TechSpot

[Closed - Posting in multiple forums] Can't remove DeepDive

By CTGull
Jun 12, 2012
  1. I've been cleaning a friend's laptop for the last few days. There were a few trojans that I thought I removed. I did 10 rounds of Windows updates (it hadn't been updated in a couple of years). As a final step I ran Spybot S&D. It found 2 registry keys indicating it was infected with DeepDive. It was unable to remove it because the files were possibly in use. It suggested rebooting so it could run on startup. After running at startup it found DeepDive again, and again couldn't remove it. I've run through this 3 times hoping for a different result. Malwarebytes and MS Security Essentials do not find DeepDive.

    I've followed the 5 step removal instructions and have included the logs in the following posts.
     
  2. CTGull

    CTGull TS Rookie Topic Starter Posts: 17

    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.06.12.01

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Mom :: SAMANTHA [administrator]

    6/11/2012 9:27:38 PM
    mbam-log-2012-06-11 (21-27-38).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 292015
    Time elapsed: 1 hour(s), 31 minute(s), 21 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
     
  3. CTGull

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-06-12 18:23:41
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST9120822AS rev.3.CDD
    Running: b7c4vkeb.exe; Driver: C:\DOCUME~1\Mom\LOCALS~1\Temp\agldypoc.sys
    ---- Devices - GMER 1.0.15 ----
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    ---- EOF - GMER 1.0.15 ----
     
  4. CTGull

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Mom at 18:24:13 on 2012-06-12
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.467 [GMT -4:00]
    .
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    FW: McAfee Firewall *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    c:\Program Files\Microsoft Security Client\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Java\jre6\bin\jqs.exe
    c:\program files\microsoft lifecam\mscams32.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Mom\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleCrashHandler.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1071023
    uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1071023
    uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1071023
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    uURLSearchHooks: H - No File
    uURLSearchHooks: Download Energy Toolbar: {2bae58c2-79f9-45d1-a286-81f911301c3a} - c:\program files\p2p_energy\prxtbP2P2.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Download Energy Toolbar: {2bae58c2-79f9-45d1-a286-81f911301c3a} - c:\program files\p2p_energy\prxtbP2P2.dll
    BHO: Updater For ooVoo Toolbar: {442ae524-eba5-4b17-82f3-888d68bc999a} - c:\program files\oovootb\auxi\oovooAu.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: ooVoo Toolbar: {a1fb2f9a-d35e-11dd-8935-e46a56d89593} - c:\program files\oovootb\oovoodx.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
    BHO: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: ooVoo Toolbar: {a1fb2f9a-d35e-11dd-8935-e46a56d89593} - c:\program files\oovootb\oovoodx.dll
    TB: Download Energy Toolbar: {2bae58c2-79f9-45d1-a286-81f911301c3a} - c:\program files\p2p_energy\prxtbP2P2.dll
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    TB: {61539ECD-CC67-4437-A03C-9AACCBD14326} - No File
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Google Update] "c:\documents and settings\mom\local settings\application data\google\update\GoogleUpdate.exe" /c
    mRun: [%PROVIDERID%] "bin\sprtcmd.exe" /P %PROVIDERID%
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
    IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\mom\start menu\programs\imvu\Run IMVU.lnk
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    Hosts: 127.0.0.1	www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\mom\application data\mozilla\firefox\profiles\30ctqk28.default\
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\documents and settings\mom\application data\facebook\npfbplugin_1_0_1.dll
    FF - plugin: c:\documents and settings\mom\local settings\application data\google\update\1.3.21.111\npGoogleUpdate3.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-12-21 24652]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-6-10 257224]
    S3 AR9271;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [2011-8-19 1723840]
    S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\manycam.sys --> c:\windows\system32\drivers\ManyCam.sys [?]
    S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2010-2-9 30560]
    S3 PAC207;PC Camera;c:\windows\system32\drivers\PFC027.SYS [2007-10-25 616064]
    .
    =============== Created Last 30 ================
    .
    2012-06-12 10:14:20	6737808	----a-w-	c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{32923389-e0fd-4ce2-ba91-8b509e4b6f59}\mpengine.dll
    2012-06-12 00:25:34	6737808	----a-w-	c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
    2012-06-10 20:48:05	--------	d-----w-	c:\documents and settings\mom\application data\Windows Desktop Search
    2012-06-10 20:47:13	--------	d-----w-	c:\program files\Windows Desktop Search
    2012-06-10 20:47:12	--------	d-----w-	c:\windows\system32\GroupPolicy
    2012-06-10 20:42:39	98304	------w-	c:\windows\system32\dllcache\nlhtml.dll
    2012-06-10 20:42:39	29696	------w-	c:\windows\system32\dllcache\mimefilt.dll
    2012-06-10 20:42:38	192000	------w-	c:\windows\system32\dllcache\offfilt.dll
    2012-06-10 20:42:03	33664	----a-w-	c:\windows\system32\drivers\BCMWLNPF.SYS
    2012-06-10 20:41:59	1392640	----a-w-	c:\windows\system32\WLTRAY.EXE
    2012-06-10 20:04:43	--------	d-sh--w-	c:\documents and settings\mom\IECompatCache
    2012-06-10 20:03:03	--------	d-sh--w-	c:\documents and settings\mom\PrivacIE
    2012-06-10 20:00:17	--------	d-sh--w-	c:\documents and settings\mom\IETldCache
    2012-06-10 19:27:43	6144	------w-	c:\windows\system32\dllcache\iecompat.dll
    2012-06-10 19:26:03	--------	d-----w-	c:\windows\ie8updates
    2012-06-10 19:25:17	12800	------w-	c:\windows\system32\dllcache\xpshims.dll
    2012-06-10 19:25:05	247808	------w-	c:\windows\system32\dllcache\ieproxy.dll
    2012-06-10 19:25:04	743424	------w-	c:\windows\system32\dllcache\iedvtool.dll
    2012-06-10 19:21:50	--------	dc-h--w-	c:\windows\ie8
    2012-06-10 18:23:50	--------	d-----w-	c:\documents and settings\mom\application data\JAM Software
    2012-06-10 15:53:18	953856	------w-	c:\windows\system32\dllcache\mfc40u.dll
    2012-06-10 15:49:40	617472	------w-	c:\windows\system32\dllcache\comctl32.dll
    2012-06-10 15:45:57	40960	------w-	c:\windows\system32\dllcache\ndproxy.sys
    2012-06-10 15:44:49	105472	------w-	c:\windows\system32\dllcache\mup.sys
    2012-06-10 15:40:45	45568	------w-	c:\windows\system32\dllcache\wab.exe
    2012-06-10 15:40:21	10496	------w-	c:\windows\system32\dllcache\ndistapi.sys
    2012-06-10 15:40:17	3072	------w-	c:\windows\system32\iacenc.dll
    2012-06-10 15:40:17	3072	------w-	c:\windows\system32\dllcache\iacenc.dll
    2012-06-10 15:37:14	139784	------w-	c:\windows\system32\dllcache\rdpwd.sys
    2012-06-10 14:29:51	272128	------w-	c:\windows\system32\dllcache\bthport.sys
    2012-06-10 14:29:35	357888	------w-	c:\windows\system32\dllcache\srv.sys
    2012-06-10 14:29:26	456320	------w-	c:\windows\system32\dllcache\mrxsmb.sys
    2012-06-10 14:29:24	471552	------w-	c:\windows\system32\dllcache\aclayers.dll
    2012-06-10 14:26:58	337408	------w-	c:\windows\system32\dllcache\netapi32.dll
    2012-06-10 14:26:45	5120	----a-w-	c:\windows\system32\xpsp4res.dll
    2012-06-10 14:26:44	218112	------w-	c:\windows\system32\dllcache\wordpad.exe
    2012-06-10 14:09:44	--------	d-----w-	c:\windows\system32\scripting
    2012-06-10 14:09:44	--------	d-----w-	c:\windows\l2schemas
    2012-06-10 14:09:42	--------	d-----w-	c:\windows\system32\en
    2012-06-10 14:09:42	--------	d-----w-	c:\windows\system32\bits
    2012-06-10 13:57:32	426184	----a-w-	c:\windows\system32\FlashPlayerApp.exe
    2012-06-10 13:57:31	70344	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-06-10 13:52:27	--------	d-----w-	c:\windows\EHome
    2012-06-10 13:22:15	69120	------w-	c:\windows\system32\wlanapi.dll
    2012-06-10 13:22:09	25471	------w-	c:\windows\system32\drivers\watv10nt.sys
    2012-06-10 13:22:09	22271	------w-	c:\windows\system32\drivers\watv06nt.sys
    2012-06-10 13:22:08	14208	------w-	c:\windows\system32\drivers\wacompen.sys
    2012-06-10 13:22:08	11935	------w-	c:\windows\system32\drivers\wadv11nt.sys
    2012-06-10 13:22:08	11871	------w-	c:\windows\system32\drivers\wadv09nt.sys
    2012-06-10 13:22:08	11807	------w-	c:\windows\system32\drivers\wadv07nt.sys
    2012-06-10 13:22:08	11295	------w-	c:\windows\system32\drivers\wadv08nt.sys
    2012-06-10 13:22:05	11325	------w-	c:\windows\system32\drivers\vchnt5.dll
    2012-06-10 13:22:02	12800	------w-	c:\windows\system32\drivers\usb8023x.sys
    2012-06-10 13:20:59	180360	------w-	c:\windows\system32\drivers\ntmtlfax.sys
    2012-06-10 13:19:43	37376	------w-	c:\windows\system32\l2gpstore.dll
    2012-06-10 13:19:41	61440	------w-	c:\windows\system32\kmsvc.dll
    2012-06-10 13:19:40	6144	------w-	c:\windows\system32\kbdpash.dll
    2012-06-10 13:19:40	6144	------w-	c:\windows\system32\kbdnepr.dll
    2012-06-10 13:19:40	6144	------w-	c:\windows\system32\kbdiultn.dll
    2012-06-10 13:19:40	6144	------w-	c:\windows\system32\kbdbhc.dll
    2012-06-10 13:17:57	12800	------w-	c:\windows\system32\credssp.dll
    2012-06-09 17:06:32	237072	------w-	c:\windows\system32\MpSigStub.exe
    2012-06-09 17:02:25	--------	d-----w-	c:\program files\Microsoft Security Client
    2012-06-09 13:44:08	98816	----a-w-	c:\windows\sed.exe
    2012-06-09 13:44:08	518144	----a-w-	c:\windows\SWREG.exe
    2012-06-09 13:44:08	256000	----a-w-	c:\windows\PEV.exe
    2012-06-09 13:44:08	208896	----a-w-	c:\windows\MBR.exe
    2012-06-09 13:40:14	--------	d-----w-	C:\TDSSKiller_Quarantine
    2012-06-09 13:13:27	--------	d-----w-	c:\program files\VS Revo Group
    2012-06-09 03:16:47	--------	d-----w-	c:\documents and settings\mom\application data\Malwarebytes
    2012-06-09 03:16:37	--------	d-----w-	c:\documents and settings\all users\application data\Malwarebytes
    2012-06-09 03:16:36	22344	----a-w-	c:\windows\system32\drivers\mbam.sys
    2012-06-09 03:16:36	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
    2012-06-09 03:06:36	--------	d-----w-	c:\windows\system32\MpEngineStore
    2012-05-31 13:22:09	599040	------w-	c:\windows\system32\dllcache\crypt32.dll
    .
    ==================== Find3M ====================
    .
    2012-05-31 13:22:09	599040	----a-w-	c:\windows\system32\crypt32.dll
    2012-04-11 13:14:41	2148352	----a-w-	c:\windows\system32\ntoskrnl.exe
    2012-04-11 13:12:06	1862272	----a-w-	c:\windows\system32\win32k.sys
    2012-04-11 12:35:51	2026496	----a-w-	c:\windows\system32\ntkrnlpa.exe
    2012-03-21 00:44:12	171064	----a-w-	c:\windows\system32\drivers\MpFilter.sys
    2006-11-20 13:01:08	163840	----a-w-	c:\program files\common files\AMCap.exe
    .
    ============= FINISH: 18:26:37.51 ===============
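A few lines in the DDS log above are worth checking mechanically rather than by eye: the Hosts entry that maps www.spywareinfo.com to 127.0.0.1 (a hosts-file override that blocks that site), the toolbar and search-hook entries that end in "No File" (registry keys whose DLL is already gone), and the one CLSID that is registered as a BHO, a toolbar and a URL search hook at the same time. The script below is an added example from the editor, not part of the original thread and not a DDS feature; it runs offline on a handful of lines copied from the log (with the Hosts line's lost separator restored), and the set of entry kinds it correlates is an assumption the reader can extend.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the DDS "Pseudo HJT Report" posted above.
# The Hosts line appears there as "127.0.0.1www.spywareinfo.com" because the
# separator between address and hostname was lost; it is restored here.
SAMPLE_DDS = r"""uURLSearchHooks: H - No File
uURLSearchHooks: Download Energy Toolbar: {2bae58c2-79f9-45d1-a286-81f911301c3a} - c:\program files\p2p_energy\prxtbP2P2.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Download Energy Toolbar: {2bae58c2-79f9-45d1-a286-81f911301c3a} - c:\program files\p2p_energy\prxtbP2P2.dll
TB: Download Energy Toolbar: {2bae58c2-79f9-45d1-a286-81f911301c3a} - c:\program files\p2p_energy\prxtbP2P2.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Hosts: 127.0.0.1 www.spywareinfo.com
"""

# Line prefixes DDS uses for IE browser helper objects, toolbars and URL search
# hooks (assumption: these are the entry kinds worth correlating by CLSID).
ENTRY_KINDS = ("BHO", "TB", "uURLSearchHooks", "mURLSearchHooks")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")


def parse_entries(text):
    """Turn 'KIND: Name: {CLSID} - path' lines into dicts; name and CLSID may be absent."""
    entries = []
    for line in text.splitlines():
        kind, sep, rest = line.partition(": ")
        if not sep or kind not in ENTRY_KINDS:
            continue
        left, _, path = rest.rpartition(" - ")  # the path follows the last " - "
        m = CLSID_RE.search(left)
        clsid = m.group(0).lower() if m else None
        name = left[: m.start()].rstrip(": ") if m else left
        entries.append({"kind": kind, "name": name.strip() or None,
                        "clsid": clsid, "path": path.strip()})
    return entries


def orphaned_entries(entries):
    """Registrations whose DLL is gone ('No File'): leftover keys to clean up, not live code."""
    return [e for e in entries if e["path"].lower() == "no file"]


def shared_clsids(entries):
    """CLSIDs registered under more than one hook type, e.g. one DLL as BHO + toolbar + search hook."""
    kinds_by_clsid = defaultdict(set)
    for e in entries:
        if e["clsid"]:
            kinds_by_clsid[e["clsid"]].add(e["kind"])
    return {c: sorted(k) for c, k in kinds_by_clsid.items() if len(k) > 1}


def hosts_sinkholes(text):
    """Hosts entries that send a name to loopback or the null address, which blocks that site."""
    blocked = []
    for line in text.splitlines():
        m = HOSTS_RE.match(line)
        if m and (m["ip"].startswith("127.") or m["ip"] in ("0.0.0.0", "::1")):
            blocked.append(m["host"].lower())
    return blocked


def triage(text):
    """Run all three checks over a DDS log and return the findings."""
    entries = parse_entries(text)
    return {
        "orphans": [(e["kind"], e["name"] or e["clsid"]) for e in orphaned_entries(entries)],
        "shared_clsids": shared_clsids(entries),
        "hosts_sinkholes": hosts_sinkholes(text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DDS).items():
        print(f"{key}: {value}")
```

Run it against a full DDS.txt by reading the file into `triage()` instead of `SAMPLE_DDS`. The hosts check is the one with a direct fix (remove the override), the other two only tell you which registry entries to look at; none of this replaces the helper's tool run, it just shortens the read.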
     
  5. CTGull

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 10/29/2007 1:15:42 PM
    System Uptime: 6/12/2012 4:29:19 PM (2 hours ago)
    .
    Motherboard: Dell Inc. | | 0UW744
    Processor: AMD Athlon(tm) 64 X2 Dual-Core Processor TK-55 | Socket M2/S1G1 | 792/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 108 GiB total, 45.907 GiB free.
    D: is CDROM ()
    F: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
    Description: WebcamMax, WDM Video Capture
    Device ID: ROOT\MEDIA\0000
    Manufacturer: CoolwareMax
    Name: WebcamMax, WDM Video Capture
    PNP Device ID: ROOT\MEDIA\0000
    Service: CAMTHWDM
    .
    ==== System Restore Points ===================
    .
    RP260: 6/9/2012 1:11:10 AM - Installed NETGEAR WNA1100 wireless USB 2.0 adapter
    RP261: 6/9/2012 9:14:53 AM - Revo Uninstaller's restore point - McAfee SecurityCenter
    RP262: 6/9/2012 9:34:00 AM - Revo Uninstaller's restore point - Norton Security Scan
    RP263: 6/9/2012 1:01:02 PM - Installed Windows XP KB914882.
    RP264: 6/9/2012 1:06:30 PM - Software Distribution Service 3.0
    RP265: 6/9/2012 1:25:13 PM - Software Distribution Service 3.0
    RP266: 6/10/2012 8:44:47 AM - Software Distribution Service 3.0
    RP267: 6/10/2012 9:29:29 AM - Software Distribution Service 3.0
    RP268: 6/10/2012 9:39:40 AM - Software Distribution Service 3.0
    RP269: 6/10/2012 10:32:21 AM - Software Distribution Service 3.0
    RP270: 6/10/2012 2:28:26 PM - Software Distribution Service 3.0
    RP271: 6/10/2012 4:07:21 PM - Software Distribution Service 3.0
    RP272: 6/10/2012 4:09:37 PM - Software Distribution Service 3.0
    RP273: 6/10/2012 4:38:35 PM - Software Distribution Service 3.0
    RP274: 6/10/2012 4:41:05 PM - Software Distribution Service 3.0
    RP275: 6/11/2012 8:11:51 PM - Software Distribution Service 3.0
    RP276: 6/11/2012 8:25:30 PM - Software Distribution Service 3.0
    RP277: 6/12/2012 6:14:16 AM - Software Distribution Service 3.0
    .
    ==== Installed Programs ======================
    .
    Acoustica Effects Pack
    Adobe Flash Player 10 Plugin
    Adobe Flash Player 11 ActiveX
    Adobe Reader 8.1.0
    Adobe Shockwave Player 11.5
    AMD Processor Driver
    Any Audio Converter 3.0.4
    AoA DVD Ripper
    Apple Software Update
    Ask Toolbar
    ATI Catalyst Control Center
    ATI Display Driver
    Banctec Service Agreement
    Bonjour
    Broadcom Management Programs
    Browser Address Error Redirector
    CCleaner
    Choice Guard
    Compatibility Pack for the 2007 Office system
    Conexant HDA D110 MDC V.92 Modem
    Dealio Toolbar v4.0.1
    Dell DataSafe Online
    Dell Support Center
    Dell System Restore
    Dell Wireless WLAN Card
    DellSupport
    Digital Line Detect
    DivX Web Player
    Documentation & Support Launcher
    Download Updater (AOL LLC)
    Express Burn
    Facebook Plug-In
    Free Video to MP3 Converter version 3.4
    Games, Music, & Photos Launcher
    Google Chrome
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB954550-v5)
    InterActual Player
    Internet Service Offers Launcher
    iSofter DVD to Youtube 3.0.2007.206
    iTunes
    J2SE Runtime Environment 5.0 Update 6
    Java(TM) 6 Update 14
    LimeWire 5.1.3
    LimeWire Music
    Macromedia Shockwave Player
    Malwarebytes Anti-Malware version 1.61.0.1400
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2656353)
    Microsoft .NET Framework 1.1 Security Update (KB2656370)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Corporation
    Microsoft Digital Image Library 9 - Blocker
    Microsoft Digital Image Standard 2006
    Microsoft Digital Image Standard 2006 Editor
    Microsoft Digital Image Standard 2006 Library
    Microsoft Encarta Encyclopedia Standard 2006
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft LifeCam
    Microsoft Money 2006
    Microsoft National Language Support Downlevel APIs
    Microsoft Plus! Photo Story 2 LE
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft VC9 runtime libraries
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Word 2002
    Microsoft Works
    Microsoft Works Suite 2006 Setup Launcher
    Microsoft Works Suite Add-in for Microsoft Word
    Modem Helper
    Mozilla Firefox (3.6.13)
    MSN
    MSVCRT
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB973686)
    Myxer MP3 Downloader
    n-Track Studio 6
    NCH Toolbox
    NetWaiting
    ooVoo
    ooVoo Toolbar (Remove Toolbar Only)
    P2P_Energy Toolbar
    PC Camera
    PowerDVD 5.7
    Protected Music Converter 1.1
    QuickTime
    Revo Uninstaller 1.94
    Roxio Creator Audio
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Drag-to-Disc
    Roxio Express Labeler
    Roxio MyDVD DE
    Search Settings 1.2.2
    SearchAssist
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Windows Internet Explorer 7 (KB2544521)
    Security Update for Windows Internet Explorer 7 (KB2675157)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB2647516)
    Security Update for Windows Internet Explorer 8 (KB2675157)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB2686509)
    Security Update for Windows XP (KB2695962)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982665)
    Segoe UI
    Skype™ 4.0
    Smart Defrag 1.11
    Sonic Activation Module
    Spybot - Search & Destroy
    Synaptics Pointing Device Driver
    TabIt version 2.03
    Ultra MP4 Video Converter 5.2.0603
    Uninstall 1.0.0.1
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 7 (KB980182)
    Update for Windows Internet Explorer 8 (KB2598845)
    Update for Windows XP (KB2718704)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB971029)
    VersionTracker Pro Windows
    Viewpoint Media Player
    WAV MP3 Converter 3.8 build 968
    WebFldrs XP
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows Media Format 11 runtime
    Windows Media Player 10
    Windows Media Player 11
    Windows Presentation Foundation
    Windows Search 4.0
    Windows XP Service Pack 3
    Works Upgrade
    Xilisoft Video to Audio Converter
    XML Paper Specification Shared Components Pack 1.0
    .
    ==== Event Viewer Messages From Past Week ========
    .
    6/9/2012 5:23:33 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x8024002d: Office XP Service Pack 3.
    6/10/2012 8:58:13 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x8024200d: Windows XP Service Pack 3 (KB936929).
    6/10/2012 4:09:56 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures.New Signature Version: Previous Signature Version: 1.127.1680.0Update Source: Microsoft Update ServerUpdate Stage: InstallSource Path: http://www.microsoft.comSignature Type: AntiVirusUpdate Type: FullUser: NT AUTHORITY\SYSTEMCurrent Engine Version: Previous Engine Version: 1.1.8403.0Error code: 0x80240016Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
    6/10/2012 4:09:56 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures.New Signature Version: Previous Signature Version: 1.127.1680.0Update Source: Microsoft Update ServerUpdate Stage: InstallSource Path: http://www.microsoft.comSignature Type: AntiVirusUpdate Type: FullUser: NT AUTHORITY\SYSTEMCurrent Engine Version: Previous Engine Version: 1.1.8403.0Error code: 0x80240016Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
    6/10/2012 4:09:56 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures.New Signature Version: Previous Signature Version: 1.127.1680.0Update Source: Microsoft Update ServerUpdate Stage: DownloadSource Path: http://www.microsoft.comSignature Type: AntiVirusUpdate Type: FullUser: NT AUTHORITY\SYSTEMCurrent Engine Version: Previous Engine Version: 1.1.8403.0Error code: 0x80240016Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
    6/10/2012 2:22:59 PM, error: ati2mtag [43015] - I2c return failed
    6/10/2012 12:03:20 PM, error: AmdK8 [2] - The Acpi 2.0 _PCT object returned an invalid value of 3
    6/10/2012 10:46:43 AM, error: ati2mtag [43016] - Not an EDID device
    .
    ==== End Of File ===========================
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Let's check this system:

    Please run the MGA Diagnostics tool
    • You will be prompted to either “Run” or “Save” the tool. Choose to “Run” the tool and follow the on-screen prompts.
    • You will receive an Internet Explorer Security Warning dialog box for the Windows Genuine Advantage Diagnostic Tool.
    • You must choose to Run this tool when prompted.
    • Once you are presented with the Diagnostics tool choose Continue to run the diagnostic report.
    • If the RESOLVE button is available after running the diagnostics, please click RESOLVE to allow the diagnostic tool to attempt a repair.
    • After running the MGA Diagnostic tool, click on the Windows tab and then click on Copy
    • Please return to this thread and Paste the results here for review.
    ------------------------------------------
    This tool will look on the computer itself, in the documentation you received with the computer or with your retail purchase of Windows to see if you have a Certificate of Authenticity (COA). If you have one, tell us about the COA. Tell us:

    1. What edition of Windows XP is it for, Home, Pro, or Media Center, or another version of Windows?
    2. Does it read "OEM Software" or "OEM Product" in black lettering?
    3. Or, does it have the computer manufacturer's name in black lettering?
    4. DO NOT post the Product Key.

    NOTE: The data collected with the Genuine Diagnostics Tool does NOT contain any information that can personally identify you and can be fully reviewed, by you, before being posted.
    =============================================
    Then go ahead with the following:
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan. Uninstall directions, if needed:
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------

    • Download Combofix from HERE or HERE and save to the desktop
      • Double click combofix.exe & follow the prompts.
      • If prompted for Recovery Console, please allow.
      • Once installed, you should see a blue screen prompt that says:
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close any open browsers.
    • Before you run the Combofix scan, please disable any security software you have running.
      (If you need help with this, please see HERE)
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated and opened in a text window. Please paste C:\ComboFix.txt in your next reply.

    Re-enable your Antivirus software.
    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ====================================================

    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in the cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    Threads are closed after 5 days if there is no reply.
     
  7. CTGull

    CTGull TS Rookie Topic Starter Posts: 17

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    Validation Status: Genuine
    Validation Code: 0
    Cached Validation Code: N/A
    Windows Product Key: *****-*****-GD6GR-K6DP3-4C8MT
    Windows Product Key Hash: s2kt66ZJWfV4nS1wFD5F9bxTSDw=
    Windows Product ID: 76477-OEM-2111907-00102
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 5.1.2600.2.00010300.3.0.hom
    ID: {8489E762-0B18-498E-906A-255E36CCEB5B}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: Registered, 1.7.69.2
    Signed By: Microsoft
    Product Name: N/A
    Architecture: N/A
    Build lab: N/A
    TTS Error: N/A
    Validation Diagnostic: 025D1FF3-230-1
    Resolution Status: N/A
    Vista WgaER Data-->
    ThreatID(s): N/A
    Version: N/A
    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002
    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002
    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Word 2002 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005
    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: c:\program files\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed
    File Scan Data-->
    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{8489E762-0B18-498E-906A-255E36CCEB5B}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010300.3.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-4C8MT</PKey><PID>76477-OEM-2111907-00102</PID><PIDType>2</PIDType><SID>S-1-5-21-815810583-3155536409-2577804381</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>Inspiron 1501 </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>2.6.1 </Version><SMBIOSVersion major="2" minor="4"/><Date>20060823000000.000000+000</Date><SLPBIOS>Dell System,Dell Computer,Dell System,Dell System</SLPBIOS></BIOS><HWID>64BC33E70184206E</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Dell Inspiron 1501</name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{911B0409-6000-11D3-8CFE-0050048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Word 2002</Name><Ver>10</Ver><Val>62A4EAC3B9ACA0A</Val><Hash>oYFJkmRdgrdNVD6wKZKJMnTn5To=</Hash><Pid>54189-OEM-1650002-00005</Pid><PidType>16</PidType></Product></Products><Applications><App Id="1B" Version="10" Result="100"/></Applications></Office></Software></GenuineResults>
    Licensing Data-->
    N/A
    Windows Activation Technologies-->
    N/A
    HWID Data-->
    N/A
    OEM Activation 1.0 Data-->
    BIOS string matches: yes
    Marker string from BIOS: 1E832:Dell Inc|1075C:Dell Inc|1075C:Microsoft Corporation
    Marker string from OEMBIOS.DAT: Dell System,Dell Computer,Dell System,Dell System
    OEM Activation 2.0 Data-->
    N/A
     
  8. CTGull

    CTGull TS Rookie Topic Starter Posts: 17

    I do not have the COA. The product code on the sticker on the bottom of the laptop does not match the one found in the post above.

    Working on ComboFix. I had previously run it and need to do the uninstall.
     
  9. CTGull

    CTGull TS Rookie Topic Starter Posts: 17

    ComboFix 12-06-12.03 - Mom 06/12/2012 20:57:06.2.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.459 [GMT -4:00]
    Running from: c:\documents and settings\Mom\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Mom\Application Data\alot
    c:\documents and settings\Mom\Application Data\Dealio
    c:\documents and settings\Mom\Application Data\Dealio\res\widgets.xml
    c:\documents and settings\Mom\Application Data\Dealio\temp\http___www_dealio_com_rss_coupons-deals_dotd_.xml
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-05-13 to 2012-06-13 )))))))))))))))))))))))))))))))
    .
    .
    2012-06-13 00:35 . 2012-06-13 00:35--------d-----w-c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2012-06-12 22:36 . 2012-05-08 13:406737808----a-w-c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1A7B36F6-A527-4586-8401-75E40B423F21}\mpengine.dll
    2012-06-12 00:25 . 2012-05-08 13:406737808----a-w-c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-06-11 20:17 . 2012-06-11 20:17--------d-sh--w-c:\documents and settings\NetworkService\IETldCache
    2012-06-11 20:16 . 2012-06-11 20:16--------d-sh--w-c:\documents and settings\Samantha\IETldCache
    2012-06-10 20:51 . 2012-06-10 20:52--------d-----w-c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2012-06-10 20:48 . 2012-06-10 20:48--------d-----w-c:\documents and settings\Mom\Application Data\Windows Desktop Search
    2012-06-10 20:47 . 2012-06-12 00:12--------d-----w-c:\program files\Windows Desktop Search
    2012-06-10 20:47 . 2012-06-10 20:47--------d-----w-c:\windows\system32\GroupPolicy
    2012-06-10 20:42 . 2008-03-07 17:0298304------w-c:\windows\system32\dllcache\nlhtml.dll
    2012-06-10 20:42 . 2008-03-07 17:0229696------w-c:\windows\system32\dllcache\mimefilt.dll
    2012-06-10 20:42 . 2008-03-07 17:02192000------w-c:\windows\system32\dllcache\offfilt.dll
    2012-06-10 20:42 . 2006-11-02 00:4833664----a-w-c:\windows\system32\drivers\BCMWLNPF.SYS
    2012-06-10 20:41 . 2006-11-02 00:481392640----a-w-c:\windows\system32\WLTRAY.EXE
    2012-06-10 20:04 . 2012-06-10 20:04--------d-sh--w-c:\documents and settings\Mom\IECompatCache
    2012-06-10 20:03 . 2012-06-10 20:03--------d-sh--w-c:\documents and settings\Mom\PrivacIE
    2012-06-10 20:00 . 2012-06-10 20:00--------d-sh--w-c:\documents and settings\Mom\IETldCache
    2012-06-10 19:57 . 2012-06-10 19:57--------d-sh--w-c:\documents and settings\LocalService\IETldCache
    2012-06-10 19:27 . 2011-08-16 10:456144------w-c:\windows\system32\dllcache\iecompat.dll
    2012-06-10 19:25 . 2012-03-01 11:0112800------w-c:\windows\system32\dllcache\xpshims.dll
    2012-06-10 19:25 . 2012-03-01 11:01247808------w-c:\windows\system32\dllcache\ieproxy.dll
    2012-06-10 19:25 . 2012-03-01 11:01743424------w-c:\windows\system32\dllcache\iedvtool.dll
    2012-06-10 19:21 . 2012-06-10 19:24--------dc-h--w-c:\windows\ie8
    2012-06-10 18:23 . 2012-06-10 18:33--------d-----w-c:\documents and settings\Mom\Application Data\JAM Software
    2012-06-10 15:53 . 2010-09-18 06:53953856------w-c:\windows\system32\dllcache\mfc40u.dll
    2012-06-10 15:49 . 2010-08-23 16:12617472------w-c:\windows\system32\dllcache\comctl32.dll
    2012-06-10 15:45 . 2010-11-02 15:1740960------w-c:\windows\system32\dllcache\ndproxy.sys
    2012-06-10 15:44 . 2011-04-21 13:37105472------w-c:\windows\system32\dllcache\mup.sys
    2012-06-10 15:40 . 2010-10-11 14:5945568------w-c:\windows\system32\dllcache\wab.exe
    2012-06-10 15:40 . 2011-07-08 14:0210496------w-c:\windows\system32\dllcache\ndistapi.sys
    2012-06-10 15:40 . 2012-01-11 19:063072------w-c:\windows\system32\iacenc.dll
    2012-06-10 15:40 . 2012-01-11 19:063072------w-c:\windows\system32\dllcache\iacenc.dll
    2012-06-10 15:37 . 2012-01-09 16:20139784------w-c:\windows\system32\dllcache\rdpwd.sys
    2012-06-10 14:29 . 2008-06-13 11:05272128------w-c:\windows\system32\dllcache\bthport.sys
    2012-06-10 14:29 . 2011-02-17 13:18357888------w-c:\windows\system32\dllcache\srv.sys
    2012-06-10 14:29 . 2011-07-15 13:29456320------w-c:\windows\system32\dllcache\mrxsmb.sys
    2012-06-10 14:29 . 2009-11-21 15:51471552------w-c:\windows\system32\dllcache\aclayers.dll
    2012-06-10 14:26 . 2008-10-15 16:34337408------w-c:\windows\system32\dllcache\netapi32.dll
    2012-06-10 14:26 . 2011-02-17 12:325120----a-w-c:\windows\system32\xpsp4res.dll
    2012-06-10 14:26 . 2010-07-12 12:55218112------w-c:\windows\system32\dllcache\wordpad.exe
    2012-06-10 14:09 . 2012-06-10 14:09--------d-----w-c:\windows\system32\scripting
    2012-06-10 14:09 . 2012-06-10 14:09--------d-----w-c:\windows\l2schemas
    2012-06-10 14:09 . 2012-06-10 14:09--------d-----w-c:\windows\system32\en
    2012-06-10 14:09 . 2012-06-10 14:09--------d-----w-c:\windows\system32\bits
    2012-06-10 13:57 . 2012-06-10 13:57426184----a-w-c:\windows\system32\FlashPlayerApp.exe
    2012-06-10 13:57 . 2012-06-10 13:5770344----a-w-c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-06-10 13:52 . 2012-06-10 13:52--------d-----w-c:\windows\EHome
    2012-06-10 13:22 . 2008-04-14 00:1269120------w-c:\windows\system32\wlanapi.dll
    2012-06-10 13:22 . 2004-08-04 02:2925471------w-c:\windows\system32\drivers\watv10nt.sys
    2012-06-10 13:22 . 2004-08-04 02:2922271------w-c:\windows\system32\drivers\watv06nt.sys
    2012-06-10 13:22 . 2008-04-13 18:4314208------w-c:\windows\system32\drivers\wacompen.sys
    2012-06-10 13:22 . 2004-08-04 02:2911935------w-c:\windows\system32\drivers\wadv11nt.sys
    2012-06-10 13:22 . 2004-08-04 02:2911871------w-c:\windows\system32\drivers\wadv09nt.sys
    2012-06-10 13:22 . 2004-08-04 02:2911807------w-c:\windows\system32\drivers\wadv07nt.sys
    2012-06-10 13:22 . 2004-08-04 02:2911295------w-c:\windows\system32\drivers\wadv08nt.sys
    2012-06-10 13:22 . 2008-04-14 00:1211325------w-c:\windows\system32\drivers\vchnt5.dll
    2012-06-10 13:22 . 2008-04-13 18:5612800------w-c:\windows\system32\drivers\usb8023x.sys
    2012-06-10 13:20 . 2004-08-04 02:41180360------w-c:\windows\system32\drivers\ntmtlfax.sys
    2012-06-10 13:19 . 2008-04-14 00:1137376------w-c:\windows\system32\l2gpstore.dll
    2012-06-10 13:19 . 2008-04-14 00:1161440------w-c:\windows\system32\kmsvc.dll
    2012-06-10 13:19 . 2008-04-14 00:096144------w-c:\windows\system32\kbdpash.dll
    2012-06-10 13:19 . 2008-04-14 00:096144------w-c:\windows\system32\kbdnepr.dll
    2012-06-10 13:19 . 2008-04-14 00:096144------w-c:\windows\system32\kbdiultn.dll
    2012-06-10 13:19 . 2008-04-14 00:096144------w-c:\windows\system32\kbdbhc.dll
    2012-06-10 13:17 . 2008-04-14 00:1112800------w-c:\windows\system32\credssp.dll
    2012-06-09 17:06 . 2012-01-31 12:44237072------w-c:\windows\system32\MpSigStub.exe
    2012-06-09 17:02 . 2012-06-09 17:03--------d-----w-c:\program files\Microsoft Security Client
    2012-06-09 13:40 . 2012-06-09 13:40--------d-----w-C:\TDSSKiller_Quarantine
    2012-06-09 13:13 . 2012-06-09 13:13--------d-----w-c:\program files\VS Revo Group
    2012-06-09 03:16 . 2012-06-09 03:16--------d-----w-c:\documents and settings\Mom\Application Data\Malwarebytes
    2012-06-09 03:16 . 2012-06-09 03:16--------d-----w-c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-06-09 03:16 . 2012-06-09 12:19--------d-----w-c:\program files\Malwarebytes' Anti-Malware
    2012-06-09 03:16 . 2012-04-04 19:5622344----a-w-c:\windows\system32\drivers\mbam.sys
    2012-06-09 03:06 . 2012-06-09 21:24--------d-----w-c:\windows\system32\MpEngineStore
    2012-05-31 13:22 . 2012-05-31 13:22599040------w-c:\windows\system32\dllcache\crypt32.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-05-31 13:22 . 2004-08-10 17:50599040----a-w-c:\windows\system32\crypt32.dll
    2012-04-11 13:14 . 2004-08-10 17:512148352----a-w-c:\windows\system32\ntoskrnl.exe
    2012-04-11 13:12 . 2004-08-10 17:511862272----a-w-c:\windows\system32\win32k.sys
    2012-04-11 12:35 . 2004-08-04 03:592026496----a-w-c:\windows\system32\ntkrnlpa.exe
    2012-03-21 00:44 . 2012-03-21 00:44171064----a-w-c:\windows\system32\drivers\MpFilter.sys
    2006-11-20 13:01 . 2006-11-20 13:01163840----a-w-c:\program files\Common Files\AMCap.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-23 19:23 . 2007-07-30 16:4016384c:\dell\bak\dsca.exe
    .
    2007-10-23 19:23 . 2007-05-24 19:0317920c:\dell\E-Center\bak\EULALauncher.exe
    .
    2007-10-02 19:45 . 2007-10-02 19:4567488c:\program files\Adobe\Photoshop Elements 6.0\bak\apdproxy.exe
    .
    2007-05-11 08:06 . 2007-05-11 08:0640048c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
    .
    2006-05-10 15:12 . 2006-05-10 15:1290112c:\program files\ATI Technologies\ATI.ACE\bak\CLIStart.exe
    .
    2007-03-01 15:37 . 2007-03-01 15:372321600c:\program files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe
    .
    2006-10-03 16:37 . 2006-10-03 16:3781920c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe
    .
    2006-10-03 16:35 . 2006-10-03 16:35221184c:\program files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe
    .
    2006-11-05 16:22 . 2006-11-05 16:22221184c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\bak\RoxWatchTray9.exe
    .
    2007-10-23 19:15 . 2005-12-10 01:2949152c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe
    .
    2007-10-23 19:10 . 2007-02-20 17:291191936c:\program files\Dell\QuickSet\bak\quickset.exe
    .
    2007-03-15 17:09 . 2007-03-15 17:09460784c:\program files\DellSupport\bak\DSAgnt.exe
    .
    2007-10-29 17:42 . 2007-10-29 17:4268856c:\program files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe
    .
    2007-12-11 17:10 . 2007-12-11 17:10267048c:\program files\iTunes\bak\iTunesHelper.exe
    2008-02-04 18:18 . 2008-02-04 18:18267048c:\program files\iTunes\iTunesHelper.exe
    .
    2004-08-10 18:01 . 2004-10-13 16:241694208c:\program files\Messenger\bak\msmsgs.exe
    2012-06-10 13:20 . 2008-04-14 00:121695232c:\program files\Messenger\msmsgs.exe
    .
    2007-10-23 19:15 . 2003-09-10 07:2420480c:\program files\NetWaiting\bak\netWaiting.exe
    .
    2007-12-11 15:56 . 2007-12-11 15:56286720c:\program files\QuickTime\bak\qttask.exe
    .
    2006-08-17 14:00 . 2006-08-17 14:001116920c:\program files\Roxio\Drag-to-Disc\bak\DrgToDsc.exe
    .
    2007-10-23 19:09 . 2006-09-22 16:47761947c:\program files\Synaptics\SynTP\bak\SynTPEnh.exe
    .
    2007-10-23 18:44 . 2005-12-19 20:081347584c:\windows\system32\bak\WLTRAY.exe
    2012-06-10 20:41 . 2006-11-02 00:481392640c:\windows\system32\WLTRAY.EXE
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{2bae58c2-79f9-45d1-a286-81f911301c3a}"= "c:\program files\P2P_Energy\prxtbP2P2.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{2bae58c2-79f9-45d1-a286-81f911301c3a}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2bae58c2-79f9-45d1-a286-81f911301c3a}]
    2011-05-09 09:49176936----a-w-c:\program files\P2P_Energy\prxtbP2P2.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{442AE524-EBA5-4b17-82F3-888D68BC999A}]
    2009-11-24 19:27252416----a-w-c:\program files\oovootb\auxi\oovooAu.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1FB2F9A-D35E-11DD-8935-E46A56D89593}]
    2009-11-24 21:3587512----a-w-c:\program files\oovootb\oovoodx.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2009-02-26 15:25809864----a-w-c:\program files\Ask.com\GenericAskToolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-26 809864]
    "{A1FB2F9A-D35E-11DD-8935-E46A56D89593}"= "c:\program files\oovootb\oovoodx.dll" [2009-11-24 87512]
    "{2bae58c2-79f9-45d1-a286-81f911301c3a}"= "c:\program files\P2P_Energy\prxtbP2P2.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CLASSES_ROOT\clsid\{a1fb2f9a-d35e-11dd-8935-e46a56d89593}]
    .
    [HKEY_CLASSES_ROOT\clsid\{2bae58c2-79f9-45d1-a286-81f911301c3a}]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-26 809864]
    "{2BAE58C2-79F9-45D1-A286-81F911301C3A}"= "c:\program files\P2P_Energy\prxtbP2P2.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CLASSES_ROOT\clsid\{2bae58c2-79f9-45d1-a286-81f911301c3a}]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "%PROVIDERID%"="bin\sprtcmd.exe" [N/A]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-02 1392640]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
    backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WNA1100 Smart Wizard.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR WNA1100 Smart Wizard.lnk
    backup=c:\windows\pss\NETGEAR WNA1100 Smart Wizard.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VersionTrackerPro.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VersionTrackerPro.lnk
    backup=c:\windows\pss\VersionTrackerPro.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:1215360----a-w-c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2008-02-04 18:18267048----a-w-c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
    2009-07-24 20:05118640----a-w-c:\program files\Microsoft LifeCam\LifeExp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeExp]
    2009-07-24 20:05118640----a-w-c:\program files\Microsoft LifeCam\LifeExp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ManyCam]
    2008-10-14 06:021791272----a-w-c:\program files\ManyCam 2.3\ManyCam.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
    2006-11-03 15:01319488----a-w-c:\windows\PixArt\PAC207\Monitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PAC207_Monitor]
    2006-11-03 15:01319488----a-w-c:\windows\PixArt\PAC207\Monitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
    2006-09-22 16:06282624----a-w-c:\windows\stsystra.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2009-06-02 15:5624264488----a-r-c:\program files\Skype\Phone\Skype.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
    2009-03-17 18:24721936----a-w-c:\windows\vVX3000.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2006-10-19 00:05204288------w-c:\program files\Windows Media Player\wmpnscfg.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    .
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/21/2007 12:25 AM 24652]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [6/10/2012 9:57 AM 257224]
    S3 AR9271;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [8/19/2011 2:01 PM 1723840]
    S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam.sys --> c:\windows\system32\DRIVERS\ManyCam.sys [?]
    S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2/9/2010 2:48 AM 30560]
    S3 PAC207;PC Camera;c:\windows\system32\drivers\PFC027.SYS [10/25/2007 6:31 PM 616064]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-06-13 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-10 13:57]
    .
    2012-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-815810583-3155536409-2577804381-1006Core.job
    - c:\documents and settings\Samantha\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-08 20:07]
    .
    2012-06-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-815810583-3155536409-2577804381-1006UA.job
    - c:\documents and settings\Samantha\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-08 20:07]
    .
    2012-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-815810583-3155536409-2577804381-1007Core.job
    - c:\documents and settings\Mom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-08 04:33]
    .
    2012-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-815810583-3155536409-2577804381-1007UA.job
    - c:\documents and settings\Mom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-08 04:33]
    .
    2012-06-13 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
    - c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 21:03]
    .
    2012-06-12 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    - c:\program files\Ask.com\UpdateTask.exe [2009-02-26 15:25]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1071023
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1071023
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Mom\Start Menu\Programs\IMVU\Run IMVU.lnk
    TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
    FF - ProfilePath - c:\documents and settings\Mom\Application Data\Mozilla\Firefox\Profiles\30ctqk28.default\
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-06-12 21:04
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(808)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\System32\BCMLogon.dll
    .
    Completion time: 2012-06-12 21:10:12
    ComboFix-quarantined-files.txt 2012-06-13 01:10
    ComboFix2.txt 2012-06-09 14:04
    .
    Pre-Run: 49,222,950,912 bytes free
    Post-Run: 49,298,067,456 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer
    .
    - - End Of File - - B87B341DE825ADD6A10408BCF0E863D3
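    The Reg Loading Points section of the ComboFix log above registers the same add-on CLSID under several keys (the URLSearchHooks value, the Browser Helper Objects key, the Toolbar values and the HKCR\clsid registration). As an added example, not part of this thread or of ComboFix, here is a small Python parser for that section that groups the entries by CLSID, the cross-check a helper does before listing every location in a removal script. The sample input is constructed from lines of the posted log, including the collapsed time/size/attribute fields the paste produced.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the "Reg Loading Points" section of the
# ComboFix log posted above; keys, CLSIDs and paths are copied from that log.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{2bae58c2-79f9-45d1-a286-81f911301c3a}"= "c:\program files\P2P_Energy\prxtbP2P2.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{2bae58c2-79f9-45d1-a286-81f911301c3a}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2bae58c2-79f9-45d1-a286-81f911301c3a}]
2011-05-09 09:49176936----a-w-c:\program files\P2P_Energy\prxtbP2P2.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-02-26 15:25809864----a-w-c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-26 809864]
"{2bae58c2-79f9-45d1-a286-81f911301c3a}"= "c:\program files\P2P_Energy\prxtbP2P2.dll" [2011-05-09 176936]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"%PROVIDERID%"="bin\sprtcmd.exe" [N/A]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
Contents of the 'Scheduled Tasks' folder
"""

KEY_RE = re.compile(r'^\[([^\]]+)\]\s*$')
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*"([^"]*)"(?:\s*\[([^\]]*)\])?\s*$')
# The pasted log lost the tab separators, so the size digits run straight into
# the eight-character attribute field and the attributes into the path.
FILE_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s*(\d+)\s*([-a-z]{8})\s*(\S.*)$')
CLSID_RE = re.compile(
    r'\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}', re.I)
SECTION_START = 'Reg Loading Points'
SECTION_END = "Contents of the 'Scheduled Tasks' folder"


def loading_points_section(log_text):
    """Yield the non-empty lines between the Reg Loading Points banner and the next section."""
    inside = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not inside:
            inside = SECTION_START in line
            continue
        if line.startswith(SECTION_END):
            return
        if line and line != '.':
            yield line


def parse_loading_points(log_text):
    """Return one record per registry key: the values listed under it and the file lines under it."""
    records = []
    current = None
    for line in loading_points_section(log_text):
        m = KEY_RE.match(line)
        if m:
            current = {'key': m.group(1), 'values': [], 'files': []}
            records.append(current)
            continue
        if current is None:
            continue  # preamble such as REGEDIT4 or the *Note* line
        m = VALUE_RE.match(line)
        if m:
            name, data, stamp = m.groups()
            current['values'].append({'name': name, 'data': data, 'stamp': stamp})
            continue
        m = FILE_RE.match(line)
        if m:
            stamp, size, attrs, path = m.groups()
            current['files'].append({'stamp': stamp, 'size': int(size), 'attrs': attrs, 'path': path})
    return records


def clsid_locations(records):
    """Map each CLSID (lower-cased) to every key that names it and every file it resolves to.

    One add-on is normally anchored in several places at once; a removal script
    that lists only one of them leaves the others behind, so they are collected here.
    """
    out = defaultdict(lambda: {'keys': set(), 'paths': set()})
    for rec in records:
        for cid in CLSID_RE.findall(rec['key']):
            out[cid.lower()]['keys'].add(rec['key'])
            for f in rec['files']:
                out[cid.lower()]['paths'].add(f['path'].lower())
        for val in rec['values']:
            for cid in CLSID_RE.findall(val['name']):
                out[cid.lower()]['keys'].add(rec['key'])
                out[cid.lower()]['paths'].add(val['data'].lower())
    return dict(out)


if __name__ == '__main__':
    for cid, info in clsid_locations(parse_loading_points(SAMPLE_LOG)).items():
        print(cid, '->', len(info['keys']), 'keys;', ', '.join(sorted(info['paths'])))
        for key in sorted(info['keys']):
            print('   ', key)
```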
     
  10. CTGull

    CTGull TS Rookie Topic Starter Posts: 17

    The ComboFix.txt file was 750kb due to installing a massive amount of Windows updates over the weekend, including SP3. I removed the Snapshot section of the file so I could post the results.

    I was suspicious of the Dealio toolbar. That was a BHO and possibly the cause of the DeepDive warning from Spybot.
     
  11. CTGull

    CTGull TS Rookie Topic Starter Posts: 17

    Spybot still finds DeepDive. I did a screen capture but I can't seem to insert the image.

     
  12. CTGull

    CTGull TS Rookie Topic Starter Posts: 17

    I have to get up early tomorrow. I hope to see a reply in the morning.
     
  13. CTGull

    CTGull TS Rookie Topic Starter Posts: 17

    Help??? Anyone? Anyone?
     
  14. CTGull

    CTGull TS Rookie Topic Starter Posts: 17

    Due to a lack of additional responses I have moved my inquiry to the SpyBot forum.

    Please close this thread.
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I hope you slept well. Things have been very busy here- sometimes I get behind. However, I will mention that it took quite a while to write the script for all the removals needed for your system! You made it really easy for the system to get malware.

    Do not remove any entries from a log. Split the reply into 2 posts if necessary.
    =========================================

    Please run this Custom CFScript:

    [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    c:\program files\Viewpoint\Common\ViewpointService.exe
    Folder::
    AWF::
    c:\program files\Messenger\bak\msmsgs.exe
    c:\windows\system32\bak\WLTRAY.exe
    c:\program files\iTunes\bak\iTunesHelper.exe
     
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{2bae58c2-79f9-45d1-a286-81f911301c3a}"=-
    [HKEY_CLASSES_ROOT\clsid\{2bae58c2-79f9-45d1-a286-81f911301c3a}]
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2bae58c2-79f9-45d1-a286-81f911301c3a}]
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{442AE524-EBA5-4b17-82F3-888D68BC999A}]
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1FB2F9A-D35E-11DD-8935-E46A56D89593}]
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    "{A1FB2F9A-D35E-11DD-8935-E46A56D89593}"=-
    "{2bae58c2-79f9-45d1-a286-81f911301c3a}"=-
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    [HKEY_CLASSES_ROOT\clsid\{a1fb2f9a-d35e-11dd-8935-e46a56d89593}]
    [HKEY_CLASSES_ROOT\clsid\{2bae58c2-79f9-45d1-a286-81f911301c3a}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    "{2BAE58C2-79F9-45D1-A286-81F911301C3A}"=-
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    [HKEY_CLASSES_ROOT\clsid\{2bae58c2-79f9-45d1-a286-81f911301c3a}]
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=-
     
    Clearjavacache::
     
    Driver::
    Viewpoint Manager Service
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
    ====================
    The Delio Toolbar was just the tip of the malware on your system. As long as they are on the system, you will get malware:
    Please uninstall ALL of the following in Add/Remove Programs:
    1. Askbar or any other 'ASK' entries
    2. P2P_Energy
    3. Viewpoint> ALL entries
    4. ooVoo Toolbar
    5. Internet Service Offers Launcher
    6. LimeWire 5.1.3> See P2P Warning
    7. LimeWire Music> See P2P Warning

    Then use Windows Explorer to access My Computer> Local Drive> Programs> Find Program Folder for each of the uninstalled programs and do a Right click> Delete.
    -------------------------------
    P2P or 'file sharing' Warning:
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall Limewire and Limewire Music for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.
    Please read the information on P2P Warning to help you better understand these dangers.
    =================================
    The following are all outdated- Please update:
    Note: Check each download screen for any pre-checked Toolbars or BHOs. Uncheck them before the download.
    1. Adobe Reader > Current is v(10.xx)> Adobe Reader Update
    2. Java(TM) > Current is v7u4> Java Updates.
    Uninstall any earlier versions of both as they are vulnerabilities for the system.
    3. Firefox: Update to the most current version if you use it. If you don't use it, remove it. You have Firefox v3.6.13
    =================================
    Not good.
    ==================================
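    As an added example (not part of Bobbye's instructions and not ComboFix's own code), a PowerShell check to run after the CFScript: it lists the Browser Helper Objects still registered, resolves each CLSID to the DLL it loads, and flags any of the CLSIDs named in the script above that survived in the BHO, Toolbar or URLSearchHooks keys. The registry paths are the standard IE/COM locations (the `~` in the ComboFix output is its abbreviation for the Explorer key); the CLSID list is copied from the script.

```powershell
# Added post-cleanup check (not from the thread). Run in an elevated PowerShell.
# CLSIDs below are the ones the CFScript above removes; the key layout is the
# standard one IE uses for BHOs and toolbars, nothing specific to this machine.
$Targets = @(
    '{2bae58c2-79f9-45d1-a286-81f911301c3a}',
    '{442AE524-EBA5-4b17-82F3-888D68BC999A}',
    '{A1FB2F9A-D35E-11DD-8935-E46A56D89593}',
    '{D4027C7F-154A-4066-A1AD-4243D8127440}'
)

$BhoKey         = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$ToolbarKey     = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
$UserToolbarKey = 'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser'
$HookKey        = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'

function Resolve-Clsid {
    param([string]$Clsid)
    # A COM object's code is whatever HKCR\CLSID\{...}\InprocServer32 points at;
    # that DLL is what IE actually loads for a BHO or toolbar.
    $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (Test-Path $inproc) {
        return (Get-ItemProperty -Path $inproc).'(default)'
    }
    return '<not registered: no InprocServer32>'
}

"== Browser Helper Objects still registered =="
if (Test-Path $BhoKey) {
    Get-ChildItem $BhoKey | ForEach-Object {
        $clsid = $_.PSChildName
        # -contains compares strings case-insensitively, so the mixed-case
        # CLSIDs in the script still match.
        $flag = if ($Targets -contains $clsid) { 'TARGETED' } else { 'other' }
        '{0,-9} {1} -> {2}' -f $flag, $clsid, (Resolve-Clsid $clsid)
    }
} else {
    "BHO key absent (no BHOs registered)"
}

"== Toolbar / URLSearchHook values naming a targeted CLSID =="
foreach ($key in @($ToolbarKey, $UserToolbarKey, $HookKey)) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($Targets -contains $name) {
            'LEFTOVER {0} in {1} -> {2}' -f $name, $key, (Resolve-Clsid $name)
        }
    }
}
```

Any line marked TARGETED or LEFTOVER means the script did not take effect for that entry; an entry resolving to a DLL that still exists on disk is the one to report back in the thread.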
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thread closed at member's request.
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Make up your mind please. Thread reopened by member request.
     
  18. CTGull

    CTGull TS Rookie Topic Starter Posts: 17

    Thanks for the detailed response on my thread. As I said in the first post, I am cleaning it for a friend, a much younger friend. I've warned her about toolbars. I knew about the dangers of Limewire but haven't mentioned that yet. I will tell her to read the thread to get an idea of what is dangerous.

    Last night I removed all the programs you mentioned except Viewpoint, didn't know what it was. Firefox and Adobe were updated earlier in the week. I'm not sure Firefox was ever used. I will update Java.

    I don't understand why the COA's don't match since it's a Dell branded Win XP and utilities installed. Windows Genuine Advantage passes. They gave me the original Dell Win XP & utilities disks if I have to reinstall. I don't really want to do that.

    Thanks again!

    Dave

    ComboFix 12-06-12.03 - Mom 06/17/2012 12:47:59.5.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.380 [GMT -4:00]
    Running from: c:\documents and settings\Mom\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Mom\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-05-17 to 2012-06-17 )))))))))))))))))))))))))))))))
    .
    .
    2012-06-17 16:01 . 2005-11-10 18:0349265----a-w-c:\windows\system32\jpicpl32.cpl
    2012-06-17 13:13 . 2012-06-17 13:1356200----a-w-c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DB618EBB-548E-43D1-B373-A9E2682CEF9D}\offreg.dll
    2012-06-17 13:03 . 2012-06-17 13:0329904----a-w-c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DB618EBB-548E-43D1-B373-A9E2682CEF9D}\MpKsl33dac9da.sys
    2012-06-17 12:59 . 2012-06-17 12:59--------d-----w-c:\program files\ERUNT
    2012-06-16 00:10 . 2012-05-08 13:406737808----a-w-c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DB618EBB-548E-43D1-B373-A9E2682CEF9D}\mpengine.dll
    2012-06-16 00:03 . 2012-06-16 00:03--------d-----w-c:\documents and settings\Mom\Application Data\oovootb
    2012-06-15 23:34 . 2012-06-15 23:34--------d-----w-c:\documents and settings\Mom\Application Data\Windows Search
    2012-06-13 00:35 . 2012-06-13 00:35--------d-----w-c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2012-06-12 00:25 . 2012-05-08 13:406737808----a-w-c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-06-12 00:15 . 2012-06-12 00:15--------d-----w-c:\documents and settings\Samantha\Application Data\Windows Desktop Search
    2012-06-11 20:17 . 2012-06-11 20:17--------d-sh--w-c:\documents and settings\NetworkService\IETldCache
    2012-06-11 20:16 . 2012-06-11 20:16--------d-sh--w-c:\documents and settings\Samantha\IETldCache
    2012-06-10 20:51 . 2012-06-10 20:52--------d-----w-c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2012-06-10 20:48 . 2012-06-10 20:48--------d-----w-c:\documents and settings\Mom\Application Data\Windows Desktop Search
    2012-06-10 20:47 . 2012-06-12 00:12--------d-----w-c:\program files\Windows Desktop Search
    2012-06-10 20:47 . 2012-06-10 20:47--------d-----w-c:\windows\system32\GroupPolicy
    2012-06-10 20:42 . 2008-03-07 17:0298304------w-c:\windows\system32\dllcache\nlhtml.dll
    2012-06-10 20:42 . 2008-03-07 17:0229696------w-c:\windows\system32\dllcache\mimefilt.dll
    2012-06-10 20:42 . 2008-03-07 17:02192000------w-c:\windows\system32\dllcache\offfilt.dll
    2012-06-10 20:42 . 2006-11-02 00:4833664----a-w-c:\windows\system32\drivers\BCMWLNPF.SYS
    2012-06-10 20:41 . 2006-11-02 00:481392640----a-w-c:\windows\system32\WLTRAY.EXE
    2012-06-10 20:04 . 2012-06-10 20:04--------d-sh--w-c:\documents and settings\Mom\IECompatCache
    2012-06-10 20:03 . 2012-06-10 20:03--------d-sh--w-c:\documents and settings\Mom\PrivacIE
    2012-06-10 20:00 . 2012-06-10 20:00--------d-sh--w-c:\documents and settings\Mom\IETldCache
    2012-06-10 19:57 . 2012-06-10 19:57--------d-sh--w-c:\documents and settings\LocalService\IETldCache
    2012-06-10 19:27 . 2011-08-16 10:456144------w-c:\windows\system32\dllcache\iecompat.dll
    2012-06-10 19:25 . 2012-03-01 11:0112800------w-c:\windows\system32\dllcache\xpshims.dll
    2012-06-10 19:25 . 2012-03-01 11:01247808------w-c:\windows\system32\dllcache\ieproxy.dll
    2012-06-10 19:25 . 2012-03-01 11:01743424------w-c:\windows\system32\dllcache\iedvtool.dll
    2012-06-10 19:21 . 2012-06-10 19:24--------dc-h--w-c:\windows\ie8
    2012-06-10 18:23 . 2012-06-10 18:33--------d-----w-c:\documents and settings\Mom\Application Data\JAM Software
    2012-06-10 15:53 . 2010-09-18 06:53953856------w-c:\windows\system32\dllcache\mfc40u.dll
    2012-06-10 15:49 . 2010-08-23 16:12617472------w-c:\windows\system32\dllcache\comctl32.dll
    2012-06-10 15:45 . 2010-11-02 15:1740960------w-c:\windows\system32\dllcache\ndproxy.sys
    2012-06-10 15:44 . 2011-04-21 13:37105472------w-c:\windows\system32\dllcache\mup.sys
    2012-06-10 15:40 . 2010-10-11 14:5945568------w-c:\windows\system32\dllcache\wab.exe
    2012-06-10 15:40 . 2011-07-08 14:0210496------w-c:\windows\system32\dllcache\ndistapi.sys
    2012-06-10 15:40 . 2012-01-11 19:063072------w-c:\windows\system32\iacenc.dll
    2012-06-10 15:40 . 2012-01-11 19:063072------w-c:\windows\system32\dllcache\iacenc.dll
    2012-06-10 15:37 . 2012-01-09 16:20139784------w-c:\windows\system32\dllcache\rdpwd.sys
    2012-06-10 14:29 . 2008-06-13 11:05272128------w-c:\windows\system32\dllcache\bthport.sys
    2012-06-10 14:29 . 2011-02-17 13:18357888------w-c:\windows\system32\dllcache\srv.sys
    2012-06-10 14:29 . 2011-07-15 13:29456320------w-c:\windows\system32\dllcache\mrxsmb.sys
    2012-06-10 14:29 . 2009-11-21 15:51471552------w-c:\windows\system32\dllcache\aclayers.dll
    2012-06-10 14:26 . 2008-10-15 16:34337408------w-c:\windows\system32\dllcache\netapi32.dll
    2012-06-10 14:26 . 2011-02-17 12:325120----a-w-c:\windows\system32\xpsp4res.dll
    2012-06-10 14:26 . 2010-07-12 12:55218112------w-c:\windows\system32\dllcache\wordpad.exe
    2012-06-10 14:09 . 2012-06-10 14:09--------d-----w-c:\windows\system32\scripting
    2012-06-10 14:09 . 2012-06-10 14:09--------d-----w-c:\windows\l2schemas
    2012-06-10 14:09 . 2012-06-10 14:09--------d-----w-c:\windows\system32\en
    2012-06-10 14:09 . 2012-06-10 14:09--------d-----w-c:\windows\system32\bits
    2012-06-10 13:57 . 2012-06-10 13:57426184----a-w-c:\windows\system32\FlashPlayerApp.exe
    2012-06-10 13:57 . 2012-06-10 13:5770344----a-w-c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-06-10 13:52 . 2012-06-10 13:52--------d-----w-c:\windows\EHome
    2012-06-10 13:22 . 2008-04-14 00:1269120------w-c:\windows\system32\wlanapi.dll
    2012-06-10 13:22 . 2004-08-04 02:2925471------w-c:\windows\system32\drivers\watv10nt.sys
    2012-06-10 13:22 . 2004-08-04 02:2922271------w-c:\windows\system32\drivers\watv06nt.sys
    2012-06-10 13:22 . 2008-04-13 18:4314208------w-c:\windows\system32\drivers\wacompen.sys
    2012-06-10 13:22 . 2004-08-04 02:2911935------w-c:\windows\system32\drivers\wadv11nt.sys
    2012-06-10 13:22 . 2004-08-04 02:2911871------w-c:\windows\system32\drivers\wadv09nt.sys
    2012-06-10 13:22 . 2004-08-04 02:2911807------w-c:\windows\system32\drivers\wadv07nt.sys
    2012-06-10 13:22 . 2004-08-04 02:2911295------w-c:\windows\system32\drivers\wadv08nt.sys
    2012-06-10 13:22 . 2008-04-14 00:1211325------w-c:\windows\system32\drivers\vchnt5.dll
    2012-06-10 13:22 . 2008-04-13 18:5612800------w-c:\windows\system32\drivers\usb8023x.sys
    2012-06-10 13:20 . 2004-08-04 02:41180360------w-c:\windows\system32\drivers\ntmtlfax.sys
    2012-06-10 13:19 . 2008-04-14 00:1137376------w-c:\windows\system32\l2gpstore.dll
    2012-06-10 13:19 . 2008-04-14 00:1161440------w-c:\windows\system32\kmsvc.dll
    2012-06-10 13:19 . 2008-04-14 00:096144------w-c:\windows\system32\kbdpash.dll
    2012-06-10 13:19 . 2008-04-14 00:096144------w-c:\windows\system32\kbdnepr.dll
    2012-06-10 13:19 . 2008-04-14 00:096144------w-c:\windows\system32\kbdiultn.dll
    2012-06-10 13:19 . 2008-04-14 00:096144------w-c:\windows\system32\kbdbhc.dll
    2012-06-10 13:17 . 2008-04-14 00:1112800------w-c:\windows\system32\credssp.dll
    2012-06-09 17:06 . 2012-01-31 12:44237072------w-c:\windows\system32\MpSigStub.exe
    2012-06-09 17:02 . 2012-06-09 17:03--------d-----w-c:\program files\Microsoft Security Client
    2012-06-09 13:40 . 2012-06-09 13:40--------d-----w-C:\TDSSKiller_Quarantine
    2012-06-09 13:13 . 2012-06-09 13:13--------d-----w-c:\program files\VS Revo Group
    2012-06-09 05:07 . 2012-06-09 05:07--------d-----w-c:\documents and settings\Samantha\Application Data\Malwarebytes
    2012-06-09 03:16 . 2012-06-09 03:16--------d-----w-c:\documents and settings\Mom\Application Data\Malwarebytes
    2012-06-09 03:16 . 2012-06-09 03:16--------d-----w-c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-06-09 03:16 . 2012-06-09 12:19--------d-----w-c:\program files\Malwarebytes' Anti-Malware
    2012-06-09 03:16 . 2012-04-04 19:5622344----a-w-c:\windows\system32\drivers\mbam.sys
    2012-06-09 03:06 . 2012-06-09 21:24--------d-----w-c:\windows\system32\MpEngineStore
    2012-05-31 13:22 . 2012-05-31 13:22599040------w-c:\windows\system32\dllcache\crypt32.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-05-31 13:22 . 2004-08-10 17:50599040----a-w-c:\windows\system32\crypt32.dll
    2012-04-11 13:14 . 2004-08-10 17:512148352----a-w-c:\windows\system32\ntoskrnl.exe
    2012-04-11 13:12 . 2004-08-10 17:511862272----a-w-c:\windows\system32\win32k.sys
    2012-04-11 12:35 . 2004-08-04 03:592026496----a-w-c:\windows\system32\ntkrnlpa.exe
    2012-03-21 00:44 . 2012-03-21 00:44171064----a-w-c:\windows\system32\drivers\MpFilter.sys
    2006-11-20 13:01 . 2006-11-20 13:01163840----a-w-c:\program files\Common Files\AMCap.exe
    2012-06-16 00:45 . 2012-06-16 00:4597208----a-w-c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-23 19:23 . 2007-07-30 16:4016384c:\dell\bak\dsca.exe
    .
    2007-10-23 19:23 . 2007-05-24 19:0317920c:\dell\E-Center\bak\EULALauncher.exe
    .
    2007-10-02 19:45 . 2007-10-02 19:4567488c:\program files\Adobe\Photoshop Elements 6.0\bak\apdproxy.exe
    .
    2007-05-11 08:06 . 2007-05-11 08:0640048c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
    .
    2006-05-10 15:12 . 2006-05-10 15:1290112c:\program files\ATI Technologies\ATI.ACE\bak\CLIStart.exe
    .
    2007-03-01 15:37 . 2007-03-01 15:372321600c:\program files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe
    .
    2006-10-03 16:37 . 2006-10-03 16:3781920c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe
    .
    2006-10-03 16:35 . 2006-10-03 16:35221184c:\program files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe
    .
    2006-11-05 16:22 . 2006-11-05 16:22221184c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\bak\RoxWatchTray9.exe
    .
    2007-10-23 19:15 . 2005-12-10 01:2949152c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe
    .
    2007-10-23 19:10 . 2007-02-20 17:291191936c:\program files\Dell\QuickSet\bak\quickset.exe
    .
    2007-03-15 17:09 . 2007-03-15 17:09460784c:\program files\DellSupport\bak\DSAgnt.exe
    .
    2007-10-29 17:42 . 2007-10-29 17:4268856c:\program files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe
    .
    2007-12-11 17:10 . 2007-12-11 17:10267048c:\program files\iTunes\bak\iTunesHelper.exe
    2008-02-04 18:18 . 2008-02-04 18:18267048c:\program files\iTunes\iTunesHelper.exe
    .
    2004-08-10 18:01 . 2004-10-13 16:241694208c:\program files\Messenger\bak\msmsgs.exe
    2012-06-10 13:20 . 2008-04-14 00:121695232c:\program files\Messenger\msmsgs.exe
    .
    2007-10-23 19:15 . 2003-09-10 07:2420480c:\program files\NetWaiting\bak\netWaiting.exe
    .
    2007-12-11 15:56 . 2007-12-11 15:56286720c:\program files\QuickTime\bak\qttask.exe
    .
    2006-08-17 14:00 . 2006-08-17 14:001116920c:\program files\Roxio\Drag-to-Disc\bak\DrgToDsc.exe
    .
    2007-10-23 19:09 . 2006-09-22 16:47761947c:\program files\Synaptics\SynTP\bak\SynTPEnh.exe
    .
    2007-10-23 18:44 . 2005-12-19 20:081347584c:\windows\system32\bak\WLTRAY.exe
    2012-06-10 20:41 . 2006-11-02 00:481392640c:\windows\system32\WLTRAY.EXE
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "%PROVIDERID%"="bin\sprtcmd.exe" [N/A]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-02 1392640]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
    backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WNA1100 Smart Wizard.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR WNA1100 Smart Wizard.lnk
    backup=c:\windows\pss\NETGEAR WNA1100 Smart Wizard.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VersionTrackerPro.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VersionTrackerPro.lnk
    backup=c:\windows\pss\VersionTrackerPro.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:1215360----a-w-c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2008-02-04 18:18267048----a-w-c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
    2009-07-24 20:05118640----a-w-c:\program files\Microsoft LifeCam\LifeExp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeExp]
    2009-07-24 20:05118640----a-w-c:\program files\Microsoft LifeCam\LifeExp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ManyCam]
    2008-10-14 06:021791272----a-w-c:\program files\ManyCam 2.3\ManyCam.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
    2006-11-03 15:01319488----a-w-c:\windows\PixArt\PAC207\Monitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PAC207_Monitor]
    2006-11-03 15:01319488----a-w-c:\windows\PixArt\PAC207\Monitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
    2006-09-22 16:06282624----a-w-c:\windows\stsystra.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2009-06-02 15:5624264488----a-r-c:\program files\Skype\Phone\Skype.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
    2009-03-17 18:24721936----a-w-c:\windows\vVX3000.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2006-10-19 00:05204288------w-c:\program files\Windows Media Player\wmpnscfg.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    .
    R1 MpKsl33dac9da;MpKsl33dac9da;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DB618EBB-548E-43D1-B373-A9E2682CEF9D}\MpKsl33dac9da.sys [6/17/2012 9:03 AM 29904]
    S1 tdx;@%SystemRoot%\system32\tcpipcfg.dll,-50004;c:\windows\system32\DRIVERS\tdx.sys --> c:\windows\system32\DRIVERS\tdx.sys [?]
    S2 iphlpsvc;@%SystemRoot%\system32\iphlpsvc.dll,-200;c:\windows\System32\svchost.exe -k NetSvcs [8/10/2004 1:51 PM 14336]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [6/10/2012 9:57 AM 257224]
    S3 AR9271;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [8/19/2011 2:01 PM 1723840]
    S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam.sys --> c:\windows\system32\DRIVERS\ManyCam.sys [?]
    S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [6/15/2012 8:45 PM 129976]
    S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2/9/2010 2:48 AM 30560]
    S3 PAC207;PC Camera;c:\windows\system32\drivers\PFC027.SYS [10/25/2007 6:31 PM 616064]
    S3 WinDefend;Windows Defender;c:\windows\System32\svchost.exe -k secsvcs [8/10/2004 1:51 PM 14336]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MPKSL33DAC9DA
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-06-17 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-10 13:57]
    .
    2012-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-815810583-3155536409-2577804381-1006Core.job
    - c:\documents and settings\Samantha\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-08 20:07]
    .
    2012-06-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-815810583-3155536409-2577804381-1006UA.job
    - c:\documents and settings\Samantha\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-08 20:07]
    .
    2012-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-815810583-3155536409-2577804381-1007Core.job
    - c:\documents and settings\Mom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-08 04:33]
    .
    2012-06-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-815810583-3155536409-2577804381-1007UA.job
    - c:\documents and settings\Mom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-08 04:33]
    .
    2012-06-17 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
    - c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 21:03]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1071023
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1071023
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Mom\Start Menu\Programs\IMVU\Run IMVU.lnk
    TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
    FF - ProfilePath - c:\documents and settings\Mom\Application Data\Mozilla\Firefox\Profiles\30ctqk28.default\
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-06-17 12:56
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(800)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\System32\BCMLogon.dll
    .
    - - - - - - - > 'explorer.exe'(1352)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2012-06-17 12:59:40
    ComboFix-quarantined-files.txt 2012-06-17 16:59
    ComboFix2.txt 2012-06-17 16:42
    .
    Pre-Run: 51,756,572,672 bytes free
    Post-Run: 51,817,041,920 bytes free
    .
    - - End Of File - - 208656FF2AA614CAE8CEC63C678EE0FE
     
  19. CTGull

    CTGull TS Rookie Topic Starter Posts: 17

    Malwarebytes still finds DeepDive and can't remove it.
     
  20. CTGull

    CTGull TS Rookie Topic Starter Posts: 17

    Java installed fine now. Network connection is working again. Updated Malwarebytes and SpyBot. MS Security Essentials update failed (a few times) saying check your internet connection, even after a reboot.
     
  21. CTGull

    CTGull TS Rookie Topic Starter Posts: 17

    Bobbye - What do you think the odds are of removing DeepDive from this computer? What do you think the risks are of leaving it as is? I've had it for 2 weeks, I'm sure she'd like to have it back. I'm thinking about adding a logical partition and moving My Documents to it in preparation for possibly having to reload it. I've always had My Documents on a separate partition to protect them from being lost if the operating system gets corrupted.
     
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    There are 2 things you don't want to do on the internet:

    1. Post the same problem at the same time in multiple forums. This ties up multiple helpers who could be helping others.

    2. Trash a helper in one forum in another forum. Someday you might want help from 'the other' helper.

    You have done both, almost word for word:

    Malwarebytes.org: 6/15
    http://forums.malwarebytes.org/index.php?showtopic=111169 6/15

    Then used your most frequently pasted reply:

    =========================================
    Spybot Search & Destroy: 6/17
     
Topic Status:
Not open for further replies.
