Need next instruction for Malware Removal



godalmighty69
2009-08-27, 19:27
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:29 AM, on 8/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Alltel\QuickLink Mobile\QuickLink Mobile.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: runit_32.lnk = C:\Program Files\runit\runit_32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_14.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_14.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} -
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237576612728
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1243147641750
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D33C83D-B171-48F0-9ADF-680A56E450A4}: NameServer = 75.116.127.154 75.116.63.154
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D33C83D-B171-48F0-9ADF-680A56E450A4}: NameServer = 75.116.127.154 75.116.63.154
O20 - AppInit_DLLs: C:\WINDOWS\System32\dssec32.dll,C:\WINDOWS\System32\ddraw32.dll
O20 - Winlogon Notify: f8629a1e598 - C:\WINDOWS\System32\dssec32.dll (file missing)
O20 - Winlogon Notify: f8629a1e658 - C:\WINDOWS\System32\ddraw32.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 5535 bytes

Blade81
2009-08-28, 21:50
Hi,

Is this your personal computer?

godalmighty69
2009-08-29, 16:18
Hi,

Is this your personal computer?


Answer: Yes, this is my personal computer

Blade81
2009-08-29, 19:11
Ok. Let's have a closer look then.


Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double-click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.



Download GMER (http://www.gmer.net) by clicking the download exe button and then saving it to your desktop:
Double-click the .exe that you downloaded.
Click the Rootkit tab and then Scan.
Don't check the Show All box while scanning is in progress!
When the scan is finished, click Copy.
This copies the log to the clipboard.
Post the log in your reply.

godalmighty69
2009-08-29, 19:37
DDS (Ver_09-07-30.01) - NTFSx86
Run by User at 11:31:21.93 on Sat 08/29/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.382.81 [GMT -5:00]

AV: Windows Live OneCare *On-access scanning disabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *disabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alltel\QuickLink Mobile\QuickLink Mobile.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Bar =
uSearch Page =
mSearchAssistant =
mURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot\spybot~1\SDHelper.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SpybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck /autofix
mRun: [OneCareUI] "c:\program files\microsoft windows onecare live\winssnotify.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\user\startm~1\programs\startup\quickl~1.lnk - c:\program files\alltel\quicklink mobile\QuickLink Mobile.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_14.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot\spybot~1\SDHelper.dll
DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4}
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237576612728
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1243147641750
DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: {0D33C83D-B171-48F0-9ADF-680A56E450A4} = 75.116.127.154 75.116.63.154
Notify: f8629a1e598 - c:\windows\system32\dssec32.dll
Notify: f8629a1e658 - c:\windows\system32\ddraw32.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\dssec32.dll,c:\windows\system32\ddraw32.dll
LSA: Authentication Packages = msv1_0 nwprovau

============= SERVICES / DRIVERS ===============

R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\microsoft windows onecare live\OcHealthMon.exe [2009-7-9 26104]
R3 PTDLBus;PANTECH UM175AL Composite Device Driver;c:\windows\system32\drivers\PTDLBus.sys [2009-5-19 32256]
R3 PTDLMdm;PANTECH UM175AL Drivers;c:\windows\system32\drivers\PTDLMdm.sys [2009-5-19 41344]
R3 PTDLVsp;PANTECH UM175AL Diagnostic Port;c:\windows\system32\drivers\PTDLVsp.sys [2009-5-19 39936]
R3 PTDLWWAN;PANTECH UM175AL WWAN Driver;c:\windows\system32\drivers\PTDLWWAN.sys [2009-5-19 59776]
S2 kihist;kihist;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
S2 naocj;Update Helper;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
S3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);c:\windows\system32\drivers\cmo_bus.sys [2008-12-11 58352]
S3 cmo_mdfl;Data Modem @ CDMA Filter;c:\windows\system32\drivers\cmo_mdfl.sys [2008-12-11 8304]
S3 cmo_mdm;Data Modem @ CDMA Drivers;c:\windows\system32\drivers\cmo_mdm.sys [2008-12-11 93904]
S3 cmo_serd;Data Modem @ CDMA Diagnostic Serial Port (WDM);c:\windows\system32\drivers\cmo_serd.sys [2008-12-11 73696]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys --> c:\windows\system32\drivers\ewusbnet.sys [?]

============== File Associations ===============

VBSFile=%WINDIR%\System32\CScript.exe //nologo "%1" %*

=============== Created Last 30 ================

2009-08-29 08:26 <DIR> --d----- c:\program files\Spybot
2009-08-28 13:24 <DIR> --d----- c:\windows\SxsCaPendDel
2009-08-28 08:13 <DIR> --dsh--- c:\documents and settings\user\IECompatCache
2009-08-28 08:11 <DIR> --dsh--- c:\documents and settings\user\PrivacIE
2009-08-28 07:22 <DIR> --dsh--- c:\documents and settings\user\IETldCache
2009-08-28 07:18 100,352 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-08-28 07:16 <DIR> --d----- c:\windows\ie8updates
2009-08-28 07:15 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-08-28 07:15 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-08-28 07:07 <DIR> -cd-h--- c:\windows\ie8
2009-08-28 06:30 4,153 a------- C:\fix.reg
2009-08-24 00:13 268,648 a------- c:\windows\system32\mucltui.dll
2009-08-24 00:13 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-08-23 06:45 91,328 a------- c:\windows\system32\drivers\msfwdrv.sys
2009-08-23 06:45 116,416 a------- c:\windows\system32\drivers\msfwhlpr.sys
2009-08-23 06:42 53,168 a------- c:\windows\system32\drivers\MpFilter.sys
2009-08-23 06:36 <DIR> --d----- c:\program files\Microsoft Windows OneCare Live
2009-08-22 06:31 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-08-21 09:58 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-21 09:54 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-21 09:54 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-21 09:54 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-21 09:54 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-21 09:54 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-21 09:54 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-08-21 09:54 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-21 09:54 <DIR> --d----- C:\6f6b5f0da4264d87e011e22fee34eb1d
2009-08-18 12:43 <DIR> --d----- c:\docume~1\user\applic~1\IPublish
2009-08-18 12:43 377 a------- c:\windows\ipublish.ini
2009-08-18 12:43 <DIR> --d----- c:\program files\IPRO Tech
2009-08-14 00:31 69,697 a------- c:\windows\hfaot67545.exe
2009-08-14 00:31 69,697 a------- c:\windows\npwc74272.exe
2009-08-14 00:30 889,078 a------- c:\windows\xigr5657.exe
2009-08-14 00:30 889,078 a------- c:\windows\fjjil0160.exe
2009-08-13 23:28 17,428 a------- c:\windows\GnuHashes.ini
2009-08-13 23:18 <DIR> --dsh--- c:\windows\system32\SystemX86
2009-08-13 23:18 615 a------- c:\windows\system32\r6YzxMi4zXYWb8Z.vbs
2009-08-13 23:18 518,144 a--sh--- c:\windows\system32\15.tmp
2009-08-13 23:17 615 a------- c:\windows\system32\2fm3SQg.vbs
2009-08-13 22:53 4 a------- c:\docume~1\user\applic~1\NP.sys
2009-08-13 22:50 69,697 a------- c:\windows\wmqr64340.exe
2009-08-13 22:49 <DIR> --d----- c:\program files\runit
2009-08-13 22:49 69,697 a------- c:\windows\mbdk02062.exe
2009-08-13 22:49 <DIR> --d----- c:\program files\IEToolbar
2009-08-13 22:47 889,078 a------- c:\windows\qaxjt3355.exe
2009-08-13 22:46 889,078 a------- c:\windows\vmqq64340.exe
2009-08-11 23:47 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-11 23:47 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-05 04:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll

==================== Find3M ====================

2009-08-14 00:50 24,192 a------- c:\documents and settings\user\usbsermptxp.sys
2009-08-14 00:50 22,768 a------- c:\documents and settings\user\usbsermpt.sys
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-21 01:16 5,936 a------- c:\documents and settings\user\mqdmwhnt.sys
2009-07-21 01:16 79,328 a------- c:\documents and settings\user\mqdmserd.sys
2009-07-21 01:16 92,064 a------- c:\documents and settings\user\mqdmmdm.sys
2009-07-21 01:16 9,232 a------- c:\documents and settings\user\mqdmmdfl.sys
2009-07-21 01:16 4,048 a------- c:\documents and settings\user\mqdmcr.sys
2009-07-21 01:16 6,208 a------- c:\documents and settings\user\mqdmcmnt.sys
2009-07-21 01:16 66,656 a------- c:\documents and settings\user\mqdmbus.sys
2009-07-20 13:41 22,768 a------- c:\windows\system32\drivers\usbsermpt.sys
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 12:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-25 03:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 03:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 03:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 03:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 03:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 03:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-24 16:17 8,815,552 a------- c:\program files\windows-kb890830-v2.11.exe
2009-06-24 13:58 714,136 a------- c:\program files\JavaScript SunMicrosystems.exe
2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 07:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 07:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 09:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 01:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-06 03:02 157 a------- C:\xcrashdump.dat
2009-06-03 14:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-29 10:34 331,805,736 a------- c:\program files\WindowsXP-KB936929-SP3-x86-ENU.exe
2009-05-24 20:39 4,909,440 a------- c:\program files\Silverlight.2.0.exe
2009-02-19 13:50 53,518 a------- c:\program files\11-13-07_1501.3g2
2009-02-19 13:46 52,307,672 a------- c:\program files\AVSVideoConverter.exe
2008-12-20 15:08 5,166,072 a------- c:\program files\msgrplus.exe
2008-12-12 20:11 123 a------- c:\program files\ALLTEL Internet Accelerator Client setup.log
2009-05-29 12:49 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009052920090530\index.dat

============= FINISH: 11:32:19.98 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/8/2008 4:12:01 PM
System Uptime: 8/29/2009 7:06:57 AM (4 hours ago)

Motherboard: Hewlett-Packard | | 30AE
Processor: Mobile AMD Sempron(tm) Processor 3300+ | U23 | 1994/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 56 GiB total, 18.901 GiB free.
D: is CDROM ()
E: is CDROM (FAT)

==== Disabled Device Manager Items =============

Class GUID:
Description: PCI Modem
Device ID: PCI\VEN_1002&DEV_4378&SUBSYS_30AE103C&REV_02\3&13C0B0C5&0&A6
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_1002&DEV_4378&SUBSYS_30AE103C&REV_02\3&13C0B0C5&0&A6
Service:

==== System Restore Points ===================

RP33: 6/30/2009 11:18:17 PM - Unsigned driver install
RP34: 7/1/2009 7:33:15 AM - Unsigned driver install
RP35: 7/2/2009 2:20:06 PM - System Checkpoint
RP36: 7/3/2009 2:59:44 PM - System Checkpoint
RP37: 7/3/2009 4:27:50 PM - Unsigned driver install
RP38: 7/5/2009 3:48:19 AM - System Checkpoint
RP39: 7/6/2009 3:33:42 PM - System Checkpoint
RP40: 7/8/2009 1:36:03 PM - System Checkpoint
RP41: 7/9/2009 6:43:26 PM - System Checkpoint
RP42: 7/13/2009 6:28:47 AM - System Checkpoint
RP43: 7/14/2009 9:43:21 AM - System Checkpoint
RP44: 7/16/2009 6:37:11 AM - Software Distribution Service 3.0
RP45: 7/19/2009 11:59:25 AM - System Checkpoint
RP46: 7/20/2009 2:26:44 PM - System Checkpoint
RP47: 7/20/2009 11:55:52 PM - Unsigned driver install
RP48: 7/22/2009 3:41:48 PM - System Checkpoint
RP49: 7/26/2009 10:04:30 PM - System Checkpoint
RP50: 7/27/2009 11:05:32 PM - System Checkpoint
RP51: 7/29/2009 3:22:22 AM - Software Distribution Service 3.0
RP52: 7/29/2009 11:47:36 PM - Avg8 Update
RP53: 7/29/2009 11:53:29 PM - Avg8 Update
RP54: 7/31/2009 12:16:04 AM - System Checkpoint
RP55: 8/1/2009 2:54:14 AM - System Checkpoint
RP56: 8/2/2009 3:29:34 AM - System Checkpoint
RP57: 8/4/2009 12:06:38 AM - System Checkpoint
RP58: 8/5/2009 1:36:47 AM - System Checkpoint
RP59: 8/5/2009 5:36:13 AM - Removed HP Photosmart Essential
RP60: 8/5/2009 5:38:47 AM - Removed HPSU306Stub
RP61: 8/5/2009 5:39:18 AM - Removed HP Software Update
RP62: 8/6/2009 9:25:08 AM - System Checkpoint
RP63: 8/7/2009 9:52:44 AM - System Checkpoint
RP64: 8/8/2009 11:27:40 AM - System Checkpoint
RP65: 8/9/2009 10:42:49 PM - System Checkpoint
RP66: 8/11/2009 7:05:56 PM - System Checkpoint
RP67: 8/12/2009 5:43:55 AM - Software Distribution Service 3.0
RP68: 8/13/2009 6:13:05 AM - System Checkpoint
RP69: 8/14/2009 3:08:10 AM - Software Distribution Service 3.0
RP70: 8/15/2009 3:59:54 AM - System Checkpoint
RP71: 8/16/2009 1:05:08 AM - Spybot-S&D Spyware removal
RP72: 8/17/2009 3:02:47 AM - System Checkpoint
RP73: 8/18/2009 9:34:12 AM - System Checkpoint
RP74: 8/19/2009 5:58:57 PM - System Checkpoint
RP75: 8/20/2009 3:48:01 PM - Avg8 Update
RP76: 8/20/2009 3:50:34 PM - Avg8 Update
RP77: 8/21/2009 9:21:29 AM - Software Distribution Service 3.0
RP78: 8/22/2009 12:21:00 PM - System Checkpoint
RP79: 8/22/2009 4:44:48 PM - Removed AVG 8.5
RP80: 8/22/2009 4:56:03 PM - Installed AVG 8.5
RP81: 8/23/2009 5:54:30 AM - Software Distribution Service 3.0
RP82: 8/23/2009 1:17:06 PM - Microsoft OneCare Protection Checkpoint
RP83: 8/24/2009 10:17:05 PM - Software Distribution Service 3.0
RP84: 8/25/2009 9:42:16 PM - Installed AVG Free 8.5
RP85: 8/26/2009 6:37:58 PM - Configured AVG Free 8.5
RP86: 8/26/2009 6:51:58 PM - Configured AVG Free 8.5
RP87: 8/26/2009 10:49:27 PM - Removed AVG Free 8.5
RP88: 8/26/2009 10:53:38 PM - Installed AVG Free 8.5
RP89: 8/27/2009 3:00:26 AM - Software Distribution Service 3.0
RP90: 8/28/2009 6:50:36 AM - Software Distribution Service 3.0
RP91: 8/28/2009 12:15:14 PM - Software Distribution Service 3.0
RP92: 8/28/2009 12:41:44 PM - Software Distribution Service 3.0
RP93: 8/28/2009 1:24:27 PM - Removed Visual C++ 2008 x86 Runtime - (v9.0.30729)
RP94: 8/28/2009 1:30:34 PM - Removed Diskeeper 2009 Pro Premier.

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.1.3
Adobe Shockwave Player 11
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AVS Update Manager 1.0
AVS Video Converter 6
AVS4YOU Software Navigator 1.3
Broadcom 802.11 Wireless LAN Adapter
Citrix XenApp Web Plugin
Conexant AC-Link Audio
D1300_Help
eFax Messenger
Google Earth
GTOneCare
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
hph_readme
hph_software_req
Java(TM) 6 Update 14
Java(TM) 6 Update 7
LiveUpdate BVRP Software
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Protection Service
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Live OneCare Resources v2.5.2900.28
Microsoft Windows OneCare Live AntiSpyware and AntiVirus
Microsoft Windows OneCare Live v2.5.2900.28
Microsoft Windows OneCare Live v2.5.2900.28 Idcrl Install
mobile PhoneTools
Nero 6 Ultra Edition
NetWaiting
OpenOffice.org 3.0
palmOne
PANTECH UM175AL Driver
PowerDVD
PX Engine
QuickLink Mobile
QuickTime
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Spybot - Search & Destroy
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
WebFldrs XP
WebReg
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live OneCare
Windows Live OneCare safety scanner
Windows Resource Kit Tools - SubInAcl.exe
Windows XP Service Pack 3
XP Codec Pack

==== Event Viewer Messages From Past Week ========

8/29/2009 5:50:04 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Live OneCare service to connect.
8/26/2009 7:06:08 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the AVG Free8 E-mail Scanner service to connect.
8/26/2009 7:06:08 PM, error: Service Control Manager [7000] - The AVG Free8 E-mail Scanner service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/26/2009 12:01:50 PM, error: PlugPlayManager [12] - The device 'PANTECH UM175AL WWAN Driver #4' (USB\VID_106c&PID_3715&MI_03\6&27c99b97&0&8515) disappeared from the system without first being prepared for removal.
8/26/2009 11:55:42 AM, error: Dhcp [1002] - The IP address lease 192.168.239.131 for the Network Card with network address 0014A5E911FE has been denied by the DHCP server 172.17.16.10 (The DHCP Server sent a DHCPNACK message).
8/26/2009 11:53:05 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
8/26/2009 11:53:05 AM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/26/2009 11:51:26 AM, error: MSFWDrv [9] - The device, , did not respond within the timeout period.
8/26/2009 10:20:45 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
8/25/2009 6:11:05 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
8/25/2009 6:11:05 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/25/2009 6:10:32 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: BHDrvx86 IDSxpx86 SYMTDI
8/25/2009 6:10:32 AM, error: Service Control Manager [7023] - The Update Helper service terminated with the following error: The specified module could not be found.
8/25/2009 6:10:32 AM, error: Service Control Manager [7023] - The kihist service terminated with the following error: The specified module could not be found.
8/23/2009 8:49:10 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the COM+ System Application service to connect.
8/23/2009 8:49:10 AM, error: Service Control Manager [7000] - The COM+ System Application service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/23/2009 8:49:10 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service COMSysApp with arguments "" in order to run the server: {ECABAFBC-7F19-11D2-978E-0000F8757E2A}
8/23/2009 8:48:39 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IDSxpx86
8/23/2009 6:51:09 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the N360 service.
8/23/2009 3:19:18 PM, error: OneCareMP [1008] - Windows OneCare Live has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Vundo.BR&threatid=2147607924 Scan ID: {1C9C68D6-6DEE-4FB0-AC31-9D1D38EE0B00} Scan Type: AntiMalware User: OWNER-380E95A56\User Name: Trojan:Win32/Vundo.BR ID: 2147607924 Severity: Severe Category: Trojan Path: Action: Remove Error Code: 0x80508022 Error description: To finish removing spyware and other potentially unwanted software, restart the computer.
8/22/2009 6:26:35 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the sdCoreService service.
8/22/2009 2:36:07 PM, error: Service Control Manager [7034] - The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).
8/22/2009 11:04:03 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PC Tools Security Service service to connect.
8/22/2009 11:04:03 AM, error: Service Control Manager [7000] - The PC Tools Security Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

==== End Of File ===========================

Blade81
2009-08-29, 21:24
Did you attempt GMER yet?

godalmighty69
2009-08-30, 07:20
GMER 1.0.15.15077 [meh8cg1s.exe] - http://www.gmer.net
Rootkit scan 2009-08-29 23:12:06
Windows 5.1.2600 Service Pack 3


---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3716] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3716] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3716] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3716] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3716] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3716] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3716] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3716] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3716] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3800] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3800] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9521 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3800] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCB69 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3800] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3800] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2543F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3800] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3800] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3800] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3800] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3800] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3800] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3800] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3800] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED408 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3800] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E3F78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[3800] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip msfwhlpr.sys (OneCare Firewall Helper Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip msfwhlpr.sys (OneCare Firewall Helper Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp msfwhlpr.sys (OneCare Firewall Helper Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp msfwhlpr.sys (OneCare Firewall Helper Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp msfwhlpr.sys (OneCare Firewall Helper Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp msfwhlpr.sys (OneCare Firewall Helper Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp msfwhlpr.sys (OneCare Firewall Helper Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp msfwhlpr.sys (OneCare Firewall Helper Driver/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] naocj <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\naocj@DisplayName Update Helper
Reg HKLM\SYSTEM\CurrentControlSet\Services\naocj@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\naocj@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\naocj@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\naocj@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\naocj@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\naocj@Description Stores security information for local user accounts.
Reg HKLM\SYSTEM\CurrentControlSet\Services\naocj\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\naocj\Parameters@ServiceDll C:\WINDOWS\system32\iohxpwha.dll
Reg HKLM\SYSTEM\ControlSet002\Services\naocj@DisplayName Update Helper
Reg HKLM\SYSTEM\ControlSet002\Services\naocj@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\naocj@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\naocj@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\naocj@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\naocj@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\naocj@Description Stores security information for local user accounts.
Reg HKLM\SYSTEM\ControlSet002\Services\naocj\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\naocj\Parameters@ServiceDll C:\WINDOWS\system32\iohxpwha.dll
Reg HKLM\SYSTEM\ControlSet003\Services\naocj@DisplayName Update Helper
Reg HKLM\SYSTEM\ControlSet003\Services\naocj@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\naocj@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\naocj@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\naocj@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\naocj@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\naocj@Description Stores security information for local user accounts.
Reg HKLM\SYSTEM\ControlSet003\Services\naocj\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\naocj\Parameters@ServiceDll C:\WINDOWS\system32\iohxpwha.dll

---- EOF - GMER 1.0.15 ----

Blade81
2009-08-30, 11:28
Hi,


Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
Run Spybot-S&D in Advanced Mode. If it is not already set to do this, go to the Mode menu and select Advanced Mode.
On the left-hand side, click on Tools, then click on the Resident icon in the list.
Uncheck Resident TeaTimer and OK any prompts.
Restart your computer.


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html). Remember to re-enable them afterwards.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

godalmighty69
2009-08-30, 20:07
Hello Blade81,

"Run Spybot-S&D in Advanced Mode. If it is not already set to do this, go to the Mode menu and select Advanced Mode.
On the left-hand side, click on Tools, then click on the Resident icon in the list.
Uncheck Resident TeaTimer and OK any prompts.
Restart your computer."

I followed the instructions above, but I do not have the Windows XP CD to get the Recovery Console program ... What are my options?

Blade81
2009-08-30, 20:12
Hi,

As said in the tutorial, ComboFix should ask you for permission to install one :)

godalmighty69
2009-08-31, 03:01
Hi Blade81,
Below is the result of the ComboFix run ... Do I need to run the Hijack program as well?

ComboFix 09-08-30.01 - User 08/30/2009 17:53.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.382.160 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: Windows Live OneCare *On-access scanning disabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *disabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\User\APPLIC~1\020000007b3c7c04598C.manifest
c:\docume~1\User\APPLIC~1\020000007b3c7c04598O.manifest
c:\docume~1\User\APPLIC~1\020000007b3c7c04598P.manifest
c:\docume~1\User\APPLIC~1\020000007b3c7c04598S.manifest
c:\docume~1\User\APPLIC~1\020000007b3c7c04658C.manifest
c:\docume~1\User\APPLIC~1\020000007b3c7c04658O.manifest
c:\docume~1\User\APPLIC~1\020000007b3c7c04658P.manifest
c:\docume~1\User\APPLIC~1\020000007b3c7c04658S.manifest
c:\program files\IEToolbar
c:\program files\IEToolbar\Bullseye Tool Bar\basis.xml
c:\program files\IEToolbar\Bullseye Tool Bar\date2.html
c:\program files\IEToolbar\Bullseye Tool Bar\icons.bmp
c:\program files\IEToolbar\Bullseye Tool Bar\info.txt
c:\program files\IEToolbar\Bullseye Tool Bar\lw.crc
c:\program files\IEToolbar\Bullseye Tool Bar\lw.dll
c:\program files\IEToolbar\Bullseye Tool Bar\lwpopper.html
c:\program files\IEToolbar\Bullseye Tool Bar\popper3.html
c:\program files\IEToolbar\Bullseye Tool Bar\popup1.html
c:\program files\IEToolbar\Bullseye Tool Bar\popup2.html
c:\program files\IEToolbar\Bullseye Tool Bar\tbhelper.dll
c:\program files\IEToolbar\Bullseye Tool Bar\uninstall.exe
c:\program files\IEToolbar\Bullseye Tool Bar\version.txt
c:\program files\IEToolbar\Bullseye Tool Bar\your_logo.png
c:\program files\runit
c:\program files\runit\config.txt
c:\windows\fjjil0160.exe
c:\windows\GnuHashes.ini
c:\windows\hfaot67545.exe
c:\windows\mbdk02062.exe
c:\windows\npwc74272.exe
c:\windows\qaxjt3355.exe
c:\windows\system32\2fm3SQg.vbs
c:\windows\system32\Dl2Bc.vbs
c:\windows\system32\KSrPeVvsQcPaUL9.vbs
c:\windows\system32\r6YzxMi4zXYWb8Z.vbs
c:\windows\system32\SystemService32
c:\windows\system32\SystemService32\157.crack.zip.kwd
c:\windows\system32\SystemService32\158.keygen.zip.kwd
c:\windows\system32\SystemService32\159.serial.zip.kwd
c:\windows\system32\SystemService32\160.setup.zip.kwd
c:\windows\system32\SystemService32\161.music.au.kwd
c:\windows\system32\SystemService32\162.music.mp3.kwd
c:\windows\system32\SystemService32\163.music.wma.kwd
c:\windows\system32\SystemService32\164.music.snd.kwd
c:\windows\vmqq64340.exe
c:\windows\wmqr64340.exe
c:\windows\xigr5657.exe
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NWCWORKSTATION
-------\Service_NWCWorkstation


((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-30 )))))))))))))))))))))))))))))))
.

2009-08-29 13:26 . 2009-08-29 13:47 -------- d-----w- c:\program files\Spybot
2009-08-28 18:24 . 2009-08-28 18:43 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-28 13:13 . 2009-08-28 13:13 -------- d-sh--w- c:\documents and settings\User\IECompatCache
2009-08-28 13:11 . 2009-08-28 13:11 -------- d-sh--w- c:\documents and settings\User\PrivacIE
2009-08-28 12:28 . 2009-08-28 12:28 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-28 12:22 . 2009-08-28 12:22 -------- d-sh--w- c:\documents and settings\User\IETldCache
2009-08-28 12:18 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-08-28 12:16 . 2009-08-28 12:18 -------- d-----w- c:\windows\ie8updates
2009-08-28 12:15 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-08-28 12:15 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-28 12:07 . 2009-08-28 12:14 -------- dc-h--w- c:\windows\ie8
2009-08-28 11:30 . 2009-08-28 11:33 4153 ----a-w- C:\fix.reg
2009-08-24 05:13 . 2008-10-16 19:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-08-23 11:45 . 2007-11-28 03:56 91328 ----a-w- c:\windows\system32\drivers\msfwdrv.sys
2009-08-23 11:45 . 2007-11-28 03:56 116416 ----a-w- c:\windows\system32\drivers\msfwhlpr.sys
2009-08-23 11:42 . 2008-05-15 21:15 53168 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2009-08-23 11:36 . 2009-08-27 06:01 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2009-08-21 14:58 . 2009-08-21 14:58 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-21 14:57 . 2009-08-21 14:57 -------- d-----w- c:\program files\MSBuild
2009-08-21 14:57 . 2009-08-21 14:57 -------- d-----w- c:\program files\Reference Assemblies
2009-08-21 14:54 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-21 14:54 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-21 14:54 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-21 14:54 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-21 14:54 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-21 14:54 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-21 14:54 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-21 14:54 . 2009-08-21 14:55 -------- d-----w- C:\6f6b5f0da4264d87e011e22fee34eb1d
2009-08-18 17:43 . 2009-08-22 16:43 -------- d-----w- c:\docume~1\User\APPLIC~1\IPublish
2009-08-18 17:43 . 2009-08-18 17:43 -------- d-----w- c:\program files\IPRO Tech
2009-08-14 04:18 . 2009-08-23 20:19 -------- d-sh--w- c:\windows\system32\SystemX86
2009-08-12 04:47 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-30 15:44 . 2008-12-18 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-28 18:30 . 2008-12-09 01:13 -------- d-----w- c:\program files\Diskeeper Corporation
2009-08-28 18:26 . 2008-12-16 08:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-08-28 18:26 . 2008-12-16 08:48 -------- d-----w- c:\program files\Yahoo!
2009-08-28 18:23 . 2008-12-08 23:13 -------- d-----w- c:\program files\CONEXANT
2009-08-28 17:59 . 2008-12-08 22:19 33216 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-28 17:45 . 2009-01-19 10:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-28 17:21 . 2009-01-19 10:19 -------- d-----w- c:\program files\Microsoft Works
2009-08-27 03:17 . 2009-04-03 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-27 03:17 . 2009-04-03 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-27 03:15 . 2009-04-03 00:58 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-27 03:14 . 2009-04-03 01:00 -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-08-25 11:08 . 2009-05-25 01:40 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-23 16:05 . 2008-12-18 02:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-23 11:36 . 2009-03-26 21:20 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-22 11:46 . 2008-12-18 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-19 07:02 . 2009-02-19 18:46 -------- d-----w- c:\program files\AVS4YOU
2009-08-17 12:06 . 2009-08-17 08:07 160 ----a-w- c:\documents and settings\User\udpcrawl.tmp
2009-08-14 08:11 . 2008-12-17 22:35 -------- d-----w- c:\docume~1\User\APPLIC~1\LimeWire
2009-08-14 05:50 . 2009-06-30 06:11 24192 ----a-w- c:\documents and settings\User\usbsermptxp.sys
2009-08-14 05:50 . 2009-06-30 06:11 22768 ----a-w- c:\documents and settings\User\usbsermpt.sys
2009-08-14 04:18 . 2009-08-14 04:18 518144 --sha-w- c:\windows\system32\15.tmp
2009-08-14 03:53 . 2009-08-14 03:53 4 ----a-w- c:\docume~1\User\APPLIC~1\NP.sys
2009-08-05 11:50 . 2009-01-12 01:52 -------- d-----w- c:\program files\Google
2009-08-05 10:40 . 2008-12-22 19:30 -------- d-----w- c:\program files\HP
2009-08-05 09:01 . 2004-08-10 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-31 18:52 . 2008-12-20 20:09 -------- d-----w- c:\docume~1\User\APPLIC~1\eFax Messenger
2009-07-21 06:16 . 2009-07-20 14:59 5936 ----a-w- c:\documents and settings\User\mqdmwhnt.sys
2009-07-21 06:16 . 2009-07-20 14:59 79328 ----a-w- c:\documents and settings\User\mqdmserd.sys
2009-07-21 06:16 . 2009-07-20 14:59 92064 ----a-w- c:\documents and settings\User\mqdmmdm.sys
2009-07-21 06:16 . 2009-07-20 14:59 9232 ----a-w- c:\documents and settings\User\mqdmmdfl.sys
2009-07-21 06:16 . 2009-07-20 14:59 4048 ----a-w- c:\documents and settings\User\mqdmcr.sys
2009-07-21 06:16 . 2009-07-20 14:59 6208 ----a-w- c:\documents and settings\User\mqdmcmnt.sys
2009-07-21 06:16 . 2009-07-20 14:59 66656 ----a-w- c:\documents and settings\User\mqdmbus.sys
2009-07-20 18:41 . 2009-06-30 06:11 22768 ----a-w- c:\windows\system32\drivers\usbsermpt.sys
2009-07-17 19:01 . 2004-08-10 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 15:08 . 2004-08-10 12:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-10 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-10 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-10 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-10 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-10 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-10 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-10 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 21:17 . 2009-06-24 21:16 8815552 ----a-w- c:\program files\windows-kb890830-v2.11.exe
2009-06-24 18:58 . 2009-06-24 18:58 714136 ----a-w- c:\program files\JavaScript SunMicrosystems.exe
2009-06-24 11:18 . 2004-08-10 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-10 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-10 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-10 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-10 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:19 . 2008-12-08 21:50 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-10 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-10 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2004-08-10 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 12:59 . 2009-06-02 12:59 0 ----a-w- c:\windows\system32\10.tmp
2009-05-29 15:34 . 2009-05-29 13:27 331805736 ----a-w- c:\program files\WindowsXP-KB936929-SP3-x86-ENU.exe
2009-05-25 01:39 . 2009-05-25 01:39 4909440 ----a-w- c:\program files\Silverlight.2.0.exe
2009-02-19 18:50 . 2009-02-19 18:50 53518 ----a-w- c:\program files\11-13-07_1501.3g2
2009-02-19 18:46 . 2009-02-19 18:45 52307672 ----a-w- c:\program files\AVSVideoConverter.exe
2008-12-20 20:08 . 2008-12-20 20:03 5166072 ----a-w- c:\program files\msgrplus.exe
2008-12-13 01:11 . 2008-12-13 01:10 123 ----a-w- c:\program files\ALLTEL Internet Accelerator Client setup.log
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-07-09 65240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

c:\documents and settings\User\Start Menu\Programs\Startup\
QuickLink Mobile.lnk - c:\program files\Alltel\QuickLink Mobile\QuickLink Mobile.exe [2009-5-19 1525096]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^eFax 4.4.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\eFax 4.4.lnk
backup=c:\windows\pss\eFax 4.4.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=c:\windows\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Alltel\\QuickLink Mobile\\QuickLink Mobile.exe"=
"c:\\Program Files\\mobile PhoneTools\\mPhonetools.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [8/10/2004 7:00 AM 14336]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [7/9/2009 12:15 PM 26104]
R3 PTDLBus;PANTECH UM175AL Composite Device Driver;c:\windows\system32\drivers\PTDLBus.sys [5/19/2009 6:53 PM 32256]
R3 PTDLMdm;PANTECH UM175AL Drivers;c:\windows\system32\drivers\PTDLMdm.sys [5/19/2009 6:53 PM 41344]
R3 PTDLVsp;PANTECH UM175AL Diagnostic Port;c:\windows\system32\drivers\PTDLVsp.sys [5/19/2009 6:53 PM 39936]
R3 PTDLWWAN;PANTECH UM175AL WWAN Driver;c:\windows\system32\drivers\PTDLWWAN.sys [5/19/2009 6:53 PM 59776]
S2 kihist;kihist;c:\windows\system32\svchost.exe -k netsvcs [8/10/2004 7:00 AM 14336]
S2 naocj;Update Helper;c:\windows\system32\svchost.exe -k netsvcs [8/10/2004 7:00 AM 14336]
S3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);c:\windows\system32\drivers\cmo_bus.sys [12/11/2008 2:17 PM 58352]
S3 cmo_mdfl;Data Modem @ CDMA Filter;c:\windows\system32\drivers\cmo_mdfl.sys [12/11/2008 2:17 PM 8304]
S3 cmo_mdm;Data Modem @ CDMA Drivers;c:\windows\system32\drivers\cmo_mdm.sys [12/11/2008 2:17 PM 93904]
S3 cmo_serd;Data Modem @ CDMA Diagnostic Serial Port (WDM);c:\windows\system32\drivers\cmo_serd.sys [12/11/2008 2:17 PM 73696]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys --> c:\windows\system32\DRIVERS\ewusbnet.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
kihist
naocj

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-SpybotSnD - c:\program files\Spybot - Search & Destroy\SpybotSD.exe
HKLM-Run-Microsoft Default Manager - c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
Notify-f8629a1e598 - c:\windows\System32\dssec32.dll
Notify-f8629a1e658 - c:\windows\System32\ddraw32.dll
Notify-SSOExec - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
TCP: {0D33C83D-B171-48F0-9ADF-680A56E450A4} = 75.116.127.154 75.116.63.154
DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4}
.
.
------- File Associations -------
.
VBSFile=%WINDIR%\System32\CScript.exe //nologo "%1" %*
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-30 18:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\naocj]
"ServiceDll"="c:\windows\system32\iohxpwha.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1935655697-1682526488-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2836)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
c:\program files\Microsoft Windows OneCare Live\winss.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-30 18:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-30 23:20

Pre-Run: 20,126,789,632 bytes free
Post-Run: 20,065,701,888 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=60

330 --- E O F --- 2009-08-28 12:18

Blade81
2009-08-31, 09:12
Do I need to run the Hijack program as well?
Sorry, accidentally asked for hjt log while I meant fresh dds.txt log. Please post that one.

Blade81
2009-09-07, 11:39
Hi,

What's the status here?

godalmighty69
2009-09-09, 12:34
Hi Blade81,
I somehow got off track and am now going through and repeating the same series you had me do earlier. Thank you in advance for your patience...

Below are the DDS.txt and Attach.txt files.


DDS (Ver_09-07-30.01) - NTFSx86
Run by User at 4:18:23.90 on Wed 09/09/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.382.104 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alltel\QuickLink Mobile\QuickLink Mobile.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot\spybot~1\SDHelper.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_14.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot\spybot~1\SDHelper.dll
DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4}
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237576612728
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1243147641750
DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: {0D33C83D-B171-48F0-9ADF-680A56E450A4} = 75.116.127.154 75.116.63.154
Notify: igfxcui - igfxsrvc.dll
LSA: Authentication Packages = msv1_0 nwprovau

============= SERVICES / DRIVERS ===============

R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
R3 PTDLBus;PANTECH UM175AL Composite Device Driver;c:\windows\system32\drivers\PTDLBus.sys [2009-5-19 32256]
R3 PTDLMdm;PANTECH UM175AL Drivers;c:\windows\system32\drivers\PTDLMdm.sys [2009-5-19 41344]
R3 PTDLVsp;PANTECH UM175AL Diagnostic Port;c:\windows\system32\drivers\PTDLVsp.sys [2009-5-19 39936]
R3 PTDLWWAN;PANTECH UM175AL WWAN Driver;c:\windows\system32\drivers\PTDLWWAN.sys [2009-5-19 59776]
S2 kihist;kihist;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
S2 naocj;Update Helper;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
S3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);c:\windows\system32\drivers\cmo_bus.sys [2008-12-11 58352]
S3 cmo_mdfl;Data Modem @ CDMA Filter;c:\windows\system32\drivers\cmo_mdfl.sys [2008-12-11 8304]
S3 cmo_mdm;Data Modem @ CDMA Drivers;c:\windows\system32\drivers\cmo_mdm.sys [2008-12-11 93904]
S3 cmo_serd;Data Modem @ CDMA Diagnostic Serial Port (WDM);c:\windows\system32\drivers\cmo_serd.sys [2008-12-11 73696]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys --> c:\windows\system32\drivers\ewusbnet.sys [?]

============== File Associations ===============

VBSFile=%WINDIR%\System32\CScript.exe //nologo "%1" %*

=============== Created Last 30 ================

2009-08-31 01:29 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-08-30 22:24 <DIR> --d----- c:\program files\AVG
2009-08-30 22:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-08-30 21:02 68,569,208 a------- c:\program files\avg_free_stf_en_85_409a1634.exe
2009-08-30 18:17 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-30 17:51 <DIR> a-dshr-- C:\cmdcons
2009-08-30 17:46 229,376 a------- c:\windows\PEV.exe
2009-08-30 17:46 161,792 a------- c:\windows\SWREG.exe
2009-08-30 17:46 98,816 a------- c:\windows\sed.exe
2009-08-29 08:26 <DIR> --d----- c:\program files\Spybot
2009-08-28 13:24 <DIR> --d----- c:\windows\SxsCaPendDel
2009-08-28 08:13 <DIR> --dsh--- c:\documents and settings\user\IECompatCache
2009-08-28 08:11 <DIR> --dsh--- c:\documents and settings\user\PrivacIE
2009-08-28 07:22 <DIR> --dsh--- c:\documents and settings\user\IETldCache
2009-08-28 07:18 100,352 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-08-28 07:16 <DIR> --d----- c:\windows\ie8updates
2009-08-28 07:15 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-08-28 07:15 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-08-28 07:07 <DIR> -cd-h--- c:\windows\ie8
2009-08-28 06:30 4,153 a------- C:\fix.reg
2009-08-24 00:13 268,648 a------- c:\windows\system32\mucltui.dll
2009-08-24 00:13 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-08-22 06:31 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-08-21 09:58 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-21 09:54 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-21 09:54 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-21 09:54 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-21 09:54 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-21 09:54 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-21 09:54 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-08-21 09:54 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-21 09:54 <DIR> --d----- C:\6f6b5f0da4264d87e011e22fee34eb1d
2009-08-18 12:43 <DIR> --d----- c:\docume~1\user\applic~1\IPublish
2009-08-18 12:43 377 a------- c:\windows\ipublish.ini
2009-08-18 12:43 <DIR> --d----- c:\program files\IPRO Tech
2009-08-13 23:18 <DIR> --dsh--- c:\windows\system32\SystemX86
2009-08-13 23:18 518,144 a--sh--- c:\windows\system32\15.tmp
2009-08-13 22:53 4 a------- c:\docume~1\user\applic~1\NP.sys
2009-08-11 23:47 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-11 23:47 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll

==================== Find3M ====================

2009-08-14 00:50 24,192 a------- c:\documents and settings\user\usbsermptxp.sys
2009-08-14 00:50 22,768 a------- c:\documents and settings\user\usbsermpt.sys
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-21 01:16 5,936 a------- c:\documents and settings\user\mqdmwhnt.sys
2009-07-21 01:16 79,328 a------- c:\documents and settings\user\mqdmserd.sys
2009-07-21 01:16 92,064 a------- c:\documents and settings\user\mqdmmdm.sys
2009-07-21 01:16 9,232 a------- c:\documents and settings\user\mqdmmdfl.sys
2009-07-21 01:16 4,048 a------- c:\documents and settings\user\mqdmcr.sys
2009-07-21 01:16 6,208 a------- c:\documents and settings\user\mqdmcmnt.sys
2009-07-21 01:16 66,656 a------- c:\documents and settings\user\mqdmbus.sys
2009-07-20 13:41 22,768 a------- c:\windows\system32\drivers\usbsermpt.sys
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 12:09 915,456 -------- c:\windows\system32\wininet.dll
2009-06-25 03:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 03:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 03:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 03:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 03:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 03:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-24 16:17 8,815,552 a------- c:\program files\windows-kb890830-v2.11.exe
2009-06-24 13:58 714,136 a------- c:\program files\JavaScript SunMicrosystems.exe
2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 07:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 07:31 76,288 a------- c:\windows\system32\telnet.exe
2009-05-29 10:34 331,805,736 a------- c:\program files\WindowsXP-KB936929-SP3-x86-ENU.exe
2009-05-24 20:39 4,909,440 a------- c:\program files\Silverlight.2.0.exe
2009-02-19 13:50 53,518 a------- c:\program files\11-13-07_1501.3g2
2009-02-19 13:46 52,307,672 a------- c:\program files\AVSVideoConverter.exe
2008-12-20 15:08 5,166,072 a------- c:\program files\msgrplus.exe
2008-12-12 20:11 123 a------- c:\program files\ALLTEL Internet Accelerator Client setup.log
2009-05-29 12:49 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009052920090530\index.dat

============= FINISH: 4:19:44.85 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/8/2008 4:12:01 PM
System Uptime: 9/9/2009 3:31:36 AM (1 hours ago)

Motherboard: Hewlett-Packard | | 30AE
Processor: Mobile AMD Sempron(tm) Processor 3300+ | U23 | 1994/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 56 GiB total, 19.141 GiB free.
D: is CDROM ()
E: is CDROM (FAT)

==== Disabled Device Manager Items =============

Class GUID:
Description: PCI Modem
Device ID: PCI\VEN_1002&DEV_4378&SUBSYS_30AE103C&REV_02\3&13C0B0C5&0&A6
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_1002&DEV_4378&SUBSYS_30AE103C&REV_02\3&13C0B0C5&0&A6
Service:

==== System Restore Points ===================

RP47: 7/20/2009 11:55:52 PM - Unsigned driver install
RP48: 7/22/2009 3:41:48 PM - System Checkpoint
RP49: 7/26/2009 10:04:30 PM - System Checkpoint
RP50: 7/27/2009 11:05:32 PM - System Checkpoint
RP51: 7/29/2009 3:22:22 AM - Software Distribution Service 3.0
RP52: 7/29/2009 11:47:36 PM - Avg8 Update
RP53: 7/29/2009 11:53:29 PM - Avg8 Update
RP54: 7/31/2009 12:16:04 AM - System Checkpoint
RP55: 8/1/2009 2:54:14 AM - System Checkpoint
RP56: 8/2/2009 3:29:34 AM - System Checkpoint
RP57: 8/4/2009 12:06:38 AM - System Checkpoint
RP58: 8/5/2009 1:36:47 AM - System Checkpoint
RP59: 8/5/2009 5:36:13 AM - Removed HP Photosmart Essential
RP60: 8/5/2009 5:38:47 AM - Removed HPSU306Stub
RP61: 8/5/2009 5:39:18 AM - Removed HP Software Update
RP62: 8/6/2009 9:25:08 AM - System Checkpoint
RP63: 8/7/2009 9:52:44 AM - System Checkpoint
RP64: 8/8/2009 11:27:40 AM - System Checkpoint
RP65: 8/9/2009 10:42:49 PM - System Checkpoint
RP66: 8/11/2009 7:05:56 PM - System Checkpoint
RP67: 8/12/2009 5:43:55 AM - Software Distribution Service 3.0
RP68: 8/13/2009 6:13:05 AM - System Checkpoint
RP69: 8/14/2009 3:08:10 AM - Software Distribution Service 3.0
RP70: 8/15/2009 3:59:54 AM - System Checkpoint
RP71: 8/16/2009 1:05:08 AM - Spybot-S&D Spyware removal
RP72: 8/17/2009 3:02:47 AM - System Checkpoint
RP73: 8/18/2009 9:34:12 AM - System Checkpoint
RP74: 8/19/2009 5:58:57 PM - System Checkpoint
RP75: 8/20/2009 3:48:01 PM - Avg8 Update
RP76: 8/20/2009 3:50:34 PM - Avg8 Update
RP77: 8/21/2009 9:21:29 AM - Software Distribution Service 3.0
RP78: 8/22/2009 12:21:00 PM - System Checkpoint
RP79: 8/22/2009 4:44:48 PM - Removed AVG 8.5
RP80: 8/22/2009 4:56:03 PM - Installed AVG 8.5
RP81: 8/23/2009 5:54:30 AM - Software Distribution Service 3.0
RP82: 8/23/2009 1:17:06 PM - Microsoft OneCare Protection Checkpoint
RP83: 8/24/2009 10:17:05 PM - Software Distribution Service 3.0
RP84: 8/25/2009 9:42:16 PM - Installed AVG Free 8.5
RP85: 8/26/2009 6:37:58 PM - Configured AVG Free 8.5
RP86: 8/26/2009 6:51:58 PM - Configured AVG Free 8.5
RP87: 8/26/2009 10:49:27 PM - Removed AVG Free 8.5
RP88: 8/26/2009 10:53:38 PM - Installed AVG Free 8.5
RP89: 8/27/2009 3:00:26 AM - Software Distribution Service 3.0
RP90: 8/28/2009 6:50:36 AM - Software Distribution Service 3.0
RP91: 8/28/2009 12:15:14 PM - Software Distribution Service 3.0
RP92: 8/28/2009 12:41:44 PM - Software Distribution Service 3.0
RP93: 8/28/2009 1:24:27 PM - Removed Visual C++ 2008 x86 Runtime - (v9.0.30729)
RP94: 8/28/2009 1:30:34 PM - Removed Diskeeper 2009 Pro Premier.
RP95: 8/30/2009 12:08:56 AM - System Checkpoint
RP96: 8/30/2009 10:24:09 PM - Installed AVG Free 8.5
RP97: 9/1/2009 11:42:34 PM - Avg8 Update
RP98: 9/2/2009 11:47:02 PM - System Checkpoint
RP99: 9/3/2009 12:00:18 AM - Removed AVG Free 8.5
RP100: 9/3/2009 12:05:04 AM - Installed AVG Free 8.5
RP101: 9/4/2009 6:57:41 AM - System Checkpoint
RP102: 9/5/2009 7:09:01 AM - System Checkpoint
RP103: 9/6/2009 7:45:07 AM - System Checkpoint
RP104: 9/8/2009 1:19:41 PM - System Checkpoint

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.1.3
Adobe Shockwave Player 11
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AVS Update Manager 1.0
AVS Video Converter 6
AVS4YOU Software Navigator 1.3
Broadcom 802.11 Wireless LAN Adapter
Citrix XenApp Web Plugin
Conexant AC-Link Audio
D1300_Help
eFax Messenger
Google Earth
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
hph_readme
hph_software_req
Java(TM) 6 Update 14
Java(TM) 6 Update 7
LiveUpdate BVRP Software
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
mobile PhoneTools
Nero 6 Ultra Edition
NetWaiting
OpenOffice.org 3.0
palmOne
PANTECH UM175AL Driver
PowerDVD
QuickLink Mobile
QuickTime
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Spybot - Search & Destroy
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
WebFldrs XP
WebReg
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Resource Kit Tools - SubInAcl.exe
Windows XP Service Pack 3
XP Codec Pack

==== Event Viewer Messages From Past Week ========

9/8/2009 10:01:26 PM, error: PlugPlayManager [12] - The device 'PANTECH UM175AL WWAN Driver #4' (USB\VID_106c&PID_3715&MI_03\6&27c99b97&0&8515) disappeared from the system without first being prepared for removal.
9/7/2009 12:56:33 PM, error: Dhcp [1002] - The IP address lease 192.168.1.6 for the Network Card with network address 0014A5E911FE has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
9/7/2009 11:30:08 AM, error: Dhcp [1002] - The IP address lease 192.168.239.131 for the Network Card with network address 0014A5E911FE has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
9/4/2009 6:31:02 AM, error: Service Control Manager [7031] - The OneCare AntiSpyware and AntiVirus service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
9/4/2009 6:30:21 AM, error: Service Control Manager [7031] - The OneCare AntiSpyware and AntiVirus service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
9/4/2009 6:29:53 AM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
9/4/2009 6:29:37 AM, error: Service Control Manager [7034] - The Windows Live OneCare Health Monitor service terminated unexpectedly. It has done this 1 time(s).
9/4/2009 10:08:19 PM, error: Service Control Manager [7023] - The Update Helper service terminated with the following error: The specified module could not be found.
9/4/2009 10:08:19 PM, error: Service Control Manager [7023] - The kihist service terminated with the following error: The specified module could not be found.
9/2/2009 11:10:00 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
9/2/2009 11:09:59 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
9/2/2009 10:45:08 PM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
9/2/2009 10:45:06 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.

==== End Of File ===========================

godalmighty69
2009-09-09, 18:00
Hi Blade81
This test was run after I had used GMER to first disable, reboot, then delete a ***hidden*** file.

GMER 1.0.15.15077 [udiizux6.exe] - http://www.gmer.net
Rootkit scan 2009-09-09 09:49:40
Windows 5.1.2600 Service Pack 3


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\naocj@DisplayName Update Helper
Reg HKLM\SYSTEM\ControlSet002\Services\naocj@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\naocj@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\naocj@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\naocj@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\naocj@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\naocj@Description Stores security information for local user accounts.
Reg HKLM\SYSTEM\ControlSet002\Services\naocj\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\naocj\Parameters@ServiceDll C:\WINDOWS\system32\iohxpwha.dll

---- EOF - GMER 1.0.15 ----

Blade81
2009-09-09, 18:21
Hi,

Yes, it's a Conficker infection that GMER detected. When we've got the system clean, it's extremely important to obtain all available patches.



Open Notepad and copy/paste the text in the quotebox below into it:



Driver::
kihist
naocj
File::
c:\windows\system32\15.tmp
c:\docume~1\user\applic~1\NP.sys
c:\windows\system32\iohxpwha.dll
c:\documents and settings\User\udpcrawl.tmp
NetSvc::
kihist
naocj
Folder::
c:\windows\system32\SystemX86
c:\docume~1\User\APPLIC~1\LimeWire
DDS::
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=-




Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.

__________

Uninstall your current Adobe Shockwave Player and get the fresh one here (http://get.adobe.com/shockwave/) if needed.


Check here (http://www.adobe.com/software/flash/about/) to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following the instructions here (http://kb2.adobe.com/cps/141/tn_14157.html). A fresh version can be obtained here (http://get.adobe.com/flashplayer/).


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 16 (http://java.sun.com/javase/downloads/index.jsp).
Click the Download button to the right.
Select Windows in the platform combobox and check the box that says: Accept License Agreement. Click Continue.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

godalmighty69
2009-09-09, 20:00
Hi. Next I will follow your instructions regarding uninstalling Adobe Shockwave, Flash, Java, etc.

ComboFix 09-08-30.01 - User 09/09/2009 11:40.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.382.192 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
.
- REDUCED FUNCTIONALITY MODE -

FILE ::
"c:\docume~1\user\applic~1\NP.sys"
"c:\documents and settings\User\udpcrawl.tmp"
"c:\windows\system32\15.tmp"
"c:\windows\system32\iohxpwha.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\User\APPLIC~1\LimeWire
c:\docume~1\User\APPLIC~1\LimeWire\active.mojito
c:\docume~1\User\APPLIC~1\LimeWire\certificate\limewire.keystore
c:\docume~1\User\APPLIC~1\LimeWire\createtimes.cache
c:\docume~1\User\APPLIC~1\LimeWire\downloads.bak
c:\docume~1\User\APPLIC~1\LimeWire\downloads.dat
c:\docume~1\User\APPLIC~1\LimeWire\fileurns.bak
c:\docume~1\User\APPLIC~1\LimeWire\fileurns.cache
c:\docume~1\User\APPLIC~1\LimeWire\filters.props
c:\docume~1\User\APPLIC~1\LimeWire\gnutella.net
c:\docume~1\User\APPLIC~1\LimeWire\installation.props
c:\docume~1\User\APPLIC~1\LimeWire\library.dat
c:\docume~1\User\APPLIC~1\LimeWire\limewire.props
c:\docume~1\User\APPLIC~1\LimeWire\mojito.props
c:\docume~1\User\APPLIC~1\LimeWire\passive.mojito
c:\docume~1\User\APPLIC~1\LimeWire\promotion\promodb.backup
c:\docume~1\User\APPLIC~1\LimeWire\promotion\promodb.data
c:\docume~1\User\APPLIC~1\LimeWire\promotion\promodb.lck
c:\docume~1\User\APPLIC~1\LimeWire\promotion\promodb.log
c:\docume~1\User\APPLIC~1\LimeWire\promotion\promodb.properties
c:\docume~1\User\APPLIC~1\LimeWire\promotion\promodb.script
c:\docume~1\User\APPLIC~1\LimeWire\questions.props
c:\docume~1\User\APPLIC~1\LimeWire\responses.cache
c:\docume~1\User\APPLIC~1\LimeWire\simpp.xml
c:\docume~1\User\APPLIC~1\LimeWire\spam.dat
c:\docume~1\User\APPLIC~1\LimeWire\tables.props
c:\docume~1\User\APPLIC~1\LimeWire\themes\limewirePro_theme.lwtp
c:\docume~1\User\APPLIC~1\LimeWire\themes\limewirePro_theme\01_star.gif
c:\docume~1\User\APPLIC~1\LimeWire\themes\limewirePro_theme\02_star.gif
c:\docume~1\User\APPLIC~1\LimeWire\themes\limewirePro_theme\03_star.gif
c:\docume~1\User\APPLIC~1\LimeWire\themes\limewirePro_theme\04_star.gif
c:\docume~1\User\APPLIC~1\LimeWire\themes\limewirePro_theme\05_star.gif
c:\docume~1\User\APPLIC~1\LimeWire\themes\limewirePro_theme\chat.gif
c:\docume~1\User\APPLIC~1\LimeWire\themes\limewirePro_theme\dir_closed.gif
c:\docume~1\User\APPLIC~1\LimeWire\themes\limewirePro_theme\dir_open.gif
c:\docume~1\User\APPLIC~1\LimeWire\themes\limewirePro_theme\forward_dn.gif
c:\docume~1\User\APPLIC~1\LimeWire\themes\limewirePro_theme\forward_up.gif
c:\docume~1\User\APPLIC~1\LimeWire\themes\limewirePro_theme\kill.gif
c:\docume~1\User\APPLIC~1\LimeWire\themes\limewirePro_theme\kill_on.gif
c:\docume~1\User\APPLIC~1\LimeWire\themes\limewirePro_theme\lime.gif
c:\docume~1\User\APPLIC~1\LimeWire\themes\limewirePro_theme\lw_logo.png
c:\docume~1\User\APPLIC~1\LimeWire\themes\limewirePro_theme\pause_dn.gif
c:\docume~1\User\APPLIC~1\LimeWire\themes\limewirePro_theme\pause_up.gif
c:\docume~1\User\APPLIC~1\LimeWire\themes\limewirePro_theme\play_dn.gif
c:\docume~1\User\APPLIC~1\LimeWire\themes\limewirePro_theme\play_up.gif
c:\docume~1\User\APPLIC~1\LimeWire\themes\limewirePro_theme\question.gif
c:\docume~1\User\APPLIC~1\LimeWire\themes\limewirePro_theme\rewind_dn.gif
c:\docume~1\User\APPLIC~1\LimeWire\themes\limewirePro_theme\rewind_up.gif
c:\docume~1\User\APPLIC~1\LimeWire\themes\limewirePro_theme\stop_dn.gif
c:\docume~1\User\APPLIC~1\LimeWire\themes\limewirePro_theme\stop_up.gif
c:\docume~1\User\APPLIC~1\LimeWire\themes\limewirePro_theme\theme.txt
c:\docume~1\User\APPLIC~1\LimeWire\themes\limewirePro_theme\version.txt
c:\docume~1\User\APPLIC~1\LimeWire\themes\limewirePro_theme\warning.gif
c:\docume~1\User\APPLIC~1\LimeWire\ttrees.cache
c:\docume~1\User\APPLIC~1\LimeWire\ttroot.cache
c:\docume~1\User\APPLIC~1\LimeWire\version.xml
c:\docume~1\User\APPLIC~1\LimeWire\versions.props
c:\docume~1\User\APPLIC~1\LimeWire\xml\data\application.sxml2
c:\docume~1\User\APPLIC~1\LimeWire\xml\data\audio.sxml2
c:\docume~1\User\APPLIC~1\LimeWire\xml\data\video.sxml2
c:\docume~1\user\applic~1\NP.sys
c:\documents and settings\User\udpcrawl.tmp
c:\windows\system32\15.tmp
c:\windows\system32\SystemX86
c:\windows\system32\SystemX86\253.crack.zip.kwd
c:\windows\system32\SystemX86\254.keygen.zip.kwd
c:\windows\system32\SystemX86\255.serial.zip.kwd
c:\windows\system32\SystemX86\256.setup.zip.kwd
c:\windows\system32\SystemX86\257.music.au.kwd
c:\windows\system32\SystemX86\258.music2.au.kwd
c:\windows\system32\SystemX86\259.music3.au.kwd
c:\windows\system32\SystemX86\260.music.snd.kwd

.
((((((((((((((((((((((((( Files Created from 2009-08-09 to 2009-09-09 )))))))))))))))))))))))))))))))
.

2009-08-31 06:29 . 2009-08-31 06:29 -------- d--h--w- C:\$AVG8.VAULT$
2009-08-31 03:24 . 2009-08-31 03:24 -------- d-----w- c:\program files\AVG
2009-08-31 03:24 . 2009-09-03 05:03 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-31 02:02 . 2009-08-31 03:07 68569208 ----a-w- c:\program files\avg_free_stf_en_85_409a1634.exe
2009-08-29 13:26 . 2009-08-29 13:47 -------- d-----w- c:\program files\Spybot
2009-08-28 18:24 . 2009-08-28 18:43 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-28 13:13 . 2009-08-28 13:13 -------- d-sh--w- c:\documents and settings\User\IECompatCache
2009-08-28 13:11 . 2009-08-28 13:11 -------- d-sh--w- c:\documents and settings\User\PrivacIE
2009-08-28 12:28 . 2009-08-28 12:28 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-28 12:22 . 2009-08-28 12:22 -------- d-sh--w- c:\documents and settings\User\IETldCache
2009-08-28 12:18 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-08-28 12:16 . 2009-08-28 12:18 -------- d-----w- c:\windows\ie8updates
2009-08-28 12:15 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-08-28 12:15 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-28 12:07 . 2009-08-28 12:14 -------- dc-h--w- c:\windows\ie8
2009-08-28 11:30 . 2009-08-28 11:33 4153 ----a-w- C:\fix.reg
2009-08-24 05:13 . 2008-10-16 19:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-08-21 14:58 . 2009-08-21 14:58 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-21 14:57 . 2009-08-21 14:57 -------- d-----w- c:\program files\MSBuild
2009-08-21 14:57 . 2009-08-21 14:57 -------- d-----w- c:\program files\Reference Assemblies
2009-08-21 14:54 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-21 14:54 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-21 14:54 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-21 14:54 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-21 14:54 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-21 14:54 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-21 14:54 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-21 14:54 . 2009-08-21 14:55 -------- d-----w- C:\6f6b5f0da4264d87e011e22fee34eb1d
2009-08-18 17:43 . 2009-08-22 16:43 -------- d-----w- c:\docume~1\User\APPLIC~1\IPublish
2009-08-18 17:43 . 2009-08-18 17:43 -------- d-----w- c:\program files\IPRO Tech
2009-08-12 04:47 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-30 15:44 . 2008-12-18 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-28 18:30 . 2008-12-09 01:13 -------- d-----w- c:\program files\Diskeeper Corporation
2009-08-28 18:26 . 2008-12-16 08:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-08-28 18:26 . 2008-12-16 08:48 -------- d-----w- c:\program files\Yahoo!
2009-08-28 18:23 . 2008-12-08 23:13 -------- d-----w- c:\program files\CONEXANT
2009-08-28 17:59 . 2008-12-08 22:19 33216 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-28 17:45 . 2009-01-19 10:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-28 17:21 . 2009-01-19 10:19 -------- d-----w- c:\program files\Microsoft Works
2009-08-27 03:17 . 2009-04-03 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-27 03:17 . 2009-04-03 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-27 03:15 . 2009-04-03 00:58 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-27 03:14 . 2009-04-03 01:00 -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-08-25 11:08 . 2009-05-25 01:40 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-23 16:05 . 2008-12-18 02:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-23 11:36 . 2009-03-26 21:20 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-22 11:46 . 2008-12-18 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-19 07:02 . 2009-02-19 18:46 -------- d-----w- c:\program files\AVS4YOU
2009-08-14 05:50 . 2009-06-30 06:11 24192 ----a-w- c:\documents and settings\User\usbsermptxp.sys
2009-08-14 05:50 . 2009-06-30 06:11 22768 ----a-w- c:\documents and settings\User\usbsermpt.sys
2009-08-05 11:50 . 2009-01-12 01:52 -------- d-----w- c:\program files\Google
2009-08-05 10:40 . 2008-12-22 19:30 -------- d-----w- c:\program files\HP
2009-08-05 09:01 . 2004-08-10 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-31 18:52 . 2008-12-20 20:09 -------- d-----w- c:\docume~1\User\APPLIC~1\eFax Messenger
2009-07-21 06:16 . 2009-07-20 14:59 5936 ----a-w- c:\documents and settings\User\mqdmwhnt.sys
2009-07-21 06:16 . 2009-07-20 14:59 79328 ----a-w- c:\documents and settings\User\mqdmserd.sys
2009-07-21 06:16 . 2009-07-20 14:59 92064 ----a-w- c:\documents and settings\User\mqdmmdm.sys
2009-07-21 06:16 . 2009-07-20 14:59 9232 ----a-w- c:\documents and settings\User\mqdmmdfl.sys
2009-07-21 06:16 . 2009-07-20 14:59 4048 ----a-w- c:\documents and settings\User\mqdmcr.sys
2009-07-21 06:16 . 2009-07-20 14:59 6208 ----a-w- c:\documents and settings\User\mqdmcmnt.sys
2009-07-21 06:16 . 2009-07-20 14:59 66656 ----a-w- c:\documents and settings\User\mqdmbus.sys
2009-07-20 18:41 . 2009-06-30 06:11 22768 ----a-w- c:\windows\system32\drivers\usbsermpt.sys
2009-07-17 19:01 . 2004-08-10 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 15:08 . 2004-08-10 12:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-10 12:00 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-10 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-10 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-10 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-10 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-10 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-10 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 21:17 . 2009-06-24 21:16 8815552 ----a-w- c:\program files\windows-kb890830-v2.11.exe
2009-06-24 18:58 . 2009-06-24 18:58 714136 ----a-w- c:\program files\JavaScript SunMicrosystems.exe
2009-06-24 11:18 . 2004-08-10 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-10 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-10 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-10 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-10 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-05-29 15:34 . 2009-05-29 13:27 331805736 ----a-w- c:\program files\WindowsXP-KB936929-SP3-x86-ENU.exe
2009-05-25 01:39 . 2009-05-25 01:39 4909440 ----a-w- c:\program files\Silverlight.2.0.exe
2009-02-19 18:50 . 2009-02-19 18:50 53518 ----a-w- c:\program files\11-13-07_1501.3g2
2009-02-19 18:46 . 2009-02-19 18:45 52307672 ----a-w- c:\program files\AVSVideoConverter.exe
2008-12-20 20:08 . 2008-12-20 20:03 5166072 ----a-w- c:\program files\msgrplus.exe
2008-12-13 01:11 . 2008-12-13 01:10 123 ----a-w- c:\program files\ALLTEL Internet Accelerator Client setup.log
.

((((((((((((((((((((((((((((( SnapShot@2009-08-30_23.14.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-10 12:00 . 2008-04-14 10:42 14336 c:\windows\system32\dllcache\svchost.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^eFax 4.4.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\eFax 4.4.lnk
backup=c:\windows\pss\eFax 4.4.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=c:\windows\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Alltel\\QuickLink Mobile\\QuickLink Mobile.exe"=
"c:\\Program Files\\mobile PhoneTools\\mPhonetools.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 0 (0x0)
"AllowInboundMaskRequest"= 0 (0x0)
"AllowInboundRouterRequest"= 0 (0x0)
"AllowOutboundDestinationUnreachable"= 0 (0x0)
"AllowOutboundSourceQuench"= 0 (0x0)
"AllowOutboundParameterProblem"= 0 (0x0)
"AllowOutboundTimeExceeded"= 0 (0x0)
"AllowRedirect"= 0 (0x0)
"AllowOutboundPacketTooBig"= 0 (0x0)

R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [8/10/2004 7:00 AM 14336]
R3 PTDLBus;PANTECH UM175AL Composite Device Driver;c:\windows\system32\drivers\PTDLBus.sys [5/19/2009 6:53 PM 32256]
R3 PTDLMdm;PANTECH UM175AL Drivers;c:\windows\system32\drivers\PTDLMdm.sys [5/19/2009 6:53 PM 41344]
R3 PTDLVsp;PANTECH UM175AL Diagnostic Port;c:\windows\system32\drivers\PTDLVsp.sys [5/19/2009 6:53 PM 39936]
R3 PTDLWWAN;PANTECH UM175AL WWAN Driver;c:\windows\system32\drivers\PTDLWWAN.sys [5/19/2009 6:53 PM 59776]
S2 kihist;kihist;c:\windows\system32\svchost.exe -k netsvcs [8/10/2004 7:00 AM 14336]
S3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);c:\windows\system32\drivers\cmo_bus.sys [12/11/2008 2:17 PM 58352]
S3 cmo_mdfl;Data Modem @ CDMA Filter;c:\windows\system32\drivers\cmo_mdfl.sys [12/11/2008 2:17 PM 8304]
S3 cmo_mdm;Data Modem @ CDMA Drivers;c:\windows\system32\drivers\cmo_mdm.sys [12/11/2008 2:17 PM 93904]
S3 cmo_serd;Data Modem @ CDMA Diagnostic Serial Port (WDM);c:\windows\system32\drivers\cmo_serd.sys [12/11/2008 2:17 PM 73696]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys --> c:\windows\system32\DRIVERS\ewusbnet.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-09 11:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1935655697-1682526488-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2009-09-09 11:45
ComboFix-quarantined-files.txt 2009-09-09 16:45
ComboFix2.txt 2009-08-30 23:20

Pre-Run: 20,510,052,352 bytes free
Post-Run: 20,483,375,104 bytes free

290 --- E O F --- 2009-08-28 12:18

Blade81
2009-09-09, 20:34
Hi,

I didn't remember to remind you to let ComboFix update itself. Please run it once again after doing other steps. Do it without cfscript this time.

godalmighty69
2009-09-10, 06:48
Hi Blade81, I am awaiting your next instructions ...

Kaspersky Log

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, September 9, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, September 09, 2009 19:33:27
Records in database: 2764419
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 62469
Threats found: 3
Infected objects found: 22
Suspicious objects found: 0
Scan duration: 03:04:35


File name / Threat / Threats count
C:\Documents and Settings\All Users\LimeWire Downloads\mobile phone tools [cracked by TSRh].zip Infected: Trojan.Win32.Agent.cvwe 3
C:\Documents and Settings\All Users\LimeWire Downloads\Motorola Mobile Phone Tools + USB Driver (www.softzone.org)\keymaker.exe Infected: Trojan.Win32.VB.ujs 1
C:\Documents and Settings\All Users\LimeWire Downloads\Motorola Mobile Phone Tools + USB Driver (www.softzone.org)\Setup.exe Infected: Trojan.Win32.VB.ujs 1
C:\Documents and Settings\All Users\LimeWire Downloads\Motorola Mobile Phone Tools + USB Driver (www.softzone.org).zip Infected: Trojan.Win32.VB.ujs 2
C:\Documents and Settings\All Users\LimeWire Downloads\Motorola Mobile Phone Tools 4 - Suite Completa - by arky.zip Infected: Trojan.Win32.VB.ujs 2
C:\Documents and Settings\User\Desktop\DriverTool\keymaker.exe Infected: Trojan.Win32.VB.ujs 1
C:\Documents and Settings\User\Desktop\DriverTool\Setup.exe Infected: Trojan.Win32.VB.ujs 1
C:\Qoobox\Quarantine\C\Program Files\IEToolbar\Bullseye Tool Bar\tbhelper.dll.vir Infected: not-a-virus:WebToolbar.Win32.TJ2.a 1
C:\Qoobox\Quarantine\C\WINDOWS\fjjil0160.exe.vir Infected: not-a-virus:WebToolbar.Win32.TJ2.a 1
C:\Qoobox\Quarantine\C\WINDOWS\qaxjt3355.exe.vir Infected: not-a-virus:WebToolbar.Win32.TJ2.a 1
C:\Qoobox\Quarantine\C\WINDOWS\vmqq64340.exe.vir Infected: not-a-virus:WebToolbar.Win32.TJ2.a 1
C:\Qoobox\Quarantine\C\WINDOWS\xigr5657.exe.vir Infected: not-a-virus:WebToolbar.Win32.TJ2.a 1
C:\System Volume Information\_restore{F1D34CF9-0CFB-4953-8E83-E9F072FB3D13}\RP81\A0138252.dll Infected: not-a-virus:WebToolbar.Win32.TJ2.a 1
C:\System Volume Information\_restore{F1D34CF9-0CFB-4953-8E83-E9F072FB3D13}\RP95\A0155403.dll Infected: not-a-virus:WebToolbar.Win32.TJ2.a 1
C:\System Volume Information\_restore{F1D34CF9-0CFB-4953-8E83-E9F072FB3D13}\RP95\A0155405.exe Infected: not-a-virus:WebToolbar.Win32.TJ2.a 1
C:\System Volume Information\_restore{F1D34CF9-0CFB-4953-8E83-E9F072FB3D13}\RP95\A0155410.exe Infected: not-a-virus:WebToolbar.Win32.TJ2.a 1
C:\System Volume Information\_restore{F1D34CF9-0CFB-4953-8E83-E9F072FB3D13}\RP95\A0155415.exe Infected: not-a-virus:WebToolbar.Win32.TJ2.a 1
C:\System Volume Information\_restore{F1D34CF9-0CFB-4953-8E83-E9F072FB3D13}\RP95\A0155417.exe Infected: not-a-virus:WebToolbar.Win32.TJ2.a 1

Selected area has been scanned.

ComboFix Log
ComboFix 09-09-09.04 - User 09/09/2009 21:07.4.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.382.118 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-08-10 to 2009-09-10 )))))))))))))))))))))))))))))))
.

2009-08-31 06:29 . 2009-08-31 06:29 -------- d-----w- C:\$AVG8.VAULT$
2009-08-31 03:24 . 2009-08-31 03:24 -------- d-----w- c:\program files\AVG
2009-08-31 03:24 . 2009-09-03 05:03 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-31 02:02 . 2009-08-31 03:07 68569208 ----a-w- c:\program files\avg_free_stf_en_85_409a1634.exe
2009-08-29 13:26 . 2009-08-29 13:47 -------- d-----w- c:\program files\Spybot
2009-08-28 18:24 . 2009-08-28 18:43 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-28 13:13 . 2009-08-28 13:13 -------- d-sh--w- c:\documents and settings\User\IECompatCache
2009-08-28 13:11 . 2009-08-28 13:11 -------- d-sh--w- c:\documents and settings\User\PrivacIE
2009-08-28 12:28 . 2009-08-28 12:28 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-28 12:22 . 2009-08-28 12:22 -------- d-sh--w- c:\documents and settings\User\IETldCache
2009-08-28 12:18 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-08-28 12:16 . 2009-08-28 12:18 -------- d-----w- c:\windows\ie8updates
2009-08-28 12:15 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-08-28 12:15 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-28 12:07 . 2009-08-28 12:14 -------- dc-h--w- c:\windows\ie8
2009-08-28 11:30 . 2009-08-28 11:33 4153 ----a-w- C:\fix.reg
2009-08-24 05:13 . 2008-10-16 19:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-08-21 14:58 . 2009-08-21 14:58 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-21 14:57 . 2009-08-21 14:57 -------- d-----w- c:\program files\MSBuild
2009-08-21 14:57 . 2009-08-21 14:57 -------- d-----w- c:\program files\Reference Assemblies
2009-08-21 14:54 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-21 14:54 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-21 14:54 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-21 14:54 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-21 14:54 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-21 14:54 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-21 14:54 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-21 14:54 . 2009-08-21 14:55 -------- d-----w- C:\6f6b5f0da4264d87e011e22fee34eb1d
2009-08-18 17:43 . 2009-08-22 16:43 -------- d-----w- c:\documents and settings\User\Application Data\IPublish
2009-08-18 17:43 . 2009-08-18 17:43 -------- d-----w- c:\program files\IPRO Tech
2009-08-12 04:47 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-09 18:23 . 2008-12-09 01:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-09 17:25 . 2008-12-09 01:19 -------- d-----w- c:\program files\Java
2009-08-30 15:44 . 2008-12-18 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-28 18:30 . 2008-12-09 01:13 -------- d-----w- c:\program files\Diskeeper Corporation
2009-08-28 18:26 . 2008-12-16 08:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-08-28 18:26 . 2008-12-16 08:48 -------- d-----w- c:\program files\Yahoo!
2009-08-28 18:23 . 2008-12-08 23:13 -------- d-----w- c:\program files\CONEXANT
2009-08-28 17:59 . 2008-12-08 22:19 33216 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-28 17:45 . 2009-01-19 10:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-28 17:21 . 2009-01-19 10:19 -------- d-----w- c:\program files\Microsoft Works
2009-08-27 03:17 . 2009-04-03 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-27 03:17 . 2009-04-03 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-27 03:15 . 2009-04-03 00:58 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-27 03:14 . 2009-04-03 01:00 -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-08-25 11:08 . 2009-05-25 01:40 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-23 16:05 . 2008-12-18 02:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-23 11:36 . 2009-03-26 21:20 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-22 11:46 . 2008-12-18 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-19 07:02 . 2009-02-19 18:46 -------- d-----w- c:\program files\AVS4YOU
2009-08-14 05:50 . 2009-06-30 06:11 24192 ----a-w- c:\documents and settings\User\usbsermptxp.sys
2009-08-14 05:50 . 2009-06-30 06:11 22768 ----a-w- c:\documents and settings\User\usbsermpt.sys
2009-08-05 11:50 . 2009-01-12 01:52 -------- d-----w- c:\program files\Google
2009-08-05 10:40 . 2008-12-22 19:30 -------- d-----w- c:\program files\HP
2009-08-05 09:01 . 2004-08-10 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-31 18:52 . 2008-12-20 20:09 -------- d-----w- c:\documents and settings\User\Application Data\eFax Messenger
2009-07-31 12:47 . 2009-07-31 12:47 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-07-31 12:47 . 2009-07-31 12:47 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-07-21 06:16 . 2009-07-20 14:59 5936 ----a-w- c:\documents and settings\User\mqdmwhnt.sys
2009-07-21 06:16 . 2009-07-20 14:59 79328 ----a-w- c:\documents and settings\User\mqdmserd.sys
2009-07-21 06:16 . 2009-07-20 14:59 92064 ----a-w- c:\documents and settings\User\mqdmmdm.sys
2009-07-21 06:16 . 2009-07-20 14:59 9232 ----a-w- c:\documents and settings\User\mqdmmdfl.sys
2009-07-21 06:16 . 2009-07-20 14:59 4048 ----a-w- c:\documents and settings\User\mqdmcr.sys
2009-07-21 06:16 . 2009-07-20 14:59 6208 ----a-w- c:\documents and settings\User\mqdmcmnt.sys
2009-07-21 06:16 . 2009-07-20 14:59 66656 ----a-w- c:\documents and settings\User\mqdmbus.sys
2009-07-20 18:41 . 2009-06-30 06:11 22768 ----a-w- c:\windows\system32\drivers\usbsermpt.sys
2009-07-17 19:01 . 2004-08-10 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 15:08 . 2004-08-10 12:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-10 12:00 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-10 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-10 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-10 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-10 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-10 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-10 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 21:17 . 2009-06-24 21:16 8815552 ----a-w- c:\program files\windows-kb890830-v2.11.exe
2009-06-24 18:58 . 2009-06-24 18:58 714136 ----a-w- c:\program files\JavaScript SunMicrosystems.exe
2009-06-24 11:18 . 2004-08-10 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-10 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-10 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-10 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-10 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-05-29 15:34 . 2009-05-29 13:27 331805736 ----a-w- c:\program files\WindowsXP-KB936929-SP3-x86-ENU.exe
2009-05-25 01:39 . 2009-05-25 01:39 4909440 ----a-w- c:\program files\Silverlight.2.0.exe
2009-02-19 18:50 . 2009-02-19 18:50 53518 ----a-w- c:\program files\11-13-07_1501.3g2
2009-02-19 18:46 . 2009-02-19 18:45 52307672 ----a-w- c:\program files\AVSVideoConverter.exe
2008-12-20 20:08 . 2008-12-20 20:03 5166072 ----a-w- c:\program files\msgrplus.exe
2008-12-13 01:11 . 2008-12-13 01:10 123 ----a-w- c:\program files\ALLTEL Internet Accelerator Client setup.log
.

((((((((((((((((((((((((((((( SnapShot@2009-08-30_23.14.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-09 17:13 . 2009-09-09 17:13 88589 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
- 2009-08-14 08:48 . 2009-08-14 08:48 88589 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2004-08-10 12:00 . 2008-04-14 10:42 14336 c:\windows\system32\dllcache\svchost.exe
+ 2009-09-09 17:07 . 2009-09-09 17:07 87618 c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
- 2008-12-08 23:58 . 2008-11-24 22:34 94208 c:\windows\system32\Adobe\Shockwave 11\SwMenu.dll
+ 2009-07-31 13:26 . 2009-07-31 13:26 94208 c:\windows\system32\Adobe\Shockwave 11\SwMenu.dll
+ 2009-07-31 12:54 . 2009-07-31 12:54 79488 c:\windows\system32\Adobe\Shockwave 11\gtapi.dll
+ 2009-07-31 13:42 . 2009-07-31 13:42 67000 c:\windows\system32\Adobe\Director\SWDNLD.EXE
+ 2009-07-31 13:28 . 2009-07-31 13:28 9216 c:\windows\system32\Adobe\Shockwave 11\DynaPlayer.dll
- 2008-12-08 23:58 . 2008-11-24 22:35 9216 c:\windows\system32\Adobe\Shockwave 11\DynaPlayer.dll
+ 2009-09-09 18:23 . 2009-09-09 18:23 149280 c:\windows\system32\javaws.exe
+ 2009-09-09 18:23 . 2009-09-09 18:23 145184 c:\windows\system32\javaw.exe
+ 2009-09-09 18:23 . 2009-09-09 18:23 145184 c:\windows\system32\java.exe
+ 2009-07-31 12:54 . 2009-07-31 12:54 132472 c:\windows\system32\Adobe\Shockwave 11\SYMCCHECKER.DLL
+ 2009-07-31 13:26 . 2009-07-31 13:26 114688 c:\windows\system32\Adobe\Shockwave 11\SwInit.exe
- 2008-12-08 23:58 . 2008-11-24 22:34 114688 c:\windows\system32\Adobe\Shockwave 11\SwInit.exe
+ 2009-07-31 13:40 . 2009-07-31 13:40 468408 c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe
+ 2009-07-31 13:28 . 2009-07-31 13:28 446464 c:\windows\system32\Adobe\Shockwave 11\Proj.dll
- 2008-12-08 23:58 . 2008-11-24 22:36 446464 c:\windows\system32\Adobe\Shockwave 11\Proj.dll
+ 2009-07-31 13:26 . 2009-07-31 13:26 372736 c:\windows\system32\Adobe\Shockwave 11\Plugin.dll
+ 2009-07-31 12:54 . 2009-07-31 12:54 714752 c:\windows\system32\Adobe\Shockwave 11\gi.dll
+ 2009-07-31 13:25 . 2009-07-31 13:25 614400 c:\windows\system32\Adobe\Shockwave 11\Control.dll
+ 2009-07-31 13:41 . 2009-07-31 13:41 206264 c:\windows\system32\Adobe\Director\SwDir.dll
+ 2009-07-31 13:27 . 2009-07-31 13:27 131072 c:\windows\system32\Adobe\Director\np32dsw.dll
+ 2009-07-31 13:00 . 2009-07-31 13:00 1011712 c:\windows\system32\Adobe\Shockwave 11\iml32.dll
+ 2009-07-31 12:54 . 2009-07-31 12:54 1886320 c:\windows\system32\Adobe\Shockwave 11\gt.exe
+ 2009-07-31 13:04 . 2009-07-31 13:04 1798144 c:\windows\system32\Adobe\Shockwave 11\dirapi.dll
- 2008-12-08 23:58 . 2008-11-24 22:16 1798144 c:\windows\system32\Adobe\Shockwave 11\dirapi.dll
+ 2009-09-09 18:22 . 2009-09-09 18:22 1757696 c:\windows\Installer\3099d8.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-09 149280]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^eFax 4.4.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\eFax 4.4.lnk
backup=c:\windows\pss\eFax 4.4.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=c:\windows\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Alltel\\QuickLink Mobile\\QuickLink Mobile.exe"=
"c:\\Program Files\\mobile PhoneTools\\mPhonetools.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 0 (0x0)
"AllowInboundMaskRequest"= 0 (0x0)
"AllowInboundRouterRequest"= 0 (0x0)
"AllowOutboundDestinationUnreachable"= 0 (0x0)
"AllowOutboundSourceQuench"= 0 (0x0)
"AllowOutboundParameterProblem"= 0 (0x0)
"AllowOutboundTimeExceeded"= 0 (0x0)
"AllowRedirect"= 0 (0x0)
"AllowOutboundPacketTooBig"= 0 (0x0)

R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [8/10/2004 7:00 AM 14336]
R3 PTDLBus;PANTECH UM175AL Composite Device Driver;c:\windows\system32\drivers\PTDLBus.sys [5/19/2009 6:53 PM 32256]
R3 PTDLMdm;PANTECH UM175AL Drivers;c:\windows\system32\drivers\PTDLMdm.sys [5/19/2009 6:53 PM 41344]
R3 PTDLVsp;PANTECH UM175AL Diagnostic Port;c:\windows\system32\drivers\PTDLVsp.sys [5/19/2009 6:53 PM 39936]
R3 PTDLWWAN;PANTECH UM175AL WWAN Driver;c:\windows\system32\drivers\PTDLWWAN.sys [5/19/2009 6:53 PM 59776]
S2 kihist;kihist;c:\windows\system32\svchost.exe -k netsvcs [8/10/2004 7:00 AM 14336]
S3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);c:\windows\system32\drivers\cmo_bus.sys [12/11/2008 2:17 PM 58352]
S3 cmo_mdfl;Data Modem @ CDMA Filter;c:\windows\system32\drivers\cmo_mdfl.sys [12/11/2008 2:17 PM 8304]
S3 cmo_mdm;Data Modem @ CDMA Drivers;c:\windows\system32\drivers\cmo_mdm.sys [12/11/2008 2:17 PM 93904]
S3 cmo_serd;Data Modem @ CDMA Diagnostic Serial Port (WDM);c:\windows\system32\drivers\cmo_serd.sys [12/11/2008 2:17 PM 73696]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys --> c:\windows\system32\DRIVERS\ewusbnet.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - aujasnkj

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
TCP: {0D33C83D-B171-48F0-9ADF-680A56E450A4} = 75.116.127.154 75.116.63.154
DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4}
.
.
------- File Associations -------
.
VBSFile=%WINDIR%\System32\CScript.exe //nologo "%1" %*
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-09 21:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1935655697-1682526488-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1988)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
.
Completion time: 2009-09-10 21:23
ComboFix-quarantined-files.txt 2009-09-10 02:23
ComboFix2.txt 2009-09-09 17:55
ComboFix3.txt 2009-09-09 16:45
ComboFix4.txt 2009-08-30 23:20

Pre-Run: 20,372,267,008 bytes free
Post-Run: 20,418,383,872 bytes free

255 --- E O F --- 2009-08-28 12:18

GMER Log
GMER 1.0.15.15077 [udiizux6.exe] - http://www.gmer.net
Rootkit scan 2009-09-09 21:01:52
Windows 5.1.2600 Service Pack 3


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\naocj@DisplayName Update Helper
Reg HKLM\SYSTEM\ControlSet002\Services\naocj@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\naocj@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\naocj@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\naocj@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\naocj@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\naocj@Description Stores security information for local user accounts.
Reg HKLM\SYSTEM\ControlSet002\Services\naocj\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\naocj\Parameters@ServiceDll C:\WINDOWS\system32\iohxpwha.dll

---- EOF - GMER 1.0.15 ----

Blade81
2009-09-10, 17:56
Open notepad and copy/paste the text in the quotebox below into it:



Driver::
kihist
File::
C:\Documents and Settings\All Users\LimeWire Downloads\mobile phone tools [cracked by TSRh].zip
C:\Documents and Settings\All Users\LimeWire Downloads\Motorola Mobile Phone Tools 4 - Suite Completa - by arky.zip
C:\Documents and Settings\User\Desktop\DriverTool\keymaker.exe
C:\Documents and Settings\User\Desktop\DriverTool\Setup.exe
C:\WINDOWS\system32\iohxpwha.dll
Folder::
C:\Documents and Settings\All Users\LimeWire Downloads\Motorola Mobile Phone Tools + USB Driver (www.softzone.org)



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & fresh dds.txt log. How's the system running?

godalmighty69
2009-09-11, 23:00
ComboFix with CFScript
ComboFix 09-09-09.04 - User 09/11/2009 9:42.5.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.382.158 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript9'11'09.txt

FILE ::
"c:\documents and settings\All Users\LimeWire Downloads\mobile phone tools [cracked by TSRh].zip"
"c:\documents and settings\All Users\LimeWire Downloads\Motorola Mobile Phone Tools 4 - Suite Completa - by arky.zip"
"c:\documents and settings\User\Desktop\DriverTool\keymaker.exe"
"c:\documents and settings\User\Desktop\DriverTool\Setup.exe"
"c:\windows\system32\iohxpwha.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\LimeWire Downloads\mobile phone tools [cracked by TSRh].zip
c:\documents and settings\All Users\LimeWire Downloads\Motorola Mobile Phone Tools + USB Driver (www.softzone.org)
c:\documents and settings\All Users\LimeWire Downloads\Motorola Mobile Phone Tools + USB Driver (www.softzone.org)\Data1.dll
c:\documents and settings\All Users\LimeWire Downloads\Motorola Mobile Phone Tools + USB Driver (www.softzone.org)\Data2.dll
c:\documents and settings\All Users\LimeWire Downloads\Motorola Mobile Phone Tools + USB Driver (www.softzone.org)\Data3.dll
c:\documents and settings\All Users\LimeWire Downloads\Motorola Mobile Phone Tools + USB Driver (www.softzone.org)\Data4.dll
c:\documents and settings\All Users\LimeWire Downloads\Motorola Mobile Phone Tools + USB Driver (www.softzone.org)\keymaker.exe
c:\documents and settings\All Users\LimeWire Downloads\Motorola Mobile Phone Tools + USB Driver (www.softzone.org)\Motorola Mobile Phone Tools + USB Driver (www.softzone.org).nfo
c:\documents and settings\All Users\LimeWire Downloads\Motorola Mobile Phone Tools + USB Driver (www.softzone.org)\Setup.exe
c:\documents and settings\All Users\LimeWire Downloads\Motorola Mobile Phone Tools 4 - Suite Completa - by arky.zip
c:\documents and settings\User\Desktop\DriverTool\keymaker.exe
c:\documents and settings\User\Desktop\DriverTool\Setup.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KIHIST
-------\Service_kihist


((((((((((((((((((((((((( Files Created from 2009-08-11 to 2009-09-11 )))))))))))))))))))))))))))))))
.

2009-09-09 14:15 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-08-31 06:29 . 2009-08-31 06:29 -------- d-----w- C:\$AVG8.VAULT$
2009-08-31 03:24 . 2009-08-31 03:24 -------- d-----w- c:\program files\AVG
2009-08-31 03:24 . 2009-09-03 05:03 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-31 02:02 . 2009-08-31 03:07 68569208 ----a-w- c:\program files\avg_free_stf_en_85_409a1634.exe
2009-08-29 13:26 . 2009-08-29 13:47 -------- d-----w- c:\program files\Spybot
2009-08-28 18:24 . 2009-08-28 18:43 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-28 13:13 . 2009-08-28 13:13 -------- d-sh--w- c:\documents and settings\User\IECompatCache
2009-08-28 13:11 . 2009-08-28 13:11 -------- d-sh--w- c:\documents and settings\User\PrivacIE
2009-08-28 12:28 . 2009-08-28 12:28 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-28 12:22 . 2009-08-28 12:22 -------- d-sh--w- c:\documents and settings\User\IETldCache
2009-08-28 12:18 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-08-28 12:16 . 2009-09-10 08:01 -------- d-----w- c:\windows\ie8updates
2009-08-28 12:15 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-08-28 12:15 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-28 12:07 . 2009-08-28 12:14 -------- dc-h--w- c:\windows\ie8
2009-08-28 11:30 . 2009-08-28 11:33 4153 ----a-w- C:\fix.reg
2009-08-24 05:13 . 2008-10-16 19:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-08-21 14:58 . 2009-08-21 14:58 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-21 14:57 . 2009-08-21 14:57 -------- d-----w- c:\program files\MSBuild
2009-08-21 14:57 . 2009-08-21 14:57 -------- d-----w- c:\program files\Reference Assemblies
2009-08-21 14:54 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-21 14:54 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-21 14:54 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-21 14:54 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-21 14:54 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-21 14:54 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-21 14:54 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-21 14:54 . 2009-08-21 14:55 -------- d-----w- C:\6f6b5f0da4264d87e011e22fee34eb1d
2009-08-18 17:43 . 2009-08-22 16:43 -------- d-----w- c:\documents and settings\User\Application Data\IPublish
2009-08-18 17:43 . 2009-08-18 17:43 -------- d-----w- c:\program files\IPRO Tech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-10 08:12 . 2009-05-25 01:40 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-09 18:23 . 2008-12-09 01:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-09 17:25 . 2008-12-09 01:19 -------- d-----w- c:\program files\Java
2009-08-30 15:44 . 2008-12-18 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-28 18:30 . 2008-12-09 01:13 -------- d-----w- c:\program files\Diskeeper Corporation
2009-08-28 18:26 . 2008-12-16 08:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-08-28 18:26 . 2008-12-16 08:48 -------- d-----w- c:\program files\Yahoo!
2009-08-28 18:23 . 2008-12-08 23:13 -------- d-----w- c:\program files\CONEXANT
2009-08-28 17:59 . 2008-12-08 22:19 33216 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-28 17:45 . 2009-01-19 10:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-28 17:21 . 2009-01-19 10:19 -------- d-----w- c:\program files\Microsoft Works
2009-08-27 03:17 . 2009-04-03 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-27 03:17 . 2009-04-03 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-27 03:15 . 2009-04-03 00:58 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-27 03:14 . 2009-04-03 01:00 -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-08-23 16:05 . 2008-12-18 02:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-23 11:36 . 2009-03-26 21:20 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-22 11:46 . 2008-12-18 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-19 07:02 . 2009-02-19 18:46 -------- d-----w- c:\program files\AVS4YOU
2009-08-14 05:50 . 2009-06-30 06:11 24192 ----a-w- c:\documents and settings\User\usbsermptxp.sys
2009-08-14 05:50 . 2009-06-30 06:11 22768 ----a-w- c:\documents and settings\User\usbsermpt.sys
2009-08-05 11:50 . 2009-01-12 01:52 -------- d-----w- c:\program files\Google
2009-08-05 10:40 . 2008-12-22 19:30 -------- d-----w- c:\program files\HP
2009-08-05 09:01 . 2004-08-10 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-31 18:52 . 2008-12-20 20:09 -------- d-----w- c:\documents and settings\User\Application Data\eFax Messenger
2009-07-31 12:47 . 2009-07-31 12:47 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-07-31 12:47 . 2009-07-31 12:47 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-07-21 06:16 . 2009-07-20 14:59 5936 ----a-w- c:\documents and settings\User\mqdmwhnt.sys
2009-07-21 06:16 . 2009-07-20 14:59 79328 ----a-w- c:\documents and settings\User\mqdmserd.sys
2009-07-21 06:16 . 2009-07-20 14:59 92064 ----a-w- c:\documents and settings\User\mqdmmdm.sys
2009-07-21 06:16 . 2009-07-20 14:59 9232 ----a-w- c:\documents and settings\User\mqdmmdfl.sys
2009-07-21 06:16 . 2009-07-20 14:59 4048 ----a-w- c:\documents and settings\User\mqdmcr.sys
2009-07-21 06:16 . 2009-07-20 14:59 6208 ----a-w- c:\documents and settings\User\mqdmcmnt.sys
2009-07-21 06:16 . 2009-07-20 14:59 66656 ----a-w- c:\documents and settings\User\mqdmbus.sys
2009-07-20 18:41 . 2009-06-30 06:11 22768 ----a-w- c:\windows\system32\drivers\usbsermpt.sys
2009-07-17 19:01 . 2004-08-10 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 15:08 . 2004-08-10 12:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-10 12:00 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-10 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-10 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-10 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-10 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-10 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-10 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 21:17 . 2009-06-24 21:16 8815552 ----a-w- c:\program files\windows-kb890830-v2.11.exe
2009-06-24 18:58 . 2009-06-24 18:58 714136 ----a-w- c:\program files\JavaScript SunMicrosystems.exe
2009-06-24 11:18 . 2004-08-10 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-10 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-10 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-05-29 15:34 . 2009-05-29 13:27 331805736 ----a-w- c:\program files\WindowsXP-KB936929-SP3-x86-ENU.exe
2009-05-25 01:39 . 2009-05-25 01:39 4909440 ----a-w- c:\program files\Silverlight.2.0.exe
2009-02-19 18:50 . 2009-02-19 18:50 53518 ----a-w- c:\program files\11-13-07_1501.3g2
2009-02-19 18:46 . 2009-02-19 18:45 52307672 ----a-w- c:\program files\AVSVideoConverter.exe
2008-12-20 20:08 . 2008-12-20 20:03 5166072 ----a-w- c:\program files\msgrplus.exe
2008-12-13 01:11 . 2008-12-13 01:10 123 ----a-w- c:\program files\ALLTEL Internet Accelerator Client setup.log
.

((((((((((((((((((((((((((((( SnapShot@2009-08-30_23.14.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-11 14:55 . 2009-09-11 14:55 16384 c:\windows\temp\Perflib_Perfdata_3bc.dat
+ 2009-09-09 17:13 . 2009-09-09 17:13 88589 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
- 2009-08-14 08:48 . 2009-08-14 08:48 88589 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2004-08-10 12:00 . 2008-04-14 10:42 14336 c:\windows\system32\dllcache\svchost.exe
+ 2009-09-09 17:07 . 2009-09-09 17:07 87618 c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
+ 2009-07-31 13:26 . 2009-07-31 13:26 94208 c:\windows\system32\Adobe\Shockwave 11\SwMenu.dll
- 2008-12-08 23:58 . 2008-11-24 22:34 94208 c:\windows\system32\Adobe\Shockwave 11\SwMenu.dll
+ 2009-07-31 12:54 . 2009-07-31 12:54 79488 c:\windows\system32\Adobe\Shockwave 11\gtapi.dll
+ 2009-07-31 13:42 . 2009-07-31 13:42 67000 c:\windows\system32\Adobe\Director\SWDNLD.EXE
- 2009-05-30 19:44 . 2009-05-30 19:44 40960 c:\windows\assembly\GAC\Microsoft.MediaCenter\6.0.3000.0__31bf3856ad364e35\Microsoft.MediaCenter.dll
+ 2009-09-10 08:13 . 2009-09-10 08:13 40960 c:\windows\assembly\GAC\Microsoft.MediaCenter\6.0.3000.0__31bf3856ad364e35\Microsoft.MediaCenter.dll
+ 2009-09-10 08:13 . 2009-09-10 08:13 53248 c:\windows\assembly\GAC\ehiWUapi\6.0.3000.0__31bf3856ad364e35\ehiWUapi.dll
- 2009-05-30 19:44 . 2009-05-30 19:44 53248 c:\windows\assembly\GAC\ehiWUapi\6.0.3000.0__31bf3856ad364e35\ehiWUapi.dll
- 2009-05-30 19:44 . 2009-05-30 19:44 16896 c:\windows\assembly\GAC\ehiUserXp\6.0.3000.0__31bf3856ad364e35\ehiuserxp.dll
+ 2009-09-10 08:13 . 2009-09-10 08:13 16896 c:\windows\assembly\GAC\ehiUserXp\6.0.3000.0__31bf3856ad364e35\ehiuserxp.dll
- 2009-05-30 19:44 . 2009-05-30 19:44 73728 c:\windows\assembly\GAC\ehiExtens\6.0.3000.0__31bf3856ad364e35\ehiExtens.dll
+ 2009-09-10 08:13 . 2009-09-10 08:13 73728 c:\windows\assembly\GAC\ehiExtens\6.0.3000.0__31bf3856ad364e35\ehiExtens.dll
+ 2009-07-31 13:28 . 2009-07-31 13:28 9216 c:\windows\system32\Adobe\Shockwave 11\DynaPlayer.dll
- 2008-12-08 23:58 . 2008-11-24 22:35 9216 c:\windows\system32\Adobe\Shockwave 11\DynaPlayer.dll
- 2004-08-10 12:00 . 2009-03-08 09:33 726528 c:\windows\system32\jscript.dll
+ 2004-08-10 12:00 . 2009-06-22 06:44 726528 c:\windows\system32\jscript.dll
+ 2009-09-09 18:23 . 2009-09-09 18:23 149280 c:\windows\system32\javaws.exe
+ 2009-09-09 18:23 . 2009-09-09 18:23 145184 c:\windows\system32\javaw.exe
+ 2009-09-09 18:23 . 2009-09-09 18:23 145184 c:\windows\system32\java.exe
+ 2008-05-09 10:53 . 2009-06-22 06:44 726528 c:\windows\system32\dllcache\jscript.dll
- 2008-05-09 10:53 . 2009-03-08 09:33 726528 c:\windows\system32\dllcache\jscript.dll
+ 2009-07-31 12:54 . 2009-07-31 12:54 132472 c:\windows\system32\Adobe\Shockwave 11\SYMCCHECKER.DLL
+ 2009-07-31 13:26 . 2009-07-31 13:26 114688 c:\windows\system32\Adobe\Shockwave 11\SwInit.exe
- 2008-12-08 23:58 . 2008-11-24 22:34 114688 c:\windows\system32\Adobe\Shockwave 11\SwInit.exe
+ 2009-07-31 13:40 . 2009-07-31 13:40 468408 c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe
+ 2009-07-31 13:28 . 2009-07-31 13:28 446464 c:\windows\system32\Adobe\Shockwave 11\Proj.dll
- 2008-12-08 23:58 . 2008-11-24 22:36 446464 c:\windows\system32\Adobe\Shockwave 11\Proj.dll
+ 2009-07-31 13:26 . 2009-07-31 13:26 372736 c:\windows\system32\Adobe\Shockwave 11\Plugin.dll
+ 2009-07-31 12:54 . 2009-07-31 12:54 714752 c:\windows\system32\Adobe\Shockwave 11\gi.dll
+ 2009-07-31 13:25 . 2009-07-31 13:25 614400 c:\windows\system32\Adobe\Shockwave 11\Control.dll
+ 2009-07-31 13:41 . 2009-07-31 13:41 206264 c:\windows\system32\Adobe\Director\SwDir.dll
+ 2009-07-31 13:27 . 2009-07-31 13:27 131072 c:\windows\system32\Adobe\Director\np32dsw.dll
+ 2009-09-10 08:01 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\spuninst\updspapi.dll
+ 2009-09-10 08:01 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst\spuninst.exe
+ 2009-09-10 08:01 . 2009-03-08 09:33 726528 c:\windows\ie8updates\KB971961-IE8\jscript.dll
+ 2008-12-08 21:57 . 2009-08-18 15:55 179712 c:\windows\ehome\ehkeyctl.dll
+ 2009-09-10 08:13 . 2009-09-10 08:13 331776 c:\windows\assembly\GAC\ehRecObj\6.0.3000.0__31bf3856ad364e35\ehRecObj.dll
- 2009-05-30 19:44 . 2009-05-30 19:44 331776 c:\windows\assembly\GAC\ehRecObj\6.0.3000.0__31bf3856ad364e35\ehRecObj.dll
- 2009-05-30 19:44 . 2009-05-30 19:44 122880 c:\windows\assembly\GAC\ehiwmp\6.0.3000.0__31bf3856ad364e35\ehiwmp.dll
+ 2009-09-10 08:13 . 2009-09-10 08:13 122880 c:\windows\assembly\GAC\ehiwmp\6.0.3000.0__31bf3856ad364e35\ehiwmp.dll
+ 2009-09-10 08:13 . 2009-09-10 08:13 258048 c:\windows\assembly\GAC\ehiVidCtl\6.0.3000.0__31bf3856ad364e35\ehiVidCtl.dll
- 2009-05-30 19:44 . 2009-05-30 19:44 258048 c:\windows\assembly\GAC\ehiVidCtl\6.0.3000.0__31bf3856ad364e35\ehiVidCtl.dll
+ 2009-09-10 08:13 . 2009-09-10 08:13 348160 c:\windows\assembly\GAC\ehiProxy\6.0.3000.0__31bf3856ad364e35\ehiProxy.dll
- 2009-05-30 19:44 . 2009-05-30 19:44 348160 c:\windows\assembly\GAC\ehiProxy\6.0.3000.0__31bf3856ad364e35\ehiProxy.dll
+ 2009-09-10 08:13 . 2009-09-10 08:13 139264 c:\windows\assembly\GAC\ehiPlay\6.0.3000.0__31bf3856ad364e35\ehiPlay.dll
- 2009-05-30 19:44 . 2009-05-30 19:44 139264 c:\windows\assembly\GAC\ehiPlay\6.0.3000.0__31bf3856ad364e35\ehiPlay.dll
- 2009-05-30 19:44 . 2009-05-30 19:44 167936 c:\windows\assembly\GAC\ehiMsgr\6.0.3000.0__31bf3856ad364e35\ehiMsgr.dll
+ 2009-09-10 08:13 . 2009-09-10 08:13 167936 c:\windows\assembly\GAC\ehiMsgr\6.0.3000.0__31bf3856ad364e35\ehiMsgr.dll
+ 2009-09-10 08:13 . 2009-09-10 08:13 126976 c:\windows\assembly\GAC\ehepgdat\6.0.3000.0__31bf3856ad364e35\ehepgdat.dll
- 2009-05-30 19:44 . 2009-05-30 19:44 126976 c:\windows\assembly\GAC\ehepgdat\6.0.3000.0__31bf3856ad364e35\ehepgdat.dll
- 2009-05-30 19:44 . 2009-05-30 19:44 811008 c:\windows\assembly\GAC\ehepg\6.0.3000.0__31bf3856ad364e35\ehepg.dll
+ 2009-09-10 08:13 . 2009-09-10 08:13 811008 c:\windows\assembly\GAC\ehepg\6.0.3000.0__31bf3856ad364e35\ehepg.dll
- 2009-05-30 19:44 . 2009-05-30 19:44 180224 c:\windows\assembly\GAC\ehcommon\6.0.3000.0__31bf3856ad364e35\ehcommon.dll
+ 2009-09-10 08:13 . 2009-09-10 08:13 180224 c:\windows\assembly\GAC\ehcommon\6.0.3000.0__31bf3856ad364e35\ehcommon.dll
+ 2009-09-10 08:13 . 2009-09-10 08:13 102400 c:\windows\assembly\GAC\ehCIR\6.0.3000.0__31bf3856ad364e35\ehCIR.dll
- 2009-05-30 19:44 . 2009-05-30 19:44 102400 c:\windows\assembly\GAC\ehCIR\6.0.3000.0__31bf3856ad364e35\ehCIR.dll
+ 2009-09-10 08:13 . 2009-09-10 08:13 111616 c:\windows\assembly\GAC\BDATunePIA\6.0.3000.0__31bf3856ad364e35\bdatunepia.dll
- 2009-05-30 19:44 . 2009-05-30 19:44 111616 c:\windows\assembly\GAC\BDATunePIA\6.0.3000.0__31bf3856ad364e35\bdatunepia.dll
+ 2004-08-10 12:00 . 2009-05-20 17:44 2355200 c:\windows\system32\WMVCore.dll
+ 2004-08-10 12:00 . 2009-05-20 17:44 2355200 c:\windows\system32\dllcache\WMVCore.dll
+ 2009-07-31 13:00 . 2009-07-31 13:00 1011712 c:\windows\system32\Adobe\Shockwave 11\iml32.dll
+ 2009-07-31 12:54 . 2009-07-31 12:54 1886320 c:\windows\system32\Adobe\Shockwave 11\gt.exe
+ 2009-07-31 13:04 . 2009-07-31 13:04 1798144 c:\windows\system32\Adobe\Shockwave 11\dirapi.dll
- 2008-12-08 23:58 . 2008-11-24 22:16 1798144 c:\windows\system32\Adobe\Shockwave 11\dirapi.dll
+ 2009-09-09 18:22 . 2009-09-09 18:22 1757696 c:\windows\Installer\3099d8.msi
- 2009-05-30 19:44 . 2009-05-30 19:44 1740800 c:\windows\assembly\GAC\EhCM\6.0.3000.0__31bf3856ad364e35\EhCM.dll
+ 2009-09-10 08:13 . 2009-09-10 08:13 1740800 c:\windows\assembly\GAC\EhCM\6.0.3000.0__31bf3856ad364e35\EhCM.dll
+ 2009-05-31 00:39 . 2009-08-28 21:38 24689600 c:\windows\system32\MRT.exe
+ 2009-09-10 08:03 . 2009-09-10 08:03 15709696 c:\windows\Installer\aaeda7.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-09 149280]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^eFax 4.4.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\eFax 4.4.lnk
backup=c:\windows\pss\eFax 4.4.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=c:\windows\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Alltel\\QuickLink Mobile\\QuickLink Mobile.exe"=
"c:\\Program Files\\mobile PhoneTools\\mPhonetools.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 0 (0x0)
"AllowInboundMaskRequest"= 0 (0x0)
"AllowInboundRouterRequest"= 0 (0x0)
"AllowOutboundDestinationUnreachable"= 0 (0x0)
"AllowOutboundSourceQuench"= 0 (0x0)
"AllowOutboundParameterProblem"= 0 (0x0)
"AllowOutboundTimeExceeded"= 0 (0x0)
"AllowRedirect"= 0 (0x0)
"AllowOutboundPacketTooBig"= 0 (0x0)

R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [8/10/2004 7:00 AM 14336]
R3 PTDLBus;PANTECH UM175AL Composite Device Driver;c:\windows\system32\drivers\PTDLBus.sys [5/19/2009 6:53 PM 32256]
R3 PTDLMdm;PANTECH UM175AL Drivers;c:\windows\system32\drivers\PTDLMdm.sys [5/19/2009 6:53 PM 41344]
R3 PTDLVsp;PANTECH UM175AL Diagnostic Port;c:\windows\system32\drivers\PTDLVsp.sys [5/19/2009 6:53 PM 39936]
R3 PTDLWWAN;PANTECH UM175AL WWAN Driver;c:\windows\system32\drivers\PTDLWWAN.sys [5/19/2009 6:53 PM 59776]
S3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);c:\windows\system32\drivers\cmo_bus.sys [12/11/2008 2:17 PM 58352]
S3 cmo_mdfl;Data Modem @ CDMA Filter;c:\windows\system32\drivers\cmo_mdfl.sys [12/11/2008 2:17 PM 8304]
S3 cmo_mdm;Data Modem @ CDMA Drivers;c:\windows\system32\drivers\cmo_mdm.sys [12/11/2008 2:17 PM 93904]
S3 cmo_serd;Data Modem @ CDMA Diagnostic Serial Port (WDM);c:\windows\system32\drivers\cmo_serd.sys [12/11/2008 2:17 PM 73696]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys --> c:\windows\system32\DRIVERS\ewusbnet.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
TCP: {0D33C83D-B171-48F0-9ADF-680A56E450A4} = 75.116.127.154 75.116.63.154
DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-11 10:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1935655697-1682526488-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1548)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-11 10:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-11 15:07
ComboFix2.txt 2009-09-10 02:23
ComboFix3.txt 2009-09-09 17:55
ComboFix4.txt 2009-09-09 16:45
ComboFix5.txt 2009-09-11 14:41

Pre-Run: 20,313,567,232 bytes free
Post-Run: 20,274,274,304 bytes free

330 --- E O F --- 2009-09-10 08:06

dds.txt (I hope this is the correct one ...)


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/8/2008 4:12:01 PM
System Uptime: 9/11/2009 9:54:51 AM (4 hours ago)

Motherboard: Hewlett-Packard | | 30AE
Processor: Mobile AMD Sempron(tm) Processor 3300+ | U23 | 1994/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 56 GiB total, 18.902 GiB free.
D: is CDROM ()
E: is CDROM (FAT)

==== Disabled Device Manager Items =============

Class GUID:
Description: PCI Modem
Device ID: PCI\VEN_1002&DEV_4378&SUBSYS_30AE103C&REV_02\3&13C0B0C5&0&A6
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_1002&DEV_4378&SUBSYS_30AE103C&REV_02\3&13C0B0C5&0&A6
Service:

==== System Restore Points ===================

RP47: 7/20/2009 11:55:52 PM - Unsigned driver install
RP48: 7/22/2009 3:41:48 PM - System Checkpoint
RP49: 7/26/2009 10:04:30 PM - System Checkpoint
RP50: 7/27/2009 11:05:32 PM - System Checkpoint
RP51: 7/29/2009 3:22:22 AM - Software Distribution Service 3.0
RP52: 7/29/2009 11:47:36 PM - Avg8 Update
RP53: 7/29/2009 11:53:29 PM - Avg8 Update
RP54: 7/31/2009 12:16:04 AM - System Checkpoint
RP55: 8/1/2009 2:54:14 AM - System Checkpoint
RP56: 8/2/2009 3:29:34 AM - System Checkpoint
RP57: 8/4/2009 12:06:38 AM - System Checkpoint
RP58: 8/5/2009 1:36:47 AM - System Checkpoint
RP59: 8/5/2009 5:36:13 AM - Removed HP Photosmart Essential
RP60: 8/5/2009 5:38:47 AM - Removed HPSU306Stub
RP61: 8/5/2009 5:39:18 AM - Removed HP Software Update
RP62: 8/6/2009 9:25:08 AM - System Checkpoint
RP63: 8/7/2009 9:52:44 AM - System Checkpoint
RP64: 8/8/2009 11:27:40 AM - System Checkpoint
RP65: 8/9/2009 10:42:49 PM - System Checkpoint
RP66: 8/11/2009 7:05:56 PM - System Checkpoint
RP67: 8/12/2009 5:43:55 AM - Software Distribution Service 3.0
RP68: 8/13/2009 6:13:05 AM - System Checkpoint
RP69: 8/14/2009 3:08:10 AM - Software Distribution Service 3.0
RP70: 8/15/2009 3:59:54 AM - System Checkpoint
RP71: 8/16/2009 1:05:08 AM - Spybot-S&D Spyware removal
RP72: 8/17/2009 3:02:47 AM - System Checkpoint
RP73: 8/18/2009 9:34:12 AM - System Checkpoint
RP74: 8/19/2009 5:58:57 PM - System Checkpoint
RP75: 8/20/2009 3:48:01 PM - Avg8 Update
RP76: 8/20/2009 3:50:34 PM - Avg8 Update
RP77: 8/21/2009 9:21:29 AM - Software Distribution Service 3.0
RP78: 8/22/2009 12:21:00 PM - System Checkpoint
RP79: 8/22/2009 4:44:48 PM - Removed AVG 8.5
RP80: 8/22/2009 4:56:03 PM - Installed AVG 8.5
RP81: 8/23/2009 5:54:30 AM - Software Distribution Service 3.0
RP82: 8/23/2009 1:17:06 PM - Microsoft OneCare Protection Checkpoint
RP83: 8/24/2009 10:17:05 PM - Software Distribution Service 3.0
RP84: 8/25/2009 9:42:16 PM - Installed AVG Free 8.5
RP85: 8/26/2009 6:37:58 PM - Configured AVG Free 8.5
RP86: 8/26/2009 6:51:58 PM - Configured AVG Free 8.5
RP87: 8/26/2009 10:49:27 PM - Removed AVG Free 8.5
RP88: 8/26/2009 10:53:38 PM - Installed AVG Free 8.5
RP89: 8/27/2009 3:00:26 AM - Software Distribution Service 3.0
RP90: 8/28/2009 6:50:36 AM - Software Distribution Service 3.0
RP91: 8/28/2009 12:15:14 PM - Software Distribution Service 3.0
RP92: 8/28/2009 12:41:44 PM - Software Distribution Service 3.0
RP93: 8/28/2009 1:24:27 PM - Removed Visual C++ 2008 x86 Runtime - (v9.0.30729)
RP94: 8/28/2009 1:30:34 PM - Removed Diskeeper 2009 Pro Premier.
RP95: 8/30/2009 12:08:56 AM - System Checkpoint
RP96: 8/30/2009 10:24:09 PM - Installed AVG Free 8.5
RP97: 9/1/2009 11:42:34 PM - Avg8 Update
RP98: 9/2/2009 11:47:02 PM - System Checkpoint
RP99: 9/3/2009 12:00:18 AM - Removed AVG Free 8.5
RP100: 9/3/2009 12:05:04 AM - Installed AVG Free 8.5
RP101: 9/4/2009 6:57:41 AM - System Checkpoint
RP102: 9/5/2009 7:09:01 AM - System Checkpoint
RP103: 9/6/2009 7:45:07 AM - System Checkpoint
RP104: 9/8/2009 1:19:41 PM - System Checkpoint
RP105: 9/9/2009 12:24:50 PM - Removed Java(TM) 6 Update 7
RP106: 9/9/2009 12:25:56 PM - Removed Java(TM) 6 Update 11
RP107: 9/9/2009 1:22:48 PM - Installed Java(TM) 6 Update 16
RP108: 9/10/2009 3:00:26 AM - Software Distribution Service 3.0
RP109: 9/11/2009 8:35:34 AM - System Checkpoint

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.1.3
Adobe Shockwave Player 11.5
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AVS Update Manager 1.0
AVS Video Converter 6
AVS4YOU Software Navigator 1.3
Broadcom 802.11 Wireless LAN Adapter
Citrix XenApp Web Plugin
Conexant AC-Link Audio
D1300_Help
eFax Messenger
Google Earth
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
hph_readme
hph_software_req
Java(TM) 6 Update 16
LiveUpdate BVRP Software
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
mobile PhoneTools
Nero 6 Ultra Edition
NetWaiting
OpenOffice.org 3.0
palmOne
PANTECH UM175AL Driver
PowerDVD
QuickLink Mobile
QuickTime
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Spybot - Search & Destroy
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
WebFldrs XP
WebReg
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Resource Kit Tools - SubInAcl.exe
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
XP Codec Pack

==== Event Viewer Messages From Past Week ========

9/9/2009 8:35:17 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file svchost.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
9/9/2009 12:30:35 PM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.
9/9/2009 11:42:16 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
9/9/2009 11:40:15 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
9/8/2009 10:01:26 PM, error: PlugPlayManager [12] - The device 'PANTECH UM175AL WWAN Driver #4' (USB\VID_106c&PID_3715&MI_03\6&27c99b97&0&8515) disappeared from the system without first being prepared for removal.
9/7/2009 12:56:33 PM, error: Dhcp [1002] - The IP address lease 192.168.1.6 for the Network Card with network address 0014A5E911FE has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
9/7/2009 11:30:22 AM, error: Service Control Manager [7023] - The Update Helper service terminated with the following error: The specified module could not be found.
9/7/2009 11:30:22 AM, error: Service Control Manager [7023] - The kihist service terminated with the following error: The specified module could not be found.
9/7/2009 11:30:08 AM, error: Dhcp [1002] - The IP address lease 192.168.239.131 for the Network Card with network address 0014A5E911FE has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
9/4/2009 6:31:02 AM, error: Service Control Manager [7031] - The OneCare AntiSpyware and AntiVirus service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
9/4/2009 6:30:21 AM, error: Service Control Manager [7031] - The OneCare AntiSpyware and AntiVirus service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
9/4/2009 6:29:53 AM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
9/4/2009 6:29:37 AM, error: Service Control Manager [7034] - The Windows Live OneCare Health Monitor service terminated unexpectedly. It has done this 1 time(s).
9/10/2009 7:52:40 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
9/10/2009 7:52:40 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

==== End Of File ===========================

GMER Log

GMER 1.0.15.15077 [udiizux6.exe] - http://www.gmer.net
Rootkit scan 2009-09-11 13:52:57
Windows 5.1.2600 Service Pack 3


---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\naocj@DisplayName Update Helper
Reg HKLM\SYSTEM\ControlSet002\Services\naocj@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\naocj@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\naocj@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\naocj@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\naocj@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\naocj@Description Stores security information for local user accounts.
Reg HKLM\SYSTEM\ControlSet002\Services\naocj\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\naocj\Parameters@ServiceDll C:\WINDOWS\system32\iohxpwha.dll

---- EOF - GMER 1.0.15 ----

You asked how the system was running ... much better I guess ... the fact of it is, I have purposefully not used this laptop very much until your opinion was that most of the issues had been resolved ... One question I had was that during the booting up phase, a message flashes on the light blue screen as follows, except the first symbol appears to be a backwards capital "L" ... it says "Ls delete program not found skipping autocheck" ...
Is this finding pertinent? And did the malware/spyware that was found by Kaspersky get removed?
Thanks again Blade81 for all your patience and help ...

Blade81
2009-09-11, 23:15
Hi,


dds.txt (I hope this is the correct one ...)
Looks like you posted attach.txt contents. Please post dds.txt contents in next post :)


One question I had was that during the booting up phase, a message flashes on the light blue screen as follows, except the first symbol appears to be a backwards capital "L" ... it says "Ls delete program not found skipping autocheck" ...
Is this finding pertinent?
Let's try to make that disappear.


And did the malware/spyware that was found by Kaspersky get removed?
Yes, those other items will be cleaned when ComboFix is uninstalled and System Restore is reset (will be done in the final phase).


Open notepad and copy/paste the text in the quotebox below into it:



Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\naocj]



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & fresh DDS log. Still getting that message during bootup?
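The CFScript above does two things: it rewrites BootExecute to its stock value, and it deletes the naocj service key that the GMER log in the previous post showed hosted in svchost's netsvcs group with a ServiceDll of C:\WINDOWS\system32\iohxpwha.dll. The Python below is an added example, not code from this thread, from ComboFix or from GMER: it decodes the hex(7) REG_MULTI_SZ string so you can see it is exactly "autocheck autochk *", and it parses GMER "Reg" lines to flag svchost-hosted services whose ServiceDll is not on a baseline list. The function names, the abbreviated allow-list and the wuauserv comparison lines are assumptions constructed for the example; the naocj lines are copied from the log.

```python
# Added example, not part of this thread or of ComboFix/GMER: the two checks
# behind the CFScript above, done offline over text copied from the logs.
# Function names, the allow-list and the 'wuauserv' sample lines are constructed.
import re
from typing import Dict, List, Optional

# What Windows itself puts in BootExecute: run autochk on every volume.
DEFAULT_BOOT_EXECUTE = ["autocheck autochk *"]

# The exact value the CFScript writes (copied from the post above).
CFSCRIPT_BOOT_EXECUTE = (
    '"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00'
)


def decode_hex7(reg_value: str, utf16: Optional[bool] = None) -> List[str]:
    """Decode a .reg-style hex(7) (REG_MULTI_SZ) value into its strings.

    REGEDIT4 files, which is what a CFScript uses, store one ANSI byte per
    character; 'Windows Registry Editor Version 5.00' files store UTF-16LE.
    With utf16=None the encoding is guessed: ASCII text in UTF-16LE has a
    zero byte at every odd offset, ANSI text does not.
    """
    body = reg_value.split(":", 1)[1]
    # Long values are wrapped with trailing backslashes; ignore those and whitespace.
    raw = bytes(int(h, 16) for h in re.split(r"[,\s\\]+", body) if h)
    if utf16 is None:
        utf16 = len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2])
    text = raw.decode("utf-16-le") if utf16 else raw.decode("latin-1")
    # Each string is NUL-terminated and the list ends with one more NUL.
    return [s for s in text.split("\0") if s]


def boot_execute_is_default(reg_value: str) -> bool:
    """True when the value carries nothing but the stock autochk entry."""
    return decode_hex7(reg_value) == DEFAULT_BOOT_EXECUTE


# GMER prints registry findings as:  Reg <key>@<value name> <data>
GMER_REG_LINE = re.compile(r"^Reg\s+(?P<key>\S+)@(?P<name>\S+)\s*(?P<data>.*)$")

# Constructed, abbreviated allow-list of DLLs that legitimately host services
# in the XP 'netsvcs' svchost group; a real check would use a full baseline.
KNOWN_NETSVCS_DLLS = {"wuauserv.dll", "qmgr.dll", "schedsvc.dll", "srvsvc.dll",
                      "shsvcs.dll", "sens.dll", "wmisvc.dll", "cryptsvc.dll"}

SAMPLE_GMER_LINES = [
    # The entries from the GMER log posted in this thread.
    r"Reg HKLM\SYSTEM\ControlSet002\Services\naocj@DisplayName Update Helper",
    r"Reg HKLM\SYSTEM\ControlSet002\Services\naocj@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs",
    r"Reg HKLM\SYSTEM\ControlSet002\Services\naocj\Parameters (not active ControlSet)",
    r"Reg HKLM\SYSTEM\ControlSet002\Services\naocj\Parameters@ServiceDll C:\WINDOWS\system32\iohxpwha.dll",
    # Constructed benign entry for comparison (not from the thread).
    r"Reg HKLM\SYSTEM\ControlSet002\Services\wuauserv@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs",
    r"Reg HKLM\SYSTEM\ControlSet002\Services\wuauserv\Parameters@ServiceDll %SystemRoot%\system32\wuauserv.dll",
]


def parse_gmer_services(lines) -> Dict[str, Dict[str, str]]:
    """Group GMER 'Reg' lines under ...\\Services\\<name> as {name: {value: data}}."""
    services: Dict[str, Dict[str, str]] = {}
    for line in lines:
        m = GMER_REG_LINE.match(line.strip())
        if not m:
            continue  # lines without '@' (bare keys, notes) carry no value
        parts = m.group("key").split("\\")
        lowered = [p.lower() for p in parts]
        if "services" not in lowered:
            continue
        idx = lowered.index("services")
        if idx + 1 >= len(parts):
            continue
        services.setdefault(parts[idx + 1], {})[m.group("name")] = m.group("data").strip()
    return services


def suspicious_svchost_services(services: Dict[str, Dict[str, str]]) -> List[str]:
    """Names of svchost-hosted services whose ServiceDll is not allow-listed."""
    flagged = []
    for name, vals in services.items():
        image = vals.get("ImagePath", "").lower()
        dll = vals.get("ServiceDll", "")
        if "svchost.exe" not in image or not dll:
            continue
        basename = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename not in KNOWN_NETSVCS_DLLS:
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    print("CFScript BootExecute decodes to:", decode_hex7(CFSCRIPT_BOOT_EXECUTE))
    print("matches Windows default:", boot_execute_is_default(CFSCRIPT_BOOT_EXECUTE))
    found = parse_gmer_services(SAMPLE_GMER_LINES)
    for svc in suspicious_svchost_services(found):
        print(f"svchost-hosted service {svc!r} loads {found[svc]['ServiceDll']}")
```

Two things worth noticing when reading the GMER entries this way: a randomly named service key whose ImagePath is the shared svchost netsvcs group but whose ServiceDll is an unknown file directly in system32 is the classic shape of a service-DLL implant, and the Description text it carries ("Stores security information for local user accounts.") is the stock description of the Security Accounts Manager service, not of anything called "Update Helper". The decoder also accepts the UTF-16 form written by newer .reg files, so the same check works on a value exported with regedit.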

godalmighty69
2009-09-13, 22:18
Hi Blade81, please find below fresh ComboFix with CFScript and fresh DDS. And yes, the message on start-up regarding "Ls delete program not found skipping autocheck" is gone; that worked out fine. I will await your next instruction ...

ComboFix 09-09-12.A0 - User 09/13/2009 11:45.6.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.382.184 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript9'13'09.txt
.

((((((((((((((((((((((((( Files Created from 2009-08-13 to 2009-09-13 )))))))))))))))))))))))))))))))
.

2009-09-09 14:15 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-08-31 06:29 . 2009-08-31 06:29 -------- d-----w- C:\$AVG8.VAULT$
2009-08-31 03:24 . 2009-08-31 03:24 -------- d-----w- c:\program files\AVG
2009-08-31 03:24 . 2009-09-03 05:03 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-31 02:02 . 2009-08-31 03:07 68569208 ----a-w- c:\program files\avg_free_stf_en_85_409a1634.exe
2009-08-29 13:26 . 2009-08-29 13:47 -------- d-----w- c:\program files\Spybot
2009-08-28 18:24 . 2009-08-28 18:43 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-28 13:13 . 2009-08-28 13:13 -------- d-sh--w- c:\documents and settings\User\IECompatCache
2009-08-28 13:11 . 2009-08-28 13:11 -------- d-sh--w- c:\documents and settings\User\PrivacIE
2009-08-28 12:28 . 2009-08-28 12:28 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-28 12:22 . 2009-08-28 12:22 -------- d-sh--w- c:\documents and settings\User\IETldCache
2009-08-28 12:18 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-08-28 12:16 . 2009-09-10 08:01 -------- d-----w- c:\windows\ie8updates
2009-08-28 12:15 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-08-28 12:15 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-28 12:07 . 2009-08-28 12:14 -------- dc-h--w- c:\windows\ie8
2009-08-28 11:30 . 2009-08-28 11:33 4153 ----a-w- C:\fix.reg
2009-08-24 05:13 . 2008-10-16 19:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-08-21 14:58 . 2009-08-21 14:58 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-21 14:57 . 2009-08-21 14:57 -------- d-----w- c:\program files\MSBuild
2009-08-21 14:57 . 2009-08-21 14:57 -------- d-----w- c:\program files\Reference Assemblies
2009-08-21 14:54 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-21 14:54 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-21 14:54 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-21 14:54 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-21 14:54 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-21 14:54 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-21 14:54 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-21 14:54 . 2009-08-21 14:55 -------- d-----w- C:\6f6b5f0da4264d87e011e22fee34eb1d
2009-08-18 17:43 . 2009-08-22 16:43 -------- d-----w- c:\documents and settings\User\Application Data\IPublish
2009-08-18 17:43 . 2009-08-18 17:43 -------- d-----w- c:\program files\IPRO Tech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-10 08:12 . 2009-05-25 01:40 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-09 18:23 . 2008-12-09 01:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-09 17:25 . 2008-12-09 01:19 -------- d-----w- c:\program files\Java
2009-08-30 15:44 . 2008-12-18 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-28 18:30 . 2008-12-09 01:13 -------- d-----w- c:\program files\Diskeeper Corporation
2009-08-28 18:26 . 2008-12-16 08:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-08-28 18:26 . 2008-12-16 08:48 -------- d-----w- c:\program files\Yahoo!
2009-08-28 18:23 . 2008-12-08 23:13 -------- d-----w- c:\program files\CONEXANT
2009-08-28 17:59 . 2008-12-08 22:19 33216 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-28 17:45 . 2009-01-19 10:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-28 17:21 . 2009-01-19 10:19 -------- d-----w- c:\program files\Microsoft Works
2009-08-27 03:17 . 2009-04-03 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-27 03:17 . 2009-04-03 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-27 03:15 . 2009-04-03 00:58 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-27 03:14 . 2009-04-03 01:00 -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-08-23 16:05 . 2008-12-18 02:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-23 11:36 . 2009-03-26 21:20 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-22 11:46 . 2008-12-18 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-19 07:02 . 2009-02-19 18:46 -------- d-----w- c:\program files\AVS4YOU
2009-08-14 05:50 . 2009-06-30 06:11 24192 ----a-w- c:\documents and settings\User\usbsermptxp.sys
2009-08-14 05:50 . 2009-06-30 06:11 22768 ----a-w- c:\documents and settings\User\usbsermpt.sys
2009-08-05 11:50 . 2009-01-12 01:52 -------- d-----w- c:\program files\Google
2009-08-05 10:40 . 2008-12-22 19:30 -------- d-----w- c:\program files\HP
2009-08-05 09:01 . 2004-08-10 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-31 18:52 . 2008-12-20 20:09 -------- d-----w- c:\documents and settings\User\Application Data\eFax Messenger
2009-07-31 12:47 . 2009-07-31 12:47 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-07-31 12:47 . 2009-07-31 12:47 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-07-21 06:16 . 2009-07-20 14:59 5936 ----a-w- c:\documents and settings\User\mqdmwhnt.sys
2009-07-21 06:16 . 2009-07-20 14:59 79328 ----a-w- c:\documents and settings\User\mqdmserd.sys
2009-07-21 06:16 . 2009-07-20 14:59 92064 ----a-w- c:\documents and settings\User\mqdmmdm.sys
2009-07-21 06:16 . 2009-07-20 14:59 9232 ----a-w- c:\documents and settings\User\mqdmmdfl.sys
2009-07-21 06:16 . 2009-07-20 14:59 4048 ----a-w- c:\documents and settings\User\mqdmcr.sys
2009-07-21 06:16 . 2009-07-20 14:59 6208 ----a-w- c:\documents and settings\User\mqdmcmnt.sys
2009-07-21 06:16 . 2009-07-20 14:59 66656 ----a-w- c:\documents and settings\User\mqdmbus.sys
2009-07-20 18:41 . 2009-06-30 06:11 22768 ----a-w- c:\windows\system32\drivers\usbsermpt.sys
2009-07-17 19:01 . 2004-08-10 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 15:08 . 2004-08-10 12:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-10 12:00 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-10 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-10 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-10 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-10 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-10 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-10 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 21:17 . 2009-06-24 21:16 8815552 ----a-w- c:\program files\windows-kb890830-v2.11.exe
2009-06-24 18:58 . 2009-06-24 18:58 714136 ----a-w- c:\program files\JavaScript SunMicrosystems.exe
2009-06-24 11:18 . 2004-08-10 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-10 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-10 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-05-29 15:34 . 2009-05-29 13:27 331805736 ----a-w- c:\program files\WindowsXP-KB936929-SP3-x86-ENU.exe
2009-05-25 01:39 . 2009-05-25 01:39 4909440 ----a-w- c:\program files\Silverlight.2.0.exe
2009-02-19 18:50 . 2009-02-19 18:50 53518 ----a-w- c:\program files\11-13-07_1501.3g2
2009-02-19 18:46 . 2009-02-19 18:45 52307672 ----a-w- c:\program files\AVSVideoConverter.exe
2008-12-20 20:08 . 2008-12-20 20:03 5166072 ----a-w- c:\program files\msgrplus.exe
2008-12-13 01:11 . 2008-12-13 01:10 123 ----a-w- c:\program files\ALLTEL Internet Accelerator Client setup.log
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-09 149280]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^eFax 4.4.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\eFax 4.4.lnk
backup=c:\windows\pss\eFax 4.4.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=c:\windows\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Alltel\\QuickLink Mobile\\QuickLink Mobile.exe"=
"c:\\Program Files\\mobile PhoneTools\\mPhonetools.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 0 (0x0)
"AllowInboundMaskRequest"= 0 (0x0)
"AllowInboundRouterRequest"= 0 (0x0)
"AllowOutboundDestinationUnreachable"= 0 (0x0)
"AllowOutboundSourceQuench"= 0 (0x0)
"AllowOutboundParameterProblem"= 0 (0x0)
"AllowOutboundTimeExceeded"= 0 (0x0)
"AllowRedirect"= 0 (0x0)
"AllowOutboundPacketTooBig"= 0 (0x0)

R3 PTDLBus;PANTECH UM175AL Composite Device Driver;c:\windows\system32\drivers\PTDLBus.sys [5/19/2009 6:53 PM 32256]
R3 PTDLMdm;PANTECH UM175AL Drivers;c:\windows\system32\drivers\PTDLMdm.sys [5/19/2009 6:53 PM 41344]
R3 PTDLVsp;PANTECH UM175AL Diagnostic Port;c:\windows\system32\drivers\PTDLVsp.sys [5/19/2009 6:53 PM 39936]
R3 PTDLWWAN;PANTECH UM175AL WWAN Driver;c:\windows\system32\drivers\PTDLWWAN.sys [5/19/2009 6:53 PM 59776]
S3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);c:\windows\system32\drivers\cmo_bus.sys [12/11/2008 2:17 PM 58352]
S3 cmo_mdfl;Data Modem @ CDMA Filter;c:\windows\system32\drivers\cmo_mdfl.sys [12/11/2008 2:17 PM 8304]
S3 cmo_mdm;Data Modem @ CDMA Drivers;c:\windows\system32\drivers\cmo_mdm.sys [12/11/2008 2:17 PM 93904]
S3 cmo_serd;Data Modem @ CDMA Diagnostic Serial Port (WDM);c:\windows\system32\drivers\cmo_serd.sys [12/11/2008 2:17 PM 73696]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys --> c:\windows\system32\DRIVERS\ewusbnet.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-13 12:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1935655697-1682526488-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2512)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
.
Completion time: 2009-09-13 12:11
ComboFix-quarantined-files.txt 2009-09-13 17:11
ComboFix2.txt 2009-09-11 15:07
ComboFix3.txt 2009-09-10 02:23
ComboFix4.txt 2009-09-09 17:55
ComboFix5.txt 2009-09-13 16:43

Pre-Run: 20,232,593,408 bytes free
Post-Run: 20,204,486,656 bytes free

211 --- E O F --- 2009-09-10 08:06




DDS (Ver_09-07-30.01) - NTFSx86
Run by User at 12:20:38.64 on Sun 09/13/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.382.141 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot\spybot~1\SDHelper.dll
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4}
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237576612728
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1243147641750
DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxsrvc.dll
LSA: Authentication Packages = msv1_0 nwprovau

============= SERVICES / DRIVERS ===============

R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
R3 PTDLBus;PANTECH UM175AL Composite Device Driver;c:\windows\system32\drivers\PTDLBus.sys [2009-5-19 32256]
R3 PTDLMdm;PANTECH UM175AL Drivers;c:\windows\system32\drivers\PTDLMdm.sys [2009-5-19 41344]
R3 PTDLVsp;PANTECH UM175AL Diagnostic Port;c:\windows\system32\drivers\PTDLVsp.sys [2009-5-19 39936]
R3 PTDLWWAN;PANTECH UM175AL WWAN Driver;c:\windows\system32\drivers\PTDLWWAN.sys [2009-5-19 59776]
S3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);c:\windows\system32\drivers\cmo_bus.sys [2008-12-11 58352]
S3 cmo_mdfl;Data Modem @ CDMA Filter;c:\windows\system32\drivers\cmo_mdfl.sys [2008-12-11 8304]
S3 cmo_mdm;Data Modem @ CDMA Drivers;c:\windows\system32\drivers\cmo_mdm.sys [2008-12-11 93904]
S3 cmo_serd;Data Modem @ CDMA Diagnostic Serial Port (WDM);c:\windows\system32\drivers\cmo_serd.sys [2008-12-11 73696]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys --> c:\windows\system32\drivers\ewusbnet.sys [?]

============== File Associations ===============

VBSFile=%WINDIR%\System32\CScript.exe //nologo "%1" %*

=============== Created Last 30 ================

2009-09-09 13:23 73,728 a------- c:\windows\system32\javacpl.cpl
2009-09-09 11:39 230,912 a------- c:\windows\PEV.exe
2009-09-09 11:39 161,792 a------- c:\windows\SWREG.exe
2009-09-09 11:39 98,816 a------- c:\windows\sed.exe
2009-09-09 09:15 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-08-31 01:29 <DIR> --d----- C:\$AVG8.VAULT$
2009-08-30 22:24 <DIR> --d----- c:\program files\AVG
2009-08-30 22:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-08-30 21:02 68,569,208 a------- c:\program files\avg_free_stf_en_85_409a1634.exe
2009-08-30 17:51 <DIR> a-dshr-- C:\cmdcons
2009-08-29 08:26 <DIR> --d----- c:\program files\Spybot
2009-08-28 13:24 <DIR> --d----- c:\windows\SxsCaPendDel
2009-08-28 08:13 <DIR> --dsh--- c:\documents and settings\user\IECompatCache
2009-08-28 08:11 <DIR> --dsh--- c:\documents and settings\user\PrivacIE
2009-08-28 07:22 <DIR> --dsh--- c:\documents and settings\user\IETldCache
2009-08-28 07:18 100,352 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-08-28 07:16 <DIR> --d----- c:\windows\ie8updates
2009-08-28 07:15 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-08-28 07:15 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-08-28 07:07 <DIR> -cd-h--- c:\windows\ie8
2009-08-28 06:30 4,153 a------- C:\fix.reg
2009-08-24 00:13 268,648 a------- c:\windows\system32\mucltui.dll
2009-08-24 00:13 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-08-22 06:31 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-08-21 09:58 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-21 09:54 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-21 09:54 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-21 09:54 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-21 09:54 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-21 09:54 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-21 09:54 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-08-21 09:54 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-21 09:54 <DIR> --d----- C:\6f6b5f0da4264d87e011e22fee34eb1d
2009-08-18 12:43 <DIR> --d----- c:\docume~1\user\applic~1\IPublish
2009-08-18 12:43 377 a------- c:\windows\ipublish.ini
2009-08-18 12:43 <DIR> --d----- c:\program files\IPRO Tech

==================== Find3M ====================

2009-09-09 13:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-14 00:50 24,192 a------- c:\documents and settings\user\usbsermptxp.sys
2009-08-14 00:50 22,768 a------- c:\documents and settings\user\usbsermpt.sys
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-31 07:47 499,712 a------- c:\windows\system32\msvcp71.dll
2009-07-31 07:47 348,160 a------- c:\windows\system32\msvcr71.dll
2009-07-21 01:16 5,936 a------- c:\documents and settings\user\mqdmwhnt.sys
2009-07-21 01:16 79,328 a------- c:\documents and settings\user\mqdmserd.sys
2009-07-21 01:16 92,064 a------- c:\documents and settings\user\mqdmmdm.sys
2009-07-21 01:16 9,232 a------- c:\documents and settings\user\mqdmmdfl.sys
2009-07-21 01:16 4,048 a------- c:\documents and settings\user\mqdmcr.sys
2009-07-21 01:16 6,208 a------- c:\documents and settings\user\mqdmcmnt.sys
2009-07-21 01:16 66,656 a------- c:\documents and settings\user\mqdmbus.sys
2009-07-20 13:41 22,768 a------- c:\windows\system32\drivers\usbsermpt.sys
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 12:09 915,456 -------- c:\windows\system32\wininet.dll
2009-06-25 03:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 03:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 03:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 03:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 03:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 03:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-24 16:17 8,815,552 a------- c:\program files\windows-kb890830-v2.11.exe
2009-06-24 13:58 714,136 a------- c:\program files\JavaScript SunMicrosystems.exe
2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-05-29 10:34 331,805,736 a------- c:\program files\WindowsXP-KB936929-SP3-x86-ENU.exe
2009-05-24 20:39 4,909,440 a------- c:\program files\Silverlight.2.0.exe
2009-02-19 13:50 53,518 a------- c:\program files\11-13-07_1501.3g2
2009-02-19 13:46 52,307,672 a------- c:\program files\AVSVideoConverter.exe
2008-12-20 15:08 5,166,072 a------- c:\program files\msgrplus.exe
2008-12-12 20:11 123 a------- c:\program files\ALLTEL Internet Accelerator Client setup.log
2009-05-29 12:49 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009052920090530\index.dat

============= FINISH: 12:21:28.06 ===============
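
The ComboFix tail and the DDS report above show the entry shapes a helper triages first: a URLSearchHook reported as "No File", a DPF (ActiveX download) record with no source URL, and a driver service whose image is printed as missing ("path --> path [?]"). The Python below is an added example, not part of the thread or of either tool; it applies those checks to a sample made of lines quoted from the DDS report plus two constructed lines that are not in the posted logs (an orphaned O2 BHO with a placeholder CLSID, and an autorun under the user profile). The trusted-path list and the rule names are the example's own assumptions; a hit is a candidate for review, not a verdict.

```python
"""Triage of DDS / ComboFix report lines (added example, not from the thread).

Checks, in order:
  orphan               - BHO / Toolbar / URLSearchHook entry whose file is gone
                         ("No File" in DDS, "(no file)" in HijackThis style)
  dpf_no_source        - DPF (Downloaded Program Files, i.e. ActiveX) entry
                         with no download URL to attribute it to
  driver_image_missing - service registered but the .sys is not on disk
                         (ComboFix/DDS print "path --> path [?]")
  autorun_unusual_path - mRun/uRun/O4 autostart launching from outside
                         Program Files / Windows (assumption: unusual on a
                         home XP box, not proof of malware)
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    category: str
    line: str
    reason: str


# Example's own assumption: where a legitimate XP autorun normally lives
# (lower-cased; 8.3 short names included because DDS prints them that way).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\", "%windir%\\")

ORPHAN_RE = re.compile(r"\(no file\)|\bno file\b", re.IGNORECASE)
DPF_NO_URL_RE = re.compile(r"^DPF:\s*\{[0-9A-F-]+\}\s*$", re.IGNORECASE)
DRIVER_MISSING_RE = re.compile(r"^[RS]\d .*-->.*\[\?\]$")
AUTORUN_RE = re.compile(r"^(?:[um]Run:|O4 - )", re.IGNORECASE)
AUTORUN_PATH_RE = re.compile(r'\]\s*"?([^"]+?\.(?:exe|scr|com|dll|bat|vbs))', re.IGNORECASE)

# Sample input: lines quoted from the DDS report in this thread, plus two
# CONSTRUCTED lines that are not in the posted logs: the "O2 - BHO" line
# (placeholder CLSID) and the "[Updater]" mRun line.
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.yahoo.com/
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Updater] c:\docume~1\user\applic~1\updater.exe
DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys --> c:\windows\system32\drivers\ewusbnet.sys [?]
R3 PTDLBus;PANTECH UM175AL Composite Device Driver;c:\windows\system32\drivers\PTDLBus.sys [2009-5-19 32256]
"""


def triage_line(line: str) -> Optional[Finding]:
    """Classify one report line; None means nothing worth a second look."""
    line = line.rstrip()
    if not line:
        return None
    if ORPHAN_RE.search(line):
        return Finding("orphan", line, "registry entry whose target file no longer exists")
    if DPF_NO_URL_RE.match(line):
        return Finding("dpf_no_source", line, "ActiveX download record with no source URL")
    if DRIVER_MISSING_RE.match(line):
        return Finding("driver_image_missing", line, "service registered but driver file not on disk")
    if AUTORUN_RE.match(line):
        m = AUTORUN_PATH_RE.search(line)
        if m and not m.group(1).lower().startswith(TRUSTED_PREFIXES):
            return Finding("autorun_unusual_path", line, f"autorun launches from {m.group(1)!r}")
    return None


def triage(report: str) -> list[Finding]:
    """Run triage_line over a whole report and keep the hits."""
    return [f for f in (triage_line(l) for l in report.splitlines()) if f]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.category}] {f.reason}\n    {f.line}")
    print(summarize(triage(SAMPLE_REPORT)))
```

Run it against a real DDS or ComboFix log by reading the file into `triage()`; the categories are starting points for the questions a helper asks next (was this software uninstalled, does the vendor's CAB exist, is the device still attached), not removal instructions.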

Blade81
2009-09-14, 17:41
Well congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis.




Now let's uninstall ComboFix:

Click START then RUN
Now copy-paste Combofix /u into the Run box and click OK.


Next we remove all used tools.

Please download OTC (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.

Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.


hosts file:
Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button (at the lower left hand corner of your screen), click Run, and in the dialog box type services.msc and hit Enter. Locate DNS Client, highlight it, then double-click it. In the dropdown box, change the setting from Automatic to Manual. Click OK.
Get Antivirus Software and keep it updated - Most AVs will update automatically, but if not, I would recommend making updating the AV the first job every time the PC is connected to the internet. An AV that is using defs that are seven days old is not going to be much protection. If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. Good free antivirus programs are:
Antivir (http://free-av.com/en/download/1/download_avira_antivir_personal__free_antivirus.html)
Avast! (http://www.avast.com/eng/download-avast-home.html)
Good commercial ones are from:
Kaspersky (http://www.kaspersky.com/homeuser) and
ESET (http://www.eset.com/products/index.php)
Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free (http://www.tallemu.com/free-firewall-protection-software.html) or Comodo Firewall Pro (http://www.personalfirewall.comodo.com/download_firewall.html#fw3.0) (If you choose Comodo: uncheck during installation "Install Comodo HopSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage", and install the firewall ONLY!). Both providers have support forums that help with configuration related questions.



Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
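
The Internet Explorer steps in the post above map one-to-one onto DWORD values under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (zone 3 is the Internet zone the post has you highlight). The Python below is an added example, not part of Blade81's post: it parses a regedit export of that key, compares the six settings the post names against the recommended values, and writes the correction as a .reg fragment you could import. The URL action IDs (1001, 1004, 1201, 1800, 1804, 1607) and the encoding 0 = Enable, 1 = Prompt, 3 = Disable are Microsoft's documented ones; the sample export is constructed for the example and deliberately leaves some settings at Enable and one absent.

```python
"""Audit an exported Internet zone (.reg) against the post's IE hardening.

Added example, not from the thread. Export the key with
  reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg
then feed the file to parse_zone_values().
"""
from __future__ import annotations

import re

# Microsoft's URL action encoding for zone settings.
ENABLE, PROMPT, DISABLE = 0, 1, 3

# The six settings the post asks for, keyed by documented URL action ID.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}
ZONE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# CONSTRUCTED export for the example (not from the thread): two of the six
# settings are still at Enable (1800, 1607) and one (1804) is absent.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000003
"1201"=dword:00000003
"1800"=dword:00000000
"1607"=dword:00000000
"""

DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_zone_values(reg_text: str, key: str = ZONE_KEY) -> dict[str, int]:
    """Return {value_name: int} for the DWORDs under `key` in a .reg export."""
    values: dict[str, int] = {}
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        m = DWORD_RE.match(line) if in_key else None
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def audit(values: dict[str, int]) -> list[tuple[str, str, int | None, int]]:
    """List (action_id, name, current, recommended) for settings weaker than
    recommended. current is None when the value is absent from the export;
    IE then applies the zone template default, so verify that one in the UI."""
    report = []
    for action_id, (name, wanted) in RECOMMENDED.items():
        current = values.get(action_id)
        # Lower number = more permissive: 0 Enable < 1 Prompt < 3 Disable.
        if current is None or current < wanted:
            report.append((action_id, name, current, wanted))
    return report


def fix_reg(report, key: str = ZONE_KEY) -> str:
    """Build a .reg fragment that sets every reported action to its recommended value."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{key}]"]
    lines += [f'"{action_id}"=dword:{wanted:08x}' for action_id, _n, _c, wanted in report]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    findings = audit(parse_zone_values(SAMPLE_EXPORT))
    for action_id, name, current, wanted in findings:
        shown = "not set" if current is None else current
        print(f"{action_id} {name}: {shown} -> {wanted}")
    print(fix_reg(findings))
```

The numeric comparison works because the three values are ordered by permissiveness; a setting already at Disable where the post asks for Prompt is left alone, since it is stricter, not weaker.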

Blade81
2009-09-21, 19:56
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.