-51a9-4cb6-bd04-3164753824c8} - c:\windows\system32\ativvax.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PowerMenu] "%systemroot%\system32\powermenu.exe" -hideself on
mRun: [LTMSG] LTMSG.exe 7
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [13182504] c:\documents and settings\all users\application data\13182504\13182504.exe
mRun: [93192496] c:\documents and settings\all users\application data\93192496\93192496.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/0/5/7/05796dde-b2ba-4eef-8da4-f99c7e0c9b92/LegitCheckControl.cab
DPF: {3334504D-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} - hxxp://musicstore.connect.com/XSL/mb_us//html/activexplayer/SMALStreaming.cab
DPF: {41ACD49D-1974-791A-0981-AA9872721044} - hxxp://67.15.101.3/g_bin/eng/boards_2_0_0_30.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132360301408
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139528139484
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

============= SERVICES / DRIVERS ===============

S2 ipfw;ipfw_helper;c:\windows\system32\13012.exe [2009-6-1 48128]
S2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2003-5-2 30208]
S2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2003-5-21 610304]
S3 ip_fw;ipfw kernel-mode driver;c:\windows\system32\drivers\ip_fw.sys [2009-6-1 28800]
S3 NAVAP;NAVAP;c:\progra~1\symant~1\symant~1\NAVAP.sys [2003-5-2 224256]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090529.003\NAVENG.sys [2009-5-29 89104]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090529.003\NAVEX15.sys [2009-5-29 876144]

=============== Created Last 30 ================

2009-06-04 17:44 115,716 a------- c:\windows\msb.exe
2009-06-02 17:55 <DIR> --dsh--- c:\documents and settings\goodpaster\PrivacIE
2009-06-02 00:20 <DIR> --dsh--- c:\documents and settings\goodpaster\IETldCache
2009-06-02 00:19 <DIR> --d----- c:\documents and settings\goodpaster
2009-06-01 07:30 97,792 a------- c:\windows\system32\ativvax.dll
2009-06-01 07:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\93192496
2009-06-01 07:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\13182504
2009-06-01 02:38 28,800 a------- c:\windows\system32\drivers\ip_fw.sys
2009-06-01 02:38 48,128 a------- c:\windows\system32\13012.exe
2009-06-01 02:37 123,908 a------- c:\windows\msa.exe
2009-06-01 02:37 135,684 a------- c:\windows\system32\msxml71.dll
2009-05-21 20:50 <DIR> -cd-h--- c:\windows\ie8
2009-05-21 20:27 294,912 -c------ c:\windows\system32\dllcache\msctf.dll

==================== Find3M ====================

2009-06-01 23:46 3,606 a------- c:\windows\system32\tmp.reg
2009-04-08 21:38 194,948 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2006-12-06 18:15 5,186,048 a------- c:\program files\WindowsDefender.msi

============= FINISH: 9:47:11.21 ===============
Attach.txt
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/23/2004 1:21:53 PM
System Uptime: 6/6/2009 9:25:51 AM (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | Stingray
Processor: Intel(R) Pentium(R) 4 CPU 2.60GHz | CPU 1 | 2600/200mhz
Processor: Intel(R) Pentium(R) 4 CPU 2.60GHz | CPU 1 | 2600/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 20 GiB total, 8.626 GiB free.
D: is FIXED (NTFS) - 92 GiB total, 46.74 GiB free.
W: is CDROM ()
Y: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1.1
Alt-Tab Task Switcher Powertoy for Windows XP
Calculator Powertoy for Windows XP
CDex extraction audio
CmdHere Powertoy For Windows XP
CopyProfile
Diagnostic Tool for the Microsoft VM
DVD Decoder Pak for Windows XP
Easy CD & DVD Creator 6
Fritz 5.32
Full Tilt Poker
GSpot Codec Information Appliance
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
HTML Slideshow Powertoy for Windows XP
Huffyuv AVI lossless video codec (Remove Only)
Image Resizer Powertoy for Windows XP
ISO Recorder
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 13
KBD
LiveUpdate 1.80 (Symantec Corporation)
Macromedia Shockwave Player
Magnifier Powertoy for Windows XP
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Bootvis
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft OpenType Font Properties Extension (Remove Only)
Microsoft SharePoint Migration Tool 2003
Microsoft Windows Journal Viewer
Microsoft Windows Media Video 9 VCM
Microsoft XML Parser
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 Parser and SDK
Nero - Burning Rom (Web installer)
NeroVision Express 2
No-IP.com DUC (remove only)
NVIDIA Display Driver
Panda ActiveScan
PartitionMagic
PokerStars
PowerQuest PartitionMagic 8.0
Powertoys for Windows XP - IEFind
PS2
Realtek AC'97 Audio
Remote Desktop Connection
Safety Alert 2006
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Spybot - Search & Destroy 1.4
Symantec AntiVirus Client
Target Context Menu (Remove Only)
Timershot Powertoy for Windows XP
TMPGEnc DVD Author 1.6
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Virtual Desktop Manager Powertoy for Windows XP
WebFldrs XP
WinAVIVideoConverter
Windows Defender Signatures
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Connect
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 9 Series TweakMP PowerToy
Windows Movie Maker 2.0
Windows Rights Management client
Windows Vista Upgrade Advisor
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
Windows XP Video Screensaver Powertoy
Windows XP Zoom Toy (remove only)
WinZip
XviD 1.1 final uninstall

==== Event Viewer Messages From Past Week ========

6/6/2009 6:11:00 AM, error: Service Control Manager [7022] - The Windows User Mode Driver Framework service hung on starting.
6/5/2009 9:33:29 PM, error: Dhcp [1002] - The IP address lease 98.28.132.136 for the Network Card with network address 000C6E468B2B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
6/5/2009 10:01:15 PM, error: Service Control Manager [7022] - The NVIDIA Display Driver Service service hung on starting.
6/4/2009 6:04:31 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm
6/2/2009 8:04:14 PM, error: Dhcp [1002] - The IP address lease 24.165.126.173 for the Network Card with network address 000C6E468B2B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
6/2/2009 7:57:29 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
6/2/2009 5:51:29 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The pipe has been ended.
6/2/2009 12:15:42 AM, error: Service Control Manager [7034] - The Windows Installer service terminated unexpectedly. It has done this 1 time(s).
6/1/2009 7:48:43 PM, error: Service Control Manager [7034] - The ipfw_helper service terminated unexpectedly. It has done this 1 time(s).
6/1/2009 7:30:27 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file wab.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.2180.
6/1/2009 7:18:51 PM, error: Service Control Manager [7034] - The Windows User Mode Driver Framework service terminated unexpectedly. It has done this 1 time(s).
6/1/2009 7:18:51 PM, error: Service Control Manager [7034] - The Symantec AntiVirus Client service terminated unexpectedly. It has done this 1 time(s).
6/1/2009 7:18:51 PM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
6/1/2009 7:18:51 PM, error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. It has done this 1 time(s).
6/1/2009 7:18:51 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
6/1/2009 7:18:51 PM, error: Service Control Manager [7034] - The DefWatch service terminated unexpectedly. It has done this 1 time(s).
6/1/2009 7:18:51 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
6/1/2009 7:18:51 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
6/1/2009 7:17:09 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
6/1/2009 7:15:58 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
6/1/2009 7:09:09 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
6/1/2009 7:09:09 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
6/1/2009 7:09:09 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/1/2009 7:09:09 PM, error: Service Control Manager [7001] - The ipfw_helper service depends on the ipfw kernel-mode driver service which failed to start because of the following error: The dependency service or group failed to start.
6/1/2009 7:09:09 PM, error: Service Control Manager [7001] - The ipfw kernel-mode driver service depends on the IP Traffic Filter Driver service which failed to start because of the following error: The dependency service or group failed to start.
6/1/2009 7:09:09 PM, error: Service Control Manager [7001] - The IP Traffic Filter Driver service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/1/2009 7:09:09 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/1/2009 7:09:09 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
6/1/2009 7:05:06 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
6/1/2009 6:54:46 PM, error: Service Control Manager [7034] - The IMAPI CD-Burning COM Service service terminated unexpectedly. It has done this 1 time(s).
6/1/2009 6:54:46 PM, error: Service Control Manager [7022] - The Java Quick Starter service hung on starting.
6/1/2009 6:53:24 PM, error: Service Control Manager [7000] - The Machine Debug Manager service failed to start due to the following error: The pipe state is invalid.
6/1/2009 12:32:04 PM, error: TermDD [50] - The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.
6/1/2009 11:43:46 AM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 8224d5b0, parameter3 8224d724, parameter4 80604450.

==== End Of File ===========================

Blade81
2009-06-06, 18:36
Good. Let's do some cleaning next :)

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log (taken in normal mode if possible).

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Scofield
2009-06-08, 00:29
Hiya Blade.... followed your instructions, hopefully did it right. Ran Combofix and am in normal mode now, with so far no sign of infection. Below is combofix log. Thanks!

ComboFix 09-06-07.01 - goodpaster 06/07/2009 17:14.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.380 [GMT -4:00]
Running from: c:\documents and settings\goodpaster\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\13182504
c:\documents and settings\All Users\Application Data\13182504\13182504.exe
c:\documents and settings\All Users\Application Data\13182504\13182504.glu
c:\documents and settings\All Users\Application Data\13182504\pc13182504cnf
c:\documents and settings\All Users\Application Data\13182504\pc13182504ins
c:\documents and settings\All Users\Application Data\93192496
c:\documents and settings\All Users\Application Data\93192496\93192496.exe
c:\documents and settings\goodpaster\Application Data\wiaserva.log
c:\windows\msa.exe
c:\windows\system32\13012.exe
c:\windows\system32\ativvax.dll
c:\windows\system32\drivers\ip_fw.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\mcrh.tmp
c:\windows\system32\msxml71.dll
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\wbem\grpconv.exe
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
c:\windows\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job

c:\windows\system32\grpconv.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\grpconv.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPFW
-------\Legacy_IP_FW
-------\Service_ip_fw
-------\Service_ipfw


((((((((((((((((((((((((( Files Created from 2009-05-07 to 2009-06-07 )))))))))))))))))))))))))))))))
.

2009-06-04 21:44 . 2009-06-04 21:44 115716 ----a-w- c:\windows\msb.exe
2009-06-02 21:55 . 2009-06-02 21:55 -------- d-sh--w- c:\documents and settings\goodpaster\PrivacIE
2009-06-02 04:22 . 2009-06-02 04:22 -------- d-----w- c:\documents and settings\goodpaster\Local Settings\Application Data\Symantec
2009-06-02 03:28 . 2009-06-02 03:28 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2009-06-01 23:32 . 2009-06-01 23:33 -------- d-----w- c:\program files\Windows Live Safety Center
2009-06-01 23:05 . 2009-06-01 23:05 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-05-23 00:00 . 2009-05-23 00:00 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-05-22 00:50 . 2009-05-22 00:52 -------- dc-h--w- c:\windows\ie8
2009-05-22 00:27 . 2008-02-26 11:59 294912 -c----w- c:\windows\system32\dllcache\msctf.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-04 22:09 . 2006-03-10 21:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-04 22:09 . 2006-03-10 21:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-02 04:22 . 2009-06-02 04:22 36784 ----a-w- c:\documents and settings\goodpaster\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-30 05:18 . 2009-04-12 21:15 -------- d-----w- c:\program files\Full Tilt Poker
2009-05-03 22:42 . 2004-11-12 23:09 -------- d-----w- c:\program files\LimeWire
2009-05-03 20:48 . 2004-11-12 23:08 -------- d-----w- c:\program files\Java
2009-04-21 02:10 . 2004-11-14 16:28 -------- d-----w- c:\program files\Hewlett-Packard
2009-04-21 02:08 . 2004-10-26 20:30 -------- d-----w- c:\program files\Common Files\InstallShield
2009-04-21 02:08 . 2004-10-26 20:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-04-21 02:08 . 2004-11-11 22:19 -------- d-----w- c:\program files\AIM
2009-04-21 02:05 . 2006-02-15 01:22 -------- d-----w- c:\program files\PokerStars
2009-04-16 01:45 . 2009-04-12 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-04-14 21:06 . 2009-04-14 21:06 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-04-14 21:04 . 2005-02-28 01:05 -------- d-----w- c:\program files\Common Files\Adobe
2009-04-14 20:55 . 2009-04-12 20:56 -------- d-----w- c:\program files\NOS
2009-04-12 20:45 . 2009-04-12 20:45 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-04-12 20:45 . 2009-04-12 20:45 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-04-12 20:45 . 2009-04-12 20:45 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-04-12 20:45 . 2009-04-12 20:45 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-04-09 01:38 . 2009-06-02 02:46 194948 ----a-w- c:\windows\PCHEALTH\HELPCTR\Config\Cache\Professional_32_1033.dat
2006-12-06 22:15 . 2006-12-06 22:15 5186048 ----a-w- c:\program files\WindowsDefender.msi
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CoolSwitch"="c:\windows\System32\taskswitch.exe" [2002-03-19 45632]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-02-23 3026944]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 90112]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2003-07-13 155648]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2004-11-12 65536]
"PowerMenu"="c:\windows\system32\powermenu.exe" [2002-12-20 57344]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"BluetoothAuthenticationAgent"="irprops.cpl" - c:\windows\system32\irprops.cpl [2004-08-04 380416]
"LTMSG"="LTMSG.exe" - c:\windows\ltmsg.exe [2003-07-14 40960]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0stera

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

BHO-{0116D7B9-51A9-4CB6-BD04-3164753824C8} - c:\windows\system32\ativvax.dll
HKLM-Run-QuickTime Task - c:\program files\QuickTime\qttask.exe
HKLM-Run-13182504 - c:\documents and settings\All Users\Application Data\13182504\13182504.exe
HKLM-Run-93192496 - c:\documents and settings\All Users\Application Data\93192496\93192496.exe
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-07 17:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2112)
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\SYMANT~1\SYMANT~1\DWHWizrd.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2009-06-07 17:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-07 21:25

Pre-Run: 9,195,847,680 bytes free
Post-Run: 9,196,482,560 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

156

Blade81
2009-06-08, 21:18
Hi again,

IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.


LimeWire


I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) if exists.



After that:

Uninstall these vulnerable Java versions:
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 9


Open notepad and copy/paste the text in the quotebox below into it:



File::
c:\windows\msb.exe

Folder::
c:\program files\LimeWire



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

Scofield
2009-06-10, 04:13
hi Blade. Okay, couldn't uninstall Limewire because it doesn't show up in the add/remove programs list. I was going to try manually but I want to follow your instructions first. Did everything else requested, the online scan revealed nothing on a critical systems scan. My log.txt file won't post because it's really large, keeps freezing up my computer. Not sure how to zip it. Here is my DDS.txt log. let me know how to proceed and thanks again!

DDS (Ver_09-05-14.01) - NTFSx86
Run by goodpaster at 22:41:11.42 on Mon 06/08/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.151 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\taskswitch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\LTMSG.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\goodpaster\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [PowerMenu] "%systemroot%\system32\powermenu.exe" -hideself on
mRun: [LTMSG] LTMSG.exe 7
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/0/5/7/05796dde-b2ba-4eef-8da4-f99c7e0c9b92/LegitCheckControl.cab
DPF: {3334504D-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} - hxxp://musicstore.connect.com/XSL/mb_us//html/activexplayer/SMALStreaming.cab
DPF: {41ACD49D-1974-791A-0981-AA9872721044} - hxxp://67.15.101.3/g_bin/eng/boards_2_0_0_30.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1244484597041
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1244484572212
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

============= SERVICES / DRIVERS ===============

R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2003-5-2 30208]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2003-5-21 610304]
R3 NAVAP;NAVAP;c:\progra~1\symant~1\symant~1\NAVAP.sys [2003-5-2 224256]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090607.004\NAVENG.sys [2009-6-7 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090607.004\NAVEX15.sys [2009-6-7 876144]

=============== Created Last 30 ================

2009-06-08 16:40 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-06-08 16:09 <DIR> --d----- c:\windows\system32\XPSViewer
2009-06-08 16:08 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-06-08 16:08 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-06-08 16:08 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-06-08 16:08 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-06-08 16:08 117,760 -------- c:\windows\system32\prntvpt.dll
2009-06-08 16:08 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-06-08 16:08 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-06-08 15:16 <DIR> --d----- c:\windows\system32\scripting
2009-06-08 15:16 <DIR> --d----- c:\windows\l2schemas
2009-06-08 15:16 <DIR> --d----- c:\windows\system32\en
2009-06-08 15:01 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-06-08 14:53 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2009-06-08 14:53 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-06-08 14:52 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-06-08 14:52 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-06-08 14:51 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-06-08 14:47 276,992 -------- c:\windows\system32\wmphoto.dll
2009-06-08 14:47 69,120 -------- c:\windows\system32\wlanapi.dll
2009-06-08 14:47 712,704 -------- c:\windows\system32\windowscodecs.dll
2009-06-08 14:47 346,112 -------- c:\windows\system32\windowscodecsext.dll
2009-06-08 14:47 53,248 -------- c:\windows\system32\tsgqec.dll
2009-06-08 14:47 50,688 -------- c:\windows\system32\tspkg.dll
2009-06-08 14:47 10,240 -------- c:\windows\system32\drivers\sffp_mmc.sys
2009-06-08 14:47 32,768 -------- c:\windows\system32\setupn.exe
2009-06-08 14:47 290,304 -------- c:\windows\system32\rhttpaa.dll
2009-06-08 14:47 61,952 -------- c:\windows\system32\rasqec.dll
2009-06-08 14:47 76,800 -------- c:\windows\system32\qutil.dll
2009-06-08 14:45 6,144 -------- c:\windows\system32\kbdiultn.dll
2009-06-08 14:44 233,472 -------- c:\windows\system32\azroles.dll
2009-06-08 14:44 136,192 -------- c:\windows\system32\aaclient.dll
2009-06-08 14:43 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-06-08 14:43 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2009-06-08 14:31 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-06-08 14:31 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-06-08 14:31 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-06-08 14:15 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-06-08 14:10 31,768 a------- c:\windows\system32\wucltui.dll.mui
2009-06-08 14:10 18,456 a------- c:\windows\system32\wuaueng.dll.mui
2009-06-08 14:10 23,576 a------- c:\windows\system32\wuaucpl.cpl.mui
2009-06-08 14:10 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-06-07 17:16 39,424 a------- c:\windows\system32\grpconv.exe
2009-06-07 17:13 <DIR> a-dshr-- C:\cmdcons
2009-06-07 17:12 161,792 a------- c:\windows\SWREG.exe
2009-06-07 17:12 155,136 a------- c:\windows\PEV.exe
2009-06-07 17:12 98,816 a------- c:\windows\sed.exe
2009-06-02 17:55 <DIR> --dsh--- c:\documents and settings\goodpaster\PrivacIE
2009-06-02 00:20 <DIR> --dsh--- c:\documents and settings\goodpaster\IETldCache
2009-06-02 00:19 <DIR> --d----- c:\documents and settings\goodpaster
2009-05-21 20:50 <DIR> -cd-h--- c:\windows\ie8

==================== Find3M ====================

2009-06-08 15:22 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2006-12-06 18:15 5,186,048 a------- c:\program files\WindowsDefender.msi

============= FINISH: 22:41:28.29 ===============

Blade81
2009-06-10, 17:12
Hi

Please see here (www.bleepingcomputer.com/tutorials/tutorial105.html) for a tutorial how to create zip archive. Then post the log as an attachment in your reply :)

Scofield
2009-06-11, 00:57
cool....think I got it this time. Log should be attached. still need to get rid of limewire i think. Thanks!

Blade81
2009-06-11, 17:44
still need to get rid of limewire i think.
See if c:\program files\limewire folder still exists. If it does, delete it.

Did you run Kaspersky online scanner yet (instructions posted a few posts earlier)?

Scofield
2009-06-12, 06:50
Okay, deleted Limewire folder from D drive. Ran a search afterward and deleted what else showed up. Ran the online scan and I'm sorry, but I don't think I'm posting the report correctly. I will try though.....

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, June 11, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, June 11, 2009 19:42:47
Records in database: 2337631
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
W:\
Y:\

Scan statistics:
Files scanned: 94153
Threat name: 2
Infected objects: 2
Suspicious objects: 3
Duration of the scan: 04:54:01


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EE00000.VBN Infected: Trojan-Downloader.Win32.Agent.cetp 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EE40000.VBN Infected: Trojan-Downloader.Win32.Agent.cetp 1
D:\Documents and Settings\Bobby Goodpaster\Local Settings\Temporary Internet Files\Content.IE5\64K9W4YD\deliver46860[1].htm Suspicious: Exploit.HTML.Mht 1
D:\Documents and Settings\Bobby Goodpaster\Local Settings\Temporary Internet Files\Content.IE5\64K9W4YD\deliver46860[2].htm Suspicious: Exploit.HTML.Mht 1
D:\Documents and Settings\Bobby Goodpaster\Local Settings\Temporary Internet Files\Content.IE5\EHTK2OMM\deliver46860[1].htm Suspicious: Exploit.HTML.Mht 1

The selected area was scanned.


Please advise and thanks yet again!

Blade81
2009-06-12, 16:49
You did just fine :)


Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Delete following files if found:
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EE00000.VBN
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EE40000.VBN
D:\Documents and Settings\Bobby Goodpaster\Local Settings\Temporary Internet Files\Content.IE5\64K9W4YD\deliver46860[1].htm
D:\Documents and Settings\Bobby Goodpaster\Local Settings\Temporary Internet Files\Content.IE5\64K9W4YD\deliver46860[2].htm
D:\Documents and Settings\Bobby Goodpaster\Local Settings\Temporary Internet Files\Content.IE5\EHTK2OMM\deliver46860[1].htm

Reboot and post a fresh dds.txt log. How's the system running?

Scofield
2009-06-13, 01:17
Hi Blade. Okay, I did everything insructed in your previous post. Below is the new DDS log. The system is running fantastic by the way. You're good at what you do! Thanks!



DDS (Ver_09-05-14.01) - NTFSx86
Run by goodpaster at 18:10:37.14 on Fri 06/12/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.241 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\taskswitch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\LTMSG.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\goodpaster\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [PowerMenu] "%systemroot%\system32\powermenu.exe" -hideself on
mRun: [LTMSG] LTMSG.exe 7
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/0/5/7/05796dde-b2ba-4eef-8da4-f99c7e0c9b92/LegitCheckControl.cab
DPF: {3334504D-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} - hxxp://musicstore.connect.com/XSL/mb_us//html/activexplayer/SMALStreaming.cab
DPF: {41ACD49D-1974-791A-0981-AA9872721044} - hxxp://67.15.101.3/g_bin/eng/boards_2_0_0_30.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1244484597041
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1244484572212
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

============= SERVICES / DRIVERS ===============

R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2003-5-2 30208]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2003-5-21 610304]
R3 NAVAP;NAVAP;c:\progra~1\symant~1\symant~1\NAVAP.sys [2003-5-2 224256]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090607.004\NAVENG.sys [2009-6-7 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090607.004\NAVEX15.sys [2009-6-7 876144]

=============== Created Last 30 ================

2009-06-10 03:05 <DIR> --d----- c:\windows\ie8updates
2009-06-09 18:20 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-09 18:20 1,985,024 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-06-09 18:20 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-09 18:20 11,064,832 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-06-08 16:40 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-06-08 16:09 <DIR> --d----- c:\windows\system32\XPSViewer
2009-06-08 16:08 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-06-08 16:08 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-06-08 16:08 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-06-08 16:08 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-06-08 16:08 117,760 -------- c:\windows\system32\prntvpt.dll
2009-06-08 16:08 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-06-08 16:08 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-06-08 15:16 <DIR> --d----- c:\windows\system32\scripting
2009-06-08 15:16 <DIR> --d----- c:\windows\l2schemas
2009-06-08 15:16 <DIR> --d----- c:\windows\system32\en
2009-06-08 15:01 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-06-08 14:53 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2009-06-08 14:53 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-06-08 14:52 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-06-08 14:52 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-06-08 14:51 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-06-08 14:47 276,992 -------- c:\windows\system32\wmphoto.dll
2009-06-08 14:47 69,120 -------- c:\windows\system32\wlanapi.dll
2009-06-08 14:47 712,704 -------- c:\windows\system32\windowscodecs.dll
2009-06-08 14:47 346,112 -------- c:\windows\system32\windowscodecsext.dll
2009-06-08 14:47 53,248 -------- c:\windows\system32\tsgqec.dll
2009-06-08 14:47 50,688 -------- c:\windows\system32\tspkg.dll
2009-06-08 14:47 10,240 -------- c:\windows\system32\drivers\sffp_mmc.sys
2009-06-08 14:47 32,768 -------- c:\windows\system32\setupn.exe
2009-06-08 14:47 290,304 -------- c:\windows\system32\rhttpaa.dll
2009-06-08 14:47 61,952 -------- c:\windows\system32\rasqec.dll
2009-06-08 14:47 76,800 -------- c:\windows\system32\qutil.dll
2009-06-08 14:45 6,144 -------- c:\windows\system32\kbdiultn.dll
2009-06-08 14:44 233,472 -------- c:\windows\system32\azroles.dll
2009-06-08 14:44 136,192 -------- c:\windows\system32\aaclient.dll
2009-06-08 14:43 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-06-08 14:43 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2009-06-08 14:31 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-06-08 14:31 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-06-08 14:31 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-06-08 14:15 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-06-08 14:10 31,768 a------- c:\windows\system32\wucltui.dll.mui
2009-06-08 14:10 18,456 a------- c:\windows\system32\wuaueng.dll.mui
2009-06-08 14:10 23,576 a------- c:\windows\system32\wuaucpl.cpl.mui
2009-06-08 14:10 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-06-07 17:16 39,424 a------- c:\windows\system32\grpconv.exe
2009-06-07 17:13 <DIR> a-dshr-- C:\cmdcons
2009-06-07 17:12 161,792 a------- c:\windows\SWREG.exe
2009-06-07 17:12 155,136 a------- c:\windows\PEV.exe
2009-06-07 17:12 98,816 a------- c:\windows\sed.exe
2009-06-02 17:55 <DIR> --dsh--- c:\documents and settings\goodpaster\PrivacIE
2009-06-02 00:20 <DIR> --dsh--- c:\documents and settings\goodpaster\IETldCache
2009-06-02 00:19 <DIR> --d----- c:\documents and settings\goodpaster
2009-05-21 20:50 <DIR> -cd-h--- c:\windows\ie8

==================== Find3M ====================

2009-06-08 15:22 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2006-12-06 18:15 5,186,048 a------- c:\program files\WindowsDefender.msi

============= FINISH: 18:11:54.31 ===============

Blade81
2009-06-13, 13:53
Thanks for the compliments :)

Well congrats, it appears your system is all clean Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis



We need to re hide system files. To do so, please follow the steps below:
Double-click My Computer. Click the Tools menu, and then click Folder Options. Click the View tab.
Put a check by
Hide file extensions for known file types.
Under the
Hidden files
folder, select
Show hidden files and folders.
Check
Hide protected operating system files.
Click Apply, and then click OK.


Now lets uninstall ComboFix:

Click START then RUN
Now type "c:\documents and settings\goodpaster\Desktop\ComboFix.exe" /u in the runbox and click OK



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.


hosts file:
Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen) Click run In the dialog box, type services.msc hit enter, then locate dns client Highlight it, then double-click it. On the dropdown box, change the setting from automatic to manual. Click ok

Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free (http://www.tallemu.com/free-firewall-protection-software.html) or Comodo Firewall Pro (http://www.personalfirewall.comodo.com/download_firewall.html#fw3.0) (If you choose Comodo: Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and install firewall ONLY!). Both providers have support forums that help with configuration related questions.



Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:

Blade81
2009-06-20, 13:57
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.