
Thread: Spybot not updating

  1. #1
    Member
    Join Date
    Jul 2009
    Location
    Dubai
    Posts
    35

    Spybot not updating

    I am having problems updating Spybot. Whenever I try to update ... it keeps giving a message saying "error retrieving update file". I cannot even open the safer-network website to download the latest updates and definitions.

    *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 05:36:42, on 29/07/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Etisalat Modem Protector\ModemProtectorService.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Etisalat Modem Protector\Modem Protector.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
    C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com...r/fix_homepage
    O1 - Hosts: # Copyright (c) 1993-1999 Microsoft Corp.
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Etisalat Modem Protector] C:\Program Files\Etisalat Modem Protector\Modem Protector.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
    O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\WECPUpdate.exe -s
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA6511] command /c del "C:\WINDOWS\SchedLgU.Txt"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC3094] cmd /c del "C:\WINDOWS\SchedLgU.Txt"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
    O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\RunOnce: [SpybotDeletingB951] command /c del "C:\WINDOWS\SchedLgU.Txt"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD2868] cmd /c del "C:\WINDOWS\SchedLgU.Txt"
    O4 - HKLM\..\Policies\Explorer\Run: [] 
    O4 - HKUS\S-1-5-19\..\RunOnce: [] (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [] (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')
    O4 - S-1-5-18 Startup: Shortcut to Local Area Connection.lnk = ? (User 'SYSTEM')
    O4 - .DEFAULT Startup: Shortcut to Local Area Connection.lnk = ? (User 'Default user')
    O4 - Startup: Shortcut to Local Area Connection.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1226583123390
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O21 - SSODL: InternetConnection - {B1A95BA3-3827-4F63-A75E-009E2B48A48F} - (no file)
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Modem Protector service (ModemProtectorService) - Unknown owner - C:\Program Files\Etisalat Modem Protector\ModemProtectorService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

    --
    End of file - 7914 bytes

  2. #2
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Hi Elvis316

    To access the Uninstall Manager you would do the following:

    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.

    You will now be presented with a screen similar to the one below:



    5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, Notepad will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3
    Member
    Join Date
    Jul 2009
    Location
    Dubai
    Posts
    35


    7-Zip 4.57
    Acrobat.com
    Acrobat.com
    Adobe AIR
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.1.2
    AppCore
    Ares 2.1.1
    ATI - Software Uninstall Utility
    ATI Parental Control
    Backspin Billiards
    ccCommon
    Component Framework
    Conexant D850 56K V.9x DFVc Modem
    Data Lifeguard Diagnostic for Windows
    Dell Resource CD
    DivX Codec
    DivX Converter
    DivX Player
    DivX Plus DirectShow Filters
    DivX Web Player
    DVD Suite
    ERUNT 1.1j
    getPlus(R) for Adobe
    High Definition Audio Driver Package - KB835221
    HijackThis 2.0.2
    Hotfix for Windows XP (KB952287)
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PRO Network Connections Drivers
    Java(TM) 6 Update 13
    LiveUpdate (Symantec Corporation)
    LiveUpdate (Symantec Corporation)
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft Office Professional Edition 2003
    Microsoft Visual C++ 2005 Redistributable
    Modem Protector - Stops your PC calling unwanted numbers
    Mozilla Firefox (3.0.12)
    MSN
    MSVC80_x86
    MSXML 4.0 SP2 (KB954430)
    Nero 7 Essentials
    neroxml
    Nokia Connectivity Cable Driver
    Nokia PC Suite
    Nokia PC Suite
    Nokia Software Updater
    Norton AntiVirus
    Norton AntiVirus Help
    Norton AntiVirus Online (Symantec Corporation)
    Norton Protection Center
    PC Connectivity Solution
    PowerDVD
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB960714)
    SigmaTel Audio
    SPBBC 32bit
    Spybot - Search & Destroy
    Update for Windows XP (KB955839)
    VC80CRTRedist - 8.0.50727.762
    Winamp
    Windows Driver Package - Nokia Modem (05/22/2008 3.8)
    Windows Driver Package - Nokia Modem (05/22/2008 7.00.0.1)
    Windows Driver Package - Nokia Modem (06/01/2009 4.1)
    Windows Driver Package - Nokia Modem (06/01/2009 7.01.0.3)
    Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
    Windows Essentials Media Codec Pack 2.2
    Windows Media Format Runtime
    Windows XP Service Pack 3
    Xvid 1.1.3 final uninstall

  4. #4
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    As per forum rules, all P2P programs have to be uninstalled (link).

    So please uninstall Ares 2.1.1 and post back a fresh uninstall list afterwards.

  5. #5
    Member
    Join Date
    Jul 2009
    Location
    Dubai
    Posts
    35


    Done !!



    7-Zip 4.57
    Acrobat.com
    Acrobat.com
    Adobe AIR
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.1.2
    AppCore
    ATI - Software Uninstall Utility
    ATI Parental Control
    Backspin Billiards
    ccCommon
    Component Framework
    Conexant D850 56K V.9x DFVc Modem
    Data Lifeguard Diagnostic for Windows
    Dell Resource CD
    DivX Codec
    DivX Converter
    DivX Player
    DivX Plus DirectShow Filters
    DivX Web Player
    DVD Suite
    ERUNT 1.1j
    getPlus(R) for Adobe
    High Definition Audio Driver Package - KB835221
    HijackThis 2.0.2
    Hotfix for Windows XP (KB952287)
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PRO Network Connections Drivers
    Java(TM) 6 Update 13
    LiveUpdate (Symantec Corporation)
    LiveUpdate (Symantec Corporation)
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft Office Professional Edition 2003
    Microsoft Visual C++ 2005 Redistributable
    Modem Protector - Stops your PC calling unwanted numbers
    Mozilla Firefox (3.0.12)
    MSN
    MSVC80_x86
    MSXML 4.0 SP2 (KB954430)
    Nero 7 Essentials
    neroxml
    Nokia Connectivity Cable Driver
    Nokia PC Suite
    Nokia PC Suite
    Nokia Software Updater
    Norton AntiVirus
    Norton AntiVirus Help
    Norton AntiVirus Online (Symantec Corporation)
    Norton Protection Center
    PC Connectivity Solution
    PowerDVD
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB960714)
    SigmaTel Audio
    SPBBC 32bit
    Spybot - Search & Destroy
    Update for Windows XP (KB955839)
    VC80CRTRedist - 8.0.50727.762
    Winamp
    Windows Driver Package - Nokia Modem (05/22/2008 3.8)
    Windows Driver Package - Nokia Modem (05/22/2008 7.00.0.1)
    Windows Driver Package - Nokia Modem (06/01/2009 4.1)
    Windows Driver Package - Nokia Modem (06/01/2009 7.01.0.3)
    Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
    Windows Essentials Media Codec Pack 2.2
    Windows Media Format Runtime
    Windows XP Service Pack 3
    Xvid 1.1.3 final uninstall

  6. #6
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Download gmer.zip and save to your desktop.
    alternate download site
    • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
    • When you have done this, disconnect from the Internet and close all running programs.
      There is a small chance this application may crash your computer so save any work you have open.
    • Double-click on Gmer.exe to start the program.
    • Allow the gmer.sys driver to load if asked.
    • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
    • Click on the Rootkit tab.
    • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
    • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
    • Click on the "Scan" and wait for the scan to finish.
      Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
    • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
    • Note: If you have any problems, try running GMER in SAFE MODE.

    Important! Please do not select the "Show all" checkbox during the scan.

  7. #7
    Member
    Join Date
    Jul 2009
    Location
    Dubai
    Posts
    35


    Here we go !!! Hope this is the right thing you're looking for !!!


    *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

    GMER 1.0.15.15011 [gmer.exe] - http://www.gmer.net
    Rootkit scan 2009-08-01 17:36:33
    Windows 5.1.2600 Service Pack 3


    ---- System - GMER 1.0.15 ----

    SSDT 82748720 ZwAlertResumeThread
    SSDT 827487E0 ZwAlertThread
    SSDT 81CEC290 ZwAllocateVirtualMemory
    SSDT 82774F40 ZwConnectPort
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xAAB5C020]
    SSDT 827484D0 ZwCreateMutant
    SSDT 81CEC420 ZwCreateThread
    SSDT 827481D0 ZwDebugActiveProcess
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xAAB5C2A0]
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xAAB5C800]
    SSDT spqy.sys ZwEnumerateKey [0xF8415CA2]
    SSDT spqy.sys ZwEnumerateValueKey [0xF8416030]
    SSDT 82748F38 ZwFreeVirtualMemory
    SSDT 827485A0 ZwImpersonateAnonymousToken
    SSDT 82748660 ZwImpersonateThread
    SSDT 82748E58 ZwMapViewOfSection
    SSDT 82748410 ZwOpenEvent
    SSDT spqy.sys ZwOpenKey [0xF83F80C0]
    SSDT 81CEC360 ZwOpenProcessToken
    SSDT 82748290 ZwOpenSection
    SSDT 82748BF8 ZwOpenThreadToken
    SSDT spqy.sys ZwQueryKey [0xF8416108]
    SSDT spqy.sys ZwQueryValueKey [0xF8415F88]
    SSDT 81CEED58 ZwResumeThread
    SSDT 82748B38 ZwSetContextThread
    SSDT 82748CC8 ZwSetInformationProcess
    SSDT 82748A68 ZwSetInformationThread
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xAAB5CA50]
    SSDT 82748350 ZwSuspendProcess
    SSDT 827488E8 ZwSuspendThread
    SSDT 81CEC678 ZwTerminateProcess
    SSDT 827489A8 ZwTerminateThread
    SSDT 82748D98 ZwUnmapViewOfSection
    SSDT 82748008 ZwWriteVirtualMemory

    INT 0x62 ? 82DE1BF8
    INT 0x63 ? 82DE1BF8
    INT 0x84 ? 82C49BF8
    INT 0x94 ? 82C49BF8
    INT 0xA4 ? 82C49BF8
    INT 0xB4 ? 82C49BF8

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwCallbackReturn + 275D 80501F95 3 Bytes CALL E6D29422
    ? spqy.sys The system cannot find the file specified. !
    .text USBPORT.SYS!DllUnload F80468AC 3 Bytes JMP 82C491D8
    .text USBPORT.SYS!DllUnload + 4 F80468B0 1 Byte [8A]
    .text a52pttsq.SYS F7DA6384 1 Byte [20]
    .text a52pttsq.SYS F7DA6384 37 Bytes [20, 00, 00, 68, 00, 00, 00, ...]
    .text a52pttsq.SYS F7DA63AA 24 Bytes [00, 00, 20, 00, 00, E0, 00, ...]
    .text a52pttsq.SYS F7DA63C4 3 Bytes [00, 00, 00]
    .text a52pttsq.SYS F7DA63C9 1 Byte [00]
    .text ...
    ? C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mc23.tmp The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Documents and Settings\Administrator\Desktop\gmer.exe[400] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F040F5A
    .text C:\Documents and Settings\Administrator\Desktop\gmer.exe[400] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 5F00003D
    .text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[788] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\hkcmd.exe[812] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\igfxpers.exe[820] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 5F00003D
    .text C:\Program Files\Etisalat Modem Protector\Modem Protector.exe[1816] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\Explorer.EXE[2044] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\ctfmon.exe[2568] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\ctfmon.exe[2568] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 5F00003D
    .text C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe[2688] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe[2688] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 5F00003D
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2712] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2712] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 5F00003D
    .text C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe[3220] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 5F00003D
    .text C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe[3340] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 5F00003D
    .text C:\Program Files\PC Connectivity Solution\ServiceLayer.exe[3728] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 5F00003D
    .text C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe[3876] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 5F00003D

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F83F9040] spqy.sys
    IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F83F913C] spqy.sys
    IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F83F90BE] spqy.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F83F97FC] spqy.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F83F96D2] spqy.sys
    IAT \SystemRoot\System32\Drivers\a52pttsq.SYS[HAL.dll!KfAcquireSpinLock] 000000AD
    IAT \SystemRoot\System32\Drivers\a52pttsq.SYS[HAL.dll!READ_PORT_UCHAR] 000000D4
    IAT \SystemRoot\System32\Drivers\a52pttsq.SYS[HAL.dll!KeGetCurrentIrql] 000000A2
    IAT \SystemRoot\System32\Drivers\a52pttsq.SYS[HAL.dll!KfRaiseIrql] 000000AF
    IAT \SystemRoot\System32\Drivers\a52pttsq.SYS[HAL.dll!KfLowerIrql] 0000009C
    IAT \SystemRoot\System32\Drivers\a52pttsq.SYS[HAL.dll!HalGetInterruptVector] 000000A4
    IAT \SystemRoot\System32\Drivers\a52pttsq.SYS[HAL.dll!HalTranslateBusAddress] 00000072
    IAT \SystemRoot\System32\Drivers\a52pttsq.SYS[HAL.dll!KeStallExecutionProcessor] 000000C0
    IAT \SystemRoot\System32\Drivers\a52pttsq.SYS[HAL.dll!KfReleaseSpinLock] 000000B7
    IAT \SystemRoot\System32\Drivers\a52pttsq.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 000000FD
    IAT \SystemRoot\System32\Drivers\a52pttsq.SYS[HAL.dll!READ_PORT_USHORT] 00000093
    IAT \SystemRoot\System32\Drivers\a52pttsq.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 00000026
    IAT \SystemRoot\System32\Drivers\a52pttsq.SYS[HAL.dll!WRITE_PORT_UCHAR] 00000036
    IAT \SystemRoot\System32\Drivers\a52pttsq.SYS[WMILIB.SYS!WmiSystemControl] 000000F7
    IAT \SystemRoot\System32\Drivers\a52pttsq.SYS[WMILIB.SYS!WmiCompleteRequest] 000000CC

    ---- Devices - GMER 1.0.15 ----

    Device 82DE01F8
    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
    Device FFA001F8
    Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \Driver\sptd \Device\361543518 spqy.sys
    Device \Driver\sptd \Device\361543518 spqy.sys
    Device \Driver\usbuhci \Device\USBPDO-0 82BEB500
    Device \Driver\dmio \Device\DmControl\DmIoDaemon 82D741F8
    Device \Driver\dmio \Device\DmControl\DmConfig 82D741F8
    Device \Driver\dmio \Device\DmControl\DmPnP 82D741F8
    Device \Driver\dmio \Device\DmControl\DmInfo 82D741F8
    Device \Driver\usbehci \Device\USBPDO-1 82BC9500
    Device \Driver\usbuhci \Device\USBPDO-2 82BEB500
    Device \Driver\usbuhci \Device\USBPDO-3 82BEB500
    Device \Driver\PCI_PNP2268 \Device\00000054 spqy.sys
    Device \Driver\PCI_PNP2268 \Device\00000054 spqy.sys
    Device \Driver\usbuhci \Device\USBPDO-4 82BEB500

    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \Driver\USBSTOR \Device\00000071 827361F8
    Device \Driver\Ftdisk \Device\HarddiskVolume1 82DE21F8
    Device \Driver\Ftdisk \Device\HarddiskVolume2 82DE21F8
    Device \Driver\Cdrom \Device\CdRom0 82BD7500
    Device \Driver\USBSTOR \Device\00000072 827361F8
    Device \Driver\Cdrom \Device\CdRom1 82BD7500
    Device \Driver\Ftdisk \Device\HarddiskVolume3 82DE21F8
    Device \Driver\Ftdisk \Device\HarddiskVolume4 82DE21F8
    Device \Driver\Cdrom \Device\CdRom2 82BD7500
    Device \Driver\Ftdisk \Device\HarddiskVolume5 82DE21F8
    Device \Driver\NetBT \Device\NetBt_Wins_Export 82B92500
    Device \Driver\NetBT \Device\NetbiosSmb 82B92500

    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \Driver\usbuhci \Device\USBFDO-0 82BEB500
    Device \Driver\usbuhci \Device\USBFDO-1 82BEB500
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 81CEA1F8
    Device \Driver\usbuhci \Device\USBFDO-2 82BEB500
    Device 81CEA1F8
    Device \Driver\usbuhci \Device\USBFDO-3 82BEB500
    Device \Driver\usbehci \Device\USBFDO-4 82BC9500
    Device \Driver\Ftdisk \Device\FtControl 82DE21F8
    Device \Driver\a52pttsq \Device\Scsi\a52pttsq1Port3Path0Target0Lun0 82BD0500
    Device \Driver\a52pttsq \Device\Scsi\a52pttsq1 82BD0500

    AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xAE 0x98 0xAE 0x7D ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xA4 0xAB 0xB8 0x77 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x39 0xE0 0xB9 0xEE ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xAE 0x98 0xAE 0x7D ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xA4 0xAB 0xB8 0x77 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xBF 0x91 0xED 0xF7 ...
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xAE 0x98 0xAE 0x7D ...
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xA4 0xAB 0xB8 0x77 ...
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x1D 0xEF 0x70 0x92 ...
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{ECCEE0F8-2389-DBF0-CD44-27A089191EA6}

    ---- EOF - GMER 1.0.15 ----

  8. #8
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper


    http://www.bleepingcomputer.com/comb...o-use-combofix

    Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    If you need help to disable your protection programs see here.

    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  9. #9
    Member
    Join Date
    Jul 2009
    Location
    Dubai
    Posts
    35

    Default

    Okay ... here you go ... log files of ComboFix and HijackThis.

    *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
    ComboFix Log

    ComboFix 09-07-31.04 - Administrator 01/08/2009 19:53.1.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.502.211 [GMT 4:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    AV: Norton AntiVirus Online *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton AntiVirus Online *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
    .
    The following files were disabled during the run:
    c:\program files\Etisalat Modem Protector\RasHookAPI.dll


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\c.cgm
    c:\documents and settings\All Users\Application Data\Microsoft\Protect\track.sys
    C:\resycled
    c:\resycled\boot.com
    c:\windows\Installer\a8189.msi
    c:\windows\jestertb.dll
    I:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2009-07-01 to 2009-08-01 )))))))))))))))))))))))))))))))
    .

    2009-07-29 01:35 . 2009-07-29 01:35 -------- d-----w- c:\program files\Trend Micro
    2009-07-29 01:34 . 2009-07-29 01:34 -------- d-----w- c:\program files\ERUNT
    2009-07-27 01:23 . 2009-07-28 01:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-07-20 08:54 . 2009-07-20 08:54 737280 ----a-w- c:\windows\iun6002.exe
    2009-07-20 08:54 . 2009-07-20 08:54 -------- d-----w- c:\program files\BFG
    2009-07-19 18:37 . 2009-07-19 18:37 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
    2009-07-18 15:57 . 2009-07-19 18:41 -------- d-----w- c:\program files\GameShadow
    2009-07-18 15:52 . 2005-05-26 11:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
    2009-07-16 01:56 . 2009-07-16 01:56 -------- d-----w- c:\program files\Common Files\PCSuite
    2009-07-16 01:52 . 2009-07-16 01:57 -------- d-----w- c:\program files\DIFX
    2009-07-16 01:52 . 2008-08-26 06:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
    2009-07-16 01:52 . 2009-07-16 01:52 -------- d-----w- c:\program files\PC Connectivity Solution
    2009-07-16 01:51 . 2009-02-09 04:37 7808 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
    2009-07-16 01:51 . 2009-02-09 04:37 7808 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
    2009-07-16 01:51 . 2009-02-09 04:37 22016 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
    2009-07-16 01:51 . 2009-02-09 04:37 659968 ----a-w- c:\windows\system32\nmwcdcocls.dll
    2009-07-16 01:51 . 2009-02-09 04:37 17664 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
    2009-07-16 01:51 . 2009-02-09 04:32 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
    2009-07-16 01:50 . 2009-07-16 01:48 33773208 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Nokia_PC_Suite_7_1_30_9_eng.exe
    2009-07-16 01:49 . 2009-07-16 01:49 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\pcswpcsi.exe
    2009-07-16 01:49 . 2009-07-16 01:49 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstCCD.exe
    2009-07-16 01:49 . 2009-07-16 01:49 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
    2009-07-16 01:49 . 2009-07-16 01:49 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstPCS.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-01 15:47 . 2008-11-09 11:18 -------- d-----w- c:\program files\Etisalat Modem Protector
    2009-08-01 15:44 . 2008-11-17 12:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
    2009-08-01 02:38 . 2008-11-09 16:16 -------- d-----w- c:\program files\Ares
    2009-07-20 19:00 . 2008-10-09 17:07 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-07-17 14:32 . 2008-11-09 16:08 -------- d-----w- c:\program files\DivX
    2009-07-17 14:31 . 2009-04-10 09:54 -------- d-----w- c:\program files\Common Files\DivX Shared
    2009-07-16 02:00 . 2008-11-09 11:40 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2009-07-16 01:56 . 2009-02-05 02:02 -------- d-----w- c:\program files\Common Files\Nokia
    2009-07-16 01:56 . 2008-12-18 14:11 -------- d-----w- c:\program files\Nokia
    2009-07-16 01:48 . 2008-12-18 14:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
    2009-06-07 16:14 . 2009-03-29 08:39 -------- d-----w- c:\documents and settings\All Users\Application Data\NETg
    2009-07-23 11:21 . 2008-11-09 15:40 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
    2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-11-14 4608]
    "PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-25 1414144]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
    "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 52256]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
    "Etisalat Modem Protector"="c:\program files\Etisalat Modem Protector\Modem Protector.exe" [2006-06-05 446464]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
    "osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2007-08-30 714608]
    "SpybotSnD"="c:\program files\Spybot - Search & Destroy\SpybotSD.exe" [2008-07-07 4891472]
    "Media Codec Update Service"="c:\program files\Essentials Codec Pack\WECPUpdate.exe" [2009-01-25 196608]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "SpybotDeletingC3094"="del" [X]
    "GrpConv"="grpconv -o" [X]
    "SpybotDeletingA6511"="command" [X]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Common Files\\Symantec Shared\\NPC\\npcLUStb.exe"=
    "c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
    "c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [8/30/2007 4:45 AM 149352]
    R2 ModemProtectorService;Modem Protector service;c:\program files\Etisalat Modem Protector\ModemProtectorService.exe [5/22/2006 5:33 PM 143360]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/27/2009 6:35 AM 101936]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [8/30/2007 4:46 AM 23888]
    S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [11/13/2008 5:24 PM 33752]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - AUJASNKJ
    *Deregistered* - aujasnkj
    *Deregistered* - mchInjDrv
    .
    Contents of the 'Scheduled Tasks' folder

    2009-08-01 c:\windows\Tasks\Norton AntiVirus Online - Run Full System Scan - Administrator.job
    - c:\program files\Norton AntiVirus\Navw32.exe [2007-08-30 00:47]
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-RunOnce-<NO NAME> - (no file)


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\znic94gk.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.ae/
    FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-08-01 19:57
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
    "ImagePath"="\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\mc23.tmp"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1292428093-651377827-725345543-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{ECCEE0F8-2389-DBF0-CD44-27A089191EA6}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    Completion time: 2009-08-01 19:59
    ComboFix-quarantined-files.txt 2009-08-01 15:59

    Pre-Run: 2,500,263,936 bytes free
    Post-Run: 2,511,200,256 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
    169 --- E O F --- 2009-01-18 12:53
    *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
    HijackThis Log


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:04:14, on 01/08/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Etisalat Modem Protector\ModemProtectorService.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Etisalat Modem Protector\Modem Protector.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
    C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com...r/fix_homepage
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O1 - Hosts: # Copyright (c) 1993-1999 Microsoft Corp.
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Etisalat Modem Protector] C:\Program Files\Etisalat Modem Protector\Modem Protector.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
    O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\WECPUpdate.exe -s
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC3094] cmd /c del "C:\WINDOWS\SchedLgU.Txt"
    O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
    O4 - HKLM\..\RunOnce: [SpybotDeletingA6511] command /c del "C:\WINDOWS\SchedLgU.Txt"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
    O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\RunOnce: [SpybotDeletingB951] command /c del "C:\WINDOWS\SchedLgU.Txt"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD2868] cmd /c del "C:\WINDOWS\SchedLgU.Txt"
    O4 - S-1-5-18 Startup: Shortcut to Local Area Connection.lnk = ? (User 'SYSTEM')
    O4 - .DEFAULT Startup: Shortcut to Local Area Connection.lnk = ? (User 'Default user')
    O4 - Startup: Shortcut to Local Area Connection.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1226583123390
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O21 - SSODL: InternetConnection - {B1A95BA3-3827-4F63-A75E-009E2B48A48F} - (no file)
    O23 - Service: Ares Chatroom server (AresChatServer) - Unknown owner - C:\Program Files\Ares\chatServer.exe (file missing)
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Modem Protector service (ModemProtectorService) - Unknown owner - C:\Program Files\Etisalat Modem Protector\ModemProtectorService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

    --
    End of file - 8056 bytes

  10. #10
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      Folder::
      c:\documents and settings\Administrator\Application Data\uTorrent
      c:\program files\Ares
      c:\Program Files\uTorrent
      
      Registry::
      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "c:\\Program Files\\uTorrent\\uTorrent.exe"=-
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
