Need next instruction for Malware Removal

godalmighty69 · Sep 11, 2009

Fresh ComboFix with CFScript and GMER

ComboFix with CFScript
ComboFix 09-09-09.04 - User 09/11/2009 9:42.5.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.382.158 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript9'11'09.txt

FILE ::
"c:\documents and settings\All Users\LimeWire Downloads\mobile phone tools [cracked by TSRh].zip"
"c:\documents and settings\All Users\LimeWire Downloads\Motorola Mobile Phone Tools 4 - Suite Completa - by arky.zip"
"c:\documents and settings\User\Desktop\DriverTool\keymaker.exe"
"c:\documents and settings\User\Desktop\DriverTool\Setup.exe"
"c:\windows\system32\iohxpwha.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\LimeWire Downloads\mobile phone tools [cracked by TSRh].zip
c:\documents and settings\All Users\LimeWire Downloads\Motorola Mobile Phone Tools + USB Driver (www.softzone.org)
c:\documents and settings\All Users\LimeWire Downloads\Motorola Mobile Phone Tools + USB Driver (www.softzone.org)\Data1.dll
c:\documents and settings\All Users\LimeWire Downloads\Motorola Mobile Phone Tools + USB Driver (www.softzone.org)\Data2.dll
c:\documents and settings\All Users\LimeWire Downloads\Motorola Mobile Phone Tools + USB Driver (www.softzone.org)\Data3.dll
c:\documents and settings\All Users\LimeWire Downloads\Motorola Mobile Phone Tools + USB Driver (www.softzone.org)\Data4.dll
c:\documents and settings\All Users\LimeWire Downloads\Motorola Mobile Phone Tools + USB Driver (www.softzone.org)\keymaker.exe
c:\documents and settings\All Users\LimeWire Downloads\Motorola Mobile Phone Tools + USB Driver (www.softzone.org)\Motorola Mobile Phone Tools + USB Driver (www.softzone.org).nfo
c:\documents and settings\All Users\LimeWire Downloads\Motorola Mobile Phone Tools + USB Driver (www.softzone.org)\Setup.exe
c:\documents and settings\All Users\LimeWire Downloads\Motorola Mobile Phone Tools 4 - Suite Completa - by arky.zip
c:\documents and settings\User\Desktop\DriverTool\keymaker.exe
c:\documents and settings\User\Desktop\DriverTool\Setup.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KIHIST
-------\Service_kihist

((((((((((((((((((((((((( Files Created from 2009-08-11 to 2009-09-11 )))))))))))))))))))))))))))))))
.

2009-09-09 14:15 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-08-31 06:29 . 2009-08-31 06:29 -------- d-----w- C:\$AVG8.VAULT$
2009-08-31 03:24 . 2009-08-31 03:24 -------- d-----w- c:\program files\AVG
2009-08-31 03:24 . 2009-09-03 05:03 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-31 02:02 . 2009-08-31 03:07 68569208 ----a-w- c:\program files\avg_free_stf_en_85_409a1634.exe
2009-08-29 13:26 . 2009-08-29 13:47 -------- d-----w- c:\program files\Spybot
2009-08-28 18:24 . 2009-08-28 18:43 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-28 13:13 . 2009-08-28 13:13 -------- d-sh--w- c:\documents and settings\User\IECompatCache
2009-08-28 13:11 . 2009-08-28 13:11 -------- d-sh--w- c:\documents and settings\User\PrivacIE
2009-08-28 12:28 . 2009-08-28 12:28 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-28 12:22 . 2009-08-28 12:22 -------- d-sh--w- c:\documents and settings\User\IETldCache
2009-08-28 12:18 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-08-28 12:16 . 2009-09-10 08:01 -------- d-----w- c:\windows\ie8updates
2009-08-28 12:15 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-08-28 12:15 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-28 12:07 . 2009-08-28 12:14 -------- dc-h--w- c:\windows\ie8
2009-08-28 11:30 . 2009-08-28 11:33 4153 ----a-w- C:\fix.reg
2009-08-24 05:13 . 2008-10-16 19:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-08-21 14:58 . 2009-08-21 14:58 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-21 14:57 . 2009-08-21 14:57 -------- d-----w- c:\program files\MSBuild
2009-08-21 14:57 . 2009-08-21 14:57 -------- d-----w- c:\program files\Reference Assemblies
2009-08-21 14:54 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-21 14:54 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-21 14:54 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-21 14:54 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-21 14:54 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-21 14:54 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-21 14:54 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-21 14:54 . 2009-08-21 14:55 -------- d-----w- C:\6f6b5f0da4264d87e011e22fee34eb1d
2009-08-18 17:43 . 2009-08-22 16:43 -------- d-----w- c:\documents and settings\User\Application Data\IPublish
2009-08-18 17:43 . 2009-08-18 17:43 -------- d-----w- c:\program files\IPRO Tech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-10 08:12 . 2009-05-25 01:40 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-09 18:23 . 2008-12-09 01:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-09 17:25 . 2008-12-09 01:19 -------- d-----w- c:\program files\Java
2009-08-30 15:44 . 2008-12-18 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-28 18:30 . 2008-12-09 01:13 -------- d-----w- c:\program files\Diskeeper Corporation
2009-08-28 18:26 . 2008-12-16 08:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-08-28 18:26 . 2008-12-16 08:48 -------- d-----w- c:\program files\Yahoo!
2009-08-28 18:23 . 2008-12-08 23:13 -------- d-----w- c:\program files\CONEXANT
2009-08-28 17:59 . 2008-12-08 22:19 33216 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-28 17:45 . 2009-01-19 10:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-28 17:21 . 2009-01-19 10:19 -------- d-----w- c:\program files\Microsoft Works
2009-08-27 03:17 . 2009-04-03 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-27 03:17 . 2009-04-03 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-27 03:15 . 2009-04-03 00:58 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-27 03:14 . 2009-04-03 01:00 -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-08-23 16:05 . 2008-12-18 02:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-23 11:36 . 2009-03-26 21:20 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-22 11:46 . 2008-12-18 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-19 07:02 . 2009-02-19 18:46 -------- d-----w- c:\program files\AVS4YOU
2009-08-14 05:50 . 2009-06-30 06:11 24192 ----a-w- c:\documents and settings\User\usbsermptxp.sys
2009-08-14 05:50 . 2009-06-30 06:11 22768 ----a-w- c:\documents and settings\User\usbsermpt.sys
2009-08-05 11:50 . 2009-01-12 01:52 -------- d-----w- c:\program files\Google
2009-08-05 10:40 . 2008-12-22 19:30 -------- d-----w- c:\program files\HP
2009-08-05 09:01 . 2004-08-10 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-31 18:52 . 2008-12-20 20:09 -------- d-----w- c:\documents and settings\User\Application Data\eFax Messenger
2009-07-31 12:47 . 2009-07-31 12:47 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-07-31 12:47 . 2009-07-31 12:47 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-07-21 06:16 . 2009-07-20 14:59 5936 ----a-w- c:\documents and settings\User\mqdmwhnt.sys
2009-07-21 06:16 . 2009-07-20 14:59 79328 ----a-w- c:\documents and settings\User\mqdmserd.sys
2009-07-21 06:16 . 2009-07-20 14:59 92064 ----a-w- c:\documents and settings\User\mqdmmdm.sys
2009-07-21 06:16 . 2009-07-20 14:59 9232 ----a-w- c:\documents and settings\User\mqdmmdfl.sys
2009-07-21 06:16 . 2009-07-20 14:59 4048 ----a-w- c:\documents and settings\User\mqdmcr.sys
2009-07-21 06:16 . 2009-07-20 14:59 6208 ----a-w- c:\documents and settings\User\mqdmcmnt.sys
2009-07-21 06:16 . 2009-07-20 14:59 66656 ----a-w- c:\documents and settings\User\mqdmbus.sys
2009-07-20 18:41 . 2009-06-30 06:11 22768 ----a-w- c:\windows\system32\drivers\usbsermpt.sys
2009-07-17 19:01 . 2004-08-10 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 15:08 . 2004-08-10 12:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-10 12:00 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-10 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-10 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-10 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-10 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-10 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-10 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 21:17 . 2009-06-24 21:16 8815552 ----a-w- c:\program files\windows-kb890830-v2.11.exe
2009-06-24 18:58 . 2009-06-24 18:58 714136 ----a-w- c:\program files\JavaScript SunMicrosystems.exe
2009-06-24 11:18 . 2004-08-10 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-10 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-10 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-05-29 15:34 . 2009-05-29 13:27 331805736 ----a-w- c:\program files\WindowsXP-KB936929-SP3-x86-ENU.exe
2009-05-25 01:39 . 2009-05-25 01:39 4909440 ----a-w- c:\program files\Silverlight.2.0.exe
2009-02-19 18:50 . 2009-02-19 18:50 53518 ----a-w- c:\program files\11-13-07_1501.3g2
2009-02-19 18:46 . 2009-02-19 18:45 52307672 ----a-w- c:\program files\AVSVideoConverter.exe
2008-12-20 20:08 . 2008-12-20 20:03 5166072 ----a-w- c:\program files\msgrplus.exe
2008-12-13 01:11 . 2008-12-13 01:10 123 ----a-w- c:\program files\ALLTEL Internet Accelerator Client setup.log
.

((((((((((((((((((((((((((((( SnapShot@2009-08-30_23.14.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-11 14:55 . 2009-09-11 14:55 16384 c:\windows\temp\Perflib_Perfdata_3bc.dat
+ 2009-09-09 17:13 . 2009-09-09 17:13 88589 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
- 2009-08-14 08:48 . 2009-08-14 08:48 88589 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2004-08-10 12:00 . 2008-04-14 10:42 14336 c:\windows\system32\dllcache\svchost.exe
+ 2009-09-09 17:07 . 2009-09-09 17:07 87618 c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
+ 2009-07-31 13:26 . 2009-07-31 13:26 94208 c:\windows\system32\Adobe\Shockwave 11\SwMenu.dll
- 2008-12-08 23:58 . 2008-11-24 22:34 94208 c:\windows\system32\Adobe\Shockwave 11\SwMenu.dll
+ 2009-07-31 12:54 . 2009-07-31 12:54 79488 c:\windows\system32\Adobe\Shockwave 11\gtapi.dll
+ 2009-07-31 13:42 . 2009-07-31 13:42 67000 c:\windows\system32\Adobe\Director\SWDNLD.EXE
- 2009-05-30 19:44 . 2009-05-30 19:44 40960 c:\windows\assembly\GAC\Microsoft.MediaCenter\6.0.3000.0__31bf3856ad364e35\Microsoft.MediaCenter.dll
+ 2009-09-10 08:13 . 2009-09-10 08:13 40960 c:\windows\assembly\GAC\Microsoft.MediaCenter\6.0.3000.0__31bf3856ad364e35\Microsoft.MediaCenter.dll
+ 2009-09-10 08:13 . 2009-09-10 08:13 53248 c:\windows\assembly\GAC\ehiWUapi\6.0.3000.0__31bf3856ad364e35\ehiWUapi.dll
- 2009-05-30 19:44 . 2009-05-30 19:44 53248 c:\windows\assembly\GAC\ehiWUapi\6.0.3000.0__31bf3856ad364e35\ehiWUapi.dll
- 2009-05-30 19:44 . 2009-05-30 19:44 16896 c:\windows\assembly\GAC\ehiUserXp\6.0.3000.0__31bf3856ad364e35\ehiuserxp.dll
+ 2009-09-10 08:13 . 2009-09-10 08:13 16896 c:\windows\assembly\GAC\ehiUserXp\6.0.3000.0__31bf3856ad364e35\ehiuserxp.dll
- 2009-05-30 19:44 . 2009-05-30 19:44 73728 c:\windows\assembly\GAC\ehiExtens\6.0.3000.0__31bf3856ad364e35\ehiExtens.dll
+ 2009-09-10 08:13 . 2009-09-10 08:13 73728 c:\windows\assembly\GAC\ehiExtens\6.0.3000.0__31bf3856ad364e35\ehiExtens.dll
+ 2009-07-31 13:28 . 2009-07-31 13:28 9216 c:\windows\system32\Adobe\Shockwave 11\DynaPlayer.dll
- 2008-12-08 23:58 . 2008-11-24 22:35 9216 c:\windows\system32\Adobe\Shockwave 11\DynaPlayer.dll
- 2004-08-10 12:00 . 2009-03-08 09:33 726528 c:\windows\system32\jscript.dll
+ 2004-08-10 12:00 . 2009-06-22 06:44 726528 c:\windows\system32\jscript.dll
+ 2009-09-09 18:23 . 2009-09-09 18:23 149280 c:\windows\system32\javaws.exe
+ 2009-09-09 18:23 . 2009-09-09 18:23 145184 c:\windows\system32\javaw.exe
+ 2009-09-09 18:23 . 2009-09-09 18:23 145184 c:\windows\system32\java.exe
+ 2008-05-09 10:53 . 2009-06-22 06:44 726528 c:\windows\system32\dllcache\jscript.dll
- 2008-05-09 10:53 . 2009-03-08 09:33 726528 c:\windows\system32\dllcache\jscript.dll
+ 2009-07-31 12:54 . 2009-07-31 12:54 132472 c:\windows\system32\Adobe\Shockwave 11\SYMCCHECKER.DLL
+ 2009-07-31 13:26 . 2009-07-31 13:26 114688 c:\windows\system32\Adobe\Shockwave 11\SwInit.exe
- 2008-12-08 23:58 . 2008-11-24 22:34 114688 c:\windows\system32\Adobe\Shockwave 11\SwInit.exe
+ 2009-07-31 13:40 . 2009-07-31 13:40 468408 c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe
+ 2009-07-31 13:28 . 2009-07-31 13:28 446464 c:\windows\system32\Adobe\Shockwave 11\Proj.dll
- 2008-12-08 23:58 . 2008-11-24 22:36 446464 c:\windows\system32\Adobe\Shockwave 11\Proj.dll
+ 2009-07-31 13:26 . 2009-07-31 13:26 372736 c:\windows\system32\Adobe\Shockwave 11\Plugin.dll
+ 2009-07-31 12:54 . 2009-07-31 12:54 714752 c:\windows\system32\Adobe\Shockwave 11\gi.dll
+ 2009-07-31 13:25 . 2009-07-31 13:25 614400 c:\windows\system32\Adobe\Shockwave 11\Control.dll
+ 2009-07-31 13:41 . 2009-07-31 13:41 206264 c:\windows\system32\Adobe\Director\SwDir.dll
+ 2009-07-31 13:27 . 2009-07-31 13:27 131072 c:\windows\system32\Adobe\Director\np32dsw.dll
+ 2009-09-10 08:01 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\spuninst\updspapi.dll
+ 2009-09-10 08:01 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst\spuninst.exe
+ 2009-09-10 08:01 . 2009-03-08 09:33 726528 c:\windows\ie8updates\KB971961-IE8\jscript.dll
+ 2008-12-08 21:57 . 2009-08-18 15:55 179712 c:\windows\ehome\ehkeyctl.dll
+ 2009-09-10 08:13 . 2009-09-10 08:13 331776 c:\windows\assembly\GAC\ehRecObj\6.0.3000.0__31bf3856ad364e35\ehRecObj.dll
- 2009-05-30 19:44 . 2009-05-30 19:44 331776 c:\windows\assembly\GAC\ehRecObj\6.0.3000.0__31bf3856ad364e35\ehRecObj.dll
- 2009-05-30 19:44 . 2009-05-30 19:44 122880 c:\windows\assembly\GAC\ehiwmp\6.0.3000.0__31bf3856ad364e35\ehiwmp.dll
+ 2009-09-10 08:13 . 2009-09-10 08:13 122880 c:\windows\assembly\GAC\ehiwmp\6.0.3000.0__31bf3856ad364e35\ehiwmp.dll
+ 2009-09-10 08:13 . 2009-09-10 08:13 258048 c:\windows\assembly\GAC\ehiVidCtl\6.0.3000.0__31bf3856ad364e35\ehiVidCtl.dll
- 2009-05-30 19:44 . 2009-05-30 19:44 258048 c:\windows\assembly\GAC\ehiVidCtl\6.0.3000.0__31bf3856ad364e35\ehiVidCtl.dll
+ 2009-09-10 08:13 . 2009-09-10 08:13 348160 c:\windows\assembly\GAC\ehiProxy\6.0.3000.0__31bf3856ad364e35\ehiProxy.dll
- 2009-05-30 19:44 . 2009-05-30 19:44 348160 c:\windows\assembly\GAC\ehiProxy\6.0.3000.0__31bf3856ad364e35\ehiProxy.dll
+ 2009-09-10 08:13 . 2009-09-10 08:13 139264 c:\windows\assembly\GAC\ehiPlay\6.0.3000.0__31bf3856ad364e35\ehiPlay.dll
- 2009-05-30 19:44 . 2009-05-30 19:44 139264 c:\windows\assembly\GAC\ehiPlay\6.0.3000.0__31bf3856ad364e35\ehiPlay.dll
- 2009-05-30 19:44 . 2009-05-30 19:44 167936 c:\windows\assembly\GAC\ehiMsgr\6.0.3000.0__31bf3856ad364e35\ehiMsgr.dll
+ 2009-09-10 08:13 . 2009-09-10 08:13 167936 c:\windows\assembly\GAC\ehiMsgr\6.0.3000.0__31bf3856ad364e35\ehiMsgr.dll
+ 2009-09-10 08:13 . 2009-09-10 08:13 126976 c:\windows\assembly\GAC\ehepgdat\6.0.3000.0__31bf3856ad364e35\ehepgdat.dll
- 2009-05-30 19:44 . 2009-05-30 19:44 126976 c:\windows\assembly\GAC\ehepgdat\6.0.3000.0__31bf3856ad364e35\ehepgdat.dll
- 2009-05-30 19:44 . 2009-05-30 19:44 811008 c:\windows\assembly\GAC\ehepg\6.0.3000.0__31bf3856ad364e35\ehepg.dll
+ 2009-09-10 08:13 . 2009-09-10 08:13 811008 c:\windows\assembly\GAC\ehepg\6.0.3000.0__31bf3856ad364e35\ehepg.dll
- 2009-05-30 19:44 . 2009-05-30 19:44 180224 c:\windows\assembly\GAC\ehcommon\6.0.3000.0__31bf3856ad364e35\ehcommon.dll
+ 2009-09-10 08:13 . 2009-09-10 08:13 180224 c:\windows\assembly\GAC\ehcommon\6.0.3000.0__31bf3856ad364e35\ehcommon.dll
+ 2009-09-10 08:13 . 2009-09-10 08:13 102400 c:\windows\assembly\GAC\ehCIR\6.0.3000.0__31bf3856ad364e35\ehCIR.dll
- 2009-05-30 19:44 . 2009-05-30 19:44 102400 c:\windows\assembly\GAC\ehCIR\6.0.3000.0__31bf3856ad364e35\ehCIR.dll
+ 2009-09-10 08:13 . 2009-09-10 08:13 111616 c:\windows\assembly\GAC\BDATunePIA\6.0.3000.0__31bf3856ad364e35\bdatunepia.dll
- 2009-05-30 19:44 . 2009-05-30 19:44 111616 c:\windows\assembly\GAC\BDATunePIA\6.0.3000.0__31bf3856ad364e35\bdatunepia.dll
+ 2004-08-10 12:00 . 2009-05-20 17:44 2355200 c:\windows\system32\WMVCore.dll
+ 2004-08-10 12:00 . 2009-05-20 17:44 2355200 c:\windows\system32\dllcache\WMVCore.dll
+ 2009-07-31 13:00 . 2009-07-31 13:00 1011712 c:\windows\system32\Adobe\Shockwave 11\iml32.dll
+ 2009-07-31 12:54 . 2009-07-31 12:54 1886320 c:\windows\system32\Adobe\Shockwave 11\gt.exe
+ 2009-07-31 13:04 . 2009-07-31 13:04 1798144 c:\windows\system32\Adobe\Shockwave 11\dirapi.dll
- 2008-12-08 23:58 . 2008-11-24 22:16 1798144 c:\windows\system32\Adobe\Shockwave 11\dirapi.dll
+ 2009-09-09 18:22 . 2009-09-09 18:22 1757696 c:\windows\Installer\3099d8.msi
- 2009-05-30 19:44 . 2009-05-30 19:44 1740800 c:\windows\assembly\GAC\EhCM\6.0.3000.0__31bf3856ad364e35\EhCM.dll
+ 2009-09-10 08:13 . 2009-09-10 08:13 1740800 c:\windows\assembly\GAC\EhCM\6.0.3000.0__31bf3856ad364e35\EhCM.dll
+ 2009-05-31 00:39 . 2009-08-28 21:38 24689600 c:\windows\system32\MRT.exe
+ 2009-09-10 08:03 . 2009-09-10 08:03 15709696 c:\windows\Installer\aaeda7.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-09 149280]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^eFax 4.4.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\eFax 4.4.lnk
backup=c:\windows\pss\eFax 4.4.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=c:\windows\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Alltel\\QuickLink Mobile\\QuickLink Mobile.exe"=
"c:\\Program Files\\mobile PhoneTools\\mPhonetools.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*

isabled

xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 0 (0x0)
"AllowInboundMaskRequest"= 0 (0x0)
"AllowInboundRouterRequest"= 0 (0x0)
"AllowOutboundDestinationUnreachable"= 0 (0x0)
"AllowOutboundSourceQuench"= 0 (0x0)
"AllowOutboundParameterProblem"= 0 (0x0)
"AllowOutboundTimeExceeded"= 0 (0x0)
"AllowRedirect"= 0 (0x0)
"AllowOutboundPacketTooBig"= 0 (0x0)

R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [8/10/2004 7:00 AM 14336]
R3 PTDLBus;PANTECH UM175AL Composite Device Driver;c:\windows\system32\drivers\PTDLBus.sys [5/19/2009 6:53 PM 32256]
R3 PTDLMdm;PANTECH UM175AL Drivers;c:\windows\system32\drivers\PTDLMdm.sys [5/19/2009 6:53 PM 41344]
R3 PTDLVsp;PANTECH UM175AL Diagnostic Port;c:\windows\system32\drivers\PTDLVsp.sys [5/19/2009 6:53 PM 39936]
R3 PTDLWWAN;PANTECH UM175AL WWAN Driver;c:\windows\system32\drivers\PTDLWWAN.sys [5/19/2009 6:53 PM 59776]
S3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);c:\windows\system32\drivers\cmo_bus.sys [12/11/2008 2:17 PM 58352]
S3 cmo_mdfl;Data Modem @ CDMA Filter;c:\windows\system32\drivers\cmo_mdfl.sys [12/11/2008 2:17 PM 8304]
S3 cmo_mdm;Data Modem @ CDMA Drivers;c:\windows\system32\drivers\cmo_mdm.sys [12/11/2008 2:17 PM 93904]
S3 cmo_serd;Data Modem @ CDMA Diagnostic Serial Port (WDM);c:\windows\system32\drivers\cmo_serd.sys [12/11/2008 2:17 PM 73696]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys --> c:\windows\system32\DRIVERS\ewusbnet.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
TCP: {0D33C83D-B171-48F0-9ADF-680A56E450A4} = 75.116.127.154 75.116.63.154
DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-11 10:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1935655697-1682526488-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1548)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-11 10:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-11 15:07
ComboFix2.txt 2009-09-10 02:23
ComboFix3.txt 2009-09-09 17:55
ComboFix4.txt 2009-09-09 16:45
ComboFix5.txt 2009-09-11 14:41

Pre-Run: 20,313,567,232 bytes free
Post-Run: 20,274,274,304 bytes free

330 --- E O F --- 2009-09-10 08:06

dds.txt (I hope this is the correct one ...)

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/8/2008 4:12:01 PM
System Uptime: 9/11/2009 9:54:51 AM (4 hours ago)

Motherboard: Hewlett-Packard | | 30AE
Processor: Mobile AMD Sempron(tm) Processor 3300+ | U23 | 1994/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 56 GiB total, 18.902 GiB free.
D: is CDROM ()
E: is CDROM (FAT)

==== Disabled Device Manager Items =============

Class GUID:
Description: PCI Modem
Device ID: PCI\VEN_1002&DEV_4378&SUBSYS_30AE103C&REV_02\3&13C0B0C5&0&A6
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_1002&DEV_4378&SUBSYS_30AE103C&REV_02\3&13C0B0C5&0&A6
Service:

==== System Restore Points ===================

RP47: 7/20/2009 11:55:52 PM - Unsigned driver install
RP48: 7/22/2009 3:41:48 PM - System Checkpoint
RP49: 7/26/2009 10:04:30 PM - System Checkpoint
RP50: 7/27/2009 11:05:32 PM - System Checkpoint
RP51: 7/29/2009 3:22:22 AM - Software Distribution Service 3.0
RP52: 7/29/2009 11:47:36 PM - Avg8 Update
RP53: 7/29/2009 11:53:29 PM - Avg8 Update
RP54: 7/31/2009 12:16:04 AM - System Checkpoint
RP55: 8/1/2009 2:54:14 AM - System Checkpoint
RP56: 8/2/2009 3:29:34 AM - System Checkpoint
RP57: 8/4/2009 12:06:38 AM - System Checkpoint
RP58: 8/5/2009 1:36:47 AM - System Checkpoint
RP59: 8/5/2009 5:36:13 AM - Removed HP Photosmart Essential
RP60: 8/5/2009 5:38:47 AM - Removed HPSU306Stub
RP61: 8/5/2009 5:39:18 AM - Removed HP Software Update
RP62: 8/6/2009 9:25:08 AM - System Checkpoint
RP63: 8/7/2009 9:52:44 AM - System Checkpoint
RP64: 8/8/2009 11:27:40 AM - System Checkpoint
RP65: 8/9/2009 10:42:49 PM - System Checkpoint
RP66: 8/11/2009 7:05:56 PM - System Checkpoint
RP67: 8/12/2009 5:43:55 AM - Software Distribution Service 3.0
RP68: 8/13/2009 6:13:05 AM - System Checkpoint
RP69: 8/14/2009 3:08:10 AM - Software Distribution Service 3.0
RP70: 8/15/2009 3:59:54 AM - System Checkpoint
RP71: 8/16/2009 1:05:08 AM - Spybot-S&D Spyware removal
RP72: 8/17/2009 3:02:47 AM - System Checkpoint
RP73: 8/18/2009 9:34:12 AM - System Checkpoint
RP74: 8/19/2009 5:58:57 PM - System Checkpoint
RP75: 8/20/2009 3:48:01 PM - Avg8 Update
RP76: 8/20/2009 3:50:34 PM - Avg8 Update
RP77: 8/21/2009 9:21:29 AM - Software Distribution Service 3.0
RP78: 8/22/2009 12:21:00 PM - System Checkpoint
RP79: 8/22/2009 4:44:48 PM - Removed AVG 8.5
RP80: 8/22/2009 4:56:03 PM - Installed AVG 8.5
RP81: 8/23/2009 5:54:30 AM - Software Distribution Service 3.0
RP82: 8/23/2009 1:17:06 PM - Microsoft OneCare Protection Checkpoint
RP83: 8/24/2009 10:17:05 PM - Software Distribution Service 3.0
RP84: 8/25/2009 9:42:16 PM - Installed AVG Free 8.5
RP85: 8/26/2009 6:37:58 PM - Configured AVG Free 8.5
RP86: 8/26/2009 6:51:58 PM - Configured AVG Free 8.5
RP87: 8/26/2009 10:49:27 PM - Removed AVG Free 8.5
RP88: 8/26/2009 10:53:38 PM - Installed AVG Free 8.5
RP89: 8/27/2009 3:00:26 AM - Software Distribution Service 3.0
RP90: 8/28/2009 6:50:36 AM - Software Distribution Service 3.0
RP91: 8/28/2009 12:15:14 PM - Software Distribution Service 3.0
RP92: 8/28/2009 12:41:44 PM - Software Distribution Service 3.0
RP93: 8/28/2009 1:24:27 PM - Removed Visual C++ 2008 x86 Runtime - (v9.0.30729)
RP94: 8/28/2009 1:30:34 PM - Removed Diskeeper 2009 Pro Premier.
RP95: 8/30/2009 12:08:56 AM - System Checkpoint
RP96: 8/30/2009 10:24:09 PM - Installed AVG Free 8.5
RP97: 9/1/2009 11:42:34 PM - Avg8 Update
RP98: 9/2/2009 11:47:02 PM - System Checkpoint
RP99: 9/3/2009 12:00:18 AM - Removed AVG Free 8.5
RP100: 9/3/2009 12:05:04 AM - Installed AVG Free 8.5
RP101: 9/4/2009 6:57:41 AM - System Checkpoint
RP102: 9/5/2009 7:09:01 AM - System Checkpoint
RP103: 9/6/2009 7:45:07 AM - System Checkpoint
RP104: 9/8/2009 1:19:41 PM - System Checkpoint
RP105: 9/9/2009 12:24:50 PM - Removed Java(TM) 6 Update 7
RP106: 9/9/2009 12:25:56 PM - Removed Java(TM) 6 Update 11
RP107: 9/9/2009 1:22:48 PM - Installed Java(TM) 6 Update 16
RP108: 9/10/2009 3:00:26 AM - Software Distribution Service 3.0
RP109: 9/11/2009 8:35:34 AM - System Checkpoint

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.1.3
Adobe Shockwave Player 11.5
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AVS Update Manager 1.0
AVS Video Converter 6
AVS4YOU Software Navigator 1.3
Broadcom 802.11 Wireless LAN Adapter
Citrix XenApp Web Plugin
Conexant AC-Link Audio
D1300_Help
eFax Messenger
Google Earth
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
hph_readme
hph_software_req
Java(TM) 6 Update 16
LiveUpdate BVRP Software
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
mobile PhoneTools
Nero 6 Ultra Edition
NetWaiting
OpenOffice.org 3.0
palmOne
PANTECH UM175AL Driver
PowerDVD
QuickLink Mobile
QuickTime
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Spybot - Search & Destroy
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
WebFldrs XP
WebReg
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Resource Kit Tools - SubInAcl.exe
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
XP Codec Pack

==== Event Viewer Messages From Past Week ========

9/9/2009 8:35:17 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file svchost.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
9/9/2009 12:30:35 PM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.
9/9/2009 11:42:16 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
9/9/2009 11:40:15 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
9/8/2009 10:01:26 PM, error: PlugPlayManager [12] - The device 'PANTECH UM175AL WWAN Driver #4' (USB\VID_106c&PID_3715&MI_03\6&27c99b97&0&8515) disappeared from the system without first being prepared for removal.
9/7/2009 12:56:33 PM, error: Dhcp [1002] - The IP address lease 192.168.1.6 for the Network Card with network address 0014A5E911FE has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
9/7/2009 11:30:22 AM, error: Service Control Manager [7023] - The Update Helper service terminated with the following error: The specified module could not be found.
9/7/2009 11:30:22 AM, error: Service Control Manager [7023] - The kihist service terminated with the following error: The specified module could not be found.
9/7/2009 11:30:08 AM, error: Dhcp [1002] - The IP address lease 192.168.239.131 for the Network Card with network address 0014A5E911FE has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
9/4/2009 6:31:02 AM, error: Service Control Manager [7031] - The OneCare AntiSpyware and AntiVirus service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
9/4/2009 6:30:21 AM, error: Service Control Manager [7031] - The OneCare AntiSpyware and AntiVirus service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
9/4/2009 6:29:53 AM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
9/4/2009 6:29:37 AM, error: Service Control Manager [7034] - The Windows Live OneCare Health Monitor service terminated unexpectedly. It has done this 1 time(s).
9/10/2009 7:52:40 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
9/10/2009 7:52:40 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

==== End Of File ===========================

GMER Log

GMER 1.0.15.15077 [udiizux6.exe] - http://www.gmer.net
Rootkit scan 2009-09-11 13:52:57
Windows 5.1.2600 Service Pack 3

---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\naocj@DisplayName Update Helper
Reg HKLM\SYSTEM\ControlSet002\Services\naocj@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\naocj@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\naocj@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\naocj@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\naocj@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\naocj@Description Stores security information for local user accounts.
Reg HKLM\SYSTEM\ControlSet002\Services\naocj\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\naocj\Parameters@ServiceDll C:\WINDOWS\system32\iohxpwha.dll

---- EOF - GMER 1.0.15 ----

You asked how the system was running ... much better I guess ... the fact of it is, I have purposefully not used this laptop very much until your opinion was that most of the issues had been resolved ... One question I had was that during the booting up phase, message flashes on the light blue screen as follows, except the first symbol appears to be a bacwards capital "L" ... it says "Ls delete program not found skipping autocheck" ...
Is this finding pertinent? And did the malware/spyware that was found by Kaspersky get removed?
Thanks again Blade81 for all your patience and help ...

Blade81 · Sep 11, 2009

Hi,

dds.txt (I hope this is the correct one ...)

Looks like you posted attach.txt contents. Please post dds.txt contents in next post

One question I had was that during the booting up phase, message flashes on the light blue screen as follows, except the first symbol appears to be a bacwards capital "L" ... it says "Ls delete program not found skipping autocheck" ...
Is this finding pertinent?

Let's try to make that disappear.

And did the malware/spyware that was found by Kaspersky get removed?

Yes, those other items will be cleaned when ComboFix is uninstalled and system restore resetted (will be done in final phase).

Open notepad and copy/paste the text in the quotebox below into it:

Code:

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00 
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\naocj]

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & fresh DDS log. Still getting that message during bootup?

godalmighty69 · Sep 13, 2009

Fresh ComboFix with CFScript and fresh dds.txt

Hi Blade81, please find below fresh ComboFix with CFScript and fresh DDS. And yes, the message on start-up regarding "Ls delete program not found skipping autocheck" is gone; that worked out fine. I will await your next instruction ...

ComboFix 09-09-12.A0 - User 09/13/2009 11:45.6.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.382.184 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript9'13'09.txt
.

((((((((((((((((((((((((( Files Created from 2009-08-13 to 2009-09-13 )))))))))))))))))))))))))))))))
.

2009-09-09 14:15 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-08-31 06:29 . 2009-08-31 06:29 -------- d-----w- C:\$AVG8.VAULT$
2009-08-31 03:24 . 2009-08-31 03:24 -------- d-----w- c:\program files\AVG
2009-08-31 03:24 . 2009-09-03 05:03 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-31 02:02 . 2009-08-31 03:07 68569208 ----a-w- c:\program files\avg_free_stf_en_85_409a1634.exe
2009-08-29 13:26 . 2009-08-29 13:47 -------- d-----w- c:\program files\Spybot
2009-08-28 18:24 . 2009-08-28 18:43 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-28 13:13 . 2009-08-28 13:13 -------- d-sh--w- c:\documents and settings\User\IECompatCache
2009-08-28 13:11 . 2009-08-28 13:11 -------- d-sh--w- c:\documents and settings\User\PrivacIE
2009-08-28 12:28 . 2009-08-28 12:28 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-28 12:22 . 2009-08-28 12:22 -------- d-sh--w- c:\documents and settings\User\IETldCache
2009-08-28 12:18 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-08-28 12:16 . 2009-09-10 08:01 -------- d-----w- c:\windows\ie8updates
2009-08-28 12:15 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-08-28 12:15 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-28 12:07 . 2009-08-28 12:14 -------- dc-h--w- c:\windows\ie8
2009-08-28 11:30 . 2009-08-28 11:33 4153 ----a-w- C:\fix.reg
2009-08-24 05:13 . 2008-10-16 19:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-08-21 14:58 . 2009-08-21 14:58 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-21 14:57 . 2009-08-21 14:57 -------- d-----w- c:\program files\MSBuild
2009-08-21 14:57 . 2009-08-21 14:57 -------- d-----w- c:\program files\Reference Assemblies
2009-08-21 14:54 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-21 14:54 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-21 14:54 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-21 14:54 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-21 14:54 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-21 14:54 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-21 14:54 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-21 14:54 . 2009-08-21 14:55 -------- d-----w- C:\6f6b5f0da4264d87e011e22fee34eb1d
2009-08-18 17:43 . 2009-08-22 16:43 -------- d-----w- c:\documents and settings\User\Application Data\IPublish
2009-08-18 17:43 . 2009-08-18 17:43 -------- d-----w- c:\program files\IPRO Tech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-10 08:12 . 2009-05-25 01:40 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-09 18:23 . 2008-12-09 01:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-09 17:25 . 2008-12-09 01:19 -------- d-----w- c:\program files\Java
2009-08-30 15:44 . 2008-12-18 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-28 18:30 . 2008-12-09 01:13 -------- d-----w- c:\program files\Diskeeper Corporation
2009-08-28 18:26 . 2008-12-16 08:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-08-28 18:26 . 2008-12-16 08:48 -------- d-----w- c:\program files\Yahoo!
2009-08-28 18:23 . 2008-12-08 23:13 -------- d-----w- c:\program files\CONEXANT
2009-08-28 17:59 . 2008-12-08 22:19 33216 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-28 17:45 . 2009-01-19 10:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-28 17:21 . 2009-01-19 10:19 -------- d-----w- c:\program files\Microsoft Works
2009-08-27 03:17 . 2009-04-03 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-27 03:17 . 2009-04-03 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-27 03:15 . 2009-04-03 00:58 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-27 03:14 . 2009-04-03 01:00 -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-08-23 16:05 . 2008-12-18 02:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-23 11:36 . 2009-03-26 21:20 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-22 11:46 . 2008-12-18 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-19 07:02 . 2009-02-19 18:46 -------- d-----w- c:\program files\AVS4YOU
2009-08-14 05:50 . 2009-06-30 06:11 24192 ----a-w- c:\documents and settings\User\usbsermptxp.sys
2009-08-14 05:50 . 2009-06-30 06:11 22768 ----a-w- c:\documents and settings\User\usbsermpt.sys
2009-08-05 11:50 . 2009-01-12 01:52 -------- d-----w- c:\program files\Google
2009-08-05 10:40 . 2008-12-22 19:30 -------- d-----w- c:\program files\HP
2009-08-05 09:01 . 2004-08-10 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-31 18:52 . 2008-12-20 20:09 -------- d-----w- c:\documents and settings\User\Application Data\eFax Messenger
2009-07-31 12:47 . 2009-07-31 12:47 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-07-31 12:47 . 2009-07-31 12:47 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-07-21 06:16 . 2009-07-20 14:59 5936 ----a-w- c:\documents and settings\User\mqdmwhnt.sys
2009-07-21 06:16 . 2009-07-20 14:59 79328 ----a-w- c:\documents and settings\User\mqdmserd.sys
2009-07-21 06:16 . 2009-07-20 14:59 92064 ----a-w- c:\documents and settings\User\mqdmmdm.sys
2009-07-21 06:16 . 2009-07-20 14:59 9232 ----a-w- c:\documents and settings\User\mqdmmdfl.sys
2009-07-21 06:16 . 2009-07-20 14:59 4048 ----a-w- c:\documents and settings\User\mqdmcr.sys
2009-07-21 06:16 . 2009-07-20 14:59 6208 ----a-w- c:\documents and settings\User\mqdmcmnt.sys
2009-07-21 06:16 . 2009-07-20 14:59 66656 ----a-w- c:\documents and settings\User\mqdmbus.sys
2009-07-20 18:41 . 2009-06-30 06:11 22768 ----a-w- c:\windows\system32\drivers\usbsermpt.sys
2009-07-17 19:01 . 2004-08-10 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 15:08 . 2004-08-10 12:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-10 12:00 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-10 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-10 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-10 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-10 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-10 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-10 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 21:17 . 2009-06-24 21:16 8815552 ----a-w- c:\program files\windows-kb890830-v2.11.exe
2009-06-24 18:58 . 2009-06-24 18:58 714136 ----a-w- c:\program files\JavaScript SunMicrosystems.exe
2009-06-24 11:18 . 2004-08-10 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-10 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-10 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-05-29 15:34 . 2009-05-29 13:27 331805736 ----a-w- c:\program files\WindowsXP-KB936929-SP3-x86-ENU.exe
2009-05-25 01:39 . 2009-05-25 01:39 4909440 ----a-w- c:\program files\Silverlight.2.0.exe
2009-02-19 18:50 . 2009-02-19 18:50 53518 ----a-w- c:\program files\11-13-07_1501.3g2
2009-02-19 18:46 . 2009-02-19 18:45 52307672 ----a-w- c:\program files\AVSVideoConverter.exe
2008-12-20 20:08 . 2008-12-20 20:03 5166072 ----a-w- c:\program files\msgrplus.exe
2008-12-13 01:11 . 2008-12-13 01:10 123 ----a-w- c:\program files\ALLTEL Internet Accelerator Client setup.log
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-09 149280]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^eFax 4.4.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\eFax 4.4.lnk
backup=c:\windows\pss\eFax 4.4.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=c:\windows\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Alltel\\QuickLink Mobile\\QuickLink Mobile.exe"=
"c:\\Program Files\\mobile PhoneTools\\mPhonetools.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*

isabled

xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 0 (0x0)
"AllowInboundMaskRequest"= 0 (0x0)
"AllowInboundRouterRequest"= 0 (0x0)
"AllowOutboundDestinationUnreachable"= 0 (0x0)
"AllowOutboundSourceQuench"= 0 (0x0)
"AllowOutboundParameterProblem"= 0 (0x0)
"AllowOutboundTimeExceeded"= 0 (0x0)
"AllowRedirect"= 0 (0x0)
"AllowOutboundPacketTooBig"= 0 (0x0)

R3 PTDLBus;PANTECH UM175AL Composite Device Driver;c:\windows\system32\drivers\PTDLBus.sys [5/19/2009 6:53 PM 32256]
R3 PTDLMdm;PANTECH UM175AL Drivers;c:\windows\system32\drivers\PTDLMdm.sys [5/19/2009 6:53 PM 41344]
R3 PTDLVsp;PANTECH UM175AL Diagnostic Port;c:\windows\system32\drivers\PTDLVsp.sys [5/19/2009 6:53 PM 39936]
R3 PTDLWWAN;PANTECH UM175AL WWAN Driver;c:\windows\system32\drivers\PTDLWWAN.sys [5/19/2009 6:53 PM 59776]
S3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);c:\windows\system32\drivers\cmo_bus.sys [12/11/2008 2:17 PM 58352]
S3 cmo_mdfl;Data Modem @ CDMA Filter;c:\windows\system32\drivers\cmo_mdfl.sys [12/11/2008 2:17 PM 8304]
S3 cmo_mdm;Data Modem @ CDMA Drivers;c:\windows\system32\drivers\cmo_mdm.sys [12/11/2008 2:17 PM 93904]
S3 cmo_serd;Data Modem @ CDMA Diagnostic Serial Port (WDM);c:\windows\system32\drivers\cmo_serd.sys [12/11/2008 2:17 PM 73696]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys --> c:\windows\system32\DRIVERS\ewusbnet.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-13 12:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1935655697-1682526488-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2512)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
.
Completion time: 2009-09-13 12:11
ComboFix-quarantined-files.txt 2009-09-13 17:11
ComboFix2.txt 2009-09-11 15:07
ComboFix3.txt 2009-09-10 02:23
ComboFix4.txt 2009-09-09 17:55
ComboFix5.txt 2009-09-13 16:43

Pre-Run: 20,232,593,408 bytes free
Post-Run: 20,204,486,656 bytes free

211 --- E O F --- 2009-09-10 08:06

DDS (Ver_09-07-30.01) - NTFSx86
Run by User at 12:20:38.64 on Sun 09/13/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.382.141 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot\spybot~1\SDHelper.dll
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4}
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237576612728
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1243147641750
DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxsrvc.dll
LSA: Authentication Packages = msv1_0 nwprovau

============= SERVICES / DRIVERS ===============

R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
R3 PTDLBus;PANTECH UM175AL Composite Device Driver;c:\windows\system32\drivers\PTDLBus.sys [2009-5-19 32256]
R3 PTDLMdm;PANTECH UM175AL Drivers;c:\windows\system32\drivers\PTDLMdm.sys [2009-5-19 41344]
R3 PTDLVsp;PANTECH UM175AL Diagnostic Port;c:\windows\system32\drivers\PTDLVsp.sys [2009-5-19 39936]
R3 PTDLWWAN;PANTECH UM175AL WWAN Driver;c:\windows\system32\drivers\PTDLWWAN.sys [2009-5-19 59776]
S3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);c:\windows\system32\drivers\cmo_bus.sys [2008-12-11 58352]
S3 cmo_mdfl;Data Modem @ CDMA Filter;c:\windows\system32\drivers\cmo_mdfl.sys [2008-12-11 8304]
S3 cmo_mdm;Data Modem @ CDMA Drivers;c:\windows\system32\drivers\cmo_mdm.sys [2008-12-11 93904]
S3 cmo_serd;Data Modem @ CDMA Diagnostic Serial Port (WDM);c:\windows\system32\drivers\cmo_serd.sys [2008-12-11 73696]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys --> c:\windows\system32\drivers\ewusbnet.sys [?]

============== File Associations ===============

VBSFile=%WINDIR%\System32\CScript.exe //nologo "%1" %*

=============== Created Last 30 ================

2009-09-09 13:23 73,728 a------- c:\windows\system32\javacpl.cpl
2009-09-09 11:39 230,912 a------- c:\windows\PEV.exe
2009-09-09 11:39 161,792 a------- c:\windows\SWREG.exe
2009-09-09 11:39 98,816 a------- c:\windows\sed.exe
2009-09-09 09:15 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-08-31 01:29 <DIR> --d----- C:\$AVG8.VAULT$
2009-08-30 22:24 <DIR> --d----- c:\program files\AVG
2009-08-30 22:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-08-30 21:02 68,569,208 a------- c:\program files\avg_free_stf_en_85_409a1634.exe
2009-08-30 17:51 <DIR> a-dshr-- C:\cmdcons
2009-08-29 08:26 <DIR> --d----- c:\program files\Spybot
2009-08-28 13:24 <DIR> --d----- c:\windows\SxsCaPendDel
2009-08-28 08:13 <DIR> --dsh--- c:\documents and settings\user\IECompatCache
2009-08-28 08:11 <DIR> --dsh--- c:\documents and settings\user\PrivacIE
2009-08-28 07:22 <DIR> --dsh--- c:\documents and settings\user\IETldCache
2009-08-28 07:18 100,352 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-08-28 07:16 <DIR> --d----- c:\windows\ie8updates
2009-08-28 07:15 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-08-28 07:15 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-08-28 07:07 <DIR> -cd-h--- c:\windows\ie8
2009-08-28 06:30 4,153 a------- C:\fix.reg
2009-08-24 00:13 268,648 a------- c:\windows\system32\mucltui.dll
2009-08-24 00:13 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-08-22 06:31 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-08-21 09:58 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-21 09:54 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-21 09:54 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-21 09:54 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-21 09:54 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-21 09:54 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-21 09:54 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-08-21 09:54 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-21 09:54 <DIR> --d----- C:\6f6b5f0da4264d87e011e22fee34eb1d
2009-08-18 12:43 <DIR> --d----- c:\docume~1\user\applic~1\IPublish
2009-08-18 12:43 377 a------- c:\windows\ipublish.ini
2009-08-18 12:43 <DIR> --d----- c:\program files\IPRO Tech

==================== Find3M ====================

2009-09-09 13:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-14 00:50 24,192 a------- c:\documents and settings\user\usbsermptxp.sys
2009-08-14 00:50 22,768 a------- c:\documents and settings\user\usbsermpt.sys
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-31 07:47 499,712 a------- c:\windows\system32\msvcp71.dll
2009-07-31 07:47 348,160 a------- c:\windows\system32\msvcr71.dll
2009-07-21 01:16 5,936 a------- c:\documents and settings\user\mqdmwhnt.sys
2009-07-21 01:16 79,328 a------- c:\documents and settings\user\mqdmserd.sys
2009-07-21 01:16 92,064 a------- c:\documents and settings\user\mqdmmdm.sys
2009-07-21 01:16 9,232 a------- c:\documents and settings\user\mqdmmdfl.sys
2009-07-21 01:16 4,048 a------- c:\documents and settings\user\mqdmcr.sys
2009-07-21 01:16 6,208 a------- c:\documents and settings\user\mqdmcmnt.sys
2009-07-21 01:16 66,656 a------- c:\documents and settings\user\mqdmbus.sys
2009-07-20 13:41 22,768 a------- c:\windows\system32\drivers\usbsermpt.sys
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 12:09 915,456 -------- c:\windows\system32\wininet.dll
2009-06-25 03:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 03:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 03:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 03:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 03:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 03:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-24 16:17 8,815,552 a------- c:\program files\windows-kb890830-v2.11.exe
2009-06-24 13:58 714,136 a------- c:\program files\JavaScript SunMicrosystems.exe
2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-05-29 10:34 331,805,736 a------- c:\program files\WindowsXP-KB936929-SP3-x86-ENU.exe
2009-05-24 20:39 4,909,440 a------- c:\program files\Silverlight.2.0.exe
2009-02-19 13:50 53,518 a------- c:\program files\11-13-07_1501.3g2
2009-02-19 13:46 52,307,672 a------- c:\program files\AVSVideoConverter.exe
2008-12-20 15:08 5,166,072 a------- c:\program files\msgrplus.exe
2008-12-12 20:11 123 a------- c:\program files\ALLTEL Internet Accelerator Client setup.log
2009-05-29 12:49 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009052920090530\index.dat

============= FINISH: 12:21:28.06 ===============

Blade81 · Sep 14, 2009

Well congrats, it appears your system is all clean Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.

THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis

Now lets uninstall ComboFix:

Click START then RUN
Now copy-paste Combofix /u in the runbox and click OK

Next we remove all used tools.

Please download OTC and save it to desktop.

Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the
Begin cleanup Process?
prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

hosts file:
- Every version of windows has a hosts file as part of them.
- In a very basic sense, they are used to locate webpages.
- We can customize a hosts file so that it blocks certain webpages.
- However, it can slow down certain computers.
- This is why using a hosts file is optional!!
Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
1. [*]Click the start button (at the lower left hand corner of your screen) [*]Click run [*]In the dialog box, type services.msc [*]hit enter, then locate dns client [*]Highlight it, then double-click it. [*]On the dropdown box, change the setting from automatic to manual. [*]Click ok
Get Anti Virus Software and keep it updated - Most AVs will update automatically, but if not I would recommend making updating the AV the first job every time the PC is connected to the internet. An AV that is using defs that are seven days old is not going to be much protection. If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out. Good free antivirus programs are:
Antivir
Avast!
Good commercial ones are from:
Kaspersky and
ESET
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free or Comodo Firewall Pro (If you choose Comodo: Uncheck during installation "Install Comodo HopSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and install firewall ONLY!). Both providers have support forums that help with configuration related questions.

Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade

Blade81 · Sep 21, 2009

Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.

Need next instruction for Malware Removal

godalmighty69

New member

Blade81

Security Expert: Emeritus

godalmighty69

New member

Blade81

Security Expert: Emeritus

Blade81

Security Expert: Emeritus