
MIRAR TOOLBAR/MALWARE


45 replies to this topic

#1 Sarina5

Sarina5

  • Members
  • 49 posts
  • OFFLINE
  • Local time:11:18 PM

Posted 08 October 2009 - 04:49 AM

Please keep it all in one post and do not add any more posts
It will only delay a response



Hello BleepingComputer Experts,

I am having great difficulty removing the Mirar application! :(. I've tried removing it using various methods, i.e. Add/Remove Programs and the uninstaller from the website, but none of these seem to work. Please could you advise me what to do in terms of removing the relevant files from the registry? I'd rather not do it manually as I'm not at all familiar with it! Should I post an HJT log, or would you be able to list the ones I need to remove? Please let me know asap so I can do this.

Many many thanks for your help! You're all stars and I don't know what we'd do without your help!

Kind regards,

Sarina.


Here is the HJT log file. Please could you advise what I need to do... Thank you!!
-----------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:36:00, on 08/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NavNT\defwatch.exe
C:\Documents and Settings\All Users\Application Data\Findbasic\findbasic125.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Application Data\DealAssistant\DealAssistant.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Findbasic\findbasic.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DealAssistant] C:\Documents and Settings\Administrator\Application Data\DealAssistant\DealAssistant.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.miniclip.com/games/lead-storm/en/"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} (StreamPlug Class) - http://www.streamplug.com/StreamPlug/beta/SP.cab
O16 - DPF: {38D6D77C-5EC1-4A4A-AFEB-85FE780CD61A} (FontDownloaderIE Class) - http://www.qurancomplex.com/downloads/FontDown.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1229184314171
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1229184301109
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgGB2404.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {DF9C24D1-030E-49ED-5EB5-D6610086C313} - http://www.superstarracing.net/miniclip/Ch...ublicPlayer.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: wineij32 - wineij32.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Findbasic Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\Findbasic\findbasic125.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O24 - Desktop Component 0: (no name) - http://www.decet.org/Bilder/logo.jpg

--
End of file - 12115 bytes

Edited by garmanma, 08 October 2009 - 02:00 PM.
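As an added example that is not part of this thread (and not BleepingComputer's, the Malware Response Team's or HijackThis's own code), here is a small Python triage helper that parses HJT entries like the ones in the log above and flags the lines a helper usually looks at first. The sample log is a handful of lines copied from the log above; the heuristics (browser defaults changed, autostarts and services living under a user profile, "file missing"/"no file" references, Winlogon Notify DLLs, unattributed Winsock LSPs, DPF objects fetched from a bare IP or pointing at an .exe) are assumptions made for illustration, and a flag marks an entry for review, not as malware.

```python
"""Triage helper for HijackThis (HJT) log lines. Added example, not HJT code."""
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines copied from the HJT log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [DealAssistant] C:\Documents and Settings\Administrator\Application Data\DealAssistant\DealAssistant.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgGB2404.exe
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - Winlogon Notify: wineij32 - wineij32.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Findbasic Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\Findbasic\findbasic125.exe
"""

ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")          # "R1 - ...", "O23 - ..."
RAW_IP_URL_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)", re.I)
USER_WRITABLE_RE = re.compile(r"\\documents and settings\\|\\application data\\", re.I)
# Windows XP / IE ship go.microsoft.com fwlink values as the browser defaults (assumption for this example).
DEFAULT_PREFIX = "http://go.microsoft.com/"


@dataclass
class Entry:
    section: str                 # HJT section code, e.g. "O4"
    body: str                    # everything after "On - "
    flags: list = field(default_factory=list)


def parse_hjt(text):
    """Return one Entry per 'Rn - ...' / 'On - ...' line; header and process lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entry):
    """Attach review flags. Heuristics only: a flag means 'look at this', not 'malicious'."""
    body, low = entry.body, entry.body.lower()
    if "(file missing)" in low or "(no file)" in low:
        entry.flags.append("references a file that is not on disk")
    if entry.section in ("R0", "R1") and " = " in body:
        key, value = body.split(" = ", 1)
        if "proxy" not in key.lower() and not value.startswith(DEFAULT_PREFIX):
            entry.flags.append(f"browser setting changed from the Windows default: {value}")
    elif entry.section == "O4" and USER_WRITABLE_RE.search(body):
        entry.flags.append("autostart from a user-writable profile path")
    elif entry.section == "O10":
        entry.flags.append("Winsock LSP entry that HJT could not attribute to a known product")
    elif entry.section == "O16":
        url = body.rsplit(" - ", 1)[-1]          # DPF lines end with the download URL
        if RAW_IP_URL_RE.match(url):
            entry.flags.append("ActiveX download object fetched from a bare IP address")
        if url.lower().split("?")[0].endswith(".exe"):
            entry.flags.append("ActiveX download object points at an .exe rather than a .cab")
    elif entry.section == "O20":
        entry.flags.append("Winlogon Notify DLL: loaded by winlogon at every logon, confirm publisher")
    elif entry.section == "O23":
        if "unknown owner" in low:
            entry.flags.append("service with no publisher information")
        if USER_WRITABLE_RE.search(body):
            entry.flags.append("service binary in a user-writable profile path")
    return entry


def triage_log(text):
    """Parse a log and return only the entries that picked up at least one flag."""
    return [e for e in (triage(e) for e in parse_hjt(text)) if e.flags]


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.section}: {e.body}")
        for f in e.flags:
            print(f"    -> {f}")
```

Run it against a full HJT log saved as text and it prints only the flagged entries; vendor entries under Program Files with a known publisher (vptray, Bonjour, the LogMeIn .cab) drop out, which is the point: the helper narrows the log to what needs a human decision, it does not make that decision.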




#2 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:05:18 PM

Posted 24 October 2009 - 08:35 AM

hi Sarina5,


Sorry for the delay. If you still need help simply reply to my post and we will get started.

How Can I Reduce My Risk to Malware?


#3 Sarina5

Sarina5
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:11:18 PM

Posted 12 November 2009 - 06:44 AM

Hello there shelf life,


Yesssss please, I still need your help. I hadn't realised you had replied already as I thought the system automatically sends emails when a response is received.

I eagerly await your reply. :(
Kind regards,

Sarina.

#4 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:05:18 PM

Posted 13 November 2009 - 09:31 PM

OK. We will get two downloads: the first is for diagnostics, the second for malware removal.

First:

Please download DDS and save it to your desktop.
Disable any script blocking protection. Double-click dds.scr to run the tool. When done, DDS.txt will open.
Save both reports to your desktop.
You can Copy and paste both logs in your reply.

Last:

Please download Malwarebytes to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.

How Can I Reduce My Risk to Malware?


#5 Sarina5

Sarina5
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:11:18 PM

Posted 14 November 2009 - 06:56 PM

Hi, Thank you very much for your reply - much appreciated :(

I have done everything you have asked and am pasting the 3 different logs here, as requested:

DDS.txt

DDS (Ver_09-10-26.01) - NTFSx86
Run by Administrator at 22:33:47.31 on 14/11/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1015.251 [GMT 0:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\NavNT\defwatch.exe
C:\Documents and Settings\All Users\Application Data\Findbasic\findbasic137.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Findbasic\findbasic.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINDOW~4\MESSEN~1\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = about:blank
uDefault_Search_URL = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = about:blank
mSearchAssistant = about:blank
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {A9EABED0-D90B-4714-B253-63ADB7AB6FBA} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DealAssistant] c:\documents and settings\administrator\application data\dealassistant\DealAssistant.exe
uRun: [AdobeBridge]
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.shockwave.com/gamelanding/grooveblender.jsp"
mRun: [vptray] c:\program files\navnt\vptray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
mPolicies-explorer: NoClose = 1 (0x1)
mPolicies-explorer: NoLogoff = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} - hxxp://www.streamplug.com/StreamPlug/beta/SP.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {38D6D77C-5EC1-4A4A-AFEB-85FE780CD61A} - hxxp://www.qurancomplex.com/downloads/FontDown.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229184314171
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229184301109
DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} - hxxp://secure2.comned.com/signuptemplates/securelogin-devel.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - hxxp://85.255.114.166/1/rdgGB2404.exe
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF9C24D1-030E-49ED-5EB5-D6610086C313} - hxxp://www.superstarracing.net/miniclip/ChatRepublicPlayer.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Notify: igfxcui - igfxsrvc.dll
Notify: LMIinit - LMIinit.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: wineij32 - wineij32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\ls8knurh.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - component: c:\program files\mozilla firefox\components\rpff.dll
FF - plugin: c:\program files\common files\parallelgraphics\cortona\npCortona.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCortona.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R2 Findbasic Service;Findbasic Service;c:\documents and settings\all users\application data\findbasic\findbasic137.exe [2009-11-4 58872]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-8-3 12992]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-1-24 46112]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2004-5-3 80384]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 assgygfta;kkenrwct;c:\windows\system32\svchost.exe -k netsvcs [2003-3-31 14336]
S2 isyjio;Shell Network;c:\windows\system32\svchost.exe -k netsvcs [2003-3-31 14336]
S2 jadjgzm;Boot Monitor;c:\windows\system32\svchost.exe -k netsvcs [2003-3-31 14336]
S2 jstxzys;Windows Universal;c:\windows\system32\svchost.exe -k netsvcs [2003-3-31 14336]
S2 luzop;Universal Installer;c:\windows\system32\svchost.exe -k netsvcs [2003-3-31 14336]
S2 punmfevm;Universal Support;c:\windows\system32\svchost.exe -k netsvcs [2003-3-31 14336]
S2 vrfbbcd;Monitor Windows;c:\windows\system32\svchost.exe -k netsvcs [2003-3-31 14336]
S2 vvuxch;Task Universal;c:\windows\system32\svchost.exe -k netsvcs [2003-3-31 14336]
S3 bfgrw;bfgrw;\??\c:\windows\system32\015.tmp --> c:\windows\system32\015.tmp [?]
S3 cjlrcnc;cjlrcnc;\??\c:\windows\system32\06.tmp --> c:\windows\system32\06.tmp [?]
S3 gxhzx;gxhzx;\??\c:\windows\system32\013.tmp --> c:\windows\system32\013.tmp [?]
S3 heqohk;heqohk;\??\c:\windows\system32\07.tmp --> c:\windows\system32\07.tmp [?]
S3 iklcwtej;iklcwtej;\??\c:\windows\system32\04.tmp --> c:\windows\system32\04.tmp [?]
S3 kcfcu;kcfcu;\??\c:\windows\system32\03.tmp --> c:\windows\system32\03.tmp [?]
S3 oaugbcws;oaugbcws;\??\c:\windows\system32\05.tmp --> c:\windows\system32\05.tmp [?]
S3 uihnsvw;uihnsvw;\??\c:\windows\system32\0309.tmp --> c:\windows\system32\0309.tmp [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-11-13 22:08:59 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2009-11-06 21:51:33 0 d-----w- c:\documents and settings\administrator\Tracing
2009-11-06 21:43:05 0 d-----w- c:\program files\common files\Windows Live
2009-10-28 14:01:13 0 d-----w- c:\program files\common files\Macromedia Shared
2009-10-28 14:01:04 974848 ----a-w- c:\windows\system32\mfc70.dll
2009-10-28 14:01:04 487424 ----a-w- c:\windows\system32\msvcp70.dll
2009-10-28 14:00:36 0 d-----w- c:\program files\common files\Macromedia
2009-10-28 13:59:22 0 d-----w- c:\program files\Macromedia
2009-10-28 13:33:01 116736 ----a-w- c:\windows\system32\drivers\mcdbus.sys
2009-10-28 13:33:00 0 d-----w- c:\program files\MagicDisc
2009-10-25 20:00:38 69632 ----a-w- c:\windows\RAUNINST.EXE

==================== Find3M ====================

2009-09-27 21:49:13 47132 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-28 18:42:52 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2008-07-12 15:43:33 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071220080713\index.dat

============= FINISH: 22:34:39.10 ===============


Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 09/01/2006 13:35:35
System Uptime: 14/11/2009 16:34:00 (6 hours ago)

Motherboard: Dell Inc. | | 0U8082
Processor: Intel® Pentium® M processor 2.00GHz | Microprocessor | 1994/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 75 GiB total, 56.827 GiB free.
D: is CDROM ()
F: is CDROM (CDFS)

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 11/11/2009 16:03:16 - System Checkpoint
RP2: 12/11/2009 16:59:50 - System Checkpoint
RP3: 13/11/2009 18:58:17 - System Checkpoint
RP4: 13/11/2009 22:13:02 - Software Distribution Service 3.0
RP5: 13/11/2009 22:25:00 - Installed Windows Live installer
RP6: 13/11/2009 22:25:33 - Installed Windows Live

==== Installed Programs ======================

Adobe Acrobat 6.0 Professional
Adobe AIR
Adobe Anchor Service CS4
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Recommended Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Extra Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Fonts All
Adobe Linguistics CS4
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Shockwave Player 11.5
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
C-Major Audio
Conexant D110 MDC V.92 Modem
Connect
Cortona3D Viewer
dBpoweramp Windows Media Audio 10 Codec
DealAssistant
Dell ResourceCD
Findbasic 1.0 build 137
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Intel® Graphics Media Accelerator Driver for Mobile
Intel® PROSet/Wireless Software
iTunes
J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 15
Java™ 6 Update 7
kuler
LimeWire 4.18.8
LiveUpdate (Symantec Corporation)
LogMeIn
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
MagicDisc 2.7.106
mCore
mDriver
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Disc 2
Microsoft Office 2000 SR-1 Premium
Microsoft User-Mode Driver Framework Feature Pack 1.5
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
mIWA
mLogView
mMHouse
Mozilla Firefox (3.0.14)
mPfMgr
mPfWiz
mProSafe
mSCfg
mSSO
MSVC80_x86
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser
mToolkit
mWlsSafe
mWMI
mZConfig
Nero 6 Ultra Edition
Norton AntiVirus Corporate Edition
PC Connectivity Solution
PDF Settings CS4
Photoshop Camera Raw
PowerDirector Express
PowerDVD
PowerProducer
Quick Zip 4.60.004
QuickTime
SAGEM F@st 800-840
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Sony DVD Architect Pro 4.5
Sony Picture Utility
Spybot - Search & Destroy
Suite Shared Configuration CS4
Texas Instruments PCIxx21/x515 drivers.
TI_Inst
Unity Web Player
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Defender Signatures
Windows Driver Package - Nokia Modem (03/05/2008 3.7)
Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows XP Service Pack 3
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

11/11/2009 16:03:06, error: Service Control Manager [7023] - The Monitor Windows service terminated with the following error: The specified module could not be found.
11/11/2009 11:20:34, error: Service Control Manager [7023] - The Shell Network service terminated with the following error: The specified module could not be found.
10/11/2009 10:41:32, error: Service Control Manager [7023] - The Boot Monitor service terminated with the following error: The specified module could not be found.
09/11/2009 14:06:31, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Lbd
09/11/2009 14:06:21, error: Service Control Manager [7023] - The Windows Universal service terminated with the following error: The specified module could not be found.
09/11/2009 14:06:21, error: Service Control Manager [7023] - The Universal Support service terminated with the following error: The specified module could not be found.
09/11/2009 14:06:21, error: Service Control Manager [7023] - The Universal Installer service terminated with the following error: The specified module could not be found.
09/11/2009 14:06:21, error: Service Control Manager [7023] - The Task Universal service terminated with the following error: The specified module could not be found.
09/11/2009 14:06:21, error: Service Control Manager [7023] - The kkenrwct service terminated with the following error: The specified module could not be found.
09/11/2009 14:06:21, error: Service Control Manager [7000] - The General Purpose USB Driver (adildr.sys) service failed to start due to the following error: The system cannot find the file specified.
08/11/2009 18:39:05, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
07/11/2009 20:02:44, error: Dhcp [1002] - The IP address lease 192.168.0.7 for the Network Card with network address 0013CEE92223 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================


Malwarebytes

Malwarebytes' Anti-Malware 1.41
Database version: 3172
Windows 5.1.2600 Service Pack 3

14/11/2009 23:45:02
mbam-log-2009-11-14 (23-45-02).txt

Scan type: Full Scan (C:\|)
Objects scanned: 186288
Time elapsed: 57 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wineij32 (Trojan.Dialer) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DealAssistant (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Administrator\Application Data\DealAssistant (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Administrator\Application Data\DealAssistant\config.cfg (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\DealAssistant\DAUninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\ADAPT_Installer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wineij32.dll (Trojan.Dialer) -> Quarantined and deleted successfully.



...and there you have it! Your help is very much appreciated - thank you so much!

Kind regards,

Sarina.
P.S. What's your name? :(

#6 shelf life

  • Malware Response Team
  • 2,646 posts
  • Gender:Male
  • Location:@localhost

Posted 15 November 2009 - 05:27 PM

hi Sarina5,

OK, good, thanks for the information. We will get one more download to use. It's called ComboFix. There is a guide to read first. Read through the guide, download ComboFix to your desktop, disable any AV etc. as explained in the guide, double-click the ComboFix icon on your desktop and follow the prompts. Post the ComboFix log in your reply.
My real name is David.

Guide to using Combofix

How Can I Reduce My Risk to Malware?


#7 Sarina5
  • Topic Starter

  • Members
  • 49 posts

Posted 16 November 2009 - 02:08 PM

Hi David,

Thank you for your reply. Please see below for the ComboFix log, as requested:

ComboFix 09-11-16.05 - Administrator 16/11/2009 18:48..1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1015.469 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1392284910-270800707-2247778763-500
c:\recycler\S-1-5-21-2170371235-426764551-501881172-500
c:\windows\fnts~2
c:\windows\system32\ymante~1

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NWCWORKSTATION
-------\Service_NWCWorkstation


((((((((((((((((((((((((( Files Created from 2009-10-16 to 2009-11-16 )))))))))))))))))))))))))))))))
.

2009-11-14 22:39 . 2009-11-14 22:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-11-14 22:39 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-14 22:39 . 2009-11-14 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-14 22:39 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-14 22:38 . 2009-11-14 22:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-06 21:43 . 2009-11-06 21:43 -------- d-----w- c:\program files\Common Files\Windows Live
2009-11-04 19:10 . 2009-11-04 13:18 58872 ----a-w- c:\documents and settings\All Users\Application Data\Findbasic\findbasic137.exe
2009-11-03 16:05 . 2009-11-03 16:05 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla
2009-10-28 16:17 . 2003-09-05 18:16 815104 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Dreamweaver MX 2004\Configuration\Flash Player\FlashPlayerW.dll
2009-10-28 16:17 . 2003-09-05 18:16 757760 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Dreamweaver MX 2004\Configuration\Flash Player\NPSWF32.dll
2009-10-28 16:14 . 2009-10-28 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrovision
2009-10-28 14:01 . 2009-10-28 14:01 -------- d-----w- c:\program files\Common Files\Macromedia Shared
2009-10-28 14:01 . 2003-07-30 18:28 487424 ----a-w- c:\windows\system32\msvcp70.dll
2009-10-28 14:01 . 2003-07-30 18:28 974848 ----a-w- c:\windows\system32\mfc70.dll
2009-10-28 14:00 . 2009-10-28 14:01 -------- d-----w- c:\program files\Common Files\Macromedia
2009-10-28 13:59 . 2009-10-28 14:01 -------- d-----w- c:\program files\Macromedia
2009-10-25 20:00 . 1996-11-06 19:11 69632 ----a-w- c:\windows\RAUNINST.EXE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-16 16:25 . 2008-01-24 09:54 -------- d-----w- c:\program files\LogMeIn
2009-11-13 22:39 . 2006-07-11 09:10 -------- d-----w- c:\program files\HyperResearch
2009-11-13 22:29 . 2008-06-06 20:19 -------- dcsh--w- c:\program files\Common Files\WindowsLiveInstaller
2009-11-13 22:25 . 2008-06-06 20:19 -------- d-----w- c:\program files\Windows Live
2009-11-13 22:24 . 2008-06-06 20:19 -------- d-----w- c:\documents and settings\All Users\Application Data\WLInstaller
2009-11-13 22:10 . 2006-11-13 09:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-06 21:50 . 2005-04-07 13:56 62600 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-05 19:14 . 2009-09-26 12:17 -------- d-----w- c:\program files\Findbasic
2009-11-04 19:10 . 2009-09-26 12:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Findbasic
2009-10-28 14:01 . 2005-04-07 14:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-27 19:19 . 2008-10-16 19:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2009-10-27 17:22 . 2008-07-22 16:30 -------- d-----w- c:\program files\Yahoo!
2009-10-27 17:21 . 2009-10-06 17:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-10-27 17:20 . 2009-10-06 17:15 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-17 22:22 . 2006-11-13 09:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-17 22:07 . 2005-04-07 13:57 -------- d-----w- c:\program files\NavNT
2009-10-08 18:36 . 2009-10-08 18:34 -------- d-----w- c:\program files\HT
2009-10-06 20:33 . 2009-10-06 20:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!
2009-10-06 20:08 . 2009-10-06 19:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-06 17:16 . 2009-10-06 17:16 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-06 17:15 . 2009-10-06 17:12 -------- d-----w- c:\program files\Superanti Spyware
2009-09-27 21:49 . 2009-09-27 21:49 47132 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-27 17:18 . 2006-09-29 10:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-09-27 16:01 . 2009-09-27 15:59 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-27 16:01 . 2009-09-27 15:31 -------- d-----w- c:\program files\iTunes
2009-09-27 16:00 . 2009-09-27 16:00 -------- d-----w- c:\program files\iPod
2009-09-27 16:00 . 2009-09-27 15:54 -------- d-----w- c:\program files\Common Files\Apple
2009-09-27 15:59 . 2006-09-29 10:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-09-27 15:59 . 2009-09-27 15:59 -------- d-----w- c:\program files\Bonjour
2009-09-27 15:58 . 2009-09-27 15:58 -------- d-----w- c:\program files\QuickTime
2009-09-27 15:55 . 2006-09-29 10:06 -------- d-----w- c:\program files\Apple Software Update
2009-09-27 15:54 . 2009-09-27 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-09-21 16:09 . 2009-09-21 16:09 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-09-11 14:18 . 2003-03-31 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2003-03-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-28 18:42 . 2009-09-27 15:55 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 18:42 . 2009-09-27 15:55 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-26 08:00 . 2003-03-31 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-22 13:57 . 2009-08-22 13:57 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-14 18:29 . 2009-09-26 12:18 210944 ----a-w- c:\program files\mozilla firefox\components\rpff.dll
2009-07-18 17:13 . 2009-07-18 17:13 0 --sha-w- c:\windows\DRM\Cache\Indiv03.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe" [2009-04-29 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\program files\NavNT\vptray.exe" [2001-12-05 73728]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-08 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-08 126976]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-06-28 32768]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-11-15 18:46 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Limewire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 Findbasic Service;Findbasic Service;c:\documents and settings\All Users\Application Data\Findbasic\findbasic137.exe [04/11/2009 19:10 58872]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [03/08/2007 15:09 12992]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [24/01/2008 09:55 46112]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [03/05/2004 15:26 80384]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 assgygfta;kkenrwct;c:\windows\system32\svchost.exe -k netsvcs [31/03/2003 12:00 14336]
S2 isyjio;Shell Network;c:\windows\system32\svchost.exe -k netsvcs [31/03/2003 12:00 14336]
S2 jadjgzm;Boot Monitor;c:\windows\system32\svchost.exe -k netsvcs [31/03/2003 12:00 14336]
S2 jstxzys;Windows Universal;c:\windows\system32\svchost.exe -k netsvcs [31/03/2003 12:00 14336]
S2 luzop;Universal Installer;c:\windows\system32\svchost.exe -k netsvcs [31/03/2003 12:00 14336]
S2 punmfevm;Universal Support;c:\windows\system32\svchost.exe -k netsvcs [31/03/2003 12:00 14336]
S2 vrfbbcd;Monitor Windows;c:\windows\system32\svchost.exe -k netsvcs [31/03/2003 12:00 14336]
S2 vvuxch;Task Universal;c:\windows\system32\svchost.exe -k netsvcs [31/03/2003 12:00 14336]
S3 bfgrw;bfgrw;\??\c:\windows\system32\015.tmp --> c:\windows\system32\015.tmp [?]
S3 cjlrcnc;cjlrcnc;\??\c:\windows\system32\06.tmp --> c:\windows\system32\06.tmp [?]
S3 gxhzx;gxhzx;\??\c:\windows\system32\013.tmp --> c:\windows\system32\013.tmp [?]
S3 heqohk;heqohk;\??\c:\windows\system32\07.tmp --> c:\windows\system32\07.tmp [?]
S3 iklcwtej;iklcwtej;\??\c:\windows\system32\04.tmp --> c:\windows\system32\04.tmp [?]
S3 kcfcu;kcfcu;\??\c:\windows\system32\03.tmp --> c:\windows\system32\03.tmp [?]
S3 oaugbcws;oaugbcws;\??\c:\windows\system32\05.tmp --> c:\windows\system32\05.tmp [?]
S3 uihnsvw;uihnsvw;\??\c:\windows\system32\0309.tmp --> c:\windows\system32\0309.tmp [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
luzop
jstxzys
vvuxch
assgygfta
punmfevm
jadjgzm
isyjio
vrfbbcd
.
Contents of the 'Scheduled Tasks' folder

2009-10-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
DPF: {38D6D77C-5EC1-4A4A-AFEB-85FE780CD61A} - hxxp://www.qurancomplex.com/downloads/FontDown.cab
DPF: {DF9C24D1-030E-49ED-5EB5-D6610086C313} - hxxp://www.superstarracing.net/miniclip/ChatRepublicPlayer.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ls8knurh.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - component: c:\program files\Mozilla Firefox\components\rpff.dll
FF - plugin: c:\program files\Common Files\ParallelGraphics\Cortona\npCortona.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCortona.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{A9EABED0-D90B-4714-B253-63ADB7AB6FBA} - (no file)
HKCU-Run-AdobeBridge - (no file)
AddRemove-DealAssistant - c:\documents and settings\Administrator\Application Data\DealAssistant\dealassistant.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-16 18:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bfgrw]
"ImagePath"="\??\c:\windows\system32\015.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cjlrcnc]
"ImagePath"="\??\c:\windows\system32\06.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gxhzx]
"ImagePath"="\??\c:\windows\system32\013.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\heqohk]
"ImagePath"="\??\c:\windows\system32\07.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iklcwtej]
"ImagePath"="\??\c:\windows\system32\04.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kcfcu]
"ImagePath"="\??\c:\windows\system32\03.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\oaugbcws]
"ImagePath"="\??\c:\windows\system32\05.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\uihnsvw]
"ImagePath"="\??\c:\windows\system32\0309.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\assgygfta]
"ServiceDll"="c:\windows\system32\flfwlgxk.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\isyjio]
"ServiceDll"="c:\windows\system32\flfwlgxk.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jadjgzm]
"ServiceDll"="c:\windows\system32\flfwlgxk.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jstxzys]
"ServiceDll"="c:\windows\system32\flfwlgxk.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\luzop]
"ServiceDll"="c:\windows\system32\flfwlgxk.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\punmfevm]
"ServiceDll"="c:\windows\system32\flfwlgxk.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vrfbbcd]
"ServiceDll"="c:\windows\system32\flfwlgxk.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vvuxch]
"ServiceDll"="c:\windows\system32\flfwlgxk.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4021508746-67682326-3153008980-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6a,2f,87,ba,51,6f,b0,49,8e,ce,90,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2f,45,f9,a1,41,71,20,4b,85,88,bc,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6a,2f,87,ba,51,6f,b0,49,8e,ce,90,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\windows\system32\LMIinit.dll
c:\windows\system32\NavLogon.dll

- - - - - - - > 'explorer.exe'(2172)
c:\windows\system32\WININET.dll
c:\program files\Findbasic\findbasic.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\NavNT\defwatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\NavNT\rtvscan.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\System32\locator.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\rundll32.exe
c:\program files\Findbasic\findbasic.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\windows\System32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2009-11-16 19:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-16 19:02

Pre-Run: 61,143,162,880 bytes free
Post-Run: 62,310,293,504 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - DB6A4BDEA0AD081420FEA19349C0380A



Many thanks for your help!!
Kind regards,

Sarina.
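Two parts of the logs in this thread carry the same signal. In the DDS Attach.txt, the Service Control Manager logged event 7023 ("The specified module could not be found") for services with innocuous display names such as "Monitor Windows" and "Shell Network". In the ComboFix log those display names belong to eight S2 services with random names (assgygfta, isyjio, jadjgzm, ...) that all run inside svchost.exe -k netsvcs and all resolve to the same ServiceDll, c:\windows\system32\flfwlgxk.dll, and a further eight S3 drivers whose ImagePath is a .tmp file under system32. The script below is an added example written for this page, not part of the thread, ComboFix or DDS: it parses those three log formats and reports the entries that match the pattern. The sample input is copied from the posted logs; the sharing threshold, the .tmp check and the consonant-run name test are assumptions, not ComboFix's own logic.

```python
"""Triage of service/driver persistence from the ComboFix and DDS logs above.

Added example for this thread; not part of the original posts, ComboFix or DDS.
Flags svchost services that share one ServiceDll, drivers whose ImagePath is a
.tmp under system32, and corroborates with SCM 7023/7000 events. Thresholds and
the random-name heuristic are assumptions, not ComboFix logic.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied verbatim from the logs posted in this thread.
SAMPLE_LOG = r"""
11/11/2009 16:03:06, error: Service Control Manager [7023] - The Monitor Windows service terminated with the following error: The specified module could not be found.
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [03/08/2007 15:09 12992]
S2 assgygfta;kkenrwct;c:\windows\system32\svchost.exe -k netsvcs [31/03/2003 12:00 14336]
S2 luzop;Universal Installer;c:\windows\system32\svchost.exe -k netsvcs [31/03/2003 12:00 14336]
S2 vrfbbcd;Monitor Windows;c:\windows\system32\svchost.exe -k netsvcs [31/03/2003 12:00 14336]
S3 bfgrw;bfgrw;\??\c:\windows\system32\015.tmp --> c:\windows\system32\015.tmp [?]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bfgrw]
"ImagePath"="\??\c:\windows\system32\015.tmp"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\assgygfta]
"ServiceDll"="c:\windows\system32\flfwlgxk.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\luzop]
"ServiceDll"="c:\windows\system32\flfwlgxk.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vrfbbcd]
"ServiceDll"="c:\windows\system32\flfwlgxk.dll"
"""

SERVICE_LINE = re.compile(
    r'^[RS]\d\s+(?P<name>[^;\n]+);(?P<display>[^;\n]*);(?P<image>.*?)\s+\[[^\]]*\]\s*$', re.M)
REG_KEY = re.compile(r'^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(?P<name>[^\]]+)\]', re.I)
REG_VALUE = re.compile(r'^"(?P<vname>ServiceDll|ImagePath)"="(?P<val>[^"]*)"', re.I)
SCM_EVENT = re.compile(r'Service Control Manager \[(?P<id>7023|7000)\] - The (?P<display>.+?) service ')
TMP_IMAGE = re.compile(r'\\system32\\[^\\\s]+\.tmp(?:\s|$)')
VOWELS = set('aeiou')

def parse_services(text):
    """ComboFix service/driver lines -> {name: {'display', 'image'}}."""
    return {m['name']: {'display': m['display'], 'image': m['image']}
            for m in SERVICE_LINE.finditer(text)}

def parse_registry(text):
    """ComboFix registry dump -> {lowercased service name: {'ServiceDll'/'ImagePath': value}}."""
    values, current = defaultdict(dict), None
    for line in text.splitlines():
        key = REG_KEY.match(line)
        if key:
            current = key['name'].lower()
        else:
            val = REG_VALUE.match(line)
            if val and current:
                values[current][val['vname']] = val['val']
    return values

def parse_scm_events(text):
    """DDS Event Viewer lines -> {service display name: set of SCM event IDs}."""
    events = defaultdict(set)
    for m in SCM_EVENT.finditer(text):
        events[m['display']].add(int(m['id']))
    return events

def looks_random(name):
    """Weak signal (assumption): lowercase-only name with a 3+ consonant run or under 25% vowels."""
    if len(name) < 5 or not name.isalpha() or not name.islower():
        return False
    run = longest = 0
    for ch in name:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 3 or sum(c in VOWELS for c in name) / len(name) < 0.25

def triage(text, share_threshold=2):
    """Return {service name: [reasons]} for entries that deserve a closer look."""
    services, registry, events = parse_services(text), parse_registry(text), parse_scm_events(text)
    by_dll = defaultdict(list)  # ServiceDll -> svchost-hosted services that load it
    for name, svc in services.items():
        dll = registry[name.lower()].get('ServiceDll', '').lower()
        if dll and 'svchost.exe' in svc['image'].lower():
            by_dll[dll].append(name)
    findings = {}
    for name, svc in services.items():
        reg, reasons = registry[name.lower()], []
        dll = reg.get('ServiceDll', '').lower()
        if dll and len(by_dll[dll]) >= share_threshold:
            others = ', '.join(sorted(n for n in by_dll[dll] if n != name))
            reasons.append(f'ServiceDll {dll} shared with {others}')
        image = reg.get('ImagePath', svc['image']).lower()
        if TMP_IMAGE.search(image):
            reasons.append(f'ImagePath is a .tmp under system32: {image}')
        # SCM events and the name test only corroborate; alone they would also hit legitimate services
        if reasons and events.get(svc['display']):
            reasons.append(f'SCM events {sorted(events[svc["display"]])} for "{svc["display"]}"')
        if reasons and looks_random(name):
            reasons.append('random-looking service name')
        if reasons:
            findings[name] = reasons
    return findings
```

Run triage() over a saved ComboFix log with the DDS Attach.txt appended and it returns the flagged service names with their reasons; on the sample it flags assgygfta, luzop, vrfbbcd and bfgrw and leaves LMIInfo alone. The strong signals are the shared ServiceDll and the .tmp ImagePath; the name heuristic is deliberately only appended to entries that already have a stronger reason, because on its own it would also flag legitimate names such as cryptsvc.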

#8 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:05:18 PM

Posted 16 November 2009 - 08:05 PM

hi,

You're welcome. I am afraid I have not so good news. One more download to get. It's called RootRepeal. Link and directions below.

You should use this computer as little as possible and do no financial transactions online; when not in use, make sure the computer has no internet or LAN connectivity. Looks like rootkit activity. RootRepeal should tell us more.

Please download: RootRepeal

http://ad13.geekstogo.com/RootRepeal.exe

Click the icon on your desktop to start.
Click on the Report tab at the bottom of the window
Next, Click on the Scan button
In the Select Scan Window check everything:

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click the OK button
In the next dialog window select all the drives that are listed
Click OK to start the scan

May take some time to complete.
When done click the Save Report button.
Save the report to your desktop
To Exit RootRepeal: click File>Exit
Post the report in your reply

How Can I Reduce My Risk to Malware?


#9 Sarina5

Sarina5
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:11:18 PM

Posted 17 November 2009 - 02:12 PM

Hi David,

Thank you for your reply! Before posting on this website I came across a few tutorials on how to remove Mirar. One of these involved removing certain registry keys. Although I used regedit to locate the specified files, I didn't actually find them there. Instead I came across lots of dodgy-looking entries, which I know for sure shouldn't be there. Is there anything I can download to remove malicious registry key entries?

Please see below for RootRepeal log as requested:

RootRepeal

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/17 19:00
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAAD20000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A75000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA94B3000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\administrator\local settings\temp\~df35.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\administrator\local settings\temp\~dfffdd.tmp
Status: Allocation size mismatch (API: 32768, Raw: 16384)

Hidden Services
-------------------
Service Name: assgygfta
Image Path: %SystemRoot%\system32\svchost.exe -k netsvcs

Service Name: isyjio
Image Path: %SystemRoot%\system32\svchost.exe -k netsvcs

Service Name: jadjgzm
Image Path: %SystemRoot%\system32\svchost.exe -k netsvcs

Service Name: jstxzys
Image Path: %SystemRoot%\system32\svchost.exe -k netsvcs

Service Name: luzop
Image Path: %SystemRoot%\system32\svchost.exe -k netsvcs

Service Name: punmfevm
Image Path: %SystemRoot%\system32\svchost.exe -k netsvcs

Service Name: vrfbbcd
Image Path: %SystemRoot%\system32\svchost.exe -k netsvcs

Service Name: vvuxch
Image Path: %SystemRoot%\system32\svchost.exe -k netsvcs

==EOF==




Many thanks for your time and help again - much appreciated!
Kind regards,

Sarina.

#10 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:05:18 PM

Posted 17 November 2009 - 09:49 PM

hi Sarina5,

You're welcome, but the Mirar toolbar should be the least of your worries. You see all these:

luzop
jstxzys
vvuxch
assgygfta
punmfevm
jadjgzm
isyjio
vrfbbcd

They are network services. Rootkits can hide from traditional AV and anti-malware tools. We can attempt to remove them with ComboFix, but I can't make any promises your machine would be 100% clean. The best bet for removing rootkits is to reformat and reinstall.

Two links about compromised computers:

The first one is several years old and doesn't even mention the word rootkit, but it still applies:
http://technet.microsoft.com/en-us/library/cc512587.aspx

http://technet.microsoft.com/en-us/library/cc512642.aspx

Let me know how you want to proceed.

How Can I Reduce My Risk to Malware?
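A defender-side triage of the RootRepeal "Hidden Services" section quoted above, as an added example that is not part of this thread or of RootRepeal/ComboFix: it parses the Service Name / Image Path pairs and flags the ones hosted in the shared svchost netsvcs group, which is the pattern shelf life points at. The sample report, the 'examplesvc' control entry and the netsvcs group list are constructed here and are assumptions, not values from the poster's machine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample shaped like the RootRepeal report posted in this thread.
# Two service names are copied from it; 'examplesvc' is invented here as a
# control case that is hidden but runs from its own executable.
SAMPLE_REPORT = """\
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/11/17 19:00
==================================================

Hidden Services
-------------------
Service Name: assgygfta
Image Path: %SystemRoot%\\system32\\svchost.exe -k netsvcs

Service Name: luzop
Image Path: %SystemRoot%\\system32\\svchost.exe -k netsvcs

Service Name: examplesvc
Image Path: C:\\Program Files\\Example\\examplesvc.exe

==EOF==
"""

# Constructed stand-in for the REG_MULTI_SZ 'netsvcs' value under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost: a few genuine XP
# members plus one of the hidden names. A service only loads into that svchost
# group if its name is listed here, so this value is worth diffing against a
# known-good machine.
SAMPLE_NETSVCS_VALUE = ["AppMgmt", "Browser", "CryptSvc", "Schedule", "wuauserv", "luzop"]


@dataclass
class HiddenService:
    name: str
    image_path: str

    @property
    def svchost_group(self) -> Optional[str]:
        """The '-k' group name when the service runs inside svchost.exe, else None."""
        m = re.search(r"svchost\.exe\s+-k\s+(\S+)", self.image_path, re.IGNORECASE)
        return m.group(1) if m else None


def parse_hidden_services(report: str) -> List[HiddenService]:
    """Collect Service Name / Image Path pairs from the 'Hidden Services' section."""
    services: List[HiddenService] = []
    in_section = False
    pending: Optional[str] = None
    for raw in report.splitlines():
        line = raw.strip()
        if line == "Hidden Services":
            in_section = True
            continue
        if not in_section or not line or line.startswith("-"):
            continue
        if line.startswith("Service Name:"):
            pending = line.split(":", 1)[1].strip()
        elif line.startswith("Image Path:") and pending is not None:
            services.append(HiddenService(pending, line.split(":", 1)[1].strip()))
            pending = None
        else:
            break  # any other non-blank line is the next section header or ==EOF==
    return services


def triage(services: List[HiddenService], netsvcs_value: List[str]) -> List[Dict[str, str]]:
    """Rank each hidden service and say where its code actually lives.

    Everything in this section is already invisible to the normal service API,
    so the only question is what to inspect next. For an svchost-hosted entry
    the image is Microsoft's own binary; the payload is the DLL named by the
    service's ServiceDll value (under the service key or its Parameters subkey),
    which is exactly what the ComboFix output later in this thread shows for
    vrfbbcd. A hosted name missing from the visible netsvcs value means the
    registry view itself is being filtered, which is an even stronger signal.
    """
    members = {n.lower() for n in netsvcs_value}
    findings: List[Dict[str, str]] = []
    for svc in services:
        group = svc.svchost_group
        if group is None:
            findings.append({"name": svc.name, "severity": "medium",
                             "reason": "hidden service with its own image",
                             "in_group_list": "n/a", "inspect": svc.image_path})
            continue
        findings.append({"name": svc.name, "severity": "high",
                         "reason": f"hidden service hosted in shared svchost group '{group}'",
                         "in_group_list": "yes" if svc.name.lower() in members else "no",
                         "inspect": f"HKLM\\SYSTEM\\CurrentControlSet\\Services\\{svc.name} "
                                    f"ServiceDll and the '{group}' value under ...\\Svchost"})
    return findings


if __name__ == "__main__":
    for f in triage(parse_hidden_services(SAMPLE_REPORT), SAMPLE_NETSVCS_VALUE):
        print(f"[{f['severity']}] {f['name']} (listed: {f['in_group_list']}): "
              f"{f['reason']} -> {f['inspect']}")
```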


#11 Sarina5

Sarina5
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:11:18 PM

Posted 18 November 2009 - 03:31 AM

Hi David,

OMG!! How in the world would these have been installed!? This is scary! :( Please send me directions on how to proceed.
I look forward to hearing from you soon, and thanks again for your time and help!

Kind regards,

Sarina.

#12 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:05:18 PM

Posted 18 November 2009 - 06:21 PM

hi Sarina5,

I am going to have to spend some more time on a fix before I post it as a reply. You should use the machine as little as possible and do no personal/financial transactions. When not in use, power it off to ensure no connectivity. I will post as soon as I get a script together.

How Can I Reduce My Risk to Malware?


#13 Sarina5

Sarina5
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:11:18 PM

Posted 19 November 2009 - 05:03 AM

Thank you very much for your help.
Look forward to hearing from you soon.

Kind regards,

Sarina.

#14 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:05:18 PM

Posted 19 November 2009 - 06:42 PM

hi,

OK. Let's go with this for now. Use the machine as little as possible until we are done and power it off when not in use.

Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into notepad:


File::
c:\windows\system32\015.tmp
c:\windows\system32\06.tmp 
c:\windows\system32\013.tmp
c:\windows\system32\07.tmp 
c:\windows\system32\04.tmp 
c:\windows\system32\03.tmp 
c:\windows\system32\05.tmp
c:\windows\system32\0309.tmp 
c:\windows\system32\flfwlgxk.dll

Driver::
bfgrw
cjlrcnc
gxhzx
heqohk
iklcwtej
kcfcu
oaugbcws
uihnsvw
assgygfta
isyjio
jadjgzm
jstxzys
luzop
punmfevm
vvuxch

NetSvcs::
luzop
jstxzys
vvuxch
assgygfta
punmfevm
jadjgzm
isyjio
vrfbbcd

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bfgrw]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cjlrcnc]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gxhzx]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\heqohk]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iklcwtej]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kcfcu]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\oaugbcws]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\uihnsvw]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\assgygfta]

Name the Notepad file CFScript.txt and save it to your desktop.
Now locate the file you just saved (CFScript.txt) and the ComboFix icon, both on your desktop.
Using your mouse, drag the CFScript right on top of the ComboFix icon and release; ComboFix will run and produce a new log.
Please post the new ComboFix log in your reply.

How Can I Reduce My Risk to Malware?


#15 Sarina5

Sarina5
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:11:18 PM

Posted 20 November 2009 - 11:31 AM

Hi David,

Please see new log below...

ComboFix log
ComboFix 09-11-16.05 - Administrator 20/11/2009 16:08..1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1015.479 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\013.tmp"
"c:\windows\system32\015.tmp"
"c:\windows\system32\03.tmp"
"c:\windows\system32\0309.tmp"
"c:\windows\system32\04.tmp"
"c:\windows\system32\05.tmp"
"c:\windows\system32\06.tmp"
"c:\windows\system32\07.tmp"
"c:\windows\system32\flfwlgxk.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASSGYGFTA
-------\Legacy_ISYJIO
-------\Legacy_JADJGZM
-------\Legacy_JSTXZYS
-------\Legacy_LUZOP
-------\Legacy_PUNMFEVM
-------\Legacy_VVUXCH
-------\Service_assgygfta
-------\Service_isyjio
-------\Service_jadjgzm
-------\Service_jstxzys
-------\Service_luzop
-------\Service_punmfevm
-------\Service_vvuxch


((((((((((((((((((((((((( Files Created from 2009-10-20 to 2009-11-20 )))))))))))))))))))))))))))))))
.

2009-11-18 19:01 . 2008-04-13 19:45 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2009-11-18 19:01 . 2008-04-13 19:45 26112 ----a-w- c:\windows\system32\drivers\usbser.sys
2009-11-18 19:01 . 2008-03-21 13:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2009-11-18 18:54 . 2009-11-18 18:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Nokia
2009-11-18 18:46 . 2009-03-19 14:48 8320 ----a-w- c:\windows\system32\drivers\nmwcdnsuc.sys
2009-11-18 18:46 . 2009-03-19 14:48 136704 ----a-w- c:\windows\system32\drivers\nmwcdnsu.sys
2009-11-18 18:46 . 2009-02-09 08:37 7808 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
2009-11-18 18:46 . 2009-02-09 08:37 7808 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
2009-11-18 18:46 . 2009-02-09 08:37 22016 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
2009-11-18 18:46 . 2009-02-09 08:37 659968 ----a-w- c:\windows\system32\nmwcdcocls.dll
2009-11-18 18:46 . 2009-02-09 08:37 17664 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
2009-11-18 18:46 . 2009-02-09 08:32 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2009-11-18 18:45 . 2009-11-18 19:56 -------- d-----w- c:\program files\Nokia
2009-11-18 18:44 . 2009-11-18 18:41 24403616 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\NokiaSoftwareUpdaterSetup_en[1].exe
2009-11-18 18:41 . 2009-11-18 18:41 3351812 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\msxml6Exec.exe
2009-11-18 18:41 . 2009-11-18 18:41 36864 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\Sleep.exe
2009-11-18 18:41 . 2009-11-18 18:41 3203453 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\vcredistExec.exe
2009-11-14 22:39 . 2009-11-14 22:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-11-14 22:39 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-14 22:39 . 2009-11-14 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-14 22:39 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-14 22:38 . 2009-11-14 22:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-06 21:43 . 2009-11-06 21:43 -------- d-----w- c:\program files\Common Files\Windows Live
2009-11-04 19:10 . 2009-11-04 13:18 58872 ----a-w- c:\documents and settings\All Users\Application Data\Findbasic\findbasic137.exe
2009-11-03 16:05 . 2009-11-03 16:05 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla
2009-10-28 16:17 . 2003-09-05 18:16 815104 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Dreamweaver MX 2004\Configuration\Flash Player\FlashPlayerW.dll
2009-10-28 16:17 . 2003-09-05 18:16 757760 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Dreamweaver MX 2004\Configuration\Flash Player\NPSWF32.dll
2009-10-28 16:14 . 2009-10-28 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrovision
2009-10-28 14:01 . 2009-10-28 14:01 -------- d-----w- c:\program files\Common Files\Macromedia Shared
2009-10-28 14:01 . 2003-07-30 18:28 487424 ----a-w- c:\windows\system32\msvcp70.dll
2009-10-28 14:01 . 2003-07-30 18:28 974848 ----a-w- c:\windows\system32\mfc70.dll
2009-10-28 14:00 . 2009-10-28 14:01 -------- d-----w- c:\program files\Common Files\Macromedia
2009-10-28 13:59 . 2009-10-28 14:01 -------- d-----w- c:\program files\Macromedia
2009-10-25 20:00 . 1996-11-06 19:11 69632 ----a-w- c:\windows\RAUNINST.EXE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-20 16:04 . 2008-01-24 09:54 -------- d-----w- c:\program files\LogMeIn
2009-11-18 19:01 . 2009-11-18 19:01 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-11-18 19:01 . 2009-11-18 19:01 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-11-18 18:41 . 2008-06-12 18:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2009-11-13 22:39 . 2006-07-11 09:10 -------- d-----w- c:\program files\HyperResearch
2009-11-13 22:29 . 2008-06-06 20:19 -------- dcsh--w- c:\program files\Common Files\WindowsLiveInstaller
2009-11-13 22:25 . 2008-06-06 20:19 -------- d-----w- c:\program files\Windows Live
2009-11-13 22:24 . 2008-06-06 20:19 -------- d-----w- c:\documents and settings\All Users\Application Data\WLInstaller
2009-11-13 22:10 . 2006-11-13 09:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-06 21:50 . 2005-04-07 13:56 62600 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-05 19:14 . 2009-09-26 12:17 -------- d-----w- c:\program files\Findbasic
2009-11-04 19:10 . 2009-09-26 12:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Findbasic
2009-10-28 14:01 . 2005-04-07 14:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-27 19:19 . 2008-10-16 19:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2009-10-27 17:22 . 2008-07-22 16:30 -------- d-----w- c:\program files\Yahoo!
2009-10-27 17:21 . 2009-10-06 17:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-10-27 17:20 . 2009-10-06 17:15 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-17 22:22 . 2006-11-13 09:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-17 22:07 . 2005-04-07 13:57 -------- d-----w- c:\program files\NavNT
2009-10-08 18:36 . 2009-10-08 18:34 -------- d-----w- c:\program files\HT
2009-10-06 20:33 . 2009-10-06 20:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!
2009-10-06 20:08 . 2009-10-06 19:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-06 17:16 . 2009-10-06 17:16 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-06 17:15 . 2009-10-06 17:12 -------- d-----w- c:\program files\Superanti Spyware
2009-09-27 21:49 . 2009-09-27 21:49 47132 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-27 17:18 . 2006-09-29 10:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-09-27 16:01 . 2009-09-27 15:59 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-27 16:01 . 2009-09-27 15:31 -------- d-----w- c:\program files\iTunes
2009-09-27 16:00 . 2009-09-27 16:00 -------- d-----w- c:\program files\iPod
2009-09-27 16:00 . 2009-09-27 15:54 -------- d-----w- c:\program files\Common Files\Apple
2009-09-27 15:59 . 2006-09-29 10:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-09-27 15:59 . 2009-09-27 15:59 -------- d-----w- c:\program files\Bonjour
2009-09-27 15:58 . 2009-09-27 15:58 -------- d-----w- c:\program files\QuickTime
2009-09-27 15:55 . 2006-09-29 10:06 -------- d-----w- c:\program files\Apple Software Update
2009-09-27 15:54 . 2009-09-27 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-09-21 16:09 . 2009-09-21 16:09 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-09-11 14:18 . 2003-03-31 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2003-03-31 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-28 18:42 . 2009-09-27 15:55 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 18:42 . 2009-09-27 15:55 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-26 08:00 . 2003-03-31 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-10-14 18:29 . 2009-09-26 12:18 210944 ----a-w- c:\program files\mozilla firefox\components\rpff.dll
2009-07-18 17:13 . 2009-07-18 17:13 0 --sha-w- c:\windows\DRM\Cache\Indiv03.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-11-16_18.57.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-11 20:54 . 2009-07-11 20:54 65536 c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e79c4723\vcomp.dll
+ 2009-07-11 20:32 . 2009-07-11 20:32 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80KOR.dll
+ 2009-07-11 20:32 . 2009-07-11 20:32 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80JPN.dll
+ 2009-07-11 20:32 . 2009-07-11 20:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ITA.dll
+ 2009-07-11 20:32 . 2009-07-11 20:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80FRA.dll
+ 2009-07-11 20:32 . 2009-07-11 20:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ESP.dll
+ 2009-07-11 20:32 . 2009-07-11 20:32 57344 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ENU.dll
+ 2009-07-11 20:32 . 2009-07-11 20:32 65536 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80DEU.dll
+ 2009-07-11 20:32 . 2009-07-11 20:32 45056 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHT.dll
+ 2009-07-11 20:32 . 2009-07-11 20:32 40960 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHS.dll
+ 2009-07-12 01:07 . 2009-07-12 01:07 57856 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80u.dll
+ 2009-07-12 01:19 . 2009-07-12 01:19 69632 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80.dll
+ 2009-11-20 16:19 . 2009-11-20 16:19 16384 c:\windows\Temp\Perflib_Perfdata_d0.dat
+ 2005-10-13 08:15 . 2009-02-09 08:37 91136 c:\windows\system32\nmwcdcls.dll
+ 2009-11-18 18:46 . 2009-02-09 08:37 22016 c:\windows\system32\DRVSTORE\ccdcmbo_34CB4225E6E4893AE1D3E4443E91C2B9703B729C\ccdcmbo.sys
+ 2009-11-18 18:46 . 2009-02-09 08:37 91136 c:\windows\system32\DRVSTORE\ccdcmb_34CB4225E6E4893AE1D3E4443E91C2B9703B729C\nmwcdcls.dll
+ 2009-11-18 18:46 . 2009-02-09 08:37 17664 c:\windows\system32\DRVSTORE\ccdcmb_34CB4225E6E4893AE1D3E4443E91C2B9703B729C\ccdcmb.sys
+ 2008-03-27 16:27 . 2008-03-27 16:27 35040 c:\windows\system32\drivers\wdfldr.sys
+ 2009-11-18 18:46 . 2009-03-19 14:48 8320 c:\windows\system32\DRVSTORE\nmwcdnsuc_34CB4225E6E4893AE1D3E4443E91C2B9703B729C\nmwcdnsuc.sys
+ 2009-11-18 18:46 . 2009-02-09 08:37 7808 c:\windows\system32\DRVSTORE\ccdcmbm_34CB4225E6E4893AE1D3E4443E91C2B9703B729C\usbser_lowerflt.sys
+ 2009-11-18 18:46 . 2009-02-09 08:37 7808 c:\windows\system32\DRVSTORE\ccdcmbcj_34CB4225E6E4893AE1D3E4443E91C2B9703B729C\usbser_lowerfltj.sys
+ 2009-11-18 18:47 . 2009-11-18 18:47 3262 c:\windows\Installer\{52D02A2B-03D2-4E34-A358-DC5D951FD296}\ARPPRODUCTICON.exe
+ 2009-07-12 01:12 . 2009-07-12 01:12 632656 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
+ 2009-07-12 01:09 . 2009-07-12 01:09 554832 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll
+ 2009-07-12 01:08 . 2009-07-12 01:08 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcm80.dll
+ 2009-11-18 18:46 . 2009-03-19 14:48 136704 c:\windows\system32\DRVSTORE\nmwcdnsu_34CB4225E6E4893AE1D3E4443E91C2B9703B729C\nmwcdnsu.sys
+ 2009-11-18 18:46 . 2009-02-09 08:37 659968 c:\windows\system32\DRVSTORE\ccdcmb_34CB4225E6E4893AE1D3E4443E91C2B9703B729C\nmwcdcocls.dll
+ 2008-03-27 16:27 . 2008-03-27 16:27 503008 c:\windows\system32\drivers\wdf01000.sys
+ 2009-11-18 18:47 . 2009-11-18 18:47 331264 c:\windows\Installer\9c77d.msi
+ 2009-11-18 18:43 . 2009-11-18 18:43 424960 c:\windows\Installer\9c773.msi
+ 2009-07-11 20:46 . 2009-07-11 20:46 1093120 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80u.dll
+ 2009-07-11 20:46 . 2009-07-11 20:46 1105920 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80.dll
+ 2009-11-18 18:46 . 2009-02-09 08:32 1112288 c:\windows\system32\DRVSTORE\ccdcmb_34CB4225E6E4893AE1D3E4443E91C2B9703B729C\wdfcoinstaller01007.dll
- 2005-04-14 09:09 . 2009-11-15 19:04 3817472 c:\windows\Installer\5b60c.msi
+ 2005-04-14 09:09 . 2009-11-18 19:39 3817472 c:\windows\Installer\5b60c.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe" [2009-04-29 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\program files\NavNT\vptray.exe" [2001-12-05 73728]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-08 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-08 126976]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-06-28 32768]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-11-15 18:46 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Limewire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 Findbasic Service;Findbasic Service;c:\documents and settings\All Users\Application Data\Findbasic\findbasic137.exe [04/11/2009 19:10 58872]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [03/08/2007 15:09 12992]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [24/01/2008 09:55 46112]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [03/05/2004 15:26 80384]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 vrfbbcd;Monitor Windows;c:\windows\system32\svchost.exe -k netsvcs [31/03/2003 12:00 14336]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [18/11/2009 18:46 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [18/11/2009 18:46 8320]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
vrfbbcd
.
Contents of the 'Scheduled Tasks' folder

2009-10-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
DPF: {38D6D77C-5EC1-4A4A-AFEB-85FE780CD61A} - hxxp://www.qurancomplex.com/downloads/FontDown.cab
DPF: {DF9C24D1-030E-49ED-5EB5-D6610086C313} - hxxp://www.superstarracing.net/miniclip/ChatRepublicPlayer.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ls8knurh.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - component: c:\program files\Mozilla Firefox\components\rpff.dll
FF - plugin: c:\program files\Common Files\ParallelGraphics\Cortona\npCortona.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCortona.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-20 16:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vrfbbcd]
"ServiceDll"="c:\windows\system32\flfwlgxk.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4021508746-67682326-3153008980-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6a,2f,87,ba,51,6f,b0,49,8e,ce,90,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2f,45,f9,a1,41,71,20,4b,85,88,bc,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6a,2f,87,ba,51,6f,b0,49,8e,ce,90,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)
c:\windows\system32\LMIinit.dll
c:\windows\system32\NavLogon.dll

- - - - - - - > 'explorer.exe'(3572)
c:\windows\system32\WININET.dll
c:\program files\Findbasic\findbasic.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\NavNT\defwatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\NavNT\rtvscan.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\System32\locator.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Findbasic\findbasic.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\windows\System32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2009-11-20 16:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-20 16:25

Pre-Run: 61,888,835,584 bytes free
Post-Run: 61,843,578,880 bytes free

- - End Of File - - 0E003923E26F6DB12141D60CCB277336


Thanks again for your help!

Sarina.



