"Malware Defender"


This topic is locked
16 replies to this topic

#1 BearCandy


Posted 13 January 2010 - 01:50 AM

I have to make this quick because the virus won't allow me to stay on very long. I have figured out how to boot them off by going to my task manager and deleting "explore.exe" as well as "iexplore.exe." But that only buys me a little time.

It started about three days ago while I updated a photo on Classmates though I think it may have already been here. This is a borrowed laptop for work. I MISS MY MAC.

Quick!

Toshiblah! Running Windows 2000 5.1 (huh?)

I have SpyDoctor running, as well as Xoftspy and Regcure and a bunch of other software I have only yet discovered, or not?

SpyDoctor caught the malware but the malware then stopped SpyDoctor. I am running the system in safe mode with networking. It won't work otherwise.

Error messages for websites.

History bar shows webpage I've not been to.

Lovely Porntube on the desktop.

I was able to remove the "Malware Defender" (mdefend.exe) file but not its bastardized files. Rogue antispyware: Coreguard Antivirus 2009.

Browser is redirecting on Firefox. Works on IE but will pop up errors and block usage forcing user to close down. I found that ignoring the errors allowed me to get around some.

I tried to run Malwarebytes but it has not worked. It jams no matter how I try to access it.


I have another laptop which is on my wireless and I am cleaning that one. I was able to run Malwarebytes and it found 5 items.

But that one had a lot more security gates than this one.

Below is the Hijackthis log. Thanks in advance for any and all help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:09 AM, on 1/13/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\RegCure\RegCure.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\Iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchcanvas.com/?ot=6
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - (no file)
O3 - Toolbar: ShareThis - {6A719530-8443-4898-9BC4-69E76B5F1C89} - C:\Program Files\ShareThis Toolbar\share2me.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [XoftSpySE] "C:\Program Files\XoftSpySE6\XoftSpySE.exe" -NM -hidesplash
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\WINDOWS\is-9LLPE.exe" /REG
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O15 - Trusted Zone: *.download.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {0D859AF0-C75E-11D4-B760-00E0B81077E8} (FileCruiser Class) - http://sef.mlxchange.com/Control/FileCruiser.cab
O16 - DPF: {16FD824B-8E7B-11D2-9855-00802962956C} (Specfile Control) - http://sef.mlxchange.com/Control/Specfile.cab
O16 - DPF: {284DAE3C-A691-11D3-AD58-00E0B8107A24} (SISCtrl Class) - http://sef.mlxchange.com/Control/SISC.cab
O16 - DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} (UploadListView Class) - http://picasaweb.google.com/s/v/58.14/uploader2.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://sef.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1163016009888
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://sef.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {78523E50-56EB-11D3-B739-CAA1986A452F} (LiteGridCtl Class) - http://sef.mlxchange.com/Control/LiteGrid.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://sef.mlxchange.com/5.0.05.46/Control/IRCSharc.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F060A272-A18A-11D3-B75B-00E0B81077E8} (DropList Class) - http://sef.mlxchange.com/Control/AspCustomCtrls.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: XoftSpyService - ParetoLogic Inc. - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe

--
End of file - 12115 bytes
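A first triage pass over a log in this format is what a helper does before asking for DDS and GMER output. The script below is an added example written for this page, not a BleepingComputer or HijackThis tool: it parses HijackThis v2 entry lines and flags the entry classes that appear in the log above (a start page pointing away from vendor defaults, BHO and toolbar entries whose DLL is gone, a RunOnce autorun, repeated "Unknown file in Winsock LSP" lines, a Trusted Zone wildcard and a service with no vendor string). The sample lines and the `KNOWN_HOSTS` allowlist are constructed for the example, and the severities are illustrative heuristics for an analyst to review, not verdicts.

```python
import re
from collections import Counter

# Constructed sample in HijackThis v2 line format, modelled on the entry types that
# appear in the log posted above (a subset of them, not the full log).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchcanvas.com/?ot=6
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\WINDOWS\is-9LLPE.exe" /REG
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O15 - Trusted Zone: *.download.com
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
"""

# Hosts accepted as legitimate IE defaults on this OEM build: a constructed allowlist
# for the example, to be replaced with the analyst's own.
KNOWN_HOSTS = {"go.microsoft.com", "www.microsoft.com", "www.toshibadirect.com"}

ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.+)$")
URL_RE = re.compile(r"=\s*(https?://\S+)")
SEVERITY = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def host_of(url):
    """Hostname part of an http(s) URL, lower-cased."""
    return url.split("//", 1)[1].split("/", 1)[0].lower()


def parse_entries(log_text):
    """Return (type, body) pairs for every HJT entry line; header and process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("type"), m.group("body")))
    return entries


def triage(log_text):
    """Return (severity, type, note) findings, highest severity first, for entries that deserve a human look."""
    findings = []
    lsp = Counter()
    for etype, body in parse_entries(log_text):
        if etype in ("R0", "R1"):
            # Browser start/search page pointing somewhere other than vendor defaults
            m = URL_RE.search(body)
            if m and host_of(m.group(1)) not in KNOWN_HOSTS:
                findings.append(("HIGH", etype, f"browser default points at {host_of(m.group(1))}"))
        elif etype in ("O2", "O3") and body.endswith("(no file)"):
            # Registered BHO/toolbar whose DLL is gone: harmless leftover, but noise to clean
            findings.append(("LOW", etype, f"orphaned entry: {body.split(' - ')[0]}"))
        elif etype == "O4" and "RunOnce" in body:
            # Executes once at next logon; confirm it belongs to an installer the user ran
            findings.append(("MEDIUM", etype, f"one-shot autorun, confirm origin: {body}"))
        elif etype == "O10":
            lsp[body.rsplit(":", 1)[1].strip()] += 1
        elif etype == "O15":
            # Trusted Zone sites get relaxed IE security settings
            findings.append(("MEDIUM", etype, f"relaxed IE security for: {body.split(':', 1)[1].strip()}"))
        elif etype == "O23" and "Unknown owner" in body:
            findings.append(("LOW", etype, f"service with no vendor string, verify the file: {body}"))
    for dll, n in lsp.items():
        # Repeated O10 lines are one LSP registered in several chains. Removing an LSP
        # that is actually legitimate (check O23 for a matching vendor) breaks Winsock.
        findings.append(("MEDIUM", "O10", f"Winsock LSP {dll} unknown to HJT ({n} entries); verify vendor before touching it"))
    return sorted(findings, key=lambda f: SEVERITY[f[0]])


if __name__ == "__main__":
    for sev, etype, note in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {etype:4} {note}")
```

The O10 handling is the part worth keeping in mind: HijackThis lists the same LSP once per chain it sits in, so the three bmnet.dll lines in the posted log are a single registration, and the Bytemobile service in that log's O23 section is exactly the cross-check the note asks for before anyone removes it. Unwinding a Winsock LSP chain by hand is what turns a malware cleanup into a laptop with no network.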



#2 BearCandy


Posted 15 January 2010 - 05:37 PM

Patiently waiting but situation getting worse.


===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work on may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not post multiple times here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days, up to two weeks, perhaps less, to get a response, but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses, as the e-mail notification system is unreliable.

Thank you for understanding.

Elise - forum moderator

Edited by elise025, 16 January 2010 - 02:01 PM.


#3 Elise


Posted 19 January 2010 - 07:37 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results. Post both logs (no need to zip attach.txt).
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)
  • GMER log

Please do NOT post logs as attachments, unless you are unable to copy/paste a log directly in the reply box.


Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#4 BearCandy


Posted 20 January 2010 - 01:15 AM


Thanks Elise.

I am no longer able to operate on the laptop originally infected. I had to switch to my other one, which is also infected. If I can get this one cleaned up, I will try again on the other one.

Computer specs:

Dell Inspiron B130
Processor Intel® Pentium® M processor 1.73GHz
Operating System Microsoft Windows XP Home Edition
Operating System Version 5.1.2600

I am fairly sure it is infected with VirtuMonde, FakeAlert, Sonic and some others.

It is installing programs, moving files around and reinstalling deleted programs. I am no longer getting fake alerts after cleaning up what I could to get it functional.

I am not able to update any security updates or program updates.

SpyBot will run in safe mode but it won't update nor will it keep settings. It has not detected any virus for days. It did catch FakeAlert at first but it failed to remove it.

Malwarebytes will also run in safe mode but it will not update. It has not reported finding any virus either.

I have run DDS but am not sure if it is complete. I am attaching that below.

I am unable to successfully run GMER. I have tried many different ways. If in safe mode, it will scan for hours and then shut down without showing but four files.

I tried to run Wi32K but that was blocked.

It's been tricky because the settings were being changed. In safe mode, I was not able to download into administrator's desktop.

I hope you can help me get around this as I work from home.



DDS logs
-------------------------------


DDS (Ver_09-12-01.01) - NTFSx86
Run by Sandy at 19:51:49.59 on Tue 01/19/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.75 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\RegCure\RegCure.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\dds.scr

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
mURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hewlett-packard\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hewlett-packard\smart web printing\hpswp_framework.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.0\NppBho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: del.icio.us Toolbar Helper: {7aa07ae6-01ef-44ec-93ca-9d7cd41ccdb6} - c:\program files\del.icio.us\internet explorer buttons\dlcsIE.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.0\UIBHO.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: del.icio.us: {981fe6a8-260c-4930-960f-c3bc82746cb0} - c:\program files\del.icio.us\internet explorer buttons\dlcsIE.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {A58686ED-FC46-44C3-95C6-4A812AB776F1} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\spybot - search & destroy\TeaTimer.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hewlett-packard\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hewlett-packard\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\spybot~1\SDHelper.dll
Trusted Zone: careerbuilders.com
Trusted Zone: musicmatch.com\online
DPF: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} - hxxp://o.aolcdn.com/pictures/ap/Resources/2.0.8.98/cab/aolpPlugins.10.6.0.6.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/26.34/uploader2.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.5.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6BAB93B7-1917-4214-A7D2-874FA6DB4740} - hxxp://o.aolcdn.com/pictures/ap/Resources/2.0.4.69/cab/aolpPlugins.10.4.0.4.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146942422265
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB77}
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} -
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sandy\applic~1\mozilla\firefox\profiles\bfw3dalw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?q=
FF - component: c:\documents and settings\sandy\application data\mozilla\firefox\profiles\bfw3dalw.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
FF - component: c:\documents and settings\sandy\application data\mozilla\firefox\profiles\bfw3dalw.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2006-9-3 108648]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2006-9-3 108648]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-1-13 236368]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-5-15 101936]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-1-13 19160]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090514.002\NAVENG.SYS [2009-5-15 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090514.002\NAVEX15.SYS [2009-5-15 876144]
R3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-11-25 1251720]
S2 Viewpoint Manager Service;Viewpoint Manager Service; [x]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-5-5 30192]
S3 XoftSpyService;XoftSpyService;c:\program files\common files\xoftspyse\6\xoftspyservice.exe [2009-8-28 582424]

=============== Created Last 30 ================

2010-01-20 00:44:30 524288 ----a-w- C:\dds.scr
2010-01-19 23:41:48 290816 ----a-w- C:\exeHelper.com
2010-01-19 23:36:27 77312 ----a-w- C:\mbr.exe
2010-01-19 22:55:38 47616 ----a-w- C:\Win32kDiag.exe
2010-01-17 02:09:44 0 d-----w- C:\Spybot - Search & Destroy
2010-01-17 02:09:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-01-17 01:32:12 0 d-----w- C:\SmitRem
2010-01-16 18:14:33 54156 ---ha-w- c:\windows\QTFont.qfn
2010-01-16 18:14:33 1409 ----a-w- c:\windows\QTFont.for
2010-01-15 16:07:36 1089601 ------w- c:\windows\system32\dllcache\ntprint.cat
2010-01-15 08:13:43 117760 ------w- c:\windows\system32\prntvpt.dll
2010-01-15 08:13:42 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-01-15 08:13:42 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-01-15 08:13:40 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-01-15 08:13:40 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-01-15 08:13:37 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-01-15 08:13:37 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-01-15 08:13:30 0 d-----w- C:\c4607a9960a1fc5991b5500170
2010-01-13 14:57:46 146944 ----a-w- c:\windows\system32\st325602.dll
2010-01-13 08:44:23 0 d-----w- C:\adae267f65b61f23d06451ce71f5
2010-01-13 06:06:33 0 d-----w- c:\docume~1\sandy\applic~1\Malwarebytes
2010-01-13 06:06:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-13 06:06:04 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-13 06:06:02 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-13 06:06:02 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-13 05:35:55 0 d-sh--w- c:\documents and settings\sandy\PrivacIE
2010-01-13 05:33:03 470528 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-13 02:09:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Cached Installations
2010-01-11 22:38:19 0 d-----w- C:\!KillBox
2010-01-11 19:07:56 224 ----a-w- c:\windows\system32\9B13A86D.plf
2010-01-11 18:41:37 33664 ----a-w- c:\windows\system32\drivers\BCMWLNPF.SYS
2010-01-11 18:41:33 86016 ----a-w- c:\windows\system32\preflib.dll
2010-01-11 18:41:31 69632 ----a-w- c:\windows\system32\bcmwlpkt.dll
2010-01-11 18:41:17 2129920 ----a-w- c:\windows\system32\WLBCGCBPRO731.DLL
2010-01-11 18:41:11 757760 ----a-w- c:\windows\system32\bcm1xsup.dll
2010-01-11 18:31:29 212992 ----a-w- c:\windows\system32\UCI32M19.dll
2010-01-11 18:21:38 0 d-----w- c:\docume~1\sandy\applic~1\DriverCure
2010-01-11 18:20:58 0 d-----w- c:\docume~1\alluse~1\applic~1\DriverCure
2010-01-11 18:20:24 0 d-----w- c:\program files\ParetoLogic
2010-01-11 17:24:14 0 d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2010-01-11 17:24:12 0 d-----w- c:\program files\common files\ParetoLogic
2010-01-11 17:23:57 0 d-----w- c:\program files\common files\XoftSpySE
2010-01-11 17:23:28 0 d-----w- c:\program files\XoftSpySE6
2010-01-11 17:23:28 0 d-----w- c:\docume~1\alluse~1\applic~1\XoftSpySE
2010-01-11 15:08:38 0 d-----w- c:\program files\MSXML 6.0
2010-01-11 15:04:09 0 d-----w- C:\a00c2ec5cc37fc046f
2010-01-11 15:03:58 0 d-----w- C:\c7a01afe5f1d9721f73cedb8a09d6b63
2010-01-11 14:41:02 0 d-----w- c:\docume~1\alluse~1\applic~1\RegCure
2010-01-06 08:24:25 0 d-----w- C:\5c338c88450e85661e8ac0ea9c
2010-01-06 08:23:17 0 d-----w- C:\19475113757489fc8b8a
2010-01-01 08:01:23 0 d-----w- C:\1ff49c13d1df59db060de98c410774b9
2010-01-01 00:46:52 0 d-sh--w- c:\documents and settings\sandy\IETldCache
2010-01-01 00:26:14 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-01-01 00:26:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-01-01 00:25:31 92160 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-01-01 00:23:16 0 d-----w- c:\windows\Offline Web Pages
2009-12-31 23:43:25 0 d-----w- c:\windows\ServicePackFiles
2009-12-31 23:13:40 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-12-31 23:13:10 128512 ------w- c:\windows\system32\dllcache\dhtmled.ocx
2009-12-31 22:44:29 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-12-31 22:41:04 655872 ------w- c:\windows\system32\dllcache\mstscax.dll
2009-12-31 22:38:00 993 ---ha-w- C:\IPH.PH

==================== Find3M ====================

2010-01-17 09:49:04 13408 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-10-29 07:45:38 916480 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:45:38 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2009-10-29 07:45:37 5940736 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-10-29 07:45:37 206848 ------w- c:\windows\system32\dllcache\occache.dll
2009-10-29 07:45:37 1208832 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-10-29 07:45:35 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-10-29 07:45:35 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-10-29 07:45:35 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2009-10-29 07:45:34 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-10-29 07:45:34 184320 ------w- c:\windows\system32\dllcache\iepeers.dll
2009-10-29 07:45:33 11069952 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-10-29 07:45:32 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-28 14:36:32 389120 ----a-w- c:\windows\system32\SET57.tmp
2009-10-28 14:36:11 70656 ----a-w- c:\windows\system32\SET59.tmp
2009-10-28 14:36:11 70656 ----a-w- c:\windows\system32\dllcache\SET89.tmp
2009-10-28 14:36:11 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-10-28 06:54:16 634632 ----a-w- c:\windows\system32\dllcache\SET97.tmp
2009-10-28 06:52:46 161792 ----a-w- c:\windows\system32\SET5C.tmp
2009-10-28 06:52:46 161792 ----a-w- c:\windows\system32\dllcache\SET8C.tmp
2007-03-10 18:06:37 6429332 -c--a-w- c:\program files\scorpio.zip
2009-01-28 16:40:34 104 --sh--r- c:\windows\system32\590579E57B.sys
2009-01-12 02:53:10 168 --sh--r- c:\windows\system32\7BE5790559.sys

============= FINISH: 19:52:22.03 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 4/6/2006 3:08:24 AM
System Uptime: 1/19/2010 6:05:57 PM (1 hours ago)

Motherboard: Dell Inc. | | 0GD366
Processor: Intel® Pentium® M processor 1.73GHz | Microprocessor | 1729/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 53 GiB total, 12.029 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom 440x 10/100 Integrated Controller
Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01C91028&REV_02\4&2FA23535&0&00F0
Manufacturer: Broadcom
Name: Broadcom 440x 10/100 Integrated Controller
PNP Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01C91028&REV_02\4&2FA23535&0&00F0
Service: bcm4sbxp

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Dell Wireless 1370 WLAN Mini-PCI Card
Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_00051028&REV_02\4&2FA23535&0&18F0
Manufacturer: Broadcom
Name: Dell Wireless 1370 WLAN Mini-PCI Card
PNP Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_00051028&REV_02\4&2FA23535&0&18F0
Service: BCM43XX

==== System Restore Points ===================

RP790: 12/31/2009 2:39:14 PM - Software Distribution Service 3.0
RP791: 12/31/2009 5:43:14 PM - Software Distribution Service 3.0
RP792: 12/31/2009 6:33:41 PM - Software Distribution Service 3.0
RP793: 1/1/2010 3:00:38 AM - Software Distribution Service 3.0
RP794: 1/2/2010 3:00:41 AM - Software Distribution Service 3.0
RP795: 1/6/2010 3:11:47 AM - Software Distribution Service 3.0
RP796: 1/6/2010 7:25:37 PM - Software Distribution Service 3.0
RP797: 1/7/2010 8:12:58 PM - System Checkpoint
RP798: 1/8/2010 8:44:11 PM - System Checkpoint
RP799: 1/9/2010 9:13:00 PM - System Checkpoint
RP800: 1/11/2010 3:26:13 AM - Software Distribution Service 3.0
RP801: 1/11/2010 9:29:49 AM - Removed Corel Photo Album 6
RP802: 1/11/2010 9:31:52 AM - Removed Get High Speed Internet!
RP803: 1/11/2010 9:35:57 AM - Removed RollerCoaster Tycoon 2
RP804: 1/11/2010 10:03:28 AM - Software Distribution Service 3.0
RP805: 1/11/2010 11:27:30 AM - Installed Windows Internet Explorer 8.
RP806: 1/11/2010 11:30:39 AM - Software Distribution Service 3.0
RP807: 1/11/2010 12:03:50 PM - Software Distribution Service 3.0
RP808: 1/11/2010 1:30:55 PM - Conexant Conexant HDA D110 MDC V.92 Modem
RP809: 1/11/2010 1:34:01 PM - Broadcom Broadcom 440x 10/100 Integrated Controller
RP810: 1/11/2010 1:38:14 PM - Broadcom Corporation Dell Wireless 1370 WLAN Mini-PCI Card
RP811: 1/11/2010 1:48:18 PM - (Standard system devices) ISAPNP Read Data Port
RP812: 1/11/2010 1:54:02 PM - Intel Intel® 82801 PCI Bridge - 2448
RP813: 1/11/2010 1:58:41 PM - Installed ParetoLogic Data Recovery.
RP814: 1/11/2010 2:15:34 PM - Software Distribution Service 3.0
RP815: 1/11/2010 2:28:14 PM - (Standard system devices) ISAPNP Read Data Port
RP816: 1/11/2010 2:57:49 PM - Intel Intel® 82801FB/FBM Ultra ATA Storage Controllers - 266F
RP817: 1/11/2010 3:20:49 PM - Intel Intel® 82801FB/FBM PCI Express Root Port - 2660
RP818: 1/11/2010 3:44:32 PM - Intel Intel® 82801FB/FBM USB2 Enhanced Host Controller - 265C
RP819: 1/11/2010 11:23:35 PM - Software Distribution Service 3.0
RP820: 1/12/2010 3:00:44 AM - Software Distribution Service 3.0
RP821: 1/12/2010 9:12:02 PM - Restore Operation
RP822: 1/13/2010 2:35:41 AM - Software Distribution Service 3.0
RP823: 1/13/2010 3:35:25 AM - Software Distribution Service 3.0
RP824: 1/13/2010 9:57:08 AM - SigmaTel SigmaTel High Definition Audio CODEC
RP825: 1/13/2010 9:59:48 AM - Installed SigmaTel Audio
RP826: 1/14/2010 10:01:18 AM - System Checkpoint
RP827: 1/14/2010 3:16:10 PM - Software Distribution Service 3.0
RP828: 1/15/2010 3:00:39 AM - Software Distribution Service 3.0
RP829: 1/15/2010 5:32:18 AM - Printer Driver Microsoft XPS Document Writer Installed
RP830: 1/16/2010 3:00:43 AM - Software Distribution Service 3.0
RP831: 1/19/2010 4:25:47 AM - System Checkpoint
RP832: 1/19/2010 4:05:33 PM - Software Distribution Service 3.0

==== Installed Programs ======================

32 Bit HP CIO Components Installer
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 7.0
Adobe Shockwave Player
AIO_Scan
Anywhere PE Viewer
AOL Uninstaller (Choose which Products to Remove)
AOLIcon
AppCore
Apple Mobile Device Support
Apple Software Update
AV
Bookmark Wizard
Broadcom Management Programs
BufferChm
C4200
C4200_doccd
c4200_Help
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera WIA Driver
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon EOS-1D Mark II N WIA Driver
Canon EOS-1Ds Mark II WIA Driver
Canon EOS 5D WIA Driver
Canon EOS Kiss_N REBEL_XT 350D WIA Driver
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities Digital Photo Professional 2.1
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
ccCommon
ClueFinders 5th Grade Adventures
Conexant HDA D110 MDC V.92 Modem
Copy
Corel Paint Shop Pro Photo XI
Corel Paint Shop Pro X
Corel Snapfire DVD Maker
Corel Snapfire Plus
Critical Update for Windows Media Player 11 (KB959772)
CustomerResearchQFolder
del.icio.us Buttons for Internet Explorer
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Support 3.1
Dell System Restore
Dell Wireless WLAN Card
DeLorme Street Atlas USA 2006
DeLorme Street Atlas USA 2006 Data
Destination Component
DeviceDiscovery
DeviceManagementQFolder
Digital Content Portal
Digital Line Detect
Digital Photography Winter Fun Pack
DocProc
DocProcQFolder
EarthLink setup files
EducateU
eSupportQFolder
Finger 1.9
FoneSync
Google Desktop
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
Highlight Viewer (Windows Live Toolbar)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
HP Customer Participation Program 9.0
HP Imaging Device Functions 9.0
HP Memories Disc
HP OCR Software 9.0
HP Photo and Imaging 2.0 - Photosmart Printer Series
HP Photosmart All-In-One Software 9.0
HP Photosmart Essential 2.01
HP Photosmart Essential2.01
HP Smart Web Printing
HP Smart Web Printing 4.60
HP Solution Center 9.0
HP Update
HPProductAssistant
HPSSupply
ieSpell
Intel® Graphics Media Accelerator Driver for Mobile
Internal Network Card Power Management
Internet Explorer Default Page
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
JAP
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 5
Learn2 Player (Uninstall Only)
LimeWire 4.18.2
LiveUpdate 3.1 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Malwarebytes' Anti-Malware
Map Button (Windows Live Toolbar)
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Plus! Digital Media Edition
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! for Windows XP
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows Theme Nunavut
Microsoft Word 2000 SR-1
Microsoft Works 2001 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
mIRC
Modem Helper
Mozilla Firefox (3.5.7)
MSN
MSRedist
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
Musicmatch® Jukebox
MyWay Search Assistant
NetZeroInstallers
NILE THEME
Norton AntiVirus
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
ParetoLogic Data Recovery
ParetoLogic DriverCure
PH World History © 05
Photo Viewer 2.4
Photosmart 130,230,7150,7345,7350,7550 (Remove only)
Picasa 2
PowerDVD 5.5
PS_AIO_ProductContext
PS_AIO_Software
PS_AIO_Software_min
PSSWCORE
QuickSet
QuickTime
RealPlayer Basic
RegCure
RIA-Media Viewer
SAMSUNG CDMA Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem ^^
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio
Samsung PC Studio 3 USB Driver Installer
Samsung PC Studio for SGH-D807
Samsung Samples Installer
Scan
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
SigmaTel Audio
Smart Menus (Windows Live Toolbar)
SolutionCenter
Sonic DLA
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
SPBBC 32bit
Spybot - Search & Destroy
Status
Street Atlas USA 2006
Symantec Real Time Storage Protection Component
SymNet
Synaptics Pointing Device Driver
Toolbox
TrayApp
Tropical Screensaver
Try Corel Snapfire muvee autoProducer add on
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Verizon Online DSL
VideoToolkit01
Virtual Earth 3D (Beta)
WebCyberCoach 3.2 Dell
WebFldrs XP
WebReg
Windows Defender
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Live Favorites for Windows Live Toolbar
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB888310
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Works Suite OS Pack
Works Synchronization
XoftSpySE

==== Event Viewer Messages From Past Week ========

1/19/2010 7:40:50 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.101 with the system having network hardware address 00:23:DF:E4:D9:83. Network operations on this system may be disrupted as a result.
1/19/2010 7:39:10 PM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 0014A45645B2 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
1/19/2010 5:21:01 PM, error: System Error [1003] - Error code 10000050, parameter1 fcd5400b, parameter2 00000000, parameter3 a82a1c65, parameter4 00000000.
1/19/2010 5:11:56 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the HTTP SSL service to connect.
1/19/2010 5:11:56 PM, error: Service Control Manager [7000] - The HTTP SSL service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/19/2010 5:02:23 PM, error: Service Control Manager [7031] - The Windows Defender service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
1/19/2010 5:02:01 PM, error: Service Control Manager [7031] - The Windows Defender service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
1/19/2010 5:01:26 PM, error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 1 time(s).
1/19/2010 4:49:54 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
1/19/2010 4:46:44 AM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The system cannot find the file specified.
1/19/2010 4:46:40 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
1/19/2010 3:45:30 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Google Updater Service service to connect.
1/19/2010 3:45:30 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service gusvc with arguments "" in order to run the server: {89DAE4CD-9F17-4980-902A-99BA84A8F5C8}
1/19/2010 3:45:20 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the LiveUpdate service to connect.
1/19/2010 3:45:20 PM, error: Service Control Manager [7000] - The LiveUpdate service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/19/2010 3:44:53 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service LiveUpdate with arguments "" in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}
1/19/2010 3:37:25 PM, error: Service Control Manager [7023] - The HID Input Service service terminated with the following error: The system cannot find the file specified.
1/19/2010 3:37:25 PM, error: Service Control Manager [7000] - The Viewpoint Manager Service service failed to start due to the following error: The system cannot find the path specified.
1/19/2010 3:37:25 PM, error: Service Control Manager [7000] - The Pure Networks Router Manager service failed to start due to the following error: The system cannot find the file specified.
1/19/2010 3:37:25 PM, error: Service Control Manager [7000] - The Pure Networks Network Magic Service service failed to start due to the following error: The system cannot find the file specified.
1/19/2010 3:21:07 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
1/19/2010 12:36:35 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: APPDRV eeCtrl Fips intelppm SPBBCDrv SRTSP SRTSPX StarOpen SYMTDI
1/19/2010 12:35:44 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

==== End Of File ===========================

#5 Elise

Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,247 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:12:15 PM

Posted 20 January 2010 - 09:05 AM

Hello BearCandy,

To be able to clean both computers, I need you to follow these steps:
Disconnect your not-accessible laptop from the internet and/or from any other network that might be connected with the computer you posted the logs for.
We will concentrate on cleaning this one up; once that's done, I will instruct you on what to do with the other one without re-infecting your other computer again.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#6 BearCandy

BearCandy
  • Topic Starter
  • Members
  • 8 posts
  • OFFLINE
  • Gender:Female
  • Local time:04:15 AM

Posted 21 January 2010 - 03:23 AM

Elise, thank you very much.

It took a lot longer than I expected. I did not get the recovery console. Not sure what that means.

The other laptop is off and I shelved it a week ago. Will look forward to instructions for that one later.

Below is the ComboFix log.

--------------------------------------------


ComboFix 10-01-20.05 - Sandy 01/21/2010 1:57.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.171 [GMT -5:00]
Running from: C:\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Sandy\Local Settings\Temporary Internet Files\AlxRes_dll_IMAGE_bg_popup.gif
c:\documents and settings\Sandy\Local Settings\Temporary Internet Files\AlxRes_dll_IMAGE_window_sliver.gif
c:\documents and settings\Sandy\My Documents\ZbThumbnail.info
c:\documents and settings\Sandy\My Documents\ZbThumbnail_26mar08.info
c:\program files\Internet Explorer\SET40.tmp
c:\program files\Internet Explorer\SET41.tmp
c:\program files\Internet Explorer\SET42.tmp
C:\Thumbs.db
c:\windows\system32\AutoRun.inf
c:\windows\system32\KGyGaAvL.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2009-12-21 to 2010-01-21 )))))))))))))))))))))))))))))))
.

2010-01-21 05:26 . 2010-01-21 06:24 3831636 ----a-r- C:\ComboFix.exe
2010-01-21 02:24 . 2010-01-21 02:24 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2010-01-20 13:47 . 2010-01-20 13:50 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-01-20 10:24 . 2010-01-20 10:24 -------- d-----w- c:\windows\system32\LogFiles
2010-01-20 04:48 . 2010-01-20 04:48 0 ----a-w- C:\j10o6u3g.reg
2010-01-19 09:26 . 2010-01-19 09:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\MSNInstaller
2010-01-19 09:12 . 2010-01-19 09:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AOL
2010-01-17 02:09 . 2010-01-17 03:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-17 02:09 . 2010-01-17 02:23 -------- d-----w- C:\Spybot - Search & Destroy
2010-01-17 01:32 . 2010-01-19 05:37 -------- d-----w- C:\SmitRem
2010-01-16 20:06 . 2010-01-16 20:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-15 08:19 . 2010-01-15 08:19 -------- d-----w- c:\program files\MSBuild
2010-01-15 08:18 . 2010-01-15 08:18 -------- d-----w- c:\program files\Reference Assemblies
2010-01-15 08:18 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-01-15 08:13 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-01-15 08:13 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-01-15 08:13 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-01-15 08:13 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-01-15 08:13 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-01-15 08:13 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-01-15 08:13 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-01-15 08:13 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-01-15 08:13 . 2010-01-15 08:18 -------- d-----w- C:\c4607a9960a1fc5991b5500170
2010-01-13 14:57 . 2007-08-21 14:58 146944 ----a-w- c:\windows\system32\st325602.dll
2010-01-13 08:44 . 2010-01-13 08:44 -------- d-----w- C:\adae267f65b61f23d06451ce71f5
2010-01-13 06:06 . 2010-01-13 06:06 -------- d-----w- c:\documents and settings\Sandy\Application Data\Malwarebytes
2010-01-13 06:06 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-13 06:06 . 2010-01-13 06:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-13 06:06 . 2010-01-16 22:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-13 06:06 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-13 05:35 . 2010-01-13 05:35 -------- d-sh--w- c:\documents and settings\Sandy\PrivacIE
2010-01-13 05:33 . 2009-11-21 16:36 470528 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-13 02:35 . 2010-01-13 02:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Share-to-Web Upload Folder
2010-01-13 02:09 . 2010-01-13 02:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Cached Installations
2010-01-13 01:55 . 2010-01-20 04:55 50888 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-11 22:38 . 2010-01-11 22:38 -------- d-----w- C:\!KillBox
2010-01-11 18:41 . 2006-11-01 17:48 33664 ----a-w- c:\windows\system32\drivers\BCMWLNPF.SYS
2010-01-11 18:41 . 2006-11-01 17:48 86016 ----a-w- c:\windows\system32\preflib.dll
2010-01-11 18:41 . 2006-11-01 17:48 69632 ----a-w- c:\windows\system32\bcmwlpkt.dll
2010-01-11 18:41 . 2006-11-01 17:48 2129920 ----a-w- c:\windows\system32\WLBCGCBPRO731.DLL
2010-01-11 18:41 . 2006-11-01 17:48 757760 ----a-w- c:\windows\system32\bcm1xsup.dll
2010-01-11 18:31 . 2007-03-22 15:49 212992 ----a-w- c:\windows\system32\UCI32M19.dll
2010-01-11 18:21 . 2010-01-11 18:23 -------- d-----w- c:\documents and settings\Sandy\Application Data\DriverCure
2010-01-11 18:20 . 2010-01-20 08:31 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverCure
2010-01-11 18:20 . 2010-01-11 18:58 -------- d-----w- c:\program files\ParetoLogic
2010-01-11 17:24 . 2010-01-11 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2010-01-11 17:24 . 2010-01-11 18:20 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-01-11 17:23 . 2010-01-11 17:23 -------- d-----w- c:\program files\Common Files\XoftSpySE
2010-01-11 17:23 . 2010-01-13 02:02 -------- d-----w- c:\program files\XoftSpySE6
2010-01-11 17:23 . 2010-01-11 17:23 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE
2010-01-11 16:21 . 2009-10-29 07:46 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-11 16:21 . 2009-10-29 07:46 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2010-01-11 15:19 . 2010-01-11 15:19 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-01-11 15:18 . 2010-01-11 15:18 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-01-11 15:16 . 2010-01-11 15:16 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-01-11 15:08 . 2010-01-11 15:08 -------- d-----w- c:\program files\MSXML 6.0
2010-01-11 15:04 . 2010-01-13 02:05 -------- d-----w- C:\a00c2ec5cc37fc046f
2010-01-11 15:03 . 2010-01-13 02:05 -------- d-----w- C:\c7a01afe5f1d9721f73cedb8a09d6b63
2010-01-11 14:41 . 2010-01-11 15:02 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2010-01-06 08:24 . 2010-01-13 02:07 -------- d-----w- C:\5c338c88450e85661e8ac0ea9c
2010-01-06 08:23 . 2010-01-13 02:07 -------- d-----w- C:\19475113757489fc8b8a
2010-01-01 08:01 . 2010-01-02 00:01 -------- d-----w- C:\1ff49c13d1df59db060de98c410774b9
2010-01-01 00:53 . 2010-01-01 00:53 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-01-01 00:46 . 2010-01-01 00:46 -------- d-sh--w- c:\documents and settings\Sandy\IETldCache
2010-01-01 00:26 . 2009-10-29 07:45 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-01-01 00:26 . 2009-10-29 07:45 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-01-01 00:25 . 2009-10-02 04:44 92160 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-12-31 23:43 . 2009-12-31 23:43 -------- d-----w- c:\windows\ServicePackFiles
2009-12-31 23:13 . 2009-06-21 22:04 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-12-31 22:44 . 2010-01-14 16:12 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-12-31 22:41 . 2009-06-05 07:42 655872 ------w- c:\windows\system32\dllcache\mstscax.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-21 06:43 . 2006-04-06 05:27 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-21 02:34 . 2007-10-26 22:19 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-20 01:12 . 2006-04-06 05:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-01-19 20:23 . 2005-12-11 00:55 -------- d-----w- c:\program files\Common Files\AOL
2010-01-19 20:23 . 2005-12-11 00:55 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-01-19 20:21 . 2005-12-11 00:55 -------- d-----w- c:\program files\Common Files\aolshare
2010-01-19 19:50 . 2005-12-11 00:54 -------- d-----w- c:\program files\Microsoft Plus! Digital Media Edition
2010-01-19 19:43 . 2006-08-17 00:21 -------- d-----w- c:\program files\Microsoft Plus!
2010-01-19 19:33 . 2005-12-11 00:56 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-01-19 19:26 . 2005-12-11 00:55 -------- d-----w- c:\program files\Microsoft Plus! Photo Story 2 LE
2010-01-19 10:05 . 2009-02-07 02:53 -------- d-----w- c:\program files\Windows Media Connect 2
2010-01-19 09:36 . 2005-12-11 00:52 -------- d-----w- c:\program files\CyberLink
2010-01-19 09:34 . 2005-12-11 00:54 -------- d-----w- c:\program files\MUSICMATCH
2010-01-19 09:14 . 2007-10-26 22:02 -------- d-----w- c:\program files\VB Bookmark Wizard
2010-01-19 09:11 . 2006-05-11 14:08 -------- d-----w- c:\program files\AOL Pictures
2010-01-17 09:56 . 2006-04-06 15:27 -------- d-----w- c:\documents and settings\Sandy\Application Data\Corel
2010-01-15 10:01 . 2006-04-06 05:47 50888 ----a-w- c:\documents and settings\Sandy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-13 14:57 . 2005-12-11 00:50 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-13 02:02 . 2007-10-30 17:54 -------- d-----w- c:\program files\XoftSpySE
2010-01-12 17:19 . 2006-04-06 15:17 -------- d-----w- c:\documents and settings\Sandy\Application Data\Apple Computer
2010-01-11 18:40 . 2005-12-11 00:51 -------- d-----w- c:\program files\Dell
2010-01-11 14:41 . 2007-11-19 16:31 -------- d-----w- c:\program files\RegCure
2010-01-06 08:25 . 2008-01-04 03:55 -------- d-----w- c:\documents and settings\Sandy\Application Data\Share-to-Web Upload Folder
2009-10-29 07:45 . 2004-08-10 18:51 916480 ------w- c:\windows\system32\wininet.dll
2009-10-28 14:36 . 2010-01-11 16:21 389120 ----a-w- c:\windows\system32\SET57.tmp
2009-10-28 14:36 . 2010-01-11 16:21 70656 ----a-w- c:\windows\system32\SET59.tmp
2009-10-28 06:52 . 2010-01-11 16:21 161792 ----a-w- c:\windows\system32\SET5C.tmp
2007-03-10 18:06 . 2007-03-10 18:06 6429332 -c--a-w- c:\program files\scorpio.zip
2010-01-01 20:22 . 2008-05-05 14:23 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\spybot - search & destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-01-07 429392]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Sandy^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Sandy^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]
path=c:\documents and settings\Sandy\Start Menu\Programs\Startup\Yahoo! Widget Engine.lnk
backup=c:\windows\pss\Yahoo! Widget Engine.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLSPScheduler]
2005-11-30 15:40 8808 -c--a-w- c:\program files\Common Files\AOL\1146062878\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2005-08-01 22:00 610304 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2005-05-15 08:04 332800 -c--a-w- c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-12-06 07:05 127035 -c--a-w- c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverCure]
2009-08-07 19:36 3993368 ----a-w- c:\program files\ParetoLogic\DriverCure\DriverCure.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-01-01 20:22 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2007-05-25 17:16 42032 ----a-w- c:\program files\Common Files\AOL\1146062878\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-03-12 02:34 49152 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon04]
2002-11-22 19:48 348160 ----a-w- c:\windows\system32\hphmon04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
2002-11-22 19:50 49152 -c--a-w- c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-01-15 08:22 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
2000-08-08 20:00 311350 -c--a-w- c:\program files\Microsoft Works\wkssb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2000-08-08 20:00 28739 -c--a-w- c:\program files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
2006-09-06 01:22 26248 ----a-w- c:\program files\Norton Internet Security\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-01-10 20:27 385024 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2005-12-11 00:56 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-17 14:42 69632 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-05-10 15:22 405504 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sscRun]
2005-11-30 15:40 136808 -c--a-w- c:\program files\Common Files\AOL\1146062878\ee\services\sscFirewallPlugin\ver1_10_3_1\sscRun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-02-22 08:25 144784 ----a-w- c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]
2007-11-29 00:51 583048 ----a-w- c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2005-06-24 12:36 729178 -c--a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-04 00:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
2000-08-08 20:00 24576 -c--a-w- c:\program files\Microsoft Works\wkfud.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XoftSpySE]
2009-08-28 21:15 4853016 ----a-w- c:\program files\XoftSpySE6\XoftSpySE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"Fax"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"c:\\Program Files\\AOL 9.1a\\waol.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1146062878\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:*:Disabled:DHCP Discovery Service

R2 Viewpoint Manager Service;Viewpoint Manager Service; [x]
R3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-01-01 30192]
R3 XoftSpyService;XoftSpyService;c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [2009-08-28 582424]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-01-07 236368]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-04-15 101936]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-01-07 19160]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-05-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]

2010-01-20 c:\windows\Tasks\DriverCure.job
- c:\program files\ParetoLogic\DriverCure\DriverCure.exe [2009-08-07 19:36]

2010-01-21 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Administrator.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-01-13 21:07]

2010-01-20 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Sandy.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-01-13 21:07]

2010-01-21 c:\windows\Tasks\Malwarebytes' Scheduled Update for Administrator.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-01-13 21:07]

2010-01-21 c:\windows\Tasks\Malwarebytes' Scheduled Update for Sandy.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-01-13 21:07]

2010-01-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 22:36]

2010-01-21 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 22:36]

2010-01-16 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Sandy.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2006-09-07 05:38]

2010-01-20 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-13 14:59]

2010-01-20 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-08-28 21:15]

2010-01-13 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]

2010-01-15 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-08-28 21:15]

2010-01-20 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-12-11 19:00]

2010-01-21 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-12-11 19:00]

2010-01-17 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-12-11 19:00]

2010-01-21 c:\windows\Tasks\User_Feed_Synchronization-{9B0533D0-9460-4DED-AD73-D5EAFD5A67BD}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]

2010-01-20 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE6\XoftSpySELauncher.exe [2009-08-28 21:13]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Trusted Zone: careerbuilders.com
Trusted Zone: musicmatch.com\online
DPF: {6BAB93B7-1917-4214-A7D2-874FA6DB4740} - hxxp://o.aolcdn.com/pictures/ap/Resources/2.0.4.69/cab/aolpPlugins.10.4.0.4.cab
DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB77}
FF - ProfilePath - c:\documents and settings\Sandy\Application Data\Mozilla\Firefox\Profiles\bfw3dalw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?q=
FF - component: c:\documents and settings\Sandy\Application Data\Mozilla\Firefox\Profiles\bfw3dalw.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
FF - component: c:\documents and settings\Sandy\Application Data\Mozilla\Firefox\Profiles\bfw3dalw.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-DVDLauncher - c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
MSConfigStartUp-MimBoot - c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe
MSConfigStartUp-MMTray - c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
MSConfigStartUp-MSMSGS - c:\program files\Messenger\msmsgs.exe
MSConfigStartUp-MsnMsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe
MSConfigStartUp-nmapp - c:\program files\Pure Networks\Network Magic\nmapp.exe
MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe
AddRemove-AOL Toolbar 5.0 - c:\program files\AOL\AOL Toolbar 5.0\uninstall.exe
AddRemove-BMW1_is1 - c:\program files\VB Bookmark Wizard\unins000.exe
AddRemove-FoneSync - c:\program files\FoneSync\Uninst.isu
AddRemove-JAP - c:\program files\JAP\uninstall.exe
AddRemove-LimeWire - c:\program files\LimeWire\uninstall.exe
AddRemove-MSNINST - c:\program files\MSN\MsnInstaller\msninst.exe
AddRemove-Photo Viewer - c:\program files\Photo Viewer\uninstall.exe
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9c.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
AddRemove-Windows Live Toolbar - c:\program files\Windows Live Toolbar\UnInstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-21 02:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2676)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\windows\system32\PSIService.exe
c:\windows\wanmpsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Symantec\LiveUpdate\AUPDATE.EXE
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Completion time: 2010-01-21 03:05:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-21 08:04

Pre-Run: 12,261,343,232 bytes free
Post-Run: 12,275,613,696 bytes free

- - End Of File - - A7938061156A3E0C77D38513109DA5A8
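The Supplementary Scan above shows Firefox's browser.search.defaulturl and keyword.URL pointed at fastbrowsersearch.com while browser.search.selectedEngine is still Google, and the ComboFix log posted later in this thread shows "EnableFirewall"= 0 and Security Center "DisableMonitoring" set to 1. As an added example (not from this thread, and not ComboFix's own code), the following Python script triages a ComboFix-style log for exactly those two kinds of finding; its sample lines are constructed to mirror the log format above, and the engine-to-host table is an assumption covering only Google, the engine selected in this log.

```python
"""Triage a ComboFix-style log for search hijacks and weakened defences.

Added example, not part of the thread or of ComboFix itself. The log
format (defanged "hxxp://" URLs, "FF - prefs.js:" lines, REGEDIT4-style
key/value dumps) follows the logs posted in this thread; the sample
below is constructed, not copied from a real machine.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the ComboFix output posted above.
SAMPLE_LOG = r"""
------- Supplementary Scan -------
uDefault_Search_URL = hxxp://www.google.com/ie
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?q=
.
(((((((((((( Reg Loading Points ))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:*:Disabled:DHCP Discovery Service
"""

FF_PREF = re.compile(r"^FF - prefs\.js: (\S+) - (.*)$")
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VAL = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

# Assumed table of hosts a Firefox search engine legitimately uses. Only
# Google is listed because that is the engine selected in the log above.
ENGINE_HOSTS = {"Google": {"google.com", "www.google.com"}}


def host_of(url: str) -> Optional[str]:
    """Return the host of a ComboFix-defanged URL (hxxp:// or hxxps://)."""
    m = re.match(r"^hxxps?://([^/]+)", url.strip())
    return m.group(1).lower() if m else None


def reg_int(raw: str) -> Optional[int]:
    """Decode ComboFix value renderings such as 'dword:00000001' or '0 (0x0)'."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"^(\d+)", raw)
    return int(m.group(1)) if m else None


def parse(log: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Split a log into Firefox prefs and registry key -> {name: raw value}."""
    prefs: Dict[str, str] = {}
    registry: Dict[str, Dict[str, str]] = {}
    current_key: Optional[str] = None
    for line in log.splitlines():
        line = line.rstrip()
        if m := FF_PREF.match(line):
            prefs[m.group(1)] = m.group(2).strip()
        elif m := REG_KEY.match(line):
            current_key = m.group(1).lower()
            registry.setdefault(current_key, {})
        elif (m := REG_VAL.match(line)) and current_key is not None:
            registry[current_key][m.group(1)] = m.group(2).strip()
    return prefs, registry


def triage(log: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked wrong."""
    prefs, registry = parse(log)
    findings: List[str] = []

    # 1. Search hijack: the URLs Firefox actually queries disagree with the
    #    engine the user believes is selected.
    engine = prefs.get("browser.search.selectedEngine", "")
    trusted = ENGINE_HOSTS.get(engine, set())
    for name in ("browser.search.defaulturl", "keyword.URL"):
        host = host_of(prefs.get(name, ""))
        if host and host not in trusted:
            findings.append(f"firefox {name} points at {host} "
                            f"but selectedEngine is {engine or 'unset'}")

    for key, values in registry.items():
        # 2. Security Center told not to monitor at all. Per-product subkeys
        #    beneath it are normally written by the AV vendor; the parent key
        #    is what silences the user's own warnings.
        if key.endswith("security center\\monitoring") and \
                reg_int(values.get("DisableMonitoring", "")) == 1:
            findings.append(f"security center monitoring disabled under [{key}]")
        # 3. Windows Firewall switched off for the standard profile.
        if key.endswith("firewallpolicy\\standardprofile") and \
                reg_int(values.get("EnableFirewall", "")) == 0:
            findings.append("windows firewall disabled for standard profile")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("FINDING:", finding)
```

Pasting a real ComboFix.txt in place of SAMPLE_LOG gives the same four classes of output; anything else in the log (scheduled tasks, file listings) is ignored by the three regexes.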


#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,247 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:12:15 PM

Posted 21 January 2010 - 04:08 AM

Does this computer have a working internet connection?

SHOW HIDDEN FILES AND FOLDERS
-------------------------------------------------
Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:
  • Hide extensions for known file types
  • Hide protected operating system files (Recommended)
You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:
  • Show hidden files and folders
Click Apply and then click OK

Now please see if the following file exists: c:\boot.ini

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#8 BearCandy

BearCandy
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Gender:Female
  • Local time:04:15 AM

Posted 21 January 2010 - 08:19 AM

QUOTE(elise025 @ Jan 21 2010, 04:08 AM)
Does this computer have a working internet connection?

SHOW HIDDEN FILES AND FOLDERS
-------------------------------------------------
Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:
  • Hide extensions for known file types
  • Hide protected operating system files (Recommended)
You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:
  • Show hidden files and folders
Click Apply and then click OK

Now please see if the following file exists: c:\boot.ini



Yes, the file c:\boot.ini is there.




#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,247 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:12:15 PM

Posted 21 January 2010 - 10:10 AM

And the internet connection is working?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#10 BearCandy

BearCandy
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Gender:Female
  • Local time:04:15 AM

Posted 21 January 2010 - 11:09 AM

Yes, the internet is working, though it flickers off and on.

I took a look at that more closely and I am curious about it.


I have an Internet Gateway connection. It is connecting through my "internet connection" which is my wireless. It is running XBox 3074 UDP on that connection. We do have an Xbox. Is this a security issue?

So I have:

1. Gateway (running the Xbox)
2. LAN or high-speed Wireless (running my Dell)
3. Local Area - Broadband (disabled)


I have disabled the Xbox by unchecking it and unplugging it.

Wireless Network Connection Properties -> Advanced -> error:

"Windows cannot display the properties of this connection. The Windows Management Instrumentation (WMI) information might be corrupted. To correct this, use System Restore to restore Windows to an earlier time (called a restore point). System Restore is located in the System Tools folder in Accessories."


#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,247 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:12:15 PM

Posted 21 January 2010 - 02:33 PM

I would recommend keeping the Xbox physically disconnected from your computer until we are sure you are cleaned up.

Let's see if we can get the Recovery Console installed:

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file and save it as it is originally named.

Note: If you have SP3, use the SP2 package.


---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.



  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and, when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#12 BearCandy

BearCandy
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Gender:Female
  • Local time:04:15 AM

Posted 21 January 2010 - 09:08 PM

Elise,

ComboFix worked as promised. I am still having issues with the network connection, but the computer is running well again, thanks.

Here is the combofix log:

ComboFix 10-01-20.05 - Sandy 01/21/2010 15:33:43.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.186 [GMT -5:00]
Running from: C:\ComboFix.exe
Command switches used :: C:\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
.

((((((((((((((((((((((((( Files Created from 2009-12-21 to 2010-01-21 )))))))))))))))))))))))))))))))
.

2010-01-21 05:26 . 2010-01-21 06:24 3831636 ----a-r- C:\ComboFix.exe
2010-01-21 02:24 . 2010-01-21 02:24 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2010-01-20 13:47 . 2010-01-20 13:50 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-01-20 10:24 . 2010-01-20 10:24 -------- d-----w- c:\windows\system32\LogFiles
2010-01-20 04:48 . 2010-01-20 04:48 0 ----a-w- C:\j10o6u3g.reg
2010-01-19 09:26 . 2010-01-19 09:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\MSNInstaller
2010-01-19 09:12 . 2010-01-19 09:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AOL
2010-01-17 02:09 . 2010-01-17 03:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-17 02:09 . 2010-01-17 02:23 -------- d-----w- C:\Spybot - Search & Destroy
2010-01-17 01:32 . 2010-01-19 05:37 -------- d-----w- C:\SmitRem
2010-01-16 20:06 . 2010-01-16 20:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-15 08:19 . 2010-01-15 08:19 -------- d-----w- c:\program files\MSBuild
2010-01-15 08:18 . 2010-01-15 08:18 -------- d-----w- c:\program files\Reference Assemblies
2010-01-15 08:18 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-01-15 08:13 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-01-15 08:13 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-01-15 08:13 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-01-15 08:13 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-01-15 08:13 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-01-15 08:13 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-01-15 08:13 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-01-15 08:13 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-01-15 08:13 . 2010-01-15 08:18 -------- d-----w- C:\c4607a9960a1fc5991b5500170
2010-01-13 14:57 . 2007-08-21 14:58 146944 ----a-w- c:\windows\system32\st325602.dll
2010-01-13 08:44 . 2010-01-13 08:44 -------- d-----w- C:\adae267f65b61f23d06451ce71f5
2010-01-13 06:06 . 2010-01-13 06:06 -------- d-----w- c:\documents and settings\Sandy\Application Data\Malwarebytes
2010-01-13 06:06 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-13 06:06 . 2010-01-13 06:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-13 06:06 . 2010-01-16 22:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-13 06:06 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-13 05:35 . 2010-01-13 05:35 -------- d-sh--w- c:\documents and settings\Sandy\PrivacIE
2010-01-13 05:33 . 2009-11-21 16:36 470528 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-13 02:35 . 2010-01-13 02:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Share-to-Web Upload Folder
2010-01-13 02:09 . 2010-01-13 02:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Cached Installations
2010-01-13 01:55 . 2010-01-20 04:55 50888 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-11 22:38 . 2010-01-11 22:38 -------- d-----w- C:\!KillBox
2010-01-11 18:41 . 2006-11-01 17:48 33664 ----a-w- c:\windows\system32\drivers\BCMWLNPF.SYS
2010-01-11 18:41 . 2006-11-01 17:48 86016 ----a-w- c:\windows\system32\preflib.dll
2010-01-11 18:41 . 2006-11-01 17:48 69632 ----a-w- c:\windows\system32\bcmwlpkt.dll
2010-01-11 18:41 . 2006-11-01 17:48 2129920 ----a-w- c:\windows\system32\WLBCGCBPRO731.DLL
2010-01-11 18:41 . 2006-11-01 17:48 757760 ----a-w- c:\windows\system32\bcm1xsup.dll
2010-01-11 18:31 . 2007-03-22 15:49 212992 ----a-w- c:\windows\system32\UCI32M19.dll
2010-01-11 18:21 . 2010-01-11 18:23 -------- d-----w- c:\documents and settings\Sandy\Application Data\DriverCure
2010-01-11 18:20 . 2010-01-20 08:31 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverCure
2010-01-11 18:20 . 2010-01-11 18:58 -------- d-----w- c:\program files\ParetoLogic
2010-01-11 17:24 . 2010-01-11 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2010-01-11 17:24 . 2010-01-11 18:20 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-01-11 17:23 . 2010-01-11 17:23 -------- d-----w- c:\program files\Common Files\XoftSpySE
2010-01-11 17:23 . 2010-01-13 02:02 -------- d-----w- c:\program files\XoftSpySE6
2010-01-11 17:23 . 2010-01-11 17:23 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE
2010-01-11 16:21 . 2009-10-29 07:46 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-11 16:21 . 2009-10-29 07:46 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2010-01-11 15:19 . 2010-01-11 15:19 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-01-11 15:18 . 2010-01-11 15:18 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-01-11 15:16 . 2010-01-11 15:16 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-01-11 15:08 . 2010-01-11 15:08 -------- d-----w- c:\program files\MSXML 6.0
2010-01-11 15:04 . 2010-01-13 02:05 -------- d-----w- C:\a00c2ec5cc37fc046f
2010-01-11 15:03 . 2010-01-13 02:05 -------- d-----w- C:\c7a01afe5f1d9721f73cedb8a09d6b63
2010-01-11 14:41 . 2010-01-11 15:02 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2010-01-06 08:24 . 2010-01-13 02:07 -------- d-----w- C:\5c338c88450e85661e8ac0ea9c
2010-01-06 08:23 . 2010-01-13 02:07 -------- d-----w- C:\19475113757489fc8b8a
2010-01-01 08:01 . 2010-01-02 00:01 -------- d-----w- C:\1ff49c13d1df59db060de98c410774b9
2010-01-01 00:53 . 2010-01-01 00:53 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-01-01 00:46 . 2010-01-01 00:46 -------- d-sh--w- c:\documents and settings\Sandy\IETldCache
2010-01-01 00:26 . 2009-10-29 07:45 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-01-01 00:26 . 2009-10-29 07:45 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-01-01 00:25 . 2009-10-02 04:44 92160 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-12-31 23:43 . 2009-12-31 23:43 -------- d-----w- c:\windows\ServicePackFiles
2009-12-31 23:13 . 2009-06-21 22:04 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-12-31 22:44 . 2010-01-14 16:12 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-12-31 22:41 . 2009-06-05 07:42 655872 ------w- c:\windows\system32\dllcache\mstscax.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-21 20:13 . 2010-01-21 20:12 4614888 ----a-w- C:\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
2010-01-21 06:43 . 2006-04-06 05:27 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-21 02:34 . 2007-10-26 22:19 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-20 01:12 . 2006-04-06 05:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-01-19 20:23 . 2005-12-11 00:55 -------- d-----w- c:\program files\Common Files\AOL
2010-01-19 20:23 . 2005-12-11 00:55 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-01-19 20:21 . 2005-12-11 00:55 -------- d-----w- c:\program files\Common Files\aolshare
2010-01-19 19:50 . 2005-12-11 00:54 -------- d-----w- c:\program files\Microsoft Plus! Digital Media Edition
2010-01-19 19:43 . 2006-08-17 00:21 -------- d-----w- c:\program files\Microsoft Plus!
2010-01-19 19:33 . 2005-12-11 00:56 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-01-19 19:26 . 2005-12-11 00:55 -------- d-----w- c:\program files\Microsoft Plus! Photo Story 2 LE
2010-01-19 10:05 . 2009-02-07 02:53 -------- d-----w- c:\program files\Windows Media Connect 2
2010-01-19 09:36 . 2005-12-11 00:52 -------- d-----w- c:\program files\CyberLink
2010-01-19 09:34 . 2005-12-11 00:54 -------- d-----w- c:\program files\MUSICMATCH
2010-01-19 09:14 . 2007-10-26 22:02 -------- d-----w- c:\program files\VB Bookmark Wizard
2010-01-19 09:11 . 2006-05-11 14:08 -------- d-----w- c:\program files\AOL Pictures
2010-01-17 09:56 . 2006-04-06 15:27 -------- d-----w- c:\documents and settings\Sandy\Application Data\Corel
2010-01-15 10:01 . 2006-04-06 05:47 50888 ----a-w- c:\documents and settings\Sandy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-13 14:57 . 2005-12-11 00:50 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-13 05:33 . 2010-01-13 05:33 125952 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Temp\Update.exe
2010-01-13 02:02 . 2007-10-30 17:54 -------- d-----w- c:\program files\XoftSpySE
2010-01-12 17:19 . 2006-04-06 15:17 -------- d-----w- c:\documents and settings\Sandy\Application Data\Apple Computer
2010-01-11 18:40 . 2005-12-11 00:51 -------- d-----w- c:\program files\Dell
2010-01-11 14:41 . 2007-11-19 16:31 -------- d-----w- c:\program files\RegCure
2010-01-06 08:25 . 2008-01-04 03:55 -------- d-----w- c:\documents and settings\Sandy\Application Data\Share-to-Web Upload Folder
2009-12-16 21:05 . 2010-01-13 16:05 340992 ----a-w- c:\documents and settings\Sandy\Application Data\Mozilla\Firefox\Profiles\bfw3dalw.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-16 21:05 . 2010-01-13 16:05 471040 ----a-w- c:\documents and settings\Sandy\Application Data\Mozilla\Firefox\Profiles\bfw3dalw.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
2009-12-16 21:05 . 2010-01-13 16:05 347136 ----a-w- c:\documents and settings\Sandy\Application Data\Mozilla\Firefox\Profiles\bfw3dalw.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-16 21:05 . 2010-01-13 16:05 43008 ----a-w- c:\documents and settings\Sandy\Application Data\Mozilla\Firefox\Profiles\bfw3dalw.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-16 21:05 . 2010-01-13 16:05 1452032 ----a-w- c:\documents and settings\Sandy\Application Data\Mozilla\Firefox\Profiles\bfw3dalw.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-10-29 07:45 . 2004-08-10 18:51 916480 ------w- c:\windows\system32\wininet.dll
2009-10-28 14:36 . 2010-01-11 16:21 389120 ----a-w- c:\windows\system32\SET57.tmp
2009-10-28 14:36 . 2010-01-11 16:21 70656 ----a-w- c:\windows\system32\SET59.tmp
2009-10-28 06:52 . 2010-01-11 16:21 161792 ----a-w- c:\windows\system32\SET5C.tmp
2007-03-10 18:06 . 2007-03-10 18:06 6429332 -c--a-w- c:\program files\scorpio.zip
2010-01-01 20:22 . 2008-05-05 14:23 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-01-28 16:40 . 2006-04-11 15:02 104 --sh--r- c:\windows\system32\590579E57B.sys
2009-01-12 02:53 . 2006-04-17 04:20 168 --sh--r- c:\windows\system32\7BE5790559.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\spybot - search & destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-01-07 429392]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Sandy^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Sandy^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]
path=c:\documents and settings\Sandy\Start Menu\Programs\Startup\Yahoo! Widget Engine.lnk
backup=c:\windows\pss\Yahoo! Widget Engine.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLSPScheduler]
2005-11-30 15:40 8808 -c--a-w- c:\program files\Common Files\AOL\1146062878\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2005-08-01 22:00 610304 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2005-05-15 08:04 332800 -c--a-w- c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-12-06 07:05 127035 -c--a-w- c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverCure]
2009-08-07 19:36 3993368 ----a-w- c:\program files\ParetoLogic\DriverCure\DriverCure.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-01-01 20:22 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2007-05-25 17:16 42032 ----a-w- c:\program files\Common Files\AOL\1146062878\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-03-12 02:34 49152 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon04]
2002-11-22 19:48 348160 ----a-w- c:\windows\system32\hphmon04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
2002-11-22 19:50 49152 -c--a-w- c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-01-15 08:22 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
2000-08-08 20:00 311350 -c--a-w- c:\program files\Microsoft Works\wkssb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2000-08-08 20:00 28739 -c--a-w- c:\program files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
2006-09-06 01:22 26248 ----a-w- c:\program files\Norton Internet Security\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-01-10 20:27 385024 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2005-12-11 00:56 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-17 14:42 69632 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-05-10 15:22 405504 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sscRun]
2005-11-30 15:40 136808 -c--a-w- c:\program files\Common Files\AOL\1146062878\ee\services\sscFirewallPlugin\ver1_10_3_1\sscRun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-02-22 08:25 144784 ----a-w- c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]
2007-11-29 00:51 583048 ----a-w- c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2005-06-24 12:36 729178 -c--a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-04 00:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
2000-08-08 20:00 24576 -c--a-w- c:\program files\Microsoft Works\wkfud.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XoftSpySE]
2009-08-28 21:15 4853016 ----a-w- c:\program files\XoftSpySE6\XoftSpySE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"Fax"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"c:\\Program Files\\AOL 9.1a\\waol.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1146062878\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:*:Disabled:DHCP Discovery Service

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/13/2010 1:06 AM 236368]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [5/15/2009 2:40 AM 101936]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/13/2010 1:06 AM 19160]
S2 Viewpoint Manager Service;Viewpoint Manager Service; [x]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [5/5/2008 9:23 AM 30192]
S3 XoftSpyService;XoftSpyService;c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [8/28/2009 4:15 PM 582424]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-05-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]

2010-01-20 c:\windows\Tasks\DriverCure.job
- c:\program files\ParetoLogic\DriverCure\DriverCure.exe [2009-08-07 19:36]

2010-01-21 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Administrator.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-01-13 21:07]

2010-01-21 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Sandy.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-01-13 21:07]

2010-01-21 c:\windows\Tasks\Malwarebytes' Scheduled Update for Administrator.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-01-13 21:07]

2010-01-21 c:\windows\Tasks\Malwarebytes' Scheduled Update for Sandy.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-01-13 21:07]

2010-01-16 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Sandy.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2006-09-07 05:38]

2010-01-20 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-13 14:59]

2010-01-20 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-08-28 21:15]

2010-01-13 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]

2010-01-15 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-08-28 21:15]

2010-01-20 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-12-11 19:00]

2010-01-21 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-12-11 19:00]

2010-01-21 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-12-11 19:00]

2010-01-21 c:\windows\Tasks\User_Feed_Synchronization-{9B0533D0-9460-4DED-AD73-D5EAFD5A67BD}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]

2010-01-20 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE6\XoftSpySELauncher.exe [2009-08-28 21:13]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &AOL Toolbar Search
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Trusted Zone: careerbuilders.com
Trusted Zone: musicmatch.com\online
DPF: {6BAB93B7-1917-4214-A7D2-874FA6DB4740} - hxxp://o.aolcdn.com/pictures/ap/Resources/2.0.4.69/cab/aolpPlugins.10.4.0.4.cab
DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB77}
FF - ProfilePath - c:\documents and settings\Sandy\Application Data\Mozilla\Firefox\Profiles\bfw3dalw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?q=
FF - component: c:\documents and settings\Sandy\Application Data\Mozilla\Firefox\Profiles\bfw3dalw.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
FF - component: c:\documents and settings\Sandy\Application Data\Mozilla\Firefox\Profiles\bfw3dalw.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-21 15:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2872)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-01-21 15:56:44
ComboFix-quarantined-files.txt 2010-01-21 20:56
ComboFix2.txt 2010-01-21 08:05

Pre-Run: 12,167,471,104 bytes free
Post-Run: 12,115,460,096 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 2ED24CD194BB5CB55EB43526E86E1CDE


#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,247 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:12:15 PM

Posted 22 January 2010 - 04:20 AM

To see if we can solve this network problem in an easy way, please update to Service Pack 3.

If you cannot download/install that because of the Internet Explorer problems, I recommend you use another computer to download the ISO for Service Pack 3 and burn it to a CD (if you don't know how to burn an ISO to a CD, post back here and I will explain it; it is not the same as just burning the file to a CD).

Download link

To install the service pack, disconnect from the internet, disable your AV protection and run the CD.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#14 BearCandy

BearCandy
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Gender:Female
  • Local time:04:15 AM

Posted 22 January 2010 - 09:54 AM

Thanks a bunch Elise. The issue with the network is better after I tooled around with the settings. It is running on the Dell wireless and not Windows as I was accustomed to. But something was going on as programs were hoping my connection, specifically Wd20.exe.

I will need to get to work on the other laptop now. I am confident running ComboFix.

I will let you know how things work out with the wireless.

Thanks again and have a great weekend.

#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,247 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:12:15 PM

Posted 22 January 2010 - 10:22 AM

Okay, keep me posted.

regards, Elise





