
Thread: Can not run D.D.S.

  1. #11
    Junior Member
    Join Date
    Nov 2011
    Posts
    26


    COMBOFIX

    ComboFix 11-11-15.06 - OWNER 11/15/2011 20:14:25.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.639.289 [GMT -5:00]
    Running from: c:\documents and settings\Cassidy\desktop\ComboFix.exe
    Command switches used :: /nombr
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\OWNER\Application Data\Adobe\plugs
    c:\documents and settings\OWNER\Application Data\Adobe\shed
    c:\documents and settings\OWNER\Local Settings\Application Data\{A6229D32-CF4F-46AA-B529-C0F352C72582}
    c:\documents and settings\OWNER\Local Settings\Application Data\{A6229D32-CF4F-46AA-B529-C0F352C72582}\chrome.manifest
    c:\documents and settings\OWNER\Local Settings\Application Data\{A6229D32-CF4F-46AA-B529-C0F352C72582}\chrome\content\overlay.xul
    c:\documents and settings\OWNER\Local Settings\Application Data\{A6229D32-CF4F-46AA-B529-C0F352C72582}\install.rdf
    c:\windows\system32\Packet.dll
    c:\windows\system32\pthreadVC.dll
    c:\windows\system32\wpcap.dll
    c:\windows\tsoc.log
    c:\windows\XSxS
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_NPF
    -------\Service_NPF
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-10-16 to 2011-11-16 )))))))))))))))))))))))))))))))
    .
    .
    2011-11-13 04:32 . 2011-10-18 06:28 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-11-13 04:30 . 2011-10-18 06:28 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{54B1E0AA-E09E-46C1-98E5-36DC11ECE7A2}\mpengine.dll
    2011-11-12 17:44 . 2011-11-12 17:45 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-11-09 00:57 . 2011-11-09 00:57 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
    2011-11-08 01:06 . 2011-11-12 17:44 -------- d-----w- C:\TDSSKiller_Quarantine
    2011-11-08 00:58 . 2011-11-08 00:58 -------- d--h--w- c:\windows\PIF
    2011-11-07 04:38 . 2011-11-07 04:38 -------- d-----w- c:\program files\Common Files\Java
    2011-11-07 04:25 . 2011-11-07 04:27 -------- d-----w- c:\program files\Microsoft Security Client
    2011-11-07 01:23 . 2011-11-07 01:24 -------- d-----w- C:\WINSSLog
    2011-11-06 22:14 . 2011-11-06 22:14 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2011-11-06 21:54 . 2011-11-06 21:54 69120 --sha-r- c:\windows\system32\inetcplc9.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-14 23:18 . 2011-05-16 05:15 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-10 14:22 . 2009-11-25 03:31 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-10-03 10:06 . 2010-05-26 02:27 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-09-28 07:06 . 2003-03-20 21:18 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 15:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 15:41 . 2004-04-12 08:06 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 15:41 . 2004-04-12 08:06 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-06 13:20 . 2004-04-12 08:12 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-08-31 21:00 . 2009-12-03 16:02 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-22 23:48 . 2004-04-12 08:12 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-08-22 23:48 . 2004-04-12 08:02 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-08-22 23:48 . 2004-04-12 08:01 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-08-22 11:56 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
    2011-09-30 03:12 . 2011-06-03 04:24 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cdloader"="c:\documents and settings\OWNER\Application Data\mjusbsp\cdloader2.exe" [2009-12-24 50520]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="NvQTwk" [X]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2001-11-06 131072]
    "DadApp"="c:\program files\Dell\AccessDirect\dadapp.exe" [2002-11-01 208560]
    "TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-06-10 1326080]
    "AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2009-06-10 904840]
    "Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-06-10 136472]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^OWNER^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    path=c:\documents and settings\OWNER\Start Menu\Programs\Startup\LimeWire On Startup.lnk
    backup=c:\windows\pss\LimeWire On Startup.lnkStartup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^OWNER^Start Menu^Programs^Startup^Seagate 2GH26QJW Product Registration.lnk]
    path=c:\documents and settings\OWNER\Start Menu\Programs\Startup\Seagate 2GH26QJW Product Registration.lnk
    backup=c:\windows\pss\Seagate 2GH26QJW Product Registration.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2011-06-29 13:22 136176 ----atw- c:\documents and settings\OWNER\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
    2006-11-13 18:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2011-04-27 05:22 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 21:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2011-06-09 18:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Documents and Settings\\OWNER\\Application Data\\mjusbsp\\magicJack.exe"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    .
    S1 MpKsl06753459;MpKsl06753459;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{02065891-3F17-4033-9DA0-E553F7762462}\MpKsl06753459.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{02065891-3F17-4033-9DA0-E553F7762462}\MpKsl06753459.sys [?]
    S1 MpKsl06c2b7d5;MpKsl06c2b7d5;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C4B9E7A3-B56B-4F6E-A395-663BC9DD2933}\MpKsl06c2b7d5.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C4B9E7A3-B56B-4F6E-A395-663BC9DD2933}\MpKsl06c2b7d5.sys [?]
    S1 MpKsl0ce97650;MpKsl0ce97650;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DBB7438C-35D9-49E4-BDBE-FCC8BD52F423}\MpKsl0ce97650.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DBB7438C-35D9-49E4-BDBE-FCC8BD52F423}\MpKsl0ce97650.sys [?]
    S1 MpKsl104f1a89;MpKsl104f1a89;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{914F958E-E732-4B4B-B0DA-C71D178667E3}\MpKsl104f1a89.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{914F958E-E732-4B4B-B0DA-C71D178667E3}\MpKsl104f1a89.sys [?]
    S1 MpKsl18b0c8f1;MpKsl18b0c8f1;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{03DCA112-2FD8-4273-BD98-239E261C787E}\MpKsl18b0c8f1.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{03DCA112-2FD8-4273-BD98-239E261C787E}\MpKsl18b0c8f1.sys [?]
    S1 MpKsl1d5ce3db;MpKsl1d5ce3db;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB8BD429-96DB-4CAB-807F-6AF44714325E}\MpKsl1d5ce3db.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB8BD429-96DB-4CAB-807F-6AF44714325E}\MpKsl1d5ce3db.sys [?]
    S1 MpKsl2098ee12;MpKsl2098ee12;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{17F40F73-B59C-4FDE-AEC1-2E7A0B6BD64B}\MpKsl2098ee12.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{17F40F73-B59C-4FDE-AEC1-2E7A0B6BD64B}\MpKsl2098ee12.sys [?]
    S1 MpKsl2c9a16f8;MpKsl2c9a16f8;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{43BC38AF-E431-4613-8113-3F07AAAA2876}\MpKsl2c9a16f8.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{43BC38AF-E431-4613-8113-3F07AAAA2876}\MpKsl2c9a16f8.sys [?]
    S1 MpKsl2f587506;MpKsl2f587506;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2F39569A-B513-4ACD-9400-79A1A6937EDB}\MpKsl2f587506.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2F39569A-B513-4ACD-9400-79A1A6937EDB}\MpKsl2f587506.sys [?]
    S1 MpKsl492b9faa;MpKsl492b9faa;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BF0F4DA6-22F1-4F18-8CD9-28D9ACFF0766}\MpKsl492b9faa.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BF0F4DA6-22F1-4F18-8CD9-28D9ACFF0766}\MpKsl492b9faa.sys [?]
    S1 MpKsl5c882d1f;MpKsl5c882d1f;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B8B6ADFF-3C64-47E1-A50F-7FA1F6DBA09D}\MpKsl5c882d1f.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B8B6ADFF-3C64-47E1-A50F-7FA1F6DBA09D}\MpKsl5c882d1f.sys [?]
    S1 MpKsl7c543b59;MpKsl7c543b59;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D241811-9A84-4E70-B3A4-F4E822BB2902}\MpKsl7c543b59.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D241811-9A84-4E70-B3A4-F4E822BB2902}\MpKsl7c543b59.sys [?]
    S1 MpKsl7c8b4a62;MpKsl7c8b4a62;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{74C7B35C-1996-46B8-AB2D-A6D094376DBE}\MpKsl7c8b4a62.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{74C7B35C-1996-46B8-AB2D-A6D094376DBE}\MpKsl7c8b4a62.sys [?]
    S1 MpKsl8b2b6408;MpKsl8b2b6408;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{74C7B35C-1996-46B8-AB2D-A6D094376DBE}\MpKsl8b2b6408.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{74C7B35C-1996-46B8-AB2D-A6D094376DBE}\MpKsl8b2b6408.sys [?]
    S1 MpKslde5af808;MpKslde5af808;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CB61DF90-165B-4CC5-9940-78CE104A4C80}\MpKslde5af808.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CB61DF90-165B-4CC5-9940-78CE104A4C80}\MpKslde5af808.sys [?]
    S3 26666836;26666836; [x]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [11/12/2011 12:44 PM 41272]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-11-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-492894223-1957994488-1004Core.job
    - c:\documents and settings\OWNER\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 13:22]
    .
    2011-11-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-492894223-1957994488-1004UA.job
    - c:\documents and settings\OWNER\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 13:22]
    .
    2011-11-14 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Free YouTube Download - c:\documents and settings\OWNER\Application Data\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
    IE: Free YouTube to Mp3 Converter - c:\documents and settings\OWNER\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
    TCP: DhcpNameServer = 192.168.2.1
    DPF: {2EA5DD45-9254-4B0D-9F48-E92FEC3A9754} - hxxps://simulcast.manheim.com/simulcast_docs/av/SimulcastAVPlugin-win-ie.cab
    DPF: {7206EAAC-5CFA-43A3-9F61-E27E8E51E42F} - hxxp://adus1.liveglobalbid.com/container_repository/laiexec.cab
    FF - ProfilePath - c:\documents and settings\OWNER\Application Data\Mozilla\Firefox\Profiles\hykzwa8x.default\
    FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/;_ylt=AtoEu.MyDuQycydxJDNikOlG2vAI
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 60848
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: network.proxy.type - 0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-GigglePop.com evalPal Plus for NADA - c:\windows\suinsta4001.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-11-15 20:28
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(700)
    c:\windows\system32\relog_ap.dll
    .
    - - - - - - - > 'explorer.exe'(3376)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\rundll32.exe
    c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\windows\System32\nvsvc32.exe
    c:\windows\System32\wltrysvc.exe
    c:\windows\System32\bcmwltry.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\program files\Apoint\Apntex.exe
    .
    **************************************************************************
    .
    Completion time: 2011-11-15 20:33:25 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-11-16 01:33
    .
    Pre-Run: 34,540,924,928 bytes free
    Post-Run: 36,535,570,432 bytes free
    .
    - - End Of File - - 92BBADCB600E35477D1320CFB08E05F7





    CKFILES

    CKScanner - Additional Security Risks - These are not necessarily bad
    scanner sequence 3.MN.11.RAAPTI
    ----- EOF -----





    Note: I have read the warnings on here. I do not have any file sharing installed anymore; it was deleted long ago but for some reason shows in that report under startup, not sure why. Thanks again for any help.
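The ComboFix log in this post carries the items the rest of the thread acts on: a firewall policy with EnableFirewall set to 0, a globally open port, a hidden-and-system file in system32 (the --sha-r- attribute string), a service whose image file is missing ([x]), and Firefox proxy preferences pointing at 127.0.0.1:60848. As an added example, not part of the original post and not ComboFix's own code, the Python below pulls those five categories out of ComboFix-format log lines. The log excerpt embedded in it is constructed from the entries visible above; the regular expressions and category names are this example's own. One detail worth reading off the log rather than assuming: network.proxy.type is 0, which in Firefox means a direct connection, so the loopback proxy entry is configured but not currently in use.

```python
"""Pull the actionable items out of a ComboFix-format log.

Added example for this thread, not ComboFix's own code. The log excerpt below
is constructed from the entries shown in the post above; the regular
expressions and category names are this example's own.
"""
import re
import sys

# Constructed excerpt: one representative line per section of the log above.
SAMPLE_LOG = r"""
2011-11-06 21:54 . 2011-11-06 21:54 69120 --sha-r- c:\windows\system32\inetcplc9.dll
2011-11-06 22:14 . 2011-11-06 22:14 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-11-12 17:44 . 2011-11-12 17:45 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
S3 26666836;26666836; [x]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [11/12/2011 12:44 PM 41272]
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 60848
FF - prefs.js: network.proxy.type - 0
"""

# "created . modified size attrs path"; attrs is ComboFix's 8-character string
# (d=directory, s=system, h=hidden, a=archive, r/w=read-only/writable).
FILE_LINE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d +\S+ +(\S{8}) +(.+)$")
# Service whose image file is missing on disk: "S3 name;display; [x]".
ORPHAN_SERVICE = re.compile(r"^S\d ([^;]+);[^;]*; \[x\]$")
# Windows Firewall port exceptions: "26675:TCP"= ...
OPEN_PORT = re.compile(r'^"(\d+:(?:TCP|UDP))"=')
FF_PREF = re.compile(r"^FF - (?:prefs|user)\.js: (network\.proxy\.\S+) - (.+)$")


def triage(log_text):
    """Return (category, detail) pairs for the items worth acting on."""
    findings = []
    proxy = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith('"EnableFirewall"='):
            value = line.split("=", 1)[1].strip()
            if value.startswith("0"):
                findings.append(("firewall_disabled", line))
            continue
        m = OPEN_PORT.match(line)
        if m:
            findings.append(("open_port", m.group(1)))
            continue
        m = ORPHAN_SERVICE.match(line)
        if m:
            findings.append(("orphan_service", m.group(1)))
            continue
        m = FILE_LINE.match(line)
        if m:
            attrs, path = m.groups()
            # Hidden+system *files* under system32 are unusual; directories
            # such as IETldCache legitimately carry the same attributes.
            if attrs[0] != "d" and "s" in attrs and "h" in attrs \
                    and "\\system32\\" in path.lower():
                findings.append(("hidden_system_file", path))
            continue
        m = FF_PREF.match(line)
        if m:
            proxy[m.group(1)] = m.group(2).strip()
    host = proxy.get("network.proxy.http")
    if host:
        port = proxy.get("network.proxy.http_port", "?")
        ptype = proxy.get("network.proxy.type", "?")
        # Firefox only honours network.proxy.http when network.proxy.type is 1.
        state = "active" if ptype == "1" else "inactive: network.proxy.type=%s" % ptype
        findings.append(("firefox_proxy", "%s:%s (%s)" % (host, port, state)))
    return findings


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for category, detail in triage(text):
        print("%-20s %s" % (category, detail))
```

Pipe a full ComboFix.txt on stdin to run it over a real log; with no input it triages the constructed excerpt. The heuristics are deliberately narrow, and the hidden+system check is restricted to files rather than directories because the IE cache folders in the same log carry those attributes legitimately.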

  2. #12
    Security Expert- Emeritus
    Join Date
    Aug 2008
    Location
    South East Asia
    Posts
    725


    Hello gob71 ,

    Do an online scan with ESET Online Scanner.
    Please be patient, as scanning will take quite some time. If you have problems running the scan, you might want to disable any real-time protection that you have.
    • Click here to go to ESET Online Scanner page.
    • Click on Run ESET Online Scanner. A new window will open.
      For Firefox users, you will need to download and install esetsmartinstaller_enu.exe. Click on it and save the file to a convenient location. Double-click on it to install, and a new window will open.
    • After reading through the Terms of Use, check YES, I accept the Terms of Use and click Start to begin scan.
    • You will be prompted to install an ActiveX Control from ESET. Please install.
    • At the Computer scan settings section, uncheck (untick) Remove found threats. <-- Important, do not remove anything yet.
    • Then, check Scan archives.
    • Now, click on Advanced settings and make sure all these are checked:
      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology
    • Click on Scan to proceed.
    • When done, the scan result will be shown. Look for C:\Program Files\ESET\ESET Online Scanner\log.txt and open the file.
    • Post the contents in your reply.


    If the contents of log.txt do not reflect what is shown in the result window, click on List of found threats, then Export to text file..., save a file and post that instead.

    --------------------

    Please post back:
    1. ESET results
    2. how is the computer behaving now?

  3. #13
    Junior Member
    Join Date
    Nov 2011
    Posts
    26


    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FakeBillCourtCologne.zip Win32/Bagle.gen.zip worm
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudInternetSecurity69.zip Win32/Bagle.gen.zip worm
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudInternetSecurity7.zip Win32/Bagle.gen.zip worm
    C:\Documents and Settings\OWNER\Desktop\Phone\autorun.inf Win32/AutoRun.Agent.FC worm
    C:\Documents and Settings\OWNER\My Documents\Downloads\Setup_FreeConverter.exe Win32/Adware.Toolbar.Dealio application


    MSE will now load upon startup, but it remains a red box with an X and it will not allow me to start "Real Time Protection". Also, each time I restart, the Windows firewall is turned off. I am still redirected when doing searches on Google and Yahoo.

  4. #14
    Junior Member
    Join Date
    Nov 2011
    Posts
    26


    OK, I am mistaken: now MSE will turn green, and the redirect is gone. I did not select it to remove the threats; should I do that now? It says 5 threats found, 0 cleaned.

  5. #15
    Security Expert- Emeritus
    Join Date
    Aug 2008
    Location
    South East Asia
    Posts
    725


    Hello gob71 ,

    We will deal with some of the ESET findings in this step. The remaining entries are backups from Spybot.

    --------------------

    A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use. Do not mouse click on ComboFix while it is running. That may cause it to stall.

    Run ComboFix script
    • Please temporarily disable the real-time protection of any antivirus, antispyware or antimalware programs when running ComboFix. They will interfere and may cause unexpected results.
    • If you need help to disable your protection programs see here and here.
    • Open Notepad. Copy and paste the following text into it:
      Code:
      http://forums.spybot.info/showthread.php?t=64338
      Collect::
      c:\windows\system32\inetcplc9.dll
      C:\Documents and Settings\OWNER\Desktop\Phone\autorun.inf
      
      File::
      c:\documents and settings\OWNER\Start Menu\Programs\Startup\LimeWire On Startup.lnk
      c:\windows\pss\LimeWire On Startup.lnkStartup
      C:\Documents and Settings\OWNER\My Documents\Downloads\Setup_FreeConverter.exe
      
      Driver::
      26666836
      
      Registry::
      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
      "26675:TCP"=-
      
      [-HKLM\~\startupfolder\C:^Documents and Settings^OWNER^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
      
      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
      "EnableFirewall"=1
      
      Firefox::
      FF - ProfilePath - c:\documents and settings\OWNER\Application Data\Mozilla\Firefox\Profiles\hykzwa8x.default\
      FF - prefs.js: network.proxy.http - 127.0.0.1
      FF - prefs.js: network.proxy.http_port - 60848
    • Save it as CFScript.txt at the desktop. Make sure the Save as type: is All Files (*.*).



    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix may request an update, please allow it.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • ComboFix will also ask to upload some bad files for analysis. Please follow the steps accordingly.
    • When finished, a log will be produced as C:\ComboFix.txt. Copy and paste the contents of the log in your next reply.
    • If you lose Internet connection after running ComboFix, right click on the network icon at the system tray and select Repair, or you can reboot the computer.
    • Re-enable your security software as soon as you have completed the ComboFix steps.


    --------------------

    Please post back:
    1. ComboFix log
    Last edited by Jack&Jill; 2011-11-18 at 17:03.

  6. #16
    Junior Member
    Join Date
    Nov 2011
    Posts
    26


    Combo Fix hangs up and the computer locks up, having to be restarted.
    Last edited by Jack&Jill; 2011-11-19 at 05:33.

  7. #17
    Security Expert- Emeritus
    Join Date
    Aug 2008
    Location
    South East Asia
    Posts
    725


    Hello gob71 ,

    Please download MiniRegTool© by farbar and save it to your desktop.

    Click here - 32-bit version.

    • Extract the file to the desktop using 7-Zip or a suitable archive utility that handles Zip files.
    • Double click on MiniRegTool.exe to run it.
    • Copy and paste the following text into the white box:
      Code:
      LimeWire
      standardprofile
    • Please select:
      • Search:
    • Click on the Go button. A log will open.
    • Please post the contents of this log. It can also be found on the desktop as Result.txt.


    --------------------

    Upload file(s) to VirusTotal (VT) for an online scan. Click here.
    • Click on the Browse button or the white box beside it. A File Upload prompt will open.
    • Copy and paste the following file and its path to upload:
      Code:
      c:\windows\system32\inetcplc9.dll
    • Press Open, then Send file. The file will be uploaded for testing.
    • If there is any indication or prompt that the file has been scanned before, please proceed to have the file rescanned or reanalyzed.
    • Please wait for all the scanners to finish, then copy and paste the result into Notepad and save it to a convenient place.
    • Post the results in your next response.


    Alternatively, if VirusTotal is busy or inaccessible, you may try Jotti or VirScan (VS) with similar steps.

    A result from either one of the above scanners would be sufficient.

    --------------------

    Please post back:
    1. MiniRegTool log
    2. VT result
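This post asks for the DLL's path to be uploaded to a multi-engine scanner, and the reports posted later in the thread identify the sample by size and by MD5/SHA-1/SHA-256 rather than by name. As an added example (not code from the original post, nor from VirusTotal or VirSCAN), the Python below computes those same identity fields for a local file, so a report can be matched to the file at the path that was actually requested, and parses enough of the PE headers to reproduce the "PE32 executable (DLL) (GUI) Intel 80386" line that VirSCAN prints. The 184-byte sample it builds is a constructed PE32 DLL header, not the file from this thread, and the function and field names are this example's own.

```python
"""Pin down what was submitted before reading a scanner verdict.

Added example for this thread, not VirusTotal's or VirSCAN's code. The sample
below is a constructed minimal PE32 DLL header, not the file from the thread.
"""
import hashlib
import struct

MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
SUBSYSTEMS = {2: "GUI", 3: "console"}
IMAGE_FILE_DLL = 0x2000


def file_identity(data):
    """Size and hashes, in the same fields the scanner reports print."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_report(data, report):
    """True when every identity field the report gives matches the local file."""
    local = file_identity(data)
    return all(local[k] == report[k] for k in report if k in local)


def describe_pe(data):
    """Parse the DOS/COFF/optional headers; None if this is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 24                 # optional header follows the 20-byte COFF header
    if len(data) < opt + 70:            # need at least up to and including Subsystem
        return None
    machine, _nsect, _ts, _symtab, _nsyms, _optsize, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    magic = struct.unpack_from("<H", data, opt)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]   # same offset in PE32 and PE32+
    return {
        "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "machine": MACHINES.get(machine, hex(machine)),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
    }


def build_sample_dll():
    """Constructed 184-byte PE32 DLL header (i386, GUI subsystem) for the demo."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x2102)  # i386; EXECUTABLE|32BIT|DLL
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<H", opt, 68, 2)                             # IMAGE_SUBSYSTEM_WINDOWS_GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


SAMPLE_DLL = build_sample_dll()

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DLL
    print(file_identity(data))
    print(describe_pe(data))
```

Run it with a file path as the first argument to print that file's identity; with no argument it describes the constructed sample. The point of the comparison is that a multi-engine result, clean or not, is a verdict on the bytes the scanner received, so the hashes in the report should be checked against the file at the path that was asked for before the verdict is read as applying to it.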

  8. #18
    Junior Member
    Join Date
    Nov 2011
    Posts
    26


    MINIREG

    MiniRegTool by Farbar
    Ran by oWNER (administrator) on 2011-11-19 at 09:06:21

    ==========================================
    Search Result For: "LimeWire"

    [HKEY_CURRENT_USER\Software\Magnet\Handlers\LimeWire]
    [HKEY_CURRENT_USER\Software\Magnet\Handlers\LimeWire]
    ""="LimeWire"
    [HKEY_CURRENT_USER\Software\Magnet\Handlers\LimeWire]
    "DefaultIcon"=""C:\Program Files\LimeWire\LimeWire.exe",0"
    [HKEY_CURRENT_USER\Software\Magnet\Handlers\LimeWire]
    "Description"="LimeWire"
    [HKEY_CURRENT_USER\Software\Magnet\Handlers\LimeWire]
    "ShellExecute"=""C:\Program Files\LimeWire\LimeWire.exe" "%URL""
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\LimeWire]
    [HKEY_CURRENT_USER\Software\Classes\.torrent]
    ""="LimeWire"
    [HKEY_CURRENT_USER\Software\Classes\LimeWire]
    [HKEY_CURRENT_USER\Software\Classes\LimeWire]
    ""="LimeWire Torrent"
    [HKEY_CURRENT_USER\Software\Classes\LimeWire\DefaultIcon]
    ""="C:\Program Files\LimeWire\LimeWire.exe,1"
    [HKEY_CURRENT_USER\Software\Classes\LimeWire\shell\open\command]
    ""=""C:\Program Files\LimeWire\LimeWire.exe" "%1""
    [HKEY_CURRENT_USER\Software\Classes\magnet\DefaultIcon]
    ""=""C:\Program Files\LimeWire\LimeWire.exe",0"
    [HKEY_CURRENT_USER\Software\Classes\magnet\shell\open\command]
    ""=""C:\Program Files\LimeWire\LimeWire.exe" "%1""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^OWNER^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^OWNER^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    "path"="C:\Documents and Settings\OWNER\Start Menu\Programs\Startup\LimeWire On Startup.lnk"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^OWNER^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    "backup"="C:\WINDOWS\pss\LimeWire On Startup.lnkStartup"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^OWNER^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    "command"="C:\PROGRA~1\LimeWire\LimeWire.exe -startup"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^OWNER^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    "item"="LimeWire On Startup"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1417001333-492894223-1957994488-1004\Components\C092FA47FB82BD113BA600313DEA14A1]
    "C9B4E34C8C410BE499B85812B1E6DD16"="C?\Program Files\Common Files\Acronis\BackupScripts\limewire_4.1.xml"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs]
    "C:\Program Files\Common Files\Acronis\BackupScripts\limewire_4.1.xml"="1"
    ==========================================
    Search Result For: "standardprofile"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

    ==== End of Search ====

  9. #19
    Junior Member
    Join Date
    Nov 2011
    Posts
    26


    VirusTotal

    File name:
    inetcplc.dll
    Submission date:
    2011-11-20 01:22:05 (UTC)
    Current status:
    finished
    Result:
    0/ 42 (0.0%)

    VT Community

    not reviewed
    Safety score: -
    Antivirus Version Last Update Result
    AhnLab-V3 2011.11.19.00 2011.11.19 -
    AntiVir 7.11.17.231 2011.11.18 -
    Antiy-AVL 2.0.3.7 2011.11.19 -
    Avast 6.0.1289.0 2011.11.19 -
    AVG 10.0.0.1190 2011.11.19 -
    BitDefender 7.2 2011.11.19 -
    ByteHero 1.0.0.1 2011.11.14 -
    ClamAV 0.97.3.0 2011.11.19 -
    Commtouch 5.3.2.6 2011.11.19 -
    Comodo 10780 2011.11.18 -
    DrWeb 5.0.2.03300 2011.11.20 -
    Emsisoft 5.1.0.11 2011.11.20 -
    eSafe 7.0.17.0 2011.11.18 -
    eTrust-Vet 37.0.9576 2011.11.19 -
    F-Prot 4.6.5.141 2011.11.19 -
    F-Secure 9.0.16440.0 2011.11.20 -
    Fortinet 4.3.370.0 2011.11.19 -
    GData 22.283/22.517 2011.11.19 -
    Ikarus T3.1.1.109.0 2011.11.19 -
    Jiangmin 13.0.900 2011.11.16 -
    K7AntiVirus 9.119.5497 2011.11.19 -
    Kaspersky 9.0.0.837 2011.11.19 -
    McAfee 5.400.0.1158 2011.11.20 -
    McAfee-GW-Edition 2010.1D 2011.11.20 -
    Microsoft 1.7801 2011.11.19 -
    NOD32 6644 2011.11.20 -
    Norman 6.07.13 2011.11.19 -
    nProtect 2011-11-19.01 2011.11.19 -
    Panda 10.0.3.5 2011.11.19 -
    PCTools 8.0.0.5 2011.11.20 -
    Prevx 3.0 2011.11.20 -
    Rising 23.84.04.02 2011.11.18 -
    Sophos 4.71.0 2011.11.19 -
    SUPERAntiSpyware 4.40.0.1006 2011.11.19 -
    Symantec 20111.2.0.82 2011.11.20 -
    TheHacker 6.7.0.1.345 2011.11.19 -
    TrendMicro 9.500.0.1008 2011.11.19 -
    TrendMicro-HouseCall 9.500.0.1008 2011.11.20 -
    VBA32 3.12.16.4 2011.11.18 -
    VIPRE 11091 2011.11.19 -
    ViRobot 2011.11.19.4782 2011.11.19 -
    VirusBuster 14.1.73.0 2011.11.19 -
    Additional information
    MD5 : 60a29d924ac51a64f1bcaf6f43626915
    SHA1 : 8e4640b293c32c8a6abe9de658af732cff7db6a5
    SHA256: ab5b916704d481a63e9de7d74833f6658315fb08fa7270a40b53b0c746adfb31

    VirSCAN.org Scanned Report :
    Scanned time : 2011/11/19 20:27:04 (EST)
    Scanner results: Scanners did not find malware!
    File Name : inetcplc.dll
    File Size : 110592 byte
    File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bi
    MD5 : 60a29d924ac51a64f1bcaf6f43626915
    SHA1 : 8e4640b293c32c8a6abe9de658af732cff7db6a5
    Online report : http://r.virscan.org/f0026116f5444719393f5965753e3ab0

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 5.1.0.4 20111120090206 2011-11-20 0.26 -
    AhnLab V3 2011.11.19.00 2011.11.19 2011-11-19 2.51 -
    AntiVir 8.2.6.116 7.11.17.231 2011-11-18 0.27 -
    Antiy 2.0.18 20111120.14290528 2011-11-20 0.02 -
    Arcavir 2011 201111190120 2011-11-19 3.07 -
    Authentium 5.1.1 201111191819 2011-11-19 1.44 -
    AVAST! 4.7.4 111119-1 2011-11-19 0.01 -
    AVG 10.0.1405 2090/4027 2011-11-19 0.08 -
    BitDefender 7.90123.9170313 7.39907 2011-11-20 4.55 -
    ClamAV 0.97.1 13965 2011-11-19 0.04 -
    Comodo 5.1 10780 2011-11-17 1.92 -
    CP Secure 1.3.0.5 2011.11.19 2011-11-19 0.05 -
    Dr.Web 5.0.2.3300 2011.11.20 2011-11-20 15.74 -
    F-Prot 4.6.2.117 20111119 2011-11-19 0.78 -
    F-Secure 7.02.73807 2011.11.19.03 2011-11-19 0.19 -
    Fortinet 4.2.257 14.373 2011-11-19 0.10 -
    GData 22.2833 20111120 2011-11-20 5.40 -
    ViRobot 20111119 2011.11.19 2011-11-19 0.34 -
    Ikarus T3.1.32.20.0 2011.11.19.79833 2011-11-19 4.93 -
    JiangMin 13.0.900 2011.11.19 2011-11-19 1.93 -
    Kaspersky 5.5.10 2011.11.20 2011-11-20 0.10 -
    KingSoft 2009.2.5.15 2011.11.20.9 2011-11-20 0.87 -
    McAfee 5400.1158 6535 2011-11-19 11.12 -
    Microsoft 1.7801 2011.11.20 2011-11-20 3.56 -
    NOD32 3.0.21 6641 2011-11-18 0.01 -
    Norman 6.07.11 6.07.00 2011-09-17 18.02 -
    Panda 9.05.01 2011.11.19 2011-11-19 3.26 -
    Trend Micro 9.500-1005 8.584.06 2011-11-19 0.03 -
    Quick Heal 11.00 2011.11.18 2011-11-18 5.83 -
    Rising 20.0 23.84.04.02 2011-11-18 0.98 -
    Sophos 3.24.4 4.70 2011-11-20 4.45 -
    Sunbelt 3.9.2515.2 11091 2011-11-19 0.67 -
    Symantec 1.3.0.24 20111118.004 2011-11-18 0.05 -
    nProtect 20111119.01 12993033 2011-11-19 1.17 -
    The Hacker 6.7.0.1 v00345 2011-11-19 0.52 -
    VBA32 3.12.16.4 20111118.1105 2011-11-18 4.66 -
    VirusBuster 5.4.0.10 14.1.73.0/6835106 2011-11-20 0.01 -

  10. #20
    Security Expert- Emeritus
    Join Date
    Aug 2008
    Location
    South East Asia
    Posts
    725

    Default

    Hello gob71,

    The VT scan you did was not on the file that I specified, but no worries, we will proceed to the next step.

    We need to disable Spybot S&D's Teatimer real-time protection temporarily, as it will interfere with the fix. Please minimize going online while your security software is disabled or not active.

    First step:
    • Right click the Spybot icon that looks like a blue/white calendar with a padlock symbol in the System Tray (lower right corner where the clock is situated).
    • For version 1.6, the steps are similar to either one of the below.
    • If you have version 1.5, click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now unchecked (unticked). The Spybot icon should now be colorless.
    • If you have Version 1.4, click on Exit Spybot S&D Resident.

    Second step, for either version:
    • Open Spybot S&D.
    • Click Mode, choose Advanced Mode.
    • Go to the bottom of the vertical panel on the left, click Tools.
    • Then, also in the left panel, click on Resident, which shows a red/white shield.
    • If your firewall raises a question, say OK.
    • In the Resident protection status frame, uncheck the box labeled Resident "Tea-Timer" (Protection of over-all system settings) active.
    • OK any prompts.
    • Exit Spybot S&D and reboot your machine for the changes to take effect.

    Remember to enable it after the fix.

    --------------------

    Please download ERUNT© by Lars Hederer from one of the links below and save it to your desktop.

    Link 1
    Link 2
    Link 3

    Back up your registry with ERUNT
    • Double click on erunt-setup.exe and run the installation setup.
    • Follow the setup instructions until you reach Select Additional Tasks, then uncheck (untick) Create NTREGOPT desktop icon.
    • Continue until you get prompted to run ERUNT at startup. Choose No.
    • Next, make sure Launch ERUNT is checked (ticked) and click Finish.
    • Click OK when ERUNT is launched, and accept all default settings. ERUNT will then back up the registry.


    --------------------

    Please download OTM© by Old Timer from one of the links below and save it to your desktop.

    Link 1
    Link 2

    • Double click OTM.exe to run it.
    • Copy and paste the following text into the white box under Paste Instructions for Items to be Moved:
      Code:
      :files
      c:\windows\system32\inetcplc9.dll
      C:\Documents and Settings\OWNER\Desktop\Phone\autorun.inf
      c:\documents and settings\OWNER\Start Menu\Programs\Startup\LimeWire On Startup.lnk
      c:\windows\pss\LimeWire On Startup.lnkStartup
      C:\Documents and Settings\OWNER\My Documents\Downloads\Setup_FreeConverter.exe
      C:\Program Files\LimeWire
      
      :services
      26666836
      
      :reg
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\standardprofile\GloballyOpenPorts\List]
      "26675:TCP"=-
      
      [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^OWNER^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
      [-HKEY_CURRENT_USER\Software\Classes\LimeWire]
      [-HKEY_CURRENT_USER\Software\Classes\.torrent]
      [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\LimeWire]
      [-HKEY_CURRENT_USER\Software\Magnet]
      [-HKEY_CURRENT_USER\Software\Classes\magnet]
      
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\standardprofile]
      "EnableFirewall"=1
      
      :commands
      [CREATERESTOREPOINT]
      [emptytemp]
    • Click the red MoveIt! button. Everything on the desktop may disappear; this is normal. Please wait until the tool completes its routine.
    • Copy everything in the Results window (under the green bar) and paste it in your next reply.
    • The results can also be found in the C:\_OTM\MovedFiles folder, the log file being named MMDDYYYY_HHMMSS.log, where MMDDYYYY_HHMMSS represents the date and time the fix was performed.


    --------------------

    Please post back:
    1. OTM log
    Last edited by Jack&Jill; 2011-11-20 at 05:23.
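Before running a fix script like the one above, a helper can read it back as a plan so you can see exactly what it will touch (here: which files move, which service goes, that the globally opened TCP port entry is deleted and the firewall is re-enabled). This is an added example, not code from the thread or from OTM itself; the meaning of each section is assumed from the syntax as posted, and the script below is a constructed excerpt of the one in the post.

```python
# Added example (not from the thread or from OTM): parse an OTM fix script
# into a plan. Assumed semantics: :files = move, :services = remove,
# :reg = .reg-style ([-key] deletes a key, "name"=- deletes a value,
# anything else sets it), :commands = actions in [brackets].
import re
from collections import defaultdict

# Constructed excerpt of the script posted in the thread.
SAMPLE_SCRIPT = r"""
:files
c:\windows\system32\inetcplc9.dll
C:\Program Files\LimeWire
:services
26666836
:reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"=-
[-HKEY_CURRENT_USER\Software\Classes\LimeWire]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\standardprofile]
"EnableFirewall"=1
:commands
[CREATERESTOREPOINT]
[emptytemp]
"""

def parse_otm_script(text):
    """Return a dict of actions grouped by kind, in script order."""
    plan = defaultdict(list)
    section, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):            # new section header
            section, key = line[1:].lower(), None
        elif section == "reg":
            m = re.fullmatch(r"\[(-?)(.+)\]", line)
            if m:                            # key line; leading '-' = delete key
                key = m.group(2)
                if m.group(1):
                    plan["reg_delete_key"].append(key)
                continue
            m = re.fullmatch(r'"([^"]+)"=(.*)', line)
            if m and key:                    # value line under the current key
                name, value = m.groups()
                kind = "reg_delete_value" if value == "-" else "reg_set_value"
                plan[kind].append((key, name, value))
        elif section == "commands":
            plan["commands"].append(line.strip("[]").lower())
        elif section in ("files", "services"):
            plan[section].append(line)
    return dict(plan)
```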
