[Closed - Posting in multiple forums] Can't remove DeepDive


CTGull

I've been cleaning a friend's laptop for the last few days. There were a few trojans that I thought I removed. I did 10 rounds of Windows updates (it hadn't been updated in a couple of years). As a final step I ran Spybot S&D. It found 2 registry keys indicating it was infected with DeepDive. It was unable to remove it because the files were possibly in use. It suggested rebooting so it could run on startup. After running at startup it found DeepDive again, and again couldn't remove it. I've run through this 3 times hoping for a different result. Malwarebytes and MS Security Essentials do not find DeepDive.

I've followed the 5 step removal instructions and have included the logs in the following posts.
 
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.12.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Mom :: SAMANTHA [administrator]

6/11/2012 9:27:38 PM
mbam-log-2012-06-11 (21-27-38).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 292015
Time elapsed: 1 hour(s), 31 minute(s), 21 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-06-12 18:23:41
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST9120822AS rev.3.CDD
Running: b7c4vkeb.exe; Driver: C:\DOCUME~1\Mom\LOCALS~1\Temp\agldypoc.sys
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
---- EOF - GMER 1.0.15 ----
 
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Mom at 18:24:13 on 2012-06-12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.467 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
c:\program files\microsoft lifecam\mscams32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Mom\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleCrashHandler.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1071023
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1071023
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1071023
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
uURLSearchHooks: Download Energy Toolbar: {2bae58c2-79f9-45d1-a286-81f911301c3a} - c:\program files\p2p_energy\prxtbP2P2.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Download Energy Toolbar: {2bae58c2-79f9-45d1-a286-81f911301c3a} - c:\program files\p2p_energy\prxtbP2P2.dll
BHO: Updater For ooVoo Toolbar: {442ae524-eba5-4b17-82f3-888d68bc999a} - c:\program files\oovootb\auxi\oovooAu.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: ooVoo Toolbar: {a1fb2f9a-d35e-11dd-8935-e46a56d89593} - c:\program files\oovootb\oovoodx.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: ooVoo Toolbar: {a1fb2f9a-d35e-11dd-8935-e46a56d89593} - c:\program files\oovootb\oovoodx.dll
TB: Download Energy Toolbar: {2bae58c2-79f9-45d1-a286-81f911301c3a} - c:\program files\p2p_energy\prxtbP2P2.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {61539ECD-CC67-4437-A03C-9AACCBD14326} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\mom\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [%PROVIDERID%] "bin\sprtcmd.exe" /P %PROVIDERID%
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\mom\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1  www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\mom\application data\mozilla\firefox\profiles\30ctqk28.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\mom\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\mom\local settings\application data\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-12-21 24652]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-6-10 257224]
S3 AR9271;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [2011-8-19 1723840]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\manycam.sys --> c:\windows\system32\drivers\ManyCam.sys [?]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2010-2-9 30560]
S3 PAC207;PC Camera;c:\windows\system32\drivers\PFC027.SYS [2007-10-25 616064]
.
=============== Created Last 30 ================
.
2012-06-12 10:14:20  6737808  ----a-w-  c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{32923389-e0fd-4ce2-ba91-8b509e4b6f59}\mpengine.dll
2012-06-12 00:25:34  6737808  ----a-w-  c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-06-10 20:48:05  --------  d-----w-  c:\documents and settings\mom\application data\Windows Desktop Search
2012-06-10 20:47:13  --------  d-----w-  c:\program files\Windows Desktop Search
2012-06-10 20:47:12  --------  d-----w-  c:\windows\system32\GroupPolicy
2012-06-10 20:42:39  98304  ------w-  c:\windows\system32\dllcache\nlhtml.dll
2012-06-10 20:42:39  29696  ------w-  c:\windows\system32\dllcache\mimefilt.dll
2012-06-10 20:42:38  192000  ------w-  c:\windows\system32\dllcache\offfilt.dll
2012-06-10 20:42:03  33664  ----a-w-  c:\windows\system32\drivers\BCMWLNPF.SYS
2012-06-10 20:41:59  1392640  ----a-w-  c:\windows\system32\WLTRAY.EXE
2012-06-10 20:04:43  --------  d-sh--w-  c:\documents and settings\mom\IECompatCache
2012-06-10 20:03:03  --------  d-sh--w-  c:\documents and settings\mom\PrivacIE
2012-06-10 20:00:17  --------  d-sh--w-  c:\documents and settings\mom\IETldCache
2012-06-10 19:27:43  6144  ------w-  c:\windows\system32\dllcache\iecompat.dll
2012-06-10 19:26:03  --------  d-----w-  c:\windows\ie8updates
2012-06-10 19:25:17  12800  ------w-  c:\windows\system32\dllcache\xpshims.dll
2012-06-10 19:25:05  247808  ------w-  c:\windows\system32\dllcache\ieproxy.dll
2012-06-10 19:25:04  743424  ------w-  c:\windows\system32\dllcache\iedvtool.dll
2012-06-10 19:21:50  --------  dc-h--w-  c:\windows\ie8
2012-06-10 18:23:50  --------  d-----w-  c:\documents and settings\mom\application data\JAM Software
2012-06-10 15:53:18  953856  ------w-  c:\windows\system32\dllcache\mfc40u.dll
2012-06-10 15:49:40  617472  ------w-  c:\windows\system32\dllcache\comctl32.dll
2012-06-10 15:45:57  40960  ------w-  c:\windows\system32\dllcache\ndproxy.sys
2012-06-10 15:44:49  105472  ------w-  c:\windows\system32\dllcache\mup.sys
2012-06-10 15:40:45  45568  ------w-  c:\windows\system32\dllcache\wab.exe
2012-06-10 15:40:21  10496  ------w-  c:\windows\system32\dllcache\ndistapi.sys
2012-06-10 15:40:17  3072  ------w-  c:\windows\system32\iacenc.dll
2012-06-10 15:40:17  3072  ------w-  c:\windows\system32\dllcache\iacenc.dll
2012-06-10 15:37:14  139784  ------w-  c:\windows\system32\dllcache\rdpwd.sys
2012-06-10 14:29:51  272128  ------w-  c:\windows\system32\dllcache\bthport.sys
2012-06-10 14:29:35  357888  ------w-  c:\windows\system32\dllcache\srv.sys
2012-06-10 14:29:26  456320  ------w-  c:\windows\system32\dllcache\mrxsmb.sys
2012-06-10 14:29:24  471552  ------w-  c:\windows\system32\dllcache\aclayers.dll
2012-06-10 14:26:58  337408  ------w-  c:\windows\system32\dllcache\netapi32.dll
2012-06-10 14:26:45  5120  ----a-w-  c:\windows\system32\xpsp4res.dll
2012-06-10 14:26:44  218112  ------w-  c:\windows\system32\dllcache\wordpad.exe
2012-06-10 14:09:44  --------  d-----w-  c:\windows\system32\scripting
2012-06-10 14:09:44  --------  d-----w-  c:\windows\l2schemas
2012-06-10 14:09:42  --------  d-----w-  c:\windows\system32\en
2012-06-10 14:09:42  --------  d-----w-  c:\windows\system32\bits
2012-06-10 13:57:32  426184  ----a-w-  c:\windows\system32\FlashPlayerApp.exe
2012-06-10 13:57:31  70344  ----a-w-  c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-10 13:52:27  --------  d-----w-  c:\windows\EHome
2012-06-10 13:22:15  69120  ------w-  c:\windows\system32\wlanapi.dll
2012-06-10 13:22:09  25471  ------w-  c:\windows\system32\drivers\watv10nt.sys
2012-06-10 13:22:09  22271  ------w-  c:\windows\system32\drivers\watv06nt.sys
2012-06-10 13:22:08  14208  ------w-  c:\windows\system32\drivers\wacompen.sys
2012-06-10 13:22:08  11935  ------w-  c:\windows\system32\drivers\wadv11nt.sys
2012-06-10 13:22:08  11871  ------w-  c:\windows\system32\drivers\wadv09nt.sys
2012-06-10 13:22:08  11807  ------w-  c:\windows\system32\drivers\wadv07nt.sys
2012-06-10 13:22:08  11295  ------w-  c:\windows\system32\drivers\wadv08nt.sys
2012-06-10 13:22:05  11325  ------w-  c:\windows\system32\drivers\vchnt5.dll
2012-06-10 13:22:02  12800  ------w-  c:\windows\system32\drivers\usb8023x.sys
2012-06-10 13:20:59  180360  ------w-  c:\windows\system32\drivers\ntmtlfax.sys
2012-06-10 13:19:43  37376  ------w-  c:\windows\system32\l2gpstore.dll
2012-06-10 13:19:41  61440  ------w-  c:\windows\system32\kmsvc.dll
2012-06-10 13:19:40  6144  ------w-  c:\windows\system32\kbdpash.dll
2012-06-10 13:19:40  6144  ------w-  c:\windows\system32\kbdnepr.dll
2012-06-10 13:19:40  6144  ------w-  c:\windows\system32\kbdiultn.dll
2012-06-10 13:19:40  6144  ------w-  c:\windows\system32\kbdbhc.dll
2012-06-10 13:17:57  12800  ------w-  c:\windows\system32\credssp.dll
2012-06-09 17:06:32  237072  ------w-  c:\windows\system32\MpSigStub.exe
2012-06-09 17:02:25  --------  d-----w-  c:\program files\Microsoft Security Client
2012-06-09 13:44:08  98816  ----a-w-  c:\windows\sed.exe
2012-06-09 13:44:08  518144  ----a-w-  c:\windows\SWREG.exe
2012-06-09 13:44:08  256000  ----a-w-  c:\windows\PEV.exe
2012-06-09 13:44:08  208896  ----a-w-  c:\windows\MBR.exe
2012-06-09 13:40:14  --------  d-----w-  C:\TDSSKiller_Quarantine
2012-06-09 13:13:27  --------  d-----w-  c:\program files\VS Revo Group
2012-06-09 03:16:47  --------  d-----w-  c:\documents and settings\mom\application data\Malwarebytes
2012-06-09 03:16:37  --------  d-----w-  c:\documents and settings\all users\application data\Malwarebytes
2012-06-09 03:16:36  22344  ----a-w-  c:\windows\system32\drivers\mbam.sys
2012-06-09 03:16:36  --------  d-----w-  c:\program files\Malwarebytes' Anti-Malware
2012-06-09 03:06:36  --------  d-----w-  c:\windows\system32\MpEngineStore
2012-05-31 13:22:09  599040  ------w-  c:\windows\system32\dllcache\crypt32.dll
.
==================== Find3M ====================
.
2012-05-31 13:22:09  599040  ----a-w-  c:\windows\system32\crypt32.dll
2012-04-11 13:14:41  2148352  ----a-w-  c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12:06  1862272  ----a-w-  c:\windows\system32\win32k.sys
2012-04-11 12:35:51  2026496  ----a-w-  c:\windows\system32\ntkrnlpa.exe
2012-03-21 00:44:12  171064  ----a-w-  c:\windows\system32\drivers\MpFilter.sys
2006-11-20 13:01:08  163840  ----a-w-  c:\program files\common files\AMCap.exe
.
============= FINISH: 18:26:37.51 ===============
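The "Created Last 30" and "Find3M" records above are the part of a DDS log a helper actually reads: date, time, size, an attribute string and a path. DDS writes the four fields tab-separated, and forum pastes often drop the tabs so the fields run together. The following is an added example, my own code and not part of DDS or of this thread: a Python parser that recovers the fields from either form and lists the executables and drivers created outside the Windows Update and AV definition directories. The field layout is inferred from the pasted log itself (the 'd', 's' and 'h' attribute letters are read off the sample records, not from DDS documentation), and the set of directories treated as expected is an assumption for the example.

```python
"""Parse DDS "Created Last 30" / "Find3M" records and list the recently
created executables and drivers worth a second look.

Added example, not part of DDS or of the forum thread. The record layout
(date, time, size, attribute string, path) is inferred from the pasted log.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# One DDS file record. DDS separates the fields with tabs, but forum pastes
# often lose them, so the separators are optional and the fields are matched
# by shape instead: seconds are always two digits, the size is digits or
# "--------" (directories), and the attribute string is exactly eight chars.
DDS_RECORD = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s*"
    r"(?P<size>\d+|-{8})\s*"
    r"(?P<attrs>[dcsharw-]{8})\s*"
    r"(?P<path>\S.*)$"
)

# Windows Update and the AV engine write here as a matter of course, so
# these paths are treated as expected. Assumption for this example only.
EXPECTED_DIRS = ("\\dllcache\\", "\\definition updates\\")
EXEC_EXTENSIONS = (".exe", ".sys", ".dll", ".cpl")


@dataclass
class DdsRecord:
    timestamp: str
    size: int          # 0 for directories (DDS prints "--------")
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        # Observed: directory records start their attribute string with 'd'.
        return self.attrs[0] == "d"

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs


def parse_dds(text: str) -> Tuple[List[DdsRecord], List[str]]:
    """Return (records, lines that did not parse). Section markers such as
    '.' and '=== Find3M ===' land in the second list instead of raising."""
    records, unparsed = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DDS_RECORD.match(line)
        if not m:
            unparsed.append(line)
            continue
        size = 0 if m["size"].startswith("-") else int(m["size"])
        records.append(DdsRecord(f"{m['date']} {m['time']}", size,
                                 m["attrs"], m["path"]))
    return records, unparsed


def unexpected_executables(records: List[DdsRecord]) -> List[str]:
    """Executables/drivers created outside the expected update locations,
    in log order. These are the entries to check first."""
    out = []
    for r in records:
        p = r.path.lower()
        if r.is_dir or not p.endswith(EXEC_EXTENSIONS):
            continue
        if any(d in p for d in EXPECTED_DIRS):
            continue
        out.append(r.path)
    return out


# Constructed sample: records copied from the thread's DDS log, one kept
# tab-separated as DDS writes it, the rest with the tabs lost as in the paste.
SAMPLE_LOG = "\n".join([
    "=============== Created Last 30 ================",
    ".",
    "2012-06-12 10:14:20\t6737808\t----a-w-\tc:\\documents and settings\\all users"
    "\\application data\\microsoft\\microsoft antimalware\\definition updates\\backup\\mpengine.dll",
    "2012-06-10 20:42:0333664----a-w-c:\\windows\\system32\\drivers\\BCMWLNPF.SYS",
    "2012-06-10 20:04:43--------d-sh--w-c:\\documents and settings\\mom\\IECompatCache",
    "2012-06-10 19:27:436144------w-c:\\windows\\system32\\dllcache\\iecompat.dll",
    "2012-06-09 13:44:08208896----a-w-c:\\windows\\MBR.exe",
    "2012-06-09 03:16:3622344----a-w-c:\\windows\\system32\\drivers\\mbam.sys",
    ".",
])

if __name__ == "__main__":
    recs, skipped = parse_dds(SAMPLE_LOG)
    print(f"{len(recs)} records, {len(skipped)} non-record lines")
    for path in unexpected_executables(recs):
        print("check:", path)
```

To run it over a real log, pass the contents of DDS.txt to `parse_dds`; everything between the "Created Last 30" header and "FINISH" that is not a file record ends up in the unparsed list, which is a quick way to spot lines the paste mangled beyond recovery. Of the sample records, the two Malwarebytes and Broadcom drivers and the Combofix-dropped MBR.exe are listed; the IE cache directory and the dllcache and definition-update files are not.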
 
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 10/29/2007 1:15:42 PM
System Uptime: 6/12/2012 4:29:19 PM (2 hours ago)
.
Motherboard: Dell Inc. | | 0UW744
Processor: AMD Athlon(tm) 64 X2 Dual-Core Processor TK-55 | Socket M2/S1G1 | 792/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 108 GiB total, 45.907 GiB free.
D: is CDROM ()
F: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: WebcamMax, WDM Video Capture
Device ID: ROOT\MEDIA\0000
Manufacturer: CoolwareMax
Name: WebcamMax, WDM Video Capture
PNP Device ID: ROOT\MEDIA\0000
Service: CAMTHWDM
.
==== System Restore Points ===================
.
RP260: 6/9/2012 1:11:10 AM - Installed NETGEAR WNA1100 wireless USB 2.0 adapter
RP261: 6/9/2012 9:14:53 AM - Revo Uninstaller's restore point - McAfee SecurityCenter
RP262: 6/9/2012 9:34:00 AM - Revo Uninstaller's restore point - Norton Security Scan
RP263: 6/9/2012 1:01:02 PM - Installed Windows XP KB914882.
RP264: 6/9/2012 1:06:30 PM - Software Distribution Service 3.0
RP265: 6/9/2012 1:25:13 PM - Software Distribution Service 3.0
RP266: 6/10/2012 8:44:47 AM - Software Distribution Service 3.0
RP267: 6/10/2012 9:29:29 AM - Software Distribution Service 3.0
RP268: 6/10/2012 9:39:40 AM - Software Distribution Service 3.0
RP269: 6/10/2012 10:32:21 AM - Software Distribution Service 3.0
RP270: 6/10/2012 2:28:26 PM - Software Distribution Service 3.0
RP271: 6/10/2012 4:07:21 PM - Software Distribution Service 3.0
RP272: 6/10/2012 4:09:37 PM - Software Distribution Service 3.0
RP273: 6/10/2012 4:38:35 PM - Software Distribution Service 3.0
RP274: 6/10/2012 4:41:05 PM - Software Distribution Service 3.0
RP275: 6/11/2012 8:11:51 PM - Software Distribution Service 3.0
RP276: 6/11/2012 8:25:30 PM - Software Distribution Service 3.0
RP277: 6/12/2012 6:14:16 AM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
Acoustica Effects Pack
Adobe Flash Player 10 Plugin
Adobe Flash Player 11 ActiveX
Adobe Reader 8.1.0
Adobe Shockwave Player 11.5
AMD Processor Driver
Any Audio Converter 3.0.4
AoA DVD Ripper
Apple Software Update
Ask Toolbar
ATI Catalyst Control Center
ATI Display Driver
Banctec Service Agreement
Bonjour
Broadcom Management Programs
Browser Address Error Redirector
CCleaner
Choice Guard
Compatibility Pack for the 2007 Office system
Conexant HDA D110 MDC V.92 Modem
Dealio Toolbar v4.0.1
Dell DataSafe Online
Dell Support Center
Dell System Restore
Dell Wireless WLAN Card
DellSupport
Digital Line Detect
DivX Web Player
Documentation & Support Launcher
Download Updater (AOL LLC)
Express Burn
Facebook Plug-In
Free Video to MP3 Converter version 3.4
Games, Music, & Photos Launcher
Google Chrome
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB954550-v5)
InterActual Player
Internet Service Offers Launcher
iSofter DVD to Youtube 3.0.2007.206
iTunes
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 14
LimeWire 5.1.3
LimeWire Music
Macromedia Shockwave Player
Malwarebytes Anti-Malware version 1.61.0.1400
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Corporation
Microsoft Digital Image Library 9 - Blocker
Microsoft Digital Image Standard 2006
Microsoft Digital Image Standard 2006 Editor
Microsoft Digital Image Standard 2006 Library
Microsoft Encarta Encyclopedia Standard 2006
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft LifeCam
Microsoft Money 2006
Microsoft National Language Support Downlevel APIs
Microsoft Plus! Photo Story 2 LE
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Word 2002
Microsoft Works
Microsoft Works Suite 2006 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
Modem Helper
Mozilla Firefox (3.6.13)
MSN
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
Myxer MP3 Downloader
n-Track Studio 6
NCH Toolbox
NetWaiting
ooVoo
ooVoo Toolbar (Remove Toolbar Only)
P2P_Energy Toolbar
PC Camera
PowerDVD 5.7
Protected Music Converter 1.1
QuickTime
Revo Uninstaller 1.94
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler
Roxio MyDVD DE
Search Settings 1.2.2
SearchAssist
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Windows Internet Explorer 7 (KB2544521)
Security Update for Windows Internet Explorer 7 (KB2675157)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
Segoe UI
Skype™ 4.0
Smart Defrag 1.11
Sonic Activation Module
Spybot - Search & Destroy
Synaptics Pointing Device Driver
TabIt version 2.03
Ultra MP4 Video Converter 5.2.0603
Uninstall 1.0.0.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows XP (KB2718704)
Update for Windows XP (KB951978)
Update for Windows XP (KB971029)
VersionTracker Pro Windows
Viewpoint Media Player
WAV MP3 Converter 3.8 build 968
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Presentation Foundation
Windows Search 4.0
Windows XP Service Pack 3
Works Upgrade
Xilisoft Video to Audio Converter
XML Paper Specification Shared Components Pack 1.0
.
==== Event Viewer Messages From Past Week ========
.
6/9/2012 5:23:33 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x8024002d: Office XP Service Pack 3.
6/10/2012 8:58:13 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x8024200d: Windows XP Service Pack 3 (KB936929).
6/10/2012 4:09:56 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures.New Signature Version: Previous Signature Version: 1.127.1680.0Update Source: Microsoft Update ServerUpdate Stage: InstallSource Path: http://www.microsoft.comSignature Type: AntiVirusUpdate Type: FullUser: NT AUTHORITY\SYSTEMCurrent Engine Version: Previous Engine Version: 1.1.8403.0Error code: 0x80240016Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
6/10/2012 4:09:56 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures.New Signature Version: Previous Signature Version: 1.127.1680.0Update Source: Microsoft Update ServerUpdate Stage: InstallSource Path: http://www.microsoft.comSignature Type: AntiVirusUpdate Type: FullUser: NT AUTHORITY\SYSTEMCurrent Engine Version: Previous Engine Version: 1.1.8403.0Error code: 0x80240016Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
6/10/2012 4:09:56 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures.New Signature Version: Previous Signature Version: 1.127.1680.0Update Source: Microsoft Update ServerUpdate Stage: DownloadSource Path: http://www.microsoft.comSignature Type: AntiVirusUpdate Type: FullUser: NT AUTHORITY\SYSTEMCurrent Engine Version: Previous Engine Version: 1.1.8403.0Error code: 0x80240016Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
6/10/2012 2:22:59 PM, error: ati2mtag [43015] - I2c return failed
6/10/2012 12:03:20 PM, error: AmdK8 [2] - The Acpi 2.0 _PCT object returned an invalid value of 3
6/10/2012 10:46:43 AM, error: ati2mtag [43016] - Not an EDID device
.
==== End Of File ===========================
 
Let's check this system:

Please run the MGA Diagnostics tool
  • You will be prompted to either “Run” or “Save” the tool. Choose to “Run” the tool and follow the on-screen prompts.
  • You will receive an Internet Explorer-Security Warning dialog box for the Windows Genuine Advantage Diagnostic Tool.
  • You must choose to Run this tool when prompted.
  • Once you are presented with the Diagnostics tool choose Continue to run the diagnostic report.
  • If the RESOLVE button is available after running the diagnostics, please click RESOLVE to allow the diagnostic tool to attempt a repair.
  • After running the MGA Diagnostic tool, click on the Windows tab and then click on Copy
  • Please return to this thread and Paste the results here for review.
------------------------------------------
This tool will look on the computer itself, in the documentation you received with the computer or with your retail purchase of Windows to see if you have a Certificate of Authenticity (COA). If you have one, tell us about the COA. Tell us:

1. What edition of Windows XP is it for, Home, Pro, or Media Center, or another version of Windows?
2. Does it read "OEM Software" or "OEM Product" in black lettering?
3. Or, does it have the computer manufacturer's name in black lettering?
4. DO NOT post the Product Key.

NOTE: The data collected with the Genuine Diagnostics Tool does NOT contain any information that can personally identify you and can be fully reviewed, by you, before being posted.
=============================================
Then go ahead with the following:
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.
--------------------------------------

  • Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
    • Note: No query will be made if the Recovery Console is already on the system.
  • Close any open browsers.
  • Before you run the Combofix scan, please disable any security software you have running.
    (If you need help with this, please see HERE)
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • When the scan completes, a report will be generated and will open in a text window. Please paste the C:\ComboFix.txt in your next reply.

Re-enable your Antivirus software.
Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
====================================================

My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in the cleaning process.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't follow directions given to someone else
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
Threads are closed after 5 days if there is no reply.
 
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-GD6GR-K6DP3-4C8MT
Windows Product Key Hash: s2kt66ZJWfV4nS1wFD5F9bxTSDw=
Windows Product ID: 76477-OEM-2111907-00102
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010300.3.0.hom
ID: {8489E762-0B18-498E-906A-255E36CCEB5B}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.7.69.2
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 100 Genuine
Microsoft Word 2002 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: c:\program files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{8489E762-0B18-498E-906A-255E36CCEB5B}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010300.3.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-4C8MT</PKey><PID>76477-OEM-2111907-00102</PID><PIDType>2</PIDType><SID>S-1-5-21-815810583-3155536409-2577804381</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>Inspiron 1501 </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>2.6.1 </Version><SMBIOSVersion major="2" minor="4"/><Date>20060823000000.000000+000</Date><SLPBIOS>Dell System,Dell Computer,Dell System,Dell System</SLPBIOS></BIOS><HWID>64BC33E70184206E</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Dell Inspiron 1501</name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{911B0409-6000-11D3-8CFE-0050048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Word 2002</Name><Ver>10</Ver><Val>62A4EAC3B9ACA0A</Val><Hash>oYFJkmRdgrdNVD6wKZKJMnTn5To=</Hash><Pid>54189-OEM-1650002-00005</Pid><PidType>16</PidType></Product></Products><Applications><App Id="1B" Version="10" Result="100"/></Applications></Office></Software></GenuineResults>
Licensing Data-->
N/A
Windows Activation Technologies-->
N/A
HWID Data-->
N/A
OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 1E832:Dell Inc|1075C:Dell Inc|1075C:Microsoft Corporation
Marker string from OEMBIOS.DAT: Dell System,Dell Computer,Dell System,Dell System
OEM Activation 2.0 Data-->
N/A
 
I do not have the COA. The product code on the sticker on the bottom of the laptop does not match the one found in the post above.

Working on ComboFix. I had previously run it and need to do the uninstall.
 
ComboFix 12-06-12.03 - Mom 06/12/2012 20:57:06.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.459 [GMT -4:00]
Running from: c:\documents and settings\Mom\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Mom\Application Data\alot
c:\documents and settings\Mom\Application Data\Dealio
c:\documents and settings\Mom\Application Data\Dealio\res\widgets.xml
c:\documents and settings\Mom\Application Data\Dealio\temp\http___www_dealio_com_rss_coupons-deals_dotd_.xml
.
.
((((((((((((((((((((((((( Files Created from 2012-05-13 to 2012-06-13 )))))))))))))))))))))))))))))))
.
.
2012-06-13 00:35 . 2012-06-13 00:35--------d-----w-c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2012-06-12 22:36 . 2012-05-08 13:406737808----a-w-c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1A7B36F6-A527-4586-8401-75E40B423F21}\mpengine.dll
2012-06-12 00:25 . 2012-05-08 13:406737808----a-w-c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-06-11 20:17 . 2012-06-11 20:17--------d-sh--w-c:\documents and settings\NetworkService\IETldCache
2012-06-11 20:16 . 2012-06-11 20:16--------d-sh--w-c:\documents and settings\Samantha\IETldCache
2012-06-10 20:51 . 2012-06-10 20:52--------d-----w-c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2012-06-10 20:48 . 2012-06-10 20:48--------d-----w-c:\documents and settings\Mom\Application Data\Windows Desktop Search
2012-06-10 20:47 . 2012-06-12 00:12--------d-----w-c:\program files\Windows Desktop Search
2012-06-10 20:47 . 2012-06-10 20:47--------d-----w-c:\windows\system32\GroupPolicy
2012-06-10 20:42 . 2008-03-07 17:0298304------w-c:\windows\system32\dllcache\nlhtml.dll
2012-06-10 20:42 . 2008-03-07 17:0229696------w-c:\windows\system32\dllcache\mimefilt.dll
2012-06-10 20:42 . 2008-03-07 17:02192000------w-c:\windows\system32\dllcache\offfilt.dll
2012-06-10 20:42 . 2006-11-02 00:4833664----a-w-c:\windows\system32\drivers\BCMWLNPF.SYS
2012-06-10 20:41 . 2006-11-02 00:481392640----a-w-c:\windows\system32\WLTRAY.EXE
2012-06-10 20:04 . 2012-06-10 20:04--------d-sh--w-c:\documents and settings\Mom\IECompatCache
2012-06-10 20:03 . 2012-06-10 20:03--------d-sh--w-c:\documents and settings\Mom\PrivacIE
2012-06-10 20:00 . 2012-06-10 20:00--------d-sh--w-c:\documents and settings\Mom\IETldCache
2012-06-10 19:57 . 2012-06-10 19:57--------d-sh--w-c:\documents and settings\LocalService\IETldCache
2012-06-10 19:27 . 2011-08-16 10:456144------w-c:\windows\system32\dllcache\iecompat.dll
2012-06-10 19:25 . 2012-03-01 11:0112800------w-c:\windows\system32\dllcache\xpshims.dll
2012-06-10 19:25 . 2012-03-01 11:01247808------w-c:\windows\system32\dllcache\ieproxy.dll
2012-06-10 19:25 . 2012-03-01 11:01743424------w-c:\windows\system32\dllcache\iedvtool.dll
2012-06-10 19:21 . 2012-06-10 19:24--------dc-h--w-c:\windows\ie8
2012-06-10 18:23 . 2012-06-10 18:33--------d-----w-c:\documents and settings\Mom\Application Data\JAM Software
2012-06-10 15:53 . 2010-09-18 06:53953856------w-c:\windows\system32\dllcache\mfc40u.dll
2012-06-10 15:49 . 2010-08-23 16:12617472------w-c:\windows\system32\dllcache\comctl32.dll
2012-06-10 15:45 . 2010-11-02 15:1740960------w-c:\windows\system32\dllcache\ndproxy.sys
2012-06-10 15:44 . 2011-04-21 13:37105472------w-c:\windows\system32\dllcache\mup.sys
2012-06-10 15:40 . 2010-10-11 14:5945568------w-c:\windows\system32\dllcache\wab.exe
2012-06-10 15:40 . 2011-07-08 14:0210496------w-c:\windows\system32\dllcache\ndistapi.sys
2012-06-10 15:40 . 2012-01-11 19:063072------w-c:\windows\system32\iacenc.dll
2012-06-10 15:40 . 2012-01-11 19:063072------w-c:\windows\system32\dllcache\iacenc.dll
2012-06-10 15:37 . 2012-01-09 16:20139784------w-c:\windows\system32\dllcache\rdpwd.sys
2012-06-10 14:29 . 2008-06-13 11:05272128------w-c:\windows\system32\dllcache\bthport.sys
2012-06-10 14:29 . 2011-02-17 13:18357888------w-c:\windows\system32\dllcache\srv.sys
2012-06-10 14:29 . 2011-07-15 13:29456320------w-c:\windows\system32\dllcache\mrxsmb.sys
2012-06-10 14:29 . 2009-11-21 15:51471552------w-c:\windows\system32\dllcache\aclayers.dll
2012-06-10 14:26 . 2008-10-15 16:34337408------w-c:\windows\system32\dllcache\netapi32.dll
2012-06-10 14:26 . 2011-02-17 12:325120----a-w-c:\windows\system32\xpsp4res.dll
2012-06-10 14:26 . 2010-07-12 12:55218112------w-c:\windows\system32\dllcache\wordpad.exe
2012-06-10 14:09 . 2012-06-10 14:09--------d-----w-c:\windows\system32\scripting
2012-06-10 14:09 . 2012-06-10 14:09--------d-----w-c:\windows\l2schemas
2012-06-10 14:09 . 2012-06-10 14:09--------d-----w-c:\windows\system32\en
2012-06-10 14:09 . 2012-06-10 14:09--------d-----w-c:\windows\system32\bits
2012-06-10 13:57 . 2012-06-10 13:57426184----a-w-c:\windows\system32\FlashPlayerApp.exe
2012-06-10 13:57 . 2012-06-10 13:5770344----a-w-c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-10 13:52 . 2012-06-10 13:52--------d-----w-c:\windows\EHome
2012-06-10 13:22 . 2008-04-14 00:1269120------w-c:\windows\system32\wlanapi.dll
2012-06-10 13:22 . 2004-08-04 02:2925471------w-c:\windows\system32\drivers\watv10nt.sys
2012-06-10 13:22 . 2004-08-04 02:2922271------w-c:\windows\system32\drivers\watv06nt.sys
2012-06-10 13:22 . 2008-04-13 18:4314208------w-c:\windows\system32\drivers\wacompen.sys
2012-06-10 13:22 . 2004-08-04 02:2911935------w-c:\windows\system32\drivers\wadv11nt.sys
2012-06-10 13:22 . 2004-08-04 02:2911871------w-c:\windows\system32\drivers\wadv09nt.sys
2012-06-10 13:22 . 2004-08-04 02:2911807------w-c:\windows\system32\drivers\wadv07nt.sys
2012-06-10 13:22 . 2004-08-04 02:2911295------w-c:\windows\system32\drivers\wadv08nt.sys
2012-06-10 13:22 . 2008-04-14 00:1211325------w-c:\windows\system32\drivers\vchnt5.dll
2012-06-10 13:22 . 2008-04-13 18:5612800------w-c:\windows\system32\drivers\usb8023x.sys
2012-06-10 13:20 . 2004-08-04 02:41180360------w-c:\windows\system32\drivers\ntmtlfax.sys
2012-06-10 13:19 . 2008-04-14 00:1137376------w-c:\windows\system32\l2gpstore.dll
2012-06-10 13:19 . 2008-04-14 00:1161440------w-c:\windows\system32\kmsvc.dll
2012-06-10 13:19 . 2008-04-14 00:096144------w-c:\windows\system32\kbdpash.dll
2012-06-10 13:19 . 2008-04-14 00:096144------w-c:\windows\system32\kbdnepr.dll
2012-06-10 13:19 . 2008-04-14 00:096144------w-c:\windows\system32\kbdiultn.dll
2012-06-10 13:19 . 2008-04-14 00:096144------w-c:\windows\system32\kbdbhc.dll
2012-06-10 13:17 . 2008-04-14 00:1112800------w-c:\windows\system32\credssp.dll
2012-06-09 17:06 . 2012-01-31 12:44237072------w-c:\windows\system32\MpSigStub.exe
2012-06-09 17:02 . 2012-06-09 17:03--------d-----w-c:\program files\Microsoft Security Client
2012-06-09 13:40 . 2012-06-09 13:40--------d-----w-C:\TDSSKiller_Quarantine
2012-06-09 13:13 . 2012-06-09 13:13--------d-----w-c:\program files\VS Revo Group
2012-06-09 03:16 . 2012-06-09 03:16--------d-----w-c:\documents and settings\Mom\Application Data\Malwarebytes
2012-06-09 03:16 . 2012-06-09 03:16--------d-----w-c:\documents and settings\All Users\Application Data\Malwarebytes
2012-06-09 03:16 . 2012-06-09 12:19--------d-----w-c:\program files\Malwarebytes' Anti-Malware
2012-06-09 03:16 . 2012-04-04 19:5622344----a-w-c:\windows\system32\drivers\mbam.sys
2012-06-09 03:06 . 2012-06-09 21:24--------d-----w-c:\windows\system32\MpEngineStore
2012-05-31 13:22 . 2012-05-31 13:22599040------w-c:\windows\system32\dllcache\crypt32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-31 13:22 . 2004-08-10 17:50599040----a-w-c:\windows\system32\crypt32.dll
2012-04-11 13:14 . 2004-08-10 17:512148352----a-w-c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12 . 2004-08-10 17:511862272----a-w-c:\windows\system32\win32k.sys
2012-04-11 12:35 . 2004-08-04 03:592026496----a-w-c:\windows\system32\ntkrnlpa.exe
2012-03-21 00:44 . 2012-03-21 00:44171064----a-w-c:\windows\system32\drivers\MpFilter.sys
2006-11-20 13:01 . 2006-11-20 13:01163840----a-w-c:\program files\Common Files\AMCap.exe
.
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-23 19:23 . 2007-07-30 16:4016384c:\dell\bak\dsca.exe
.
2007-10-23 19:23 . 2007-05-24 19:0317920c:\dell\E-Center\bak\EULALauncher.exe
.
2007-10-02 19:45 . 2007-10-02 19:4567488c:\program files\Adobe\Photoshop Elements 6.0\bak\apdproxy.exe
.
2007-05-11 08:06 . 2007-05-11 08:0640048c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
.
2006-05-10 15:12 . 2006-05-10 15:1290112c:\program files\ATI Technologies\ATI.ACE\bak\CLIStart.exe
.
2007-03-01 15:37 . 2007-03-01 15:372321600c:\program files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe
.
2006-10-03 16:37 . 2006-10-03 16:3781920c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe
.
2006-10-03 16:35 . 2006-10-03 16:35221184c:\program files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe
.
2006-11-05 16:22 . 2006-11-05 16:22221184c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\bak\RoxWatchTray9.exe
.
2007-10-23 19:15 . 2005-12-10 01:2949152c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe
.
2007-10-23 19:10 . 2007-02-20 17:291191936c:\program files\Dell\QuickSet\bak\quickset.exe
.
2007-03-15 17:09 . 2007-03-15 17:09460784c:\program files\DellSupport\bak\DSAgnt.exe
.
2007-10-29 17:42 . 2007-10-29 17:4268856c:\program files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe
.
2007-12-11 17:10 . 2007-12-11 17:10267048c:\program files\iTunes\bak\iTunesHelper.exe
2008-02-04 18:18 . 2008-02-04 18:18267048c:\program files\iTunes\iTunesHelper.exe
.
2004-08-10 18:01 . 2004-10-13 16:241694208c:\program files\Messenger\bak\msmsgs.exe
2012-06-10 13:20 . 2008-04-14 00:121695232c:\program files\Messenger\msmsgs.exe
.
2007-10-23 19:15 . 2003-09-10 07:2420480c:\program files\NetWaiting\bak\netWaiting.exe
.
2007-12-11 15:56 . 2007-12-11 15:56286720c:\program files\QuickTime\bak\qttask.exe
.
2006-08-17 14:00 . 2006-08-17 14:001116920c:\program files\Roxio\Drag-to-Disc\bak\DrgToDsc.exe
.
2007-10-23 19:09 . 2006-09-22 16:47761947c:\program files\Synaptics\SynTP\bak\SynTPEnh.exe
.
2007-10-23 18:44 . 2005-12-19 20:081347584c:\windows\system32\bak\WLTRAY.exe
2012-06-10 20:41 . 2006-11-02 00:481392640c:\windows\system32\WLTRAY.EXE
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{2bae58c2-79f9-45d1-a286-81f911301c3a}"= "c:\program files\P2P_Energy\prxtbP2P2.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{2bae58c2-79f9-45d1-a286-81f911301c3a}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2bae58c2-79f9-45d1-a286-81f911301c3a}]
2011-05-09 09:49176936----a-w-c:\program files\P2P_Energy\prxtbP2P2.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{442AE524-EBA5-4b17-82F3-888D68BC999A}]
2009-11-24 19:27252416----a-w-c:\program files\oovootb\auxi\oovooAu.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1FB2F9A-D35E-11DD-8935-E46A56D89593}]
2009-11-24 21:3587512----a-w-c:\program files\oovootb\oovoodx.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-02-26 15:25809864----a-w-c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-26 809864]
"{A1FB2F9A-D35E-11DD-8935-E46A56D89593}"= "c:\program files\oovootb\oovoodx.dll" [2009-11-24 87512]
"{2bae58c2-79f9-45d1-a286-81f911301c3a}"= "c:\program files\P2P_Energy\prxtbP2P2.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CLASSES_ROOT\clsid\{a1fb2f9a-d35e-11dd-8935-e46a56d89593}]
.
[HKEY_CLASSES_ROOT\clsid\{2bae58c2-79f9-45d1-a286-81f911301c3a}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-26 809864]
"{2BAE58C2-79F9-45D1-A286-81F911301C3A}"= "c:\program files\P2P_Energy\prxtbP2P2.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CLASSES_ROOT\clsid\{2bae58c2-79f9-45d1-a286-81f911301c3a}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"%PROVIDERID%"="bin\sprtcmd.exe" [N/A]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-02 1392640]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WNA1100 Smart Wizard.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR WNA1100 Smart Wizard.lnk
backup=c:\windows\pss\NETGEAR WNA1100 Smart Wizard.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VersionTrackerPro.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VersionTrackerPro.lnk
backup=c:\windows\pss\VersionTrackerPro.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:1215360----a-w-c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-02-04 18:18267048----a-w-c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2009-07-24 20:05118640----a-w-c:\program files\Microsoft LifeCam\LifeExp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeExp]
2009-07-24 20:05118640----a-w-c:\program files\Microsoft LifeCam\LifeExp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ManyCam]
2008-10-14 06:021791272----a-w-c:\program files\ManyCam 2.3\ManyCam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
2006-11-03 15:01319488----a-w-c:\windows\PixArt\PAC207\Monitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PAC207_Monitor]
2006-11-03 15:01319488----a-w-c:\windows\PixArt\PAC207\Monitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-09-22 16:06282624----a-w-c:\windows\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-06-02 15:5624264488----a-r-c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
2009-03-17 18:24721936----a-w-c:\windows\vVX3000.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 00:05204288------w-c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
.
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/21/2007 12:25 AM 24652]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [6/10/2012 9:57 AM 257224]
S3 AR9271;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [8/19/2011 2:01 PM 1723840]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam.sys --> c:\windows\system32\DRIVERS\ManyCam.sys [?]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2/9/2010 2:48 AM 30560]
S3 PAC207;PC Camera;c:\windows\system32\drivers\PFC027.SYS [10/25/2007 6:31 PM 616064]
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-10 13:57]
.
2012-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-815810583-3155536409-2577804381-1006Core.job
- c:\documents and settings\Samantha\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-08 20:07]
.
2012-06-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-815810583-3155536409-2577804381-1006UA.job
- c:\documents and settings\Samantha\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-08 20:07]
.
2012-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-815810583-3155536409-2577804381-1007Core.job
- c:\documents and settings\Mom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-08 04:33]
.
2012-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-815810583-3155536409-2577804381-1007UA.job
- c:\documents and settings\Mom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-08 04:33]
.
2012-06-13 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 21:03]
.
2012-06-12 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-02-26 15:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1071023
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1071023
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Mom\Start Menu\Programs\IMVU\Run IMVU.lnk
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
FF - ProfilePath - c:\documents and settings\Mom\Application Data\Mozilla\Firefox\Profiles\30ctqk28.default\
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-12 21:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(808)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2012-06-12 21:10:12
ComboFix-quarantined-files.txt 2012-06-13 01:10
ComboFix2.txt 2012-06-09 14:04
.
Pre-Run: 49,222,950,912 bytes free
Post-Run: 49,298,067,456 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - B87B341DE825ADD6A10408BCF0E863D3
 
The ComboFix.txt file was 750kb due to installing a massive amount of Windows updates over the weekend, including SP3. I removed the Snapshot section of the file so I could post the results.

I was suspicious of the Dealio toolbar. That was a BHO and possibly the cause of the DeepDive warning from Spybot.
 
Due to a lack of additional responses I have moved my inquiry to the SpyBot forum.

Please close this thread.
 
I hope you slept well. Things have been very busy here; I sometimes get behind. However, I will mention that it took quite a while to write the script for all the removals needed for your system! You made it really easy for the system to get malware.

I removed the Snapshot section of the file so I could post the results.
Do not remove any entries from a log. Split the reply into 2 posts if necessary.
=========================================

Please run this Custom CFScript:

  • [1]. Close any open browsers.
  • [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
File::
c:\program files\Viewpoint\Common\ViewpointService.exe
Folder::
AWF::
c:\program files\Messenger\bak\msmsgs.exe
c:\windows\system32\bak\WLTRAY.exe
c:\program files\iTunes\bak\iTunesHelper.exe
 
Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{2bae58c2-79f9-45d1-a286-81f911301c3a}"=-
[HKEY_CLASSES_ROOT\clsid\{2bae58c2-79f9-45d1-a286-81f911301c3a}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2bae58c2-79f9-45d1-a286-81f911301c3a}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{442AE524-EBA5-4b17-82F3-888D68BC999A}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1FB2F9A-D35E-11DD-8935-E46A56D89593}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
"{A1FB2F9A-D35E-11DD-8935-E46A56D89593}"=-
"{2bae58c2-79f9-45d1-a286-81f911301c3a}"=-
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CLASSES_ROOT\clsid\{a1fb2f9a-d35e-11dd-8935-e46a56d89593}]
[HKEY_CLASSES_ROOT\clsid\{2bae58c2-79f9-45d1-a286-81f911301c3a}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
"{2BAE58C2-79F9-45D1-A286-81F911301C3A}"=-
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CLASSES_ROOT\clsid\{2bae58c2-79f9-45d1-a286-81f911301c3a}]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=-
 
Clearjavacache::
 
Driver::
Viewpoint Manager Service
Save this as CFScript.txt, in the same location as ComboFix.exe
(Image: CFScriptB-4.gif)

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
====================
The Dealio Toolbar was just the tip of the malware on your system. As long as they are on the system, you will get malware:
Please uninstall ALL of the following in Add/Remove Programs:
1. Askbar or any other 'ASK' entries
2. P2P_Energy
3. Viewpoint> ALL entries
4. ooVoo Toolbar
5. Internet Service Offers Launcher
6. LimeWire 5.1.3> See P2P Warning
7. LimeWire Music> See P2P Warning

Then use Windows Explorer to access My Computer> Local Drive> Programs> Find Program Folder for each of the uninstalled programs and do a Right click> Delete.
-------------------------------
P2P or 'file sharing' Warning:
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall Limewire and Limewire Music for the following reasons:
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.
Please read the information on P2P Warning to help you better understand these dangers.
=================================
The following are all outdated- Please update:
Note: Check each download screen for any pre-checked Toolbars or BHOs. Uncheck them before the download.
1. Adobe Reader > Current is v(10.xx)> Adobe Reader Update
2. Java(TM) > Current is v7u4 Java Updates .
Uninstall any earlier versions of both as they are vulnerabilities for the system.
3. Firefox: Update to the most current version if you use it. If you don't use it, remove it. You have Firefox v3.6.13
=================================
I do not have the COA. The product code on the sticker on the bottom of the laptop does not match the one found in the post above.
Not good.
==================================
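The CFScript above removes the browser add-on load points (URLSearchHooks, Browser Helper Objects, Internet Explorer Toolbar entries) that the "Reg Loading Points" section of the ComboFix log listed. The following Python helper is an added illustration of that triage step; it is not part of this thread, of ComboFix, or of the helper's script. It parses "Reg Loading Points" entries as they appear in the forum copy (with the tab-separated time, size, attribute and path fields collapsed together), groups the browser add-on load points by CLSID so every place one add-on is registered is visible at once, and prints a `Registry::` block in the same shape as the posted CFScript. The sample log text is constructed from entries quoted in this thread; all function names are my own, and whether ComboFix accepts the generated block unchanged is not verified here (the layout simply mirrors the posted script).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the shape of the "Reg Loading Points" section of the
# ComboFix log quoted in this thread.  The whitespace between the file-line
# fields (time, size, attributes, path) is collapsed as in the forum copy.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{2bae58c2-79f9-45d1-a286-81f911301c3a}"= "c:\program files\P2P_Energy\prxtbP2P2.dll" [2011-05-09 176936]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2bae58c2-79f9-45d1-a286-81f911301c3a}]
2011-05-09 09:49176936----a-w-c:\program files\P2P_Energy\prxtbP2P2.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-02-26 15:25809864----a-w-c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-26 809864]
"{2bae58c2-79f9-45d1-a286-81f911301c3a}"= "c:\program files\P2P_Energy\prxtbP2P2.dll" [2011-05-09 176936]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                      # [HKEY_...]
VALUE_RE = re.compile(r'^"([^"]+)"=\s*"([^"]*)"')        # "name"= "path" [date size]
# date time, then size digits, then exactly 8 attribute chars, then the path;
# \s* between fields accepts both the original tabs and the collapsed form.
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s*(\d+)\s*([-a-z]{8})\s*(.+)$")
CLSID_RE = re.compile(r"\{[0-9a-fA-F-]{36}\}")

# Key fragments that mark Internet Explorer add-on load points (hypothetical
# selection for this example; taken from the keys listed in the thread's log).
BROWSER_ADDON_KEYS = ("URLSearchHooks", "Browser Helper Objects", "Internet Explorer\\Toolbar")


@dataclass
class LoadPoint:
    key: str                    # registry key the entry was listed under
    value_name: Optional[str]   # value name if the log showed a "name"= line
    path: str                   # module that gets loaded
    clsid: Optional[str]        # CLSID found in the value name or key, if any


def _clsid(text: str) -> Optional[str]:
    m = CLSID_RE.search(text)
    return m.group(0) if m else None


def parse_reg_loading_points(text: str) -> List[LoadPoint]:
    """Turn a 'Reg Loading Points' excerpt into LoadPoint records."""
    entries: List[LoadPoint] = []
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":       # ComboFix uses bare dots as spacers
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        if current_key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            name, path = m.groups()
            entries.append(LoadPoint(current_key, name, path, _clsid(name)))
            continue
        m = FILE_RE.match(line)
        if m:                             # file line: the CLSID lives in the key
            entries.append(LoadPoint(current_key, None, m.group(4), _clsid(current_key)))
    return entries


def browser_addons(entries: List[LoadPoint]) -> List[LoadPoint]:
    """Keep only entries registered under IE add-on keys."""
    return [e for e in entries if any(frag in e.key for frag in BROWSER_ADDON_KEYS)]


def group_by_clsid(entries: List[LoadPoint]) -> Dict[str, List[LoadPoint]]:
    """Map each CLSID (case-insensitive) to every load point that references it."""
    groups: Dict[str, List[LoadPoint]] = {}
    for e in entries:
        if e.clsid:
            groups.setdefault(e.clsid.lower(), []).append(e)
    return groups


def build_cfscript_registry(entries: List[LoadPoint]) -> str:
    """Emit a Registry:: block laid out like the CFScript posted in this thread:
    a [key] header, then "name"=- for each value listed under it."""
    lines = ["Registry::"]
    last_key = None
    for e in entries:
        if e.key != last_key:
            lines.append(f"[{e.key}]")
            last_key = e.key
        if e.value_name is not None:
            lines.append(f'"{e.value_name}"=-')
    return "\n".join(lines)


if __name__ == "__main__":
    addons = browser_addons(parse_reg_loading_points(SAMPLE_LOG))
    for clsid, points in group_by_clsid(addons).items():
        print(clsid, "->", sorted({p.path for p in points}))
    print(build_cfscript_registry(addons))
```

Grouping by CLSID is the useful part for a cleanup like this one: the same `{2bae58c2-...}` add-on is registered as a URL search hook, a BHO and a toolbar, and all three locations have to go together or the add-on is simply re-registered from the one that was missed.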
 
Thanks for the detailed response on my thread. As I said in the first post, I am cleaning it for a friend, a much younger friend. I've warned her about toolbars, I knew about the dangers of Limewire, haven't mentioned that yet. I will tell her to read the thread to get an idea of what is dangerous.

Last night I removed all the programs you mentioned except Viewpoint, didn't know what it was. Firefox and Adobe were updated earlier in the week. I'm not sure Firefox was ever used. I will update Java.

I don't understand why the COAs don't match since it's a Dell branded Win XP and utilities installed. Windows Genuine Advantage passes. They gave me the original Dell Win XP & utilities disks if I have to reinstall. I don't really want to do that.

Thanks again!

Dave

ComboFix 12-06-12.03 - Mom 06/17/2012 12:47:59.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.380 [GMT -4:00]
Running from: c:\documents and settings\Mom\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mom\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((( Files Created from 2012-05-17 to 2012-06-17 )))))))))))))))))))))))))))))))
.
.
2012-06-17 16:01 . 2005-11-10 18:03 49265 ----a-w- c:\windows\system32\jpicpl32.cpl
2012-06-17 13:13 . 2012-06-17 13:13 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DB618EBB-548E-43D1-B373-A9E2682CEF9D}\offreg.dll
2012-06-17 13:03 . 2012-06-17 13:03 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DB618EBB-548E-43D1-B373-A9E2682CEF9D}\MpKsl33dac9da.sys
2012-06-17 12:59 . 2012-06-17 12:59 -------- d-----w- c:\program files\ERUNT
2012-06-16 00:10 . 2012-05-08 13:40 6737808 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DB618EBB-548E-43D1-B373-A9E2682CEF9D}\mpengine.dll
2012-06-16 00:03 . 2012-06-16 00:03 -------- d-----w- c:\documents and settings\Mom\Application Data\oovootb
2012-06-15 23:34 . 2012-06-15 23:34 -------- d-----w- c:\documents and settings\Mom\Application Data\Windows Search
2012-06-13 00:35 . 2012-06-13 00:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2012-06-12 00:25 . 2012-05-08 13:40 6737808 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-06-12 00:15 . 2012-06-12 00:15 -------- d-----w- c:\documents and settings\Samantha\Application Data\Windows Desktop Search
2012-06-11 20:17 . 2012-06-11 20:17 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2012-06-11 20:16 . 2012-06-11 20:16 -------- d-sh--w- c:\documents and settings\Samantha\IETldCache
2012-06-10 20:51 . 2012-06-10 20:52 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2012-06-10 20:48 . 2012-06-10 20:48 -------- d-----w- c:\documents and settings\Mom\Application Data\Windows Desktop Search
2012-06-10 20:47 . 2012-06-12 00:12 -------- d-----w- c:\program files\Windows Desktop Search
2012-06-10 20:47 . 2012-06-10 20:47 -------- d-----w- c:\windows\system32\GroupPolicy
2012-06-10 20:42 . 2008-03-07 17:02 98304 ------w- c:\windows\system32\dllcache\nlhtml.dll
2012-06-10 20:42 . 2008-03-07 17:02 29696 ------w- c:\windows\system32\dllcache\mimefilt.dll
2012-06-10 20:42 . 2008-03-07 17:02 192000 ------w- c:\windows\system32\dllcache\offfilt.dll
2012-06-10 20:42 . 2006-11-02 00:48 33664 ----a-w- c:\windows\system32\drivers\BCMWLNPF.SYS
2012-06-10 20:41 . 2006-11-02 00:48 1392640 ----a-w- c:\windows\system32\WLTRAY.EXE
2012-06-10 20:04 . 2012-06-10 20:04 -------- d-sh--w- c:\documents and settings\Mom\IECompatCache
2012-06-10 20:03 . 2012-06-10 20:03 -------- d-sh--w- c:\documents and settings\Mom\PrivacIE
2012-06-10 20:00 . 2012-06-10 20:00 -------- d-sh--w- c:\documents and settings\Mom\IETldCache
2012-06-10 19:57 . 2012-06-10 19:57 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-06-10 19:27 . 2011-08-16 10:45 6144 ------w- c:\windows\system32\dllcache\iecompat.dll
2012-06-10 19:25 . 2012-03-01 11:01 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2012-06-10 19:25 . 2012-03-01 11:01 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2012-06-10 19:25 . 2012-03-01 11:01 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2012-06-10 19:21 . 2012-06-10 19:24 -------- dc-h--w- c:\windows\ie8
2012-06-10 18:23 . 2012-06-10 18:33 -------- d-----w- c:\documents and settings\Mom\Application Data\JAM Software
2012-06-10 15:53 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2012-06-10 15:49 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2012-06-10 15:45 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2012-06-10 15:44 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys
2012-06-10 15:40 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe
2012-06-10 15:40 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
2012-06-10 15:40 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-06-10 15:40 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\dllcache\iacenc.dll
2012-06-10 15:37 . 2012-01-09 16:20 139784 ------w- c:\windows\system32\dllcache\rdpwd.sys
2012-06-10 14:29 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2012-06-10 14:29 . 2011-02-17 13:18 357888 ------w- c:\windows\system32\dllcache\srv.sys
2012-06-10 14:29 . 2011-07-15 13:29 456320 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2012-06-10 14:29 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2012-06-10 14:26 . 2008-10-15 16:34 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2012-06-10 14:26 . 2011-02-17 12:32 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2012-06-10 14:26 . 2010-07-12 12:55 218112 ------w- c:\windows\system32\dllcache\wordpad.exe
2012-06-10 14:09 . 2012-06-10 14:09 -------- d-----w- c:\windows\system32\scripting
2012-06-10 14:09 . 2012-06-10 14:09 -------- d-----w- c:\windows\l2schemas
2012-06-10 14:09 . 2012-06-10 14:09 -------- d-----w- c:\windows\system32\en
2012-06-10 14:09 . 2012-06-10 14:09 -------- d-----w- c:\windows\system32\bits
2012-06-10 13:57 . 2012-06-10 13:57 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-10 13:57 . 2012-06-10 13:57 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-10 13:52 . 2012-06-10 13:52 -------- d-----w- c:\windows\EHome
2012-06-10 13:22 . 2008-04-14 00:12 69120 ------w- c:\windows\system32\wlanapi.dll
2012-06-10 13:22 . 2004-08-04 02:29 25471 ------w- c:\windows\system32\drivers\watv10nt.sys
2012-06-10 13:22 . 2004-08-04 02:29 22271 ------w- c:\windows\system32\drivers\watv06nt.sys
2012-06-10 13:22 . 2008-04-13 18:43 14208 ------w- c:\windows\system32\drivers\wacompen.sys
2012-06-10 13:22 . 2004-08-04 02:29 11935 ------w- c:\windows\system32\drivers\wadv11nt.sys
2012-06-10 13:22 . 2004-08-04 02:29 11871 ------w- c:\windows\system32\drivers\wadv09nt.sys
2012-06-10 13:22 . 2004-08-04 02:29 11807 ------w- c:\windows\system32\drivers\wadv07nt.sys
2012-06-10 13:22 . 2004-08-04 02:29 11295 ------w- c:\windows\system32\drivers\wadv08nt.sys
2012-06-10 13:22 . 2008-04-14 00:12 11325 ------w- c:\windows\system32\drivers\vchnt5.dll
2012-06-10 13:22 . 2008-04-13 18:56 12800 ------w- c:\windows\system32\drivers\usb8023x.sys
2012-06-10 13:20 . 2004-08-04 02:41 180360 ------w- c:\windows\system32\drivers\ntmtlfax.sys
2012-06-10 13:19 . 2008-04-14 00:11 37376 ------w- c:\windows\system32\l2gpstore.dll
2012-06-10 13:19 . 2008-04-14 00:11 61440 ------w- c:\windows\system32\kmsvc.dll
2012-06-10 13:19 . 2008-04-14 00:09 6144 ------w- c:\windows\system32\kbdpash.dll
2012-06-10 13:19 . 2008-04-14 00:09 6144 ------w- c:\windows\system32\kbdnepr.dll
2012-06-10 13:19 . 2008-04-14 00:09 6144 ------w- c:\windows\system32\kbdiultn.dll
2012-06-10 13:19 . 2008-04-14 00:09 6144 ------w- c:\windows\system32\kbdbhc.dll
2012-06-10 13:17 . 2008-04-14 00:11 12800 ------w- c:\windows\system32\credssp.dll
2012-06-09 17:06 . 2012-01-31 12:44 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-06-09 17:02 . 2012-06-09 17:03 -------- d-----w- c:\program files\Microsoft Security Client
2012-06-09 13:40 . 2012-06-09 13:40 -------- d-----w- C:\TDSSKiller_Quarantine
2012-06-09 13:13 . 2012-06-09 13:13 -------- d-----w- c:\program files\VS Revo Group
2012-06-09 05:07 . 2012-06-09 05:07 -------- d-----w- c:\documents and settings\Samantha\Application Data\Malwarebytes
2012-06-09 03:16 . 2012-06-09 03:16 -------- d-----w- c:\documents and settings\Mom\Application Data\Malwarebytes
2012-06-09 03:16 . 2012-06-09 03:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-06-09 03:16 . 2012-06-09 12:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-09 03:16 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-09 03:06 . 2012-06-09 21:24 -------- d-----w- c:\windows\system32\MpEngineStore
2012-05-31 13:22 . 2012-05-31 13:22 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-31 13:22 . 2004-08-10 17:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-04-11 13:14 . 2004-08-10 17:51 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12 . 2004-08-10 17:51 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35 . 2004-08-04 03:59 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-21 00:44 . 2012-03-21 00:44 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2006-11-20 13:01 . 2006-11-20 13:01 163840 ----a-w- c:\program files\Common Files\AMCap.exe
2012-06-16 00:45 . 2012-06-16 00:45 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-23 19:23 . 2007-07-30 16:40 16384 c:\dell\bak\dsca.exe
.
2007-10-23 19:23 . 2007-05-24 19:03 17920 c:\dell\E-Center\bak\EULALauncher.exe
.
2007-10-02 19:45 . 2007-10-02 19:45 67488 c:\program files\Adobe\Photoshop Elements 6.0\bak\apdproxy.exe
.
2007-05-11 08:06 . 2007-05-11 08:06 40048 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
.
2006-05-10 15:12 . 2006-05-10 15:12 90112 c:\program files\ATI Technologies\ATI.ACE\bak\CLIStart.exe
.
2007-03-01 15:37 . 2007-03-01 15:37 2321600 c:\program files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe
.
2006-10-03 16:37 . 2006-10-03 16:37 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe
.
2006-10-03 16:35 . 2006-10-03 16:35 221184 c:\program files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe
.
2006-11-05 16:22 . 2006-11-05 16:22 221184 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\bak\RoxWatchTray9.exe
.
2007-10-23 19:15 . 2005-12-10 01:29 49152 c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe
.
2007-10-23 19:10 . 2007-02-20 17:29 1191936 c:\program files\Dell\QuickSet\bak\quickset.exe
.
2007-03-15 17:09 . 2007-03-15 17:09 460784 c:\program files\DellSupport\bak\DSAgnt.exe
.
2007-10-29 17:42 . 2007-10-29 17:42 68856 c:\program files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe
.
2007-12-11 17:10 . 2007-12-11 17:10 267048 c:\program files\iTunes\bak\iTunesHelper.exe
2008-02-04 18:18 . 2008-02-04 18:18 267048 c:\program files\iTunes\iTunesHelper.exe
.
2004-08-10 18:01 . 2004-10-13 16:24 1694208 c:\program files\Messenger\bak\msmsgs.exe
2012-06-10 13:20 . 2008-04-14 00:12 1695232 c:\program files\Messenger\msmsgs.exe
.
2007-10-23 19:15 . 2003-09-10 07:24 20480 c:\program files\NetWaiting\bak\netWaiting.exe
.
2007-12-11 15:56 . 2007-12-11 15:56 286720 c:\program files\QuickTime\bak\qttask.exe
.
2006-08-17 14:00 . 2006-08-17 14:00 1116920 c:\program files\Roxio\Drag-to-Disc\bak\DrgToDsc.exe
.
2007-10-23 19:09 . 2006-09-22 16:47 761947 c:\program files\Synaptics\SynTP\bak\SynTPEnh.exe
.
2007-10-23 18:44 . 2005-12-19 20:08 1347584 c:\windows\system32\bak\WLTRAY.exe
2012-06-10 20:41 . 2006-11-02 00:48 1392640 c:\windows\system32\WLTRAY.EXE
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"%PROVIDERID%"="bin\sprtcmd.exe" [N/A]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-02 1392640]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WNA1100 Smart Wizard.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR WNA1100 Smart Wizard.lnk
backup=c:\windows\pss\NETGEAR WNA1100 Smart Wizard.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VersionTrackerPro.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VersionTrackerPro.lnk
backup=c:\windows\pss\VersionTrackerPro.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-02-04 18:18 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2009-07-24 20:05 118640 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeExp]
2009-07-24 20:05 118640 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ManyCam]
2008-10-14 06:02 1791272 ----a-w- c:\program files\ManyCam 2.3\ManyCam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
2006-11-03 15:01 319488 ----a-w- c:\windows\PixArt\PAC207\Monitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PAC207_Monitor]
2006-11-03 15:01 319488 ----a-w- c:\windows\PixArt\PAC207\Monitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-09-22 16:06 282624 ----a-w- c:\windows\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-06-02 15:56 24264488 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
2009-03-17 18:24 721936 ----a-w- c:\windows\vVX3000.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 00:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
.
R1 MpKsl33dac9da;MpKsl33dac9da;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DB618EBB-548E-43D1-B373-A9E2682CEF9D}\MpKsl33dac9da.sys [6/17/2012 9:03 AM 29904]
S1 tdx;@%SystemRoot%\system32\tcpipcfg.dll,-50004;c:\windows\system32\DRIVERS\tdx.sys --> c:\windows\system32\DRIVERS\tdx.sys [?]
S2 iphlpsvc;@%SystemRoot%\system32\iphlpsvc.dll,-200;c:\windows\System32\svchost.exe -k NetSvcs [8/10/2004 1:51 PM 14336]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [6/10/2012 9:57 AM 257224]
S3 AR9271;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [8/19/2011 2:01 PM 1723840]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam.sys --> c:\windows\system32\DRIVERS\ManyCam.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [6/15/2012 8:45 PM 129976]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2/9/2010 2:48 AM 30560]
S3 PAC207;PC Camera;c:\windows\system32\drivers\PFC027.SYS [10/25/2007 6:31 PM 616064]
S3 WinDefend;Windows Defender;c:\windows\System32\svchost.exe -k secsvcs [8/10/2004 1:51 PM 14336]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL33DAC9DA
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-10 13:57]
.
2012-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-815810583-3155536409-2577804381-1006Core.job
- c:\documents and settings\Samantha\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-08 20:07]
.
2012-06-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-815810583-3155536409-2577804381-1006UA.job
- c:\documents and settings\Samantha\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-08 20:07]
.
2012-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-815810583-3155536409-2577804381-1007Core.job
- c:\documents and settings\Mom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-08 04:33]
.
2012-06-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-815810583-3155536409-2577804381-1007UA.job
- c:\documents and settings\Mom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-08 04:33]
.
2012-06-17 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 21:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1071023
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1071023
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Mom\Start Menu\Programs\IMVU\Run IMVU.lnk
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
FF - ProfilePath - c:\documents and settings\Mom\Application Data\Mozilla\Firefox\Profiles\30ctqk28.default\
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-17 12:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(800)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(1352)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-06-17 12:59:40
ComboFix-quarantined-files.txt 2012-06-17 16:59
ComboFix2.txt 2012-06-17 16:42
.
Pre-Run: 51,756,572,672 bytes free
Post-Run: 51,817,041,920 bytes free
.
- - End Of File - - 208656FF2AA614CAE8CEC63C678EE0FE
 
Java installed fine now. The network connection is working again. Updated Malwarebytes and Spybot. The MS Security Essentials update failed (a few times), saying to check your internet connection, even after a reboot.
 
Bobbye - What do you think the odds are of removing DeepDive from this computer? What do you think the risks are of leaving it as is? I've had it for 2 weeks; I'm sure she'd like to have it back. I'm thinking about adding a logical partition and moving My Documents to it in preparation for possibly having to reload it. I've always had My Documents on a separate partition to protect them from being lost if the operating system gets corrupted.
 
What do you think the odds are of removing DeepDive from this computer?

There are 2 things you don't want to do on the internet:

1. Post the same problem at the same time in multiple forums. This ties up multiple helpers who could be helping others.

2. Trash a helper in one forum in another forum. Someday you might want help from 'the other' helper.

You have done both, almost word for word:

Malwarebytes.org: 6/15
http://forums.malwarebytes.org/index.php?showtopic=111169 6/15

I submitted this to the Techspot virus and anti-malware removal forum and got some help, but was left hanging. Here's the thread. http://www.techspot....eepdive.181698/

I've followed TechSpot's 5 step removal instructions and have included the logs in the following posts (I don't have the logs with me at work).

Then used your most frequently pasted reply:

Due to a lack of a response I am moving my inquiry to the SpyBot forum. Please close this thread. 6/17

=========================================
Spybot Search & Destroy: 6/17
http://forums.spybot.info/showthread.php?p=427018 6/17
found quite a few trojans in the system restore points
6/17, from the Spybot helper:
First
Please close any other threads you may have open in regards to this problem. It not only wastes valuable helper time/resources but makes it much more difficult if you are acting upon advice from multiple sources.

From you:
The guy at TechSpot got back to me minutes after I posted this thread, after a 5 day delay. I thought he had given up. I will continue to work with him and see if he can resolve it. If not I will come back here and start over. He wrote a custom script for ComboFix, which I ran and posted the log back to the thread. I'll wait and see what he finds.

When you didn't think you got help fast enough, you started your comments again, which were indicated as # of replies.

To which the Moderator answered:
Like all forums, we look for posts with 0 replies, so when you replied to your own topic, we assumed you were being helped. 6/19
=========================================
TechSpot:
Started 6/12, picked up 6/12. And you left the following:
6/13 I have to get up early tomorrow. I hope to see a reply in the morning.
6/14 Help??? Anyone? Anyone?
6/17
Due to a lack of additional responses I have moved my inquiry to the SpyBot forum.
Please close this thread.

Spybot still finds DeepDive. 6/12
--------------------------------
6/17, my reply:
I hope you slept well. Things have been very busy here; sometimes I get behind. However, I will mention that it took quite a while to write the script for all the removals needed for your system! You made it really easy for the system to get malware.

with P2P Warning and script I had started the night before.

I had you run MGA Diagnostic:
I read your comment:
I do not have the COA. The product code on the sticker on the bottom of the laptop does not match the one found in the post above. 6/17

To which I replied: Not good. 6/17
------------------------------
6/17:
Thread closed at member's request.
6/17
You sent message: Thread reopened by member request.
6/17
Malwarebytes still finds DeepDive and can't remove it.

Now, a week later, 6/24, you ask:
What do you think the odds are of removing DeepDive from this computer? What do you think the risks are of leaving it as is? I've had it for 2 weeks,
----------------------
IF you had given me the following information in the beginning:
found quite a few trojans in the system restore points

We would have been done in 2 replies. But you left that on another board. Unfortunately, no one explained what you were seeing.
==============================================
You are trying to fix someone else's computer, for which I imagine you will take full credit. The help on these forums is free, all done by volunteers who give of their time and knowledge to help others.

At the same time they are helping you, they are also juggling 40-60 other threads (+/-)

If you are not satisfied with this arrangement, please feel free to pay several hundred dollars to a professional computer tech who will likely tell you "we'll get to it as soon as we can- we are very busy."

This thread is closed.