Severe PC Infection

OK. Here is the new ComboFix log:

ComboFix 08-05-12.1 - JD 2008-05-14 21:03:22.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2401 [GMT -4:00]
Running from: C:\Documents and Settings\JD\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\JD\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-04-15 to 2008-05-15 )))))))))))))))))))))))))))))))
.

2008-05-11 19:15 . 2008-05-11 19:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-11 19:15 . 2008-05-11 19:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-10 17:42 . 2008-05-10 17:42 <DIR> d-------- C:\Documents and Settings\JD\Application Data\Malwarebytes
2008-05-10 17:41 . 2008-05-10 17:42 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-10 17:41 . 2008-05-10 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-10 17:41 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-10 17:41 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-09 18:03 . 2008-05-09 18:04 1,891 --a------ C:\WINDOWS\imsins.BAK
2008-05-08 16:58 . 2008-05-08 17:14 3,152 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-29 22:47 . 2008-04-29 22:47 <DIR> d-------- C:\Documents and Settings\JD\Application Data\TrojanHunter
2008-04-29 19:32 . 2008-04-29 19:32 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-29 19:32 . 2008-04-30 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-29 19:30 . 2008-04-29 19:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-29 19:26 . 2008-05-01 06:30 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-04-29 18:31 . 2008-05-14 21:11 919,584 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-29 18:31 . 2008-05-14 21:07 11,804 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-29 18:28 . 2008-04-29 18:28 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-04-29 18:26 . 2008-04-29 18:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-29 18:26 . 2008-04-02 21:07 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-04-29 18:26 . 2008-04-29 18:28 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-04-29 18:25 . 2008-04-29 18:26 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-04-29 18:25 . 2008-04-29 18:25 <DIR> d-------- C:\Program Files\Zone Labs
2008-04-29 18:25 . 2008-04-02 21:07 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-04-29 18:25 . 2008-05-14 21:09 352,918 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-04-29 18:23 . 2008-05-14 20:18 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-04-27 15:53 . 2008-04-27 15:53 <DIR> d-------- C:\Program Files\Alwil Software
2008-04-24 19:14 . 2008-04-24 19:30 <DIR> d-------- C:\SDAT
2008-04-24 19:12 . 2008-04-24 19:05 45,433,378 --a------ C:\sdat5281.exe
2008-04-24 18:33 . 2008-04-24 18:33 <DIR> d-------- C:\Documents and Settings\JD\Application Data\McAfee
2008-04-21 20:15 . 2008-04-21 20:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-20 20:03 . 2008-04-20 20:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-04-19 11:25 . 2008-04-19 11:25 <DIR> d-------- C:\Documents and Settings\JD\Application Data\Uniblue
2008-04-17 06:27 . 2008-04-17 06:19 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-17 06:27 . 2008-04-17 06:27 2,500 --a------ C:\WINDOWS\unins000.dat
2008-04-16 05:42 . 2008-04-16 05:43 <DIR> d-------- C:\Documents and Settings\JD\iArchives
2008-04-16 05:42 . 2008-04-16 05:42 228 --a------ C:\Documents and Settings\JD\jobq.dat
2008-04-16 05:41 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-15 18:19 . 2008-04-15 18:19 <DIR> d-------- C:\FamilySearchIndexingTutorials

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-11 18:12 --------- d-----w C:\Documents and Settings\BR\Application Data\SiteAdvisor
2008-05-11 17:08 --------- d-----w C:\Program Files\Google
2008-05-11 16:43 --------- d-----w C:\Program Files\SOS Software
2008-05-11 16:42 --------- d-----w C:\Program Files\Kate's Video Converter
2008-05-11 16:41 --------- d-----w C:\Program Files\GNU
2008-05-10 14:17 --------- d-----w C:\Program Files\McAfee
2008-05-01 10:23 --------- d-----w C:\Program Files\RGB
2008-05-01 10:23 --------- d-----w C:\Program Files\androidnews
2008-05-01 10:10 --------- d-----w C:\Program Files\Common Files\Real
2008-04-29 22:15 --------- d-----w C:\Program Files\ThreatFire
2008-04-27 21:20 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-24 22:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-24 09:36 --------- d-----w C:\Program Files\Folder Lock
2008-04-21 11:22 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-21 09:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-16 09:41 --------- d-----w C:\Program Files\Java
2008-04-14 16:40 --------- d-----w C:\Documents and Settings\JD\Application Data\SiteAdvisor
2008-04-09 01:11 --------- d-----w C:\Program Files\GRETECH
2008-04-08 22:43 --------- d-----w C:\Documents and Settings\JD\Application Data\Canon
2008-03-20 01:23 --------- d-----w C:\Program Files\Finale PrintMusic 2008
2007-04-06 14:36 8 --sh--r C:\WINDOWS\system32\5B904A25B7.dll
2006-09-07 00:54 56 --sh--r C:\WINDOWS\system32\5B904A25B7.sys
2006-09-07 00:52 88 --sh--r C:\WINDOWS\system32\B7254A905B.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-10_12.01.24.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-10 15:55:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-15 01:07:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2006-11-08 02:01:06 66,048 -c--a-w C:\WINDOWS\ie7\spuninst\ieResetIcons.exe
+ 2007-08-13 22:52:06 66,048 -c--a-w C:\WINDOWS\ie7\spuninst\ieResetIcons.exe
- 2006-11-07 08:26:44 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
+ 2007-08-13 22:39:20 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
- 2008-05-10 14:22:38 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-15 00:16:39 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-10 14:22:38 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-15 00:16:39 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-11-07 08:26:44 71,680 -c--a-w C:\WINDOWS\system32\dllcache\admparse.dll
+ 2007-08-13 22:39:20 71,680 -c--a-w C:\WINDOWS\system32\dllcache\admparse.dll
- 2006-11-08 02:03:36 33,792 -c--a-w C:\WINDOWS\system32\dllcache\custsat.dll
+ 2007-08-13 22:54:10 33,792 -c--a-w C:\WINDOWS\system32\dllcache\custsat.dll
- 2004-08-10 10:00:00 561,179 -c--a-w C:\WINDOWS\system32\dllcache\dao360.dll
+ 2008-03-25 04:50:25 554,008 -c--a-w C:\WINDOWS\system32\dllcache\dao360.dll
- 2006-10-17 16:44:36 60,416 -c--a-w C:\WINDOWS\system32\dllcache\hmmapi.dll
+ 2007-08-13 22:18:02 60,416 -c--a-w C:\WINDOWS\system32\dllcache\hmmapi.dll
- 2006-10-17 17:04:50 69,120 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
+ 2007-08-13 22:44:02 69,120 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
- 2006-10-17 17:06:00 78,336 -c--a-w C:\WINDOWS\system32\dllcache\ieencode.dll
+ 2007-08-13 22:45:18 78,336 -c--a-w C:\WINDOWS\system32\dllcache\ieencode.dll
- 2006-11-08 02:03:36 191,488 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
+ 2007-08-13 22:54:10 191,488 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
- 2006-11-07 08:26:42 55,296 -c--a-w C:\WINDOWS\system32\dllcache\iesetup.dll
+ 2007-08-13 22:39:12 55,296 -c--a-w C:\WINDOWS\system32\dllcache\iesetup.dll
- 2006-10-17 16:57:58 36,352 -c--a-w C:\WINDOWS\system32\dllcache\imgutil.dll
+ 2007-08-13 22:36:06 36,352 -c--a-w C:\WINDOWS\system32\dllcache\imgutil.dll
- 2006-11-07 08:26:24 92,672 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
+ 2007-08-13 22:39:02 92,672 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
- 2006-10-17 17:00:00 491,520 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
+ 2007-08-13 22:38:04 491,520 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
- 2006-10-17 17:05:10 40,960 -c--a-w C:\WINDOWS\system32\dllcache\licmgr10.dll
+ 2007-08-13 22:44:18 40,960 -c--a-w C:\WINDOWS\system32\dllcache\licmgr10.dll
- 2004-08-10 11:00:00 512,029 -c--a-w C:\WINDOWS\system32\dllcache\msexch40.dll
+ 2008-03-25 04:50:28 518,944 -c--a-w C:\WINDOWS\system32\dllcache\msexch40.dll
- 2004-08-10 11:00:00 319,517 -c--a-w C:\WINDOWS\system32\dllcache\msexcl40.dll
+ 2008-03-25 04:50:30 326,432 -c--a-w C:\WINDOWS\system32\dllcache\msexcl40.dll
- 2006-10-17 16:56:10 45,568 -c--a-w C:\WINDOWS\system32\dllcache\mshta.exe
+ 2007-08-13 22:32:30 45,568 -c--a-w C:\WINDOWS\system32\dllcache\mshta.exe
- 2006-10-17 16:28:56 48,128 -c--a-w C:\WINDOWS\system32\dllcache\mshtmler.dll
+ 2007-08-13 22:01:12 48,128 -c--a-w C:\WINDOWS\system32\dllcache\mshtmler.dll
- 2004-08-10 11:00:00 1,507,356 -c--a-w C:\WINDOWS\system32\dllcache\msjet40.dll
+ 2008-03-25 04:50:34 1,516,568 -c--a-w C:\WINDOWS\system32\dllcache\msjet40.dll
- 2004-08-10 11:00:00 358,976 -c--a-w C:\WINDOWS\system32\dllcache\msjetol1.dll
+ 2008-03-25 04:50:40 355,112 -c--a-w C:\WINDOWS\system32\dllcache\msjetol1.dll
- 2004-08-10 11:00:00 151,583 -c--a-w C:\WINDOWS\system32\dllcache\msjint40.dll
+ 2008-03-27 08:12:54 151,583 -c--a-w C:\WINDOWS\system32\dllcache\msjint40.dll
- 2004-08-10 11:00:00 53,279 -c--a-w C:\WINDOWS\system32\dllcache\msjter40.dll
+ 2008-03-25 04:50:42 60,192 -c--a-w C:\WINDOWS\system32\dllcache\msjter40.dll
- 2004-08-10 11:00:00 241,693 -c--a-w C:\WINDOWS\system32\dllcache\msjtes40.dll
+ 2008-03-25 04:50:42 248,608 -c--a-w C:\WINDOWS\system32\dllcache\msjtes40.dll
- 2006-11-08 02:03:36 156,160 -c--a-w C:\WINDOWS\system32\dllcache\msls31.dll
+ 2007-08-13 22:54:10 156,160 -c--a-w C:\WINDOWS\system32\dllcache\msls31.dll
- 2004-08-10 11:00:00 213,023 -c--a-w C:\WINDOWS\system32\dllcache\msltus40.dll
+ 2008-03-25 04:50:44 219,936 -c--a-w C:\WINDOWS\system32\dllcache\msltus40.dll
- 2004-08-10 11:00:00 348,189 -c--a-w C:\WINDOWS\system32\dllcache\mspbde40.dll
+ 2008-03-25 04:50:45 355,104 -c--a-w C:\WINDOWS\system32\dllcache\mspbde40.dll
- 2004-08-10 11:00:00 421,919 -c--a-w C:\WINDOWS\system32\dllcache\msrd2x40.dll
+ 2008-03-25 04:50:47 432,928 -c--a-w C:\WINDOWS\system32\dllcache\msrd2x40.dll
- 2004-08-10 11:00:00 315,423 -c--a-w C:\WINDOWS\system32\dllcache\msrd3x40.dll
+ 2008-03-25 04:50:49 322,336 -c--a-w C:\WINDOWS\system32\dllcache\msrd3x40.dll
- 2004-08-10 11:00:00 552,989 -c--a-w C:\WINDOWS\system32\dllcache\msrepl40.dll
+ 2008-03-25 04:50:52 559,904 -c--a-w C:\WINDOWS\system32\dllcache\msrepl40.dll
- 2004-08-10 11:00:00 258,077 -c--a-w C:\WINDOWS\system32\dllcache\mstext40.dll
+ 2008-03-25 04:50:55 264,992 -c--a-w C:\WINDOWS\system32\dllcache\mstext40.dll
- 2004-08-10 11:00:00 831,519 -c--a-w C:\WINDOWS\system32\dllcache\mswdat10.dll
+ 2008-03-25 04:50:57 838,432 -c--a-w C:\WINDOWS\system32\dllcache\mswdat10.dll
- 2004-08-10 11:00:00 614,429 -c--a-w C:\WINDOWS\system32\dllcache\mswstr10.dll
+ 2008-03-25 04:50:58 621,344 -c--a-w C:\WINDOWS\system32\dllcache\mswstr10.dll
- 2004-08-10 11:00:00 348,189 -c--a-w C:\WINDOWS\system32\dllcache\msxbde40.dll
+ 2008-03-25 04:50:58 355,104 -c--a-w C:\WINDOWS\system32\dllcache\msxbde40.dll
- 2006-11-08 02:03:36 413,696 -c--a-w C:\WINDOWS\system32\dllcache\vbscript.dll
+ 2007-08-13 22:54:10 413,696 -c--a-w C:\WINDOWS\system32\dllcache\vbscript.dll
- 2006-10-17 17:06:00 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
+ 2007-08-13 22:45:18 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
- 2006-11-08 02:03:36 191,488 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2007-08-13 22:54:10 191,488 ----a-w C:\WINDOWS\system32\iepeers.dll
- 2006-11-07 08:26:42 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
+ 2007-08-13 22:39:12 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
- 2006-11-08 02:03:36 180,736 ----a-w C:\WINDOWS\system32\ieui.dll
+ 2007-08-13 22:54:10 180,736 ----a-w C:\WINDOWS\system32\ieui.dll
- 2006-10-17 16:57:58 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
+ 2007-08-13 22:36:06 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
- 2006-11-07 08:26:24 92,672 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2007-08-13 22:39:02 92,672 ----a-w C:\WINDOWS\system32\inseng.dll
- 2006-10-17 17:00:00 491,520 ----a-w C:\WINDOWS\system32\jscript.dll
+ 2007-08-13 22:38:04 491,520 ----a-w C:\WINDOWS\system32\jscript.dll
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2006-10-17 17:05:10 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
+ 2007-08-13 22:44:18 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
- 2004-08-10 11:00:00 512,029 ----a-w C:\WINDOWS\system32\msexch40.dll
+ 2008-03-25 04:50:28 518,944 ----a-w C:\WINDOWS\system32\msexch40.dll
- 2004-08-10 11:00:00 319,517 ----a-w C:\WINDOWS\system32\msexcl40.dll
+ 2008-03-25 04:50:30 326,432 ----a-w C:\WINDOWS\system32\msexcl40.dll
- 2006-10-17 16:58:32 12,288 ------w C:\WINDOWS\system32\msfeedssync.exe
+ 2007-08-13 22:36:40 12,288 ----a-w C:\WINDOWS\system32\msfeedssync.exe
- 2006-10-17 16:56:10 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
+ 2007-08-13 22:32:30 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
- 2006-10-17 16:28:56 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
+ 2007-08-13 22:01:12 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
- 2004-08-10 11:00:00 1,507,356 ----a-w C:\WINDOWS\system32\msjet40.dll
+ 2008-03-25 04:50:34 1,516,568 ----a-w C:\WINDOWS\system32\msjet40.dll
- 2004-08-10 11:00:00 358,976 ----a-w C:\WINDOWS\system32\msjetoledb40.dll
+ 2008-03-25 04:50:40 355,112 ----a-w C:\WINDOWS\system32\msjetoledb40.dll
- 2004-08-10 11:00:00 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
+ 2008-03-27 08:12:54 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
- 2004-08-10 11:00:00 53,279 ----a-w C:\WINDOWS\system32\msjter40.dll
+ 2008-03-25 04:50:42 60,192 ----a-w C:\WINDOWS\system32\msjter40.dll
- 2004-08-10 11:00:00 241,693 ----a-w C:\WINDOWS\system32\msjtes40.dll
+ 2008-03-25 04:50:42 248,608 ----a-w C:\WINDOWS\system32\msjtes40.dll
- 2006-11-08 02:03:36 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
+ 2007-08-13 22:54:10 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
- 2004-08-10 11:00:00 213,023 ----a-w C:\WINDOWS\system32\msltus40.dll
+ 2008-03-25 04:50:44 219,936 ----a-w C:\WINDOWS\system32\msltus40.dll
- 2004-08-10 11:00:00 348,189 ----a-w C:\WINDOWS\system32\mspbde40.dll
+ 2008-03-25 04:50:45 355,104 ----a-w C:\WINDOWS\system32\mspbde40.dll
- 2004-08-10 11:00:00 421,919 ----a-w C:\WINDOWS\system32\msrd2x40.dll
+ 2008-03-25 04:50:47 432,928 ----a-w C:\WINDOWS\system32\msrd2x40.dll
- 2004-08-10 11:00:00 315,423 ----a-w C:\WINDOWS\system32\msrd3x40.dll
+ 2008-03-25 04:50:49 322,336 ----a-w C:\WINDOWS\system32\msrd3x40.dll
- 2004-08-10 11:00:00 552,989 ----a-w C:\WINDOWS\system32\msrepl40.dll
+ 2008-03-25 04:50:52 559,904 ----a-w C:\WINDOWS\system32\msrepl40.dll
- 2004-08-10 11:00:00 258,077 ----a-w C:\WINDOWS\system32\mstext40.dll
+ 2008-03-25 04:50:55 264,992 ----a-w C:\WINDOWS\system32\mstext40.dll
- 2004-08-10 11:00:00 831,519 ----a-w C:\WINDOWS\system32\mswdat10.dll
+ 2008-03-25 04:50:57 838,432 ----a-w C:\WINDOWS\system32\mswdat10.dll
- 2004-08-10 11:00:00 614,429 ----a-w C:\WINDOWS\system32\mswstr10.dll
+ 2008-03-25 04:50:58 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
- 2004-08-10 11:00:00 348,189 ----a-w C:\WINDOWS\system32\msxbde40.dll
+ 2008-03-25 04:50:58 355,104 ----a-w C:\WINDOWS\system32\msxbde40.dll
- 2006-11-08 02:03:36 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
+ 2007-08-13 22:54:10 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
- 2006-10-17 17:05:58 206,336 ------w C:\WINDOWS\system32\WinFXDocObj.exe
+ 2007-08-13 22:45:16 206,336 ----a-w C:\WINDOWS\system32\WinFXDocObj.exe
- 2008-04-03 01:08:02 152,976 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\licenseui.zip.dll
+ 2008-05-15 00:29:38 152,976 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\licenseui.zip.dll
+ 2008-05-15 01:08:08 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_7c4.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2008-04-29 18:28 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-04-29 18:28 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Startup Manager"="C:\Documents and Settings\JD\Application Data\Systweak\ASO 2\smstartUp manager.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2005-11-08 13:30 16384 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-03-02 05:00 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 22:05 344064]
"CTDVDDET"="C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 02:00 45056]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 12:01 122880]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 19:07 49152]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 06:20 122940]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-01-17 15:24 36904]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 02:33 582992]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-04-02 21:07 919016]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2008-03-25 19:08 1047712]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.exe" [2005-11-08 13:12 25600 C:\WINDOWS\MIDIDEF.EXE]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-10 06:00 44544]

C:\Documents and Settings\BR\Start Menu\Programs\Startup\
MemTurbo.lnk - C:\Program Files\MemTurbo\MemTurbo.exe [2006-05-05 22:12:01 598016]
Shortcut to MemTurbo.lnk - C:\Program Files\MemTurbo\MemTurbo.exe [2006-05-05 22:12:01 598016]

C:\Documents and Settings\JD\Start Menu\Programs\Startup\
MemTurbo.lnk - C:\Program Files\MemTurbo\MemTurbo.exe [2006-05-05 22:12:01 598016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
--a------ 2007-08-08 19:00 1945424 C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]
--a------ 2007-08-08 18:47 1169456 C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 13:56 64512 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2005-09-08 20:20 110592 C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-07 05:45 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Startup Manager]
C:\Documents and Settings\JD\Application Data\Systweak\ASO 2\smstartUp manager.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Steam"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 14:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 14:35]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-02-15 07:40]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-02-11 23:19:03 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2007-02-11 23:19:02 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-05-15 01:12:51 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 21:09:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dwwin.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\CTXFISPI.EXE
.
**************************************************************************
.
Completion time: 2008-05-14 21:22:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-15 01:20:09
ComboFix2.txt 2008-05-10 20:25:39
ComboFix3.txt 2008-05-10 16:02:05

Pre-Run: 51,483,095,040 bytes free
Post-Run: 51,493,502,976 bytes free

359 --- E O F --- 2008-05-14 11:26:06
 
Hi

Delete C:\WINDOWS\imsins.BAK file. Did you test connection with Firefox? If not, please do so.
 
Blade81,

I installed Firefox this morning. It seemed to go well, no error messages during install. I chose the standard install (something I never do); I said no when asked if I wanted to import anything from IE. Firefox could not connect to any external www site to display any page.

MY OBSERVATIONS:
-----------------
I don't believe this is a general connection issue - but only in the context of browser access. In other words, something has turned off or is blocking my ability to use a browser - again - in XP Normal mode.

1) I downloaded the Firefox setup exe file on the same PC in Safe+Networking (S+N) mode. Both IE7 and Firefox display pages in S+N mode.

2) I can get updates using Normal mode for any programs I run. I can ping www IP addresses in both S+N and Normal modes. I can get updates in Normal mode from Spybot and other programs that do not require the browser to load. I can also get my email using OutlookExpress in Normal Mode.

3) I have tried to open IE7 without add-ons & that doesn't work in normal mode either, but at least it seems like it gets a little further along as it shows the status bar moving to about 50% before hanging.

4) I have 2 other PCs that use the same connection through the same inbound/outbound infrastructure, running the same OS and browser versions. They have no problems.

From what I know about Safe+Networking, it doesn't load certain hardware interface drivers such as printer drivers, and it uses the standard VGA graphics driver. Perhaps it's some malware that loads into memory but is so hidden, or uses such a normal filename, that it can't be detected by hard drive scanners?

I think I had a fair amount of malware on my PC, which you have done an excellent job of identifying and removing. Have you heard of any malware similar to what I describe?

I found an instance on another forum where someone had the identical problem. They stated: "I can't connect to the internet in regular mode. So I called my ISP provider (Bellsouth or AT&T) for technical assistance. Out of all the recommendations he gave me, the only thing that allowed me to be able to connect to the internet is by going to safe mode with networking."

There was no final outcome posted on the forum, but suggestions included turning off the firewall, and another one which said: "My guess would be more along the lines of a DNS Hijack virus that is rerouting or preventing your connection to the internet when not running in safe mode. Sometime you can get a virus or spyware that is only half removed by anti-virus programs and the end result is no ability to get the outside network. I've seen the same problem a few times in the past and the easiest solution to correct it has always been the SmitFraudFix program, which currently resolves DNS Hijack issues and a growing list of other viruses. This isn't an anti-virus or anti-spyware program, but rather a patch or fix to remove existing problems. If it doesn't find or correct your problem, it won't cause any harm to your system, so no risk in running it."

I found many other references to the DNS cache (which is local to each machine) being corrupted - usually by some malware. Another of my symptoms is that I can ping IP addresses, but not their DNS names. There is a command that can be run in a safe mode command prompt: ipconfig /flushdns. I'll be trying this tonight.

Blade81.....have you used or had any success with this SmitFraudFix program? Should I try it?

I feel a bit rejuvenated now. I really think we're going to kill this with just a little more digging. THANKS AGAIN. I've noticed a lot more people on the forum with problems. You must be very busy.
 
Hi

SmitfraudFix is not something I would use here since nothing indicates that you have a Smitfraud infection. I still suspect that this may be firewall related. I don't think either ZoneAlarm or McAfee loads in safe mode, and that would explain why you're able to access the net there. You might want to uninstall both McAfee and ZoneAlarm and enable XP's own firewall for now.

Also, try restoring original hosts file.

Download the HostsXpert 4.2 - Hosts File Manager.
  • Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
  • Run HostsXpert 4.2 - Hosts File Manager from its new home
  • Click on "File Handling".
  • Click on "Restore MS Hosts File".
  • Click OK on the Confirmation box.
  • Click on "Make Read Only?"
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
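As an added illustration that is not part of the thread and not HostsXpert's own code: the "Restore MS Hosts File" step above replaces the hosts file with the single stock mapping Windows ships, and the note about custom entries exists because everything else is thrown away. The Python script below shows the same idea in a checkable form. It parses a hosts file the way the resolver reads it (comments and blank lines ignored), flags the entry types a hijack leaves behind (a hostname pointed at a reachable non-loopback address, localhost itself pointed off-box, malformed addresses), and produces the stock content together with the benign custom lines that would need re-adding by hand. The sample hosts file, its hostnames and addresses, and all function names are constructed for this example; they are not taken from the log above.

```python
"""Audit a Windows hosts file for hijack-style entries and produce the stock
Microsoft default. Added example; the hosts content below is constructed."""
import ipaddress
from typing import List, Tuple

# Stock Windows XP hosts file content: the only active mapping Microsoft ships.
DEFAULT_HOSTS = "127.0.0.1       localhost\n"

# Reason codes returned by classify() / suspicious_entries().
UNPARSEABLE = "unparseable-address"
LOCALHOST_HIJACK = "localhost-hijacked"
REDIRECT = "redirect-to-foreign-host"

# Constructed sample, not from the thread: a plausible XP hosts file plus the
# kinds of lines a hijack leaves behind. Addresses are private/documentation
# ranges chosen for illustration only.
SAMPLE_HOSTS = """\
# Hosts file used by Microsoft TCP/IP for Windows (constructed sample).
127.0.0.1       localhost
0.0.0.0         ads.example.net          # blocking-style entry, harmless
127.0.0.1       tracker.example.org      # blocking-style entry, harmless
10.0.0.99       www.example-update.com   # an update host sent to another machine
198.51.100.7    localhost                # localhost itself pointed off-box
not.an.ip       something.example        # malformed line
"""


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, address, [hostnames]) for every active mapping.

    Blank lines and '#' comments (full-line or inline) are ignored, which is
    how the Windows resolver treats them."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # address with no hostname: the resolver ignores it too
        entries.append((lineno, parts[0], parts[1:]))
    return entries


def classify(address: str, hostnames: List[str]) -> str:
    """Return a reason code for a suspicious mapping, or '' if it looks benign.

    Loopback (127/8, ::1) and the unspecified address (0.0.0.0, ::) are what
    legitimate blocking-style hosts files use, so they are accepted. Anything
    else sends the hostname to a real, reachable machine: the hijack pattern."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return UNPARSEABLE
    if ip.is_loopback or ip.is_unspecified:
        return ""
    if "localhost" in (h.lower() for h in hostnames):
        return LOCALHOST_HIJACK
    return REDIRECT


def suspicious_entries(text: str) -> List[Tuple[int, str, List[str], str]]:
    """Every mapping in the file that classify() does not accept."""
    flagged = []
    for lineno, address, hostnames in parse_hosts(text):
        reason = classify(address, hostnames)
        if reason:
            flagged.append((lineno, address, hostnames, reason))
    return flagged


def restore_default(text: str) -> Tuple[str, List[str]]:
    """Produce the stock hosts content and list the benign custom lines that
    get dropped, so the user can re-add them by hand afterwards."""
    dropped = []
    for lineno, address, hostnames in parse_hosts(text):
        if classify(address, hostnames) == "" and hostnames != ["localhost"]:
            dropped.append(f"{address} {' '.join(hostnames)}")
    return DEFAULT_HOSTS, dropped


if __name__ == "__main__":
    for lineno, address, hostnames, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {address} -> {', '.join(hostnames)} [{reason}]")
    new_hosts, dropped = restore_default(SAMPLE_HOSTS)
    print("restored hosts file:\n" + new_hosts)
    print("custom entries to re-add manually:", dropped)
```

On a real machine the file to feed in is %SystemRoot%\system32\drivers\etc\hosts; the script deliberately does not write it back, since the point of the helper's procedure is to replace it with the stock content and then mark it read-only.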
 
Blade81.....You probably thought you were never going to get rid of me. Well, the day has come. It looks like you were right. It was a firewall issue, but a strange one.

I talked to a co-worker about my problem. She said she had the same problem about a year ago! I was shocked. She said McAfee had messed up her license subscription and had expired it early without informing her. I called McAfee this morning and they had done the same thing to me. They sent me a link to a script file that totally uninstalled all references to McAfee on my system. Then they had me send them configuration info from my PC. They said I needed to uninstall Spybot S&D, Avast, and ZoneAlarm, as these programs were totally incompatible with McAfee. (I know this is not absolutely true, since I'm running Spybot and Avast on a laptop at the same time as McAfee.) But I followed their instructions.

Then I had to reinstall McAfee and download all the updates.

As soon as the install rebooted - IE and Firefox started working in Normal Mode!!! When my McAfee license expires, I'm going with a different program. This is a terrible way to do business.

I have learned a lot from your capable, careful, and sincere assistance. I also have a few utilities I can use to keep my PC running in great shape. THANK YOU SO MUCH for all your help and your perseverance!

Mahonri Moriancumer
 
Glad to hear that things are well again Mahonri :)


Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
 